Mining Worm Analysis and Remediation

1. Main indicators of the Watchdogs mining worm, and how they change in the kthrotlds variant.

ps -ef | grep watchdogs # malicious process watchdogs is running
ps -ef | grep ksoftirqds # malicious process ksoftirqds is running (note the trailing "s": the kernel's own ksoftirqd/N threads are legitimate)
chkconfig | grep watchdogs # malicious boot-time service watchdogs is registered
ldd `which ps` | grep libioset.so # ps, rm and other commands are hijacked by a library injected through /etc/ld.so.preload
crontab -l | grep pastebin # malicious cron job that re-downloads the worm

In the variant, the watchdogs process is renamed kthrotlds
libioset.so is renamed libcset.so
the watchdogs boot-time service is renamed netdns
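The checks above use the original names only. The scan below is an added example, not part of the original post or of the DDG_MalWare_Clean_Tool, and combines the indicators for both the Watchdogs and the kthrotlds naming: the /etc/ld.so.preload entry, the files dropped on disk, cron jobs that pull from pastebin, and the process names. It takes a root directory so it can be pointed at a staged tree, and an optional captured process list, so it also serves as a post-cleanup verification; on a live infected host run it under `busybox sh` so the hooking library is not loaded into the shell itself. The function name `scan_worm_iocs`, the ROOT and PS_CAPTURE parameters and the constructed sample data are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or DDG_MalWare_Clean_Tool.
# Scans for the Watchdogs / kthrotlds indicators, both name sets at once.

# Use busybox for grep/cat/ps when available: it is statically linked, so the
# library injected via /etc/ld.so.preload cannot filter what these tools see.
BB=""
command -v busybox >/dev/null 2>&1 && BB=busybox

# Indicators from the post: original name first, variant second.
PROC_NAMES="watchdogs kthrotlds ksoftirqds"
PRELOAD_LIBS="libioset.so libcset.so"
DROPPED_FILES="usr/local/lib/libioset.so usr/local/lib/libcset.so
tmp/watchdogs tmp/kthrotlds usr/sbin/watchdogs usr/sbin/kthrotlds
etc/rc.d/init.d/watchdogs etc/rc.d/init.d/kthrotlds etc/init.d/netdns"
CRON_FILES="etc/cron.d/tomcat etc/cron.d/root var/spool/cron/root var/spool/cron/crontabs/root"

# scan_worm_iocs ROOT [PS_CAPTURE]
#   ROOT        "/" for the live host, or a staged directory tree
#   PS_CAPTURE  optional file holding a process list (one process per line);
#               when omitted, the live process list is used
# Prints one line per finding; exit status is the number of findings (0 = clean).
scan_worm_iocs() {
    root="${1%/}"; ps_file="$2"; hits=0

    # 1. /etc/ld.so.preload naming the hooking library (what `ldd $(which ps)` reveals)
    if [ -f "$root/etc/ld.so.preload" ]; then
        for lib in $PRELOAD_LIBS; do
            if $BB grep -q "$lib" "$root/etc/ld.so.preload"; then
                echo "preload: /etc/ld.so.preload references $lib"
                hits=$((hits + 1))
            fi
        done
    fi

    # 2. Hooking library, miner binaries and init scripts on disk
    for f in $DROPPED_FILES; do
        if [ -e "$root/$f" ]; then
            echo "file: /$f present"
            hits=$((hits + 1))
        fi
    done

    # 3. Cron jobs fetching the worm from pastebin (what `crontab -l | grep pastebin` finds)
    for c in $CRON_FILES; do
        if [ -f "$root/$c" ] && $BB grep -qi pastebin "$root/$c"; then
            echo "cron: /$c downloads from pastebin"
            hits=$((hits + 1))
        fi
    done

    # 4. Running processes; -w keeps the kernel's own ksoftirqd/N threads from matching
    if [ -n "$ps_file" ]; then
        pslist=$($BB cat "$ps_file")
    elif [ -n "$BB" ]; then
        pslist=$($BB ps)
    else
        pslist=$(ps -eo pid,comm)
    fi
    for name in $PROC_NAMES; do
        if printf '%s\n' "$pslist" | $BB grep -qw "$name"; then
            echo "process: $name running"
            hits=$((hits + 1))
        fi
    done

    echo "$hits indicator(s) found"
    return "$hits"
}
```

On a live host the call is `scan_worm_iocs /`; a non-zero exit status after running the cleanup scripts means something survived and the host should not be put back into service.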

2. Remediation
Upload busybox into the system's /bin/ directory, then run clear.sh (original Watchdogs) or clear_kthrotlds.sh (kthrotlds variant); running both is harmless. busybox is used because it is statically linked: it never goes through /etc/ld.so.preload, so its ps, rm and grep are not affected by the hooking library that hides the worm's processes and files from the system's own tools.
busybox download: https://github.com/MoreSecLab/DDG_MalWare_Clean_Tool
Script reference:
clear.sh:

service crond stop
# Unhook libc first. /etc/ld.so.preload injects libioset.so into every
# dynamically linked process, and the worm marks the file immutable, so the
# attribute must be cleared before rm can succeed. busybox is statically
# linked, so the preloaded library cannot hide files or processes from it.
chattr -i /etc/ld.so.preload
busybox rm -f /etc/ld.so.preload
chattr -i /usr/local/lib/libioset.so
busybox rm -f /usr/local/lib/libioset.so
# Kill the malicious processes. The bundled busybox ps prints the PID in
# column 1, so awk '{print $1}' is correct here (GNU ps -ef would put the UID
# there). xargs -r skips the kill when nothing matched.
busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs -r kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'watchdogs' | busybox awk '{print $1}' | busybox xargs -r kill -9
# Remove the dropped binary, the cron jobs and the init script
busybox rm -f /tmp/watchdogs
busybox rm -f /etc/cron.d/tomcat
busybox rm -f /etc/cron.d/root
busybox rm -f /var/spool/cron/root
busybox rm -f /var/spool/cron/crontabs/root
busybox rm -f /etc/rc.d/init.d/watchdogs
busybox rm -f /usr/sbin/watchdogs
ldconfig
# Kill again in case cron or the init script respawned them in the meantime
busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs -r kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'watchdogs' | busybox awk '{print $1}' | busybox xargs -r kill -9
# Remove the boot-time entry (the option is --del, two hyphens)
chkconfig watchdogs off
chkconfig --del watchdogs
service crond start
echo "Done, Please reboot!"

clear_kthrotlds.sh:

service crond stop
# Unhook libc first: same preload mechanism, the library is now libcset.so.
# Clear the immutable attribute before removing, then delete with the
# statically linked busybox so the hook cannot interfere.
chattr -i /etc/ld.so.preload
busybox rm -f /etc/ld.so.preload
chattr -i /usr/local/lib/libcset.so
busybox rm -f /usr/local/lib/libcset.so
# Kill the malicious processes (PID is column 1 in the bundled busybox ps;
# xargs -r skips the kill when nothing matched)
busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs -r kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' | busybox xargs -r kill -9
# Remove the dropped binary, the cron jobs and the init scripts
# (the boot-time service is now called netdns)
busybox rm -f /tmp/kthrotlds
busybox rm -f /etc/cron.d/tomcat
busybox rm -f /etc/cron.d/root
busybox rm -f /var/spool/cron/root
busybox rm -f /var/spool/cron/crontabs/root
busybox rm -f /etc/rc.d/init.d/kthrotlds
busybox rm -f /usr/sbin/kthrotlds
busybox rm -f /etc/init.d/netdns
ldconfig
# Kill again in case cron or the init script respawned them in the meantime
busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs -r kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' | busybox xargs -r kill -9
# Remove the boot-time entry (the option is --del, two hyphens)
chkconfig netdns off
chkconfig --del netdns
service crond start
echo "Done, Please reboot!"
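The two scripts differ only in three names: the miner process, the hooking library and the SysV service. The routine below is an added example, not one of the DDG_MalWare_Clean_Tool scripts, that takes those names as parameters and therefore covers both variants in one place. It clears the immutable attribute before every removal, verifies that each file is actually gone, and only kills processes or touches chkconfig/crond when run against the live root (`/`), so the file-removal part can be rehearsed against a staged copy of the tree first. `clean_variant`, `remove_path`, `kill_by_name` and the ROOT parameter are this example's own names.

```shell
#!/bin/sh
# Added example, not part of the original post or DDG_MalWare_Clean_Tool.
# Generalises clear.sh / clear_kthrotlds.sh: one routine, three names per variant.

# Prefer a (statically linked) busybox for ps/rm/grep/awk: it bypasses
# /etc/ld.so.preload, so the hooking library cannot hide processes or files.
BB=""
command -v busybox >/dev/null 2>&1 && BB=busybox

# Cron droppers removed by both scripts (paths relative to ROOT).
COMMON_FILES="etc/cron.d/tomcat etc/cron.d/root var/spool/cron/root var/spool/cron/crontabs/root"

# remove_path PATH: clear the immutable bit (the worm sets it on
# /etc/ld.so.preload), delete, and report failure if the file is still there.
remove_path() {
    p="$1"
    [ -e "$p" ] || return 0
    chattr -i "$p" 2>/dev/null || true      # harmless where unsupported or absent
    $BB rm -f "$p"
    if [ -e "$p" ]; then
        echo "FAILED: $p still present" >&2
        return 1
    fi
    echo "removed $p"
}

# kill_by_name NAME: SIGKILL every process whose listing matches NAME as a word.
# Both busybox ps and GNU `ps -e` print the PID in column 1.
kill_by_name() {
    if [ -n "$BB" ]; then pslist=$($BB ps); else pslist=$(ps -e); fi
    pids=$(printf '%s\n' "$pslist" | $BB grep -w "$1" | $BB awk '{print $1}')
    for pid in $pids; do
        kill -9 "$pid" 2>/dev/null && echo "killed $1 (pid $pid)"
    done
}

# clean_variant ROOT PROC LIB INIT
#   ROOT  "/" for the live system, or a staged copy for a rehearsal
#   PROC  miner process name:  watchdogs | kthrotlds
#   LIB   hooking library:     libioset.so | libcset.so
#   INIT  SysV service name:   watchdogs | netdns
clean_variant() {
    root="${1%/}"; proc="$2"; lib="$3"; init="$4"
    live=0; if [ -z "$root" ]; then live=1; fi
    rc=0

    if [ "$live" = 1 ]; then service crond stop; fi

    # 1. Unhook libc first so every later command sees the real system.
    remove_path "$root/etc/ld.so.preload" || rc=1
    remove_path "$root/usr/local/lib/$lib" || rc=1
    if [ "$live" = 1 ]; then
        ldconfig
        kill_by_name ksoftirqds
        kill_by_name "$proc"
    fi

    # 2. Dropped binary, cron jobs and init scripts.
    #    (/etc/init.d is the same directory as /etc/rc.d/init.d on RHEL-family systems.)
    for f in "tmp/$proc" "usr/sbin/$proc" "etc/rc.d/init.d/$proc" \
             "etc/init.d/$init" $COMMON_FILES; do
        remove_path "$root/$f" || rc=1
    done

    # 3. Kill again (cron or the init script may have respawned them), then
    #    drop the boot-time entry and bring cron back.
    if [ "$live" = 1 ]; then
        kill_by_name ksoftirqds
        kill_by_name "$proc"
        chkconfig "$init" off 2>/dev/null || true
        chkconfig --del "$init" 2>/dev/null || true
        service crond start
        echo "Done, please reboot."
    fi
    return "$rc"
}

# Usage on a live host (as root, ideally under busybox sh):
#   clean_variant / watchdogs libioset.so watchdogs    # original Watchdogs
#   clean_variant / kthrotlds libcset.so netdns        # kthrotlds variant
```

A non-zero return from `clean_variant` means at least one file could not be removed; re-run the scan from the indicators section before putting the host back into service, and reboot as the original scripts ask.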