Fighting Back Against the Hacker (2)

Preface

Recently my Alibaba Cloud server was hacked and turned into a bot. When I found it last time I cleaned it up once (http://www.toutiao.com/i63432...), but even then I suspected the cleanup was not complete. Sure enough, over the following days I received alert SMS messages from Alibaba Cloud every day. Since the services running on the machine were working normally, I left it alone; today I found some time to clean it up again.

Handling

1. Handle the cloud console alerts

The cloud console alert said a backdoor program was present. Following the hint, I searched the indicated directories, found the backdoor programs and deleted them:

```
root@iZ25lwdric8Z:/usr/bin# ls pyth*
pythno  python  python2  python2.7  python3  python3.4  python3.4m  python3m
root@iZ25lwdric8Z:/usr/bin/bsd-port# ls
knerl  knerl.conf
```

2. Delete the infected files

The Alibaba Cloud console warning also flagged a downloaded virus file; following the hint I located the corresponding file.

[image]

Later I found a pile of abnormal files in the /boot directory and deleted them all.

I found and deleted the downloaded virus file iss. When deleting it, rm reported that the operation was not permitted; after clearing the immutable attribute with chattr it could be deleted normally:

```
root@iZ25lwdric8Z:/boot# rm -f iss
rm: 无法删除'iss': 不允许操作
root@iZ25lwdric8Z:/boot# lsattr iss
----i--------e-- iss
root@iZ25lwdric8Z:/boot# chattr -i iss
root@iZ25lwdric8Z:/boot# lsattr iss
-------------e-- iss
root@iZ25lwdric8Z:/boot# rm -f iss
```

3. Dealing with the bot behaviour

A few days ago the Alibaba Cloud console reported bot behaviour, so I kept looking for suspicious files on the system. Eventually I found a DDosClient command appended as the last line of the rc.local startup script. Clearly this is what made the machine a zombie (肉鸡) used to launch DDoS attacks. I deleted it.

```sh
PATH=/sbin:/usr/sbin:/bin:/usr/bin

. /lib/init/vars.sh
. /lib/lsb/init-functions

do_start() {
    if [ -x /etc/rc.local ]; then
        [ "$VERBOSE" != no ] && log_begin_msg "Running local boot scripts (/etc/rc.local)"
        /etc/rc.local
        ES=$?
        [ "$VERBOSE" != no ] && log_end_msg $ES
        return $ES
    fi
}

case "$1" in
    start)
        do_start
        ;;
    restart|reload|force-reload)
        echo "Error: argument '$1' not supported" >&2
        exit 3
        ;;
    stop)
        ;;
    *)
        echo "Usage: $0 start|stop" >&2
        exit 3
        ;;
esac
DDosClient &
```

Then I located the DDosClient file on the filesystem and deleted it:

```
root@iZ25lwdric8Z:/# find -name DDosClient
./opt/dt/DDosClient
```

4. Use antivirus software

I downloaded antivirus software (ClamAV; see its installation instructions) and used it to clean the system once more. A full scan found 17 infected files.

```
----------- SCAN SUMMARY -----------
Known viruses: 5018129
Engine version: 0.99.2
Scanned directories: 50605
Scanned files: 215736
Infected files: 17
Total errors: 14166
Data scanned: 13729.61 MB
Data read: 16311.49 MB (ratio 0.84:1)
Time: 1933.999 sec (32 m 13 s)
```

These are the infected files that were removed:

```
/var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/ps: Unix.Trojan.Agent-37008 FOUND
/var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/ps: Removed.
/var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/netstat: Unix.Trojan.Agent-37008 FOUND
/var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/netstat: Removed.
/var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/bsd-port/getty: Unix.Trojan.Agent-37008 FOUND
/var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/bsd-port/getty: Removed.
/var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/.sshd: Unix.Trojan.Agent-37008 FOUND
/var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/.sshd: Removed.
/var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/lsof: Unix.Trojan.Agent-37008 FOUND
/var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/lsof: Removed.
/var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/etc/aipok: Unix.Trojan.Agent-37008 FOUND
/var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/etc/aipok: Removed.
/var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/ps: Unix.Trojan.Agent-37008 FOUND
/var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/ps: Removed.
/var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/netstat: Unix.Trojan.Agent-37008 FOUND
/var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/netstat: Removed.
/var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/A2: Unix.Trojan.Agent-37008 FOUND
/var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/A2: Removed.
/var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/fu: Unix.Trojan.Agent-37008 FOUND
/var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/fu: Removed.
/var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/ltma: Unix.Trojan.Agent-37008 FOUND
/var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/ltma: Removed.
/var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/bsd-port/getty: Unix.Trojan.Agent-37008 FOUND
/var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/bsd-port/getty: Removed.
/var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/.sshd: Unix.Trojan.Agent-37008 FOUND
/var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/.sshd: Removed.
/var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/lsof: Unix.Trojan.Agent-37008 FOUND
/var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/lsof: Removed.
```

After this cleanup I still cannot guarantee that the machine is completely clean. Last time I cleaned up and installed a firewall; this time I checked it and found nothing abnormal. I will keep watching.
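The two manual finds in sections 2 and 3 (stray executables dropped in /boot, and a bot command appended after the end of the rc.local init script) can be turned into repeatable checks. This is an added example, not code from the original post; it assumes POSIX sh with find, awk, sort, chmod and mktemp, and the fixture it builds is constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the original post. Two checks that automate
# what the cleanup above did by hand: spotting stray executables in /boot
# and spotting commands appended after the "esac" of an init-style rc.local.
# Assumes POSIX sh, find, awk, sort, chmod and mktemp; all paths in the
# fixture are constructed sample data.

# Print executable regular files directly under a /boot-like directory whose
# names do not look like kernel artifacts (vmlinuz-*, initrd.img-*,
# System.map-*, config-*, abi-*, memtest86*). A dropper like the "iss" file
# above, or the random ten-letter binaries, would show up here.
suspicious_boot_files() {
    find "$1" -maxdepth 1 -type f -perm -100 \
        ! -name 'vmlinuz-*' ! -name 'initrd.img-*' ! -name 'System.map-*' \
        ! -name 'config-*' ! -name 'abi-*' ! -name 'memtest86*' | sort
}

# Print non-blank, non-comment lines that follow the last "esac" in a script.
# A stock /etc/init.d/rc.local ends at "esac", so anything printed here is
# exactly the kind of appended line ("DDosClient &") found above. For a file
# without any "esac" every command line is printed, which is what you want
# when reviewing a plain /etc/rc.local.
commands_after_esac() {
    awk '/^[ \t]*esac[ \t]*$/ { n = NR }
         { line[NR] = $0 }
         END { for (i = n + 1; i <= NR; i++)
                   if (line[i] ~ /[^ \t]/ && line[i] !~ /^[ \t]*#/) print line[i] }' "$1"
}

# Build a constructed sample tree mirroring the findings above: a legitimate
# kernel file, the mode-777 "iss" dropper, one random-named binary, and an
# rc.local with the bot client appended after "esac".
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/boot"
    : > "$root/boot/vmlinuz-3.13.0-32-generic"
    chmod 755 "$root/boot/vmlinuz-3.13.0-32-generic"
    : > "$root/boot/abi-3.13.0-32-generic"
    : > "$root/boot/iss";        chmod 777 "$root/boot/iss"
    : > "$root/boot/aozxzdbfis"; chmod 755 "$root/boot/aozxzdbfis"
    printf '%s\n' 'case "$1" in' '    start)' '        do_start' '        ;;' \
        'esac' 'DDosClient &' > "$root/rc.local"
    printf '%s\n' "$root"
}

# On the live host: suspicious_boot_files /boot; commands_after_esac /etc/init.d/rc.local
```

On the fixture, the first check lists only aozxzdbfis and iss, and the second prints only "DDosClient &".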
