Recently ran into the TeamTNT cryptomining trojan: it created a "hilde" user, the top and ps commands (among others) were modified, and the mining process was hidden. Here is a detailed and well-written analysis article, bookmarked here: TeamTNT挖矿木马变种再袭,影响上千云主机,应用腾讯云SOC可轻松处置 (qq.com) ["TeamTNT mining trojan variant strikes again, affecting over a thousand cloud hosts; easily handled with Tencent Cloud SOC"]. Characteristics:

(1) After killing competing mining processes, it overwrites the source files of those processes with a LOCKFILE string containing the text "TeamTNT is watching you!";
(2) It persists through several mechanisms at once: cron jobs, system services, and user profile files;
(3) It tampers with the system ps, top, pstree and similar commands to hide its own trojan processes;
(4) It tampers with the commands and services related to rebooting, to stop the user from restarting the host;
(5) It now spreads laterally to cloud servers through the Redis unauthorized-access vulnerability.

Addresses associated with the mining trojan:

DOMAIN:
oracle.zzhreceive.top
xmr-asia1.nanopool.org (mining pool)
gulf.moneroocean.stream (mining pool)
donate.v2.xmrig.com (mining pool)

MD5:
bf68dfba47df6c6023ce82686ce68429
58426b3626aea9d1f96c7b8d18ac5ad0
38ba92aafbe6e0f8917eef0eebb624a8
94a3ea919da87035eae05403c00782fd

URL:
hxxp://oracle.zzhreceive.top/b2f628/idcheck/
hxxp://oracle.zzhreceive.top/b2f628/cryptostart
hxxp://oracle.zzhreceive.top/b2f628/cryptonotfount
hxxp://oracle.zzhreceive.top/b2f628/authfailed
hxxp://oracle.zzhreceive.top/b2f628/authok
hxxp://oracle.zzhreceive.top/b2f628/authfailedroot
hxxp://oracle.zzhreceive.top/b2f628/authokroot
hxxp://85.214.149.236:443/sugarcrm/themes/default/images/mod.jpg
hxxp://85.214.149.236:443/sugarcrm/themes/default/images/stock.jpg
hxxps://github.com/xmrig/xmrig/releases/download/v6.10.0/xmrig-6.10.0-linux-static-x64.tar.gz
hxxp://oracle.zzhreceive.top/b2f628/b.sh
hxxp://oracle.zzhreceive.top/b2f628/father.jpg
hxxp://oracle.zzhreceive.top/b2f628/cf.jpg
hxxp://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh
hxxp://oracle.zzhreceive.top/b2f628fff19fda999999999/iss.sh
hxxp://oracle.zzhreceive.top/b2f628fff19fda999999999/1.0.4.tar.gz
hxxp://oracle.zzhreceive.top/b2f628/p.tar
hxxp://oracle.zzhreceive.top/b2f628/scan
hxxp://oracle.zzhreceive.top/b2f628/rss.sh

Wallet address:
43Xbgtym2GZWBk87XiYbCpTKGPBTxYZZWi44SWrkqqvzPZV6Pfmjv3UHR6FDwvPgePJyv9N5PepeajfmKp1X71EW7jx4Tpz.pokemon6
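Two things a defender wants to do with this note: match the indicators above against DNS/proxy logs, and check for the process hiding described in characteristic (3) by comparing /proc with what the installed ps reports. The script below is an added example written for this bookmark; it is not code from the linked article or from Tencent. The indicator values are copied from the list above (kept defanged as hxxp), while the log lines and the ps output in the test are constructed samples; the refang helper also strips the spaces that line wrapping inserted into some of the URLs.

```python
import os
import re
import subprocess
from typing import Iterable, List, Tuple

# Indicators copied from the page. Schemes stay defanged (hxxp) exactly as published.
IOC_DOMAINS = {
    "oracle.zzhreceive.top",
    "xmr-asia1.nanopool.org",
    "gulf.moneroocean.stream",
    "donate.v2.xmrig.com",
}
IOC_IPS = {"85.214.149.236"}
IOC_MD5 = {
    "bf68dfba47df6c6023ce82686ce68429",
    "58426b3626aea9d1f96c7b8d18ac5ad0",
    "38ba92aafbe6e0f8917eef0eebb624a8",
    "94a3ea919da87035eae05403c00782fd",
}

# Constructed sample log lines (not from the page): one DNS query and two proxy requests.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01Z dns query A oracle.zzhreceive.top from 10.0.0.5",
    "2024-01-01T10:00:02Z proxy GET http://85.214.149.236:443/sugarcrm/themes/default/images/mod.jpg 10.0.0.5",
    "2024-01-01T10:00:03Z proxy GET https://example.org/index.html 10.0.0.7",
]


def refang(ioc: str) -> str:
    """Restore a defanged hxxp/hxxps scheme and drop spaces that line wrapping inserted into the path."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc.strip()).replace(" ", "")


def match_log_lines(lines: Iterable[str], domains=IOC_DOMAINS, ips=IOC_IPS) -> List[Tuple[str, str]]:
    """Return (line, indicator) pairs for lines that mention a known C2 or pool domain/IP.

    Indicators are matched on a boundary, so 'oracle.zzhreceive.top' does not fire
    inside an unrelated longer host name such as 'notoracle.zzhreceive.top'.
    """
    hits = []
    for line in lines:
        for indicator in sorted(domains | ips):
            if re.search(r"(?<![\w.-])" + re.escape(indicator) + r"(?![\w-])", line):
                hits.append((line, indicator))
                break  # one hit per line is enough for triage
    return hits


def hidden_pids(proc_pids: Iterable[int], ps_output: str) -> List[int]:
    """PIDs present in /proc but missing from ps output: the signature of a ps that filters its own process list."""
    reported = set()
    for line in ps_output.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            reported.add(int(fields[0]))
    return sorted(set(proc_pids) - reported)


def live_hidden_pids() -> List[int]:
    """Run the /proc-vs-ps comparison on this host (Linux only).

    The check is done twice and intersected so that processes which exit between the
    /proc listing and the ps call do not show up as false positives.
    Caveat: if hiding is done via /etc/ld.so.preload (a readdir hook) rather than a
    replaced ps binary, a plain /proc walk from this interpreter is hooked too;
    inspect that file as well.
    """
    def once() -> set:
        proc = [int(n) for n in os.listdir("/proc") if n.isdigit()]
        out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=False).stdout
        return set(hidden_pids(proc, out))

    return sorted(once() & once())


if __name__ == "__main__":
    for line, indicator in match_log_lines(SAMPLE_LOGS):
        print(f"IOC hit {indicator!r}: {line}")
    if os.path.isdir("/proc"):
        print("PIDs in /proc that ps does not report:", live_hidden_pids())
```

On a host where ps has been replaced, any PID returned by live_hidden_pids() can be inspected directly through /proc/<pid>/exe and /proc/<pid>/cmdline, which bypasses the tampered command entirely; the MD5 set is there for comparing against hashes of files found that way.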