Shulou(Shulou.com)06/01 Report--

Two days ago, a server lost packets as soon as it was connected to the network, intermittently, and traffic monitoring showed that the traffic was very high. It was suspected that it was *, but after 80 ports were closed, the problem remained the same, and it was no surprise whether there was a virus in the server.

Netstat-nltp

Three suspicious links were found with the following file names

Sfewfesfs

Sshdd14XXXXXXXX (a string of random numbers)

Sshhdd14XXXXXXXX (a string of random numbers)

View the file process PID path

Ps-axu | grep-I sfewfesfs

Ps-axu | grep-I sshdd14*

Ps-axu | grep-I sshhdd14*

Found sfewfesfs and nhgbhhj under / etc

First remove the delete permission chattr-I / etc/sfewfesfs*

Rm-rf / etc/sfewfesfs*

Delete the suspicious files named nhgbhhj when you see them.

Rm-rf / etc/nhgbhhj

Rm-rf / etc/nhgbhhj*

Delete scheduled tasks to prevent the virus from reproducing

Rm-rf / var/spool/cron/root

Rm-rf / var/spool/cron/root.1

Use ls-al / etc to see .SSH2 (and possibly .SSHH2) to hide files and delete

Rm-rf / etc/.SSH2

Rm-rf / etc/.SSHH2

Use ls-al / tmp to see .sshdd14XXXXXXXX (a string of random numbers) or .sshhdd14XXXXXXXX (a string of random numbers) to hide the file, delete

Rm-rf / tmp/.sshdd14*

Rm-rf / tmp/.sshhdd14*

After restarting the server, everything returned to normal.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.