@Gsealy
Created February 5, 2021 08:14
clean coin miner and tsunami back door
#!/usr/bin/env bash
# clean coin miner and tsunami back door
# Gsealy
# 2021-2-3 21:19:17
set +e
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
USER=$(whoami)
# Home directory of the current user (/root when run as root)
USER_HOME=$(getent passwd "$USER" | cut -d: -f6)

function delete_it() {
    # Empty the preload list and remove the process-hiding library
    echo "" > /etc/ld.so.preload
    rm -rf /usr/local/lib/libprocesshider.so

    # Stop, disable and delete the persistence services.
    # Commands are separated with ';' so one failure does not skip the next step.
    chattr -ia /usr/lib/systemd/system/pwnrigl.service /usr/lib/systemd/system/ntpdate.service > /dev/null 2>&1
    systemctl stop pwnrigl.service ntpdate.service; systemctl disable pwnrigl.service ntpdate.service
    rm -rf /usr/lib/systemd/system/pwnrigl.service /usr/lib/systemd/system/ntpdate.service

    # Clear the temp directories (contents only, the directories themselves stay)
    rm -rf /var/tmp/* /tmp/*

    # Kill processes whose command line contains "-bash", then delete the dropped binaries
    pkill -f '\-bash'
    chattr -ia /bin/sysdr /bin/initdr /bin/crondr /bin/bprofr /bin/-bash > /dev/null 2>&1
    rm -rf /bin/sysdr /bin/initdr /bin/crondr /bin/bprofr /bin/-bash
    chattr -ia /sbin/lntpdate /sbin/entpdate /sbin/bsysd /sbin/binitd /sbin/bcrond /sbin/msysd /sbin/minitd /sbin/mcrond /sbin/-bash > /dev/null 2>&1
    rm -rf /sbin/lntpdate /sbin/entpdate /sbin/bsysd /sbin/binitd /sbin/bcrond /sbin/msysd /sbin/minitd /sbin/mcrond /sbin/-bash

    # Remove init scripts and cron drop-ins (chattr fails if any file is missing, so rm must not depend on it)
    chattr -ia /etc/init.d/ntpdate /etc/init.d/pwnrig > /dev/null 2>&1; rm -rf /etc/init.d/ntpdate /etc/init.d/pwnrig
    chattr -ia /etc/cron*/ntpdate /etc/cron*/pwnrig > /dev/null 2>&1; rm -rf /etc/cron*/ntpdate /etc/cron*/pwnrig
    pkill -f '\-bash' > /dev/null 2>&1

    # Remove the crontabs of the current user and of user "x", then delete user "x"
    crontab -r; crontab -u x -r > /dev/null 2>&1
    userdel -r x > /dev/null 2>&1; rm -rf /home/x

    # Drop the bprofr line from the current user's .bash_profile
    chattr -ia "$USER_HOME/.bash_profile" > /dev/null 2>&1; sed -i '/bprofr/d' "$USER_HOME/.bash_profile"
}

read -p "ATTENTION: will clean current user's cron task, y[Y] for continue;others exit " _continue
if [[ "$_continue" == [yY] ]]; then
    delete_it
    echo "clean finish, please change login password ASAP"
else
    exit 0
fi
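
A read-only pass over the same paths shows what is actually present before anything is deleted. This is an added example, not part of the gist; every path comes from the script above, while the `ROOT` argument (for checking a mounted disk image) and the output format are assumptions.

```shell
#!/usr/bin/env bash
# Added example: read-only audit for the artifacts the cleanup script deletes.
# All paths come from that script. ROOT (first argument) is an assumption that
# lets the check run against a mounted disk image instead of the live system.

# Prints one line per indicator found under ROOT; prints nothing if none exist.
scan_indicators() {
    si_root="${1:-}"
    for si_p in \
        /usr/local/lib/libprocesshider.so \
        /usr/lib/systemd/system/pwnrigl.service \
        /usr/lib/systemd/system/ntpdate.service \
        /bin/sysdr /bin/initdr /bin/crondr /bin/bprofr /bin/-bash \
        /sbin/lntpdate /sbin/entpdate /sbin/bsysd /sbin/binitd /sbin/bcrond \
        /sbin/msysd /sbin/minitd /sbin/mcrond /sbin/-bash \
        /etc/init.d/ntpdate /etc/init.d/pwnrig
    do
        if [ -e "$si_root$si_p" ]; then echo "file $si_p"; fi
    done
    # Cron drop-ins; an unmatched glob stays literal and fails the -e test.
    for si_p in "$si_root"/etc/cron*/ntpdate "$si_root"/etc/cron*/pwnrig; do
        if [ -e "$si_p" ]; then
            si_rel=${si_p#"$si_root"}
            echo "cron $si_rel"
        fi
    done
    # Any library named in ld.so.preload is loaded into every dynamic binary.
    if [ -f "$si_root/etc/ld.so.preload" ]; then
        while IFS= read -r si_l || [ -n "$si_l" ]; do
            if [ -n "$si_l" ]; then echo "preload $si_l"; fi
        done < "$si_root/etc/ld.so.preload"
    fi
    # The script deletes account "x" and bprofr lines in root's .bash_profile.
    if grep -qs '^x:' "$si_root/etc/passwd"; then echo "user x"; fi
    if grep -qs 'bprofr' "$si_root/root/.bash_profile"; then
        echo "profile /root/.bash_profile"
    fi
    return 0
}

# No argument: audit the live system. With an argument: audit that tree.
scan_indicators "${1:-}"
```

Empty output means none of the listed artifacts were found; it does not cover files the script never names.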
@halocorn

Thanks. This was a great find. Found via Google when I searched for the "lntupdate" service.

@xMlex
xMlex commented Dec 11, 2023

and user ubuntu

crontab -r; crontab -u ubuntu -r > /dev/null 2>&1
userdel -r ubuntu > /dev/null 2>&1; rm -rf /home/ubuntu