@Olvikolvi
Forked from itskenny0/cleanup.sh
Last active December 23, 2020 17:07
Cleanup script for salt minions affected by recent CVE exploitation - https://saltexploit.com - https://github.com/saltstack/salt/issues/57057
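#!/bin/bash
## Executing this script is not a guarantee for a secure host!
## This script is a collection of the junk I have found on my hosts and what
## the SaltStack community gave as input. We have seen this attack evolve.
## Please have a very close look at your systems and consider reinstalling them
## to be absolutely sure you are free of malware.
##
## Deliberately no `set -e`: almost every step acts on an artifact that may or
## may not exist on a given host, and one missing file must not abort the rest
## of the cleanup.
# Everything below needs root (other users' crontabs, chattr, rm under /usr, apt).
if [ "$(id -u)" -ne 0 ]; then
  echo "this script must run as root" >&2
  exit 1
fi
# fix syslog
# The original test was `[ -z /var/log/syslog ]`, which asks whether the
# *string* "/var/log/syslog" is empty and so never fires. As far as the comment
# tells, the intent is to recreate syslog when it has been emptied; `! -s` is
# true for a zero-length file (or a symlink to /dev/null), rsyslog recreates it.
if [ -e /var/log/syslog ] && [ ! -s /var/log/syslog ]; then rm -f -- /var/log/syslog; fi
service rsyslog restart
# remove crontab persistence
# Indicators seen in the malicious crontab entries: download/C2 IPs, the
# salt-store dropper, torsocks and dropper script names. Each one is used as a
# basic sed regex, so the `.` in the IPs matches any character and the
# trailing `$` anchors are intentional.
ioc_patterns=(
  195.3.146.118 54.36.185.99 217.8.117.137 176.31.60.91 217.12.210.192
  89.223.121.139 salt-store torsocks anagima3 sal.sh 'sa.sh$' 'c.sh$' selcdn.ru
)
# one sed invocation per file, deleting any line that matches any indicator
sed_delete=()
for ioc in "${ioc_patterns[@]}"; do
  sed_delete+=(-e "/$ioc/d")
done
# root's crontab: only rewrite it if one exists, otherwise `crontab -` would
# install an empty crontab where there was none
if crontab -l >/dev/null 2>&1; then
  crontab -l | sed "${sed_delete[@]}" | crontab -
fi
# other users' crontabs (Debian: /var/spool/cron/crontabs, RHEL: /var/spool/cron);
# directories such as /var/spool/cron/atjobs are skipped by the -f test
for f in /var/spool/cron/crontabs/* /var/spool/cron/*; do
  [ -f "$f" ] || continue
  sed -i "${sed_delete[@]}" -- "$f"
done
# warning! these IPs change! please manually verify your crontab with crontab -l
# to make sure there are no other malicious entries
# Not covered here: /etc/crontab, /etc/cron.{hourly,daily,...} and systemd
# timers — check those by hand as well.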
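# tor is presumably installed by the malware (torsocks shows up in the crontab
# indicators above); purge it. Debian/Ubuntu only — adapt for other package managers.
apt-get remove --purge -y tor
# remove ssh public key added by v5
# The key is recognised by a fragment of its base64 body, so only this one known
# key is removed. Review every authorized_keys by hand afterwards, and check
# sshd_config for a non-default AuthorizedKeysFile (e.g. authorized_keys2), since
# other keys may have been added. Globbing replaces the `$(ls ...)` parsing of
# the original, which broke on a missing file and on paths with spaces.
for keyfile in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
  [ -f "$keyfile" ] || continue
  sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' -- "$keyfile"
done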
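# newer versions seem to set themselves immutable
# Every artifact path gets `chattr -ia` (append-only would block rm just like
# immutable does) right before it is removed; the original only cleared the
# flag on four of the paths it later deletes. If you need the samples for
# forensics, copy them off-host BEFORE this runs — `-v` at least logs what went.
malware_paths=(
  /tmp/salt-store /var/tmp/salt-store /usr/bin/salt-store /tmp/salt-minions
  /root/.wget-hsts /root/c3pool /usr/sbin/purj /usr/sbin/purjd
)
for p in "${malware_paths[@]}"; do
  [ -e "$p" ] || [ -L "$p" ] || continue
  chattr -ia "$p" 2>/dev/null
  rm -rfv -- "$p"
done
# hidden .ICE* directories the miner process runs from (see the kill step
# below). NOTE: /tmp/.ICE-unix is the legitimate X11/ICE socket directory on
# desktop systems; on a headless minion it is not normally present.
for p in /tmp/.ICE* /var/tmp/.ICE*; do
  [ -e "$p" ] || [ -L "$p" ] || continue
  chattr -R -ia "$p" 2>/dev/null
  rm -rfv -- "$p"
done
# remove all the trash
# cron.d files containing '==' (presumably base64 padding of an encoded payload)
# are treated as malicious. CAUTION: this is a broad heuristic — a legitimate
# job whose command line contains '==' would be deleted too; grep first if unsure.
for f in /etc/cron.d/*; do
  [ -f "$f" ] || continue
  if grep -qF -- '==' "$f"; then
    rm -fv -- "$f"
  fi
done
# Left disabled: deleting the minion keys forces re-keying with the master;
# only do this once the master is cleaned and can accept the new key.
#rm /etc/salt/pki/minion/minion.pem
#rm /etc/salt/pki/minion/minion.pub
#rm /etc/salt/pki/minion/minion_master.pub
# The original deletes /etc/selinux/config outright. On Debian/Ubuntu the file
# normally does not exist, so this only removes what the attacker wrote; on a
# RHEL-family host it is the stock SELinux configuration — inspect it (e.g. for
# SELINUX=disabled) and restore it instead of just deleting it.
rm -fv -- /etc/selinux/config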
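# create apparmor profiles to prevent execution
# An empty profile confines the attached path with no permissions at all, so
# a re-deployed dropper cannot do anything. Limits to keep in mind: this is
# path-based (the same binary dropped elsewhere is not covered) and it only
# helps while AppArmor is actually enabled — see the commented-out systemctl
# lines below. /tmp/salt-store and /usr/bin/salt-store are covered as well,
# because the script removes the dropper from those paths too; profile names
# must be unique in the kernel, hence the distinct names per path.
if command -v apparmor_parser >/dev/null 2>&1; then
  while read -r profile_name attach_path; do
    printf 'profile %s %s { }\n' "$profile_name" "$attach_path" >"/etc/apparmor.d/$profile_name"
    apparmor_parser -r -W "/etc/apparmor.d/$profile_name"
  done <<'EOF'
salt-store /var/tmp/salt-store
salt-minions /tmp/salt-minions
salt-store-tmp /tmp/salt-store
salt-store-usr-bin /usr/bin/salt-store
EOF
else
  echo "apparmor_parser not found; skipping AppArmor profiles" >&2
fi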
# reenable nmi watchdog
# Turn the watchdog back on live (both the sysctl and the /proc interface) and
# drop any persisted override from sysctl.conf so the setting survives a
# reboot. Overrides under /etc/sysctl.d/*.conf are not touched — check them
# by hand.
watchdog_key=kernel.nmi_watchdog
sysctl "${watchdog_key}=1"
printf '1\n' >/proc/sys/kernel/nmi_watchdog
sed -i "/${watchdog_key}/d" /etc/sysctl.conf
# disable hugepages
sysctl -w vm.nr_hugepages=0
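# enable apparmor
#systemctl enable apparmor
#systemctl start apparmor
# kill processes and reenabler
# pgrep -f matches on the full command line and replaces the original
# `ps | grep | cut -c5-15` column slicing, which broke for user names longer
# than a few characters or when the PID column shifted. `xargs -r` avoids a
# `kill` usage error when nothing matches. SIGKILL is deliberate: the miner and
# its respawner must not get a chance to handle TERM.
for pat in '/tmp/\.ICE' 'ICEd|xmrig'; do
  pgrep -f "$pat" | xargs -r kill -9
done
# The upgrade is what is expected to bring salt-minion to a patched version;
# verify afterwards (dpkg -l salt-minion) rather than assuming it did.
export DEBIAN_FRONTEND=noninteractive
apt-get update -y
apt-get -y -f install
dpkg --configure -a --force-confdef
apt-get upgrade -y
killall -9 salt-store
killall -9 salt-minion
killall -9 purj
killall -9 purjd
# NOTE(review): reconnecting the minion and running highstate trusts whatever
# the master serves. Presumably the attacker pushed these artifacts through a
# vulnerable master (the linked Salt issue), so if the master has not been
# patched and cleaned yet this step can re-infect the host. Clean and patch the
# master first, and consider re-keying the minion (see the commented-out
# minion.pem lines above).
/etc/init.d/salt-minion restart
sleep 5
salt-call state.highstate
sleep 5
#reboot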