Notes from cleaning a cryptominer off a server
阿新 • Published: 2022-04-12
-
First, while watching GPU processes with watch -n 1 nvidia-smi, I noticed several cards pinned at 100% utilization. The process table nvidia-smi prints gives the PID of whatever is using each card.
-
Using that PID, I went looking for where the script lived:

```sh
ll /proc/<pid>               # /proc/<pid>/exe and /proc/<pid>/cwd point at the real binary and its working directory
cd /tmp/.dev                 # found python3 script code in this directory
# so I did the following two things:
kill -9 <pid>                # kill the process
rm -rf /tmp/.dev/python3     # delete the script
```

nvidia-smi looked normal again and I thought the problem was happily solved, but a while later the card was back at 100%. A search on Baidu turned up the usual explanation, a scheduled task, and I also noticed that the process had a parent that had not been killed:

```sh
cat /proc/<pid>/status       # the PPid: line gives the parent of the child
kill -9 <PPID>
crontab -l                   # list the current schedule
```

That did not help either: there was no scheduled entry under root. Two caveats worth knowing here. crontab -l only shows the calling user's table; every other user's table lives under /var/spool/cron (crontabs/ on Debian), and /etc/crontab, /etc/cron.d and systemd timers are further places to look. Kill order matters too: kill the parent first, otherwise it respawns the child before you get to it, and a process keeps running after its binary is deleted (the exe link then reads "(deleted)").

In /tmp/.dev:

```sh
ll -a                        # the files belonged to test and were created on April 30
```

So I went hunting for anything named test or created around April 30:

```sh
find / -name test            # everything named test
find /etc -mtime 12          # files modified between 12 and 13 days ago (-mtime -13 for anything within 13 days)
```

That finally turned up the script in /var/tmp, and a whole set of scheduled-task files in /var/spool, among them a Makefile that gave me a start (see part 3 below). In /home/server/user/test I found the mining program PhoenixMiner, so the miner evidently got onto the server through the test account. /root/.ssh/known_hosts also carried an entry for 10.80.0.3, which I have to admit impressed me. I first read that as a planted passwordless login, but known_hosts only records the host keys of machines this server has connected to: the entry means an SSH connection was opened as root from this server to 10.80.0.3. Inbound passwordless access is granted by ~/.ssh/authorized_keys, which is the file to check, for root and for test alike. netstat -ntu showed recent connections to the same IP. Whether that IP is the attacker's own machine or another compromised host, I cannot tell.
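As an added example (not code from the original post), here is a small POSIX shell triage script that turns the steps above into repeatable checks: it resolves a PID to its real binary and working directory, walks the parent chain so the launcher is killed before the child, lists every user's crontab rather than only root's, lists authorized_keys files (the file that actually grants inbound SSH access), and finds files a given account recently modified. PROC_ROOT, CRON_SPOOL, HOME_ROOT and ROOT_HOME are assumed environment overrides so it can be exercised against a constructed directory tree; on a real host leave them unset.

```shell
#!/bin/sh
# Added example (not code from the original post): a triage sweep for the
# procedure above. PROC_ROOT, CRON_SPOOL, HOME_ROOT and ROOT_HOME are assumed
# environment overrides so the functions can run against a constructed tree;
# on a live host they default to the real locations.
PROC_ROOT=${PROC_ROOT:-/proc}
CRON_SPOOL=${CRON_SPOOL:-/var/spool/cron}   # Debian: per-user tables in crontabs/
HOME_ROOT=${HOME_ROOT:-/home}
ROOT_HOME=${ROOT_HOME:-/root}

# Where the binary behind a PID really lives and what started it. An exe link
# ending in "(deleted)" means the file was removed while the process kept
# running, which is the state after rm -rf without killing the right PID.
describe_pid() {
    printf 'pid=%s exe=%s cwd=%s cmd=%s\n' "$1" \
        "$(readlink "$PROC_ROOT/$1/exe" 2>/dev/null || echo '?')" \
        "$(readlink "$PROC_ROOT/$1/cwd" 2>/dev/null || echo '?')" \
        "$(tr '\000' ' ' 2>/dev/null < "$PROC_ROOT/$1/cmdline")"
}

# Parent PID, read from the same /proc/<pid>/status the post cats by hand.
ppid_of() {
    awk '/^PPid:/ { print $2; exit }' "$PROC_ROOT/$1/status" 2>/dev/null
}

# Ancestry of a PID, top-most first, stopping below PID 1. The miner above
# came back because only the leaf was killed; this list is what to kill, in
# this order, so the launcher cannot respawn its child.
ancestry() {
    pid=$1 chain=""
    while [ -n "$pid" ] && [ "$pid" -gt 1 ] 2>/dev/null; do
        chain="$pid${chain:+ $chain}"
        pid=$(ppid_of "$pid")
    done
    printf '%s\n' "$chain"
}

# Show the chain; only act when KILL=1 so it can be reviewed first.
kill_chain() {
    for p in $(ancestry "$1"); do
        describe_pid "$p"
        if [ "${KILL:-0}" = 1 ]; then kill -9 "$p" 2>/dev/null; fi
    done
}

# Every user's crontab, not only root's: "crontab -l" run as root shows only
# root's table, which is how the test user's entries were missed above.
list_crontabs() {
    for f in "$CRON_SPOOL"/* "$CRON_SPOOL"/crontabs/*; do
        [ -f "$f" ] || continue
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" |
            sed "s|^|$(basename "$f"): |"
    done
}

# Inbound key access is granted by authorized_keys; known_hosts only records
# hosts this machine connected to. Print file, key type and comment.
list_authorized_keys() {
    for f in "$ROOT_HOME"/.ssh/authorized_keys "$HOME_ROOT"/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        awk -v f="$f" 'NF && $1 !~ /^#/ { print f ": " $1 " " $3 }' "$f"
    done
}

# Files a given account modified within the last N days under the given roots
# (the real payload above sat in /var/tmp and /var/spool, not in /tmp).
recent_files_of() {   # recent_files_of <user> <days> <root>...
    u=$1 d=$2; shift 2
    find "$@" -xdev -type f -user "$u" -mtime "-$d" 2>/dev/null
}

# Stand-alone use: sudo TRIAGE_PID=<pid> sh triage.sh   (add KILL=1 to act)
if [ -n "${TRIAGE_PID:-}" ]; then
    owner=$(stat -c %U "$PROC_ROOT/$TRIAGE_PID")
    echo "== process chain =="; kill_chain "$TRIAGE_PID"
    echo "== crontabs =="; list_crontabs
    echo "== authorized_keys =="; list_authorized_keys
    echo "== files of $owner changed in the last 7 days =="
    recent_files_of "$owner" 7 /tmp /var/tmp /var/spool /home
fi
```

Run it as root with TRIAGE_PID set to the PID nvidia-smi reports, and add KILL=1 only after reviewing the printed chain. It deliberately stops below PID 1, and it does not read /etc/crontab, /etc/cron.d or systemd timers, which need the same look by hand.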
-
The Makefile, for inspection. At first glance it looks like a script that harvests the server's users, passwords and groups, but its header identifies it: it is the stock GNU C Library Makefile shipped for the db NSS backend (on Debian/Ubuntu it lives at /var/db/Makefile, from libnss-db), which rebuilds the /var/db/*.db copies of /etc/passwd, /etc/group, /etc/shadow and the other system databases. It does read /etc/shadow, but only root can run it and the shadow.db it writes stays root- or shadow-group-readable. A copy turning up in /var/spool is still out of place; the useful check is to diff it against the package's own copy (dpkg -S or rpm -qf on the original tells you which package owns it) rather than to treat the file itself as the credential stealer.
```makefile
# Makefile to (re-)generate db versions of system database files.
# Copyright (C) 1996-2013 Free Software Foundation, Inc.
# This file is part of the GNU C Library.
# Contributed by Ulrich Drepper <[email protected]>, 1996.
#
# The GNU C Library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# The GNU C Library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with the GNU C Library; if not, see
# <http://www.gnu.org/licenses/>.

DATABASES = $(wildcard /etc/passwd /etc/group /etc/ethers /etc/protocols \
		       /etc/rpc /etc/services /etc/shadow /etc/gshadow \
		       /etc/netgroup)

VAR_DB = /var/db

AWK = awk
MAKEDB = makedb --quiet

all: $(patsubst %,$(VAR_DB)/%.db,$(notdir $(DATABASES)))


$(VAR_DB)/passwd.db: /etc/passwd
	@echo -n "$(patsubst %.db,%,$(@F))... "
	@$(AWK) 'BEGIN { FS=":"; OFS=":" } \
		 /^[ \t]*$$/ { next } \
		 /^[ \t]*#/ { next } \
		 /^[^#]/ { printf ".%s ", $$1; print; \
			   printf "=%s ", $$3; print }' $^ | \
	$(MAKEDB) -o $@ -
	@echo "done."

$(VAR_DB)/group.db: /etc/group
	@echo -n "$(patsubst %.db,%,$(@F))... "
	@$(AWK) 'BEGIN { FS=":"; OFS=":" } \
		 /^[ \t]*$$/ { next } \
		 /^[ \t]*#/ { next } \
		 /^[^#]/ { printf ".%s ", $$1; print; \
			   printf "=%s ", $$3; print; \
			   if ($$4 != "") { \
			     split($$4, grmems, ","); \
			     for (memidx in grmems) { \
			       mem=grmems[memidx]; \
			       if (members[mem] == "") \
				 members[mem]=$$3; \
			       else \
				 members[mem]=members[mem] "," $$3; \
			     } \
			     delete grmems; } } \
		 END { for (mem in members) \
			 printf ":%s %s %s\n", mem, mem, members[mem]; }' $^ | \
	$(MAKEDB) -o $@ -
	@echo "done."

$(VAR_DB)/ethers.db: /etc/ethers
	@echo -n "$(patsubst %.db,%,$(@F))... "
	@$(AWK) '/^[ \t]*$$/ { next } \
		 /^[ \t]*#/ { next } \
		 /^[^#]/ { printf ".%s ", $$1; print; \
			   printf "=%s ", $$2; print }' $^ | \
	$(MAKEDB) -o $@ -
	@echo "done."

$(VAR_DB)/protocols.db: /etc/protocols
	@echo -n "$(patsubst %.db,%,$(@F))... "
	@$(AWK) '/^[ \t]*$$/ { next } \
		 /^[ \t]*#/ { next } \
		 /^[^#]/ { printf ".%s ", $$1; print; \
			   printf "=%s ", $$2; print; \
			   for (i = 3; i <= NF && !($$i ~ /^#/); ++i) \
			     { printf ".%s ", $$i; print } }' $^ | \
	$(MAKEDB) -o $@ -
	@echo "done."

$(VAR_DB)/rpc.db: /etc/rpc
	@echo -n "$(patsubst %.db,%,$(@F))... "
	@$(AWK) '/^[ \t]*$$/ { next } \
		 /^[ \t]*#/ { next } \
		 /^[^#]/ { printf ".%s ", $$1; print; \
			   printf "=%s ", $$2; print; \
			   for (i = 3; i <= NF && !($$i ~ /^#/); ++i) \
			     { printf ".%s ", $$i; print } }' $^ | \
	$(MAKEDB) -o $@ -
	@echo "done."

$(VAR_DB)/services.db: /etc/services
	@echo -n "$(patsubst %.db,%,$(@F))... "
	@$(AWK) 'BEGIN { FS="[ \t/]+" } \
		 /^[ \t]*$$/ { next } \
		 /^[ \t]*#/ { next } \
		 /^[^#]/ { sub(/[ \t]*#.*$$/, "");\
			   printf ":%s/%s ", $$1, $$3; print; \
			   printf ":%s/ ", $$1; print; \
			   printf "=%s/%s ", $$2, $$3; print; \
			   printf "=%s/ ", $$2; print; \
			   for (i = 4; i <= NF && !($$i ~ /^#/); ++i) \
			     { printf ":%s/%s ", $$i, $$3; print; \
			       printf ":%s/ ", $$i; print } }' $^ | \
	$(MAKEDB) -o $@ -
	@echo "done."

$(VAR_DB)/shadow.db: /etc/shadow
	@echo -n "$(patsubst %.db,%,$(@F))... "
	@$(AWK) 'BEGIN { FS=":"; OFS=":" } \
		 /^[ \t]*$$/ { next } \
		 /^[ \t]*#/ { next } \
		 /^[^#]/ { printf ".%s ", $$1; print }' $^ | \
	(umask 077 && $(MAKEDB) -o $@ -)
	@echo "done."
	@if chgrp shadow $@ 2>/dev/null; then \
	  chmod g+r $@; \
	else \
	  chown 0 $@; chgrp 0 $@; chmod 600 $@; \
	  echo; \
	  echo "Warning: The shadow password database $@"; \
	  echo "has been set to be readable only by root.  You may want"; \
	  echo "to make it readable by the \`shadow' group depending"; \
	  echo "on your configuration."; \
	  echo; \
	fi

$(VAR_DB)/gshadow.db: /etc/gshadow
	@echo -n "$(patsubst %.db,%,$(@F))... "
	@$(AWK) 'BEGIN { FS=":"; OFS=":" } \
		 /^[ \t]*$$/ { next } \
		 /^[ \t]*#/ { next } \
		 /^[^#]/ { printf ".%s ", $$1; print }' $^ | \
	(umask 077 && $(MAKEDB) -o $@ -)
	@echo "done."
	@if chgrp shadow $@ 2>/dev/null; then \
	  chmod g+r $@; \
	else \
	  chown 0 $@; chgrp 0 $@; chmod 600 $@; \
	  echo; \
	  echo "Warning: The shadow group database $@"; \
	  echo "has been set to be readable only by root.  You may want"; \
	  echo "to make it readable by the \`shadow' group depending"; \
	  echo "on your configuration."; \
	  echo; \
	fi

$(VAR_DB)/netgroup.db: /etc/netgroup
	@echo -n "$(patsubst %.db,%,$(@F))... "
	@$(AWK) 'BEGIN { ini=1 } \
		 /^[ \t]*$$/ { next } \
		 /^[ \t]*#/ { next } \
		 /^[^#]/ { if (sub(/[ \t]*\\$$/, " ") == 0) end="\n"; \
			   else end=""; \
			   gsub(/[ \t]+/, " "); \
			   sub(/^[ \t]*/, ""); \
			   if (ini == 0) printf "%s%s", $$0, end; \
			   else printf ".%s %s%s", $$1, $$0, end; \
			   ini=end == "" ? 0 : 1; } \
		 END { if (ini==0) printf "\n" }' $^ | \
	$(MAKEDB) -o $@ -
	@echo "done."
```
-
Finally, I deleted every file found in part 2, reported the incident to the network management centre, and installed antivirus software. That closed the matter for now. One caveat for anyone in the same spot: removing the payload without closing the path it came in through (the test account, its password, and any key in its authorized_keys) only buys time, and a machine on which an attacker had planted persistence as root is safer rebuilt than cleaned.