服务器挖矿病毒查杀(crontab pastebin.com)

服务器异常症状

  • CPU使用率过高,网络出口流量异常;
  • crontab异常,出现 pastebian.com 相关的 wget 命令

查杀方法

安装busybox

wget http://busybox.net/downloads/busybox-1.21.0.tar.bz2
yum -y install bzip2
tar -xvf busybox-1.21.0.tar.bz2
cd ./busybox-1.21.0
make defconfig
make
make install
ln -s `pwd`/busybox /usr/bin/busybox
busybox|grep BusyBox |grep v

如果出现以下信息,说明安装成功

BusyBox v1.21.0 (2019-04-15 19:51:44 CST) multi-call binary.

注意,部分挖矿病毒会修改动态链接库,用 vim 打开下面文件,并注释掉其中的内容

vim /etc/ld.so.preload

运行下面的查杀脚本

#!/bin/bash
#可以重复执行几次,防止互相拉起导致删除失败

function installBusyBox(){
    #参考第一段
    busybox|grep BusyBox |grep v
}

function banHosts(){
    #删除免密认证,防止继续通过ssh进行扩散,后续需自行恢复,可不执行
    busybox echo "" > /root/.ssh/authorized_keys
    busybox echo "" > /root/.ssh/id_rsa
    busybox echo "" > /root/.ssh/id_rsa.pub
    busybox echo "" > /root/.ssh/known_hosts
    busybox echo "" > /root/.ssh/auth
    #iptables -I INPUT -p tcp --dport 445 -j DROP
    busybox echo -e "\n0.0.0.0 pastebin.com\n0.0.0.0 thyrsi.com" >> /etc/hosts
}


function fixCron(){
    #修复crontab
    busybox chattr -i  /etc/cron.d/root  2>/dev/null
    busybox rm -f /etc/cron.d/root
    busybox chattr -i /var/spool/cron/root  2>/dev/null
    busybox rm -f /var/spool/cron/root
    busybox chattr -i /var/spool/cron/tomcat  2>/dev/null
    busybox rm -f /var/spool/cron/tomcat
    busybox chattr -i /var/spool/cron/crontabs/root  2>/dev/null
    busybox rm -f /var/spool/cron/crontabs/root
    busybox rm -rf /var/spool/cron/tmp.*
    busybox rm -rf /var/spool/cron/crontabs
    busybox touch /var/spool/cron/root
    busybox chattr +i /var/spool/cron/root
}

function killProcess(){
    #修复异常进程
    busybox ps -ef | busybox grep -v grep | busybox grep 'kerberods' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9 2>/dev/null
    busybox ps -ef | busybox grep -v grep | busybox grep 'khugepageds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9  2>/dev/null
    busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9  2>/dev/null
    busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9  2>/dev/null
    busybox ps -ef | busybox grep -v grep | busybox egrep 'kpsmouseds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9  2>/dev/null
    busybox ps -ef | busybox grep -v grep | busybox egrep 'kintegrityds' | busybox awk '{print $1}' |busybox sed "s/root//g" | busybox xargs kill -9  2>/dev/null
    busybox rm -f /tmp/khugepageds
    busybox rm -f /usr/sbin/kerberods
    busybox rm -f /usr/sbin/kthrotlds
    busybox rm -f /usr/sbin/kintegrityds
    busybox rm -f /usr/sbin/kpsmouseds
    busybox find /tmp -mtime -4 -type f | busybox xargs busybox rm -rf
}


function clearLib(){
    #修复动态库
    busybox rm -f /etc/ld.so.preload
    busybox rm -f /usr/local/lib/libcryptod.so
    busybox rm -f /usr/local/lib/libcset.so
    busybox chattr -i /etc/ld.so.preload 2>/dev/null
    busybox chattr -i /usr/local/lib/libcryptod.so  2>/dev/null
    busybox chattr -i /usr/local/lib/libcset.so 2>/dev/null
    busybox find /usr/local/lib/ -mtime -4 -type f| busybox xargs rm -rf
    busybox find /lib/ -mtime -4 -type f| busybox xargs rm -rf
    busybox find /lib64/ -mtime -4 -type f| busybox xargs rm -rf
    busybox rm -f /etc/ld.so.cache
    busybox rm -f /etc/ld.so.preload
    busybox rm -f /usr/local/lib/libcryptod.so
    busybox rm -f /usr/local/lib/libcset.so
    busybox rm -rf /usr/local/lib/libdevmapped.so
    busybox rm -rf /usr/local/lib/libpamcd.so 
    busybox rm -rf /usr/local/lib/libdevmapped.so
    busybox touch /etc/ld.so.preload
    busybox chattr +i /etc/ld.so.preload
    ldconfig
}

function clearInit(){
    #修复异常开机项
    #chkconfig netdns off 2>/dev/null
    #chkconfig –del netdns 2>/dev/null
    #systemctl disable netdns 2>/dev/null
    busybox rm -f /etc/rc.d/init.d/kerberods
    busybox rm -f /etc/init.d/netdns
    busybox rm -f /etc/rc.d/init.d/kthrotlds
    busybox rm -f /etc/rc.d/init.d/kpsmouseds
    busybox rm -f /etc/rc.d/init.d/kintegrityds
    #chkconfig watchdogs off 2>/dev/null
    #chkconfig --del watchdogs 2>/dev/null
    #chkconfig --del kworker 2>/dev/null
    #chkconfig --del netdns 2>/dev/null
}

function recoverOk(){
    service crond start
    busybox sleep 3
    busybox chattr -i /var/spool/cron/root
    echo "OK,BETTER REBOOT YOUR DEVICE"
}

#先停止crontab服务
service crond stop
#防止病毒继续扩散
banHosts
#清除lib劫持
clearLib
#修复crontab
fixCron
killProcess
clearLib
killProcess
#删除异常开机项
clearInit
fixCron

recoverOk

以上的操作要尽快执行,执行后 reboot 你的服务器。

如果发现没有清除干净,请重复执行上面的步骤。

发表评论

电子邮件地址不会被公开。 必填项已用*标注