一、症状及表现
1、CPU使用率异常,top命令显示CPU统计数数据均为0,利用busybox 查看CPU占用率之后,发现CPU被大量占用。
注:ls top ps等命令已经被病毒的动态链接库劫持,无法正常使用,大家需要下载busybox。
2、crontab 定时任务异常,存在以下内容;
3、后期病毒变异,劫持sshd,导致远程登陆失败,偶尔还会跳出定时任务失败,收到新邮件等问题
4、 存在异常文件、异常进程以及异常开机项
二、查杀方法
1、断网,停止定时任务服务;
2、查杀病毒主程序,以及保护病毒的其他进程;
3、恢复被劫持的动态链接库和开机服务;
4、重启服务器和服务;
附查杀脚本(根据情况修改)
(脚本参考(https://blog.csdn.net/u010457406/article/details/89328869))
1 #!/bin/bash
2 #可以重复执行几次,防止互相拉起导致删除失败
3
4 function installBusyBox(){
5 #参考第一段
6 busybox|grep BusyBox |grep v
7 }
8
9 function banHosts(){
10 #删除免密认证,防止继续通过ssh进行扩散,后续需自行恢复,可不执行
11 busybox echo “” > /root/.ssh/authorized_keys
12 busybox echo “” > /root/.ssh/id_rsa
13 busybox echo “” > /root/.ssh/id_rsa.pub
14 busybox echo “” > /root/.ssh/known_hosts
15 #busybox echo “” > /root/.ssh/auth
16 #iptables -I INPUT -p tcp --dport 445 -j DROP
17 busybox echo -e “\n0.0.0.0 pastebin.com\n0.0.0.0 thyrsi.com\n0.0.0.0 systemten.org” >> /etc/hosts
18 }
19
20
21 function fixCron(){
22 #修复crontab
23 busybox chattr -i /etc/cron.d/root 2>/dev/null
24 busybox rm -f /etc/cron.d/root
25 busybox chattr -i /var/spool/cron/root 2>/dev/null
26 busybox rm -f /var/spool/cron/root
27 busybox chattr -i /var/spool/cron/tomcat 2>/dev/null
28 busybox rm -f /var/spool/cron/tomcat
29 busybox chattr -i /var/spool/cron/crontabs/root 2>/dev/null
30 busybox rm -f /var/spool/cron/crontabs/root
31 busybox rm -rf /var/spool/cron/tmp.*
32 busybox rm -rf /var/spool/cron/crontabs
33 busybox touch /var/spool/cron/root
34 busybox chattr +i /var/spool/cron/root
35 }
36
37 function killProcess(){
38 #修复异常进程
39 #busybox ps -ef | busybox grep -v grep | busybox grep ‘khugepageds’ | busybox awk ‘{print $1}’ |busybox sed “s/root//g” | busybox xargs kill -9 2>/dev/null
40 #busybox ps -ef | busybox grep -v grep | busybox egrep ‘ksoftirqds’ | busybox awk ‘{print $1}’ |busybox sed “s/root//g” | busybox xargs kill -9 2>/dev/null
41 #busybox ps -ef | busybox grep -v grep | busybox egrep ‘kthrotlds’ | busybox awk ‘{print $1}’ |busybox sed “s/root//g” | busybox xargs kill -9 2>/dev/null
42 #busybox ps -ef | busybox grep -v grep | busybox egrep ‘kpsmouseds’ | busybox awk ‘{print $1}’ |busybox sed “s/root//g” | busybox xargs kill -9 2>/dev/null
43 #busybox ps -ef | busybox grep -v grep | busybox egrep ‘kintegrityds’ | busybox awk ‘{print $1}’ |busybox sed “s/root//g” | busybox xargs kill -9 2>/dev/null
44 busybox ps -ef | busybox grep -v grep | busybox grep ‘/usr/sbin/kerberods’ | busybox awk ‘{print $1}’ |busybox sed “s/root//g” | busybox xargs kill -9 2>/dev/null
45 busybox ps -ef | busybox grep -v grep | busybox grep ‘/usr/sbin/sshd’ | busybox awk ‘{print $1}’ |busybox sed “s/root//g” | busybox xargs kill -9 2>/dev/null
46 busybox ps -ef | busybox grep -v grep | busybox egrep ‘/tmp/kauditds’ | busybox awk ‘{print $1}’ |busybox sed “s/root//g” | busybox xargs kill -