initial

Author: G4rb3n

Billgates/1809/killer/billgates.sh

@@ -0,0 +1,274 @@
+#!/bin/bash
+
+# 上次修改时间 --> 2020-8-25
+# --------------------------------------------------
+# 创建备份目录，以清除时间命名
+
+time=$(date | awk '{print $5}')
+log_dir="/tmp/botgank/billgates-$time"
+log_file="$log_dir/log"
+if [ ! -d "/tmp/botgank/billgates-$time/" ]
+then
+    # 创建定时任务、文件、进程备份目录
+    mkdir -p $log_dir
+    mkdir -p $log_dir/crontab
+    mkdir -p $log_dir/file
+    mkdir -p $log_dir/process
+    touch $log_file
+fi
+
+echo "[+] start clean --> $(date)" | tee -a $log_file
+
+
+# --------------------------------------------------
+# 函数定义
+
+# 文件清除函数
+kill_file()
+{
+    if [ -f "$1" ]
+    then
+        cp -n $1 $log_dir/file
+        chattr -ia $1
+        echo 'botgank' > $1
+        chattr +ia $1
+        echo "[+] clean file --> $1" | tee -a $log_file
+    fi
+}
+
+# 目录清除函数
+kill_dir()
+{
+    cp -r $1 $log_dir/file
+    chattr -ia $1
+    rm -rf $1
+    echo "[+] clean dir --> $1" | tee -a $log_file
+}
+
+# 进程清除函数
+kill_proc()
+{
+    if [ -n "$1" ]
+    then
+        proc_name=$(basename $(ps -fp $1 | awk 'NR>=2 {print $8}'))
+        cat /proc/$1/exe >> $log_dir/process/$1-$proc_name.dump
+        echo "[+] clean process --> $(ps -fp $1 | awk 'NR>=2 {print $2,$8}')" | tee -a $log_file
+        kill -9 $1
+    fi
+}
+
+cron_dirs=("/var/spool/cron/" "/etc/cron.d/" "/etc/cron.hourly/")
+
+# 定时任务清除函数
+kill_cron()
+{
+    cron_dirs=("/var/spool/cron/" "/etc/cron.d/" "/etc/cron.hourly/")
+    for cron_dir in ${cron_dirs[@]}
+    do
+        if [ -n "$(grep -Er $1 $cron_dir)" ]
+        then
+            crontab=$(grep -Er $1 $cron_dir)
+            cron_file=$(grep -Er $1 $cron_dir | awk '{print $1}' | cat | cut -d : -f 1 | uniq)
+            cp -n $cron_file $log_dir/crontab
+            chattr -ia $cron_file
+            sed -i "/$1/d" $cron_file > /dev/null 2>&1
+            if [ $? != 0 ]
+            then
+                echo '' > $cron_file
+            fi
+            echo "[+] clean crontab --> $crontab" | tee -a $log_file
+        fi
+    done
+}
+
+# --------------------------------------------------
+# 恢复系统程序
+
+# 恢复系统文件netstat
+if [ -f "/usr/bin/dpkgd/netstat" ]
+then
+	$busybox chattr -i /bin/netstat
+	rm -f /bin/netstat
+	cp -n -f /usr/bin/dpkgd/netstat /bin/
+	
+	$busybox chattr -i /usr/bin/netstat
+	rm -f /usr/bin/netstat
+	cp -n -f /usr/bin/dpkgd/netstat /usr/bin/
+    
+    echo "[+] recover file --> netstat" | tee -a $log_file
+fi
+
+# 恢复系统文件lsof
+if [ -f "/usr/bin/dpkgd/lsof" ]
+then
+	$busybox chattr -i /bin/lsof
+	rm -f /bin/lsof
+	cp -n -f /usr/bin/dpkgd/lsof /bin/
+	
+	$busybox chattr -i /usr/bin/lsof 
+	rm -f /usr/bin/lsof
+	cp -n -f /usr/bin/dpkgd/lsof /usr/bin/
+
+    echo "[+] recover file --> lsof" | tee -a $log_file
+fi
+
+# 恢复系统文件ps
+if [ -f "/usr/bin/dpkgd/ps" ]
+then
+	$busybox chattr -i /bin/ps
+	rm -f /bin/ps
+	cp -n -f /usr/bin/dpkgd/ps /bin/
+	
+	$busybox chattr -i /usr/bin/ps
+	rm -f /usr/bin/ps
+	cp -n -f /usr/bin/dpkgd/ps /usr/bin/
+
+    echo "[+] recover file --> ps" | tee -a $log_file
+fi
+
+# 恢复系统文件ss
+if [ -f "/usr/bin/dpkgd/ss" ]
+then
+	$busybox chattr -i /bin/ss
+	rm -f /bin/ss
+	cp -n -f /usr/bin/dpkgd/ss /bin/
+	
+	$busybox chattr -i /usr/bin/ss
+	rm -f /usr/bin/ss
+	cp -n -f /usr/bin/dpkgd/ss /usr/bin/
+
+    echo "[+] recover file --> ss" | tee -a $log_file
+fi
+
+# --------------------------------------------------
+# 下载busybox工具
+busybox='/tmp/busybox'
+
+if [ ! -f "$busybox" ]
+then
+    echo "[+] downloading busybox..."
+    wget -q --timeout=5 http://www.busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-$(uname -m) -O $busybox
+    echo "[+] download busybox success --> /tmp/busybox" | tee -a $log_file
+    chmod a+x $busybox
+fi
+
+busybox_size=$(ls -l $busybox | awk '{print $5}')
+if [ $busybox_size -eq 0 ]
+then
+    busybox=''
+fi
+
+# --------------------------------------------------
+# 清除billgates病毒进程
+
+# 结束守护进程sshd
+if [ -f "/tmp/moni.lod" ]
+then
+    proc_id="$(cat /tmp/moni.lod)"
+    if [ -n "$(echo $proc_id | egrep '[0-9]{3,6}')" ]
+    then
+        if [ -n "$($busybox ps -elf | grep $proc_id | grep -v grep)" ]
+        then
+            cat /proc/$proc_id/exe >> $log_dir/process/$proc_id-sshd.dump
+            echo "[+] clean process --> $proc_id" | tee -a $log_file
+            kill -9 $proc_id
+        fi
+    fi
+fi
+
+# 结束母体进程getty
+if [ -f "/tmp/gates.lod" ]
+then
+    proc_id="$(cat /tmp/gates.lod)"
+    if [ -n "$(echo $proc_id | egrep '[0-9]{3,6}')" ]
+    then
+        if [ -n "$($busybox ps -elf | grep $proc_id | grep -v grep)" ]
+        then
+            cat /proc/$proc_id/exe >> $log_dir/process/$proc_id-getty.dump
+            echo "[+] clean process --> $proc_id" | tee -a $log_file
+            kill -9 $proc_id
+        fi
+    fi
+fi
+
+if [ -f "/usr/bin/bsd-port/getty.lock" ]
+then
+    proc_id="$(cat /usr/bin/bsd-port/getty.lock)"
+    if [ -n "$(echo $proc_id | egrep '[0-9]{3,6}')" ]
+    then
+        if [ -n "$($busybox ps -elf | grep $proc_id | grep -v grep)" ]
+        then
+            cat /proc/$proc_id/exe >> $log_dir/process/$proc_id-getty2.dump
+            echo "[+] clean process --> $proc_id" | tee -a $log_file
+            kill -9 $proc_id
+        fi
+    fi
+fi
+
+# 清除病毒进程
+pids="$(ps -elf | grep '/tmp/9999' | grep -v grep | awk '{print $4}')"
+if [ -n "$pids" ]
+then
+    for pid in $pids; do kill_proc $pid; done
+fi
+
+pids="$(ps -elf | grep '/usr/bin/bsd-port/getty' | grep -v grep | awk '{print $4}')"
+if [ -n "$pids" ]
+then
+    for pid in $pids; do kill_proc $pid; done
+fi
+
+pids="$(ps -elf | grep '/usr/bin/.sshd' | grep -v grep | awk '{print $4}')"
+if [ -n "$pids" ]
+then
+    for pid in $pids; do kill_proc $pid; done
+fi
+
+# --------------------------------------------------
+# 清除billgates病毒文件
+
+if [ -f "/tmp/9999" ]
+then
+    kill_file /tmp/9999
+fi
+
+# 删除病毒程序文件
+if [ -f "/usr/bin/.sshd" ]
+then
+    kill_file /usr/bin/.sshd
+fi
+
+# 删除病毒目录
+if [ -d "/usr/bin/bsd-port" ]
+then
+    kill_dir /usr/bin/bsd-port
+fi
+
+# 删除垃圾文件
+if [ -f "/tmp/moni.lod" ]
+then
+    kill_file /tmp/moni.lod
+fi
+
+if [ -f "/tmp/gates.lod" ]
+then
+    kill_file /tmp/gates.lod
+fi
+
+# 删除自启动文件
+if [ -f "/etc/init.d/selinux" ]
+then
+    kill_file /etc/init.d/selinux
+fi
+
+if [ -f "/etc/init.d/DbSecuritySpt" ]
+then
+    kill_file $(sed -n '$p' /etc/init.d/DbSecuritySpt)
+    kill_file /etc/init.d/DbSecuritySpt
+fi
+
+rm -f /etc/rc[1-5].d/S97DbSecuritySpt
+rm -f /etc/rc[1-5].d/S99selinux
+echo "[+] clean file --> /etc/rc[1-5].d" | tee -a $log_file
+
+echo "[+] end clean --> $(date)" | tee -a $log_file

Billgates/1809/malbox/Readme.md

@@ -0,0 +1,5 @@
+```
+参考链接：https://github.com/G4rb3n/Malware-Picture/tree/master/Worm/BillGates
+```
+
+![效果图](https://github.com/G4rb3n/Malbox/blob/main/Billgates/1809/billgates.png)

Billgates/1809/malbox/billgates.png

@@ -0,0 +1,30 @@
+version: '3'
+services:
+ malware:
+  container_name: billgates
+  image: g4rb3n/malbox
+  volumes:
+   - ./etc/cron.d/:/etc/cron.d/
+   - ./etc/cron.daily/:/etc/cron.daily/
+   - ./etc/cron.hourly/:/etc/cron.hourly/
+   - ./etc/cron.weekly/:/etc/cron.weekly/
+   - ./etc/init.d/:/etc/init.d/
+   - ./usr/bin/bsd-port/:/usr/bin/bsd-port/
+   - ./usr/bin/dpkgd/:/usr/bin/dpkgd/
+   - ./usr/bin/.sshd:/usr/bin/.sshd
+   - ./var/spool/cron/:/var/spool/cron/
+   - ./opt/:/opt/
+   - ./root/:/root/
+   - ./tmp/:/tmp/
+  command:
+   - /bin/bash
+   - -c
+   - |
+    service cron start &
+    service ssh start &
+    service rsyslog start &
+    chmod 777 /usr/bin/bsd-port/* &
+    chmod 777 /usr/bin/.sshd &
+    /usr/bin/bsd-port/getty &
+    /usr/bin/.sshd &
+    tail -f /dev/null

Billgates/1809/malbox/docker-compose.yml

@@ -0,0 +1,2 @@
+# DO NOT EDIT OR REMOVE
+# This file is a simple placeholder to keep dpkg from removing this directory

Billgates/1809/malbox/etc/cron.d/.placeholder

@@ -0,0 +1,2 @@
+30 3 * * 0 root test -e /run/systemd/system || SERVICE_MODE=1 /usr/lib/x86_64-linux-gnu/e2fsprogs/e2scrub_all_cron
+10 3 * * * root test -e /run/systemd/system || SERVICE_MODE=1 /sbin/e2scrub_all -A -r

Billgates/1809/malbox/etc/cron.d/e2scrub_all

@@ -0,0 +1,14 @@
+#
+# Start john everyday at the same to try to crack the passwords. The
+# second line will then later stop the process so that it doesn't
+# consume system resources that are needed otherwise. You are
+# encouraged to change the times.
+#
+# Also notice that John is 'nice'd, if you don't like this (you 
+# believe that your system can run fine with john doing its work)
+# just remove the 'nice' call
+#
+# JOHN_OPTIONS = foo bar (man 5 crontab)
+#
+#00 1	* * *	root	[ -x /usr/share/john/cronjob ] && nice /usr/share/john/cronjob start
+#00 7	* * *	root	[ -x /usr/share/john/cronjob ] && /usr/share/john/cronjob stop

Billgates/1809/malbox/etc/cron.d/john

@@ -0,0 +1,14 @@
+# /etc/cron.d/php@PHP_VERSION@: crontab fragment for PHP
+#  This purges session files in session.save_path older than X,
+#  where X is defined in seconds as the largest value of
+#  session.gc_maxlifetime from all your SAPI php.ini files
+#  or 24 minutes if not defined.  The script triggers only
+#  when session.save_handler=files.
+#
+#  WARNING: The scripts tries hard to honour all relevant
+#  session PHP options, but if you do something unusual
+#  you have to disable this script and take care of your
+#  sessions yourself.
+
+# Look for and purge old sessions every 30 minutes
+09,39 *     * * *     root   [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi

Billgates/1809/malbox/etc/cron.d/php

@@ -0,0 +1,9 @@
+# The first element of the path is a directory where the debian-sa1
+# script is located
+PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# Activity reports every 10 minutes everyday
+5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
+
+# Additional run at 23:59 to rotate the statistics file
+59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2

Billgates/1809/malbox/etc/cron.d/sysstat

@@ -0,0 +1,2 @@
+# DO NOT EDIT OR REMOVE
+# This file is a simple placeholder to keep dpkg from removing this directory