SkidMap复杂挖矿新变种排查指南<\/h1>

1. SkidMap挖矿病毒概述<\/h2>

SkidMap是一种针对Linux系统的复杂挖矿病毒，具有以下特点：<\/p>

采用多种持久化技术确保存活<\/li>
使用rootkit技术隐藏自身进程和文件<\/li>
通过SSH暴力破解传播<\/li>

主要目标是门罗币(XMR)挖矿<\/li> <\/ul>

2. 感染特征与初步识别<\/h2>

2.1 系统资源异常<\/h3>

CPU使用率异常高(但可能被rootkit隐藏)<\/li>
系统响应变慢<\/li>

网络流量异常增加<\/li> <\/ul>

2.2 可疑进程<\/h3>

存在名为ksoftirqds<\/code>、kthreadds<\/code>等模仿系统进程的恶意进程<\/li>

进程可能被隐藏，常规ps<\/code>命令无法查看<\/li>
<\/ul>
2.3 文件系统异常<\/h3>

\/etc\/ld.so.preload<\/code>被修改<\/li>
\/usr\/local\/lib\/<\/code>下存在可疑.so文件<\/li>
\/etc\/init.d\/<\/code>或\/etc\/rc.d\/<\/code>下存在可疑启动脚本<\/li>
<\/ul>
3. 详细排查步骤<\/h2>
3.1 进程排查<\/h3>
# 使用不受rootkit影响的静态编译工具<\/span>
<\/span><\/span>busybox ps aux
<\/span><\/span># 或<\/span>
<\/span><\/span>\/bin\/ps -eo pid,ppid,cmd | grep -E 'ksoftirqds|kthreadds'<\/span>
<\/span><\/span>
<\/span><\/span># 检查隐藏进程<\/span>
<\/span><\/span>cat \/proc\/[<\/span>0-9]<\/span>*\/cmdline | grep -aE 'ksoftirqds|kthreadds'<\/span>
<\/span><\/span><\/code><\/pre>3.2 网络连接排查<\/h3>
busybox netstat -antp
<\/span><\/span># 或<\/span>
<\/span><\/span>ss -antp
<\/span><\/span>
<\/span><\/span># 检查异常IP连接，特别是矿池地址<\/span>
<\/span><\/span><\/code><\/pre>3.3 文件系统排查<\/h3>
关键目录检查：<\/p>
ls -la \/etc\/ld.so.preload
<\/span><\/span>ls -la \/usr\/local\/lib\/
<\/span><\/span>ls -la \/etc\/init.d\/
<\/span><\/span>ls -la \/etc\/rc.d\/
<\/span><\/span>find \/ -name "*kthreadds*"<\/span> -o -name "*ksoftirqds*"<\/span>
<\/span><\/span><\/code><\/pre>3.4 动态链接库检查<\/h3>
# 检查LD_PRELOAD注入<\/span>
<\/span><\/span>echo $LD_PRELOAD
<\/span><\/span>cat \/etc\/ld.so.preload
<\/span><\/span><\/code><\/pre>3.5 定时任务检查<\/h3>
crontab -l
<\/span><\/span>ls -la \/etc\/cron*\/*
<\/span><\/span>ls -la \/var\/spool\/cron\/*
<\/span><\/span><\/code><\/pre>3.6 SSH后门检查<\/h3>
# 检查authorized_keys<\/span>
<\/span><\/span>ls -la ~\/.ssh\/authorized_keys
<\/span><\/span># 检查SSH配置<\/span>
<\/span><\/span>grep -E 'PermitRootLogin|PasswordAuthentication'<\/span> \/etc\/ssh\/sshd_config
<\/span><\/span><\/code><\/pre>4. SkidMap特有技术分析<\/h2>
4.1 Rootkit技术<\/h3>

修改\/etc\/ld.so.preload<\/code>预加载恶意库<\/li>
劫持系统调用隐藏进程和文件<\/li>
常见恶意库路径：

\/usr\/local\/lib\/libioset.so<\/code><\/li>
\/usr\/local\/lib\/libipset.so<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
4.2 持久化机制<\/h3>

系统服务：在\/etc\/init.d\/<\/code>或\/etc\/rc.d\/<\/code>添加启动脚本<\/li>
crontab：添加定时任务维持持久性<\/li>
SSH后门：添加公钥或修改sshd配置<\/li>
<\/ul>
4.3 进程伪装<\/h3>

使用类似系统进程的名称：ksoftirqds<\/code>、kthreadds<\/code><\/li>
父进程ID(PPID)为1(init进程)，伪装成系统进程<\/li>
<\/ul>
5. 清理步骤<\/h2>
5.1 终止恶意进程<\/h3>
# 先找到所有恶意进程PID<\/span>
<\/span><\/span>kill -9 <恶意进程PID>
<\/span><\/span><\/code><\/pre>5.2 清理恶意文件<\/h3>
# 恢复ld.so.preload<\/span>
<\/span><\/span>echo ""<\/span> > \/etc\/ld.so.preload
<\/span><\/span>
<\/span><\/span># 删除恶意库文件<\/span>
<\/span><\/span>rm -f \/usr\/local\/lib\/libioset.so
<\/span><\/span>rm -f \/usr\/local\/lib\/libipset.so
<\/span><\/span>
<\/span><\/span># 删除恶意启动脚本<\/span>
<\/span><\/span>find \/etc\/init.d\/ \/etc\/rc.d\/ -name "*kthreadds*"<\/span> -delete
<\/span><\/span><\/code><\/pre>5.3 清理定时任务<\/h3>
# 删除用户级定时任务<\/span>
<\/span><\/span>crontab -r
<\/span><\/span>
<\/span><\/span># 删除系统级定时任务<\/span>
<\/span><\/span>rm -f \/etc\/cron.d\/*
<\/span><\/span>rm -f \/var\/spool\/cron\/*
<\/span><\/span><\/code><\/pre>5.4 修复SSH配置<\/h3>
# 检查并清理authorized_keys<\/span>
<\/span><\/span>echo ""<\/span> > ~\/.ssh\/authorized_keys
<\/span><\/span>
<\/span><\/span># 修复sshd配置<\/span>
<\/span><\/span>sed -i 's\/^PermitRootLogin.*\/PermitRootLogin no\/'<\/span> \/etc\/ssh\/sshd_config
<\/span><\/span>sed -i 's\/^PasswordAuthentication.*\/PasswordAuthentication no\/'<\/span> \/etc\/ssh\/sshd_config
<\/span><\/span>systemctl restart sshd
<\/span><\/span><\/code><\/pre>5.5 修复系统命令<\/h3>
# 检查系统命令是否被替换<\/span>
<\/span><\/span>which ps
<\/span><\/span>which netstat
<\/span><\/span>which ls
<\/span><\/span>
<\/span><\/span># 从干净系统恢复或重新安装相关包<\/span>
<\/span><\/span><\/code><\/pre>6. 防御措施<\/h2>
6.1 基础安全加固<\/h3>

禁用SSH密码认证，使用密钥登录<\/li>
限制root直接登录<\/li>
定期更新系统和软件包<\/li>
<\/ul>
6.2 监控措施<\/h3>

部署文件完整性监控(FIM)<\/li>
监控异常CPU和网络使用<\/li>
设置进程白名单<\/li>
<\/ul>
6.3 应急准备<\/h3>

保留静态编译的busybox等工具<\/li>
定期备份重要数据<\/li>
制定应急响应流程<\/li>
<\/ul>
7. 排查工具推荐<\/h2>


静态编译工具<\/strong>：<\/p>

busybox<\/li>
statically compiled versions of ps, netstat, ls<\/li>
<\/ul>
<\/li>

Rootkit检测工具<\/strong>：<\/p>

rkhunter<\/li>
chkrootkit<\/li>
<\/ul>
<\/li>

网络分析工具<\/strong>：<\/p>

tcpdump<\/li>
Wireshark<\/li>
<\/ul>
<\/li>

文件分析工具<\/strong>：<\/p>

strace<\/li>
lsof<\/li>
<\/ul>
<\/li>
<\/ol>
8. 总结<\/h2>
SkidMap是一种高度复杂的Linux挖矿病毒，结合了rootkit技术、进程伪装和多种持久化机制。排查时需要：<\/p>

使用不受影响的静态工具<\/li>
全面检查进程、文件、网络和配置<\/li>
重点关注预加载库和启动项<\/li>
彻底清理后加强系统防护<\/li>
<\/ol>
通过系统化的排查和清理流程，可以有效应对SkidMap及其变种的威胁。<\/p>