Symptom: memory is nearly exhausted. top always shows a process hogging a large share of resources; it was first taken for a zombie, but killing it just brings up a new one under a different PID. (A true zombie is already dead and holds no memory; a process that keeps coming back is being respawned by something else.)
1. Check for malicious processes and unexpected ports
    [root@VM-0-8-centos ~]# netstat -antp
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2163/master
    tcp        0      0 127.0.0.1:8123          0.0.0.0:*               LISTEN      2952/clickhouse-ser
    tcp        0      0 10.0.0.8:8123           0.0.0.0:*               LISTEN      2952/clickhouse-ser
    tcp        0      0 127.0.0.1:1378          0.0.0.0:*               LISTEN      3124/filebeat
    tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      2952/clickhouse-ser
    tcp        0      0 10.0.0.8:9000           0.0.0.0:*               LISTEN      2952/clickhouse-ser
    tcp        0      0 127.0.0.1:9004          0.0.0.0:*               LISTEN      2952/clickhouse-ser
    tcp        0      0 10.0.0.8:9004           0.0.0.0:*               LISTEN      2952/clickhouse-ser
    tcp        0      0 127.0.0.1:9009          0.0.0.0:*               LISTEN      2952/clickhouse-ser
    tcp        0      0 10.0.0.8:9009           0.0.0.0:*               LISTEN      2952/clickhouse-ser
    tcp        0      0 127.0.0.1:9363          0.0.0.0:*               LISTEN      2952/clickhouse-ser
    tcp        0      0 10.0.0.8:9363           0.0.0.0:*               LISTEN      2952/clickhouse-ser
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1800/sshd
    tcp        0      0 10.0.0.8:52860          104.168.71.132:80       ESTABLISHED 24031/bashirc
    tcp        0      0 10.0.0.8:22             113.235.117.72:60726    ESTABLISHED 761055/sshd: root@n
    tcp        0      0 10.0.0.8:22             113.235.117.72:64167    ESTABLISHED 672313/sshd: root@p
    tcp        0      0 10.0.0.8:37602          185.156.179.225:80      ESTABLISHED 778145/kdevtmpfsi
    tcp        0    128 10.0.0.8:22             113.235.117.72:3377     ESTABLISHED 761037/sshd: root@p
    tcp        0      0 10.0.0.8:22             113.235.117.72:64168    ESTABLISHED 672322/sshd: root@n
    tcp        0      0 10.0.0.8:22             113.235.117.72:1029     ESTABLISHED 756791/sshd: root@p
    tcp        0      0 10.0.0.8:56536          194.5.249.24:8080       ESTABLISHED 777784/dbused
    tcp        0      0 10.0.0.8:22             113.235.117.72:51116    ESTABLISHED 756965/sshd: root@n
    tcp        0      0 10.0.0.8:58756          209.141.40.190:80       TIME_WAIT   -
    tcp6       0      0 :::36535                :::*                    LISTEN      722900/java
    tcp6       0      0 ::1:25                  :::*                    LISTEN      2163/master
    tcp6       0      0 :::36250                :::*                    LISTEN      722623/java
    tcp6       0      0 :::40481                :::*                    LISTEN      722900/java
    tcp6       0      0 :::39329                :::*                    LISTEN      722623/java
    tcp6       0      0 :::31458                :::*                    LISTEN      23358/kinsing
    tcp6       0      0 :::6123                 :::*                    LISTEN      722623/java
    tcp6       0      0 :::8081                 :::*                    LISTEN      722623/java
    tcp6       0      0 :::36117                :::*                    LISTEN      722900/java
    tcp6       0      0 127.0.0.1:6123          127.0.0.1:58232         ESTABLISHED 722623/java
    tcp6       0      0 127.0.0.1:58232         127.0.0.1:6123          ESTABLISHED 722900/java
    You have mail in /var/spool/mail/root
    [root@VM-0-8-centos ~]#
Look at the connections in ESTABLISHED state (and note, among the listeners, 23358/kinsing on port 31458: a listening program whose name matches no installed service):

    tcp        0      0 10.0.0.8:52860          104.168.71.132:80       ESTABLISHED 24031/bashirc
    tcp        0      0 10.0.0.8:22             113.235.117.72:60726    ESTABLISHED 761055/sshd: root@n
    tcp        0      0 10.0.0.8:22             113.235.117.72:64167    ESTABLISHED 672313/sshd: root@p
    tcp        0      0 10.0.0.8:37602          185.156.179.225:80      ESTABLISHED 778145/kdevtmpfsi
    tcp        0    128 10.0.0.8:22             113.235.117.72:3377     ESTABLISHED 761037/sshd: root@p
    tcp        0      0 10.0.0.8:22             113.235.117.72:64168    ESTABLISHED 672322/sshd: root@n
    tcp        0      0 10.0.0.8:22             113.235.117.72:1029     ESTABLISHED 756791/sshd: root@p
    tcp        0      0 10.0.0.8:56536          194.5.249.24:8080       ESTABLISHED 777784/dbused
    tcp        0      0 10.0.0.8:22             113.235.117.72:51116    ESTABLISHED 756965/sshd: root@n
113.235.117.72 is the author's own IP in Dalian connecting to port 22, which is legitimate. The other three connections are not. 52860, 37602 and 56536 are not services the host exposes: they are the local ephemeral ports of connections that the processes bashirc, kdevtmpfsi and dbused opened themselves, to 104.168.71.132:80, 185.156.179.225:80 and 194.5.249.24:8080. Tightening the Tencent Cloud security group so that only port 22 is reachable from outside is still the right move (it is worth checking whether the java listeners on all interfaces, ports 6123 and 8081, the default Apache Flink JobManager ports, and the kinsing listener on 31458 were reachable from the internet), but inbound rules do not stop these connections: they are initiated from the host, so they need egress rules and, above all, the processes behind them have to be removed.
Look up the suspicious IPs (a Baidu search gives):

    104.168.71.132   Buffalo, New York, USA
    185.156.179.225  Moscow, Russia
    209.141.40.190   Las Vegas, Nevada, USA
    194.5.249.24     Romania

These are clearly not addresses this server has any business talking to. Geolocation on its own proves little; what makes the connections malicious is that they belong to binaries (bashirc, kdevtmpfsi, dbused) that nobody installed.
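The triage done by eye above can be scripted. The following is an added example, not code from the original post: a POSIX shell function that reads saved `netstat -antp` output and reports only the connections this host opened itself, using the rule that an ESTABLISHED socket whose local port is one the host LISTENs on is inbound (the ssh sessions on :22), and everything else was initiated locally. The sample file it builds is constructed from the lines quoted above; the private address ranges it labels "internal" are an assumption about this network.

```shell
#!/bin/sh
# Added example (not from the original post): triage saved `netstat -antp` output.
# Usage on a live host:  netstat -antp > /tmp/ns.txt; flag_outbound /tmp/ns.txt

flag_outbound() {
    awk '
        # pass 1: collect every port this host listens on (tcp and tcp6)
        NR == FNR {
            if ($1 ~ /^tcp/ && $6 == "LISTEN") {
                n = split($4, a, ":"); listen[a[n]] = 1
            }
            next
        }
        # pass 2: ESTABLISHED sockets whose local port is not a listener were opened by us
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($4, l, ":")
            if (l[n] in listen) next
            # "PID/Program name" may contain spaces ("sshd: root@pts/0")
            prog = $7
            for (i = 8; i <= NF; i++) prog = prog " " $i
            # loopback / RFC1918 peers are ordinary service chatter; anything else is flagged
            tag = ($5 ~ /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|::1:)/) ? "internal" : "EXTERNAL"
            printf "%-8s %-22s %s\n", tag, $5, prog
        }
    ' "$1" "$1"
}

# Constructed sample: the relevant lines from the netstat output quoted in the post.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1800/sshd
tcp        0      0 10.0.0.8:52860          104.168.71.132:80       ESTABLISHED 24031/bashirc
tcp        0      0 10.0.0.8:22             113.235.117.72:60726    ESTABLISHED 761055/sshd: root@n
tcp        0      0 10.0.0.8:37602          185.156.179.225:80      ESTABLISHED 778145/kdevtmpfsi
tcp        0    128 10.0.0.8:22             113.235.117.72:3377     ESTABLISHED 761037/sshd: root@p
tcp        0      0 10.0.0.8:56536          194.5.249.24:8080       ESTABLISHED 777784/dbused
tcp        0      0 10.0.0.8:58756          209.141.40.190:80       TIME_WAIT   -
tcp6       0      0 :::31458                :::*                    LISTEN      23358/kinsing
tcp6       0      0 :::6123                 :::*                    LISTEN      722623/java
tcp6       0      0 127.0.0.1:6123          127.0.0.1:58232         ESTABLISHED 722623/java
tcp6       0      0 127.0.0.1:58232         127.0.0.1:6123          ESTABLISHED 722900/java
EOF

flag_outbound "$SAMPLE"
```

On the sample this prints three EXTERNAL lines (bashirc, kdevtmpfsi, dbused) and one internal line (java talking to itself on 127.0.0.1:6123); the ssh sessions and the TIME_WAIT socket, which has no owning process, do not appear. The file is read twice because netstat does not sort by state, so a tcp6 LISTEN line can come after the tcp ESTABLISHED lines.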
2. Remediation
2.1 Removing the kdevtmpfsi miner
Reference: 记一次服务器被 kdevtmpfsi 变矿机 (a write-up of a server turned into a kdevtmpfsi miner)
    $ find / -name kinsing       # daemon / guardian process
    $ find / -name kdevtmpfsi    # mining process

This turned up /etc/kinsing. Delete the file, then kill -9 the PIDs. Because kinsing is the guardian that restarts the miner, kill kinsing and kdevtmpfsi together (or kinsing first); killing the miner alone is what produced the "comes straight back" symptom.
Check the network state again:

    [root@VM-0-8-centos /]# netstat -alntop
Check the state of the crond service. If a cron job is what keeps pulling the trojan down again, can the service be stopped first and the malicious files cleaned up afterwards?

    service crond status
    # stop the crond service
    service crond stop
    # the service is stopped, but jobs it already started keep running; find them with ps and kill them
    ps -ef | grep cron
Change the SSH port from 22 to 23148:

    # edit the sshd config and add port 23148; keep 22 until the new port is confirmed working, then remove 22
    [root@VM-0-8-centos /]# vim /etc/ssh/sshd_config
    ...
    # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
    #
    Port 22
    Port 23148
    #AddressFamily any
    ...
    # restart sshd after the edit
    systemctl restart sshd.service

Add 23148 to the cloud provider's security group and open it in the local firewall; ssh to the new port now works. Two caveats: on a CentOS host with SELinux enforcing, the semanage command that ships as a comment in sshd_config has to actually be run for 23148 before sshd is allowed to bind it, and a changed port only reduces scanner noise, it is not hardening. Every sshd session in the netstat output above is a root login from the internet, so once key-based login is in place set PermitRootLogin to prohibit-password, and run sshd -t before restarting so that a typo in the config cannot lock you out.
2.2 Removing the dbused miner
Procedure:
1. Check whether dbused is in the process list
2. Check the server's network connections
    [root@VM-0-8-centos /]# netstat -antp
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 127.0.0.1:9009          0.0.0.0:*               LISTEN      2952/clickhouse-ser
    tcp        0      0 10.0.0.8:42666          212.114.52.24:8080      ESTABLISHED 869898/dbused
    tcp        0      0 10.0.0.8:22             113.235.117.72:64167    ESTABLISHED 672313/sshd: root@p
    tcp        0    340 10.0.0.8:22             113.235.117.72:3377     ESTABLISHED 761037/sshd: root@p
    tcp        0      0 10.0.0.8:22             113.235.117.72:64168    ESTABLISHED 672322/sshd: root@n
    tcp        0      0 10.0.0.8:53952          104.168.71.132:80       ESTABLISHED 869942/bashirc
dbused is visibly holding a network connection. Compare the PIDs with the first capture: dbused is now 869898 (was 777784) and bashirc is 869942 (was 24031) and is talking to the same 104.168.71.132:80 as before, so killing the processes without removing what restarts them achieved nothing.
3. Check the scheduled tasks and stop the crond service
Among the scheduled tasks is the miner's cron job; the next step is working out how to clear it.
Stop the crond service:
    # check the crond service status
    service crond status
    # stop the crond service
    service crond stop
Although crond is now stopped, the jobs it already launched are still running. Find the miner PIDs with top -c and netstat -antop, kill them with kill -9, and then run the script below to remove the miner's files so that it cannot be downloaded again. Two things to know before running it: the miner sets the immutable and append-only attributes on its files, which is why a plain rm fails and every deletion is preceded by chattr -ia; and the script deletes root's crontab outright (/var/spool/cron/root and /var/spool/cron/crontabs/root), so copy it aside first if it contained legitimate jobs.
    # persistence and binaries dropped by the miner: clear the immutable/append-only flags, then delete
    for f in \
        /var/spool/cron/crontabs/root /etc/cron.d/apache~ /etc/cron.d/root /etc/cron.d/nginx \
        /etc/cron.hourly/pwnrig /var/spool/cron/root /etc/cron.hourly/oanacroner \
        /etc/cron.weekly/pwnrig /etc/cron.d/pwnrig /etc/cron.monthly/pwnrig /etc/cron.daily/pwnrig \
        /etc/cron.d/apache /etc/rc.d/init.d/pwnrig \
        /etc/systemd/system/multi-user.target.wants/pwnrige.service \
        /usr/lib/systemd/system/pwnrigl.service /etc/systemd/system/pwnrige.service \
        /bin/bprofr /bin/sysdr /bin/crondr /bin/initdr \
        /usr/bin/bprofr /usr/bin/sysdr /usr/bin/crondr /usr/bin/initdr
    do
        chattr -ia "$f"
        rm -rf "$f"
    done
    # payloads staged under /tmp (the original script removes these without chattr)
    rm -rf /tmp/dbused /tmp/dbusex /tmp/xms /tmp/x86_ /tmp/i /tmp/go /tmp/x64b /tmp/x32b
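Sections 2.1 and 2.2 both end in the same step: find the miner PIDs in top -c or netstat -antop and kill -9 them, and both times the process came back. The following added example (not from the original post) packages that step so that the guardian and the worker are killed in one pass and the host is re-checked for respawns afterwards. Processes are matched by the Name field of /proc/<pid>/status, the same name top and netstat display, so it needs no pgrep; it deliberately skips zombies, which is what a killed process looks like until its parent reaps it (a zombie holds no memory, so it is not what was eating the machine). The kdevtmpfsi it kills at the bottom is a constructed stand-in script, not the real miner, and the names kinsing and kdevtmpfsi are the ones from this incident.

```shell
#!/bin/sh
# Added example, not from the original post: kill a miner and its guardian by
# process name and verify that nothing respawns. Usage on the real host:
#   kill_miners kinsing kdevtmpfsi    # guardian first, worker second

# pids_by_comm NAME: PIDs whose /proc/<pid>/status Name equals NAME.
# Zombies (State: Z) are skipped: they are already dead, just not reaped yet.
pids_by_comm() {
    for s in /proc/[0-9]*/status; do
        p=${s#/proc/}; p=${p%/status}
        awk -v want="$1" -v pid="$p" '
            /^Name:/  { name = $2 }
            /^State:/ { state = $2 }
            END { if (name == want && state != "Z") print pid }
        ' "$s" 2>/dev/null || true
    done
    return 0
}

# kill_miners NAME...: log where each matching process runs from (a binary that
# was unlinked after start shows as "(deleted)" in exe), SIGKILL it in the order
# the names are given, then wait and re-scan. Returns 1 if any name is still
# running or has been respawned, 0 if the host is clean.
kill_miners() {
    for name in "$@"; do
        for pid in $(pids_by_comm "$name"); do
            exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
            cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
            echo "killing $name pid=$pid exe=$exe cwd=$cwd"
            kill -9 "$pid" 2>/dev/null || true
        done
    done
    sleep 2     # a surviving guardian needs a moment to restart its worker
    left=0
    for name in "$@"; do
        for pid in $(pids_by_comm "$name"); do
            ppid=$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null || echo '?')
            echo "STILL RUNNING: $name pid=$pid ppid=$ppid (kill the parent first)"
            left=1
        done
    done
    return $left
}

# Constructed stand-in for the miner (NOT the real binary): a script named
# kdevtmpfsi that idles. The kernel names a process after the script file it
# executes, so it shows up exactly as the real one would in top or netstat.
FAKE=$(mktemp -d)
printf '#!/bin/sh\nwhile :; do sleep 1; done\n' > "$FAKE/kdevtmpfsi"
chmod +x "$FAKE/kdevtmpfsi"
"$FAKE/kdevtmpfsi" >/dev/null 2>&1 </dev/null &
sleep 1

if kill_miners kinsing kdevtmpfsi; then echo "clean"; else echo "respawn detected"; fi
wait 2>/dev/null     # reap the killed stand-in so it does not linger as a zombie
```

The exe and cwd lines are worth keeping: a miner that deleted its own binary after launch can still be recovered for analysis from /proc/<pid>/exe while the process is alive, and cwd usually points at the drop directory (the /tmp paths the cleanup script removes).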
Check whether any miner-related files remain. If none are found, look at top -c and netstat -antop again; if no suspicious processes are left either, the cleanup is done. If something is still there, repeat the whole cycle, and do it quickly: kill the PIDs and remove the files before the miner has time to fetch its payload again.

    grep -rn 'xms'   /etc/ 2>/dev/null | grep init.d
    grep -rn 'dbuse' /etc/ 2>/dev/null | grep init.d
    grep -rn 'dbuse' /etc/ 2>/dev/null | grep systemd
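The cleanup script above deletes a fixed list of paths, root's crontab included whether or not it held anything legitimate, and the grep checks after it have to be repeated by hand for each indicator. The following added example, not from the original post, turns the same indicators and directories into a hunt-then-purge pair: hunt_persistence lists every file under the cron, init.d and systemd directories whose name or contents mention an indicator, together with its lsattr flags (an "i" tells you chattr -ia will be needed), and purge_persistence removes exactly those files after clearing the attributes. The ROOT argument exists so the functions can be exercised on a scratch tree; the tree and its files built at the bottom are constructed for the demonstration, and the indicator list is an assumption drawn from the names in this post.

```shell
#!/bin/sh
# Added example, not from the original post: find and remove miner persistence by
# content rather than by a fixed path list. On a real host call the functions with
# "/" as ROOT; the argument only exists so they can be tried on a scratch tree.

# Indicator names taken from this incident (an assumption: extend as needed)
INDICATORS='kinsing|kdevtmpfsi|dbused|xms|pwnrig|bprofr|sysdr|crondr|initdr'
# Where cron, SysV and systemd persistence lives (relative to ROOT)
PERSIST_DIRS='etc/cron.d etc/cron.hourly etc/cron.daily etc/cron.weekly etc/cron.monthly
              var/spool/cron etc/rc.d/init.d etc/systemd/system usr/lib/systemd/system'

# hunt_persistence ROOT: print "path<TAB>attrs" for every regular file under the
# persistence dirs whose file name or contents match an indicator. attrs is the
# lsattr flag string, or "-" where lsattr is unavailable or the fs has no attributes.
hunt_persistence() {
    root=${1:-/}
    for d in $PERSIST_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f 2>/dev/null
    done | while IFS= read -r f; do
        if basename "$f" | grep -Eq "$INDICATORS" || grep -Eq "$INDICATORS" "$f" 2>/dev/null; then
            attrs=$(lsattr "$f" 2>/dev/null | awk '{ print $1 }')
            printf '%s\t%s\n' "$f" "${attrs:--}"
        fi
    done
}

# purge_persistence ROOT: the destructive step; review the hunt output first.
# Clears immutable/append-only attributes, then deletes exactly the files found.
purge_persistence() {
    hunt_persistence "$1" | cut -f1 | while IFS= read -r f; do
        chattr -ia "$f" 2>/dev/null || true   # fs without attributes, or no chattr
        rm -f "$f"
        echo "removed $f"
    done
}

# Constructed scratch tree standing in for "/" (nothing on the real system is touched)
ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc/cron.d" "$ROOT/etc/systemd/system" "$ROOT/var/spool/cron"
# legitimate cron job: must survive the purge
printf '0 3 * * * root /usr/lib64/sa/sa2 -A\n' > "$ROOT/etc/cron.d/sysstat"
# innocuous file name, miner payload inside
printf '* * * * * root /tmp/kdevtmpfsi\n' > "$ROOT/etc/cron.d/apache"
# the unit name itself is an indicator
printf '[Service]\nExecStart=/tmp/dbused\n' > "$ROOT/etc/systemd/system/pwnrige.service"
# root's own crontab with legitimate content: the fixed-path script would have wiped it
printf '30 2 * * * /usr/local/bin/backup.sh\n' > "$ROOT/var/spool/cron/root"

hunt_persistence "$ROOT"
```

On the scratch tree the hunt reports only etc/cron.d/apache and etc/systemd/system/pwnrige.service; the sysstat job and root's crontab are left alone, and a second hunt after purge_persistence reports nothing. Run the hunt before touching anything and keep its output: it is the file list for the incident record, and the attrs column tells you which files the miner had locked.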
Once the cleanup is confirmed, start the crond service again:

    # start the crond service
    service crond start
    # check the crond service
    service crond status

References: