碼農的黑客反擊戰（二）

前言

最近阿里雲的服務器被黑客黑了作成了肉雞，上傳一次發現專門清理過一次（http://www.toutiao.com/i63432...），當時就感受可能沒有清除乾淨，果真，後面幾天天天都會收到阿里雲的報警短信，具體症狀主要是ssh客戶端鏈接不上，登陸阿里雲控制檯重啓以後就能夠連，但幾個小時後上面跑的服務卻是正常的。因此一直也沒有顧上管，今天抽空又去清理了一次。

處理

1.處理雲後臺報警信息：
根據雲後臺報警信息，提示有後門程序存在,根據提示查找相應目錄，找到後門程序並刪除：

root@iZ25lwdric8Z:/usr/bin# pyth pythno python python2 python2.7 python3 python3.4 python3.4m python3m
root@iZ25lwdric8Z:/usr/bin/bsd-port# ls knerl knerl.conf

2.刪除感染文件
在阿里雲的後臺警告裏還發現有下載病毒文件的提示，根據提示查找相應文件。 [圖片] 後來在boot目錄下發現一堆異常文件，所有刪除。

/boot abi-3.13.0-32-generic -rwxr-xr-x 1 root root 274808 Oct 7 15:53 aozxzdbfis* -rwxr-xr-x 1 root root 274808 Oct 15 19:37 bbavuhdmri* -rwxr-xr-x 1 root root 0 Oct 15 20:00 bgnqzgbufn* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 bumcwykrjj* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 cnpplnjcdd* -rw-r--r-- 1 root root 75 Oct 31 12:32 conf.n -rwxr-xr-x 1 root root 274808 Oct 7 15:53 dwneynlzyw* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 efrmetpcgd* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 egxrqjimuy* -rwxr-xr-x 1 root root 4096 Oct 15 18:24 extmulioke* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 eyhzuvhhij* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 fgbioungdb* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 fhuggtmbig* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 fjxgrbljjd* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 fkmnpxquvu* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 godghrbbwy* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 gsugoboncy* -rwxr-xr-x 1 root root 0 Oct 15 20:41 gwexawpbty* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 hlkzmtramm* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 hygzlbpcfz* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 iamglpkedb* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 iavtgffmgw* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 ighesktgdm* -rwxrwxrwx 1 root root 1135000 Oct 22 10:11 iss* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jalbglrytg* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 jeygefcens* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jtswtstxcr* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jutumokmfy* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jyajufvmib* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 keuvizznlm* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 khlcattweq* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 kiwwpjblkl* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 kmrwbpxybh* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 llybvcogsm* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 lsubdmnzih* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 mafvoardpz* -rwxr-xr-x 1 root root 274808 Oct 15 17:45 nimtgldgak* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nmcqjdvbnh* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nnejyawlfq* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nptabkovas* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nuwwochtfg* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 nxzytjppby* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 oszqgzlqxf* -rwxr-xr-x 1 root root 0 Oct 15 20:49 oyowzphnsm* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 oznxksrmyy* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 pfwzluoxiu* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 pjpjgogzgo* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 puqatevzxr* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 qiayvbpmyn* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 raqifowtpw* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 rczvtbutzz* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 rftjduumvo* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 rgfyuwrcqd* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 sqvaooipmd* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 svszkutrqk* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 szfecatvio* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 thiibkmxvd* -rwxr-xr-x 1 root root 274808 Oct 15 17:08 tyudkxnzrs* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 umalggzxer* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 umuoguvill* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 uwmxnnrjvf* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 vaidcxajat* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 vsoiostmjo* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 wflcktfpdt* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 wgswdcxppz* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 wljgdutvlw* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 ydeferhoaj* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 ysjmydgyhg* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 zvyfyvqbse*

找到並刪除下載的病毒文件iss，刪除時提示沒有操做權限，修改文件權限後正常刪除。

root@iZ25lwdric8Z:/boot# rm -f iss rm: cannot remove ‘iss’: Operation not permitted
root@iZ25lwdric8Z:/boot# lsattr iss ----i--------e-- iss
root@iZ25lwdric8Z:/boot# chattr -i iss root@iZ25lwdric8Z:/boot# lsattr iss -------------e-- iss root@iZ25lwdric8Z:/boot# rm -f iss

3.處理肉雞行爲
碼農的黑客反擊戰（二）

前幾天阿里雲後臺還報警過肉雞行爲，繼續找系統裏可疑的文件，後來在啓動文件rc.local中發現最後一行DDosClient命令，很明顯，這應該是被人當作肉雞，用來發起DDos攻擊。刪除。

PATH=/sbin:/usr/sbin:/bin:/usr/bin
. /lib/init/vars.sh . /lib/lsb/init-functions
do_start() { if [ -x /etc/rc.local ]; then [ "$VERBOSE" != no ] && log_begin_msg "Running local boot scripts (/etc/rc.local)" /etc/rc.local ES=$? [ "$VERBOSE" != no ] && log_end_msg $ES return $ES fi }
case "$1" in start) do_start ;; restart|reload|force-reload) echo "Error: argument '$1' not supported" >&2 exit 3 ;; stop) ;; *) echo "Usage: $0 start|stop" >&2 exit 3 ;; esacDDosClient &

而後在文件系統中查找DDosClient文件，並刪除

root@iZ25lwdric8Z:/# find -name DDosClient ./opt/dt/DDosClient

4.使用殺毒軟件
下載殺毒軟件，使用殺毒軟件再清理一次。ClamAV安裝說明。全盤掃描後，果真發現17個被感染文件。

----------- SCAN SUMMARY ----------- Known viruses: 5018129 Engine version: 0.99.2 Scanned directories: 50605 Scanned files: 215736 Infected files: 17 Total errors: 14166 Data scanned: 13729.61 MB Data read: 16311.49 MB (ratio 0.84:1) Time: 1933.999 sec (32 m 13 s)
這些是被刪除的感染文件。
/var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/ps: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/ps: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/netstat: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/netstat: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/bsd-port/getty: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/bsd-port/getty: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/.sshd: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/.sshd: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/lsof: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/lsof: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/etc/aipok: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/etc/aipok: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/ps: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/ps: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/netstat: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/netstat: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/A2: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/A2: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/fu: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/fu: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/ltma: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/ltma: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/bsd-port/getty: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/bsd-port/getty: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/.sshd: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/.sshd: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/lsof: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/lsof: Removed.

後記

通過此次清理，也不敢保證已經徹底清理乾淨了。上次清理完安裝了防火牆，此次查看也沒有發現異常。後繼繼續觀察。