Redis被pnscan病毒劫持挖矿
修改密码
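# 修改密码
# /etc/passwd and /etc/shadow were given the append-only flag (lsattr on
# /etc/passwd further down shows -----a----), which makes passwd/userdel fail
# with "cannot open"; clear it before touching the accounts. -ia also clears +i
# in case it was set, matching the flags stripped from the .so files below.
lsattr /etc/group /etc/passwd /etc/shadow
chattr -ia /etc/group /etc/passwd /etc/shadow
# Take the new password from the environment rather than a literal on the
# command line, so it does not end up in the shell history; passwd --stdin
# reads it from stdin as before.
: "${NEW_ROOT_PASSWORD:?set NEW_ROOT_PASSWORD to the new root password}"
printf '%s\n' "$NEW_ROOT_PASSWORD" | passwd --stdin root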
删除so文件
#执行命令时报错,不管执行什么命令都报这个错
ERROR: ld.so: object '/usr/local/lib/zrab.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
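# The ld.so ERROR above names /etc/ld.so.preload: every new process is told to
# load the objects listed there before anything else. vi is interactive and the
# page does not record what (if anything) was edited, so show the file
# non-interactively; the entries found on this host are listed below (pscan.so
# twice). As script lines the bare paths would be executed as commands.
cat /etc/ld.so.preload
#   /usr/local/lib/pscan.so
#   /usr/local/lib/pscan.so
#   /usr/local/lib/ext4.so
#   /usr/local/lib/zrab.so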
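#查看文件属性 / 去掉属性 / 删除
# The preloaded objects are flag-locked (+i/+a) and, as noted below, chattr
# itself could not be used, so in the original order the first chattr -ia pass
# did nothing. Repair chattr first, then unlock and delete each object.
preload_objs=(
  /usr/local/lib/pscan.so
  /usr/local/lib/ext4.so
  /usr/local/lib/zrab.so
)
#发现chattr不能使用
# A copy of the chattr binary does not inherit the original's inode flags, so
# the copy can clear +i on the original; the chmod lines restore the execute
# bit, which is presumably what made chattr unusable (the page only records the
# symptom). The copy is called by full path in case PATH was tampered with.
cp -- /usr/bin/chattr /usr/bin/chattr2
chmod 755 -- /usr/bin/chattr2
/usr/bin/chattr2 -i /usr/bin/chattr
chmod 755 -- /usr/bin/chattr
ls -la -- /usr/bin/chattr
lsattr /usr/bin/chattr
for obj in "${preload_objs[@]}"; do
  lsattr "$obj"
  chattr -ia "$obj"
  # plain files: -r is not needed, -- guards against odd names
  rm -f -- "$obj"
done
# Deleting the objects is not enough: /etc/ld.so.preload still names them and
# the loader keeps printing the ERROR line for every command. The list file may
# be flag-locked like the objects, so clear the flags and truncate it.
lsattr /etc/ld.so.preload
chattr -ia /etc/ld.so.preload
: > /etc/ld.so.preload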
删除进程pnscan
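# 查看进程
# '[p]nscan' keeps grep from matching its own command line (the transcripts
# further down show the "grep scan" line turning up in the results).
ps -ef | grep '[p]nscan'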
# 先删除文件,再杀进程
[root@ecs-5613 cron]# find / -name pnscan
/usr/local/bin/pnscan
[root@ecs-5613 cron]# find / -name pnscan*
/usr/local/share/man/man1/pnscan.1.gz
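# 删除文件
# Both paths come from the find output above. They are plain files, so -r is
# not needed. If rm reports "Operation not permitted" the binary is flag-locked
# like the .so files were; lsattr shows that, and chattr -ia clears it.
lsattr /usr/local/bin/pnscan
rm -f -- /usr/local/bin/pnscan /usr/local/share/man/man1/pnscan.1.gz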
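# 查看有没有定时任务
crontab -l
# root's crontab is only one place to look: other users' spool files and
# /etc/cron.d can carry jobs too, and the spool directory itself may be
# flag-locked (the transcript further down shows crontab -e failing with
# "Operation not permitted" until chattr -ai /var/spool/cron).
ls -la -- /var/spool/cron/
lsattr -d /var/spool/cron
ls -la -- /etc/cron.d/
cd /var/spool/cron/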
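# 查看网络连接
netstat -alntp | grep '[p]nscan'
# 解决netstat不能使用
# The original copied chattr under the misleading name netstat2 to unlock
# netstat. By this point chattr itself has already been repaired (the chattr2
# step above), so the copy is redundant: clear +i on netstat directly and
# restore its execute bit.
chattr -i /usr/bin/netstat
chmod 755 -- /usr/bin/netstat
ls -la -- /usr/bin/netstat
lsattr /usr/bin/netstat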
[root@ecs-5611 ~]# netstat -alntp | grep pnscan
tcp 0 1 192.168.0.82:48962 193.162.45.43:6379 SYN_SENT 1157537/pnscan
tcp 0 1 192.168.0.82:43930 193.162.47.213:6379 SYN_SENT 1157537/pnscan
tcp 0 1 192.168.0.82:39150 193.162.47.166:6379 SYN_SENT 1157537/pnscan
tcp 0 1 192.168.0.82:58244 193.162.45.154:6379 SYN_SENT 1157537/pnscan
tcp 0 1 192.168.0.82:41136 193.162.47.99:6379 SYN_SENT 1157537/pnscan
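# ss貌似看不了
# Same self-match guard as for ps. The transcript below shows ss itself failing
# with permission denied; that is repaired in the next step.
ss -alntp | grep '[p]nscan'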
[root@ecs-5611 ~]# ss -lntp | grep pnscan
-bash: /usr/sbin/ss: 权限不够
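# 解决ss不能使用
# Bug in the original: `cp /usr/bin/chattr /usr/bin/ss` overwrote ss with a
# copy of chattr, and the following lines referred to a non-existent ss2. The
# error above comes from /usr/sbin/ss ("权限不够" = permission denied), so that
# is the binary to unlock and re-mark executable; chattr is already repaired.
# NOTE(review): if the original cp was already run, /usr/bin/ss now holds a
# copy of chattr and should be removed as well.
ss_bin=/usr/sbin/ss
chattr -i "$ss_bin"
chmod 755 -- "$ss_bin"
ls -la -- "$ss_bin"
lsattr "$ss_bin"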
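# 杀进程
# The original leaves a PID placeholder to be copied from the netstat output
# (1157537/pnscan above). pkill -x matches the exact process name instead, so a
# mistyped PID cannot hit an unrelated process. -9 is kept on purpose: the
# malware may trap or ignore SIGTERM.
pkill -9 -x pnscan || printf 'no running pnscan process\n' >&2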
删除进程[scan]
[root@ecs-5610 ~]# ps -ef | grep scan]
root 375238 2975644 0 10:46 pts/0 00:00:00 grep scan]
root 3660439 1 0 Sep01 ? 00:04:09 /bin/bash /var/tmp/.system/[scan]
# 第一个(mdadm --monitor)是系统自身的进程,不要杀
[root@ecs-5613 ~]# ps -ef | grep scan
root 1386 1 0 18:49 ? 00:00:00 /sbin/mdadm --monitor --scan --syslog -f --pid-file=/run/mdadm/mdadm.pid
root 1337197 2165496 0 21:49 pts/1 00:00:00 grep scan
root 3428173 1 21 21:17 ? 00:06:48 /bin/bash /var/tmp/.system/[scan]
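# 删除文件
# [scan] must be quoted: unquoted it is a glob matching a single-character name
# (s, c, a or n), so the literal file is only hit when nothing else matches.
# The hidden directory may hold more of the kit; list it before deleting.
ls -la -- /var/tmp/.system/
rm -rf -- '/var/tmp/.system/[scan]'
# 杀进程
# The impostor is "/bin/bash /var/tmp/.system/[scan]" with PPID 1; a genuine
# kernel thread has PPID 2 and no /bin in its command, which is what the
# `grep /bin` filter keeps out. '[s]can]' stops grep matching itself.
scan_pids=$(ps -ef | grep '[s]can]' | grep /bin | awk '{print $2}')
if [[ -n "$scan_pids" ]]; then
  # intentionally unquoted: one PID per word
  kill -9 $scan_pids
else
  printf 'no fake [scan] process found\n' >&2
fi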
删除进程[crypto]
[root@ecs-5613 cron]# ps -ef | grep cry
root 60 2 0 18:49 ? 00:00:00 [crypto]
root 76 2 0 18:49 ? 00:00:00 [ecryptfs-kthrea]
root 2326734 2165496 0 22:56 pts/1 00:00:00 grep cry
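# Unlike the [scan] case, the [crypto] shown above has PPID 2 (a child of
# kthreadd) and no /bin in its command: that is a genuine kernel thread, not
# part of the miner, and the `grep /bin` filter is what keeps it off the kill
# list.
ps -ef | grep '[c]rypto]'
# Bug in the original: the kill line was copied from the [scan] step and still
# searched for "scan]", so it never targeted a [crypto] impostor at all.
crypto_pids=$(ps -ef | grep '[c]rypto]' | grep /bin | awk '{print $2}')
if [[ -n "$crypto_pids" ]]; then
  # intentionally unquoted: one PID per word
  kill -9 $crypto_pids
else
  printf 'no user-space [crypto] impostor found (kernel thread left alone)\n' >&2
fi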
# 补充知识
[root@ecs-5613 cron]# ps -ef | grep redis
systemd+ 2212123 2212104 0 22:46 ? 00:00:01 redis-server 0.0.0.0:6379
root 2481489 2165496 0 23:11 pts/1 00:00:00 grep redis
[root@ecs-5613 cron]# lsof -p 2212123
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
redis-ser 2212123 systemd-coredump cwd DIR 253,17 4096 3932163 /data
redis-ser 2212123 systemd-coredump rtd DIR 0,50 4096 2627423 /
redis-ser 2212123 systemd-coredump txt REG 0,50 10602264 3152826 /usr/local/bin/redis-server
redis-ser 2212123 systemd-coredump mem REG 253,2 3152826 /usr/local/bin/redis-server (stat: No such file or directory)
redis-ser 2212123 systemd-coredump mem REG 253,2 3148285 /lib/aarch64-linux-gnu/libc-2.28.so (stat: No such file or directory)
redis-ser 2212123 systemd-coredump mem REG 253,2 3148338 /lib/aarch64-linux-gnu/libpthread-2.28.so (stat: No such file or directory)
redis-ser 2212123 systemd-coredump mem REG 253,2 3148342 /lib/aarch64-linux-gnu/librt-2.28.so (stat: No such file or directory)
redis-ser 2212123 systemd-coredump mem REG 253,2 3148293 /lib/aarch64-linux-gnu/libdl-2.28.so (stat: No such file or directory)
redis-ser 2212123 systemd-coredump mem REG 253,2 3152814 /usr/lib/aarch64-linux-gnu/libatomic.so.1.2.0 (stat: No such file or directory)
redis-ser 2212123 systemd-coredump mem REG 253,2 3148308 /lib/aarch64-linux-gnu/libm-2.28.so (stat: No such file or directory)
redis-ser 2212123 systemd-coredump mem REG 253,2 3148271 /lib/aarch64-linux-gnu/ld-2.28.so (stat: No such file or directory)
redis-ser 2212123 systemd-coredump 0u CHR 1,3 0t0 43777584 /dev/null
redis-ser 2212123 systemd-coredump 1w FIFO 0,12 0t0 43774771 pipe
redis-ser 2212123 systemd-coredump 2w FIFO 0,12 0t0 43774772 pipe
redis-ser 2212123 systemd-coredump 3r FIFO 0,12 0t0 43773580 pipe
redis-ser 2212123 systemd-coredump 4w FIFO 0,12 0t0 43773580 pipe
redis-ser 2212123 systemd-coredump 5u a_inode 0,13 0 15249 [eventpoll]
redis-ser 2212123 systemd-coredump 6u IPv4 43773581 0t0 TCP *:redis (LISTEN)
redis-ser 2212123 systemd-coredump 7w REG 253,17 53 3932167 /data/appendonly.aof
[root@ecs-5613 cron]#
定时任务
[root@ecs-5613 ~]# crontab -l
no crontab for root
[root@ecs-5613 ~]#
[root@ecs-5613 ~]# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab
/var/spool/cron/#tmp.ecs-5613.XXXX8gxWNz: 不允许的操作
crontab: edits left in /tmp/crontab.948YAY
[root@ecs-5613 cron]# chattr -ai /var/spool/cron
[root@ecs-5613 cron]# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab
删除用户
#发现不明用户
[root@ecs-5613 cron]# cat /etc/passwd
hilde:x:1000:1000::/home/hilde:/bin/bash
[root@ecs-5613 cron]# userdel hilde
userdel:无法打开 /etc/passwd
[root@ecs-5613 cron]# lsattr /etc/passwd
-----a--------e----- /etc/passwd
# e 属性是默认就有的,不要去掉
[root@ecs-5613 cron]# chattr -a /etc/passwd
[root@ecs-5613 cron]# userdel hilde
userdel:无法打开 /etc/shadow
[root@ecs-5613 cron]# chattr -a /etc/shadow
# 成功删除
[root@ecs-5613 cron]# userdel hilde
[root@ecs-5613 cron]#
[root@ecs-5613 ~]# rm -rf /home/hilde/
rm: 无法删除 '/home/hilde/.ssh/authorized_keys2': 不允许的操作
rm: 无法删除 '/home/hilde/.ssh/authorized_keys': 不允许的操作
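# rm -rf /home/hilde/ above stopped on these two files ("Operation not
# permitted"): they are flag-locked like /etc/passwd was. -ia clears both the
# append-only and immutable flags; then the removal is retried, which the page
# never does. (userdel -r hilde would have removed the home directory in one
# step once the flags were gone.)
# NOTE(review): the keys in this authorized_keys are presumably the attacker's —
# keep a copy for the incident record before deleting if one is being kept.
chattr -ia /home/hilde/.ssh/authorized_keys2 /home/hilde/.ssh/authorized_keys
rm -rf -- /home/hilde/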
删除公钥
黑客把自己的公钥放进 authorized_keys 后,就能免密登录
[root@ecs-5613 .ssh]# ll -a ~/.ssh
总用量 44
drwx------ 2 root root 4096 9月 1 22:37 .
dr-xr-x--- 9 root root 4096 9月 1 22:26 ..
-rw------- 1 root root 1584 9月 1 18:09 authorized_keys
-rw------- 1 root root 1584 9月 1 22:34 authorized_keys~
-rw------- 1 root root 399 9月 1 18:09 authorized_keys2
-rw------- 1 root root 1584 9月 1 22:37 authorized_keyx~
-rw------- 1 root root 1584 9月 1 22:37 authorized_keyy~
-rw------- 1 root root 1584 9月 1 22:35 authorized_keyz~
-rw------- 1 root root 1823 8月 13 09:39 id_rsa
-rw------- 1 root root 395 8月 13 09:39 id_rsa.pub
-rw-r--r-- 1 root root 2415 8月 24 17:40 known_hosts
[root@ecs-5613 .ssh]# lsattr ~/.ssh/authorized_keys
-----a-------------- /root/.ssh/authorized_keys
[root@ecs-5613 .ssh]# chattr -a ~/.ssh/authorized_keys
[root@ecs-5613 .ssh]# chattr -a ~/.ssh/authorized_keys2
# Remove the attacker's public key. authorized_keys carried +a (lsattr above)
# and was cleared with chattr -a just before this; vi is interactive, so the
# actual deletion of the foreign key line is done by hand here and is not
# recorded on the page.
vi ~/.ssh/authorized_keys
# Lock the cleaned file with +i so it cannot be appended to or deleted again.
# NOTE(review): +i also blocks legitimate key rotation until chattr -i is run.
chattr +i ~/.ssh/authorized_keys
# Delete the rest: the glob covers authorized_keys2 (the 399-byte file, which
# sshd reads by default as a second key file) and the authorized_key*~ backup
# copies in the listing above. authorized_keys itself also matches au* but
# survives only because of the +i set on the previous line — the order of
# these two commands matters.
# NOTE(review): ~/.ssh/id_rsa is also in the listing; a private key on a host
# that was root-compromised should be treated as exposed — consider rotating it.
rm -f ~/.ssh/au*
重启redis
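# 重启redis
# Before bringing Redis back, confirm nothing from the infection is still
# active: /etc/ld.so.preload must be empty (otherwise the ld.so ERROR keeps
# appearing) and no pnscan process may remain, or the restarted service is
# simply re-used.
[[ -s /etc/ld.so.preload ]] && printf 'warning: /etc/ld.so.preload is not empty\n' >&2
pgrep -a -x pnscan && printf 'warning: pnscan is still running\n' >&2
# The title attributes the compromise to Redis, and lsof above shows
# redis-server listening on all interfaces (0.0.0.0:6379 / *:redis). Its config
# is not shown here; restrict that port (bind / requirepass / protected-mode in
# redis.conf, or a firewall rule) in the compose setup before exposing it again.
docker-compose up -d && docker-compose logs -f --tail=1000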