jdpro/jd_clean_muma.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#最近由于很多中木马病毒,仅对该木马做检测清除
'''
new Env('病毒检测清除');
8 8 29 2 * jd_clean_muma.py
'''
import os
import shutil
import subprocess
import sys
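def get_malicious_pids(process_name: str) -> "list[str]":
    """Return the PIDs of processes whose full command line matches *process_name*.

    Thin wrapper around ``pgrep -f``. Note that ``pgrep -f`` treats the
    pattern as an extended regular expression and matches it against the
    *whole* command line: ``.fullgc`` therefore also matches a process that
    merely mentions that string in its argv (an editor, ``tail``, a shell
    one-liner), and the leading ``.`` matches any character. The pattern is
    deliberately passed through untouched so that detection and the
    ``pkill -f`` call in ``main`` agree on what is "malicious".

    Returns an empty list when nothing matches. If ``pgrep`` cannot be
    executed at all (not installed, not on PATH) a warning is printed and an
    empty list is returned as well; callers must not read an empty result as
    proof that the host is clean.
    """
    try:
        result = subprocess.run(
            ['pgrep', '-f', process_name],
            capture_output=True,
            text=True,
        )
    except OSError as e:
        # pgrep missing/not executable: say so instead of silently reporting "clean"
        print(f"警告:无法执行 pgrep,进程检测结果不可信: {e}")
        return []
    # pgrep exits 0 only when at least one process matched; 1 means no match,
    # 2/3 are usage or fatal errors. Anything but 0 is treated as "none found".
    if result.returncode != 0:
        return []
    # one PID per line; split() also drops the trailing newline and blanks
    return result.stdout.split()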
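def clean_config_file(config_file_path: str, keywords: "list[str] | None" = None) -> bool:
    """Strip lines that look like the trojan's persistence stub from a shell config file.

    Every line of *config_file_path* that contains any of *keywords* (default:
    the ``.fullgc`` indicators listed below) is dropped. The file is only
    touched when at least one line matched: a copy of the original is written
    next to it first (``<path>.bak``, or ``.bak.N`` if that name is taken),
    then the filtered content goes to a temp file in the same directory,
    inherits the original's permission bits and is atomically swapped in.

    Args:
        config_file_path: path of the shell config file to clean.
        keywords: substrings that mark a line for removal; None selects the
            built-in indicator list.

    Returns:
        True if lines were removed and the file was rewritten; False if the
        file does not exist, nothing matched, or reading / backing up /
        writing failed.

    The built-in indicators are very coarse ("{", "}", "curl", "chmod"),
    presumably so that the whole stub including its wrapper braces is removed.
    The cost is that any legitimate line containing one of them is removed
    too, and the .bak copy is the only way to get such lines back. That is why
    this function refuses to modify the file when the backup cannot be
    written, and why it never overwrites an earlier backup.
    """
    if not os.path.exists(config_file_path):
        return False

    if keywords is None:
        keywords = [
            ".fullgc",
            "551911.xyz",
            "fullgc-linux",
            "fullgc-macos",
            "QL_DIR:-/ql}/data/db",
            "chmod",
            "curl",
            "{",
            "}",
            "nohup \"$b\" >/dev/null 2>&1 &",
        ]

    # surrogateescape round-trips bytes that are not valid UTF-8; the previous
    # errors='ignore' silently dropped them from the lines we keep.
    try:
        with open(config_file_path, 'r', encoding='utf-8', errors='surrogateescape') as f:
            lines = f.readlines()
    except OSError as e:
        print(f"错误:读取文件 {config_file_path} 失败: {e}")
        return False

    kept_lines = []
    removed_count = 0
    for line in lines:
        if any(keyword in line for keyword in keywords):
            removed_count += 1
            print(f"发现并移除恶意行: {line.strip()}")
        else:
            kept_lines.append(line)

    if removed_count == 0:
        return False

    # Back up before touching the file. Never clobber an existing backup: it
    # may hold legitimate lines that an earlier run already stripped.
    backup_file_path = f"{config_file_path}.bak"
    suffix = 0
    while os.path.exists(backup_file_path):
        suffix += 1
        backup_file_path = f"{config_file_path}.bak.{suffix}"
    try:
        shutil.copy2(config_file_path, backup_file_path)  # copy2 keeps mode and mtime
    except OSError as e:
        # No backup means no safe way to undo a false positive: abort.
        print(f"错误:备份文件失败,已跳过清理 {config_file_path}: {e}")
        return False

    temp_file_path = f"{config_file_path}.tmp"
    try:
        with open(temp_file_path, 'w', encoding='utf-8', errors='surrogateescape') as f:
            f.writelines(kept_lines)
        # a fresh file would get umask defaults; keep the original's bits
        shutil.copymode(config_file_path, temp_file_path)
        os.replace(temp_file_path, config_file_path)  # atomic on POSIX
    except OSError as e:
        print(f"错误:写入或替换文件 {config_file_path} 失败: {e}")
        try:
            os.remove(temp_file_path)
        except OSError:
            pass
        return False
    print(f"成功从 {config_file_path} 中清除 {removed_count} 行恶意代码。")
    return True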
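# Indicators of the implant this script targets. MALICIOUS_PROCESS_NAME is a
# regex handed to pgrep/pkill -f, so "." matches any character and the match
# is against the whole command line.
MALICIOUS_PROCESS_NAME = ".fullgc"
MALICIOUS_FILE = "/ql/data/db/.fullgc"
CONFIG_PATHS = ["/ql/data/config/config.sh", "/ql/config/config.sh"]
DB_DIR = "/ql/data/db/"


def _kill_malicious_processes(pattern: str) -> None:
    """SIGKILL every process whose command line matches *pattern*, then re-verify.

    ``pkill -f`` matches the whole argv, so anything merely mentioning the
    pattern (an editor, ``tail``, a shell one-liner) is killed as well.
    Success is only reported after a second ``pgrep`` finds no survivor;
    pkill's exit status is not used as the source of truth.
    """
    print("正在强制终止这些进程...")
    try:
        subprocess.run(['pkill', '-9', '-f', pattern], capture_output=True)
    except OSError as e:
        print(f"终止进程时发生错误: {e}")
        return
    survivors = get_malicious_pids(pattern)
    if survivors:
        # typically insufficient privilege or a watchdog that respawned it
        print(f"‼️警告:以下木马进程仍在运行: {', '.join(survivors)}")
    else:
        print("✅已成功终止所有木马进程。")


def _remove_malicious_file(path: str) -> None:
    """Delete the dropped binary at *path* if present; failure is reported, not fatal."""
    if not os.path.exists(path):
        return
    print(f"‼️发现恶意文件 '{path}',正在删除...")
    try:
        os.remove(path)
        print(f"✅恶意文件 '{path}' 已删除。")
    except OSError as e:
        print(f"警告:无法删除恶意文件: {e}")


def _report_hidden_executables(db_dir: str) -> bool:
    """Print every hidden (dot-prefixed) executable under *db_dir*, skipping *.db files.

    Report-only: nothing is deleted here, the operator decides.
    Returns True if at least one such file was found.
    """
    found = False
    for root, _, files in os.walk(db_dir):
        for name in files:
            if not name.startswith('.') or name.endswith('.db'):
                continue
            file_path = os.path.join(root, name)
            if os.access(file_path, os.X_OK):
                print(f"警告:发现可疑隐藏执行文件: {file_path}")
                found = True
    return found


def main() -> int:
    """Detect, kill and clean up the .fullgc implant on a QingLong install.

    Order matters: the config-file cleanup uses coarse keywords and can strip
    legitimate lines, so it only runs after a live trojan process has
    confirmed the infection; on a host with no matching process the script
    exits without touching anything. The trade-off is that persistence left
    behind once the process is gone (e.g. after a restart) is not cleaned by
    this script -- call clean_config_file() by hand in that case.

    Returns the process exit status (always 0; findings are printed).
    """
    print(f"--- 开始木马检测 [{MALICIOUS_PROCESS_NAME}] ---")
    pids = get_malicious_pids(MALICIOUS_PROCESS_NAME)
    if not pids:
        print(f"未发现名为 '{MALICIOUS_PROCESS_NAME}' 的木马进程。请注意安全,不要开到公网访问,不要弱密码!!!")
        return 0
    print(f"‼️警告:发现 {len(pids)} 个木马进程PID 列表: {', '.join(pids)}")
    _kill_malicious_processes(MALICIOUS_PROCESS_NAME)
    _remove_malicious_file(MALICIOUS_FILE)

    print("正在清理配置文件中的持久化代码...")
    for path in CONFIG_PATHS:
        if os.path.exists(path):
            clean_config_file(path)

    print("正在扫描 /ql/data/db/ 目录下的其他可疑隐藏文件...")
    # nothing is printed at all when the directory is absent (as before)
    if os.path.exists(DB_DIR) and not _report_hidden_executables(DB_DIR):
        print("未发现其他可疑隐藏文件。")

    print("--- 木马清理过程全部完成 ---")
    print("🚫🚫面板不要开到公网上访问,等待漏洞修复,以免再次中招!!!修改登录密码,不要弱密码")
    return 0


if __name__ == "__main__":
    sys.exit(main())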