文章详情

短信预约-IT技能 免费直播动态提醒

请输入下面的图形验证码

提交验证

短信预约提醒成功

码农的黑客反击战(二)

2023-01-31 08:19

关注

前言

最近阿里云的服务器被黑客黑了做成了肉鸡,上传一次发现专门清理过一次(http://www.toutiao.com/i63432...),当时就感觉可能没有清除干净,果然,后面几天每天都会收到阿里云的报警短信,具体症状主要是ssh客户端连接不上,登录阿里云控制台重启之后就可以连,但几个小时后上面跑的服务倒是正常的。所以一直也没有顾上管,今天抽空又去清理了一次。

处理

1.处理云后台报警信息:
根据云后台报警信息,提示有后门程序存在,根据提示查找相应目录,找到后门程序并删除:

root@iZ25lwdric8Z:/usr/bin# pyth pythno python python2 python2.7 python3 python3.4 python3.4m python3m
root@iZ25lwdric8Z:/usr/bin/bsd-port# ls knerl knerl.conf

2.删除感染文件
在阿里云的后台警告里还发现有下载病毒文件的提示,根据提示查找相应文件。 [图片] 后来在boot目录下发现一堆异常文件,全部删除。

/boot abi-3.13.0-32-generic -rwxr-xr-x 1 root root 274808 Oct 7 15:53 aozxzdbfis* -rwxr-xr-x 1 root root 274808 Oct 15 19:37 bbavuhdmri* -rwxr-xr-x 1 root root 0 Oct 15 20:00 bgnqzgbufn* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 bumcwykrjj* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 cnpplnjcdd* -rw-r--r-- 1 root root 75 Oct 31 12:32 conf.n -rwxr-xr-x 1 root root 274808 Oct 7 15:53 dwneynlzyw* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 efrmetpcgd* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 egxrqjimuy* -rwxr-xr-x 1 root root 4096 Oct 15 18:24 extmulioke* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 eyhzuvhhij* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 fgbioungdb* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 fhuggtmbig* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 fjxgrbljjd* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 fkmnpxquvu* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 godghrbbwy* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 gsugoboncy* -rwxr-xr-x 1 root root 0 Oct 15 20:41 gwexawpbty* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 hlkzmtramm* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 hygzlbpcfz* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 iamglpkedb* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 iavtgffmgw* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 ighesktgdm* -rwxrwxrwx 1 root root 1135000 Oct 22 10:11 iss* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jalbglrytg* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 jeygefcens* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jtswtstxcr* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jutumokmfy* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jyajufvmib* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 keuvizznlm* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 khlcattweq* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 kiwwpjblkl* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 kmrwbpxybh* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 llybvcogsm* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 lsubdmnzih* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 mafvoardpz* -rwxr-xr-x 1 root root 274808 Oct 15 17:45 nimtgldgak* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nmcqjdvbnh* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nnejyawlfq* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nptabkovas* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nuwwochtfg* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 nxzytjppby* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 oszqgzlqxf* -rwxr-xr-x 1 root root 0 Oct 15 20:49 oyowzphnsm* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 oznxksrmyy* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 pfwzluoxiu* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 pjpjgogzgo* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 puqatevzxr* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 qiayvbpmyn* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 raqifowtpw* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 rczvtbutzz* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 rftjduumvo* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 rgfyuwrcqd* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 sqvaooipmd* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 svszkutrqk* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 szfecatvio* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 thiibkmxvd* -rwxr-xr-x 1 root root 274808 Oct 15 17:08 tyudkxnzrs* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 umalggzxer* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 umuoguvill* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 uwmxnnrjvf* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 vaidcxajat* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 vsoiostmjo* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 wflcktfpdt* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 wgswdcxppz* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 wljgdutvlw* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 ydeferhoaj* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 ysjmydgyhg* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 zvyfyvqbse*

找到并删除下载的病毒文件iss,删除时提示没有操作权限,修改文件权限后正常删除。

root@iZ25lwdric8Z:/boot# rm -f iss rm: cannot remove ‘iss’: Operation not permitted
root@iZ25lwdric8Z:/boot# lsattr iss ----i--------e-- iss
root@iZ25lwdric8Z:/boot# chattr -i iss root@iZ25lwdric8Z:/boot# lsattr iss -------------e-- iss root@iZ25lwdric8Z:/boot# rm -f iss

3.处理肉鸡行为
码农的黑客反击战(二)

前几天阿里云后台还报警过肉鸡行为,继续找系统里可疑的文件,后来在启动文件rc.local中发现最后一行DDosClient命令,很明显,这应该是被人当做肉鸡,用来发起DDos攻击。删除。

PATH=/sbin:/usr/sbin:/bin:/usr/bin
. /lib/init/vars.sh . /lib/lsb/init-functions
do_start() { if [ -x /etc/rc.local ]; then [ "$VERBOSE" != no ] && log_begin_msg "Running local boot scripts (/etc/rc.local)" /etc/rc.local ES=$? [ "$VERBOSE" != no ] && log_end_msg $ES return $ES fi }
case "$1" in start) do_start ;; restart|reload|force-reload) echo "Error: argument '$1' not supported" >&2 exit 3 ;; stop) ;; *) echo "Usage: $0 start|stop" >&2 exit 3 ;; esacDDosClient &

然后在文件系统中查找DDosClient文件,并删除

root@iZ25lwdric8Z:/# find -name DDosClient ./opt/dt/DDosClient

4.使用杀毒软件
下载杀毒软件,使用杀毒软件再清理一次。ClamAV安装说明。全盘扫描后,果然发现17个被感染文件。

----------- SCAN SUMMARY ----------- Known viruses: 5018129 Engine version: 0.99.2 Scanned directories: 50605 Scanned files: 215736 Infected files: 17 Total errors: 14166 Data scanned: 13729.61 MB Data read: 16311.49 MB (ratio 0.84:1) Time: 1933.999 sec (32 m 13 s)
这些是被删除的感染文件。
/var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/ps: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/ps: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/netstat: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/netstat: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/bsd-port/getty: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/bsd-port/getty: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/.sshd: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/.sshd: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/lsof: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/lsof: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/etc/aipok: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/etc/aipok: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/ps: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/ps: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/netstat: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/netstat: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/A2: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/A2: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/fu: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/fu: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/ltma: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/ltma: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/bsd-port/getty: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/bsd-port/getty: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/.sshd: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/.sshd: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/lsof: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/lsof: Removed.

后记

经过这次清理,也不敢保证已经完全清理干净了。上次清理完安装了防火墙,这次查看也没有发现异常。后继继续观察。

阅读原文内容投诉

免责声明:

① 本站未注明“稿件来源”的信息均来自网络整理。其文字、图片和音视频稿件的所属权归原作者所有。本站收集整理出于非商业性的教育和科研之目的,并不意味着本站赞同其观点或证实其内容的真实性。仅作为临时的测试数据,供内部测试之用。本站并未授权任何人以任何方式主动获取本站任何信息。

② 本站未注明“稿件来源”的临时测试数据将在测试完成后最终做删除处理。有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341

软考中级精品资料免费领

  • 历年真题答案解析
  • 备考技巧名师总结
  • 高频考点精准押题
  • 2024年上半年信息系统项目管理师第二批次真题及答案解析(完整版)

    难度     813人已做
    查看
  • 【考后总结】2024年5月26日信息系统项目管理师第2批次考情分析

    难度     354人已做
    查看
  • 【考后总结】2024年5月25日信息系统项目管理师第1批次考情分析

    难度     318人已做
    查看
  • 2024年上半年软考高项第一、二批次真题考点汇总(完整版)

    难度     435人已做
    查看
  • 2024年上半年系统架构设计师考试综合知识真题

    难度     224人已做
    查看

相关文章

发现更多好内容

猜你喜欢

AI推送时光机
位置:首页-资讯-后端开发
咦!没有更多了?去看看其它编程学习网 内容吧
首页课程
资料下载
问答资讯