Redis被pnscan病毒挟持挖矿

修改密码

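# The intruder set the append-only flag on the account files so that passwd and
# userdel fail with "Operation not permitted"; show the flags, then clear them
# (-ia clears the immutable flag too, in case it was set as well).
lsattr /etc/group /etc/passwd /etc/shadow
chattr -ia /etc/group /etc/passwd /etc/shadow

# Take the new password from the terminal instead of writing it into the command
# line, where it would be stored in shell history and visible to `ps` while running.
# (--stdin is the RHEL/CentOS passwd option; Debian-family systems use chpasswd.)
read -rs -p 'New root password: ' new_pass && printf '\n'
printf '%s\n' "$new_pass" | passwd --stdin root
unset new_pass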

删除so文件

#执行命令时报错,不管执行什么命令都会出现
ERROR: ld.so: object '/usr/local/lib/zrab.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.

vi /etc/ld.so.preload
/usr/local/lib/pscan.so
/usr/local/lib/pscan.so
/usr/local/lib/ext4.so
/usr/local/lib/zrab.so

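# The three libraries listed in /etc/ld.so.preload above (pscan.so appears twice
# there; the duplicate line is dropped here).
preload_libs=(/usr/local/lib/pscan.so /usr/local/lib/ext4.so /usr/local/lib/zrab.so)

# Show the current flags (expect i and/or a), then clear both so the files can be
# deleted. Note that /etc/ld.so.preload itself may carry the same flags; if the
# vi edit above could not be saved, run chattr -ia on that file as well.
lsattr "${preload_libs[@]}"
chattr -ia "${preload_libs[@]}"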

# chattr itself has been locked down, so repair it from a spare copy: an immutable
# file can still be read, and the copy does not inherit the flag.
tool=/usr/bin/chattr
spare=${tool}2
cp "$tool" "$spare"
chmod 755 "$spare"
"$spare" -i "$tool"
chmod 755 "$tool"
# Check that permissions and flags are back to normal. If chattr still misbehaves,
# the binary may have been replaced rather than flagged; compare it against the
# package that owns it. Remove the spare copy once chattr works again.
ls -la "$tool"
lsattr "$tool"

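# The preload libraries are plain files, so -f is enough (no -r needed); the
# repeated pscan.so line is dropped. If a sample is wanted for later analysis,
# copy the files somewhere safe before deleting them.
rm -f -- /usr/local/lib/pscan.so /usr/local/lib/ext4.so /usr/local/lib/zrab.so
# /etc/ld.so.preload must no longer name them, or every command keeps printing the
# "cannot be preloaded" error shown above.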

删除进程pnscan

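# List the scanner processes. pgrep matches on the process name and, unlike
# `ps | grep`, does not list its own grep line; -a prints the full command line.
pgrep -a pnscan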

# 先删除文件,再杀进程
[root@ecs-5613 cron]# find / -name pnscan
/usr/local/bin/pnscan
[root@ecs-5613 cron]# find / -name pnscan*
/usr/local/share/man/man1/pnscan.1.gz

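# Both paths found above are regular files (the binary and its man page), so -f
# without -r is sufficient. Keep a copy of the binary first if a sample is needed.
rm -f -- /usr/local/bin/pnscan /usr/local/share/man/man1/pnscan.1.gz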

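# List root's crontab, then inspect the spool directory itself: the a/i flags the
# intruder put on /var/spool/cron (see the crontab -e failure further down) are
# not visible through crontab -l. Other users' crontabs, /etc/crontab and
# /etc/cron.d are worth the same check.
crontab -l
cd /var/spool/cron/ && ls -la
lsattr -d /var/spool/cron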

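# Show the scanner's connections. The listing below is all SYN_SENT to port 6379
# on outside hosts: the process is hunting for other exposed Redis instances.
netstat -alntp | grep pnscan

# netstat was locked the same way as chattr (presumably immutable with the exec
# bit stripped). chattr has already been repaired above, so use it directly
# instead of making another renamed copy of it.
chattr -i /usr/bin/netstat
chmod 755 /usr/bin/netstat
ls -la /usr/bin/netstat
lsattr /usr/bin/netstat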

[root@ecs-5611 ~]# netstat -alntp | grep pnscan
tcp        0      1 192.168.0.82:48962      193.162.45.43:6379      SYN_SENT    1157537/pnscan      
tcp        0      1 192.168.0.82:43930      193.162.47.213:6379     SYN_SENT    1157537/pnscan      
tcp        0      1 192.168.0.82:39150      193.162.47.166:6379     SYN_SENT    1157537/pnscan      
tcp        0      1 192.168.0.82:58244      193.162.45.154:6379     SYN_SENT    1157537/pnscan      
tcp        0      1 192.168.0.82:41136      193.162.47.99:6379      SYN_SENT    1157537/pnscan    

# ss does not seem to work here (see the error below).
ss -alntp | grep -- pnscan
[root@ecs-5611 ~]# ss -lntp | grep pnscan
-bash: /usr/sbin/ss: 权限不够
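# The error above comes from /usr/sbin/ss, not /usr/bin/ss. The original lines
# also copied chattr to /usr/bin/ss (ss2 was intended), which leaves a stray copy
# of chattr named ss in /usr/bin and repairs nothing; if that cp already ran,
# remove the stray /usr/bin/ss by hand. chattr is already repaired, so use it on
# the real path.
ss_bin=/usr/sbin/ss
chattr -i "$ss_bin"
chmod 755 "$ss_bin"
ls -la "$ss_bin"
lsattr "$ss_bin"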

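# Kill the scanner by exact process name rather than a hand-copied PID
# (-x: match the whole name, so unrelated processes are not hit).
pkill -KILL -x pnscan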

删除进程[scan]

                                             
[root@ecs-5610 ~]# ps -ef | grep scan]
root      375238 2975644  0 10:46 pts/0    00:00:00 grep scan]
root     3660439       1  0 Sep01 ?        00:04:09 /bin/bash /var/tmp/.system/[scan]


# 第一个是系统的进程
[root@ecs-5613 ~]# ps -ef | grep scan
root        1386       1  0 18:49 ?        00:00:00 /sbin/mdadm --monitor --scan --syslog -f --pid-file=/run/mdadm/mdadm.pid
root     1337197 2165496  0 21:49 pts/1    00:00:00 grep scan
root     3428173       1 21 21:17 ?        00:06:48 /bin/bash /var/tmp/.system/[scan]

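# Quote the path: unquoted, [scan] is a shell character class (matches a file named
# s, c, a or n), and the literal file was only removed because no such file
# happened to exist.
rm -rf -- '/var/tmp/.system/[scan]'
# The hidden /var/tmp/.system directory was created by the intruder; inspect it and
# remove the whole directory once nothing legitimate is confirmed to live there.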

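# Terminate the bash process running the dropped script. pgrep -f matches the full
# command line and never lists itself; the brackets are escaped so [scan] is taken
# literally rather than as a regex class. xargs -r (GNU) runs nothing on no match.
pgrep -f -- '/var/tmp/\.system/\[scan\]' | xargs -r kill -9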

删除进程[crypto]

[root@ecs-5613 cron]# ps -ef | grep cry
root          60       2  0 18:49 ?        00:00:00 [crypto]
root          76       2  0 18:49 ?        00:00:00 [ecryptfs-kthrea]
root     2326734 2165496  0 22:56 pts/1    00:00:00 grep cry

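# In the listing above, [crypto] has PPID 2 (kthreadd) and apparently started at
# boot together with the other kernel threads: it is a regular kernel thread, not
# the malware, and kill has no effect on it. The original kill line here was a
# copy of the [scan] one and would have targeted the wrong process anyway.
ps -eo pid=,ppid=,args= | grep -- 'crypto]'
# Only a user-space impostor calling itself [crypto] (PPID other than 2) is suspect.
ps -eo pid=,ppid=,args= | awk '$3 == "[crypto]" && $2 != 2 { print $1 }' | xargs -r kill -9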


# 补充知识
[root@ecs-5613 cron]# ps -ef | grep redis
systemd+ 2212123 2212104  0 22:46 ?        00:00:01 redis-server 0.0.0.0:6379
root     2481489 2165496  0 23:11 pts/1    00:00:00 grep redis
[root@ecs-5613 cron]# lsof -p 2212123
COMMAND       PID             USER   FD      TYPE   DEVICE SIZE/OFF     NODE NAME
redis-ser 2212123 systemd-coredump  cwd       DIR   253,17     4096  3932163 /data
redis-ser 2212123 systemd-coredump  rtd       DIR     0,50     4096  2627423 /
redis-ser 2212123 systemd-coredump  txt       REG     0,50 10602264  3152826 /usr/local/bin/redis-server
redis-ser 2212123 systemd-coredump  mem       REG    253,2           3152826 /usr/local/bin/redis-server (stat: No such file or directory)
redis-ser 2212123 systemd-coredump  mem       REG    253,2           3148285 /lib/aarch64-linux-gnu/libc-2.28.so (stat: No such file or directory)
redis-ser 2212123 systemd-coredump  mem       REG    253,2           3148338 /lib/aarch64-linux-gnu/libpthread-2.28.so (stat: No such file or directory)
redis-ser 2212123 systemd-coredump  mem       REG    253,2           3148342 /lib/aarch64-linux-gnu/librt-2.28.so (stat: No such file or directory)
redis-ser 2212123 systemd-coredump  mem       REG    253,2           3148293 /lib/aarch64-linux-gnu/libdl-2.28.so (stat: No such file or directory)
redis-ser 2212123 systemd-coredump  mem       REG    253,2           3152814 /usr/lib/aarch64-linux-gnu/libatomic.so.1.2.0 (stat: No such file or directory)
redis-ser 2212123 systemd-coredump  mem       REG    253,2           3148308 /lib/aarch64-linux-gnu/libm-2.28.so (stat: No such file or directory)
redis-ser 2212123 systemd-coredump  mem       REG    253,2           3148271 /lib/aarch64-linux-gnu/ld-2.28.so (stat: No such file or directory)
redis-ser 2212123 systemd-coredump    0u      CHR      1,3      0t0 43777584 /dev/null
redis-ser 2212123 systemd-coredump    1w     FIFO     0,12      0t0 43774771 pipe
redis-ser 2212123 systemd-coredump    2w     FIFO     0,12      0t0 43774772 pipe
redis-ser 2212123 systemd-coredump    3r     FIFO     0,12      0t0 43773580 pipe
redis-ser 2212123 systemd-coredump    4w     FIFO     0,12      0t0 43773580 pipe
redis-ser 2212123 systemd-coredump    5u  a_inode     0,13        0    15249 [eventpoll]
redis-ser 2212123 systemd-coredump    6u     IPv4 43773581      0t0      TCP *:redis (LISTEN)
redis-ser 2212123 systemd-coredump    7w      REG   253,17       53  3932167 /data/appendonly.aof
[root@ecs-5613 cron]# 

定时任务

[root@ecs-5613 ~]# crontab -l
no crontab for root
[root@ecs-5613 ~]# 
[root@ecs-5613 ~]# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab
/var/spool/cron/#tmp.ecs-5613.XXXX8gxWNz: 不允许的操作
crontab: edits left in /tmp/crontab.948YAY

[root@ecs-5613 cron]# chattr -ai /var/spool/cron
[root@ecs-5613 cron]# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab

删除用户

#发现不明用户
[root@ecs-5613 cron]# cat /etc/passwd
hilde:x:1000:1000::/home/hilde:/bin/bash

[root@ecs-5613 cron]# userdel hilde
userdel:无法打开 /etc/passwd

[root@ecs-5613 cron]# lsattr /etc/passwd
-----a--------e----- /etc/passwd

#e 属性是默认就有的,不要去掉
[root@ecs-5613 cron]# chattr -a /etc/passwd

[root@ecs-5613 cron]# userdel hilde
userdel:无法打开 /etc/shadow

[root@ecs-5613 cron]# chattr -a /etc/shadow

# 成功删除
[root@ecs-5613 cron]# userdel hilde
[root@ecs-5613 cron]# 

[root@ecs-5613 ~]# rm -rf /home/hilde/
rm: 无法删除 '/home/hilde/.ssh/authorized_keys2': 不允许的操作
rm: 无法删除 '/home/hilde/.ssh/authorized_keys': 不允许的操作

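# Clear the append-only flag that made the rm above fail, then retry the removal.
# Consider copying the two key files elsewhere first: they show which public keys
# the intruder installed, which is useful when checking other hosts.
hilde_home=/home/hilde
chattr -a "$hilde_home/.ssh/authorized_keys2" "$hilde_home/.ssh/authorized_keys"
rm -rf -- "${hilde_home:?}/"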

删除公钥

黑客把自己的公钥放进 authorized_keys 后,就能免密登录

[root@ecs-5613 .ssh]# ll -a ~/.ssh
总用量 44
drwx------ 2 root root 4096  9月  1 22:37 .
dr-xr-x--- 9 root root 4096  9月  1 22:26 ..
-rw------- 1 root root 1584  9月  1 18:09 authorized_keys
-rw------- 1 root root 1584  9月  1 22:34 authorized_keys~
-rw------- 1 root root  399  9月  1 18:09 authorized_keys2
-rw------- 1 root root 1584  9月  1 22:37 authorized_keyx~
-rw------- 1 root root 1584  9月  1 22:37 authorized_keyy~
-rw------- 1 root root 1584  9月  1 22:35 authorized_keyz~
-rw------- 1 root root 1823  8月 13 09:39 id_rsa
-rw------- 1 root root  395  8月 13 09:39 id_rsa.pub
-rw-r--r-- 1 root root 2415  8月 24 17:40 known_hosts


[root@ecs-5613 .ssh]# lsattr ~/.ssh/authorized_keys
-----a-------------- /root/.ssh/authorized_keys

[root@ecs-5613 .ssh]# chattr -a ~/.ssh/authorized_keys
[root@ecs-5613 .ssh]# chattr -a ~/.ssh/authorized_keys2

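# Remove the intruder's entries from the file, keeping the legitimate keys.
vi ~/.ssh/authorized_keys
# Lock the cleaned file. Note that +i also blocks your own future key changes;
# run chattr -i before editing it again.
chattr +i ~/.ssh/authorized_keys
# Delete the leftover copies seen in the listing above (authorized_keys2, which
# sshd also reads by default, and the *~ backups). They are named explicitly
# instead of ~/.ssh/au* so the glob cannot hit the file just made immutable,
# which would only produce an "Operation not permitted" error.
rm -f -- ~/.ssh/authorized_keys2 ~/.ssh/authorized_key*~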

重启redis

# Bring Redis back up and follow its log. Before doing so, make sure the compose
# config no longer exposes it the way the ps output above shows (redis-server on
# 0.0.0.0:6379, reachable from anywhere): set requirepass and/or bind it to
# localhost or a private interface, otherwise the original entry path stays open.
docker-compose up -d \
  && docker-compose logs -f --tail=1000
