Some time ago the company network became unstable: access to both the public network and the intranet suffered packet loss and at times was unreachable altogether. Logging in to the gateway to check the monitoring, I found that the OA server's outbound traffic was abnormal and that it was connected to a foreign IP address.
I then tried to log in to the OA server to troubleshoot, but could not log in and ping showed heavy packet loss. My guess was that the server's CPU, connection count or bandwidth was saturated, which made logging in impossible.
The OA server is a virtual machine deployed on an ESXi host. Unable to log in to ESXi either, I first unplugged the ESXi network cable to stop the server from sending traffic out.
Then I plugged the cable into a notebook directly connected to the ESXi server, set the notebook to the gateway IP 192.168.1.1, and was then able to ping the OA server and remote into it.
After a morning of antivirus cleanup the Trojan was removed, and I followed up with hardening: firewall tuning, running the OA process with low privileges, security patches and other reinforcement measures.
Looking for clues to the intrusion, I found that the attacker got in through a vulnerability in the OA software and implanted the Trojan program; all of the operations were recorded in the OA log. Finally I contacted the vendor and submitted the software vulnerability.
Killing the Trojan is only the last remedy, to reduce the loss. What matters most is improving security awareness: harden the system on every externally facing server, monitor it, audit operations and patch promptly. Blog address: http://qicheng0211.blog.51cto.com
The following summarizes my experience of killing Trojans on Linux.
I. Finding traces of the intrusion
View recently logged-in accounts and their login times:
last
lastlog
Locate the IP addresses of successful remote logins:
grep -i accepted /var/log/secure
Check for scheduled tasks:
/var/spool/cron/
/etc/cron.hourly
/etc/crontab
Find Trojan files by the file's status change time (ctime):
find / -ctime 1
Check /etc/passwd and /etc/shadow for suspicious users.
Check the temporary directories /tmp, /var/tmp and /dev/shm; their permissions are 1777 (world-writable), which makes them easy places to drop Trojan files.
Check the logs of services exposed on external ports, such as Tomcat and Nginx.
View the currently running services:
service --status-all | grep running
View the services started at boot:
chkconfig --list | grep :on
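To make the accepted-login check above easier to read on a busy server, here is an added example (not from the original post) that aggregates accepted SSH logins per user and source IP from /var/log/secure-style lines and flags sources outside the intranet. The log lines inside it are constructed samples, and 192.168.1. is an assumed intranet prefix.

```shell
# Added example (not from the original post): summarize accepted SSH logins from
# /var/log/secure-style lines, the same data "grep -i accepted /var/log/secure"
# returns, aggregated per user and source IP, then flag sources outside the
# intranet. The log lines are constructed samples; 192.168.1. is an assumed prefix.

SAMPLE_SECURE_LOG='May 23 09:12:01 oa sshd[2141]: Accepted password for root from 192.168.1.20 port 50122 ssh2
May 23 09:14:17 oa sshd[2160]: Failed password for root from 203.0.113.45 port 41002 ssh2
May 23 09:14:21 oa sshd[2160]: Accepted password for root from 203.0.113.45 port 41002 ssh2
May 23 10:02:44 oa sshd[2311]: Accepted publickey for admin from 192.168.1.20 port 50210 ssh2
May 23 10:05:09 oa sshd[2330]: Accepted password for root from 203.0.113.45 port 41210 ssh2'

# Usage: accepted_logins "<log text>"
# Prints "count user ip" for each accepted (user, source IP) pair, most frequent first.
accepted_logins() {
    printf '%s\n' "$1" | grep -i 'accepted' \
    | awk '{ for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i + 1); if ($i == "from") ip = $(i + 1) }
             print user, ip }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2, $3 }'
}

# Usage: foreign_logins "<log text>" <trusted prefix>
# Prints the source IPs of accepted logins that do not start with the trusted
# prefix, i.e. the sessions to check first (in the post's case, a foreign IP).
foreign_logins() {
    accepted_logins "$1" | awk -v prefix="$2" 'index($3, prefix) != 1 { print $3 }' | sort -u
}
```

On a real server, replace the embedded sample with `"$(cat /var/log/secure)"` and pass your own intranet prefix.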
II. Commands commonly used when killing Trojans
1. ps, top
View the running processes and their system resource usage to find the abnormal process.
2. pstree
Display the relationships between processes as a tree.
3. lsof
View the files a process has open, which process is holding a file or directory, which process has opened a port, all open ports on the system, and so on.
4. netstat
View all the ports the system is listening on and the network connections, and find IP addresses with too many connections, and so on.
5. iftop
Monitor the real-time network traffic of TCP connections; it can analyze and sort traffic by direction to find the IP addresses with abnormal traffic.
6. nethogs
Monitor the network traffic used by each process, sorted from high to low, which makes it easy to find the process with abnormal traffic.
7. strace
Trace the system calls made by a process, to analyze what the Trojan does.
8. strings
Print the printable strings in a file; useful for analyzing a Trojan program.
III. Rootkit detection tools
chkrootkit and rkhunter are tools commonly used on Linux to detect rootkits and backdoors.
1. chkrootkit
Project home: http://www.chkrootkit.org/
Install chkrootkit:
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# tar zxvf chkrootkit.tar.gz
# cd chkrootkit-*
# yum install gcc gcc-c++ glibc* make
# make sense
Run the check:
# ./chkrootkit
chkrootkit's checks use some system commands: awk, cut, egrep, find, head, id, ls, netstat, ps, strings, sed, uname.
These system commands may have been replaced on the compromised system, so the results of chkrootkit would then be unreliable. To avoid using these untrusted commands, we can use the '-p' option to specify an alternate path for the commands.
First, back up the dependent commands on another, clean system:
# mkdir /backup/commands -p
# which --skip-alias awk cut egrep find head id ls netstat ps strings sed uname | xargs -i cp {} /backup/commands
# tar cvzfp commands.tar.gz /backup/commands
Then upload the archive to the server, unpack it into the /backup/commands directory, and run the check:
# ./chkrootkit -p /backup/commands
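As an added example (not from the original post), the following script compares the live copies of the commands chkrootkit depends on against the clean copies backed up as described above, so a replaced ps or netstat is noticed before any tool output is trusted. Both directory paths are parameters, and demo_compare exercises the check on constructed files.

```shell
# Added example, not part of the original post: check the live copies of the
# commands chkrootkit depends on against the clean copies backed up under
# /backup/commands, and report any binary whose hash differs (a replaced ps or
# netstat hides a rootkit from every tool that relies on it). Both directories
# are parameters; demo_compare exercises the check on constructed files.

CHKROOTKIT_DEPS="awk cut egrep find head id ls netstat ps strings sed uname"

file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Usage: compare_commands <trusted_dir> <live_dir>
# Prints "OK name", "MODIFIED name" or "MISSING name" per command and returns 1
# if anything differs, so it can gate the chkrootkit -p run.
compare_commands() {
    trusted="$1"; live="$2"; rc=0
    for cmd in $CHKROOTKIT_DEPS; do
        if [ ! -f "$live/$cmd" ]; then
            echo "MISSING $cmd"; rc=1
        elif [ "$(file_hash "$trusted/$cmd")" != "$(file_hash "$live/$cmd")" ]; then
            echo "MODIFIED $cmd"; rc=1
        else
            echo "OK $cmd"
        fi
    done
    return $rc
}

# Constructed demo: a clean tree and a live tree with a tampered ps and no netstat.
demo_compare() {
    tmp=$(mktemp -d); mkdir "$tmp/trusted" "$tmp/live"
    for cmd in $CHKROOTKIT_DEPS; do
        printf 'clean %s binary (constructed)\n' "$cmd" > "$tmp/trusted/$cmd"
        cp "$tmp/trusted/$cmd" "$tmp/live/$cmd"
    done
    printf 'trojaned ps (constructed)\n' > "$tmp/live/ps"
    rm "$tmp/live/netstat"
    compare_commands "$tmp/trusted" "$tmp/live" && rc=0 || rc=$?
    rm -rf "$tmp"; return $rc
}
```

On the compromised host the real call is `compare_commands /backup/commands /bin` (or /usr/bin, depending on where the distribution keeps these binaries).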
2. rkhunter
rkhunter has a wider scanning range than chkrootkit. In addition to rootkit signature scanning, rkhunter also supports port checks, version checks of common open source software, file change checks and more.
Project home: http://rkhunter.sourceforge.net/
Install rkhunter:
# wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
# tar xzvf rkhunter*
# cd rkhunter*
# ./installer.sh --layout /usr --install
Update the rkhunter database:
# rkhunter --update
Start the check (output in Chinese):
# rkhunter --lang cn -c --sk
The --rwo parameter outputs only the warnings:
# rkhunter --lang cn -c --sk --rwo
We can also specify the log file to write with the -l parameter:
# rkhunter --lang cn -c --sk -l rkhunter.log
Generate the file-properties baseline on a clean system:
# rkhunter --propupd
Scheduled scan (crontab entry):
0 5 * * * /usr/local/bin/rkhunter --cronjob -l --rwo
IV. ClamAV antivirus engine
ClamAV is an open source antivirus engine used to detect Trojans, viruses, malware and other malicious threats. It supports Windows, Linux, Mac OS X and other operating systems.
Project address: http://www.clamav.net/
First install the EPEL software source:
# wget http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm
# sed -i 's/^mirrorlist=https/mirrorlist=http/' /etc/yum.repos.d/epel.repo
# yum makecache fast
Download and install ClamAV:
# yum install yum-plugin-downloadonly -y
# yum install clamav -y --downloadonly --downloaddir=./
# rpm -ivh clamav*
ClamAV creates a script in the /etc/cron.daily/ directory that updates the virus database automatically; it runs every day.
To update the virus database manually:
# freshclam
To view the version and virus database date:
# clamscan -V
To scan the root directory with ClamAV:
# clamscan -r -i / -l /tmp/clamav.log
Further scan suspicious directories and remove the Trojan files:
# clamscan -r -i /usr/bin --remove
-r	scan directories recursively
-i	output only information about infected files
-l	path of the scan log file
--move	move infected files to the specified directory
--remove	delete infected files directly
We can also download the virus database manually:
http://db.cn.clamav.net/daily.cvd
http://db.cn.clamav.net/main.cvd
http://db.cn.clamav.net/safebrowsing.cvd
http://db.cn.clamav.net/bytecode.cvd
After downloading the files into a folder, we can use the -d parameter to specify the path of the virus database folder when scanning, for example:
# clamscan -r -i / -d ./clamav-db
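The following is an added example, not the author's script: a wrapper for the scheduled scan that quarantines hits with --move instead of deleting them with --remove (so a false positive under /usr/bin can be restored) and turns the "Infected files" line of the clamscan log into an exit status a cron job can alert on. /var/quarantine is an assumed path, and the log excerpt in demo_parse is constructed.

```shell
# Added example, not part of the original post: wrap the daily clamscan run so
# that hits are quarantined (--move) rather than deleted (--remove), which lets a
# false positive under /usr/bin be restored, and report infected files through
# the exit status so a cron job can alert. /var/quarantine is an assumed path;
# the log excerpt in demo_parse is constructed, not real scanner output.

QUARANTINE=/var/quarantine

# Usage: summarize_clamscan_log <logfile>
# Prints "FOUND <path> <signature>" for each hit line ("<path>: <sig> FOUND")
# and returns the "Infected files:" count from the summary (0 if absent).
# Paths containing spaces are not handled by this simple field split.
summarize_clamscan_log() {
    awk '/ FOUND$/ { sub(":$", "", $1); print "FOUND", $1, $2 }
         /^Infected files:/ { n = $3 }
         END { exit n + 0 }' "$1"
}

# Daily job: recursive scan of / with the log path used in the post.
# clamscan itself exits 1 when something is found; the log decides the status.
run_daily_scan() {
    mkdir -p "$QUARANTINE"
    clamscan -r -i / -l /tmp/clamav.log --move="$QUARANTINE" >/dev/null 2>&1 || true
    summarize_clamscan_log /tmp/clamav.log
}

# Exercise the parser on a constructed log; returns the infected count (2).
demo_parse() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
/tmp/.hidden/svchost: Unix.Trojan.Agent-1234567 FOUND
/var/tmp/.x/kthreadd: Unix.Malware.Agent-7654321 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6000000
Scanned files: 120000
Infected files: 2
EOF
    summarize_clamscan_log "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return $rc
}
```

A crontab line such as `0 3 * * * /usr/local/bin/clamscan-daily.sh || logger -t clamav "infected files found"` (assumed script name) turns the non-zero status into a syslog alert.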
This article is from the "Start Linux blog" blog, make sure to keep this source http://qicheng0211.blog.51cto.com/3958621/1928738
Linux Trojan Horse Experience Summary