Solution to server mining virus

A record of cleaning up a mining virus (process names: sysupdate, networkservice)

Last night I suddenly received an alarm from Alibaba Cloud: the server had been attacked again. I didn't take it seriously at first, but when I tested it that night I found the server had become abnormally sluggish. I went into the console to check and found the CPU had shot straight up to 100%......


1. Find out the virus process

We use the top command to view the running state of the processes:

(The problem was solved that night and I forgot to save the screenshots, so the pictures below are from the Internet.)


Find the process with high CPU usage. The process names may differ from one environment to another.

  • Analyze the virus's execution scripts
```shell
# update.sh:
# Intrusion via Redis: the attacker sets their key into Redis, changes the dump.rdb file name to authorized_keys,
# then sets the dump directory to /root/.ssh so that they can log in to the server over SSH.
config.json     (mining configuration)
sysupdate       (XMR mining software)
update.sh       (main virus script)
networkservice  (scanner: scans and intrudes into other hosts)
sysguard        (watchdog: monitors the virus, keeps it running and updates it)
```

2. Find the location of the running file according to the process number

```shell
ls -l /proc/<PID>/exe
```


On my server, its executable files were stored in the /etc directory.

3. Delete the virus process

```shell
kill -9 <PID>
```
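Steps 1 to 3 are one procedure: find the hog, resolve its binary through /proc, record where it lives, and only then kill it. The following shell helpers are an added example written for this post, not the author's own commands; they assume a Linux host with procps `ps` and a mounted /proc, and the PID is supplied by whoever runs them (no path here comes from the author's server).

```shell
#!/bin/sh
# Added example (not from the original post): shell helpers for steps 1-3.
# Assumes a Linux host with procps `ps` and a mounted /proc; the PID is
# supplied by the caller. No path below comes from the author's server.

# Print the N busiest processes as "PID %CPU COMMAND" (default 5),
# the same information the author read off `top`.
top_cpu_processes() {
    n="${1:-5}"
    ps -eo pid,pcpu,comm | tail -n +2 | sort -k2,2 -nr | head -n "$n"
}

# Resolve the binary behind a PID through /proc/<pid>/exe (note the leading
# slash). A trailing " (deleted)" in the output means the file was removed
# from disk after the process started, so capture this *before* killing it.
resolve_exe() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    readlink "/proc/$pid/exe"
}

# Working directory and full command line of a PID: these usually reveal
# the drop directory (on the author's host it was /etc) and any config
# file the miner was started with.
describe_pid() {
    pid="$1"
    echo "pid: $pid"
    echo "exe: $(resolve_exe "$pid")"
    echo "cwd: $(readlink "/proc/$pid/cwd")"
    printf 'cmd: '
    tr '\0' ' ' < "/proc/$pid/cmdline"
    echo
}

# Usage (run as root on the affected host):
#   top_cpu_processes 5          # pick the PID of the CPU hog
#   describe_pid <PID>           # record exe/cwd/cmdline for step 4
#   kill -9 <PID>                # step 3, only after the path is recorded
```

Record the output of `describe_pid` somewhere off the host before killing the process: once the PID is gone, /proc no longer tells you where the binary came from, and if the miner deleted its own file after starting, the " (deleted)" suffix is the only hint you will get.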

4. Delete virus files

In step 2 we found where the virus files are located, but if you run rm -rf on them directly it may report that the operation is not permitted, even though you have root.

4.1 How to deal with a file that cannot be deleted normally?

  • Problem background

Sometimes you need to change a file's permissions, but even with chmod under root the change may not succeed, and sometimes you run into "Operation not permitted".

Generally the root user has the greatest authority under Linux (the smaller a user's UID value, the greater the authority; the minimum value is 0, which is the root user).

Yet when using chmod to change file permissions, even as root, you can still hit "Operation not permitted".

This is because, underneath chmod, there is the chattr command, which is more powerful: it can even lock a file so that not even the root user can operate on it.

  • Solution

lsattr can be used to view file attributes:

```shell
lsattr filename
```

If the file attributes contain i and a, or either one of them, use the chattr command to remove them:

```shell
chattr -ia filename
```

To delete virus files:

```shell
chattr -i sysupdate
rm -f sysupdate
chattr -i sysupdates
rm -f sysupdates
chattr -i networkservice
rm -f networkservice
chattr -i sysguard
rm -f sysguard
chattr -i update.sh
rm -f update.sh
chattr -i config.json
rm -f config.json
```

5. Delete scheduled tasks (important!!)

This step must be done. The first time I cleaned up, I ran into permission problems on the scheduled task and forgot to delete it, so after a while the virus simply restarted.

```shell
crontab -l   # list scheduled tasks
crontab -r   # remove all scheduled tasks
```

You can also go directly into the /var/spool/cron directory to view the scheduled jobs.

Using rm -f or crontab -r directly at this step may print: cannot remove 'root': Permission denied

I was already the root user at this point, and checking the cron file's permissions with the ll command showed that it really could not be modified.

  • Try to modify permissions with chmod

First run chattr -ia filename to remove the file's attributes;

Then run chmod 777 filename: the permissions are changed after this, but deletion still reports an error.

  • Permission is also needed to modify files under /var/spool/
```shell
# clear the crontab
cd /var/spool/
chattr -i cron/
crontab -r
```

6. Modify the /root/.ssh/authorized_keys file

The attacker was clever: they modified my authorized_keys file so they could SSH straight into my host, leaving themselves a backdoor.

```shell
cd /root/.ssh/
chattr -ia authorized_keys
rm -rf authorized_keys
```
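Steps 4 and 6 both boil down to the same two moves: strip the i/a attributes, then delete. The helpers below are an added example written for this post, not the author's own commands; they assume Linux with e2fsprogs (`lsattr`/`chattr`), take file names from the caller, and the sample authorized_keys file is constructed with fake key blobs. The audit function is there because `rm -rf authorized_keys` also throws away your own key: listing the entries first lets you remove only the attacker's line.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for steps 4 and 6.
# Assumes Linux with e2fsprogs (lsattr/chattr) for the attribute handling;
# file names are passed in by the caller and the sample key file below is
# constructed with fake key material.

# Show the attribute string of a file (look for i = immutable and
# a = append-only), or say so if lsattr is not installed.
show_lock_flags() {
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not available"; return 0; }
    lsattr -d "$1" 2>/dev/null | awk '{print $1}'
}

# Strip i/a (the reason rm fails with "Operation not permitted" even as
# root), then delete. chattr needs root; on an unlocked file its failure
# is harmless, so it is tolerated.
remove_locked_file() {
    f="$1"
    [ -e "$f" ] || { echo "not found: $f" >&2; return 1; }
    echo "flags before: $(show_lock_flags "$f")"
    if command -v chattr >/dev/null 2>&1; then
        chattr -ia "$f" 2>/dev/null || true
    fi
    rm -f "$f"
    [ ! -e "$f" ]
}

# List the keys in an authorized_keys file (type and comment) and print
# the count last. Do this before touching the file: deleting only the
# attacker's line keeps your own key, whereas rm removes everything.
audit_authorized_keys() {
    awk '
      /^[[:space:]]*(#|$)/ { next }
      {
        for (i = 1; i <= NF; i++)
          if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
            n++
            printf "key %d: %s %s\n", n, $i, ($(i + 2) == "" ? "(no comment)" : $(i + 2))
            break
          }
      }
      END { print n + 0 }' "$1"
}

# Constructed sample: the owner's key plus one dropped by an attacker
# (both key blobs are fake placeholders, not real keys).
sample_authorized_keys() {
    cat > "$1" <<'EOF'
ssh-ed25519 AAAAC3FAKEOWNERKEY0000000000000000000000000000000000000 admin@laptop
ssh-rsa AAAAB3FAKEATTACKERKEY000000000000000000000000000000000000000 redis
EOF
}

# Usage on the affected host, as root:
#   audit_authorized_keys /root/.ssh/authorized_keys   # decide which line is yours
#   remove_locked_file /etc/sysupdate                   # step 4, one file at a time
```

A key written through the Redis trick usually arrives with a meaningless or empty comment and sits alongside RDB binary junk in the same file; the `(no comment)` marker and a key count higher than you expect are the things to look for.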

7. Repair SELinux and the wget and curl commands

What really left me speechless: it had renamed the server's wget and curl commands to wge and cur.

  • Restore wget and curl
```shell
mv /bin/wge /bin/wget
mv /bin/cur /bin/curl
mv /usr/bin/wge /usr/bin/wget
mv /usr/bin/cur /usr/bin/curl
```
  • Fix SELinux

The virus script first tries to disable the SELinux subsystem. You can use the getenforce command to view the SELinux status.

To turn it back on, edit the /etc/selinux/config file, change SELINUX=disabled to SELINUX=enforcing, and then restart the server.

8. The reason for being attacked

The virus problem has been solved, but what exactly caused it?

It turned out to be Redis!!!

After installing the Redis service yesterday, I forgot to set a login password, alas.

General analysis of the principle:

1. Redis had no security measures at all: it was exposed directly to the public network, and any Redis client could connect to it.

2. After connecting, the attacker generates an SSH key on their own machine, sets it into Redis, and then uses the Redis config command to change the dump.rdb file name (the default RDB output) to authorized_keys and the dump directory to /root/.ssh.

3. This is very dangerous: the attacker can then SSH straight into your Linux host and, with the root account, do whatever they want. Being turned into a miner is not uncommon.

  • Set a login password for Redis
```shell
vi /usr/local/redis/bin/redis.conf
```

Remove the comment in front of `requirepass yourpassword`, where yourpassword is the password you set.
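A password is the fix the post lands on, but the intrusion chain described above depends on three more settings: the bind address (the post's Redis was reachable from the public network), protected-mode, and the CONFIG command that rewrites dir and dbfilename. The audit script below is an added example written for this post, not the author's own file; the two sample configs are constructed (the "weak" one mirrors the state described in the post, the "hardened" one the minimum fix), and the path of a real redis.conf is passed by the caller (the author's was /usr/local/redis/bin/redis.conf).

```shell
#!/bin/sh
# Added example (not from the original post): audit a redis.conf for the
# settings that made this intrusion possible. The two sample configs are
# constructed here; the path to a real redis.conf is passed by the caller.

# Print one FAIL/WARN line per weak setting and "findings: N" last;
# the return status is N, so 0 means nothing was flagged.
check_redis_conf() {
    conf="$1"
    findings=0
    # Only active directives count: a commented-out "# requirepass" is
    # exactly the mistake described in the post.
    active=$(grep -Ev '^[[:space:]]*(#|$)' "$conf" || true)
    has() { printf '%s\n' "$active" | grep -Eq "$1"; }

    has '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]' \
        || { echo "FAIL: no requirepass (anyone who can reach the port can run commands)"; findings=$((findings+1)); }
    has '^[[:space:]]*bind[[:space:]]+127\.0\.0\.1' \
        || { echo "FAIL: not bound to 127.0.0.1 (reachable from the network)"; findings=$((findings+1)); }
    has '^[[:space:]]*protected-mode[[:space:]]+no' \
        && { echo "FAIL: protected-mode no"; findings=$((findings+1)); }
    has '^[[:space:]]*rename-command[[:space:]]+CONFIG[[:space:]]' \
        || { echo "WARN: CONFIG not renamed/disabled (it is what rewrites dir and dbfilename)"; findings=$((findings+1)); }

    echo "findings: $findings"
    return "$findings"
}

# Write a constructed "before" and "after" config into directory $1.
make_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
# constructed: a freshly installed Redis left exposed, as in the post
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed: the minimum fix for the attack described in the post
bind 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE_ME_to_a_long_random_password
rename-command CONFIG ""
EOF
}

# Usage: check_redis_conf /path/to/redis.conf   # exit status = number of findings
```

If the application really needs Redis on a non-loopback address, keep `requirepass` and the CONFIG rename, bind only the internal interface, and add a firewall rule so port 6379 is not reachable from the Internet; the password alone does not stop the dir/dbfilename rewrite once someone has authenticated.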


Origin blog.csdn.net/m0_60961651/article/details/132272875