2025-04-01 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report--
This article explains how to find and remove the Linux Trojan pscan2. The steps are short and easy to follow; work through them in order.
I. Symptoms
The AH field programs are deployed in a distributed fashion, and the deployments differ only in their configuration files. Recently the sz city site frequently failed to process work orders correctly, while the other cities kept running stably.
II. Inspecting the sz host; the steps were as follows:
1. On restarting the application, it reported that its port 3456 was already in use. The command lsof -i:3456 showed that a process belonging to user tel was holding the port.
2. ps showed that the processes of user tel were unfamiliar to us, and no user tel had ever been created on our system.
3. The top command showed the following:
top - 09:58:54 up 524 days, 14:31, 4 users, load average: 3.44, 4.98, 5.75
Tasks: 1715 total, 7 running, 1699 sleeping, 0 stopped, 9 zombie
Cpu(s): 23.3% us, 12.3% sy, 0.0% ni, 64.4% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 4147208k total, 2740256k used, 1406952k free, 23976k buffers
Swap: 4079600k total, 779100k used, 3300500k free, 638748k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
24201 tel 25 0 1468 476 396 R 100 0.0 0:58.78 pscan2
24510 root 17 0 4336 1916 760 R 4 0.0 0:00.30 top
The process pscan2, running as user tel, was consuming 100% CPU. Searching the Internet showed that pscan2 is an old American Trojan whose hallmark is exactly this: very high CPU usage.
It was therefore inferred that the host had been compromised and the Trojan pscan2 implanted on it.
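As an added example (not code from the original article), the following shell function automates the two signals used in steps 1 to 3 above: a process owned by an account that is not on an expected-user list, and a process pinning a CPU. It reads text in the shape of `ps -eo user,pid,pcpu,comm` with the header line removed. The process list below is constructed for the demonstration and is not output from the sz host, and the allowlist of expected accounts (root and bossnm) is an assumption.

```shell
#!/bin/sh
# Added example, not the article's own code: triage a process list for
# (a) owners not on an expected-account allowlist and (b) CPU hogs.
# Input shape: `ps -eo user,pid,pcpu,comm` with the header removed.

# Constructed sample resembling the sz host's state; not real output.
SAMPLE_PS='root 1 0.0 init
bossnm 2201 3.2 java
tel 24201 100.0 pscan2
root 24510 4.0 top
tel 24199 0.1 bash'

# flag_processes "ALLOWED_USERS" CPU_THRESHOLD < ps-output
#   ALLOWED_USERS: space-separated accounts that may legitimately own processes
#   CPU_THRESHOLD: %CPU at or above which an allowed account's process is still reported
# Prints one line per suspicious process: REASON USER PID %CPU COMMAND
flag_processes() {
    awk -v allow="$1" -v thr="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 4 {
        user = $1; pid = $2; cpu = $3 + 0; cmd = $4
        if (!(user in ok))
            printf "unexpected-user %s %s %s %s\n", user, pid, $3, cmd
        else if (cpu >= thr)
            printf "high-cpu %s %s %s %s\n", user, pid, $3, cmd
    }'
}

# Runs the check over the constructed sample with the assumed allowlist.
triage_sample() {
    printf '%s\n' "$SAMPLE_PS" | flag_processes "root bossnm" 90
}

triage_sample
```

On a live host replace the sample with `ps -eo user,pid,pcpu,comm | tail -n +2 | flag_processes "root bossnm" 90`; every line it prints deserves the lsof and ps follow-up the article performed.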
III. Locating the Trojan pscan2
As root, su to tel and inspect the user's home directory. It contains a hidden directory named "..." (three dots), a name chosen to be confused with the "." and ".." entries that ls -al always prints first; a quick glance easily misses it. Entering the directory shows that the Trojan program pscan2 was implanted there.
# ls -al
total 84
drwx------  5 503  503  4096 Aug 24 10:26 .
drwxr-xr-x  4 root root 4096 2007-08-30  ..
drwxrwxr-x  6 503  503  4096 Aug 24 09:54 ...
-rw-------  1 503  503  6936 Aug 24 10:45 .bash_history
-rw-r--r--  1 503  503    24 2006-11-03  .bash_logout
-rw-r--r--  1 503  503   191 2006-11-03  .bash_profile
(The owner and group are shown as the numeric ID 503 rather than a name; ls does this when no passwd or group entry maps that ID at the time of the listing.)
IV. Removing the Trojan pscan2; the steps are as follows:
1. Kill all processes of user tel
# pkill -9 -U tel
2. Delete user tel
# userdel tel
3. Deleting the group fails:
# groupdel tel
groupdel: cannot remove user's primary group.
4. Searching the passwd and group files shows that another user, bossnm, still has the tel group as its primary group.
The group file contains the following line, where 503 is the group ID:
tel:x:503:
passwd contains the following line, where the 503 in the fourth field means that this user's primary group is the group with GID 503:
bossnm:x:500:503::/export/home/bossnm
5. Delete user bossnm, then group tel
# userdel bossnm
# groupdel tel
(If bossnm is a legitimate account, reassigning its primary group with usermod -g <othergroup> bossnm would also let groupdel tel succeed without removing the user.)
6. Delete all Trojan files under the tel user's home directory. Note that userdel without -r leaves the home directory in place, so the hidden "..." directory and everything in it must be removed explicitly.
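As an added example (not the article's own code), the following shell functions perform the check behind steps 3 to 5: before running groupdel, list every account whose primary GID is the group's GID, which is what produces "groupdel: cannot remove user's primary group". SAMPLE_PASSWD and SAMPLE_GROUP are constructed to mirror the article's entries (tel is GID 503, bossnm has 503 as primary group); the shells and the extra root and nobody entries are assumptions, not copies of the real files.

```shell
#!/bin/sh
# Added example, not from the article: find which accounts still use a
# group as their primary group, so groupdel can be planned instead of
# failing with "cannot remove user's primary group".

# Constructed samples modelled on the article's entries; not real files.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bossnm:x:500:503::/export/home/bossnm:/bin/bash
tel:x:503:503::/home/tel:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin'

SAMPLE_GROUP='root:x:0:
bossnm:x:500:
tel:x:503:
nobody:x:99:'

# group_gid GROUPNAME GROUPFILE
#   Prints the numeric GID of GROUPNAME, or nothing if the group is absent.
group_gid() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2"
}

# primary_members GROUPNAME PASSWDFILE GROUPFILE
#   Prints the login name of every account whose primary GID (4th passwd
#   field) equals the GID of GROUPNAME. Returns 1 if the group is unknown.
primary_members() {
    gid=$(group_gid "$1" "$3")
    [ -n "$gid" ] || return 1
    awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
}

# Reproduces the article's situation after "userdel tel": the tel line is
# gone from passwd, yet bossnm still blocks "groupdel tel".
demo_after_userdel_tel() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PASSWD" | grep -v '^tel:' > "$tmp/passwd"
    printf '%s\n' "$SAMPLE_GROUP" > "$tmp/group"
    primary_members tel "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}

demo_after_userdel_tel   # prints: bossnm
```

On a real system call `primary_members tel /etc/passwd /etc/group`; each name it prints must either be deleted or moved to another primary group with usermod -g before groupdel tel will succeed.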
After these steps the system returned to normal. Two caveats remain: creating a local account requires root, so whoever added user tel had root on this host at some point, and nothing above identifies how they got it; and the uptime of 524 days in the top output means the host has not been rebooted, and so not had a kernel update applied, in well over a year. Removing the account and its files clears the symptom, but the entry vector still has to be found and closed.