#!/bin/bashSHELL=/bin/shPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/

1. #!/bin/bash
2. SHELL=/bin/sh
3. PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
4.  
5. me=$( whoami )
6.  
7. function cleanup() {
8. rm -rf /bin/httpntp /bin/ftpsdns
9. cat /etc/crontab | grep -v "##" | grep -v "/bin/httpsntp" | grep -v "/bin/ftpsntp" > /etc/crontab.bak && mv /etc/crontab.bak /etc/crontab
10. rm -rf /etc/cron.d/root /etc/cron.d/apache /etc/cron.d/system /var/spool/cron/root /var/spool/cron/crontabs/root
11. rm -rf /etc/cron.hourly/oanacroane /etc/cron.daily/oanacroane /etc/cron.monthly/oanacroane
12. rm -rf /bin/config.json /bin/watchbog /bin/config.txt /bin/cpu.txt /bin/pools.txt
13. rm -rf /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/
14. }
15.  
16. function allcron() {
17. for user in $(cut -f1 -d: /etc/passwd);
18. do
19. pa=$(crontab -u $user -l|grep 'pastebin'|wc -l)
20. if [ ${pa} -ne 0 ];then
21. echo "$user is infected"
22. crontab -u $user -r
23. fi
24. done
25. }
26.  
27. function killdog() {
28. ps auxf|grep -v grep|grep "watchbog" | awk '{print $2}'|xargs kill -9
29. pkill -f watchbog
30. }
31.  
32. if [ "$me" == "root" ];then
33. echo "Removing All Persistence Methods And Killing Miner"
34. cleanup
35. allcron
36. killdog
37. else
38. echo "You $me Have To Run This Sctipt For Total Cleanup"
39. fi