A contact with the Linux virus

Source: Internet
Author: User

Environment Description:

1. Linux version information

Linux version 2.6.18-308.el5pae ([email protected]) (GCC version 4.1.2 20080704 (Red Hat 4.1.2-50)) #1 SMP Fri Jan 27 17:40:09 EST 2012

2. Two servers running dual-machine (high-availability) software, both on the same Linux version

Symptoms:

Users reported problems with the dual-machine software: remote connections had become very slow. Later the on-site staff found that both servers were behaving abnormally; after unplugging the network cable of one of them, the network returned to normal.

The inspection process was as follows:

1. top command

An abnormal process was found, as shown below:

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
3681 root 0 102m 1072 S 99.2 0.0 140:04.00 tufei34

2. The file was downloaded and uploaded to a virus-analysis website, which confirmed it as a virus

http://r.virscan.org/report/5888f36785a5cc5122d5b1083e55f7df

3. ps command to view the related processes (pstree -p <PID> shows the process tree)

ps -ef | grep tufei34

4. See which files the process has open

lsof -p 3618

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
tufei34 3618 root cwd DIR 104,2 4096 21594182 /etc/rc.d/init.d
tufei34 3618 root rtd DIR 104,2 4096 2 /
tufei34 3618 root txt REG 104,2 1223123 21594129 /etc/tufei34

5. /proc: enter the process's directory (/proc/<PID>) and inspect these files

cmdline, environ, exe
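The ps / lsof / /proc inspection above can be wrapped in a small triage helper. The script below is an added example, not part of the original post: it reads cmdline, exe, cwd and environ for a PID the way the write-up does by hand, and adds two defender-side checks (executable living outside the usual system directories, executable deleted while still running). It assumes a Linux-style /proc layout; the optional PROCROOT argument, the SYSTEM_BIN_DIRS list and the "outside system dirs" heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): /proc triage for a suspicious PID.
# Assumes a Linux /proc layout; PROCROOT lets the functions run against a
# constructed tree for testing.

# Heuristic assumption of this example: binaries normally execute from here.
SYSTEM_BIN_DIRS="/bin /sbin /usr /lib /lib64 /opt"

# proc_summary PID [PROCROOT]
# Prints one line each for cmdline, exe, cwd and environ.
# Returns 1 when the process directory does not exist.
proc_summary() {
    pid="$1"
    root="${2:-/proc}"
    dir="$root/$pid"
    [ -d "$dir" ] || { echo "no such process: $pid" >&2; return 1; }
    # cmdline and environ are NUL-separated; render them with spaces
    printf 'cmdline: %s\n' "$(tr '\0' ' ' < "$dir/cmdline" | sed 's/ *$//')"
    # exe and cwd are symlinks; readlink still works if the target is gone
    printf 'exe: %s\n' "$(readlink "$dir/exe" 2>/dev/null || echo '(unreadable)')"
    printf 'cwd: %s\n' "$(readlink "$dir/cwd" 2>/dev/null || echo '(unreadable)')"
    printf 'environ: %s\n' "$(tr '\0' ' ' < "$dir/environ" 2>/dev/null | sed 's/ *$//')"
}

# exe_outside_system_dirs PID [PROCROOT]
# Returns 0 when the executable path is not under SYSTEM_BIN_DIRS (e.g. /etc,
# /tmp, /dev/shm), 1 otherwise or when exe cannot be read.
exe_outside_system_dirs() {
    exe=$(readlink "${2:-/proc}/$1/exe" 2>/dev/null) || return 1
    for d in $SYSTEM_BIN_DIRS; do
        case "$exe" in
            "$d"/*) return 1 ;;
        esac
    done
    return 0
}

# exe_deleted PID [PROCROOT]
# Returns 0 when the kernel marks the executable as deleted, i.e. the file was
# removed from disk while the process kept running.
exe_deleted() {
    exe=$(readlink "${2:-/proc}/$1/exe" 2>/dev/null) || return 1
    case "$exe" in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on a live host, with the PID from the page's top output:
#   proc_summary 3681
#   exe_outside_system_dirs 3681 && echo "executable outside system directories"
#   exe_deleted 3681 && echo "executable deleted on disk"
```

Run it as root so that exe and environ of other users' processes are readable; on the page's host the binary would be reported as /etc/tufei34 with cwd /etc/rc.d/init.d, which is exactly what lsof showed.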

From the analysis above the way the virus operates is roughly understood, and a simple clean-up was carried out.

It appears to be an SSH intrusion: it records account passwords and sends them out by mail (the files under /var/spool/mail/ all contain account passwords), starts its process, and copies and executes the virus file over SSH connections,

occupying CPU and bandwidth over the long term.

1. init.d folder

A script that starts the virus was found in /etc/rc.d/init.d/DBSECURITYSPT:

#!/bin/bash
#/etc/tufei34

2. Find the virus executable and delete it

whereis tufei34 or find / -type f -name tufei34

3. Kill the related processes

killall -g tufei34

4. Change the SSH port and restart the sshd service

vi /etc/ssh/sshd_config

5. Handling of the dual-machine services

The service was re-entered in the dual-machine software, the cluster was switched over and the standby machine was restarted; testing was normal, and everything has been normal since.
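Two of the clean-up steps above (the init.d persistence and the sshd port change) are easy to get wrong or leave half-done, so here is an added example, not part of the original post, that checks them: it lists init scripts referencing the malicious binary, lists recently modified init scripts, and parses the port(s) sshd will actually listen on after sshd_config is edited. Directory and file paths are passed in by the caller; the values from the write-up are /etc/rc.d/init.d and /etc/tufei34.

```shell
#!/bin/sh
# Added example (not from the original post): verify the persistence and
# sshd-port clean-up steps. All paths are supplied by the caller.

# find_initd_refs INITD_DIR STRING
# Lists every file under INITD_DIR containing STRING, e.g. the binary path
# reported by lsof. Returns 1 when nothing matches.
find_initd_refs() {
    grep -rlF -- "$2" "$1" 2>/dev/null
}

# recent_initd_files INITD_DIR DAYS
# Lists files under INITD_DIR modified within the last DAYS days; a freshly
# dropped start script stands out among long-unchanged system scripts.
recent_initd_files() {
    find "$1" -type f -mtime -"$2" 2>/dev/null
}

# sshd_listen_ports SSHD_CONFIG
# Prints the value of each active (uncommented) Port directive, one per line,
# or 22 when the file sets none, which is sshd's default. A commented
# "#Port 22" left in place does not count, which is a common editing mistake.
sshd_listen_ports() {
    ports=$(sed -n 's/^[[:space:]]*[Pp][Oo][Rr][Tt][[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1")
    if [ -n "$ports" ]; then
        printf '%s\n' "$ports"
    else
        echo 22
    fi
}

# Usage on a live host, with the paths from the write-up:
#   find_initd_refs /etc/rc.d/init.d /etc/tufei34
#   recent_initd_files /etc/rc.d/init.d 30
#   sshd_listen_ports /etc/ssh/sshd_config
```

After removing the start script and the binary, find_initd_refs should print nothing; after restarting sshd, the port printed by sshd_listen_ports should match what ss or netstat shows the daemon bound to.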
