centos-dbused挖矿病毒清理
清理bash_profile
打开终端,检查各用户主目录下的隐藏文件 .bash_profile(默认位于 /home/${name}/,root 用户为 /root/),删除其中被病毒写入的下面这一行(这是需要从文件中删除的恶意内容,不要执行):
# Indicator of compromise, NOT a cleanup command: per this write-up, this is the
# line found in the user's .bash_profile. It copies /bin/bprofr to /bin/dbused,
# runs `/bin/dbused -c` with all output discarded, then deletes /bin/dbused
# again. Because .bash_profile is read by login shells, the line runs at every
# login. Delete it from the file; do not execute it.
cp -f -r -- /bin/bprofr /bin/dbused 2>/dev/null && /bin/dbused -c >/dev/null 2>&1 && rm -rf -- /bin/dbused 2>/dev/null
删除crontab下任务
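# List the current user's crontab and check whether it contains the persistence entry:
#   cp -f -r -- /bin/bprofr /bin/dbused 2>/dev/null && /bin/dbused -c >/dev/null 2>&1 && rm -rf -- /bin/dbused 2>/dev/null
crontab -l
# Search every per-user crontab in the spool directory for the 'dbuse' marker.
# An absolute path is used so the check does not depend on a `cd` having
# succeeded, and all users' files are covered rather than only root's.
grep -rn -- 'dbuse' /var/spool/cron/ 2>/dev/null
# On the host in this write-up the hit was a scheduled task in root's crontab.
# Delete the matching entry (e.g. with `crontab -e` as that user), then re-run
# the grep above to confirm it is gone.
# NOTE(review): if the file cannot be edited, inspect its attributes with
# `lsattr` -- the later steps on this page have to clear i/a flags on other files.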
查询启动脚本的任务
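# Search every non-directory entry under /etc for the 'dbuse' marker and keep
# only the hits whose output line mentions "cron".
# -print0 / xargs -0 keeps file names with spaces or newlines intact, -r skips
# grep when find returns nothing, and -H prints the file name even when grep
# is handed a single file (the trailing `grep cron` filters on that path).
find /etc/ ! -type d -print0 | xargs -0 -r grep -n -H -- 'dbuse' 2>/dev/null | grep cron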
删除
# Remove the miner's "pwnrig" entry from each cron directory.
# Pass 1: clear the immutable (i) and append-only (a) attributes, otherwise
# the files cannot be deleted.
for cron_dir in cron.daily cron.hourly cron.weekly cron.d cron.monthly; do
  chattr -i -a "/etc/${cron_dir}/pwnrig"
done
# Pass 2: delete the entries.
for cron_dir in cron.daily cron.hourly cron.weekly cron.d cron.monthly; do
  rm -rf "/etc/${cron_dir}/pwnrig"
done
# NOTE(review): re-run the cron search afterwards to confirm the entries do
# not come back; the page does not show whether anything re-creates them.
依次查看 rc.d、init.d、systemd 下的系统服务
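# Inspect the SysV init scripts and systemd units that reference the miner,
# then delete them. Each search lists files under /etc containing the marker
# string and keeps only the hits whose output line mentions rc / init.d / systemd.
# -print0 / xargs -0 keeps odd file names intact; -H always prints the file name.
find /etc/ ! -type d -print0 | xargs -0 -r grep -n -H -- 'dbuse' 2>/dev/null | grep rc
# Clear the immutable/append-only attributes, then delete the init script.
chattr -a -i /etc/rc.d/init.d/pwnrig
rm -rf /etc/rc.d/init.d/pwnrig
find /etc/ ! -type d -print0 | xargs -0 -r grep -n -H -- 'xms' 2>/dev/null | grep init.d
find /etc/ ! -type d -print0 | xargs -0 -r grep -n -H -- 'dbuse' 2>/dev/null | grep init.d
find /etc/ ! -type d -print0 | xargs -0 -r grep -n -H -- 'dbuse' 2>/dev/null | grep systemd
# Stop the units before removing them: deleting a unit file from disk does
# not stop a service that is already running.
systemctl stop pwnrige.service pwnrigl.service
chattr -a -i /etc/systemd/system/multi-user.target.wants/pwnrige.service
rm -rf /etc/systemd/system/multi-user.target.wants/pwnrige.service
chattr -a -i /usr/lib/systemd/system/pwnrigl.service
rm -rf /usr/lib/systemd/system/pwnrigl.service
chattr -a -i /etc/systemd/system/pwnrige.service
rm -rf /etc/systemd/system/pwnrige.service
# Make systemd forget the unit definitions that were just deleted.
systemctl daemon-reload
# NOTE(review): the rc search above may also list entries under
# /etc/rc.d/rc*.d that point at the removed init script; the page does not
# cover them -- review and remove any that remain.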
删除以下文件
/bin/bprofr
/bin/sysdr
/bin/crondr
/bin/initdr
/usr/bin/bprofr
/usr/bin/sysdr
/usr/bin/crondr
/usr/bin/initdr
/tmp/dbused
/tmp/dbusex
/tmp/xms
/tmp/x86_64
/tmp/i686
/tmp/go
/tmp/x64b
/tmp/x32b
删除命令
# Delete the dropped binaries listed above.
# NOTE(review): the page never stops the running miner process; if one is
# still alive it may re-create these files -- check the process list before
# and after this step. If the incident will be investigated, record hashes
# (sha256sum) or keep copies of the samples before deleting them.
#
# Copies under /bin and /usr/bin: clear the immutable (i) and append-only (a)
# attributes first, then remove. On CentOS 7 and later /bin is normally a
# symlink to /usr/bin, so the second round may find nothing left to delete.
for bin_dir in /bin /usr/bin; do
  for dropped in bprofr sysdr crondr initdr; do
    chattr -i -a "${bin_dir}/${dropped}"
    rm -rf "${bin_dir}/${dropped}"
  done
done
# Payloads under /tmp (no attribute reset is done for these).
# NOTE(review): names such as go, x86_64 and i686 are generic -- confirm each
# path really belongs to the malware (ls -l, file) before running the removal.
for dropped in dbused dbusex xms x86_64 i686 go x64b x32b; do
  rm -rf "/tmp/${dropped}"
done