2025-02-24 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
Symptoms:
A process with a random-letter name eats a lot of CPU and network bandwidth (the screenshot from the original post is not included here).
lsof shows it connected to the IP 59.36.97.141, which is located in Dongguan.
Immediately after it is killed, a new process with another random-letter name is spawned and carries on (also shown in a screenshot that is not included here).
There may be two reasons: either another process is guarding it, or a system service setting restarts it.
1. Finding the guardian process
pstree shows that there are actually two such processes, both named with 10 random letters.
Call the one showing the abnormal behaviour A and the one hidden behind it B.
2. Check the system service settings:
I looked at crontab and found a script that is executed every 3 minutes. Following it, I found a program disguised as a library; `file` showed it is actually a real executable. `ps` showed no process with that name, so it has probably renamed itself and hidden. What is its relation to B? I then simply deleted the library file libudev.so and, damn, found that just like A it was immediately reborn. So I suspect the two guard each other. I tried killing both at the same time, but that still did not work.
Looking at init.d, I found that /usr/bin/A is the location of A. Earlier, pwdx could not find A's path, so the virus presumably modifies the information under /proc/<pid>. There are also symlinks to the init.d script in the runlevel directories, under both /etc/rcX.d and /etc/rc.d/rcX.d.
Putting the information above together gives the solution:
kill.sh (usage: sh kill.sh <10-letter process name> <pid>):
#!/bin/sh
S90="S90${1}"
K90="K90${1}"
# remove the init.d start/kill links from every runlevel directory, in both layouts
rm -f /etc/rc0.d/${K90} /etc/rc1.d/${S90} /etc/rc2.d/${S90} /etc/rc3.d/${S90} /etc/rc4.d/${S90} /etc/rc5.d/${S90} /etc/rc6.d/${K90}
rm -f /etc/rc.d/rc0.d/${K90} /etc/rc.d/rc1.d/${S90} /etc/rc.d/rc2.d/${S90} /etc/rc.d/rc3.d/${S90} /etc/rc.d/rc4.d/${S90} /etc/rc.d/rc5.d/${S90} /etc/rc.d/rc6.d/${K90}
# remove the script that crontab executes every 3 minutes
# (the crontab line that calls it, if present, still has to be removed by hand)
rm -f /etc/cron.hourly/gcc.sh
# stop the virus program from being reborn: strip the binary's permissions and make
# each directory immutable so a new copy cannot be written there
# (while /tmp is immutable, other programs cannot create temp files either, so run recovery.sh promptly)
for d in /usr/bin /bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/X11R6/bin /tmp; do
    [ -e "$d/${1}" ] && chmod 000 "$d/${1}"
    chattr +i "$d"
done
# kill the virus and remove the fake library
kill -9 ${2}
rm -f /lib/libudev.so*
After the kill, run recovery.sh to lift the immutable flag from the directories again:
#!/bin/sh
for d in /usr/bin /bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/X11R6/bin /tmp; do
    chattr -i "$d"
done
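As an added example (not from the original post), the following POSIX sh audit looks for the four persistence artefacts found above, so the check can be repeated on other hosts, or on a mounted disk image, before and after running kill.sh. The ROOT argument, the 10-lowercase-letter name heuristic and the ELF e_type test are my assumptions, not something the post describes.

```shell
#!/bin/sh
# Added example, not from the original post: audit a host (or a mounted
# image under ROOT) for the persistence artefacts described above.
# Prints one line per finding and a final "findings: N" summary.
audit_persistence() {
    root="${1:-}"   # "" means the live root filesystem
    found=0
    # 1. Runlevel links: S90/K90 followed by the 10-letter service name.
    for d in "$root"/etc/rc[0-6].d "$root"/etc/rc.d/rc[0-6].d; do
        [ -d "$d" ] || continue
        for l in "$d"/S90?????????? "$d"/K90??????????; do
            [ -L "$l" ] || [ -e "$l" ] || continue
            echo "rc-link: $l -> $(readlink "$l" 2>/dev/null)"
            found=$((found + 1))
        done
    done
    # 2. The cron dropper the post found under /etc/cron.hourly.
    if [ -e "$root/etc/cron.hourly/gcc.sh" ]; then
        echo "cron: $root/etc/cron.hourly/gcc.sh"
        found=$((found + 1))
    fi
    # 3. A "library" that is really a program: a genuine libudev.so is an ELF
    #    shared object (e_type 3); the fake one was a plain executable (e_type 2,
    #    assumption: non-PIE). e_type is the little-endian 16-bit value at
    #    offset 16 of the ELF header.
    for f in "$root"/lib/libudev.so*; do
        [ -f "$f" ] || continue
        etype=$(od -An -tu2 -j16 -N2 "$f" 2>/dev/null | tr -d ' ')
        if [ "$etype" = "2" ]; then
            echo "fake-lib: $f (ELF e_type=$etype: executable, not a shared object)"
            found=$((found + 1))
        fi
    done
    # 4. Candidate binaries: exactly 10 lowercase letters, in the directories
    #    kill.sh locks down. Legitimate names can match too; review by hand.
    for d in /usr/bin /bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /tmp; do
        for f in "$root$d"/??????????; do
            [ -f "$f" ] || continue
            case "${f##*/}" in
                *[!a-z]*) ;;                                   # has a non-letter: skip
                *) echo "candidate: $f"; found=$((found + 1)) ;;
            esac
        done
    done
    echo "findings: $found"
}
```

Source the file and call `audit_persistence` with no argument for the live system, or with the mount point of an image (for example `audit_persistence /mnt/image`).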
Reflection:
When and how did the virus get in?
Some of the virus's characteristics are instructive for server development.
I am a beginner; experts, please advise.
Please credit the source when reposting.