#!/bin/bash
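# Suspicious file list: paths that process_suspicious_files deletes when they
# exist as regular files.
# NOTE(review): the consumer tests each entry with a quoted [ -f "$file" ], so
# the glob-style entry "/tmp/*x*" is compared literally and can never match.
# Leave it quoted — expanded, it would delete every file in /tmp whose name
# contains an "x".
# NOTE(review): /sbin/e2scrub_all and the e2fsprogs/e2scrub_all_cron path are
# file names the e2fsprogs package installs on Debian-based systems; confirm
# the on-disk file is not the package-owned one (e.g. dpkg -S / debsums) before
# trusting these entries, or this script removes a legitimate system component.
# (The original list carried "/bin/CZEdY7oP" twice; the duplicate is dropped.)
SUSPICIOUS_FILES=(
  "/root/.dragosteftp"
  "/bin/CZEdY7oP"
  "/data/rcu_scheb"
  "/dev/shm/netmonxd"
  "/usr/bin/mslog/.cfg/rcu_scheb"
  "/tmp/.cfg"
  "/var/tmp/logxwatch"
  "/tmp/taskxclean"
  "/tmp/*x*"
  "/bin/nOabp95U"
  "/usr/bin/udeb"
  "/etc/security/dev_/dev_b573d3af"
  "/usr/lib/x86_64-linux-gnu/e2fsprogs/e2scrub_all_cron"
  "/sbin/e2scrub_all"
  "/usr/bin/35b0083b"
)
# Suspicious directory list: removed recursively by process_suspicious_dirs.
# NOTE(review): same quoting rule as above — "/dev/shm/*x*" and "/etc/cron.*"
# are literal strings here and never match.  "/etc/cron.*" must stay that way:
# expanded, it covers the standard /etc/cron.d, cron.daily, cron.hourly, ...
# directories and would rm -rf the host's own cron configuration.
SUSPICIOUS_DIRS=(
  "/root/.cfg"
  "/dev/shm/.cfg"
  "/dev/shm/*x*"
  "/tmp/.cfg"
  "/usr/bin/mslog/.cfg"
  "/etc/cron.*"
)
# Suspicious process fields: extended regular expressions matched (unanchored,
# via [[ =~ ]]) against argv[0] of every process by process_suspicious_procs.
# The path fields are substring matches, so "/tmp" also hits any binary whose
# basename starts with "tmp" (e.g. /usr/sbin/tmpreaper); anchor them
# ("^/tmp/") if such false positives show up.
# NOTE(review): in the last pattern [^/]* cannot cross a slash, so it only
# matches a name directly under "/" (no further slash) that ends in eight
# alphanumerics, e.g. /ABCDEFGH — it does NOT match the /bin/CZEdY7oP-style
# names listed above.  It was probably meant to catch those, but any broadened
# form must not also match ordinary long-named binaries (e.g. /usr/bin/systemctl
# ends in eight alphanumerics); confirm the intent before changing it.
SUSPICIOUS_PROC_FIELDS=(
  "/root/.cfg"
  "/dev/shm"
  "/var/tmp"
  "/tmp"
  "mining"
  "crypto"
  "miner"
  "^/[^/]*[a-zA-Z0-9]{8}$"
)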
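# Print the process table as "<pid> <full command line>", one process per line.
# Outputs: every process (ps -e) on stdout, no header row.  The original
# "pid,cmd=" format left the pid header in place, so a literal "PID" row was
# emitted and had to be tolerated by the caller; "pid=,cmd=" blanks both
# headers, which makes ps omit the header line entirely.
get_all_procs() {
  ps -eo pid=,cmd=
}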
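# Scan the process table and SIGKILL every process whose argv[0] matches one of
# SUSPICIOUS_PROC_FIELDS.
#
# Globals (read): SUSPICIOUS_PROC_FIELDS; the process list comes from get_all_procs
# Outputs: one timestamped line per match, per kill attempt and per vanished PID
# Returns: 0
#
# Only the first word of each command line (argv[0]) is matched, exactly as the
# original awk '{print $2}' extraction did, so a payload started as
# "sh /dev/shm/x" is not caught by the path fields — widen this deliberately if
# that coverage is wanted.
# Changes relative to the original: the line is split with read instead of an
# unquoted echo (glob characters in a command line are no longer expanded
# against the cwd); the "PID" header row and blank lines are skipped; the
# script never targets its own PID; and each candidate is re-matched right
# before the kill so a PID recycled between scan and kill is left alone.
process_suspicious_procs() {
  local all_procs pid rest cmd field i COMMAND_INFO current
  local -a match_pids=() match_fields=()

  all_procs=$(get_all_procs)
  # Default IFS: pid is the first field, rest is the remainder of the line
  # with its internal spacing preserved.
  while read -r pid rest; do
    [[ $pid =~ ^[0-9]+$ ]] || continue   # header row or empty line
    [[ $pid == "$$" ]] && continue       # never kill the watchdog itself
    cmd=${rest%%[[:space:]]*}            # argv[0] only
    [[ -n $cmd ]] || continue
    for field in "${SUSPICIOUS_PROC_FIELDS[@]}"; do
      # $field is intentionally unquoted so [[ =~ ]] treats it as an ERE.
      if [[ $cmd =~ $field ]]; then
        match_pids+=("$pid")
        match_fields+=("$field")
        echo "$(date '+%Y-%m-%d %H:%M:%S') - Matched Command with suspicious field '$field': $cmd, PID: $pid"
        break
      fi
    done
  done <<< "$all_procs"

  [[ ${#match_pids[@]} -gt 0 ]] || return 0
  echo "$(date '+%Y-%m-%d %H:%M:%S') - Found processes with suspicious fields: ${match_pids[*]}"

  for i in "${!match_pids[@]}"; do
    pid=${match_pids[$i]}
    field=${match_fields[$i]}
    COMMAND_INFO=$(ps -p "$pid" -o command= 2>/dev/null)
    if ! kill -0 "$pid" 2>/dev/null; then
      echo "$(date '+%Y-%m-%d %H:%M:%S') - Process with PID: $pid does not exist, Command: $COMMAND_INFO"
      continue
    fi
    # Re-check argv[0] from the fresh ps read: if the PID now belongs to a
    # different program (PID reuse, or ps could not read it), do not kill it.
    read -r current _ <<< "$COMMAND_INFO"
    if ! [[ $current =~ $field ]]; then
      echo "$(date '+%Y-%m-%d %H:%M:%S') - Process with PID: $pid no longer matches '$field' (possible PID reuse), not killed, Command: $COMMAND_INFO"
      continue
    fi
    # Kept as SIGKILL with no SIGTERM first, so the target cannot trap the signal.
    if sudo kill -9 "$pid"; then
      echo "$(date '+%Y-%m-%d %H:%M:%S') - Killed process with PID: $pid, Command: $COMMAND_INFO"
    else
      echo "$(date '+%Y-%m-%d %H:%M:%S') - Failed to kill process with PID: $pid, Command: $COMMAND_INFO"
    fi
  done
}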
# Delete every path in SUSPICIOUS_FILES that currently exists as a regular file
# (a symlink to one also passes -f; rm then removes only the link).
#
# Globals (read): SUSPICIOUS_FILES
# Outputs: timestamped "Found" / "Deleted" / "Failed to delete" lines on stdout
# Returns: 0
#
# The path is quoted in the -f test, so glob-style entries are compared
# literally and never match.
# NOTE(review): rm destroys the sample.  For incident response, consider
# recording a hash or moving the file to a quarantine directory first.
process_suspicious_files() {
  local candidate
  for candidate in "${SUSPICIOUS_FILES[@]}"; do
    [ -f "$candidate" ] || continue
    printf '%s - Found suspicious file: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$candidate"
    if sudo rm -f -- "$candidate"; then
      printf '%s - Deleted suspicious file: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$candidate"
    else
      printf '%s - Failed to delete suspicious file: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$candidate"
    fi
  done
}
# Recursively delete every path in SUSPICIOUS_DIRS that currently exists as a
# directory (a symlink to one also passes -d; rm -rf then removes only the link).
#
# Globals (read): SUSPICIOUS_DIRS
# Outputs: timestamped "Found" / "Deleted" / "Failed to delete" lines on stdout
# Returns: 0
#
# The path is quoted in the -d test, so glob-style entries are compared
# literally and never match.
process_suspicious_dirs() {
  local candidate
  for candidate in "${SUSPICIOUS_DIRS[@]}"; do
    [ -d "$candidate" ] || continue
    printf '%s - Found suspicious directory: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$candidate"
    if sudo rm -rf -- "$candidate"; then
      printf '%s - Deleted suspicious directory: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$candidate"
    else
      printf '%s - Failed to delete suspicious directory: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$candidate"
    fi
  done
}
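# Main loop — runs forever; stop it with SIGTERM/SIGINT.
# The original comments describe a fast cadence for process killing and a
# slower one for file/directory cleanup, but the body ran all three steps once
# per pass and then slept 0.5 s + 1 s, i.e. everything every 1.5 s.  This
# version scans processes every 0.5 s and runs the file/directory sweep on
# every third pass, which keeps the 1.5 s cleanup period the old loop
# actually had.
cycle=0
while true; do
  # Fast path: kill suspicious processes on every pass.
  process_suspicious_procs
  # Slow path: file and directory cleanup every third pass (1.5 s).
  if (( cycle == 0 )); then
    process_suspicious_files
    process_suspicious_dirs
  fi
  cycle=$(( (cycle + 1) % 3 ))
  sleep 0.5   # process-kill interval
done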