Olvikolvi · December 23, 2020 17:07
diff --git a/cleanup.sh b/cleanup.sh
 #!/bin/bash
 ## Executing this script is not a guarantee for a secure host!
 ## This script is a collection of the junk I have found on my hosts and what
 ## the SaltStack community gave as input. We have seen this attack evolve. 
 ## Please have a very close look at your systems and consider reinstalling them 
 ## to be absolutely sure you are free of malware.

 # fix syslog
 if [ -z /var/log/syslog ]; then rm /var/log/syslog; fi
 service rsyslog restart

 # remove crontab persistence
 for i in 195.3.146.118 54.36.185.99 217.8.117.137 176.31.60.91 217.12.210.192 54.36.185.99 54.36.185.99 89.223.121.139 salt-store torsocks anagima3 sal.sh sa.sh$ c.sh$ selcdn.ru; do

  # remove for root
  crontab -l | sed "/$i/d" | crontab -
  
  # check other users crontabs
  for f in $(ls /var/spool/cron/crontabs/*); do
    sed -i "/$i/d" $f
  done
  
 done
 # warning! these IPs change! please manually verify your crontab with crontab -l 
 # to make sure there are no other malicious entries

 apt-get remove --purge -y tor

 # remove ssh public key added by v5
 sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' /root/.ssh/authorized_keys

 for i in $(ls /home/*/.ssh/authorized_keys); do
  sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' $i
 done

 # newer versions seem to set themselves immutable
 chattr -i /tmp/salt-store
 chattr -i /var/tmp/salt-store
 chattr -i /tmp/salt-minions
 chattr -i /usr/bin/salt-store

 # remove all the trash
 rm `grep -l '==' /etc/cron.d/*`
 #rm /etc/salt/pki/minion/minion.pem
 #rm /etc/salt/pki/minion/minion.pub
 #rm /etc/salt/pki/minion/minion_master.pub
 rm /tmp/salt-minions
 rm /tmp/salt-store
 rm /var/tmp/salt-store
 rm /usr/bin/salt-store
 rm /etc/selinux/config
 rm -rf /tmp/.ICE*
 rm -rf /var/tmp/.ICE*
 rm /root/.wget-hsts
 rm -rf /root/c3pool
 rm /usr/sbin/purj
 rm /usr/sbin/purjd

 # create apparmor profiles to prevent execution
 echo 'profile salt-store /var/tmp/salt-store { }' | tee /etc/apparmor.d/salt-store
 apparmor_parser -r -W /etc/apparmor.d/salt-store

 echo 'profile salt-minions /tmp/salt-minions { }' | tee /etc/apparmor.d/salt-minions
 apparmor_parser -r -W /etc/apparmor.d/salt-minions

 # reenable nmi watchdog
 sysctl kernel.nmi_watchdog=1
 echo '1' >/proc/sys/kernel/nmi_watchdog
 sed -i '/kernel.nmi_watchdog/d' /etc/sysctl.conf

 # disable hugepages
 sysctl -w vm.nr_hugepages=0

 # enable apparmor
 #systemctl enable apparmor
 #systemctl start apparmor

 # kill processes and reenabler
 kill -9 $(ps faux | grep /tmp/.ICE | grep -v grep | awk '{print $2}')
 ps aux | egrep 'ICEd|xmrig' | grep -v grep | cut -c5-15 | xargs -n 1 kill -9

 export DEBIAN_FRONTEND=noninteractive
 apt-get update -y
 apt-get -y -f install
 dpkg --configure -a --force-confdef
 apt-get upgrade -y

 killall -9 salt-store
 killall -9 salt-minion
 killall -9 purj
 killall -9 purjd
 /etc/init.d/salt-minion restart
 sleep 5
 salt-call state.highstate
 sleep 5
 #reboot
	#!/bin/bash
	## Executing this script is not a guarantee for a secure host!
	## This script is a collection of the junk I have found on my hosts and what
	## the SaltStack community gave as input. We have seen this attack evolve.
	## Please have a very close look at your systems and consider reinstalling them
	## to be absolutely sure you are free of malware.

	# fix syslog
	if [ -z /var/log/syslog ]; then rm /var/log/syslog; fi
	service rsyslog restart

	# remove crontab persistence
	for i in 195.3.146.118 54.36.185.99 217.8.117.137 176.31.60.91 217.12.210.192 54.36.185.99 54.36.185.99 89.223.121.139 salt-store torsocks anagima3 sal.sh sa.sh$ c.sh$ selcdn.ru; do

	# remove for root
	crontab -l \| sed "/$i/d" \| crontab -

	# check other users crontabs
	for f in $(ls /var/spool/cron/crontabs/*); do
	sed -i "/$i/d" $f
	done

	done
	# warning! these IPs change! please manually verify your crontab with crontab -l
	# to make sure there are no other malicious entries

	apt-get remove --purge -y tor

	# remove ssh public key added by v5
	sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' /root/.ssh/authorized_keys

	for i in $(ls /home/*/.ssh/authorized_keys); do
	sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' $i
	done

	# newer versions seem to set themselves immutable
	chattr -i /tmp/salt-store
	chattr -i /var/tmp/salt-store
	chattr -i /tmp/salt-minions
	chattr -i /usr/bin/salt-store

	# remove all the trash
	rm `grep -l '==' /etc/cron.d/*`
	#rm /etc/salt/pki/minion/minion.pem
	#rm /etc/salt/pki/minion/minion.pub
	#rm /etc/salt/pki/minion/minion_master.pub
	rm /tmp/salt-minions
	rm /tmp/salt-store
	rm /var/tmp/salt-store
	rm /usr/bin/salt-store
	rm /etc/selinux/config
	rm -rf /tmp/.ICE*
	rm -rf /var/tmp/.ICE*
	rm /root/.wget-hsts
	rm -rf /root/c3pool
	rm /usr/sbin/purj
	rm /usr/sbin/purjd

	# create apparmor profiles to prevent execution
	echo 'profile salt-store /var/tmp/salt-store { }' \| tee /etc/apparmor.d/salt-store
	apparmor_parser -r -W /etc/apparmor.d/salt-store

	echo 'profile salt-minions /tmp/salt-minions { }' \| tee /etc/apparmor.d/salt-minions
	apparmor_parser -r -W /etc/apparmor.d/salt-minions

	# reenable nmi watchdog
	sysctl kernel.nmi_watchdog=1
	echo '1' >/proc/sys/kernel/nmi_watchdog
	sed -i '/kernel.nmi_watchdog/d' /etc/sysctl.conf

	# disable hugepages
	sysctl -w vm.nr_hugepages=0

	# enable apparmor
	#systemctl enable apparmor
	#systemctl start apparmor

	# kill processes and reenabler
	kill -9 $(ps faux \| grep /tmp/.ICE \| grep -v grep \| awk '{print $2}')
	ps aux \| egrep 'ICEd\|xmrig' \| grep -v grep \| cut -c5-15 \| xargs -n 1 kill -9

	export DEBIAN_FRONTEND=noninteractive
	apt-get update -y
	apt-get -y -f install
	dpkg --configure -a --force-confdef
	apt-get upgrade -y

	killall -9 salt-store
	killall -9 salt-minion
	killall -9 purj
	killall -9 purjd
	/etc/init.d/salt-minion restart
	sleep 5
	salt-call state.highstate
	sleep 5
	#reboot