Remember to manually clean up the Linux mine-mining virus

Date: May 16, 2018

Cause: A company's OPS personnel on the IPs of the Green League have monitored the malicious events that have dug the "door", the affected machines are the company's big data servers and other Linux servers.

I'm also gig. For the first time to solve the mining virus event running on Linux, since there was no dedicated Linux mining cleanup tool, I began to analyze the information provided on the IPs.

Since the Department was sensitive to the protection of the data, and did not take pictures of the operation, I could only comb the whole event based on the notes I had recorded and the vaguely memorized memories.

Information provided by IPs:

1: Affected IP

2: Address of the affected host connection (158.69.133.18)

3: Event name (specific name forgotten, presumably meaning, digging the door of the currency of the malicious event), followed by the occurrence of the time

Based on this information, and combined with the lack of Linux anti-virus software This situation, I tidied up my work ideas

1: Find the mining process

2: Find related processes

3: Clean up

4: Organize your documents

If you want to clear your mind, start working.

Because at that time too pay attention to "mining" the word, I came up in that command line under the top command, ready to find those suspicious of the memory of the large-sized process, watching the process of rushing constantly in front of the flow, his heart some panic, a lot of process resources are very high. Because it is a cloud computing server, there are a lot of processes themselves are not clear, the result itself in those normal process spent a lot of time and did not find a problem process.

Then I change the key to start with, from that address (158.69.133.18) of the outreach.

Input command:NETSTAT-ANP | grep "158.69.133.18"

At that time, I was really lucky, and really found the link Baidu is the address of the Canadian IP (158.69.133.18). The reason for saying that you are lucky is because there is a "strange" phenomenon in the back.

When he found the malicious process, the next side of the operator is also very happy, hurriedly put my command to other departments, let them also find.

It is because of her positive that the following "strange" events are drawn.

Other department operators, using the command (netstat-anp | grep "158.69.133.18"), some reaction said found, some said no.

When said no, I thought they entered the wrong, the result of their own re-entered the command, returned to the unexpectedly blank.

"Did the virus maker find out that we were looking for his malicious program?" he said. "I was thinking about it and looking at the alarm on the IPs.

I suddenly think of these XXX events on the time, using the IPs condition filtering, I analyzed the Linux server IP address to the output, and select this event number, enter.

Looking at the refreshed data, I see the information I want to know, the affected host is not the real-time connection to that IP (158.69.133.18), each time the connection interval is about half an hour.

"Can't wait half an hour to analyze the problem again," I thought in my mind, and I entered NETSTAT-ANP under the command line. Watching a lot of process come out, no idea to look at a lot of data on the sleepy. Idle to go up these data, I also in the fantasy if I get a server, what I want to do, leave the back door! Hurriedly add a grep statement after NETSTAT-ANP, this time grep bash. The complete command is NETSTAT-ANP | grep bash.

Sure enough, I was still so lucky, a filtered result came out. Filtered out the results, I cautious Baidu a bit of that IP, vaguely remember is an address of the United States. Let the other OPS filter bash this keyword, also found that the abnormal process.

Follow through, keep going deep, lest this process go away again, enter the command:ps-ef | grep PID(the exception of the process IP, I did not record this ID number)

Then came out a file path, then the note was a file under the/tmp/.lsb/path

This is the file in that file, then there are two folders (H32 and h64), then copied to the computer results were directly killed by WIN10 Windows Defender. At that point was a file under the H32.

After keeping the virus sample, kill the process and delete the folder.

Finally find an unusual scheduled task in the scheduled task, delete it.

Last observed four hours, the IPs do not have this server alarm information, on the server also found no other abnormal process.

I tidied up, clean up the steps, that is, the orders, forwarded to the other in the mining of the virus of the operation and maintenance personnel. Let them deal with it themselves.

Of course during this period, also found other mining virus, some really very severe (jiao) harm (Hua), through the detection of the CPU, as long as the 25% to kill off their own.

Pay for a different file found on another server

The two files with the suffix jpg are actually two scripts, which are viewed in a text editor (section below)

If it is not the IPs on the alarm, but also really do not know that their server has become someone else's mining chicken.

Summary: daily operations to see if there is an abnormal login, to see the management of the server log. The erection of the security equipment can be with the boss to mention, or you have to look at their own responsible server to often look at the log, to see if there is a new process. Otherwise out of the matter, can not solve, ready to back the pot.

Remember to manually clean up the Linux mine-mining virus