
Notes on removing the Monero miner xmr-stak

News | tysonrapz1984 | 90℃ | 0 comments

I was recently collecting inventory data on our servers when I noticed that a rarely used ZenTao (禅道) server had abnormally high CPU usage. It started with a check of whether ZenTao was actually running; while troubleshooting I spotted a strange folder in root's home directory with XMR in its name. Hm, isn't XMR Monero? I ran top and, sure enough, it was a cryptomining virus.

Shell

[root@localhost opt]# ll
total 3140
drwxr-xr-x.  3 root root         25 Apr  6 19:34 rh
drwxr-xr-x.  9 root root       4096 Apr  6 19:42 xmr-stak
-rw-r--r--.  1 root root    3203299 Jul 13 14:01 xmr-stak.tar.gz
drwxr-xr-x. 10 1000 nogroup    4096 Nov  6  2017 zbox
[root@localhost opt]# top
top - 14:08:12 up 2 days,  2:46,  1 user,  load average: 8.15, 8.26, 8.26
Tasks: 149 total,   3 running, 145 sleeping,   0 stopped,   1 zombie
%Cpu(s): 99.6 us,  0.4 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st

KiB Mem :  3881284 total,  3040016 free,   305200 used,   536068 buff/cache
KiB Swap:  1679356 total,  1679356 free,        0 used.  3285952 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 1694 root      20   0 1008508  50780   3720 S 800.0  1.3  24347:27 xmr-stak
    1 root      20   0  193708   6932   4088 S   0.0  0.2   0:16.94 systemd
    2 root      20   0       0      0      0 S   0.0  0.0   0:00.03 kthreadd
    3 root      20   0       0      0      0 S   0.0  0.0   0:00.03 ksoftirqd/0
    5 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/0:0H
    7 root      rt   0       0      0      0 S   0.0  0.0   0:00.01 migration/0
    8 root      20   0       0      0      0 S   0.0  0.0   0:00.00 rcu_bh

kill -9 it, then rm -rf it straight away.

Shell

[root@localhost opt]# ll
total 3140
drwxr-xr-x.  3 root root         25 Apr  6 19:34 rh
drwxr-xr-x.  9 root root       4096 Apr  6 19:42 xmr-stak
-rw-r--r--.  1 root root    3203299 Jul 13 14:01 xmr-stak.tar.gz
drwxr-xr-x. 10 1000 nogroup    4096 Nov  6  2017 zbox
[root@localhost opt]# rm -rf xmr-stak

Checked top again and, sure enough, it was still there, so something in the background must be restarting it. Written into crontab? Quite possibly.

Shell

[root@localhost zbox]# crontab -l
*/1 * * * * sh /usr/local/lib/run.sh

There it was. Time to delete the cron job, delete the script, and delete the files.

Shell

[root@localhost cron.d]# cd /var/spool/cron/
[root@localhost cron]# ll
total 4
-rw-------. 1 root root 37 Apr 19 14:48 root
[root@localhost cron]# cat root
*/1 * * * * sh /usr/local/lib/run.sh
[root@localhost cron]# rm root
rm: remove regular file 'root'? y
[root@localhost cron]# cd /usr/local/lib/
[root@localhost lib]# ll
total 6564
-rw-r--r--. 1 root root    7573 Apr 19 14:47 config.txt
-rw-r--r--. 1 root root    2344 Apr 19 14:47 cpu.txt
-rw-r--r--. 1 root root 1247724 Apr 19 14:47 libxmr-stak-backend.a
-rw-r--r--. 1 root root   54838 Apr 19 14:47 libxmr-stak-c.a
-rw-------. 1 root root 4616192 Apr 19 14:47 nohup.out
-rw-r--r--. 1 root root    1582 Apr 19 14:47 pools.txt
-rw-r--r--. 1 root root     140 Apr 19 14:48 run.sh
-rwxr-xr-x. 1 root root  778016 Apr 19 14:47 xmr-stak
[root@localhost lib]# rm *
rm: remove regular file 'config.txt'? y
rm: remove regular file 'cpu.txt'? y
rm: remove regular file 'libxmr-stak-backend.a'? y
rm: remove regular file 'libxmr-stak-c.a'? y
rm: remove regular file 'nohup.out'? y
rm: remove regular file 'pools.txt'? y
rm: remove regular file 'run.sh'? y
rm: remove regular file 'xmr-stak'? y

Checked again a while later:

Shell

[root@localhost lib]# top
top - 15:54:18 up 2 days,  4:32,  1 user,  load average: 0.00, 0.01, 0.05
Tasks: 143 total,   1 running, 142 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  0.8 sy,  0.0 ni, 99.2 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st

KiB Mem :  3881284 total,  2953436 free,   270660 used,   657188 buff/cache
KiB Swap:  1679356 total,  1679356 free,        0 used.  3269556 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
    1 root      20   0  193708   6936   4092 S   0.0  0.2   0:17.84 systemd
    2 root      20   0       0      0      0 S   0.0  0.0   0:00.03 kthreadd
    3 root      20   0       0      0      0 S   0.0  0.0   0:00.03 ksoftirqd/0
    5 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/0:0H
    7 root      rt   0       0      0      0 S   0.0  0.0   0:00.01 migration/0
    8 root      20   0       0      0      0 S   0.0  0.0   0:00.00 rcu_bh
    9 root      20   0       0      0      0 S   0.0  0.0   0:00.61 rcu_sched
   10 root      rt   0       0      0      0 S   0.0  0.0   0:00.26 watchdog/0
   11 root      rt   0       0      0      0 S   0.0  0.0   0:00.36 watchdog/1
   12 root      rt   0       0      0      0 S   0.0  0.0   0:00.01 migration/1
   13 root      20   0       0      0      0 S   0.0  0.0   0:00.02 ksoftirqd/1
   15 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/1:0H

Completely gone.
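The hunt above was done by hand: top to find the CPU hog, crontab -l to find the job that respawned it every minute, then rm. As an added example (not code from the original post), the POSIX sh script below automates the same two checks so they can be run across a fleet: flag processes above a CPU threshold from ps output, and scan every crontab on the host for minute-level entries that launch something from a directory where cron jobs do not normally live, which is exactly the pattern of the run.sh entry here. The 80% threshold, the "odd directory" list, the script name triage.sh, and the sample ps and crontab lines used by the self-check are this example's own constructed choices; the live scan assumes GNU ps (--sort) as found on CentOS/RHEL.

```shell
#!/bin/sh
# Added example, not from the original post: hunt for a CPU-hogging miner and
# the cron entry that keeps respawning it. POSIX sh + awk; the live scan also
# uses GNU ps (--sort) as found on CentOS/RHEL like the host in the post.
# The threshold and the "odd directory" list are this example's own choices.

CPU_THRESHOLD="${CPU_THRESHOLD:-80}"

# flag_cpu_hogs: read "PID USER %CPU COMMAND" rows on stdin (the columns of
# `ps -eo pid,user,pcpu,comm`), skip the header, print rows above threshold.
flag_cpu_hogs() {
    awk -v t="${1:-80}" 'NR > 1 && $3 + 0 > t { print $1, $2, $3, $4 }'
}

# flag_cron_lines: read crontab lines on stdin and print those that look like
# a respawn loop: a minute-level schedule (first field "*" or "*/N") whose
# command runs something from a directory where cron jobs normally do not
# live. Works for user crontabs (5 time fields) and /etc/cron.d style files
# (5 time fields + user), since the path is searched from field 6 onward.
# Hits under /root or /home need a manual look; legitimate jobs live there too.
flag_cron_lines() {
    awk '
        /^[[:space:]]*#/ { next }                        # comment
        /^[[:space:]]*$/ { next }                        # blank
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }  # MAILTO=, PATH= ...
        {
            every_minute = ($1 == "*" || $1 ~ /^\*\/[0-9]+$/)
            cmd = ""
            for (i = 6; i <= NF; i++) cmd = cmd " " $i
            odd_dir = (cmd ~ /\/(tmp|var\/tmp|dev\/shm|usr\/local\/lib|root|home)\//)
            if (every_minute && odd_dir) print
        }'
}

# cron_sources: concatenate every crontab file on this host so one
# flag_cron_lines pass covers the system crontab, /etc/cron.d and the
# per-user spool (Red Hat and Debian locations). Needs root to read the spool.
cron_sources() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        echo "# --- $f"
        cat "$f"
    done
}

# live_scan: both checks against the real host. Remove the cron entry first,
# then kill the process; in the other order it is back within a minute.
live_scan() {
    echo "== processes above ${CPU_THRESHOLD}% CPU =="
    ps -eo pid,user,pcpu,comm --sort=-pcpu | flag_cpu_hogs "$CPU_THRESHOLD"
    echo "== cron entries that look like a respawn loop =="
    cron_sources | flag_cron_lines
}

# Constructed sample data (not real output from the post's host) so the
# parsers can be exercised without root: `sh triage.sh` runs this self-check,
# `sh triage.sh --live` scans the host.
SAMPLE_PS='  PID USER     %CPU COMMAND
 1694 root     800  xmr-stak
    1 root      0.0 systemd
  512 apache    2.5 httpd'

SAMPLE_CRON='MAILTO=root
# nightly log rotation, legitimate
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/1 * * * * sh /usr/local/lib/run.sh
* * * * * root /tmp/.x/update'

self_check() {
    printf '%s\n' "$SAMPLE_PS" | flag_cpu_hogs 80
    printf '%s\n' "$SAMPLE_CRON" | flag_cron_lines
}

if [ "${1:-}" = "--live" ]; then
    live_scan
else
    self_check
fi
```

Both parsers read stdin, so they can be pointed at saved ps output or a copied crontab from another box just as easily as at the live host. The self-check prints the xmr-stak row and the two every-minute cron lines and nothing else; the logrotate job and the MAILTO line are correctly ignored.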

Summary

My guess is that this was an inside job by a former ops person or someone with access to the server room. Yep. That's all.

Reprints must credit: 逗比根据地 » Notes on removing the Monero miner xmr-stak
