wnTKYg Process discovery

implement top

This process will be found .

wnTKYg It should be using redis Vulnerability intrusion , Added timed tasks , Send a request to a fixed address at a time , Caused by execution of mining procedure cpu And bandwidth increases , kill The process will restart automatically .

* inspect authorized_keys,known_hosts file [root@zfr ~]# cd /root/.ssh [root@zfr ~]#
cat authorized_keys  [root@zfr ~]# cat known_hosts

See if I'm logged into my account , I didn't find anything I didn't know in these two documents IP, So I let go of these two documents .

* Find mining process
secondly , I want to find the path of the virus . Executed an order :
find / -name wnTKYg*
Or in top lower , Press C You can display the path .

Find this wnTKYg What's the procedure /tmp lower .

Dealing with mining viruses

direct kill Stop the process , I didn't find it 2 minute , And found out he's rebooted . So I guess if there are any daemons .

Keep watching top And /tmp Path of the file . I found out there was a problem ddg.2003,ddg.2004
Two strange programs . So it is judged that these two files may be daemons . After clearing, it is found that it will restart every few minutes . I guess there might be a scheduled task .

* Check timing task
Check the address of the first timing task :
vi /etc/crontab

I found that there was only my own time task in it .

I searched the full text crontab
find / -name crontabs   find / -name crontab
So I found another path /var/spool/cron Very suspicious !

* see file
I looked at it first root file

/var/spool/cron/crontabs Folder root file

They all did a scheduled task , To a fixed IP Download one i.sh Script for .

I browsed this IP:

Found a virus and several scripts in it .

I downloaded this i.sh This script .

That is to add the scheduled task to the corresponding directory file . Time from IP Download script , Add execute permission to the daemons file .

I searched find / -name i.sh But the script was not found . I'll take these two root All the timing tasks in the file have been commented out .

Because I don't know if this program passed the scan /var/spool/cron/crontabs This path , To create a scheduled task , So I didn't delete it , It's just banned .


I'll try again kill The process and daemons of the virus , And put /tmp Delete the corresponding program under the path .

Observed top a span , The virus has not recurred for the time being .