2025-01-18 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article describes what to do when a Linux server has been hacked. It has some reference value for interested readers; I hope you learn something from it. Let the editor walk you through it.
I. Background
One night I noticed that a server's traffic was running very high, clearly different from usual; it had reached 800Mbps. My first feeling was that this was a Trojan and the machine was being used as a zombie ("broiler") to send large numbers of packets.
For the best performance, our servers do not run the host firewall (iptables) or similar tools, but there is a physical firewall in front of them, and this machine is reached through port mapping on a non-standard port, so in theory it should have been reasonably well protected. I seem to have had a lot of encounters with Trojans recently, so I am taking this opportunity to record the discovery process.
II. Finding and following up
1. Check the traffic graph to find the problem
The web pages were very slow to load, and sometimes did not respond at all.
2. Use top to view processes
I immediately logged in remotely to the affected server. The remote session was very laggy and the outbound traffic on the network card was very large. Through top I found an abnormal process using a lot of resources; without reading the name carefully, I really thought it was a web service process.
3. Use ps to find the path of the process
I found that this program file was in the /etc directory and was a binary. I copied it and attached it near this article so that everyone can study it in a virtual machine.
4. End the abnormal process and keep tracking
killall -9 nginx1
rm -f /etc/nginx1
After the process was killed the traffic came down immediately and the remote session stopped lagging. Did deleting the program file and killing the abnormal process finish the job? Thinking about it, it certainly could not be that simple: this is a Trojan, and it will surely regenerate its own program file (as I expected, it had been regenerated again before I had even figured things out), so we have to keep tracking.
5. Check the login records and the secure log file
Checking the account login records with the last command showed nothing wrong. Looking at the system log file messages also turned up nothing, but when I looked at the secure file I found some anomalies. In any case, it was related to authentication. Could someone have connected in to control the packet flooding?
6. Use ps to view processes again
In fact the problem was already there the first time I ran ps, but I did not spot it then. The second time I went through each process by hand, looking for abnormal ones, and found a strange ps process.
I found a normal machine and checked the size of the ps command: about 81KB. On this machine, however, ps was as large as 1.2M, so the command file must have been replaced.
Then I went to the directory where ps lives and saw the following commands. When I checked these system commands I found that they had all become very large, 1.2M each, so these system command files must have been replaced as well.
7. Finding more abnormal files
I looked at the scheduled task file crontab and found nothing, then checked the system startup file rc.local, where there was nothing unusual either. Then I went to the /etc/init.d directory and found two strange script files: DbSecuritySpt and selinux.
From the first file you can see that it starts the abnormal file at boot, and the second one should be related to login. I am not very clear about the details, but there is certainly a problem.
Since it is related to login, I looked for ssh-related files and found the following hidden file. This is also a Trojan file; we note it for now. The program names are made to look very similar to our service names just to confuse us, and their size is 1.2M, so they may all be the same file.
I also looked in /tmp, a directory where Trojans like to appear, and found abnormal files there too. Judging by the names, they look like the Trojan's monitoring components.
Thinking about this, there are probably many more replaced commands, and we cannot solve this by relying on finding them one by one. My suggestion is to reinstall the operating system and set up a proper security policy. If that is not an option, I give my method below; whether it is feasible remains to be verified.
III. Manual removal of the Trojan
The general steps are summarized as follows:
1. Quickly judge whether the Trojan is present
# Check whether any of the following files exist
cat /etc/rc.d/init.d/selinux
cat /etc/rc.d/init.d/DbSecuritySpt
ls /usr/bin/bsd-port
ls /usr/bin/dpkgd
# Check whether the sizes are normal
ls -lh /bin/netstat
ls -lh /bin/ps
ls -lh /usr/sbin/lsof
ls -lh /usr/sbin/ss
2. Upload clean copies of the following commands to /root (step 5 below also uses /root/chattr, so upload a clean chattr as well)
ps netstat ss lsof
3. Delete the following directories and files
rm -rf /usr/bin/dpkgd                  # replaced copies of ps netstat lsof ss
rm -rf /usr/bin/bsd-port               # Trojan
rm -f /usr/bin/.sshd                   # Trojan backdoor
rm -f /tmp/gates.lod
rm -f /tmp/moni.lod
rm -f /etc/rc.d/init.d/DbSecuritySpt   # starts the Trojan variants described above
rm -f /etc/rc.d/rc1.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc2.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc3.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc4.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc5.d/S97DbSecuritySpt
rm -f /etc/rc.d/init.d/selinux         # by default starts /usr/bin/bsd-port/getty
rm -f /etc/rc.d/rc1.d/S99selinux
rm -f /etc/rc.d/rc2.d/S99selinux
rm -f /etc/rc.d/rc3.d/S99selinux
rm -f /etc/rc.d/rc4.d/S99selinux
rm -f /etc/rc.d/rc5.d/S99selinux
4. Find the abnormal program and kill it
5. Delete the Trojan's replacement commands and reinstall them (or copy the clean uploaded programs into place)
It seems I could not reinstall them myself, so I looked for a normal machine to copy the commands from.
# ps
/root/chattr -i -a /bin/ps && rm -f /bin/ps
yum -y reinstall procps        # or: cp /root/ps /bin
# netstat
/root/chattr -i -a /bin/netstat && rm -f /bin/netstat
yum -y reinstall net-tools     # or: cp /root/netstat /bin
# lsof (chattr and rm must target the same path; the original mixed /bin/lsof and /usr/sbin/lsof)
/root/chattr -i -a /usr/sbin/lsof && rm -f /usr/sbin/lsof
yum -y reinstall lsof          # or: cp /root/lsof /usr/sbin
# ss
/root/chattr -i -a /usr/sbin/ss && rm -f /usr/sbin/ss
yum -y reinstall iproute       # or: cp /root/ss /usr/sbin
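The checks of steps 1 and 3 folded into one read-only script, added here as an example (not code from the original post): it reports the dropped files, the rc*.d persistence symlinks and any oversized ps/netstat/lsof/ss, and deletes nothing. The PREFIX argument, the 500000-byte size threshold and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only checker for the
# Linux.BackDoor.Gates indicators from steps 1 and 3. PREFIX lets it run
# against a mounted disk image or a test tree; "" or "/" means the live host.
# It only reports and deletes nothing, so it is safe to run before cleanup.

# Dropped files and directories named in the post.
GATES_PATHS="/etc/rc.d/init.d/DbSecuritySpt /etc/rc.d/init.d/selinux
/usr/bin/bsd-port /usr/bin/dpkgd /usr/bin/.sshd /tmp/gates.lod /tmp/moni.lod"
# Tools the Trojan replaces. The post saw a clean ps at ~81 KB and replaced
# copies at 1.2 MB; the 500000-byte threshold is an assumption, tune it.
GATES_TOOLS="/bin/ps /bin/netstat /usr/sbin/lsof /usr/sbin/ss"
GATES_SIZE_LIMIT=500000

file_size() { wc -c < "$1" | tr -d ' '; }   # portable size in bytes

# gates_check PREFIX: prints one line per finding; exit status = number of findings.
gates_check() {
    prefix=${1%/}
    hits=0
    for p in $GATES_PATHS; do
        if [ -e "$prefix$p" ] || [ -L "$prefix$p" ]; then
            echo "DROPPED FILE: $p"
            hits=$((hits + 1))
        fi
    done
    # Persistence symlinks the Trojan creates in rc1.d..rc5.d (dangling ones count too).
    for n in 1 2 3 4 5; do
        for s in S97DbSecuritySpt S99selinux; do
            f="$prefix/etc/rc.d/rc$n.d/$s"
            if [ -e "$f" ] || [ -L "$f" ]; then
                echo "RC SYMLINK: /etc/rc.d/rc$n.d/$s"
                hits=$((hits + 1))
            fi
        done
    done
    for t in $GATES_TOOLS; do
        [ -f "$prefix$t" ] || continue
        size=$(file_size "$prefix$t")
        if [ "$size" -gt "$GATES_SIZE_LIMIT" ]; then
            echo "OVERSIZED TOOL: $t ($size bytes, probably replaced)"
            hits=$((hits + 1))
        fi
    done
    return "$hits"
}

# Usage: sh gates_check.sh /mnt/image   (or "/" for the live system)
if [ $# -gt 0 ]; then gates_check "$1"; fi
```

A non-zero exit status means findings were printed; an oversized tool is only a hint, so confirm it against the package manager (for example rpm -V procps) before deleting anything.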
IV. Scanning with an antivirus tool
1. Install the antivirus tool clamav
yum -y install clamav clamav-milter
2. Start the service
service clamd restart
3. Update the virus database
Because this ClamAV is not the latest version, there are warning messages. You can ignore them or upgrade to the latest version.
[root@mobile ~]# freshclam
ClamAV update process started at Sun Jan 31 03:15:52 2016
WARNING: Can't query current.cvd.clamav.net
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): WARNING: main.cvd not found on remote server
WARNING: Can't read main.cvd header from db.cn.clamav.net (IP: 185.100.64.62)
Trying again in 5 secs...
ClamAV update process started at Sun Jan 31 03:16:25 2016
WARNING: Can't query current.cvd.clamav.net
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): Trying host db.cn.clamav.net (200.236.31.1).
OK
Main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Reading CVD header (daily.cvd): OK (IMS)
Daily.cvd is up to date (version: 21325, sigs: 1824133, f-level: 63, builder: neo)
Reading CVD header (bytecode.cvd): OK (IMS)
Bytecode.cvd is up to date (version: 271, sigs: 47, f-level: 63, builder: anvilleg)
4. Scanning method
You can use clamscan -h to view the help information.
clamscan -r /etc --max-dir-recursion=5 -l /root/etcclamav.log
clamscan -r /bin --max-dir-recursion=5 -l /root/binclamav.log
clamscan -r /usr --max-dir-recursion=5 -l /root/usrclamav.log
clamscan -r --remove /usr/bin/bsd-port
clamscan -r --remove /usr/bin/
5. Check the logs for findings
Delete any command that is found and replace it with a normal one.
Appendix: Linux.BackDoor.Gates.5
After looking up information, the Trojan should be Linux.BackDoor.Gates.5. I found a write-up with the following details:
Some users hold a deep-rooted belief that no malware can really threaten the Linux operating system, but this notion faces more and more challenges. Compared with April, Doctor Web technicians detected a record amount of Linux malware in May 2014, and in June a new family of Linux Trojans, named Linux.BackDoor.Gates, was added to the list.
Described here is one Trojan in the Linux.BackDoor.Gates family, Linux.BackDoor.Gates.5, which combines the functions of a traditional backdoor with those of a DDoS Trojan and is used to infect 32-bit Linux systems. Based on its characteristics it can be concluded that it was written by the same author as the Linux.DnsAmp and Linux.DDoS Trojan families. The new Trojan consists of two functional modules: the basic module is a backdoor that executes instructions issued by the criminals, and the second module, saved to disk during installation, carries out DDoS attacks. While running, Linux.BackDoor.Gates.5 collects the following information about the infected computer and forwards it to the criminals:
Number of CPU cores (read from /proc/cpuinfo).
CPU speed (read from /proc/cpuinfo).
CPU usage (read from /proc/stat).
Gateway IP address (read from /proc/net/route).
Gateway MAC address (read from /proc/net/arp).
Network interface information (read from /proc/net/dev).
MAC address of the network device.
Memory (the MemTotal value in /proc/meminfo).
Amount of data sent and received (read from /proc/net/dev).
Operating system name and version (by calling the uname command).
After startup, Linux.BackDoor.Gates.5 checks the path of the folder it was started from and follows one of four behaviour modes depending on the result.
If the path of the backdoor's executable differs from that of the netstat, lsof and ps tools, the Trojan starts in the system disguised as a daemon, then initializes and, during initialization, extracts its configuration file. The configuration file contains all the data the Trojan needs to run, such as the management server's IP address and port, the backdoor's installation parameters and so on.
Depending on the value of the g_iGatsIsFx parameter in the configuration file, the Trojan either actively connects to the management server or waits for a connection: after a successful installation, the backdoor determines the IP address of the site it is connected to and then uses that site as its command server.
During installation the Trojan checks the file /tmp/moni.lock; if the file is not empty it reads the data (a process PID) and kills that process. Linux.BackDoor.Gates.5 then checks whether the DDoS module and the backdoor's own processes are already running on the system (if so, these processes are killed as well). If the special flag g_iIsService is set in the configuration file, the Trojan sets itself up to start at boot by writing a script beginning with the line #!/bin/bash\n into the file /etc/init.d/DbSecuritySpt, after which Linux.BackDoor.Gates.5 creates the following symbolic links:
ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
If the flag g_bDoBackdoor is set in the configuration file, the Trojan also tries to open the file /root/.profile and checks whether its process has root privileges. The backdoor then copies itself to /usr/bin/bsd-port/getty and starts it. In the final phase of installation, Linux.BackDoor.Gates.5 creates another copy of itself in the folder /usr/bin/, under the name set in the configuration file, and replaces the following tools:
/bin/netstat
/bin/lsof
/bin/ps
/usr/bin/netstat
/usr/bin/lsof
/usr/bin/ps
/usr/sbin/netstat
/usr/sbin/lsof
/usr/sbin/ps
With that, the Trojan completes installation and starts invoking its basic functions.
In the other two modes, the Trojan likewise starts as a daemon on the infected computer and checks whether its component is running by reading the corresponding .lock file (starting the component if it is not), but uses different names when saving its files and registering for autostart.
After connecting to the command server, Linux.BackDoor.Gates.5 receives configuration data and the commands the zombie computer is to carry out. On the criminals' instructions, the Trojan can update itself, launch or stop DDoS attacks against remote sites with specified IP addresses and ports, execute commands contained in the configuration data, or execute other commands by establishing a connection to remote sites with specified IP addresses.
The main targets of this backdoor's DDoS attacks are Chinese servers, but the criminals also target other countries. The following figure shows the geographical distribution of DDoS attacks using this Trojan:
Thank you for reading this article carefully. I hope the article "What to do when a Linux server is hacked" shared by the editor is helpful to everyone, and that you will keep supporting us and following the industry information channel. More related knowledge is waiting for you to learn!