Linux.Siggen.180

最新推荐文章于 2024-05-03 12:35:43 发布

weixin_30622107

最新推荐文章于 2024-05-03 12:35:43 发布

阅读量98

点赞数

文章标签：运维数据库

原文链接：http://www.cnblogs.com/mikeguan/p/8377822.html

版权

from: https://vms.drweb.com/virus/?i=15455134&lng=en

Linux.Siggen.180
Added to Dr.Web virus database: 2017-07-05
Virus description was added: 2017-07-05

Technical Information

To ensure autorun and distribution:

Creates or modifies the following files:

/etc/init.d/acpidtd
/etc/rc.d/rc*.d/S01acpidtd

Creates or modifies the following symlinks:

/etc/rc0.d/S01acpidtd
/etc/rc1.d/S01acpidtd
/etc/rc2.d/S01acpidtd
/etc/rc3.d/S01acpidtd
/etc/rc4.d/S01acpidtd
/etc/rc5.d/S01acpidtd
/etc/rc6.d/S01acpidtd

Malicious functions:

Launches itself as a daemon
Replaces the following system files:

/bin/ss
/bin/netstat

Launches processes:

sh -c /tmp/tmpnam_PGNdDO upgrade;sleep 1;rm -f /tmp/tmpnam_PGNdDO
/tmp/tmpnam_PGNdDO upgrade
/bin/sh ##which ss 1>/dev/null 2>&1
which ss
/bin/sh ##which ss
/bin/sh ##which netstat 1>/dev/null 2>&1
which netstat
/bin/sh ##chattr -i /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc*.d/S01acpidtd /bin/ss /bin/scss /bin/netstat /bin/scnetstat 1>/dev/null 2>&1
chattr -i /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc*.d/S01acpidtd /bin/ss /bin/scss /bin/netstat /bin/scnetstat
/bin/sh ##cp -f /tmp/tmpnam_PGNdDO /bin/ddus-uidge
cp -f /tmp/tmpnam_PGNdDO /bin/ddus-uidgen
cp -f /bin/ddus-uidgen /etc/init.d/acpidtd
/bin/sh ##chmod +x /bin/scss 1>/dev/null 2>&1;
chmod +x /bin/scss
##cp -f /tmp/tmpnam_PGNdDO /bin/ss 1>/dev/null 2>&1;touch -r /bin/sh /bin/ss /bin/scss 1>/dev/null 2>&1;
ln -fs /etc/init.d/acpidtd /etc/rc0.d/S01acpidtd
cp -f /tmp/tmpnam_PGNdDO /bin/ss
ln -fs /etc/init.d/acpidtd /etc/rc1.d/S01acpidtd
ln -fs /etc/init.d/acpidtd /etc/rc2.d/S01acpidtd
ln -fs /etc/init.d/acpidtd /etc/rc3.d/S01acpidtd
touch -r /bin/sh /bin/ss /bin/scss
ln -fs /etc/init.d/acpidtd /etc/rc4.d/S01acpidtd
ln -fs /etc/init.d/acpidtd /etc/rc5.d/S01acpidtd
ln -fs /etc/init.d/acpidtd /etc/rc6.d/S01acpidtd
ln -fs /etc/init.d/acpidtd /etc/rc.d/rc0.d/S01acpidtd
ln -fs /etc/init.d/acpidtd /etc/rc.d/rc1.d/S01acpidtd
ln -fs /etc/init.d/acpidtd /etc/rc.d/rc2.d/S01acpidtd
ln -fs /etc/init.d/acpidtd /etc/rc.d/rc3.d/S01acpidtd
ln -fs /etc/init.d/acpidtd /etc/rc.d/rc4.d/S01acpidtd
ln -fs /etc/init.d/acpidtd /etc/rc.d/rc5.d/S01acpidtd
/bin/sh ##chattr +i /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc*.d/S01acpidtd /bin/ss /bin/scss /bin/netstat /bin/scnetstat 1>/dev/null 2>&1
ln -fs /etc/init.d/acpidtd /etc/rc.d/rc6.d/S01acpidtd
chattr +i /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc*.d/S01acpidtd /bin/ss /bin/scss /bin/netstat /bin/scnetstat
touch -r /bin/sh /bin/ddus-uidgen /etc/init.d/acpidtd /etc/rc.d/rc*.d/S01acpidtd
/bin/sh ##chmod +x /bin/scnetstat 1>/dev/null 2>&1;
chmod +x /bin/scnetstat
##cp -f /tmp/tmpnam_PGNdDO /bin/netstat 1>/dev/null 2>&1;touch -r /bin/sh /bin/netstat /bin/scnetstat 1>/dev/null 2>&1;
cp -f /tmp/tmpnam_PGNdDO /bin/netstat
touch -r /bin/sh /bin/netstat /bin/scnetstat
sleep 1
rm -f /tmp/tmpnam_PGNdDO

Performs operations with the file system:

Modifies file access rights:

/tmp/tmpnam_PGNdDO
/bin/scss
/bin/scnetstat

Creates or modifies files:

/tmp/tmpnam_PGNdDO
/bin/ddus-uidgen
/bin/scss
/bin/scnetstat

Deletes files:

/tmp/tmpnam_PGNdDO

Network activity:

Establishes connection:

16#.##.30.212:3646
11#.##.33.59:2382
58.##.32.135:8534
22#.##.116.233:8414
22#.###.214.158:9803

DNS ASK:

12#.211
22#.204
wi###o1n3.pw

from: https://yq.aliyun.com/ask/57692

wipefs是linux自带的程序，用来擦除文件系统数据，也就是下面那个人回答的。正常的wipefs，路径在/usr/bin/wipefs，如果你没有做设置，不会自启动，也不会大量占用cpu。你可以看一下是否是 /bin/wipefs 进程，如果是，应该是你的机器被黑了，这是别人在你机器上放了挖矿程序。

此程序会：
1.进行挖矿计算，大量占用cpu。
2.复制自己到/bin/wipefs，创建服务/etc/init.d/wipefs，在 /etc/rc.d 和 /etc/rc.d/rc.d 中创建链接以实现开机启动。
3.释放子程序到 /bin/ddus-uidgen，创建服务/etc/init.d/acpidtd，并在 /etc/rc.d 和 /etc/rc.d/rc.d 中创建链接以实现开机启动。
4.修改/etc/resolv.conf, 可能是为其连接矿机服务的域名做服务。
5.修改/etc/crontab, 为自己创建定时任务，每天12点与0点开始执行。（所以你会发现第二天又启动了）

你需要做的:
1.删除 /etc/crontab 中的定时任务。
2.删除以下文件：

/bin/wipefs
/etc/init.d/wipefs
/bin/ddus-uidgen
/etc/init.d/acpidtd
/etc/rc0.d/S01wipefs
/etc/rc1.d/S01wipefs
/etc/rc2.d/S01wipefs
/etc/rc3.d/S01wipefs
/etc/rc4.d/S01wipefs
/etc/rc5.d/S01wipefs
/etc/rc6.d/S01wipefs
/etc/rc.d/rc0.d/S01wipefs
/etc/rc.d/rc1.d/S01wipefs
/etc/rc.d/rc2.d/S01wipefs
/etc/rc.d/rc3.d/S01wipefs
/etc/rc.d/rc4.d/S01wipefs
/etc/rc.d/rc5.d/S01wipefs
/etc/rc.d/rc6.d/S01wipefs
/etc/rc0.d/acpidtd
/etc/rc1.d/acpidtd
/etc/rc2.d/acpidtd
/etc/rc3.d/acpidtd
/etc/rc4.d/acpidtd
/etc/rc5.d/acpidtd
/etc/rc6.d/acpidtd
/etc/rc.d/rc0.d/acpidtd
/etc/rc.d/rc1.d/acpidtd
/etc/rc.d/rc2.d/acpidtd
/etc/rc.d/rc3.d/acpidtd
/etc/rc.d/rc4.d/acpidtd
/etc/rc.d/rc5.d/acpidtd
/etc/rc.d/rc6.d/acpidtd

检查机器漏洞，ssh权限，防火墙等，避免机器再次被攻击。

转载于:https://www.cnblogs.com/mikeguan/p/8377822.html

weixin_30622107

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
Linux.Siggen.180

from: https://vms.drweb.com/virus/?i=15455134&lng=enLinux.Siggen.180Added to Dr.Web virus database: 2017-07-05Virus description was added: 2017-07-05Technical InformationTo ensure autorun and...
复制链接

扫一扫