1. Watchdogs挖矿蠕虫的主要特征，以及其变种kthrotlds的特征。

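# Detection commands for the Watchdogs worm. The page itself states that the
# system ps (and rm) are hooked through a preload library, so a hooked ps may
# hide the worm's process -- prefer `busybox ps` for the process checks when a
# clean busybox is available. The process patterns are written as '[w]atchdogs'
# so the grep command line itself does not match, which would otherwise make
# the check always report a hit.
ps -ef | grep '[w]atchdogs'                # malicious process "watchdogs" present
ps -ef | grep '[k]softirqds'               # malicious process "ksoftirqds" present
chkconfig | grep watchdogs                 # malicious boot entry "watchdogs" present
ldd "$(command -v ps)" | grep libioset.so  # ps, rm etc. hooked by the .so
crontab -l | grep pastebin                 # malicious cron job that downloads the worm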

watchdogs进程变更为kthrotlds
libioset.so变更为libcset.so
watchdogs开机启动项名称变更为netdns

2. 解决办法：上传busybox到系统的/bin/目录下，执行脚本clear.sh和clear_kthrotlds.sh。由于系统自带的ps、rm等命令已被so劫持，清理操作需通过busybox执行。busybox下载地址：https://github.com/MoreSecLab/DDG_MalWare_Clean_Tool 。脚本参考，clear.sh定义：

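#!/bin/sh
# clear.sh -- removes the Watchdogs mining worm (original variant: process
# "watchdogs", hooking library libioset.so, init script "watchdogs").
#
# Every file/process operation goes through busybox (expected in /bin/),
# because the system ps/rm are assumed to be hooked via /etc/ld.so.preload.
# busybox must therefore not itself load that preload library -- check the
# uploaded binary (e.g. `ldd /bin/busybox`) before running. Run as root and
# reboot afterwards, as the final message says.

#######################################
# Kill every process whose busybox ps line matches the given pattern.
# Arguments: $1 - egrep pattern (a process name)
# Notes:     busybox ps prints the PID in column 1 (procps `ps -ef` puts the
#            UID there) -- confirm against the busybox build in use.
#            SIGKILL is kept from the original script; `xargs -r` skips the
#            kill when nothing matched instead of running kill with no PIDs,
#            and kill is the busybox applet so the pipeline stays consistent
#            with the rest of the script.
#######################################
kill_matching() {
  busybox ps -ef | busybox grep -v grep | busybox egrep "$1" \
    | busybox awk '{print $1}' | busybox xargs -r busybox kill -9
}

# Stop cron first, presumably so the worm's cron entries cannot re-launch it
# while files are being removed; cron is restarted at the end.
service crond stop

# Drop the preload hook and the hooking library. The preload file may be
# immutable (the original script ran chattr -i on it); clear the attribute on
# the library too in case it is set there, then remove both.
chattr -i /etc/ld.so.preload /usr/local/lib/libioset.so
busybox rm -f /etc/ld.so.preload
busybox rm -f /usr/local/lib/libioset.so

# Clean up malicious processes
kill_matching 'ksoftirqds'
kill_matching 'watchdogs'

# Remove the dropped binary, cron entries and init script.
# NOTE: /var/spool/cron/root and /var/spool/cron/crontabs/root are root's
# entire crontab, legitimate entries included -- keep a copy before running.
busybox rm -f /tmp/watchdogs
busybox rm -f /etc/cron.d/tomcat
busybox rm -f /etc/cron.d/root
busybox rm -f /var/spool/cron/root
busybox rm -f /var/spool/cron/crontabs/root
busybox rm -f /etc/rc.d/init.d/watchdogs
busybox rm -f /usr/sbin/watchdogs
ldconfig

# Clean up malicious processes again (anything re-spawned meanwhile)
kill_matching 'ksoftirqds'
kill_matching 'watchdogs'

# Clean up the boot entry. The original used an en dash (`–del`), which
# chkconfig does not recognise; the option is `--del`.
chkconfig watchdogs off
chkconfig --del watchdogs

service crond start
echo "Done, Please reboot!"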

clear_kthrotlds.sh定义:

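#!/bin/sh
# clear_kthrotlds.sh -- removes the kthrotlds variant of the Watchdogs mining
# worm (process "kthrotlds", hooking library libcset.so, boot entry "netdns").
#
# Every file/process operation goes through busybox (expected in /bin/),
# because the system ps/rm are assumed to be hooked via /etc/ld.so.preload.
# busybox must therefore not itself load that preload library -- check the
# uploaded binary (e.g. `ldd /bin/busybox`) before running. Run as root and
# reboot afterwards, as the final message says.

#######################################
# Kill every process whose busybox ps line matches the given pattern.
# Arguments: $1 - egrep pattern (a process name)
# Notes:     busybox ps prints the PID in column 1 (procps `ps -ef` puts the
#            UID there) -- confirm against the busybox build in use.
#            SIGKILL is kept from the original script; `xargs -r` skips the
#            kill when nothing matched instead of running kill with no PIDs,
#            and kill is the busybox applet so the pipeline stays consistent
#            with the rest of the script.
#######################################
kill_matching() {
  busybox ps -ef | busybox grep -v grep | busybox egrep "$1" \
    | busybox awk '{print $1}' | busybox xargs -r busybox kill -9
}

# Stop cron first, presumably so the worm's cron entries cannot re-launch it
# while files are being removed; cron is restarted at the end.
service crond stop

# Drop the preload hook and the hooking library. The preload file may be
# immutable (the original script ran chattr -i on it); clear the attribute on
# the library too in case it is set there, then remove both.
chattr -i /etc/ld.so.preload /usr/local/lib/libcset.so
busybox rm -f /etc/ld.so.preload
busybox rm -f /usr/local/lib/libcset.so

# Clean up malicious processes
kill_matching 'ksoftirqds'
kill_matching 'kthrotlds'

# Remove the dropped binary, cron entries and init scripts.
# NOTE: /var/spool/cron/root and /var/spool/cron/crontabs/root are root's
# entire crontab, legitimate entries included -- keep a copy before running.
busybox rm -f /tmp/kthrotlds
busybox rm -f /etc/cron.d/tomcat
busybox rm -f /etc/cron.d/root
busybox rm -f /var/spool/cron/root
busybox rm -f /var/spool/cron/crontabs/root
busybox rm -f /etc/rc.d/init.d/kthrotlds
busybox rm -f /usr/sbin/kthrotlds
busybox rm -f /etc/init.d/netdns
ldconfig

# Clean up malicious processes again (anything re-spawned meanwhile)
kill_matching 'ksoftirqds'
kill_matching 'kthrotlds'

# Clean up the boot entry. The original used an en dash (`–del`), which
# chkconfig does not recognise; the option is `--del`.
chkconfig netdns off
chkconfig --del netdns

service crond start
echo "Done, Please reboot!"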