A CentOS machine infected by cryptomining malware

Published 2023-08-16 14:19:14, author: XXLLA

A virtual machine in our company's test environment was infected by cryptomining malware and its CPU stayed pegged at 100%. This is a record of the temporary handling steps.

Installing busybox
Because the system's shared libraries and dependencies may already have been tampered with by the malware, a careful investigation should start by installing busybox; otherwise, running ps or top directly may not show the malicious process at all. In my case I simply started a busybox Docker container, copied the busybox binary out of it, and placed it under /usr/bin on the infected machine. The exact steps are not repeated here.

Symptoms
P.S.: this is the third time this machine has been infected. The first time it was khugepageds, the second time temporary files kept being generated and executed under /tmp, and this time a process named * ** was eating the CPU. After killing it by hand it comes back on its own within a few seconds.

[root@test-03 proc]# busybox top
Mem: 6404212K used, 1607008K free, 403076K shrd, 32K buff, 801420K cached
CPU:  100.0% usr  0.0% sys  0.0% nic  100% idle  0.0% io  0.0% irq  0.0% sirq
Load average: 0.07 0.33 0.22 2/437 30215
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
31431     1 root     S    76236  0.9   0  99.0 * **
14179     1 root     S    6211m 79.1   0  0.0 /opt/atlassian/confluence/jre//bin/java -Djava.util.logging.config.file=/opt/atlassian/confluence/conf/logging.properties -Djava.util.logging.man
 9817  9621 mysql    S    2419m 30.8   2  0.0 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=/var/log/mysqld.log --pid-file=/var/run
 9549     1 root     S     664m  8.4   1  0.0 /usr/sbin/rsyslogd -n
 9581     1 polkitd  S     517m  6.5   1  0.0 /usr/lib/polkit-1/polkitd --no-debug
 9548     1 root     S     513m  6.5   1  0.0 /usr/sbin/NetworkManager --no-daemon
 9557     1 root     S     495m  6.3   1  0.0 /usr/sbin/libvirtd
14076     1 root     S     403m  5.1   0  0.0 /usr/libexec/packagekitd
 9547     1 root     S     328m  4.1   0  0.0 /usr/sbin/ModemManager
14084  9848 root     S     142m  1.8   2  0.0 sshd: root@pts/0
29658  9848 root     S     142m  1.8   2  0.0 sshd: root@pts/1
    1     0 root     S     122m  1.5   2  0.0 /usr/lib/systemd/systemd --switched-root --system --deserialize 22
14093 14084 root     S     113m  1.4   2  0.0 -bash
29668 29658 root     S     113m  1.4   0  0.0 -bash
 9621     1 mysql    S     110m  1.4   2  0.0 {mysqld_safe} /bin/sh /usr/bin/mysqld_safe
 9540     1 root     S     107m  1.3   2  0.0 /sbin/agetty --noclear tty1 linux
 9848     1 root     S    82556  1.0   1  0.0 /usr/sbin/sshd -D
 9580     1 root     S    53060  0.6   2  0.0 /usr/sbin/wpa_supplicant -u -f /var/log/wpa_supplicant.log -c /etc/wpa_supplicant/wpa_supplicant.conf -u -f /var/log/wpa_supplicant.log -P /var/r
 9538     1 root     S    43696  0.5   0  0.0 /usr/lib/systemd/systemd-udevd
 9546     1 root     S    40384  0.5   2  0.0 /usr/sbin/lvmetad -f
 9539     1 root     S    36816  0.4   1  0.0 /usr/lib/systemd/systemd-journald
 9544     1 dbus     S    28972  0.3   0  0.0 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
 9543     1 root     S    26396  0.3   3  0.0 /usr/lib/systemd/systemd-logind
30215 14093 root     R     1292  0.0   3  0.0 busybox top
30158     1 root     S      400  0.0   0  0.0 {wdgvhi} [kworker/v6:6]
30166     1 root     S      288  0.0   1  0.0 {mthk} (sd-pam)
10350     1 root     S      284  0.0   1  0.0 {jycbhj} [kworker/9:1]

Looking at the process with lsof:

[root@test-03 ~]# lsof -p 31431
COMMAND   PID USER   FD      TYPE             DEVICE SIZE/OFF    NODE NAME
*       31431 root  cwd       DIR              253,0     4096     128 /
*       31431 root  rtd       DIR              253,0     4096     128 /
*       31431 root  txt       REG               0,33   542696 6835225 /tmp/uhtx (deleted)
*       31431 root    0r      CHR                1,3      0t0    4701 /dev/null
*       31431 root    1u     unix 0xffff8800350af0c0      0t0 6828783 socket
*       31431 root    2u     unix 0xffff8800350af0c0      0t0 6828783 socket
*       31431 root    3u     sock                0,6      0t0 6829176 protocol: NETLINK
*       31431 root    4r     FIFO               0,33      0t0 6828806 /tmp/c (deleted)
*       31431 root    5r     FIFO               0,33      0t0 6827876 /tmp/c (deleted)
*       31431 root    6r     FIFO               0,33      0t0 6831749 /tmp/c (deleted)
*       31431 root    7r     FIFO               0,33      0t0 6830646 /tmp/c (deleted)
*       31431 root    8r     FIFO               0,33      0t0 6832213 /tmp/c (deleted)
*       31431 root    9u  a_inode                0,9        0    4697 [eventpoll]
*       31431 root   10r     FIFO                0,8      0t0 6835229 pipe
*       31431 root   11w     FIFO                0,8      0t0 6835229 pipe
*       31431 root   12r     FIFO                0,8      0t0 6834371 pipe
*       31431 root   13w     FIFO                0,8      0t0 6834371 pipe
*       31431 root   14u  a_inode                0,9        0    4697 [eventfd]
*       31431 root   15r      CHR                1,3      0t0    4701 /dev/null
*       31431 root   16u     IPv4            6835231      0t0     TCP test-03:40516->45.77.54.157.vultr.com:http (ESTABLISHED)

You can see that our own VM has established a TCP connection to 45.77.54.157; netstat shows the same. We confirmed that 45.77.54.157 is not one of our own machines.
Opening that address from my own computer shows the page below, which appears to be a mining proxy.
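As an added triage example (not part of the original post), the following Python script looks for the same two indicators seen above without trusting ps or lsof: processes whose /proc/<pid>/exe target has been unlinked (like /tmp/uhtx above) and TCP sockets to the proxy address, read straight from /proc/net/tcp; it also diffs a ps listing (for example from busybox ps) against /proc to find hidden PIDs. The 45.77.54.157 address comes from the lsof output; the sample /proc/net/tcp row, the local address 192.168.1.10 and all function names are constructed assumptions.

```python
import os
import socket
import struct
# Constructed sample in /proc/net/tcp format (not from the infected host): 192.168.1.10:40516 -> 45.77.54.157:80, state 01 = ESTABLISHED, inode 6835231.
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A01A8C0:9E44 9D364D2D:0050 01 00000000:00000000 00:00000000 00000000     0        0 6835231 1 0000000000000000 20 4 30 10 -1
"""
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}

def _hex_addr(field):
    """'9D364D2D:0050' -> ('45.77.54.157', 80); the IP is a host-order word (little-endian on x86)."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """(local_ip, local_port, remote_ip, remote_port, state, inode) for each data row."""
    rows = []
    for line in text.splitlines()[1:]:  # line 0 is the column header
        f = line.split()
        if len(f) >= 10:
            rows.append((*_hex_addr(f[1]), *_hex_addr(f[2]), TCP_STATES.get(f[3], f[3]), int(f[9])))
    return rows

def connections_to(rows, remote_ip):
    """Rows whose peer is the suspicious address (lsof above showed a socket to 45.77.54.157)."""
    return [r for r in rows if r[2] == remote_ip]

def hidden_pids(proc_pids, ps_output):
    """PIDs present in /proc but missing from a ps listing whose first column is the PID."""
    listed = {f[0] for f in (l.split() for l in ps_output.splitlines()) if f and f[0].isdigit()}
    return sorted(int(p) for p in proc_pids if p.isdigit() and p not in listed)

def deleted_executables(proc="/proc"):
    """PIDs whose /proc/<pid>/exe target was unlinked, like '/tmp/uhtx (deleted)' above."""
    found = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            target = os.readlink(f"{proc}/{pid}/exe")
        except OSError:
            continue  # kernel threads have no exe; other users' processes need root
        if target.endswith(" (deleted)"):
            found[int(pid)] = target
    return found

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        print("to miner proxy:", connections_to(parse_proc_net_tcp(fh.read()), "45.77.54.157"))
    print("running from a deleted file:", deleted_executables())
```

Run it as root so every /proc/<pid>/exe link is readable; a miner that has re-executed itself will show up again in deleted_executables() even after the original file in /tmp is gone.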

Installing iptables
The original iptables had already been wiped out by the malware...
I downloaded the iptables-1.4.21-16.el7.x86_64.rpm package, uploaded it to the VM, and installed it with:
rpm --force -ivh iptables-1.4.21-16.el7.x86_64.rpm

Adding iptables rules to block the address

iptables -I INPUT -s 45.77.54.157 -j DROP
iptables -I OUTPUT -d 45.77.54.157 -j DROP   # outbound packets are matched on their destination (-d), not their source

Result
The malicious process still restarts itself, but CPU usage has come down.

[root@test-03 ~]# busybox top
Mem: 6602140K used, 1409080K free, 403076K shrd, 32K buff, 869212K cached
CPU:  2.3% usr  0.0% sys  0.0% nic 97.6% idle  0.0% io  0.0% irq  0.0% sirq
Load average: 0.01 0.02 0.05 2/438 31847
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
14179     1 root     S    6217m 79.2   0  0.0 /opt/atlassian/confluence/jre//bin/java -Djava.util.logging.config.file=/opt/atlassian/confluence/conf/logging.properties -Djava.util.logging.man
 9817  9621 mysql    S    2419m 30.8   0  0.0 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=/var/log/mysqld.log --pid-file=/var/run
 9549     1 root     S     664m  8.4   1  0.0 /usr/sbin/rsyslogd -n
 9581     1 polkitd  S     517m  6.5   1  0.0 /usr/lib/polkit-1/polkitd --no-debug
 9548     1 root     S     513m  6.5   3  0.0 /usr/sbin/NetworkManager --no-daemon
 9557     1 root     S     495m  6.3   1  0.0 /usr/sbin/libvirtd
14076     1 root     S     403m  5.1   0  0.0 /usr/libexec/packagekitd
 9547     1 root     S     328m  4.1   0  0.0 /usr/sbin/ModemManager
14084  9848 root     S     142m  1.8   2  0.0 sshd: root@pts/0
29658  9848 root     S     142m  1.8   2  0.0 sshd: root@pts/1
    1     0 root     S     122m  1.5   2  0.0 /usr/lib/systemd/systemd --switched-root --system --deserialize 22
14093 14084 root     S     113m  1.4   3  0.0 -bash
29668 29658 root     S     113m  1.4   3  0.0 -bash
 9621     1 mysql    S     110m  1.4   2  0.0 {mysqld_safe} /bin/sh /usr/bin/mysqld_safe
 9540     1 root     S     107m  1.3   2  0.0 /sbin/agetty --noclear tty1 linux
 9848     1 root     S    82556  1.0   2  0.0 /usr/sbin/sshd -D
31188     1 root     S    76248  0.9   0  0.0 * **
 9580     1 root     S    53060  0.6   2  0.0 /usr/sbin/wpa_supplicant -u -f /var/log/wpa_supplicant.log -c /etc/wpa_supplicant/wpa_supplicant.conf -u -f /var/log/wpa_supplicant.log -P /var/r
 9538     1 root     S    43696  0.5   0  0.0 /usr/lib/systemd/systemd-udevd
 9546     1 root     S    40384  0.5   2  0.0 /usr/sbin/lvmetad -f
 9539     1 root     S    36816  0.4   0  0.0 /usr/lib/systemd/systemd-journald
 9544     1 dbus     S    28972  0.3   1  0.0 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
 543     1 root     S    26396  0.3   1  0.0 /usr/lib/systemd/systemd-logind
31847 29668 root     R     1292  0.0   1  0.0 busybox top
31151     1 root     S      400  0.0   1  0.0 {dmpjil} [kworker/v6:6]
31736     1 root     S      288  0.0   1  0.0 {chrk} (sd-pam)
31144     1 root     S      284  0.0   3  0.0 {hwxkyb} [kworker/9:1]

Checking the malicious process with lsof -p again, it can no longer connect to the mining proxy at 45.77.54.157 (the socket is stuck in SYN_SENT):

[root@test-03 ~]# lsof -p 31188
COMMAND   PID USER   FD      TYPE             DEVICE SIZE/OFF    NODE NAME
*       31188 root  cwd       DIR              253,0     4096     128 /
*       31188 root  rtd       DIR              253,0     4096     128 /
*       31188 root  txt       REG               0,33   542696 6835225 /tmp/uhtx (deleted)
*       31188 root    0r      CHR                1,3      0t0    4701 /dev/null
*       31188 root    1u     unix 0xffff8800350af0c0      0t0 6828783 socket
*       31188 root    2u     unix 0xffff8800350af0c0      0t0 6828783 socket
*       31188 root    3u     sock                0,6      0t0 6829176 protocol: NETLINK
*       31188 root    4r     FIFO               0,33      0t0 6828806 /tmp/c (deleted)
*       31188 root    5r     FIFO               0,33      0t0 6827876 /tmp/c (deleted)
*       31188 root    6r     FIFO               0,33      0t0 6831749 /tmp/c (deleted)
*       31188 root    7r     FIFO               0,33      0t0 6830646 /tmp/c (deleted)
*       31188 root    8r     FIFO               0,33      0t0 6832213 /tmp/c (deleted)
*       31188 root    9u  a_inode                0,9        0    4697 [eventpoll]
*       31188 root   10r     FIFO                0,8      0t0 6835229 pipe
*       31188 root   11w     FIFO                0,8      0t0 6835229 pipe
*       31188 root   12r     FIFO                0,8      0t0 6834371 pipe
*       31188 root   13w     FIFO                0,8      0t0 6834371 pipe
*       31188 root   14u  a_inode                0,9        0    4697 [eventfd]
*       31188 root   15r      CHR                1,3      0t0    4701 /dev/null
*       31188 root   16u     IPv4            6835231      0t0     TCP test-03:40516->45.77.54.157.vultr.com:http (SYN_SENT)

Reference: https://blog.csdn.net/fengwuxichen/article/details/89574599