Linux应急响应：消灭挖矿木马全面指南<\/h1>

一、应急响应启动判断<\/h2>
当发现以下情况时，主机很可能已被植入挖矿木马：<\/p>
CPU占用率持续居高不下<\/li>
系统响应变慢<\/li>
异常网络连接<\/li> <\/ul>
二、处理流程<\/h2>

1. 主机隔离<\/h3>
网络隔离措施：<\/strong><\/p>
# 允许维护人员的IP访问<\/span>
<\/span><\/span>iptables -I INPUT -s xx.xxx.xx.xx -p tcp -j ACCEPT
<\/span><\/span>
<\/span><\/span># 禁止入站流量<\/span>
<\/span><\/span>iptables -A INPUT -p tcp -j DROP
<\/span><\/span>
<\/span><\/span># 禁止出站流量<\/span>
<\/span><\/span>iptables -A OUTPUT -p tcp -j DROP
<\/span><\/span>
<\/span><\/span># 清除现有规则<\/span>
<\/span><\/span>iptables -F
<\/span><\/span><\/code><\/pre>2. 系统命令完整性检查<\/h3>
检查命令是否被篡改：<\/strong><\/p>
rpm -Vf \/usr\/bin\/*
<\/span><\/span>rpm -Vf \/usr\/sbin\/*
<\/span><\/span>
<\/span><\/span># 关键标志解释：<\/span>
<\/span><\/span># S - 文件大小变化<\/span>
<\/span><\/span># 5 - MD5值变化<\/span>
<\/span><\/span># T - 文件时间变化<\/span>
<\/span><\/span><\/code><\/pre>常见被篡改命令：<\/strong><\/p>

ps<\/li>
top<\/li>
kill<\/li>
ls<\/li>
rc.local<\/li>
<\/ul>
处理方案：<\/strong><\/p>

删除被篡改的命令文件<\/li>
从备份恢复原始命令文件<\/li>
<\/ol>
3. 恶意脚本分析<\/h3>
典型挖矿木马脚本示例：<\/strong><\/p>
if<\/span> ! pgrep -x "king"<\/span> > \/dev\/null
<\/span><\/span>then<\/span>
<\/span><\/span>    chmod +x \/etc\/rc.local & > \/dev\/null
<\/span><\/span>    grep king \/etc\/rc.local > \/dev\/null ||<\/span> echo "nohup \/var\/lib\/king &"<\/span> >> \/etc\/rc.local
<\/span><\/span>    grep king \/etc\/cron.hourly\/nginx > \/dev\/null ||<\/span> echo "nohup \/var\/lib\/king &"<\/span> >> \/etc\/cron.hourly\/nginx
<\/span><\/span>    grep king \/etc\/cron.daily\/nginx > \/dev\/null ||<\/span> echo "nohup \/var\/lib\/king &"<\/span> >> \/etc\/cron.daily\/nginx
<\/span><\/span>    grep king \/var\/spool\/cron\/root > \/dev\/null ||<\/span> echo "*nohup \/var\/lib\/king &"<\/span> >> \/var\/spool\/cron\/root
<\/span><\/span>    cp -arf \/var\/yp\/king.sh \/var\/lib\/king & > \/dev\/null
<\/span><\/span>fi<\/span>
<\/span><\/span><\/code><\/pre>脚本功能解析：<\/strong><\/p>

检查"king"进程是否运行<\/li>
如果没有运行，则：

修改rc.local权限<\/li>
向多个位置添加自启动项<\/li>
复制恶意文件<\/li>
<\/ul>
<\/li>
<\/ol>
4. 动态链接库劫持检测<\/h3>
检查点：<\/strong><\/p>
# 检查是否存在预加载库<\/span>
<\/span><\/span>ls -la \/etc\/ld.so.preload
<\/span><\/span>
<\/span><\/span># 删除恶意预加载配置<\/span>
<\/span><\/span>rm -f \/etc\/ld.so.preload
<\/span><\/span>
<\/span><\/span># 检查并删除恶意动态链接库<\/span>
<\/span><\/span>rm -f \/lib64\/libupload.so
<\/span><\/span><\/code><\/pre>5. 恶意进程处理<\/h3>
识别异常进程：<\/strong><\/p>
ps aux
<\/span><\/span>top
<\/span><\/span>netstat -antp
<\/span><\/span><\/code><\/pre>处理流程：<\/strong><\/p>

暂停可疑进程（防止守护进程重启）<\/li>
<\/ol>
kill -STOP <PID>
<\/span><\/span>kill -STOP $(<\/span>pgrep king)<\/span>
<\/span><\/span>pkill <进程名>
<\/span><\/span><\/code><\/pre>
定位进程文件<\/li>
<\/ol>
lsof -p <PID>
<\/span><\/span><\/code><\/pre>
删除恶意文件（注意特殊权限）<\/li>
<\/ol>
lsattr <文件路径>
<\/span><\/span>chattr -i <文件路径>  # 移除不可更改属性<\/span>
<\/span><\/span>rm -f <文件路径>
<\/span><\/span><\/code><\/pre>6. 持久化机制清除<\/h3>
检查点：<\/strong><\/p>

计划任务<\/li>
<\/ol>
ls \/etc\/cron.*
<\/span><\/span>grep king \/etc\/cron.*\/*
<\/span><\/span>find \/etc\/ -mtime -1
<\/span><\/span>atq  # 查看at计划任务<\/span>
<\/span><\/span><\/code><\/pre>
开机启动项<\/li>
<\/ol>
\/etc\/rc.local
<\/span><\/span>\/etc\/rc.d\/rc0.d\/  # rc0-rc6<\/span>
<\/span><\/span>\/etc\/init.d\/
<\/span><\/span>\/usr\/lib\/systemd\/system\/
<\/span><\/span>find \/usr\/lib\/systemd\/system -mtime -1
<\/span><\/span><\/code><\/pre>
SSH公钥<\/li>
<\/ol>
cat ~\/.ssh\/authorized_keys
<\/span><\/span><\/code><\/pre>
环境变量<\/li>
<\/ol>
grep king \/etc\/profile \/etc\/profile.d\/* \/etc\/bashrc ~\/.bashrc ~\/.bash_profile
<\/span><\/span><\/code><\/pre>7. 系统配置恢复<\/h3>
检查内核参数：<\/strong><\/p>
cat \/etc\/sysctl.conf
<\/span><\/span><\/code><\/pre>重点关注异常的内存参数，如：<\/p>
vm.nr_hugepages=4069
<\/code><\/pre>
三、溯源分析<\/h2>
1. 日志分析<\/h3>
关键日志文件：<\/strong><\/p>

\/var\/log\/secure<\/code> - 认证日志<\/li>
\/var\/log\/audit\/audit.log<\/code> - 审计日志<\/li>
~\/.bash_history<\/code> - 命令历史<\/li>
中间件日志（Apache\/Nginx\/Tomcat等）<\/li>
<\/ul>
常用分析命令：<\/strong><\/p>

定位爆破root的IP：<\/li>
<\/ol>
grep "Failed password for root"<\/span> \/var\/log\/secure | awk '{print $11}'<\/span> | sort | uniq -c | sort -nr | more
<\/span><\/span><\/code><\/pre>
提取所有爆破IP：<\/li>
<\/ol>
grep "Failed password"<\/span> \/var\/log\/secure | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"<\/span> | sort | uniq -c | sort -nr
<\/span><\/span><\/code><\/pre>
查看成功登录IP：<\/li>
<\/ol>
grep "Accepted "<\/span> \/var\/log\/secure | awk '{print $11}'<\/span> | sort | uniq -c | sort -nr | more
<\/span><\/span><\/code><\/pre>
用户添加记录：<\/li>
<\/ol>
grep "useradd"<\/span> \/var\/log\/secure
<\/span><\/span><\/code><\/pre>
sudo授权执行记录：<\/li>
<\/ol>
grep "sudo"<\/span> \/var\/log\/secure
<\/span><\/span><\/code><\/pre>
爆破用户名统计：<\/li>
<\/ol>
grep "Failed password"<\/span> \/var\/log\/secure | awk '{if ($9 == "invalid") print $11; else print $9}'<\/span> | sort | uniq -c | sort -nr
<\/span><\/span><\/code><\/pre>四、加固建议<\/h2>


系统清理：<\/strong><\/p>

使用专业杀毒软件全面扫描<\/li>
手动清理残留文件和配置<\/li>
<\/ul>
<\/li>

系统更新：<\/strong><\/p>

及时安装安全补丁<\/li>
保持所有软件最新<\/li>
<\/ul>
<\/li>

计划任务管理：<\/strong><\/p>

定期检查cron任务<\/li>
限制脚本执行权限<\/li>
<\/ul>
<\/li>

文件完整性监控：<\/strong><\/p>

部署Tripwire等工具<\/li>
监控关键系统文件<\/li>
<\/ul>
<\/li>

审计机制：<\/strong><\/p>

启用系统日志审计<\/li>
实施网络流量监控<\/li>
<\/ul>
<\/li>

权限管理：<\/strong><\/p>

遵循最小权限原则<\/li>
实施强密码策略<\/li>
<\/ul>
<\/li>

防护系统：<\/strong><\/p>

合理配置防火墙规则<\/li>
部署入侵检测系统(IDS)<\/li>
<\/ul>
<\/li>
<\/ol>
五、典型挖矿木马特征<\/h2>


常见行为：<\/strong><\/p>

修改系统命令(ps, top等)<\/li>
设置多种持久化机制<\/li>
使用守护进程监控<\/li>
隐藏进程和文件<\/li>
<\/ul>
<\/li>

常见文件路径：<\/strong><\/p>

\/var\/lib\/king<\/code><\/li>
\/var\/yp\/king.sh<\/code><\/li>
\/etc\/.init\/watchdog<\/code><\/li>
\/var\/.X11CE\/<\/code><\/li>
<\/ul>
<\/li>

常见进程名：<\/strong><\/p>

king<\/li>
watchdog<\/li>
kthreadd<\/li>
<\/ul>
<\/li>
<\/ol>
通过以上全面的应急响应流程，可以有效识别、清除和防御挖矿木马，恢复系统安全状态。<\/p>