(1) After killing competing mining processes, it overwrites the source files of those processes with a LOCKFILE string containing "TeamTNT is watching you!"; (2) it persists through several mechanisms, including scheduled tasks, system services and user profile files; (3) it tampers with the system ps, top, pstree and similar commands to hide its own trojan process; (4) it tampers with reboot-related system commands and services to prevent the user from restarting the host; (5) it switched to the Redis unauthorized-access vulnerability to spread laterally to cloud servers.
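Defender-side host checks for the behaviours listed above, as an added example that is not part of the original report. Function names, the default search paths and the constructed PID lists are assumptions; the package names are the ones Debian- and RPM-based distributions use for ps/top, pstree and the reboot tooling.

```shell
#!/bin/sh
# Added triage helpers (example code, not from the original report).
# Function names and default paths are assumptions. POSIX sh; run as root
# on a host suspected of carrying the miner described above.

# The trojan tampers with ps/top/pstree to hide its process, but /proc still
# lists every PID. Print PIDs present in the first list but absent from the
# second. Arguments: two whitespace-separated PID lists (from /proc, from ps).
hidden_pids() {
    for p in $1; do
        case " $2 " in
            *" $p "*) ;;        # ps reports it too: nothing to flag
            *) echo "$p" ;;     # in /proc only: ps is lying, or the PID is brand new
        esac
    done
}

# Live version of the check. A PID that starts between the two snapshots
# shows up as a false positive, so re-run and keep only PIDs flagged twice.
live_hidden_pids() {
    proc_list=$(ls /proc | grep -E '^[0-9]+$' | tr '\n' ' ')
    ps_list=$(ps -e -o pid= | tr -s ' \n' ' ')
    hidden_pids "$proc_list" "$ps_list"
}

# Persistence sweep: the report names cron, system services and user profile
# files as persistence points and "TeamTNT is watching you!" as the marker
# written over competitor miners. List files under the given paths (default:
# the usual persistence locations) that carry the marker string.
scan_marker() {
    [ $# -gt 0 ] || set -- /etc/cron.d /etc/crontab /var/spool/cron \
        /etc/systemd/system /etc/profile /etc/profile.d /root /home
    grep -rl "TeamTNT is watching you" "$@" 2>/dev/null || true
}

# Binary integrity: ps/top (procps), pstree (psmisc) and reboot/shutdown
# (systemd) come from distro packages, so the package manager can report
# files that no longer match. Empty output means the packages verify.
verify_system_tools() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -V procps psmisc systemd 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -V procps-ng psmisc systemd 2>/dev/null || true
    fi
}
# Usage on a suspect host: live_hidden_pids; scan_marker; verify_system_tools
```

A PID that appears in `live_hidden_pids` on two consecutive runs, or any file returned by `scan_marker`, is worth pulling for analysis before the host is rebuilt.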
Indicators associated with the mining trojan:
DOMAIN:
oracle.zzhreceive.top
xmr-asia1.nanopool.org (mining pool)
gulf.moneroocean.stream (mining pool)
donate.v2.xmrig.com (mining pool)
MD5: bf68dfba47df6c6023ce82686ce68429 58426b3626aea9d1f96c7b8d18ac5ad0 38ba92aafbe6e0f8917eef0eebb624a8 94a3ea919da87035eae05403c00782fd
Wallet address: 43Xbgtym2GZWBk87XiYbCpTKGPBTxYZZWi44SWrkqqvzPZV6Pfmjv3UHR6FDwvPgePJyv9N5PepeajfmKp1X71EW7jx4Tpz.pokemon6