centos-dbused挖矿病毒清理

清理bash_profile

打开终端,检查用户目录下的 bash_profile 文件(默认为 /home/${name}/ 下的隐藏文件),其中会记录如下一行内容,将其从文件中清理掉:

cp -f -r -- /bin/bprofr /bin/dbused 2>/dev/null && /bin/dbused -c  >/dev/null 2>&1 && rm -rf -- /bin/dbused 2>/dev/null

删除crontab下任务

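# Check whether the current user's crontab contains the bprofr/dbused
# persistence line that was found in bash_profile above.
crontab -l
# Search every user's crontab in the spool directory for "dbuse" without
# changing directory; -n prints the matching line number, -- ends option
# parsing so the pattern can never be mistaken for an option.
grep -n -- 'dbuse' /var/spool/cron/* 2>/dev/null
# Show root's crontab in full so the surrounding entries can be reviewed too.
cat /var/spool/cron/root
# A root cron entry was found: remove that line with `crontab -u root -e`,
# or, if the whole file is malicious, drop it entirely with `crontab -u root -r`.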

查询启动脚本的任务

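# Find cron-related files under /etc that reference "dbuse".
# grep -r walks the tree itself; the find | xargs form it replaces splits on
# whitespace in paths and hands directories to grep (errors hidden by 2>/dev/null).
grep -rn -- 'dbuse' /etc/ 2>/dev/null | grep cron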

删除

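# Remove the dropped cron scripts from every cron.* directory.
# The miner marks them immutable/append-only, so rm fails until the
# attributes are cleared with chattr; skip paths that are not present.
for f in /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig \
         /etc/cron.weekly/pwnrig /etc/cron.d/pwnrig /etc/cron.monthly/pwnrig; do
  [[ -e "$f" ]] || continue
  chattr -i -a "$f"   # clear immutable (i) and append-only (a) flags
  rm -rf -- "$f"      # -- stops option parsing; -r kept in case the entry is a directory
done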

依次查看rc.d init.d 系统服务

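# Inspect system services: list rc.d / init.d files under /etc referencing
# "dbuse", then delete the malicious init script.
grep -rn -- 'dbuse' /etc/ 2>/dev/null | grep rc
f=/etc/rc.d/init.d/pwnrig
if [[ -e "$f" ]]; then
  chattr -a -i "$f"   # clear append-only/immutable so rm can succeed
  rm -f -- "$f"
fi
# If the script was registered as a service, `chkconfig --del pwnrig` also
# removes the rc*.d start/stop symlinks that would otherwise dangle.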

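# Look for init.d files under /etc that reference "xms" (same recursive grep
# form as above; avoids the whitespace-unsafe find | xargs pipeline).
grep -rn -- 'xms' /etc/ 2>/dev/null | grep init.d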

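# Look for init.d files under /etc that reference "dbuse".
grep -rn -- 'dbuse' /etc/ 2>/dev/null | grep init.d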

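# Look for systemd units under /etc that reference "dbuse".
grep -rn -- 'dbuse' /etc/ 2>/dev/null | grep systemd
# Stop and disable the units before deleting their files so systemd does not
# keep the service running and the .wants symlink is removed cleanly.
# Errors are ignored because a unit may already be gone.
systemctl disable --now pwnrige.service pwnrigl.service 2>/dev/null || true
for f in \
  /etc/systemd/system/multi-user.target.wants/pwnrige.service \
  /usr/lib/systemd/system/pwnrigl.service \
  /etc/systemd/system/pwnrige.service; do
  # -L is needed because the .wants entry is normally a symlink
  [[ -e "$f" || -L "$f" ]] || continue
  chattr -a -i "$f"   # clear append-only/immutable flags
  rm -f -- "$f"
done
# Make systemd forget the deleted unit files.
systemctl daemon-reload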

删除以下文件

/bin/bprofr

/bin/sysdr

/bin/crondr

/bin/initdr

/usr/bin/bprofr

/usr/bin/sysdr

/usr/bin/crondr

/usr/bin/initdr

/tmp/dbused

/tmp/dbusex

/tmp/xms

/tmp/x86_64

/tmp/i686

/tmp/go

/tmp/x64b

/tmp/x32b

删除命令

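# Delete the dropped binaries. They are marked immutable/append-only, so clear
# the attributes first; paths that do not exist are skipped.
# NOTE: if one of these binaries is still running, it may be written back after
# deletion — check for the process (ps) and stop it before removing the files.
for f in /bin/bprofr /bin/sysdr /bin/crondr /bin/initdr \
         /usr/bin/bprofr /usr/bin/sysdr /usr/bin/crondr /usr/bin/initdr; do
  [[ -e "$f" ]] || continue
  chattr -i -a "$f"   # clear immutable (i) and append-only (a) flags
  rm -f -- "$f"
done
# /tmp payloads: some entries may be directories, so keep -r here.
for p in /tmp/dbused /tmp/dbusex /tmp/xms /tmp/x86_64 /tmp/i686 \
         /tmp/go /tmp/x64b /tmp/x32b; do
  [[ -e "$p" ]] || continue
  rm -rf -- "$p"
done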