前言
最近阿里云的服务器被黑客黑了做成了肉鸡,上传一次发现专门清理过一次(http://www.toutiao.com/i63432...),当时就感觉可能没有清除干净,果然,后面几天每天都会收到阿里云的报警短信,具体症状主要是ssh客户端连接不上,登录阿里云控制台重启之后就可以连,但几个小时后上面跑的服务倒是正常的。所以一直也没有顾上管,今天抽空又去清理了一次。
处理
1.处理云后台报警信息:
根据云后台报警信息,提示有后门程序存在,根据提示查找相应目录,找到后门程序并删除:
root@iZ25lwdric8Z:/usr/bin# pyth pythno python python2 python2.7 python3 python3.4 python3.4m python3m
root@iZ25lwdric8Z:/usr/bin/bsd-port# ls knerl knerl.conf
2.删除感染文件
在阿里云的后台警告里还发现有下载病毒文件的提示,根据提示查找相应文件。 [图片] 后来在boot目录下发现一堆异常文件,全部删除。
/boot abi-3.13.0-32-generic -rwxr-xr-x 1 root root 274808 Oct 7 15:53 aozxzdbfis* -rwxr-xr-x 1 root root 274808 Oct 15 19:37 bbavuhdmri* -rwxr-xr-x 1 root root 0 Oct 15 20:00 bgnqzgbufn* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 bumcwykrjj* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 cnpplnjcdd* -rw-r--r-- 1 root root 75 Oct 31 12:32 conf.n -rwxr-xr-x 1 root root 274808 Oct 7 15:53 dwneynlzyw* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 efrmetpcgd* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 egxrqjimuy* -rwxr-xr-x 1 root root 4096 Oct 15 18:24 extmulioke* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 eyhzuvhhij* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 fgbioungdb* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 fhuggtmbig* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 fjxgrbljjd* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 fkmnpxquvu* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 godghrbbwy* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 gsugoboncy* -rwxr-xr-x 1 root root 0 Oct 15 20:41 gwexawpbty* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 hlkzmtramm* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 hygzlbpcfz* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 iamglpkedb* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 iavtgffmgw* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 ighesktgdm* -rwxrwxrwx 1 root root 1135000 Oct 22 10:11 iss* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jalbglrytg* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 jeygefcens* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jtswtstxcr* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jutumokmfy* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jyajufvmib* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 keuvizznlm* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 khlcattweq* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 kiwwpjblkl* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 kmrwbpxybh* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 llybvcogsm* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 lsubdmnzih* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 mafvoardpz* -rwxr-xr-x 1 root root 274808 Oct 15 17:45 nimtgldgak* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nmcqjdvbnh* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nnejyawlfq* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nptabkovas* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nuwwochtfg* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 nxzytjppby* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 oszqgzlqxf* -rwxr-xr-x 1 root root 0 Oct 15 20:49 oyowzphnsm* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 oznxksrmyy* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 pfwzluoxiu* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 pjpjgogzgo* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 puqatevzxr* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 qiayvbpmyn* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 raqifowtpw* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 rczvtbutzz* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 rftjduumvo* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 rgfyuwrcqd* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 sqvaooipmd* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 svszkutrqk* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 szfecatvio* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 thiibkmxvd* -rwxr-xr-x 1 root root 274808 Oct 15 17:08 tyudkxnzrs* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 umalggzxer* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 umuoguvill* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 uwmxnnrjvf* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 vaidcxajat* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 vsoiostmjo* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 wflcktfpdt* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 wgswdcxppz* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 wljgdutvlw* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 ydeferhoaj* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 ysjmydgyhg* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 zvyfyvqbse*
找到并删除下载的病毒文件iss,删除时提示没有操作权限,修改文件权限后正常删除。
root@iZ25lwdric8Z:/boot# rm -f iss rm: cannot remove ‘iss’: Operation not permitted
root@iZ25lwdric8Z:/boot# lsattr iss ----i--------e-- iss
root@iZ25lwdric8Z:/boot# chattr -i iss root@iZ25lwdric8Z:/boot# lsattr iss -------------e-- iss root@iZ25lwdric8Z:/boot# rm -f iss
3.处理肉鸡行为
码农的黑客反击战(二)
前几天阿里云后台还报警过肉鸡行为,继续找系统里可疑的文件,后来在启动文件rc.local中发现最后一行DDosClient命令,很明显,这应该是被人当做肉鸡,用来发起DDos攻击。删除。
PATH=/sbin:/usr/sbin:/bin:/usr/bin
. /lib/init/vars.sh . /lib/lsb/init-functions
do_start() { if [ -x /etc/rc.local ]; then [ "$VERBOSE" != no ] && log_begin_msg "Running local boot scripts (/etc/rc.local)" /etc/rc.local ES=$? [ "$VERBOSE" != no ] && log_end_msg $ES return $ES fi }
case "$1" in start) do_start ;; restart|reload|force-reload) echo "Error: argument '$1' not supported" >&2 exit 3 ;; stop) ;; *) echo "Usage: $0 start|stop" >&2 exit 3 ;; esacDDosClient &
然后在文件系统中查找DDosClient文件,并删除
root@iZ25lwdric8Z:/# find -name DDosClient ./opt/dt/DDosClient
4.使用杀毒软件
下载杀毒软件,使用杀毒软件再清理一次。ClamAV安装说明。全盘扫描后,果然发现17个被感染文件。
----------- SCAN SUMMARY ----------- Known viruses: 5018129 Engine version: 0.99.2 Scanned directories: 50605 Scanned files: 215736 Infected files: 17 Total errors: 14166 Data scanned: 13729.61 MB Data read: 16311.49 MB (ratio 0.84:1) Time: 1933.999 sec (32 m 13 s)
这些是被删除的感染文件。
/var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/ps: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/ps: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/netstat: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/netstat: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/bsd-port/getty: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/bsd-port/getty: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/.sshd: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/.sshd: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/lsof: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/lsof: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/etc/aipok: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/etc/aipok: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/ps: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/ps: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/netstat: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/netstat: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/A2: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/A2: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/fu: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/fu: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/ltma: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/ltma: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/bsd-port/getty: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/bsd-port/getty: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/.sshd: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/.sshd: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/lsof: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/lsof: Removed.
后记
经过这次清理,也不敢保证已经完全清理干净了。上次清理完安装了防火墙,这次查看也没有发现异常。后继继续观察。
