Ubuntu: a record of removing a mining virus

This was the first time one of our servers was hacked and used for mining by someone else. With the help of professionals, the mining virus was found and removed. This post is just my own record; it may not apply to every situation, but I still hope it can be of some help.

  • Found the problem : a program was using a lot of GPU resources. I asked the owner of the account and found that it was not his program, and that it automatically restarted after being killed as root.
    This program takes up a lot of GPU resources, and the video memory usage on the different graphics cards is surprisingly uniform. Under normal circumstances a program run by a user occupies different amounts of video memory on different cards.
    In the ps aux output, the command of the program pointed at a folder. Anyone who has used conda knows that the python under bin is an executable file, not a folder, let alone a pytorch folder. Moreover, the anaconda3 folder does not exist at all; the server has miniconda3 installed. (My guess is that the intruder broke into other servers first, where anaconda3 really does exist on the older machines, assumed that all servers had anaconda3, and so disguised the program as something inside anaconda3.)
    In addition, the information I found online said that CPU usage is high when a machine is being used for mining, but the CPU usage of this server was not high while the GPU usage was very high. Considering that mining needs a lot of graphics card resources (a miner running on the GPU needs little CPU in the first place) and that the intruder may have disguised the CPU usage, I preliminarily concluded that the server had been hacked and used for mining, so I sought professional help.

  • Find the virus file :

    • Method 1 : Since the intruder disguised the program's name, it cannot be found simply by searching for that name. So start from the PID: look the process up under /proc (the exe, cwd and cmdline entries of /proc/<PID> give the real binary, working directory and command line, and unlike the name in ps they cannot be faked by the program) and from there find the key path.
      Listing all the virus files, the keyword miner stands out.
      Looking further into the files, keywords such as ETH (Ethereum), POOL and WALLET appear: conclusive proof that this is a mining virus.
      In addition, looking at the run file shows how the virus file is disguised.
    • Method 2 : Considering that the intruder may hide the virus program in some way, here we locate the virus file by checking the users' scheduled tasks: because the virus process may get killed, and the intruder will not start it by hand every time, it is almost certainly set to start automatically. The command to view a user's scheduled tasks is crontab -l.
      To check whether there are multiple copies of the virus file on the server, the scheduled tasks of all users can be listed at once with:
    for u in $(cut -d: -f1 /etc/passwd)
    do
        echo "== $u"
        crontab -l -u "$u" 2>/dev/null    # prints nothing for users without a crontab
    done
      Note that crontab -l only shows per-user crontabs; /etc/crontab and the files in /etc/cron.d are worth a look as well.
    
    • Method 3 : Try to locate unique keywords in the virus files, such as "miner":
    updatedb
    locate miner
    
    # locate does not index paths such as /dev/shm (tmpfs is excluded by updatedb.conf), so to be safe also use find, which is much slower
    # find / -iname '*miner*' 2>/dev/null
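The three methods above, as an added example that is not part of the original post: a few POSIX shell helpers that check whether the path a process claims in argv[0] is really an executable (the fake "python" folder from the post would fail this check), read the kernel's own record of the process under /proc, grep a suspicious directory for mining keywords, and list the cron entries of every account together with the system crontabs. The keyword list, the /proc fields shown and the cron paths are assumptions about a typical Ubuntu host.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for a process
# that hides behind a fake conda path. Keyword list and cron paths are
# assumptions about a typical Ubuntu host.

# Does the path a process claims in argv[0] really point at an executable?
# Prints ok | directory | missing | not-executable; returns 1 unless ok.
# A miner started as ".../anaconda3/bin/python" where that "python" is a
# folder, as in the post, shows up here as "directory".
check_cmd_path() {
    p=$1
    if [ -d "$p" ]; then echo directory; return 1; fi
    if [ ! -e "$p" ]; then echo missing; return 1; fi
    if [ ! -x "$p" ]; then echo not-executable; return 1; fi
    echo ok
}

# The kernel's record of a running process. /proc/<pid>/exe cannot be faked
# by renaming argv[0]; a trailing "(deleted)" means the binary was unlinked
# after start, a common miner trick. Reading other users' entries needs root.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    printf 'exe  : %s\n' "$(readlink "/proc/$pid/exe")"
    printf 'cwd  : %s\n' "$(readlink "/proc/$pid/cwd")"
    printf 'cmd  : %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
    argv0=$(tr '\0' '\n' < "/proc/$pid/cmdline" | head -n 1)
    printf 'argv0: %s -> %s\n' "$argv0" "$(check_cmd_path "$argv0" || true)"
}

# Files under a directory that mention mining-related words (case-insensitive).
# Prints the matching file names; returns 1 if anything matched, 0 if clean.
scan_keywords() {
    dir=$1
    hits=$(grep -rliE 'stratum|pool|wallet|miner|xmrig|ethash' "$dir" 2>/dev/null || true)
    if [ -n "$hits" ]; then
        echo "$hits"
        return 1
    fi
    return 0
}

# Cron entries for every account, plus the system-wide files that
# `crontab -l` never shows. Needs root to read other users' crontabs.
list_all_crontabs() {
    while IFS=: read -r u _; do
        crontab -l -u "$u" 2>/dev/null | sed "s/^/[$u] /"
    done < /etc/passwd
    cat /etc/crontab /etc/cron.d/* 2>/dev/null
}

# Usage on a suspicious PID, e.g. the one nvidia-smi or top points at:
#   inspect_pid 12345
#   scan_keywords "$(readlink /proc/12345/cwd)"
#   list_all_crontabs | grep -v '^#'
```

Run inspect_pid on the suspicious PID before killing anything: the exe link survives even if the process later disappears from ps, and the cwd is usually where the rest of the miner's files live.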
    
  • Countermeasures :

  1. Delete the entire virus folder (the fake python directory), kill the related PIDs, and delete the related scheduled task (with crontab -e, or with crontab -r if it is the only scheduled task). Remove the scheduled task first and kill the process afterwards, otherwise cron will start it again while you are still cleaning up.

  2. Change the passwords of all users and enforce a minimum password complexity (pam_cracklib can be used for this).

  3. Remove sudo privileges from all users except administrators

    admin="root,sudo,%sudo"   # administrator accounts to keep (the first three must not be removed)
    is_admin() { printf '%s\n' "$admin" | tr ',' '\n' | grep -qx -- "$1"; }   # exact match, so "roo" is not accepted as "root"

    # accounts granted sudo directly in /etc/sudoers or /etc/sudoers.d: removing them from
    # the sudo group does nothing for these, the line itself has to go (edit with visudo)
    for i in $(grep -h "ALL=(ALL:ALL) ALL" /etc/sudoers /etc/sudoers.d/* 2>/dev/null | awk '{print $1}')
    do
        echo "$i"
        if ! is_admin "$i"
        then
            echo "*** remove the sudoers line for $i with visudo"
        fi
    done
    # members of the sudo group
    for i in $(getent group sudo | cut -f 4 -d : | tr -s ',' '\n')
    do
        echo "$i"
        if ! is_admin "$i"
        then
            echo "*** deluser $i sudo"
            deluser "$i" sudo
        fi
    done
    
  4. Delete all existing keys and authorizations (this removes your own access keys too; install a fresh key for yourself before step 5)

    updatedb
    # delete public + private key pairs belonging to ordinary users (UID >= 1000)
    for pub in $(locate .pub | grep '\.pub$')
    do
        u=$(stat -c %U "$pub")          # owner; `ll` is an interactive alias and is not available in a script
        if [ 999 -lt "$(id -u "$u")" ]
        then
            pri=${pub%????}             # strip the ".pub" suffix to get the private key path
            rm -f "$pub" "$pri"
            echo del "$u" "$pub" "$pri"
        else
            echo save "$u" "$pub"
        fi
    done
    # delete known_hosts
    for i in $(locate known_hosts | grep 'known_hosts$')
    do
        rm -f "$i"
        echo del "$i"
    done
    # delete authorized_keys
    for i in $(locate authorized_keys | grep 'authorized_keys$')
    do
        rm -f "$i"
        echo del "$i"
    done
    
    # check what is left
    updatedb
    locate .pub | grep '\.pub$'
    locate known_hosts
    locate authorized_keys
    

    You may encounter a file that cannot be deleted even as root. Check its extended attributes with lsattr: if it shows anything other than e (typically i, immutable, or a, append-only, which the intruder sets to protect the file), remove those attributes with chattr (for example chattr -i -a <file>) and then delete the file again.

  5. Allow remote connections only with keys; password login must be disabled (PasswordAuthentication no in sshd_config). Install and test a new key for yourself before turning passwords off, especially after deleting all authorized_keys in step 4, or you will lock yourself out.

  6. Prohibit remote login as root (PermitRootLogin no in sshd_config).

  7. Use endpoint antivirus software, intranet security monitoring products, vulnerability scanners and other professional tools.
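Steps 5 and 6 together, as an added example that is not part of the original post: a POSIX shell script that rewrites an sshd_config so that only key-based logins are accepted and root cannot log in remotely, shows which value sshd will actually apply for a keyword, and only replaces the live file after `sshd -t` has accepted the candidate. The file paths, the sshd binary location and the service name are assumptions for Debian/Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original post): make sshd accept keys only and
# refuse root logins, validating with `sshd -t` before touching the live file.
# File paths, the sshd binary location and the service name are assumptions
# for Debian/Ubuntu.

# Read an sshd_config on stdin and write the hardened version on stdout.
# The directives are emitted first because sshd keeps the FIRST value it
# reads for each keyword, and only lines before the first Match block are
# global; every older copy (live or commented out, global or inside a
# Match block) is dropped so that nothing re-enables passwords later.
# ChallengeResponseAuthentication is the pre-8.7 spelling of
# KbdInteractiveAuthentication; both are set for old and new sshd.
harden_sshd_config() {
    cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
    grep -viE '^[[:space:]]*#?[[:space:]]*(PubkeyAuthentication|PasswordAuthentication|KbdInteractiveAuthentication|ChallengeResponseAuthentication|PermitRootLogin)[[:space:]]' || true
}

# The value sshd will actually use for a keyword in a config text: the first
# occurrence in the global section, which ends at the first Match line.
# Prints nothing if the keyword is only commented out or only inside Match.
effective_setting() {
    kw=$1
    printf '%s\n' "$2" | awk -v kw="$kw" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(kw) { print $2; exit }'
}

# Rewrite the live config only if sshd accepts the candidate. Keep the
# current session open and confirm a key login from a second session
# before reloading; all authorized_keys were just deleted in step 4.
apply_sshd_hardening() {
    cfg=${1:-/etc/ssh/sshd_config}
    sshd_bin=${SSHD:-/usr/sbin/sshd}
    tmp=$(mktemp) || return 1
    harden_sshd_config < "$cfg" > "$tmp"
    if "$sshd_bin" -t -f "$tmp"; then
        cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" && cp "$tmp" "$cfg"
        rm -f "$tmp"
        echo "updated $cfg (backup kept beside it); verify a key login, then: systemctl reload ssh"
    else
        echo "sshd -t rejected the candidate; $cfg left untouched" >&2
        rm -f "$tmp"
        return 1
    fi
}
```

Run apply_sshd_hardening as root once your own new key is in place. Prepending rather than appending matters: a directive added at the bottom of a file that ends in a Match block would silently apply only to that Match, and a stale "PasswordAuthentication yes" earlier in the global section would win over anything appended after it.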

PS: Garbage miners!!!

Origin blog.csdn.net/OTZ_2333/article/details/114012179