File: //usr/tmp/.X281-unix/.rsync/clean.sh
#!/bin/bash
# clean.sh — best-effort host cleanup for a fixed set of Linux miner/backdoor
# artifacts.
#
# Stages: kill processes matching MALWARE_NAMES, kill processes with a
# memfd:upx mapping, delete listed files/directories, strip matching crontab
# lines, disable the systemd-kworkerd unit/timer, reinstall ps/ss/lsof/netstat
# when ps looks replaced, then re-check.
#
# Must run as root. Every stage is destructive and error-tolerant (stderr is
# suppressed, no `set -e`), and it destroys volatile evidence (process state,
# binaries) — collect process listings / memory first if forensics matter.
# NOTE(review): the page header places this file under a hidden temp-directory
# path; its provenance is unverified, so read it in full before executing.
printf '%s\n' "=========================================="
printf '%s\n' " MALWARE CLEANUP - $(date)"
printf '%s\n' "=========================================="
# --- 1. KILL NAMED MALWARE PROCESSES ---
printf '\n%s\n' "[*] Killing malware processes..."
# Each entry is handed to `pgrep -f`, i.e. an extended regex matched anywhere
# in a process's full command line; an unescaped `.` matches any character.
MALWARE_NAMES=(
  "kw0rker"
  "kworkelr"
  "llda"
  "/usr/bin/.sshd"
  "/etc/kswpad"
  "bsd-port/getty"
  "/usr/.work/work32"
  "work32"
  "/tmp/linux"
  "/tmp/xmr"
  "rsyslogd-f2cf"
  "grep00.sh"
  "/etc/.apache"
  "./.apache"
  "kswpad"
)
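#######################################
# SSH whitelist: processes this function accepts are never killed.
# Arguments: $1 - PID
# Returns:   0 if the exe link or the argv of the process looks like
#            sshd/ssh, 1 otherwise (also 1 for an empty PID or a /proc
#            entry that vanished)
# NOTE(review): /proc/PID/cmdline is under the process's own control, so a
# process can name itself "sshd: ..." to pass the argv test; the exe-link
# match is the stronger of the two signals.
#######################################
is_ssh_process() {
  local pid=$1
  local exe argv
  local exe_re='(/usr/sbin/sshd|/usr/bin/ssh|openssh)'
  local argv_re='(sshd:|sshd-session|/usr/sbin/sshd)'
  [[ -n "$pid" ]] || return 1
  exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
  [[ "$exe" =~ $exe_re ]] && return 0
  # argv is NUL-separated; join with spaces before matching (no cat/echo
  # pipeline needed — bash's =~ does the regex test in-process).
  argv=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
  [[ "$argv" =~ $argv_re ]] && return 0
  return 1
}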
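# Kill every process whose command line matches a MALWARE_NAMES pattern,
# except SSH processes (is_ssh_process) and this script's own shell.
# The match is a regex over the full argv (pgrep -f), so an unrelated process
# that merely mentions one of these strings in its arguments — an editor, a
# grep, another shell — is killed as well; review the list before running.
for name in "${MALWARE_NAMES[@]}"; do
  mapfile -t pids < <(pgrep -f -- "$name" 2>/dev/null)
  for pid in "${pids[@]}"; do
    # Guard: a script path containing one of the patterns would otherwise
    # match our own bash process.
    [[ "$pid" == "$$" ]] && continue
    if is_ssh_process "$pid"; then
      echo " [!] Skipped (SSH process): $name PID $pid"
      continue
    fi
    # SIGKILL so the target cannot trap the signal and linger.
    kill -9 "$pid" 2>/dev/null && echo " [+] Killed: $name (PID $pid)"
  done
done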
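# --- 2. KILL MEMFD:UPX IN-MEMORY MINERS ---
printf '\n%s\n' "[*] Scanning for in-memory miners (memfd:upx)..."
MEMFD_FOUND=0

#######################################
# Drop every line containing a literal string from a file, rewriting it in
# place so inode, owner and mode are kept (cron spool files care about that).
# Arguments: $1 - literal string (NOT a regex; a directory path is used here)
#            $2 - file to edit
# Returns:   0 on success, 1 if the temp file or the read failed (file is
#            then left untouched)
#######################################
remove_lines_containing() {
  local needle=$1 file=$2
  local tmp rc
  tmp=$(mktemp) || return 1
  grep -vF -- "$needle" "$file" > "$tmp"
  rc=$?
  # grep exits 1 when nothing was kept; anything above that is a real error
  # and must not truncate the file.
  if (( rc > 1 )); then
    rm -f -- "$tmp"
    return 1
  fi
  cat -- "$tmp" > "$file"
  rm -f -- "$tmp"
}

for pid_dir in /proc/[0-9]*; do
  pid=${pid_dir#/proc/}
  # memfd-backed mappings show up in maps as "/memfd:NAME (deleted)".
  grep -q "memfd:upx" "$pid_dir/maps" 2>/dev/null || continue
  if is_ssh_process "$pid"; then
    echo " [!] Skipped (SSH): PID $pid"
    continue
  fi
  exe=$(readlink "$pid_dir/exe" 2>/dev/null | sed 's/ (deleted)//')
  echo " [!] Found memfd:upx miner: PID=$pid EXE=$exe"
  kill -9 "$pid" 2>/dev/null && echo " [+] Killed PID $pid"
  MEMFD_FOUND=1
  # A process exec'd straight from a memfd typically reports its exe as
  # "/memfd:NAME", which is not a filesystem path. The original code would
  # create and lock a bogus "/memfd:upx" file and then, via dirname -> "/",
  # strip every crontab line containing a slash. Act only on real absolute
  # paths.
  # NOTE(review): even then, exe may be a legitimate interpreter that merely
  # mapped the memfd; the lock below would disable that binary — confirm.
  if [[ -z "$exe" || "$exe" != /* || "$exe" == /memfd:* ]]; then
    continue
  fi
  chattr -ia -- "$exe" 2>/dev/null
  rm -f -- "$exe"
  # Leave an empty, mode-000, immutable placeholder so the same path cannot
  # simply be rewritten.
  touch -- "$exe" && chmod 000 -- "$exe" && chattr +i -- "$exe" 2>/dev/null
  echo " [+] Locked binary: $exe"
  MINER_DIR=$(dirname -- "$exe")
  # Second guard: a binary directly under "/" yields "/" as the directory,
  # which would match every crontab line with a path in it.
  [[ "$MINER_DIR" != "/" ]] || continue
  for cf in /var/spool/cron/crontabs/* /var/spool/cron/*; do
    [[ -f "$cf" ]] || continue
    chattr -ia -- "$cf" 2>/dev/null
    # Literal match: the path came from the attacker's binary and may hold
    # regex metacharacters or the sed delimiter.
    remove_lines_containing "$MINER_DIR" "$cf"
    # Kept from the original: the spool file stays immutable afterwards,
    # which also blocks legitimate `crontab -e` until chattr -i is run.
    chattr +i -- "$cf" 2>/dev/null
  done
  (crontab -l 2>/dev/null | grep -vF -- "$MINER_DIR") | crontab - 2>/dev/null
  echo " [+] Crontab entries for $MINER_DIR removed and locked"
done
[[ "$MEMFD_FOUND" = "0" ]] && echo " [OK] No memfd:upx miners found"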
# --- 3. DELETE FILES AND FOLDERS ---
printf '\n%s\n' "[*] Deleting malware files and folders..."
# Absolute paths of known dropped artifacts. MALWARE_FILES entries are removed
# only when they are regular files (or symlinks to one); MALWARE_DIRS entries
# are removed recursively. Both lists are reused by the final check.
MALWARE_FILES=(
  "/.mod"
  "/etc/kswpad"
  "/etc/conf.n"
  "/etc/.cfg"
  "/usr/bin/.sshd"
  "/usr/lib/libgdi.so.0.8.2"
  "/usr/lib/systemd/systemd-kworkerd"
  "/etc/systemd/system/systemd-kworkerd.service"
  "/etc/profile.d/gateway.sh"
  "/etc/profile.d/bash.cfg"
  "/etc/profile.d/bash.cfg.sh"
  "/var/tmp/.systemcache436621"
  "/tmp/amd64"
  "/tmp/kal64"
  "/tmp/gates.lod"
  "/tmp/moni.lod"
  "/tmp/up.txt"
  "/tmp/xmr"
  "/tmp/config.json"
  "/tmp/linux"
  "/usr/share/man/man3/.syslog-d43bff76"
  "/usr/lib/systemd/system/kswpad"
  "/usr/lib/systemd/system/kswapd00"
)
MALWARE_DIRS=(
  "/usr/.work"
  "/usr/bin/dpkgd"
  "/usr/bin/bsd-port"
)

#######################################
# Remove one regular file, clearing the immutable/append-only bits first.
# Arguments: $1 - absolute path; silently ignored when not a regular file
#######################################
purge_file() {
  local target=$1
  [[ -f "$target" ]] || return 0
  chattr -ia -- "$target" 2>/dev/null
  rm -f -- "$target" && echo " [+] Deleted: $target"
}

#######################################
# Remove one directory tree, clearing immutable/append-only bits recursively.
# Arguments: $1 - absolute path; silently ignored when not a directory
#######################################
purge_dir() {
  local target=$1
  [[ -d "$target" ]] || return 0
  chattr -ia -R -- "$target" 2>/dev/null
  rm -rf -- "$target" && echo " [+] Deleted folder: $target"
}

for f in "${MALWARE_FILES[@]}"; do purge_file "$f"; done
for d in "${MALWARE_DIRS[@]}"; do purge_dir "$d"; done
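# --- 4. CLEAN CRONTAB ---
printf '\n%s\n' "[*] Cleaning crontab..."
# sed address regexes identifying known persistence lines. A match anywhere in
# the line deletes it, so short tokens like "kswap" can also hit legitimate
# entries — review before running.
CRON_PATTERNS=(
  '\.mod'
  'work32'
  'kswap'
  'kworkelr'
  'libgdi'
  'kworkerd'
  'gajiku'
  'syslog-d43b'
  'rsyslogd-f2cf'
  'grep00'
  'grepb32'
  'base64.*syslog'
)

#######################################
# Delete every line of one crontab file that matches a CRON_PATTERNS entry.
# Globals:   CRON_PATTERNS (read)
# Arguments: $1 - crontab path (must exist)
# Outputs:   number of non-comment, non-blank lines removed, on stdout
# Returns:   0 always; if the edit fails the count is simply 0
#######################################
scrub_cron_file() {
  local file=$1
  local before after p
  local -a sed_args=()
  for p in "${CRON_PATTERNS[@]}"; do
    sed_args+=(-e "/$p/d")
  done
  # The original cleared +i/+a only on the spool copies and left /etc/crontab
  # alone, so an immutable system crontab silently kept its entries.
  chattr -ia -- "$file" 2>/dev/null
  before=$(grep -v '^#' -- "$file" | grep -c -v '^$')
  sed -i "${sed_args[@]}" "$file"
  after=$(grep -v '^#' -- "$file" | grep -c -v '^$')
  echo $(( before - after ))
}

TOTAL_REMOVED=0
# /etc/crontab (system-wide), /var/spool/cron/crontabs/root (Debian/Ubuntu),
# /var/spool/cron/root (CentOS/RHEL). Missing files are skipped instead of
# producing sed/grep errors.
for cron_file in /etc/crontab /var/spool/cron/crontabs/root /var/spool/cron/root; do
  [[ -f "$cron_file" ]] || continue
  removed=$(scrub_cron_file "$cron_file")
  TOTAL_REMOVED=$(( TOTAL_REMOVED + removed ))
done
echo " [+] Malware crontab entries removed: $TOTAL_REMOVED"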
# --- 5. DISABLE FAKE SERVICE AND TIMER ---
# Runs only when systemd currently lists a unit named systemd-kworkerd; the
# unit file itself is among the paths deleted in section 3.
if systemctl list-units --all 2>/dev/null | grep -q 'systemd-kworkerd'; then
  # Timer first, then service — same order as stopping them by hand.
  for unit in systemd-kworkerd.timer systemd-kworkerd.service; do
    systemctl stop "$unit" 2>/dev/null
    systemctl disable "$unit" 2>/dev/null
  done
  rm -f /etc/systemd/system/systemd-kworkerd.timer \
    /etc/systemd/system/timers.target.wants/systemd-kworkerd.timer 2>/dev/null
  systemctl daemon-reload
  echo " [+] Fake service/timer systemd-kworkerd disabled"
fi
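# --- 6. REINSTALL REPLACED SYSTEM BINARIES ---
printf '\n%s\n' "[*] Checking system binaries..."
# Two heuristics: a ps of exactly this byte size (a value the original author
# associates with a replaced binary — size alone is a weak signal) or a ps that
# cannot even print its version.
PS_SIZE=$(stat -c%s /usr/bin/ps 2>/dev/null)
if [[ "$PS_SIZE" = "1223123" ]] || ! /usr/bin/ps --version >/dev/null 2>&1; then
  echo " [!] Replaced/broken binaries detected - reinstalling..."
  chattr -ia /usr/bin/ps /usr/bin/ss /usr/bin/lsof /usr/bin/netstat 2>/dev/null
  # Exit status of the package manager (first stage of each pipeline); the
  # original printed "reinstalled" unconditionally because `| tail` hid it.
  rc=1
  if command -v apt-get &>/dev/null; then
    # NOTE(review): killing apt/dpkg and deleting their lock files can corrupt
    # the dpkg database if a genuine package operation is in flight; kept from
    # the original as a deliberate best-effort step.
    killall apt apt-get dpkg 2>/dev/null
    rm -f /var/lib/dpkg/lock-frontend /var/lib/dpkg/lock /var/cache/apt/archives/lock
    dpkg --configure -a 2>/dev/null
    DEBIAN_FRONTEND=noninteractive timeout 120 apt-get install --reinstall procps iproute2 lsof net-tools -y \
      -o DPkg::Lock::Timeout=60 2>&1 | tail -3
    rc=${PIPESTATUS[0]}
  elif command -v zypper &>/dev/null; then
    timeout 120 zypper install -f -y procps iproute2 lsof net-tools 2>&1 | tail -5
    rc=${PIPESTATUS[0]}
  elif command -v yum &>/dev/null; then
    timeout 120 yum reinstall procps-ng iproute lsof net-tools -y 2>&1 | tail -3
    rc=${PIPESTATUS[0]}
  elif command -v dnf &>/dev/null; then
    timeout 120 dnf reinstall procps-ng iproute lsof net-tools -y 2>&1 | tail -3
    rc=${PIPESTATUS[0]}
  else
    echo " [!] No package manager found - reinstall manually"
  fi
  # `timeout` reports 124 when the 120 s budget ran out.
  if (( rc == 0 )); then
    echo " [+] Binaries reinstalled"
  else
    echo " [!] Reinstall did not complete (exit $rc) - verify ps/ss/lsof/netstat manually"
  fi
else
  echo " [OK] System binaries look clean"
fi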
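# --- 7. FINAL CHECK ---
printf '\n%s\n' "[*] Process check:"
# Same pgrep -f regex match as section 1: a hit here is a survivor, a respawn,
# or an unrelated process whose argv happens to contain the pattern. A clean
# result only means nothing matched these names — renamed or relocated
# artifacts are not detected.
for name in "${MALWARE_NAMES[@]}"; do
  # Single pgrep per pattern; the original called it twice, so the reported
  # PIDs could differ from the ones that triggered the message.
  pids=$(pgrep -f -- "$name" 2>/dev/null | tr '\n' ' ')
  if [[ -n "$pids" ]]; then
    echo " [!] Still running: $name PID: $pids"
  else
    echo " [OK] $name: clean"
  fi
done
printf '\n%s\n' "[*] File check:"
ALL_CLEAN=true
for f in "${MALWARE_FILES[@]}"; do
  if [[ -f "$f" ]]; then
    echo " [!] Still exists: $f"
    ALL_CLEAN=false
  fi
done
for d in "${MALWARE_DIRS[@]}"; do
  if [[ -d "$d" ]]; then
    echo " [!] Folder still exists: $d"
    ALL_CLEAN=false
  fi
done
# Compare the flag rather than executing "$ALL_CLEAN" as a command.
[[ "$ALL_CLEAN" == true ]] && echo " [OK] All malware files deleted"
echo ""
echo "LOAD: $(uptime | awk -F'load average:' '{print $2}')"
echo "=========================================="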