kk Blog —— General Basics


date [-d @int|str] [+%s|"+%F %T"]
netstat -ltunp
sar -n DEV 1

unhide: finding hidden processes, cleaning up a cryptominer

https://blog.csdn.net/weixin_48958956/article/details/139812765

https://www.cnblogs.com/bonelee/p/16976768.html

CPU us (user time) reaches 100%

The top and ps commands cannot find the process

How the process is hidden

Linux has a special directory, /proc/. Its contents are not a filesystem on disk but a data interface exposed by the kernel for process- and thread-related information, i.e. procfs; it records the processes and threads currently running on the system.

Commands such as ps and top essentially work by walking this directory.

Knowing that, there are several ways to achieve hiding:

Command replacement

Replace the system's ps and top tools directly. Their source code can be downloaded from GitHub and the corresponding filtering logic added, so that the mining process is dropped while processes are enumerated, which achieves the hiding.

Module injection

Write a shared object (.so) that hooks the enumeration functions (readdir/readdir64) and filters out the mining process during traversal.

By modifying the LD_PRELOAD environment variable or the /etc/ld.so.preload file, the shared library is configured so that it gets injected into the target processes.

Kernel-level hiding

Module injection performs the function hook in user space to hide the mining process; going one step further, a driver (kernel module) can be loaded to hook the corresponding system calls in kernel space. That demands more skill from the attacker, and cleaning up such malware is a bigger challenge as well.

Flushing out the mining process

From the hiding principles above it is clear that every method tries to hide content under the /proc directory, a kind of sleight of hand, so none of the commands that rely on it, ps, top, ls and so on, can see that the mining process exists.

But being blindfolded does not mean it is not there. A tool called unhide can reveal hidden processes.

unhide proc
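The following is an added example, not code from the post or from unhide itself. It reimplements the idea behind `unhide proc` in Python from the defender's side and ties together the two sections above: ps and top enumerate /proc with readdir(), which a preloaded hook or a replaced binary can filter, while kill(pid, 0) and a direct open of /proc/<pid>/status are separate syscalls that such a hook never sees, so comparing the two views exposes PIDs that are alive but missing from the listing. The Tgid filter that separates ordinary threads from hidden processes and the re-probe that discards tasks that exited between scans are this example's own choices, not unhide's exact algorithm; it assumes a Linux host with procfs mounted at /proc.

```python
"""Added example (not from the blog post): a minimal, defender-side version of
the `unhide proc` check, plus a look at the user-space injection points the
post names (LD_PRELOAD and /etc/ld.so.preload)."""
import os


def read_pid_max(default=32768):
    """Upper bound of the PID space, from the kernel (falls back to the old default)."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except OSError:
        return default


def listed_pids():
    """PIDs exactly as a readdir()-based tool (ps, top, ls /proc) sees them."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(pid_max):
    """PIDs that answer a signal-0 probe; independent of any /proc listing.
    ProcessLookupError means no such task, PermissionError means it exists but
    belongs to someone else, so both outcomes are informative."""
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def thread_group_id(pid):
    """Tgid from /proc/<pid>/status via a direct path lookup. readdir() never
    lists non-leader threads, but the kernel still resolves /proc/<tid>, which
    is how we tell a plain thread from a genuinely hidden process."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None


def find_hidden_pids(pid_max=None):
    """PIDs that kill() says are alive but that the /proc listing omits,
    excluding threads and tasks that merely exited between the two scans."""
    pid_max = pid_max or read_pid_max()
    candidates = probed_pids(pid_max) - listed_pids()
    hidden = set()
    for pid in candidates:
        tgid = thread_group_id(pid)
        if tgid is None:
            # No status file reachable: either it exited a moment ago, or the
            # entry is hidden below the readdir() layer. Re-probe to tell apart.
            try:
                os.kill(pid, 0)
            except ProcessLookupError:
                continue
            except PermissionError:
                pass
            hidden.add(pid)
        elif tgid == pid and pid not in listed_pids():
            hidden.add(pid)          # a real process, still not listed
        # tgid != pid: a thread of a visible process, not a hidden one
    return hidden


def preload_indicators():
    """The user-space injection points the post names. A normal system has
    neither set, so anything reported here deserves a look."""
    found = {}
    if os.environ.get("LD_PRELOAD"):
        found["LD_PRELOAD"] = os.environ["LD_PRELOAD"]
    try:
        with open("/etc/ld.so.preload") as f:
            libs = [l.strip() for l in f if l.strip() and not l.startswith("#")]
        if libs:
            found["/etc/ld.so.preload"] = libs
    except OSError:
        pass
    return found


if __name__ == "__main__":
    for pid in sorted(find_hidden_pids()):
        print("Found HIDDEN PID:", pid)
    for where, what in preload_indicators().items():
        print("preload indicator:", where, what)
```

Run it as root so the signal-0 probe and the status reads cover every user's processes. A kernel-level hook that also filters the lookup of /proc/<pid> defeats the status read, but not the kill() probe, which is why the re-probe branch reports such a PID rather than discarding it.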

systemctl status pid

[root@localhost ~]# systemctl status 77206
● 800a7a3e.service - Server Service
    Loaded: loaded (/usr/lib/systemd/system/800a7a3e.service; disabled; vendor preset: disabled)
   Active: activating (auto-restart) since Tue 2024-08-27 09:00:26 CST; 14min ago
  Process: 47625 ExecStart=/usr/bin/800a7a3e0df6442b 800a7a3e (code=exited, status=0/SUCCESS)
 Main PID: 47625 (code=exited, status=0/SUCCESS)
    Tasks: 22
   Memory: 19.4M
   CGroup: /system.slice/800a7a3e.service
           └─77206 /945d4139

systemctl stop xx.service
systemctl disable xx.service
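`systemctl status <pid>` resolves a PID to its unit through the process's cgroup. As an added example (not from the post), the Python below reads /proc/<pid>/cgroup directly and also checks /proc/<pid>/exe for the "(deleted)" marker that the unhide log further down shows; the triage() wrapper and its output format are this example's own. The constructed cgroup lines in the comments reuse the 800a7a3e.service unit name from the status output above.

```python
"""Added example (not the blog's own code): what `systemctl status <pid>` does
under the hood, done by hand so the stop/disable target is known even when the
service name is an opaque hash like 800a7a3e.service."""
import os


def unit_from_cgroup(cgroup_text):
    """Return the innermost systemd unit (.service or .scope) in a cgroup file.
    cgroup v2 has one line, e.g. '0::/system.slice/800a7a3e.service'; cgroup v1
    has one line per controller, e.g. '1:name=systemd:/system.slice/800a7a3e.service'.
    (Both sample lines are constructed for this example.)"""
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        for segment in reversed(parts[2].split("/")):
            if segment.endswith((".service", ".scope")):
                return segment
    return None


def unit_for_pid(pid):
    """Unit the live process belongs to, or None if unreadable / not in a unit."""
    try:
        with open(f"/proc/{pid}/cgroup") as f:
            return unit_from_cgroup(f.read())
    except OSError:
        return None


def exe_info(pid):
    """(target, deleted) for /proc/<pid>/exe, or None if unreadable. A binary
    unlinked after start shows as '/path (deleted)', exactly as in the unhide log."""
    try:
        target = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None
    return target, target.endswith(" (deleted)")


def triage(pid):
    """Facts a responder wants before touching the process, plus the
    stop/disable commands the post runs once the unit name is known."""
    unit = unit_for_pid(pid)
    exe = exe_info(pid)
    report = {"pid": pid, "unit": unit, "exe": exe, "actions": []}
    if unit and unit.endswith(".service"):
        report["actions"] += [f"systemctl stop {unit}", f"systemctl disable {unit}"]
    if exe and exe[1]:
        # The file is gone from disk, but /proc/<pid>/exe still opens it:
        # copy it out for analysis before the process is killed.
        report["actions"].append(f"cp /proc/{pid}/exe ./evidence-{pid}.bin")
    return report


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        print(triage(int(arg)))
```

Stopping the unit is not the end of the cleanup: the post's example shows `Active: activating (auto-restart)`, so the unit file itself (here /usr/lib/systemd/system/800a7a3e.service) and the binary it references must be removed after `systemctl disable`, or systemd will keep respawning the miner.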

/etc/rc.local was modified, and lsattr was modified

First reinstall e2fsprogs so that lsattr and chattr are usable again

yum reinstall e2fsprogs

lsattr /etc/rc.local

chattr -i /etc/rc.local

chattr -a /etc/rc.local
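The reason a modified lsattr matters is that the immutable (i) and append-only (a) bits live in the inode, and a tampered binary can simply lie about them. As an added example (not from the post), the Python below reads those bits straight from the kernel with the FS_IOC_GETFLAGS ioctl, the same call lsattr makes, so the check works before e2fsprogs is reinstalled; clear_lock_flags() is the equivalent of `chattr -i -a`. It assumes Linux on x86_64 or aarch64, where the ioctl numbers are the encodings of _IOR('f', 1, long) and _IOW('f', 2, long) given below; a kernel-level rootkit, as in the post's last hiding category, could of course still lie at this layer.

```python
"""Added example (not from the blog post): inspect and clear the immutable /
append-only inode flags without trusting the lsattr/chattr binaries."""
import array
import fcntl
import os

FS_IOC_GETFLAGS = 0x80086601   # _IOR('f', 1, long) on 64-bit x86 / arm64
FS_IOC_SETFLAGS = 0x40086602   # _IOW('f', 2, long)
FS_IMMUTABLE_FL = 0x00000010   # lsattr letter 'i': no write, delete, rename, link
FS_APPEND_FL = 0x00000020      # lsattr letter 'a': append-only


def get_inode_flags(path):
    """Raw flag word for path, or None if the filesystem has no attribute support."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        buf = array.array("l", [0])            # one C long, filled in by the kernel
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf, True)
        return buf[0]
    except OSError:                            # ENOTTY / EOPNOTSUPP: procfs, some tmpfs
        return None
    finally:
        os.close(fd)


def describe_flags(flags):
    """The lsattr letters that matter for a locked startup file."""
    letters = []
    if flags & FS_IMMUTABLE_FL:
        letters.append("i")
    if flags & FS_APPEND_FL:
        letters.append("a")
    return letters


def clear_lock_flags(path):
    """Equivalent of `chattr -i -a path`; needs CAP_LINUX_IMMUTABLE, so run as
    root. Returns the new flag word, or None when attributes are unsupported."""
    flags = get_inode_flags(path)
    if flags is None:
        return None
    wanted = flags & ~(FS_IMMUTABLE_FL | FS_APPEND_FL)
    if wanted != flags:
        fd = os.open(path, os.O_RDONLY)
        try:
            fcntl.ioctl(fd, FS_IOC_SETFLAGS, array.array("l", [wanted]), True)
        finally:
            os.close(fd)
    return wanted


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or ["/etc/rc.local"]:
        flags = get_inode_flags(path)
        state = "unsupported" if flags is None else ("".join(describe_flags(flags)) or "-")
        print(path, state)
```

Once the flags are cleared, /etc/rc.local can be edited or restored; check the same bits on any other files the intruder is likely to have locked, such as /etc/ld.so.preload, the crontab files and the unit file found in the previous step.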

unhide log

[root@localhost ~]# time unhide proc
Unhide 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info

NOTE : This version of unhide is for systems using Linux >= 2.6

Used options:
[*]Searching for Hidden processes through /proc stat scanning

Found HIDDEN PID: 77206
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77207
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77208
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77209
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77210
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77211
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77345
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77346
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77347
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77348
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77349
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77350
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77351
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77352
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77353
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77354
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77355
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77356
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77357
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77358
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77359
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77360
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/


real    25m58.149s
user    4m55.258s
sys     20m31.360s

system, base
