I recently ran into the TeamTNT mining trojan: it created a new user named hilde, modified commands such as top and ps, and hid the mining process. Here is a detailed analysis article that is well written, bookmarked here.

TeamTNT mining trojan variant strikes again, affecting thousands of cloud hosts; Tencent Cloud SOC can handle it easily (qq.com)

Characteristics:

(1) After killing competing mining processes, it overwrites the source files of those processes with a LOCKFILE string containing the text "TeamTNT is watching you!";
(2) It persists through several mechanisms, including scheduled tasks (cron), system services and user profile files;
(3) It tampers with system commands such as ps, top and pstree to hide its own trojan processes;
(4) It tampers with reboot-related commands and services to prevent the user from restarting the host;
(5) It switched to exploiting unauthenticated Redis access to spread laterally to other cloud servers.
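As an added defender-side example (not code from the linked article), the triage checks below cover three of the behaviours listed above: a tampered ps that hides processes (detected by comparing ps output against /proc), the hilde account the note reports, and files carrying the LOCKFILE marker string. The uid-0 heuristic and the use of `ps -eo pid=` are my assumptions, not something the article states.

```python
#!/usr/bin/env python3
"""Triage checks for the TeamTNT behaviours listed above (added example, not from the article)."""
import os
import subprocess
from typing import Iterable, List, Optional, Set

LOCKFILE_MARKER = b"TeamTNT is watching you!"  # string the article says is written over killed competitors
SUSPECT_USER = "hilde"                        # account the note above reports being created


def pids_from_proc(proc_root: str = "/proc") -> Set[int]:
    """PIDs the kernel exposes; a userland-patched ps binary cannot hide these."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps() -> Set[int]:
    """PIDs the (possibly tampered) ps binary is willing to show (assumes procps-style ps)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(before: Iterable[int], ps_pids: Iterable[int],
                after: Optional[Iterable[int]] = None) -> Set[int]:
    """Processes present in /proc but absent from ps output. Requiring a PID in both a
    before and an after snapshot filters out processes that merely exited while ps ran."""
    stable = set(before) if after is None else set(before) & set(after)
    return stable - set(ps_pids)


def suspicious_users(passwd_text: str, name: str = SUSPECT_USER) -> List[str]:
    """Accounts named like the reported one, plus any non-root account with uid 0 (assumed heuristic)."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        if fields[0] == name or (fields[2] == "0" and fields[0] != "root"):
            hits.append(fields[0])
    return hits


def has_lockfile_marker(data: bytes) -> bool:
    """True if file content carries the overwrite marker; run over files of miners that were killed."""
    return LOCKFILE_MARKER in data


if __name__ == "__main__":
    first = pids_from_proc()
    hidden = hidden_pids(first, pids_from_ps(), pids_from_proc())
    print("PIDs hidden from ps:", sorted(hidden) or "none")
    with open("/etc/passwd") as fh:
        print("suspicious users:", suspicious_users(fh.read()) or "none")
```

A non-empty result from `hidden_pids` on a live host is a strong signal that ps was replaced, and the hidden PIDs can then be inspected directly under /proc/<pid>/.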

Addresses associated with the mining trojan:

DOMAIN:
oracle.zzhreceive.top
xmr-asia1.nanopool.org (mining pool)
gulf.moneroocean.stream (mining pool)
donate.v2.xmrig.com (mining pool)


