前言

最近阿里云的服務器被黑客黑了做成了肉雞，上傳一次發現專門清理過一次（http://www.toutiao.com/i6343255123229147650/），當時就感覺可能沒有清除干凈，果然，后面幾天每天都會收到阿里云的報警短信，具體癥狀主要是ssh客戶端連接不上，登錄阿里云控制臺重啟之后就可以連，但幾個小時后上面跑的服務倒是正常的。所以一直也沒有顧上管，今天抽空又去清理了一次。

處理

1.處理云后臺報警信息：

根據云后臺報警信息，提示有后門程序存在

根據提示查找相應目錄，找到后門程序并刪除：

root@iZ25lwdric8Z:/usr/bin# pyth pythno python python2 python2.7 python3 python3.4 python3.4m python3m

root@iZ25lwdric8Z:/usr/bin/bsd-port# ls knerl knerl.conf

2.刪除感染文件

在阿里云的后臺警告里還發現有下載病毒文件的提示，根據提示查找相應文件。 [圖片] 后來在boot目錄下發現一堆異常文件，全部刪除。

/boot abi-3.13.0-32-generic -rwxr-xr-x 1 root root 274808 Oct 7 15:53 aozxzdbfis* -rwxr-xr-x 1 root root 274808 Oct 15 19:37 bbavuhdmri* -rwxr-xr-x 1 root root 0 Oct 15 20:00 bgnqzgbufn* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 bumcwykrjj* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 cnpplnjcdd* -rw-r--r-- 1 root root 75 Oct 31 12:32 conf.n -rwxr-xr-x 1 root root 274808 Oct 7 15:53 dwneynlzyw* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 efrmetpcgd* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 egxrqjimuy* -rwxr-xr-x 1 root root 4096 Oct 15 18:24 extmulioke* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 eyhzuvhhij* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 fgbioungdb* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 fhuggtmbig* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 fjxgrbljjd* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 fkmnpxquvu* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 godghrbbwy* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 gsugoboncy* -rwxr-xr-x 1 root root 0 Oct 15 20:41 gwexawpbty* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 hlkzmtramm* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 hygzlbpcfz* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 iamglpkedb* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 iavtgffmgw* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 ighesktgdm* -rwxrwxrwx 1 root root 1135000 Oct 22 10:11 iss* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jalbglrytg* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 jeygefcens* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jtswtstxcr* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jutumokmfy* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 jyajufvmib* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 keuvizznlm* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 khlcattweq* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 kiwwpjblkl* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 kmrwbpxybh* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 llybvcogsm* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 lsubdmnzih* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 mafvoardpz* -rwxr-xr-x 1 root root 274808 Oct 15 17:45 nimtgldgak* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nmcqjdvbnh* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nnejyawlfq* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nptabkovas* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 nuwwochtfg* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 nxzytjppby* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 oszqgzlqxf* -rwxr-xr-x 1 root root 0 Oct 15 20:49 oyowzphnsm* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 oznxksrmyy* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 pfwzluoxiu* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 pjpjgogzgo* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 puqatevzxr* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 qiayvbpmyn* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 raqifowtpw* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 rczvtbutzz* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 rftjduumvo* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 rgfyuwrcqd* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 sqvaooipmd* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 svszkutrqk* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 szfecatvio* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 thiibkmxvd* -rwxr-xr-x 1 root root 274808 Oct 15 17:08 tyudkxnzrs* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 umalggzxer* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 umuoguvill* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 uwmxnnrjvf* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 vaidcxajat* -rwxr-xr-x 1 root root 274808 Oct 7 15:45 vsoiostmjo* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 wflcktfpdt* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 wgswdcxppz* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 wljgdutvlw* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 ydeferhoaj* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 ysjmydgyhg* -rwxr-xr-x 1 root root 274808 Oct 7 15:53 zvyfyvqbse*

找到并刪除下載的病毒文件iss，刪除時提示沒有操作權限，修改文件權限后正常刪除。

root@iZ25lwdric8Z:/boot# rm -f iss rm: cannot remove ‘iss’: Operation not permitted

root@iZ25lwdric8Z:/boot# lsattr iss ----i--------e-- iss

root@iZ25lwdric8Z:/boot# chattr -i iss root@iZ25lwdric8Z:/boot# lsattr iss -------------e-- iss root@iZ25lwdric8Z:/boot# rm -f iss

3.處理肉雞行為

前幾天阿里云后臺還報警過肉雞行為，繼續找系統里可疑的文件，后來在啟動文件rc.local中發現最后一行DDosClient命令，很明顯，這應該是被人當做肉雞，用來發起DDos攻擊。刪除。

PATH=/sbin:/usr/sbin:/bin:/usr/bin

. /lib/init/vars.sh . /lib/lsb/init-functions

do_start() { if [ -x /etc/rc.local ]; then [ "$VERBOSE" != no ] && log_begin_msg "Running local boot scripts (/etc/rc.local)" /etc/rc.local ES=$? [ "$VERBOSE" != no ] && log_end_msg $ES return $ES fi }

case "$1" in start) do_start ;; restart|reload|force-reload) echo "Error: argument '$1' not supported" >&2 exit 3 ;; stop) ;; *) echo "Usage: $0 start|stop" >&2 exit 3 ;; esacDDosClient &

然后在文件系統中查找DDosClient文件，并刪除

root@iZ25lwdric8Z:/# find -name DDosClient ./opt/dt/DDosClient

4.使用殺毒軟件

下載殺毒軟件，使用殺毒軟件再清理一次。ClamAV安裝說明。全盤掃描后，果然發現17個被感染文件。

----------- SCAN SUMMARY ----------- Known viruses: 5018129 Engine version: 0.99.2 Scanned directories: 50605 Scanned files: 215736 Infected files: 17 Total errors: 14166 Data scanned: 13729.61 MB Data read: 16311.49 MB (ratio 0.84:1) Time: 1933.999 sec (32 m 13 s)

這些是被刪除的感染文件。

/var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/ps: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/ps: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/netstat: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/bin/netstat: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/bsd-port/getty: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/bsd-port/getty: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/.sshd: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/.sshd: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/lsof: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/usr/bin/lsof: Removed. /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/etc/aipok: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/66b7e760fc98049ff109fa4b6a4f1d71ce2e4822e77fdeb722836675c232c62d/etc/aipok: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/ps: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/ps: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/netstat: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/bin/netstat: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/A2: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/A2: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/fu: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/fu: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/ltma: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/root/ltma: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/bsd-port/getty: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/bsd-port/getty: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/.sshd: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/.sshd: Removed. /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/lsof: Unix.Trojan.Agent-37008 FOUND /var/lib/docker/aufs/diff/21f65507d020e17628e0b722b8535260115288a7f1dfe42337aff054449563b2/usr/bin/lsof: Removed.

后記

經過這次清理，也不敢保證已經完全清理干凈了。上次清理完安裝了防火墻，這次查看也沒有發現異常。后繼繼續觀察。