wnTKYg Process discovery
*
implement top
This process will be found .
wnTKYg It should be using redis Vulnerability intrusion , Added timed tasks , Send a request to a fixed address at a time , Caused by execution of mining procedure cpu And bandwidth increases , kill The process will restart automatically .
* inspect authorized_keys,known_hosts file [root@zfr ~]# cd /root/.ssh [root@zfr ~]#
cat authorized_keys [root@zfr ~]# cat known_hosts
See if I'm logged into my account , I didn't find anything I didn't know in these two documents IP, So I let go of these two documents .
* Find mining process
secondly , I want to find the path of the virus . Executed an order :
find / -name wnTKYg*
Or in top lower , Press C You can display the path .
Find this wnTKYg What's the procedure /tmp lower .
Dealing with mining viruses
direct kill Stop the process , I didn't find it 2 minute , And found out he's rebooted . So I guess if there are any daemons .
Keep watching top And /tmp Path of the file . I found out there was a problem ddg.2003,ddg.2004
Two strange programs . So it is judged that these two files may be daemons . After clearing, it is found that it will restart every few minutes . I guess there might be a scheduled task .
* Check timing task
Check the address of the first timing task :
vi /etc/crontab
I found that there was only my own time task in it .
I searched the full text crontab
find / -name crontabs find / -name crontab
So I found another path /var/spool/cron Very suspicious !
* see file
I looked at it first root file
/var/spool/cron/crontabs Folder root file
They all did a scheduled task , To a fixed IP Download one i.sh Script for .
I browsed this IP:
Found a virus and several scripts in it .
I downloaded this i.sh This script .
That is to add the scheduled task to the corresponding directory file . Time from IP Download script , Add execute permission to the daemons file .
I searched find / -name i.sh But the script was not found . I'll take these two root All the timing tasks in the file have been commented out .
Because I don't know if this program passed the scan /var/spool/cron/crontabs This path , To create a scheduled task , So I didn't delete it , It's just banned .
result
I'll try again kill The process and daemons of the virus , And put /tmp Delete the corresponding program under the path .
Observed top a span , The virus has not recurred for the time being .
Technology