已观察到的 C2 地址为 bash.givemexyz.in、205.185.116.78、bash.givemexyz.xyz（这些指标可能随时更换，请结合自己机器上的实际连接确认）。
以下步骤不能保证完全清除；如果病毒更换了文件名或路径，请参照本文的方法自行调整，先核对路径再删除。
sudo kill -9 $(pidof python) || kill -9 $(pidof curl) || ps aux
注意：该命令会杀掉机器上所有 python 和 curl 进程（包括正常业务），请逐条核对后再谨慎执行！

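#!/usr/bin/env bash
# Manual cleanup for the "pwnrig" cryptominer dropper whose observed C2 hosts
# are bash.givemexyz.in, 205.185.116.78 and bash.givemexyz.xyz.
#
# Removes the persistence and payload artefacts listed below.  It is NOT a
# guarantee of eradication: the malware has been seen renaming its files
# (e.g. dbusex / dbused), so verify each path on the infected host before
# running, and re-check afterwards.
#
# Run as root.  Review every step -- kill_named python curl terminates ALL
# python and curl processes on the box, not just the malware's.
#
# Fixes over the original one-liner list:
#   * `sudo kill ... || kill ...` chained with `||`, so the curl kill only ran
#     when the python kill failed; both now run unconditionally.
#   * `kill -9 $(pidof x)` errored out when pidof matched nothing.
#   * `sed -i '$d' ~/.bash_profile` deleted the last line blindly; only lines
#     referencing the C2 indicators are removed now, and they are printed.
#   * the systemd unit path `etc/systemd/system/pwnrige.service` was missing its
#     leading slash; units are also stopped/disabled and daemon-reload is run.

set -u

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# chattr and edits under /etc need root; the original mixed sudo and plain
# commands, so insist on root once instead.
[[ "${EUID:-$(id -u)}" -eq 0 ]] || die "run this script as root"

# ERE matching the known C2 indicators; used to locate injected lines.
readonly C2_PATTERN='givemexyz|205\.185\.116\.78'

#######################################
# Clear immutable/append-only flags, then delete the given paths.
# Paths that do not exist are skipped silently.
# Arguments: one or more file paths
#######################################
unlock_and_remove() {
  local p
  for p in "$@"; do
    [[ -e "$p" || -L "$p" ]] || continue
    chattr -ia -- "$p" 2>/dev/null || true
    rm -f -- "$p"
  done
}

#######################################
# SIGKILL every process whose name is one of the arguments.
# Names with no running instance are skipped.
# Arguments: one or more process names (as matched by pidof)
#######################################
kill_named() {
  local name pids
  for name in "$@"; do
    pids=$(pidof "$name") || continue
    # shellcheck disable=SC2086
    kill -9 $pids 2>/dev/null || true
  done
}

# Pause cron so it cannot respawn the dropper while its jobs are removed.
# RHEL-family names the unit crond, Debian-family names it cron.
systemctl stop crond 2>/dev/null || systemctl stop cron 2>/dev/null || true

# WARNING: kills every python and curl process on the host.
kill_named python curl
# Miner/dropper processes: the dbused name from the original plus the renamed
# dbusex variant and the /usr/bin persistence binaries deleted below.
kill_named dbused dbusex bprofr crondr initdr sysdr

# Dropped payloads in /tmp.
unlock_and_remove /tmp/go /tmp/i686 /tmp/x64b /tmp/x86_64 /tmp/x86_643 \
  /tmp/dbusex /tmp/hxx

# Root crontab (both spool layouts) and the persistence binaries.
unlock_and_remove /var/spool/cron/root /var/spool/cron/crontabs/root
unlock_and_remove /usr/bin/bprofr /usr/bin/crondr /usr/bin/initdr /usr/bin/sysdr

# Shell profile: the original removed the last line unconditionally.  Remove
# only lines that reference the C2 indicators and echo them for review.
# NOTE(review): assumes the injected line names the C2 host -- TODO confirm on
# a sample; if nothing matches, inspect the file's tail by hand.
profiles=(/root/.bash_profile)
[[ "${HOME:-/root}" != /root ]] && profiles+=("${HOME}/.bash_profile")
for profile in "${profiles[@]}"; do
  [[ -f "$profile" ]] || continue
  chattr -ia -- "$profile" 2>/dev/null || true
  if grep -Eq -- "$C2_PATTERN" "$profile"; then
    printf 'removing from %s:\n' "$profile" >&2
    grep -E -- "$C2_PATTERN" "$profile" >&2
    sed -i -E "/${C2_PATTERN}/d" "$profile"
  else
    printf 'note: no C2 reference found in %s; inspect its last lines manually\n' \
      "$profile" >&2
  fi
done

# SysV init scripts, cron drop-ins and rc symlinks.
unlock_and_remove /etc/init.d/down /etc/init.d/pwnrig
unlock_and_remove /etc/cron.d/apache /etc/cron.d/nginx /etc/cron.d/pwnrig \
  /etc/cron.d/root
unlock_and_remove /etc/cron.daily/pwnrig /etc/cron.hourly/pwnrig \
  /etc/cron.hourly/oanacroner1 /etc/cron.monthly/pwnrig /etc/cron.weekly/pwnrig
unlock_and_remove /etc/rc0.d/K60pwnrig /etc/rc1.d/K60pwnrig \
  /etc/rc2.d/S90pwnrig /etc/rc3.d/S90pwnrig /etc/rc4.d/S90pwnrig \
  /etc/rc5.d/S90pwnrig /etc/rc6.d/K60pwnrig

# systemd units: stop and disable before deleting so no running instance is
# left behind, then reload so systemd forgets the stale units.
for unit in pwnrige.service pwnrigl.service; do
  systemctl stop "$unit" 2>/dev/null || true
  systemctl disable "$unit" 2>/dev/null || true
done
unlock_and_remove /etc/systemd/system/pwnrige.service \
  /etc/systemd/system/multi-user.target.wants/pwnrige.service \
  /etc/systemd/system/multi-user.target.wants/pwnrigl.service \
  /usr/lib/systemd/system/pwnrigl.service
systemctl daemon-reload 2>/dev/null || true

systemctl start crond 2>/dev/null || systemctl start cron 2>/dev/null || true

# Post-check: any remaining reference to the C2 points at a renamed or missed
# artefact that must be handled by hand.
if grep -rEl -- "$C2_PATTERN" /etc/cron* /var/spool/cron /etc/systemd \
    /etc/init.d /etc/rc*.d 2>/dev/null; then
  printf 'warning: C2 references remain in the files listed above\n' >&2
fi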
  • 菜鸡 reply

    已经改名了一个叫dbusex 一个叫dbused

  • 隔壁老王 reply

    还好没有侵入系统文件,最重要先把chattr给移走,然后病毒就不能搞怪了。