Shulou(Shulou.com)05/31 Report--

How to more effectively eliminate watchdogs mining virus, I believe that many inexperienced people do not know what to do, so this paper summarizes the causes of the problem and solutions, through this article I hope you can solve this problem.

Overview of vulnerabilities

Recently, the Internet watchdogs mining virus, attackers can take advantage of Redis unauthorized access vulnerability to invade the server, through internal and external network scanning to infect more machines. The infected host has abnormal crontab tasks, system files deleted, CPU abnormal and so on, and will automatically infect more machines, seriously affecting the normal operation of the business and even lead to crash.

Here, I suggest you timely carry out Redis business self-examination and upgrade repair, to avoid business and economic losses.

Vulnerability impact

1. Data leakage. Redis is remotely controlled to leak sensitive business data

2. Virus infection. If the machine itself is not hardened, the host resources can be invaded through Redis vulnerabilities, and malicious operations such as system destruction, file deletion, mining using host resources can be carried out.

Vulnerability condition

1. Redis monitors the whole network and is exposed to the public network. Self-built Redis is easy to set up 0.0.0.0 6379, which is exposed to the Internet after binding EIP.

2. Redis has no password or weak password for authentication, so it is easy to crack.

3. The Redis service runs under a root or high-privilege account, and the user can modify crontab tasks, perform mining operations, tamper and delete files such as system netstat, and further traverse the historical login records in known_hosts to infect more machines.

Reinforcement suggestion

1. Huawei Cloud DCS Redis cloud service is recommended. DCS has been reinforced for Redis by default and is maintained by a professional team, so you can rest assured to use it.

2. Public network access to Redis is prohibited. You need to restart Redis to take effect.

3. Whether Redis is verified with no password or weak password. Please strengthen password verification. You need to restart Redis to take effect.

4. Whether the Redis service runs under the root account, please run the Redis service with low permissions. You need to restart Redis to take effect.

5. Set up security groups or firewalls to control access to the source IP

6. Disable the config command to avoid malicious operations. You can use the rename feature to rename config, making it more difficult for attackers to use config instructions.

7. Modify the default port 6379 of Redis to other ports to make it more difficult for attackers to obtain Redis entry.

Clean up the Trojan horse

If the host is found to be invaded and infected, please follow the following methods to deal with it.

1. Isolate the infected host: isolate the poisoned computer as soon as possible, close all network connections, and disable the network card.

2. Clean up unknown scheduled tasks

3. Delete malicious dynamic link library / usr/local/lib/libioset.so

4. Check whether the malicious dynamic link library in 3 is loaded in / etc/ld.so.preload.

5. Clean up crontab exception entries and delete malicious tasks (if you can't modify them, execute 7mura first)

6. Terminating the mining process

7. Check and clean up the malicious files that may remain.

A) chattr-I / usr/sbin/watchdogs / etc/init.d/watchdogs / var/spool/cron/root / etc/cron.d/root

B) chkconfig watchdogs off

C) rm-f / usr/sbin/watchdogs / etc/init.d/watchdogs

8. the relevant system commands may be deleted by the virus and can be reinstalled through the package manager or restored by other machine copies

9. Since the file is read-only and the related commands are hook, you need to install busybox and delete it through the busybox rm command.

10. Restart the machine

Be careful

Please back up the data and test it fully before fixing the vulnerability.

After reading the above, do you know how to eliminate watchdogs mining virus more effectively? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.