Zhouyao's Blog

Do Something Big With Us

Notes on removing the xmr-stak Monero miner

Recently, while gathering information about our servers, I suddenly noticed that a rarely used ZenTao server had abnormally high CPU usage. It started with checking whether ZenTao was running properly; then I began troubleshooting and saw a strange folder in root's home directory. Seeing "XMR" in the name, hm, isn't XMR Monero? I ran top while I was at it, and sure enough it was a mining trojan.

[root@localhost opt]# ll
total 3140
drwxr-xr-x.  3 root root         25 Apr  6 19:34 rh
drwxr-xr-x.  9 root root       4096 Apr  6 19:42 xmr-stak
-rw-r--r--.  1 root root    3203299 Jul 13 14:01 xmr-stak.tar.gz
drwxr-xr-x. 10 1000 nogroup    4096 Nov  6  2017 zbox
[root@localhost opt]# top
top - 14:08:12 up 2 days,  2:46,  1 user,  load average: 8.15, 8.26, 8.26
Tasks: 149 total,   3 running, 145 sleeping,   0 stopped,   1 zombie
%Cpu(s): 99.6 us,  0.4 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem :  3881284 total,  3040016 free,   305200 used,   536068 buff/cache
KiB Swap:  1679356 total,  1679356 free,        0 used.  3285952 avail Mem 

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                                                                  
 1694 root      20   0 1008508  50780   3720 S 800.0  1.3  24347:27 xmr-stak                                                                 
    1 root      20   0  193708   6932   4088 S   0.0  0.2   0:16.94 systemd                                                                  
    2 root      20   0       0      0      0 S   0.0  0.0   0:00.03 kthreadd                                                                 
    3 root      20   0       0      0      0 S   0.0  0.0   0:00.03 ksoftirqd/0                                                              
    5 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/0:0H                                                             
    7 root      rt   0       0      0      0 S   0.0  0.0   0:00.01 migration/0                                                              
    8 root      20   0       0      0      0 S   0.0  0.0   0:00.00 rcu_bh                                                                   

kill -9, then rm -rf directly

[root@localhost opt]# ll
total 3140
drwxr-xr-x.  3 root root         25 Apr  6 19:34 rh
drwxr-xr-x.  9 root root       4096 Apr  6 19:42 xmr-stak
-rw-r--r--.  1 root root    3203299 Jul 13 14:01 xmr-stak.tar.gz
drwxr-xr-x. 10 1000 nogroup    4096 Nov  6  2017 zbox
[root@localhost opt]# rm -rf xmr-stak

Checked top again, and sure enough it was still there; I figured something in the background was auto-starting it. Written into crontab? Possibly.

[root@localhost zbox]# crontab -l
*/1 * * * * sh /usr/local/lib/run.sh

Sure enough, here it is. Time to delete the scheduled task, the script and the files.

[root@localhost cron.d]# cd /var/spool/cron/
[root@localhost cron]# ll
total 4
-rw-------. 1 root root 37 Apr 19 14:48 root
[root@localhost cron]# cat root 
*/1 * * * * sh /usr/local/lib/run.sh
[root@localhost cron]# rm root 
rm: remove regular file ‘root’? y
[root@localhost cron]# cd /usr/local/lib/
[root@localhost lib]# ll
total 6564
-rw-r--r--. 1 root root    7573 Apr 19 14:47 config.txt
-rw-r--r--. 1 root root    2344 Apr 19 14:47 cpu.txt
-rw-r--r--. 1 root root 1247724 Apr 19 14:47 libxmr-stak-backend.a
-rw-r--r--. 1 root root   54838 Apr 19 14:47 libxmr-stak-c.a
-rw-------. 1 root root 4616192 Apr 19 14:47 nohup.out
-rw-r--r--. 1 root root    1582 Apr 19 14:47 pools.txt
-rw-r--r--. 1 root root     140 Apr 19 14:48 run.sh
-rwxr-xr-x. 1 root root  778016 Apr 19 14:47 xmr-stak
[root@localhost lib]# rm *
rm: remove regular file ‘config.txt’? y
rm: remove regular file ‘cpu.txt’? y
rm: remove regular file ‘libxmr-stak-backend.a’? y
rm: remove regular file ‘libxmr-stak-c.a’? y
rm: remove regular file ‘nohup.out’? y
rm: remove regular file ‘pools.txt’? y
rm: remove regular file ‘run.sh’? y
rm: remove regular file ‘xmr-stak’? y

Checked again a while later

[root@localhost lib]# top
top - 15:54:18 up 2 days,  4:32,  1 user,  load average: 0.00, 0.01, 0.05
Tasks: 143 total,   1 running, 142 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  0.8 sy,  0.0 ni, 99.2 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem :  3881284 total,  2953436 free,   270660 used,   657188 buff/cache
KiB Swap:  1679356 total,  1679356 free,        0 used.  3269556 avail Mem 

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                                                                                                                                      
    1 root      20   0  193708   6936   4092 S   0.0  0.2   0:17.84 systemd                                                                                                                                      
    2 root      20   0       0      0      0 S   0.0  0.0   0:00.03 kthreadd                                                                                                                                     
    3 root      20   0       0      0      0 S   0.0  0.0   0:00.03 ksoftirqd/0                                                                                                                                  
    5 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/0:0H                                                                                                                                 
    7 root      rt   0       0      0      0 S   0.0  0.0   0:00.01 migration/0                                                                                                                                  
    8 root      20   0       0      0      0 S   0.0  0.0   0:00.00 rcu_bh                                                                                                                                       
    9 root      20   0       0      0      0 S   0.0  0.0   0:00.61 rcu_sched                                                                                                                                    
   10 root      rt   0       0      0      0 S   0.0  0.0   0:00.26 watchdog/0                                                                                                                                   
   11 root      rt   0       0      0      0 S   0.0  0.0   0:00.36 watchdog/1                                                                                                                                   
   12 root      rt   0       0      0      0 S   0.0  0.0   0:00.01 migration/1                                                                                                                                  
   13 root      20   0       0      0      0 S   0.0  0.0   0:00.02 ksoftirqd/1                                                                                                                                  
   15 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/1:0H                                                                                                                                 

Completely killed off.
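The two checks the post did by eye, written up as a small triage script added here (this is not the post's own code): it flags processes whose %CPU in top output exceeds a threshold, and crontab lines that re-launch a shell script from an unusual directory every minute. The inputs are constructed samples that mirror the post's output; on a live host you would feed it `top -b -n 1` and the contents of /var/spool/cron/* instead.

```shell
#!/bin/sh
# Added example, not from the original post: triage helpers for the two
# signals the post relied on, a process saturating the CPU in `top` and a
# cron entry that re-launches it every minute. Sample inputs are constructed.

# Constructed sample of `top -b -n 1` output (PID 1694 mirrors the post's miner).
SAMPLE_TOP='  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 1694 root      20   0 1008508  50780   3720 S 800.0  1.3  24347:27 xmr-stak
    1 root      20   0  193708   6932   4088 S   0.0  0.2   0:16.94 systemd
    2 root      20   0       0      0      0 S   0.0  0.0   0:00.03 kthreadd'

# Constructed sample crontab: one legitimate job and one per-minute relauncher.
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/1 * * * * sh /usr/local/lib/run.sh'

# high_cpu_procs TOP_TEXT [THRESHOLD]
# Prints "PID COMMAND %CPU" for each process whose %CPU exceeds THRESHOLD
# (default 100, i.e. more than one core busy). Only rows with a numeric PID
# are considered, so the header line is skipped.
high_cpu_procs() {
    threshold="${2:-100}"
    printf '%s\n' "$1" | awk -v t="$threshold" '
        $1 ~ /^[0-9]+$/ && NF >= 12 && ($9 + 0) > (t + 0) { print $1, $NF, $9 }'
}

# suspicious_cron CRON_TEXT
# Prints crontab lines that fire every minute (minute field "*" or "*/1") and
# hand a script to a shell from a directory where cron jobs do not normally
# live (the post's /usr/local/lib, plus /tmp and /dev/shm). Comments skipped.
suspicious_cron() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 6 { next }
        ($1 == "*" || $1 == "*/1") && $0 ~ /(sh|bash) +\/(usr\/local\/lib|tmp|dev\/shm)\// { print }'
}

# Stand-alone run: report both findings for the constructed samples.
high_cpu_procs "$SAMPLE_TOP"
suspicious_cron "$SAMPLE_CRON"
```

Before deleting, copy run.sh, config.txt and pools.txt somewhere safe, since the pool and wallet address in the xmr-stak pool config are what you would use to attribute the infection. Cron was the only persistence found here, so rc.local, systemd units and authorized SSH keys are worth the extra minute to check.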

Summary

My guess is that this was an inside job by a previous ops person or someone with access to the server room. Yep. That's all.
