最近在统计服务器相关信息,忽然发现一个使用比较少的禅道服务器CPU异常的高,起因是看禅道是不是正常跑起来,后来开始排错,然后看到root的家目录有个奇怪的文件夹,看到XMR,恩?xmr不是门罗币么?顺手top了一下,发现果然是挖矿病毒。
[root@localhost opt]# ll
total 3140
drwxr-xr-x. 3 root root 25 Apr 6 19:34 rh
drwxr-xr-x. 9 root root 4096 Apr 6 19:42 xmr-stak
-rw-r--r--. 1 root root 3203299 Jul 13 14:01 xmr-stak.tar.gz
drwxr-xr-x. 10 1000 nogroup 4096 Nov 6 2017 zbox
[root@localhost opt]# top
top - 14:08:12 up 2 days, 2:46, 1 user, load average: 8.15, 8.26, 8.26
Tasks: 149 total, 3 running, 145 sleeping, 0 stopped, 1 zombie
%Cpu(s): 99.6 us, 0.4 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 3881284 total, 3040016 free, 305200 used, 536068 buff/cache
KiB Swap: 1679356 total, 1679356 free, 0 used. 3285952 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1694 root 20 0 1008508 50780 3720 S 800.0 1.3 24347:27 xmr-stak
1 root 20 0 193708 6932 4088 S 0.0 0.2 0:16.94 systemd
2 root 20 0 0 0 0 S 0.0 0.0 0:00.03 kthreadd
3 root 20 0 0 0 0 S 0.0 0.0 0:00.03 ksoftirqd/0
5 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/0:0H
7 root rt 0 0 0 0 S 0.0 0.0 0:00.01 migration/0
8 root 20 0 0 0 0 S 0.0 0.0 0:00.00 rcu_bh
先 kill -9 结束进程,然后直接 rm -rf 删除目录
[root@localhost opt]# ll
total 3140
drwxr-xr-x. 3 root root 25 Apr 6 19:34 rh
drwxr-xr-x. 9 root root 4096 Apr 6 19:42 xmr-stak
-rw-r--r--. 1 root root 3203299 Jul 13 14:01 xmr-stak.tar.gz
drwxr-xr-x. 10 1000 nogroup 4096 Nov 6 2017 zbox
[root@localhost opt]# rm -rf xmr-stak
再看 top,进程果然还在,估计是后台有自启动机制把它重新拉起来了。写到 crontab 里了?有可能。
[root@localhost zbox]# crontab -l
*/1 * * * * sh /usr/local/lib/run.sh
果然在这里:每分钟执行一次 /usr/local/lib/run.sh。那就开始删计划任务、删脚本、删文件
[root@localhost cron.d]# cd /var/spool/cron/
[root@localhost cron]# ll
total 4
-rw-------. 1 root root 37 Apr 19 14:48 root
[root@localhost cron]# cat root
*/1 * * * * sh /usr/local/lib/run.sh
[root@localhost cron]# rm root
rm: remove regular file ‘root’? y
[root@localhost cron]# cd /usr/local/lib/
[root@localhost lib]# ll
total 6564
-rw-r--r--. 1 root root 7573 Apr 19 14:47 config.txt
-rw-r--r--. 1 root root 2344 Apr 19 14:47 cpu.txt
-rw-r--r--. 1 root root 1247724 Apr 19 14:47 libxmr-stak-backend.a
-rw-r--r--. 1 root root 54838 Apr 19 14:47 libxmr-stak-c.a
-rw-------. 1 root root 4616192 Apr 19 14:47 nohup.out
-rw-r--r--. 1 root root 1582 Apr 19 14:47 pools.txt
-rw-r--r--. 1 root root 140 Apr 19 14:48 run.sh
-rwxr-xr-x. 1 root root 778016 Apr 19 14:47 xmr-stak
[root@localhost lib]# rm *
rm: remove regular file ‘config.txt’? y
rm: remove regular file ‘cpu.txt’? y
rm: remove regular file ‘libxmr-stak-backend.a’? y
rm: remove regular file ‘libxmr-stak-c.a’? y
rm: remove regular file ‘nohup.out’? y
rm: remove regular file ‘pools.txt’? y
rm: remove regular file ‘run.sh’? y
rm: remove regular file ‘xmr-stak’? y
过段时间再看 top,确认进程没有被重新拉起
[root@localhost lib]# top
top - 15:54:18 up 2 days, 4:32, 1 user, load average: 0.00, 0.01, 0.05
Tasks: 143 total, 1 running, 142 sleeping, 0 stopped, 0 zombie
%Cpu(s): 0.0 us, 0.8 sy, 0.0 ni, 99.2 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 3881284 total, 2953436 free, 270660 used, 657188 buff/cache
KiB Swap: 1679356 total, 1679356 free, 0 used. 3269556 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1 root 20 0 193708 6936 4092 S 0.0 0.2 0:17.84 systemd
2 root 20 0 0 0 0 S 0.0 0.0 0:00.03 kthreadd
3 root 20 0 0 0 0 S 0.0 0.0 0:00.03 ksoftirqd/0
5 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/0:0H
7 root rt 0 0 0 0 S 0.0 0.0 0:00.01 migration/0
8 root 20 0 0 0 0 S 0.0 0.0 0:00.00 rcu_bh
9 root 20 0 0 0 0 S 0.0 0.0 0:00.61 rcu_sched
10 root rt 0 0 0 0 S 0.0 0.0 0:00.26 watchdog/0
11 root rt 0 0 0 0 S 0.0 0.0 0:00.36 watchdog/1
12 root rt 0 0 0 0 S 0.0 0.0 0:00.01 migration/1
13 root 20 0 0 0 0 S 0.0 0.0 0:00.02 ksoftirqd/1
15 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/1:0H
xmr-stak 进程不再出现,负载也从 8 以上降到了 0,彻底被干掉了。
总结
预估计这次应该是之前的运维人员或者能接触到机房人员的内部作案。恩。就酱。