Process name: syst3md

Take its PID and look under /proc/[PID]; that leads straight to the binary, which sits at /var/tmp/.miner

strings syst3md

The output shows it is a mining trojan; the embedded build string reads: XMRig 6.15.2 built on Oct 7 2021 with GCC

So this is a build freshly compiled on October 7.
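The two steps above (resolve the process to its on-disk path through /proc, then pull the version banner out of the binary) can be scripted so they are repeatable on the next host. The following is an added example written for this write-up, not code from the original post: it reads /proc/<pid>/exe, cwd and cmdline, reimplements the part of `strings` that matters, and matches the XMRig banner seen here. The process name and banner text come from the post; SAMPLE_BINARY is a constructed byte string used only to exercise the banner matcher.

```python
import os
import re
from pathlib import Path

# Regex for the XMRig build banner exactly as `strings` printed it on this host.
XMRIG_BANNER = re.compile(
    rb"XMRig (\d+\.\d+\.\d+) built on ([A-Za-z]{3} +\d{1,2} \d{4}) with (\w+)"
)

# Constructed stand-in for a binary: ELF magic, junk, the banner from the post, more junk.
SAMPLE_BINARY = b"\x7fELF\x00\x00junk\x00XMRig 6.15.2 built on Oct 7 2021 with GCC\x00\x01\x02"


def printable_strings(data: bytes, min_len: int = 4):
    """Pure-Python equivalent of `strings`: runs of >= min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(data)]


def find_xmrig_banner(data: bytes):
    """Return (version, build_date, compiler) if an XMRig banner is embedded, else None."""
    m = XMRIG_BANNER.search(data)
    if not m:
        return None
    return tuple(part.decode("ascii") for part in m.groups())


def pids_by_name(name: str, proc: str = "/proc"):
    """PIDs whose /proc/<pid>/comm equals `name` (e.g. the 'syst3md' seen in ps)."""
    if not os.path.isdir(proc):
        return []  # non-Linux host, nothing to scan
    hits = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            comm = Path(proc, entry, "comm").read_text().strip()
        except OSError:
            continue  # process already exited, or no permission
        if comm == name:
            hits.append(int(entry))
    return hits


def triage_pid(pid: int, proc: str = "/proc"):
    """On-disk path, working directory and argv of a process, taken from /proc.
    /proc/<pid>/exe still resolves if the file was unlinked after start
    (the link then ends in ' (deleted)'), which is why it is preferred over ps."""
    base = Path(proc, str(pid))
    info = {"pid": pid}
    for key in ("exe", "cwd"):
        try:
            info[key] = os.readlink(base / key)
        except OSError as e:
            info[key] = f"<unreadable: {e.strerror}>"
    try:
        info["cmdline"] = Path(base, "cmdline").read_bytes().split(b"\0")[:-1]
    except OSError:
        info["cmdline"] = []
    return info


def triage_self():
    """Convenience wrapper: triage the current interpreter (used for self-checks)."""
    return triage_pid(os.getpid())


def scan_binary(path: str):
    """Read a file and report the XMRig banner if present."""
    return find_xmrig_banner(Path(path).read_bytes())


if __name__ == "__main__":
    for pid in pids_by_name("syst3md"):
        info = triage_pid(pid)
        print(info)
        exe = info["exe"].replace(" (deleted)", "")
        if os.path.exists(exe):
            print("XMRig banner:", scan_binary(exe))
```

Run it as root on the affected host; the `cwd` link is how /var/tmp/.miner shows up even when the process name has been renamed to something innocuous.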

Its configuration file:

{
    "api": {
        "id": null,
        "worker-id": null
    },
    "http": {
        "enabled": false,
        "host": "127.0.0.1",
        "port": 0,
        "access-token": null,
        "restricted": true
    },
    "autosave": true,
    "background": true,
    "colors": true,
    "title": true,
    "randomx": {
        "init": -1,
        "init-avx2": -1,
        "mode": "auto",
        "1gb-pages": false,
        "rdmsr": true,
        "wrmsr": true,
        "cache_qos": false,
        "numa": true,
        "scratchpad_prefetch_mode": 1
    },
    "cpu": {
        "enabled": true,
        "huge-pages": true,
        "huge-pages-jit": false,
        "hw-aes": null,
        "priority": null,
        "memory-pool": false,
        "yield": true,
        "max-threads-hint": 100,
        "asm": true,
        "argon2-impl": null,
        "astrobwt-max-size": 550,
        "astrobwt-avx2": false,
        "cn/0": false,
        "cn-lite/0": false
    },
    "opencl": {
        "enabled": false,
        "cache": true,
        "loader": null,
        "platform": "AMD",
        "adl": true,
        "cn/0": false,
        "cn-lite/0": false
    },
    "cuda": {
        "enabled": false,
        "loader": null,
        "nvml": true,
        "cn/0": false,
        "cn-lite/0": false
    },
    "donate-level": 0,
    "donate-over-proxy": 0,
    "log-file": null,
    "pools": [
        {
            "algo": null,
            "coin": null,
            "url": "139.99.123.196:443",
            "user": "465xhvDoBKgXAe6BHj5KqLVuLhBxukQuJjTTBDCoDawJXG1Jz5qjSWUeidqKXmyH7W6SpuzdKDx3mWzh11uHyCy2JRwaGb7",
            "pass": ".miner",
            "rig-id": null,
            "nicehash": false,
            "keepalive": true,
            "enabled": true,
            "tls": true,
            "tls-fingerprint": null,
            "daemon": false,
            "socks5": null,
            "self-select": null,
            "submit-to-origin": false
        }
    ],
    "print-time": 60,
    "health-print-time": 60,
    "dmi": true,
    "retries": 5,
    "retry-pause": 5,
    "syslog": false,
    "tls": {
        "enabled": false,
        "protocols": null,
        "cert": null,
        "cert_key": null,
        "ciphers": null,
        "ciphersuites": null,
        "dhparam": null
    },
    "user-agent": null,
    "verbose": 0,
    "watch": true,
    "pause-on-battery": false,
    "pause-on-active": false
}
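What a responder needs from this file is the pool endpoint, the wallet, and the settings that explain why the miner went unnoticed. The script below is an added example written for this post (not XMRig's code and not part of the original write-up): it parses a trimmed copy of the recovered config, emits the network indicators and the wallet to pivot on, and lists the stealth-relevant settings. The values in RECOVERED_CONFIG are the ones shown above; the observation wording is this example's own.

```python
import json
from urllib.parse import urlsplit

# Trimmed copy of the config found at /var/tmp/.miner: only the keys that matter for
# response are kept, with the values exactly as recovered.
RECOVERED_CONFIG = """{
    "background": true,
    "donate-level": 0,
    "log-file": null,
    "syslog": false,
    "pools": [{
        "url": "139.99.123.196:443",
        "user": "465xhvDoBKgXAe6BHj5KqLVuLhBxukQuJjTTBDCoDawJXG1Jz5qjSWUeidqKXmyH7W6SpuzdKDx3mWzh11uHyCy2JRwaGb7",
        "pass": ".miner",
        "tls": true,
        "keepalive": true,
        "enabled": true
    }]
}"""


def _split_pool_url(url: str):
    """XMRig pool URLs may carry a scheme (stratum+tcp://, stratum+ssl://) or be bare host:port."""
    if "://" in url:
        parts = urlsplit(url)
        return parts.hostname, parts.port
    host, sep, port = url.rpartition(":")
    if not sep:
        return url, None
    return host, (int(port) if port.isdigit() else None)


def extract_iocs(config_text: str):
    """Pull block-list entries and wallet addresses out of an XMRig config."""
    cfg = json.loads(config_text)
    pools, blocklist, wallets = [], [], []
    for p in cfg.get("pools", []):
        if not p.get("enabled", True):
            continue  # disabled pool entries are noise, not active C2
        host, port = _split_pool_url(p.get("url", ""))
        pools.append({"host": host, "port": port, "tls": bool(p.get("tls")),
                      "wallet": p.get("user"), "pass": p.get("pass")})
        if host and port:
            blocklist.append(f"{host}:{port}")
        if p.get("user") and p["user"] not in wallets:
            wallets.append(p["user"])
    return {"pools": pools, "network_blocklist": blocklist, "wallets": wallets}


def config_observations(config_text: str):
    """Settings worth noting in the incident report, with the reason each matters."""
    cfg = json.loads(config_text)
    notes = []
    if cfg.get("background"):
        notes.append("background=true: detaches from the terminal and survives the attacker's logout")
    if cfg.get("log-file") is None and not cfg.get("syslog", False):
        notes.append("no log-file and no syslog: the miner keeps no log of its own on the host")
    if cfg.get("donate-level", 1) == 0:
        notes.append("donate-level=0: a hand-edited config, not stock defaults")
    for p in cfg.get("pools", []):
        host, port = _split_pool_url(p.get("url", ""))
        if port == 443 and p.get("tls"):
            notes.append(f"pool {host}:443 over TLS: blends in with HTTPS egress, so block the IP rather than the port")
        if p.get("pass"):
            notes.append(f"pool password {p['pass']!r}: an operator-chosen tag, search other hosts' configs for it")
    return notes


if __name__ == "__main__":
    print(json.dumps(extract_iocs(RECOVERED_CONFIG), indent=2))
    for note in config_observations(RECOVERED_CONFIG):
        print("-", note)
```

The wallet address is the most durable pivot: pool IPs rotate, but the same wallet tends to reappear across a campaign's other victims.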

The server IP belongs to ovh.com in Singapore; a reverse lookup gives the domain: https://pool.supportxmr.com

The trojan binary also contains a passage of Italian whose meaning is unclear.

The file timestamps show it arrived at around 06:12 on the morning of October 8.

Running last confirms that someone did remotely log in at exactly that time.

lastb shows that this person had been brute-forcing continuously, starting on October 6 and ending around 2 a.m. on the 9th, and successfully cracked one account.

Attack start: 2021/10/06 03:10:43 from IP 167.99.217.37

End: 2021/10/10 17:20

2021/10/08 06:12:05 [I] [proxy.go:162] [921b747bc32dc4df] [ZhanMei.ssh] get a user connection [164.90.219.29:54044]
2021/10/08 06:12:06 [I] [proxy.go:162] [921b747bc32dc4df] [ZhanMei.ssh] get a user connection [164.90.219.29:54072]
2021/10/08 06:12:06 [I] [proxy.go:162] [921b747bc32dc4df] [ZhanMei.ssh] get a user connection [164.90.219.29:54100]
2021/10/08 06:12:21 [I] [proxy.go:162] [921b747bc32dc4df] [ZhanMei.ssh] get a user connection [5.2.231.232:30414]
2021/10/08 06:32:49 [I] [proxy.go:162] [921b747bc32dc4df] [ZhanMei.vnc] get a user connection [164.90.176.104:41074]
2021/10/08 07:32:06 [I] [proxy.go:162] [921b747bc32dc4df] [ZhanMei.vnc] get a user connection [167.71.43.147:52620]
2021/10/08 08:21:20 [I] [service.go:449] [dffa881a6ae823d0] client login info: ip [117.89.133.69:3716] version [0.37.0] hostname [] os [darwin] arch [amd64
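Reading lastb and the frps log by eye works once; on the next box it is worth having the correlation scripted. The following is an added example for this write-up, not code from the post or from frp: it parses lastb-style lines, summarises failed logins per source IP (a crude brute-force detector), parses the frps "get a user connection" lines quoted above, and lists the tunnel connections that arrived within a few minutes of the file timestamp. LASTB_SAMPLE is constructed (only the 167.99.217.37 address and the 03:10 start time are taken from the post; lastb prints no year, so 2021 is supplied separately); FRP_SAMPLE is the log quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lastb output in the format `lastb` prints. Users, the second source
# address and all timestamps except the first are invented for the example.
LASTB_SAMPLE = """\
root     ssh:notty    167.99.217.37    Wed Oct  6 03:10 - 03:10  (00:00)
admin    ssh:notty    167.99.217.37    Wed Oct  6 03:10 - 03:10  (00:00)
root     ssh:notty    167.99.217.37    Thu Oct  7 22:41 - 22:41  (00:00)
test     ssh:notty    167.99.217.37    Sat Oct  9 02:03 - 02:03  (00:00)
root     ssh:notty    10.0.0.5         Thu Oct  7 09:00 - 09:00  (00:00)

btmp begins Wed Oct  6 03:10:43 2021
"""

# frps log lines as quoted in the write-up.
FRP_SAMPLE = """\
2021/10/08 06:12:05 [I] [proxy.go:162] [921b747bc32dc4df] [ZhanMei.ssh] get a user connection [164.90.219.29:54044]
2021/10/08 06:12:06 [I] [proxy.go:162] [921b747bc32dc4df] [ZhanMei.ssh] get a user connection [164.90.219.29:54072]
2021/10/08 06:12:06 [I] [proxy.go:162] [921b747bc32dc4df] [ZhanMei.ssh] get a user connection [164.90.219.29:54100]
2021/10/08 06:12:21 [I] [proxy.go:162] [921b747bc32dc4df] [ZhanMei.ssh] get a user connection [5.2.231.232:30414]
2021/10/08 06:32:49 [I] [proxy.go:162] [921b747bc32dc4df] [ZhanMei.vnc] get a user connection [164.90.176.104:41074]
2021/10/08 07:32:06 [I] [proxy.go:162] [921b747bc32dc4df] [ZhanMei.vnc] get a user connection [167.71.43.147:52620]
"""

# user  tty  host  Dow Mon  D HH:MM ...   (duration and end time are not needed here)
LASTB_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+\w{3} (\w{3}) +(\d{1,2}) (\d{2}:\d{2})")
# timestamp [level] [file:line] [run id] [proxy name] get a user connection [ip:port]
FRP_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w\] \[[^\]]+\] \[[0-9a-f]+\] "
    r"\[([^\]]+)\] get a user connection \[([\d.]+):(\d+)\]"
)


def parse_lastb(text: str, year: int):
    """Failed-login records from lastb output; the footer and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("btmp begins"):
            continue
        m = LASTB_RE.match(line)
        if not m:
            continue
        user, tty, host, mon, day, hm = m.groups()
        ts = datetime.strptime(f"{mon} {day} {year} {hm}", "%b %d %Y %H:%M")
        events.append({"user": user, "tty": tty, "src": host, "time": ts})
    return events


def brute_force_summary(events, threshold: int = 3):
    """Per source IP: attempt count, usernames tried, first and last attempt (ISO strings)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    summary = {}
    for src, evs in by_src.items():
        if len(evs) < threshold:
            continue  # a couple of typos is not a campaign
        times = sorted(e["time"] for e in evs)
        summary[src] = {"attempts": len(evs),
                        "users": sorted({e["user"] for e in evs}),
                        "first": times[0].isoformat(), "last": times[-1].isoformat()}
    return summary


def parse_frp(text: str):
    """Inbound user connections seen by frps, with the tunnel they hit."""
    conns = []
    for line in text.splitlines():
        m = FRP_RE.match(line)
        if m:
            ts, proxy, ip, port = m.groups()
            conns.append({"time": datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"),
                          "proxy": proxy, "src": ip, "port": int(port)})
    return conns


def connections_near(conns, pivot: str, window_minutes: int = 5):
    """Connections within +/- window_minutes of a pivot time given as 'YYYY/MM/DD HH:MM:SS'."""
    centre = datetime.strptime(pivot, "%Y/%m/%d %H:%M:%S")
    window = timedelta(minutes=window_minutes)
    return [c for c in conns if abs(c["time"] - centre) <= window]


if __name__ == "__main__":
    print(brute_force_summary(parse_lastb(LASTB_SAMPLE, 2021)))
    for c in connections_near(parse_frp(FRP_SAMPLE), "2021/10/08 06:12:05"):
        print(c["time"], c["proxy"], f"{c['src']}:{c['port']}")
```

The pivot time is the creation time of /var/tmp/.miner; whatever hit the ssh tunnel in that window is the session to look at first, and the source addresses it yields go into the same block list as the pool IP.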