moyue 最近的时间轴更新 moyue 最近的时间轴更新 | moyueV2EX 第 248625 号会员,加入于 2017-08-14 18:19:09 +08:00今日活跃度排名 18960 |
| 关于电脑文件监控审计 问与答 moyue 2024 年 11 月 26 日 |
| 突然想到一个问题,现在浙江地区移动上传,一般跑满多久会被限制? 宽带症候群 moyue 2024 年 3 月 14 日 最后回复来自 Fred0410 | 2 |
moyue 最近回复了
2 月 26 日 回复了 Moyyyyyyyyyyye 创建的主题 分享创造 花 4 个月和 3 万刀做了个 Agent 网页支持工具 coolvibe.io,手机/PC 都能看,支持自部署,订阅免费送! |
Y4J86UBL4N
试试
试试
1 月 31 日 回复了 izToDo 创建的主题 信息安全 飞牛 OS 疑似 0day 漏洞,许多用户设备遭到攻击,请尽快检查设备或暂停使用 |
#!/bin/bash
# FNOS 病毒专杀工具 v3.1 (精简稳定版)
# 1. 设置日志文件
OUT="/tmp/fnos_clean_$(date +%F_%H%M%S).txt"
# 2. 定义颜色
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
CYAN='\033[0;36m'
NC='\033[0m'
# 3. 定义日志函数 (直接输出并写入文件)
log() { echo -e "$1" | tee -a "$OUT"; }
warn() { echo -e "${RED}[发现威胁] $1${NC}" | tee -a "$OUT"; }
info() { echo -e "${GREEN}[安全] $1${NC}" | tee -a "$OUT"; }
action() { echo -e "${CYAN}[执行修复] $1${NC}" | tee -a "$OUT"; }
echo "========================================================" | tee -a "$OUT"
echo " FNOS 病毒检测与修复工具 " | tee -a "$OUT"
echo "========================================================" | tee -a "$OUT"
# --- 检查 cat 命令 ---
if [ ! -f /usr/bin/cat ] && [ -f /usr/bin/cat2 ]; then
warn "检测到 'cat' 命令丢失,系统已被篡改!"
read -p "是否立即修复 cat 命令?(y/n): " confirm
if [[ $cOnfirm== "y" ]]; then
mv /usr/bin/cat2 /usr/bin/cat
chmod +x /usr/bin/cat
action "已将 cat2 恢复为 cat 。"
fi
fi
# --- 定义恶意文件 ---
MALICIOUS_FILES=(
"/usr/bin/nginx"
"/usr/sbin/gots"
"/usr/trim/bin/trim_https_cgi"
"/etc/systemd/system/nginx.service"
"/etc/systemd/system/trim_https_cgi.service"
)
# --- 扫描病毒 ---
FOUND_VIRUS=0
# 1. 文件扫描
for f in "${MALICIOUS_FILES[@]}"; do
if [ -e "$f" ]; then
warn "发现病毒文件: $f"
FOUND_VIRUS=1
fi
done
# 2. 内核模块扫描
MODULE_LOADED=0
if lsmod | grep -q "snd_pcap"; then
warn "发现恶意内核模块: snd_pcap (正在运行)"
MODULE_LOADED=1
FOUND_VIRUS=1
fi
# 3. 启动脚本扫描
STARTUP_FILE="/usr/trim/bin/system_startup.sh"
INJECTED=0
if [ -f "$STARTUP_FILE" ]; then
if grep -q "151.240.13.91" "$STARTUP_FILE" || grep -q "turmp" "$STARTUP_FILE"; then
warn "启动脚本 ($STARTUP_FILE) 被注入恶意下载代码!"
INJECTED=1
FOUND_VIRUS=1
fi
fi
# 4. 端口扫描
if ss -lntp | grep -q ":57132"; then
warn "发现恶意进程正在监听端口 57132"
FOUND_VIRUS=1
fi
# --- 结果判断 ---
echo "--------------------------------------------------------"
if [ $FOUND_VIRUS -eq 0 ]; then
info "恭喜!未扫描到已知病毒特征。"
exit 0
else
echo -e "${YELLOW}警告:系统已感染!${NC}"
# 再次确认用户是否修复
read -p "是否尝试自动修复并清理所有病毒?(输入 y 确认): " choice
if [[ "$choice" != "y" ]]; then
echo "已取消修复。"
exit 0
fi
fi
echo "==================== 开始修复流程 ======================"
# --- 修复 1: 停止服务 ---
action "停止恶意服务..."
systemctl stop nginx.service trim_https_cgi.service 2>/dev/null
systemctl disable nginx.service trim_https_cgi.service 2>/dev/null
# --- 修复 2: 杀进程 ---
action "强制终止恶意进程..."
pkill -9 -f "trim_https_cgi" 2>/dev/null
pkill -9 -f "gots" 2>/dev/null
# 杀端口占用
PID_57132=$(ss -lntp | grep ":57132" | awk -F'pid=' '{print $2}' | awk -F',' '{print $1}')
if [ -n "$PID_57132" ]; then
kill -9 "$PID_57132" 2>/dev/null
action "已终止监听 57132 的进程"
fi
# --- 修复 3: 卸载模块 ---
if [ $MODULE_LOADED -eq 1 ]; then
action "尝试卸载恶意内核模块 snd_pcap..."
chattr -i /lib/modules/*/snd_pcap.ko 2>/dev/null
rmmod snd_pcap 2>/dev/null
if lsmod | grep -q "snd_pcap"; then
echo -e "${RED}[失败] 无法卸载 snd_pcap ,请修复后尝试重启。${NC}"
else
action "内核模块已卸载。"
fi
# 删除模块文件
find /lib/modules -name "snd_pcap.ko" -exec rm -f {} \;
depmod -a
fi
# --- 修复 4: 删除文件 ---
action "解锁并删除病毒文件..."
for f in "${MALICIOUS_FILES[@]}"; do
if [ -e "$f" ]; then
chattr -i "$f" 2>/dev/null
rm -f "$f"
if [ ! -e "$f" ]; then
action "已删除: $f"
fi
fi
done
# --- 修复 5: 清理启动脚本 ---
if $INJECTED -eq 1 ]; then
action "清理启动脚本中的恶意代码..."
cp "$STARTUP_FILE" "${STARTUP_FILE}.bak"
sed -i '/151.240.13.91/d' "$STARTUP_FILE"
sed -i '/turmp/d' "$STARTUP_FILE"
action "启动脚本已清理。"
fi
# --- 修复 6: 防火墙 ---
action "添加防火墙规则 (屏蔽恶意 IP)..."
if command -v nft >/dev/null 2>&1; then
nft add rule inet filter input ip saddr 45.95.212.102 drop 2>/dev/null
nft add rule inet filter input ip saddr 151.240.13.91 drop 2>/dev/null
nft add rule inet filter output ip daddr 45.95.212.102 drop 2>/dev/null
nft add rule inet filter output ip daddr 151.240.13.91 drop 2>/dev/null
else
iptables -I INPUT -s 45.95.212.102 -j DROP 2>/dev/null
iptables -I OUTPUT -d 45.95.212.102 -j DROP 2>/dev/null
iptables -I INPUT -s 151.240.13.91 -j DROP 2>/dev/null
iptables -I OUTPUT -d 151.240.13.91 -j DROP 2>/dev/null
fi
action "防火墙规则已应用。"
echo "========================================================" | tee -a "$OUT"
echo "修复完成。建议输入 'reboot' 重启系统。" | tee -a "$OUT"
自查删除脚本,基于上面的自查脚本改造
# FNOS 病毒专杀工具 v3.1 (精简稳定版)
# 1. 设置日志文件
OUT="/tmp/fnos_clean_$(date +%F_%H%M%S).txt"
# 2. 定义颜色
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
CYAN='\033[0;36m'
NC='\033[0m'
# 3. 定义日志函数 (直接输出并写入文件)
log() { echo -e "$1" | tee -a "$OUT"; }
warn() { echo -e "${RED}[发现威胁] $1${NC}" | tee -a "$OUT"; }
info() { echo -e "${GREEN}[安全] $1${NC}" | tee -a "$OUT"; }
action() { echo -e "${CYAN}[执行修复] $1${NC}" | tee -a "$OUT"; }
echo "========================================================" | tee -a "$OUT"
echo " FNOS 病毒检测与修复工具 " | tee -a "$OUT"
echo "========================================================" | tee -a "$OUT"
# --- 检查 cat 命令 ---
if [ ! -f /usr/bin/cat ] && [ -f /usr/bin/cat2 ]; then
warn "检测到 'cat' 命令丢失,系统已被篡改!"
read -p "是否立即修复 cat 命令?(y/n): " confirm
if [[ $cOnfirm== "y" ]]; then
mv /usr/bin/cat2 /usr/bin/cat
chmod +x /usr/bin/cat
action "已将 cat2 恢复为 cat 。"
fi
fi
# --- 定义恶意文件 ---
MALICIOUS_FILES=(
"/usr/bin/nginx"
"/usr/sbin/gots"
"/usr/trim/bin/trim_https_cgi"
"/etc/systemd/system/nginx.service"
"/etc/systemd/system/trim_https_cgi.service"
)
# --- 扫描病毒 ---
FOUND_VIRUS=0
# 1. 文件扫描
for f in "${MALICIOUS_FILES[@]}"; do
if [ -e "$f" ]; then
warn "发现病毒文件: $f"
FOUND_VIRUS=1
fi
done
# 2. 内核模块扫描
MODULE_LOADED=0
if lsmod | grep -q "snd_pcap"; then
warn "发现恶意内核模块: snd_pcap (正在运行)"
MODULE_LOADED=1
FOUND_VIRUS=1
fi
# 3. 启动脚本扫描
STARTUP_FILE="/usr/trim/bin/system_startup.sh"
INJECTED=0
if [ -f "$STARTUP_FILE" ]; then
if grep -q "151.240.13.91" "$STARTUP_FILE" || grep -q "turmp" "$STARTUP_FILE"; then
warn "启动脚本 ($STARTUP_FILE) 被注入恶意下载代码!"
INJECTED=1
FOUND_VIRUS=1
fi
fi
# 4. 端口扫描
if ss -lntp | grep -q ":57132"; then
warn "发现恶意进程正在监听端口 57132"
FOUND_VIRUS=1
fi
# --- 结果判断 ---
echo "--------------------------------------------------------"
if [ $FOUND_VIRUS -eq 0 ]; then
info "恭喜!未扫描到已知病毒特征。"
exit 0
else
echo -e "${YELLOW}警告:系统已感染!${NC}"
# 再次确认用户是否修复
read -p "是否尝试自动修复并清理所有病毒?(输入 y 确认): " choice
if [[ "$choice" != "y" ]]; then
echo "已取消修复。"
exit 0
fi
fi
echo "==================== 开始修复流程 ======================"
# --- 修复 1: 停止服务 ---
action "停止恶意服务..."
systemctl stop nginx.service trim_https_cgi.service 2>/dev/null
systemctl disable nginx.service trim_https_cgi.service 2>/dev/null
# --- 修复 2: 杀进程 ---
action "强制终止恶意进程..."
pkill -9 -f "trim_https_cgi" 2>/dev/null
pkill -9 -f "gots" 2>/dev/null
# 杀端口占用
PID_57132=$(ss -lntp | grep ":57132" | awk -F'pid=' '{print $2}' | awk -F',' '{print $1}')
if [ -n "$PID_57132" ]; then
kill -9 "$PID_57132" 2>/dev/null
action "已终止监听 57132 的进程"
fi
# --- 修复 3: 卸载模块 ---
if [ $MODULE_LOADED -eq 1 ]; then
action "尝试卸载恶意内核模块 snd_pcap..."
chattr -i /lib/modules/*/snd_pcap.ko 2>/dev/null
rmmod snd_pcap 2>/dev/null
if lsmod | grep -q "snd_pcap"; then
echo -e "${RED}[失败] 无法卸载 snd_pcap ,请修复后尝试重启。${NC}"
else
action "内核模块已卸载。"
fi
# 删除模块文件
find /lib/modules -name "snd_pcap.ko" -exec rm -f {} \;
depmod -a
fi
# --- 修复 4: 删除文件 ---
action "解锁并删除病毒文件..."
for f in "${MALICIOUS_FILES[@]}"; do
if [ -e "$f" ]; then
chattr -i "$f" 2>/dev/null
rm -f "$f"
if [ ! -e "$f" ]; then
action "已删除: $f"
fi
fi
done
# --- 修复 5: 清理启动脚本 ---
if $INJECTED -eq 1 ]; then
action "清理启动脚本中的恶意代码..."
cp "$STARTUP_FILE" "${STARTUP_FILE}.bak"
sed -i '/151.240.13.91/d' "$STARTUP_FILE"
sed -i '/turmp/d' "$STARTUP_FILE"
action "启动脚本已清理。"
fi
# --- 修复 6: 防火墙 ---
action "添加防火墙规则 (屏蔽恶意 IP)..."
if command -v nft >/dev/null 2>&1; then
nft add rule inet filter input ip saddr 45.95.212.102 drop 2>/dev/null
nft add rule inet filter input ip saddr 151.240.13.91 drop 2>/dev/null
nft add rule inet filter output ip daddr 45.95.212.102 drop 2>/dev/null
nft add rule inet filter output ip daddr 151.240.13.91 drop 2>/dev/null
else
iptables -I INPUT -s 45.95.212.102 -j DROP 2>/dev/null
iptables -I OUTPUT -d 45.95.212.102 -j DROP 2>/dev/null
iptables -I INPUT -s 151.240.13.91 -j DROP 2>/dev/null
iptables -I OUTPUT -d 151.240.13.91 -j DROP 2>/dev/null
fi
action "防火墙规则已应用。"
echo "========================================================" | tee -a "$OUT"
echo "修复完成。建议输入 'reboot' 重启系统。" | tee -a "$OUT"
自查删除脚本,基于上面的自查脚本改造
2024 年 4 月 19 日 回复了 kierankihn 创建的主题 分享发现 qq 更新之后开始弹广告了? |
果然是 qq
Select Language