My server was infected with the kdevtmpfsi crypto-mining malware

Today I suddenly noticed that my PHP8 container was using almost all of the memory and CPU. That seemed strange, so I checked the logs.

[07-Jun-2024 15:02:57] NOTICE: fpm is running, pid 1
[07-Jun-2024 15:02:57] NOTICE: ready to handle connections
172.18.0.1 -  07/Jun/2024:15:03:23 +0800 "GET /index.php" 200
172.18.0.1 -  07/Jun/2024:15:04:57 +0800 "GET /index.php" 200
chattr: setting flags on /tmp/: Operation not permitted
chattr: setting flags on /var/tmp/: Operation not permitted
chattr: setting flags on /var/spool/cron: Operation not permitted
chattr: can't open '/var/spool/cron/crontabs': Symbolic link loop
chattr: can't stat '/etc/crontab': No such file or directory
sh: ufw: not found
sh: iptables: not found
sh: sudo: not found
sh: can't create /proc/sys/kernel/nmi_watchdog: Read-only file system
sh: can't create /etc/sysctl.conf: Permission denied
userdel: user 'akay' does not exist
userdel: user 'vfinder' does not exist
chattr: can't stat '/root/.ssh/': Permission denied
chattr: can't stat '/root/.ssh/authorized_keys': Permission denied
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
sed: /tmp/.X11-unix/01: No such file or directory
cat: can't open '/tmp/.X11-unix/01': No such file or directory
sed: /tmp/.X11-unix/11: No such file or directory
cat: can't open '/tmp/.X11-unix/11': No such file or directory
sed: /tmp/.X11-unix/22: No such file or directory
cat: can't open '/tmp/.X11-unix/22': No such file or directory
sed: /tmp/.systemd.1: No such file or directory
cat: can't open '/tmp/.systemd.1': No such file or directory
sed: /tmp/.systemd.2: No such file or directory
cat: can't open '/tmp/.systemd.2': No such file or directory
sed: /tmp/.systemd.3: No such file or directory
cat: can't open '/tmp/.systemd.3': No such file or directory
cat: can't open '/tmp/.systemd.1': No such file or directory
sh: you need to specify whom to kill
cat: can't open '/tmp/.systemd.2': No such file or directory
sh: you need to specify whom to kill
cat: can't open '/tmp/.systemd.3': No such file or directory
sh: you need to specify whom to kill
sed: /tmp/.pg_stat.0: No such file or directory
cat: can't open '/tmp/.pg_stat.0': No such file or directory
sed: /tmp/.pg_stat.1: No such file or directory
cat: can't open '/tmp/.pg_stat.1': No such file or directory
sed: /home/www-data/data/./oka.pid: No such file or directory
cat: can't open '/home/www-data/data/./oka.pid': No such file or directory
sed: /tmp/.ICE-unix/d: No such file or directory
cat: can't open '/tmp/.ICE-unix/d': No such file or directory
sed: /tmp/.ICE-unix/m: No such file or directory
cat: can't open '/tmp/.ICE-unix/m': No such file or directory
ps: unrecognized option: w
BusyBox v1.36.1 (2023-11-07 18:53:09 UTC) multi-call binary.
Usage: ps [-o COL1,COL2=HEADER] [-T]
Show list of processes
	-o COL1,COL2=HEADER	Select columns for display
	-T			Show threads
ps: unrecognized option: w
BusyBox v1.36.1 (2023-11-07 18:53:09 UTC) multi-call binary.
Usage: ps [-o COL1,COL2=HEADER] [-T]
Show list of processes
	-o COL1,COL2=HEADER	Select columns for display
	-T			Show threads
kill: invalid number 'USER'
grep: bad regex 'kworker -c\': Trailing backslash
kill: invalid number 'USER'
kill: invalid number 'www-data'
kill: invalid number 'www-data'
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
sh: systemctl: not found
killall: log_rot: no process killed
chattr: can't stat '/etc/ld.so.preload': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/1.sh': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/1.sh.1': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/1.sh.2': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/1.sh.3': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/3.sh': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/3.sh.1': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/3.sh.2': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/3.sh.3': No such file or directory
rm: can't remove '/var/tmp/lib': No such file or directory
rm: can't remove '/var/tmp/.lib': No such file or directory
chattr: can't stat '/tmp/lok': No such file or directory
chmod: /tmp/lok: No such file or directory
sh: docker: not found
sh: docker: not found
sh: docker: not found
sh: setenforce: not found
sh: can't create /etc/selinux/config: nonexistent directory
sh: service: not found
sh: systemctl: not found
sh: service: not found
sh: systemctl: not found
/tmp/kinsing is b3039abf2ad5202f4a9363b418002351
crontab: must be suid to work properly
crontab: must be suid to work properly
144.202.29.195 -  07/Jun/2024:15:09:55 +0800 "POST /usr/local/lib/php/PEAR.php" 200

I was stunned when I saw this: a pile of permission errors, strange crontab commands, and most importantly kinsing, which is a well-known crypto-mining malware. I then used top to check system usage.

The top consumer was that kdevtmpfsi.
Could someone more experienced please tell me what I should do next?
The current situation: after I stop the php8 container the mining process stops, but if I start the container again it is running again after a few minutes. Also, SSH on my server only allows key-based login, so a brute-forced SSH login should not be possible, and the only open ports on the server are ssh, http and https; nothing else is open.

The affected php8 container was the official one downloaded through 1panel, i.e. the runtime environment selected directly when setting up the site.

2 likes
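A triage check, added here as an example and not part of the original post: it scans a php-fpm container log for the indicator families visible in the excerpt above (the kinsing/kdevtmpfsi names, chattr against cron files and ld.so.preload, the suid crontab error, the hidden dot-directories under /tmp, userdel, and a POST to a PHP library file) and counts how many distinct families appear. The sample log is constructed from the excerpt; the pattern set and the two-family alert threshold are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): count the kinsing-style indicator families
# present in a php-fpm container log. Pattern set and threshold are assumptions.

# One grep -E regex per line; each line is one indicator family from the excerpt.
INDICATORS='kinsing|kdevtmpfsi
chattr: .*(/var/spool/cron|/etc/crontab|ld\.so\.preload|authorized_keys)
crontab: must be suid
/tmp/\.(X11-unix|ICE-unix|systemd|pg_stat)
userdel: user
"POST [^"]*\.php"'

# count_indicator_families LOGFILE: prints how many families (0..6) match the file.
count_indicator_families() {
    n=0
    while IFS= read -r pat; do
        grep -Eq -- "$pat" "$1" && n=$((n + 1))
    done <<EOF
$INDICATORS
EOF
    printf '%s\n' "$n"
}

# Constructed sample: lines copied from the excerpt in the post plus two benign ones.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
[07-Jun-2024 15:02:57] NOTICE: fpm is running, pid 1
172.18.0.1 -  07/Jun/2024:15:03:23 +0800 "GET /index.php" 200
chattr: setting flags on /var/spool/cron: Operation not permitted
chattr: can't stat '/etc/ld.so.preload': No such file or directory
sed: /tmp/.X11-unix/01: No such file or directory
crontab: must be suid to work properly
userdel: user 'akay' does not exist
/tmp/kinsing is b3039abf2ad5202f4a9363b418002351
144.202.29.195 -  07/Jun/2024:15:09:55 +0800 "POST /usr/local/lib/php/PEAR.php" 200
EOF

families=$(count_indicator_families "$sample_log")
echo "indicator families present: $families"
if [ "$families" -ge 2 ]; then
    echo "ALERT: looks like kinsing post-exploitation; stop the container and keep this log"
fi
```

Run it against the container's real log with `docker logs <container> 2>&1 > file` first; the count is only a triage signal, the decisive step is still rebuilding the container from a clean image.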

No idea, here to learn.

I have run into the same problem twice. My fix was to back up the data, delete the container and run a new one. I use php:7.2-fpm, mainly to handle dynamic PHP requests. After the incident I closed the container's port 9000 and access PHP inside the container over Docker's bridge network; I don't know whether that actually helps.

I think the main problem is port 9000 being exposed to the public internet. Closing 9000 and accessing it inside the container through the bridge should solve it. This is only for reference; I don't know PHP, this is just what I worked out myself.

1 like

But I never exposed port 9000 :smiling_face_with_tear:

You could take a look at this…

A while ago the server of a project we took on was infected too. Besides a few obvious malware processes, it had also:
1. Infected other programs (I think it was activemq at the time) and disguised itself as a normal process.
2. Set up cron jobs under other users.
3. Added a boot-time autostart named bot.service.
4. Turned off the firewall, so SSH login no longer worked.

So we followed GPT step by step and in the end it seemed to be fixed. What I remember most is installing clamav and doing a full disk scan. And then, at the very end, we just spun up a new VM :rofl:

5 likes

Reinstalling the OS and rebuilding the environment is the safest option.

2 likes

Ah! I know this one!

2 likes

What was running in the php8 container? Most likely the project itself has a vulnerability.

1 like

I've had this malware too!
In your case it seems to be just the container; rebuilding the container should be enough.

1 like

Folks, I solved it. It turns out the ufw firewall cannot block ports mapped by Docker :laughing:. I checked and several of my services were mapped on 0.0.0.0; changing them to 127.0.0.1 fixed it. All this time I had a pile of services thrown straight onto the public internet; that is just asking to get hit :rofl:
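The root cause described in the reply above, as an added example that is not code from the thread: a small audit that reads the `{{.Names}}` and `{{.Ports}}` columns of `docker ps` and lists every published port bound on all interfaces (0.0.0.0 or the IPv6 wildcard). ufw never sees those ports because Docker programs its own iptables chains ahead of ufw's rules, so a host-level firewall gives a false sense of safety. The `docker ps` output below is constructed and the container names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list container ports published on every interface.
# Input shape is `docker ps --format '{{.Names}}\t{{.Ports}}'`; the sample is constructed.

# exposed_mappings: reads those lines on stdin and prints "name host_port container_port"
# for each mapping bound to 0.0.0.0 or the IPv6 wildcard ([::] or :::).
exposed_mappings() {
    tab=$(printf '\t')
    while IFS="$tab" read -r name ports; do
        # One mapping per line, leading blanks stripped.
        printf '%s\n' "$ports" | tr ',' '\n' | sed 's/^ *//' | while IFS= read -r m; do
            case "$m" in
                0.0.0.0:*|:::*|\[::\]:*) ;;    # wildcard bind: report it
                *) continue ;;                 # loopback-bound or unpublished: fine
            esac
            m=${m#0.0.0.0:}; m=${m#\[::\]:}; m=${m#:::}
            printf '%s %s %s\n' "$name" "${m%%->*}" "${m#*->}"
        done
    done
}

# Constructed sample: php-fpm and nginx published on 0.0.0.0 (IPv4 and IPv6),
# mysql bound to loopback, redis only EXPOSEd and not published at all.
SAMPLE_PS=$(printf '%s\t%s\n' \
    php8  '0.0.0.0:9000->9000/tcp, :::9000->9000/tcp' \
    mysql '127.0.0.1:3306->3306/tcp' \
    nginx '0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp' \
    redis '6379/tcp')

# count_exposed: number of distinct wildcard-bound mappings in the sample.
count_exposed() {
    printf '%s\n' "$SAMPLE_PS" | exposed_mappings | sort -u | grep -c .
}

printf '%s\n' "$SAMPLE_PS" | exposed_mappings | sort -u | while read -r name hport cport; do
    echo "$name publishes $hport on all interfaces."
    echo "  If it is not meant to be public, rebind with -p 127.0.0.1:$hport:${cport%/*}"
    echo "  or drop the -p entirely and reach it over the bridge network (php-fpm needs no host port)."
done
```

In docker-compose the same fix is `ports: ["127.0.0.1:9000:9000"]` instead of `"9000:9000"`; for a php-fpm container that only nginx talks to, omitting `ports:` altogether is the cleanest option.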

XD same here

Happy mining