All putty and winscp files downloaded from unofficial websites have backdoors (with cleanup method)

 

Starting address: http://bbs.hpx-party.org/thread-9143-1-1.html

All putty and winscp files downloaded from unofficial websites have backdoors. Check them all over the company. Confirmed by Jinshan network anti-virus engineer Li tiejun.

Putty and winscp are free open-source software. How can I advertise on Baidu? They obviously have backdoors? If you don't know the putty and winscp functions, I will tell you, this is the most common software used to connect to a Linux host. Putty is the command line interface, winscp is used to upload and download files, and putty and winscp with backdoors can intercept all the server passwords you enter. If your company is a website and the server is Linux, it is very likely that the technical staff of your company will be involved. Check it right away.

Check and cleanup Methods

• Check whether/var/log is deleted #/usr/bin/STAT/var/log
  If it is deleted, it indicates it is a trick. If you cannot tell clearly, please reply to this post.
• View/var/log folder content # ls-Al/var/log
  If there are very few files, it indicates it is a trick. If you cannot tell the details, please reply to this post.
• Monitoring process named fsyslog and osysllog #/usr/bin/watch-N 1/bin/PS-afz f \ |/bin/grep Syslog
  If the process is known as fsyslog or osyslog, it indicates it is a trick. Be sure not to confuse it with the normal system log process. If you cannot tell it clearly, please paste it back.
• Check whether the/etc/init. d/sshd File Header has been tampered with #/usr/bin/head/etc/init. d/sshd
  If you cannot tell, please paste it back.
• Check whether the/etc/init. d/sendmail File Header has been tampered with #/usr/bin/head/etc/init. d/sendmail
  If you cannot tell, please paste it back.
• Check whether port 82 of the external connection exists #/bin/netstat-anp |/bin/grep ': 82'
  If yes, but you have not set it, it means you have already won the trick. If you cannot tell it, please reply to this post.
• Check whether there is a link to 98.126.55.226 #/bin/netstat-anp |/bin/grep '98 \. '-- color
  If yes, it indicates that you have already been recruited. If you cannot tell the details, please reply to this post.
• Check the hidden file. fsyslog. osyslog In The/etc folder, and check the hidden file. fsyslog. osyslog in the/lib folder.
  /Usr/bin/find/etc-name '. * '-printf' % A % C % T % m % G: % u % P \ n' |/bin/grep 2012 -- color
  /Usr/bin/find/lib-name '. * '-printf' % A % C % T % m % G: % u % P \ n' |/bin/grep 2012 -- color
  /Usr/bin/find/etc-name 'syslog '-printf' % A % C % T % m % G: % u % P \ n' |/bin/grep 2012 -- color
  /Usr/bin/find/lib-name 'syslog '-printf' % A % C % T % m % G: % u % P \ n' |/bin/grep 2012 -- color
  If you have recently modified a file named fsyslog or osyslog, it indicates that it has been completed. If you cannot tell it clearly, please paste it back.

Recover System Logs

• View the system log folder # ls-Al/var/log
• Create a system log folder #/bin/mkdir/var/log
  If deleted, you need to create
• View System Log Service #/usr/bin/find/etc/init. d/-name '* log *'
  The Log Service used by your server needs to be distinguished. If you cannot tell clearly, please paste it back.
• Disable System Log Service #/sbin/service syslog stop
  The Log service name of your server may be another name. If you cannot tell clearly, please reply to this post.
• Start System Log Service #/sbin/service syslog start
  The Log service name of your server may be another name. If you cannot tell clearly, please reply to this post.
• Create an error log file #/bin/touch/var/log/btmp
• Set User Group for log files with errors #/bin/chown root: utmp/var/log/btmp
• Set the logon log file permissions #/bin/chmod 600/var/log/btmp
• Create a log file #/bin/touch/var/log/wtmp
• Set logon Log File user group #/bin/chown root: utmp/var/log/wtmp
• Set logon log file permissions #/bin/chmod 664/var/log/wtmp

Restore SELinux settings

• View SELinux status #/usr/sbin/sestatus-V
• Check the security context of the/var/log folder #/sbin/restorecon-Rn-VV/var/log
• Restore the security context of the/var/log folder #/sbin/restorecon-r-VV/var/log
• Check the security context of the/etc folder #/sbin/restorecon-Rn-VV/etc 2>/dev/null
• Restore the security context of the/etc folder #/sbin/restorecon-r-VV/etc 2>/dev/null
• Check the security context of the/lib folder #/sbin/restorecon-Rn-VV/lib 2>/dev/null

(Free open-source putty software has been promoted in Baidu)

(The free open-source winscp software has been promoted in Baidu)

These two websites have the same creation time and interface style. If you look at the source code, it should be developed by the same program.

Starting address: http://bbs.hpx-party.org/thread-9143-1-1.html

All putty and winscp files downloaded from unofficial websites have backdoors. Check them all over the company. Confirmed by Jinshan network anti-virus engineer Li tiejun.

Putty and winscp are free open-source software. How can I advertise on Baidu? They obviously have backdoors? If you don't know the putty and winscp functions, I will tell you, this is the most common software used to connect to a Linux host. Putty is the command line interface, winscp is used to upload and download files, and putty and winscp with backdoors can intercept all the server passwords you enter. If your company is a website and the server is Linux, it is very likely that the technical staff of your company will be involved. Check it right away.

Check and cleanup Methods

• Check whether/var/log is deleted #/usr/bin/STAT/var/log
  If it is deleted, it indicates it is a trick. If you cannot tell clearly, please reply to this post.
• View/var/log folder content # ls-Al/var/log
  If there are very few files, it indicates it is a trick. If you cannot tell the details, please reply to this post.
• Monitoring process named fsyslog and osysllog #/usr/bin/watch-N 1/bin/PS-afz f \ |/bin/grep Syslog
  If the process is known as fsyslog or osyslog, it indicates it is a trick. Be sure not to confuse it with the normal system log process. If you cannot tell it clearly, please paste it back.
• Check whether the/etc/init. d/sshd File Header has been tampered with #/usr/bin/head/etc/init. d/sshd
  If you cannot tell, please paste it back.
• Check whether the/etc/init. d/sendmail File Header has been tampered with #/usr/bin/head/etc/init. d/sendmail
  If you cannot tell, please paste it back.
• Check whether port 82 of the external connection exists #/bin/netstat-anp |/bin/grep ': 82'
  If yes, but you have not set it, it means you have already won the trick. If you cannot tell it, please reply to this post.
• Check whether there is a link to 98.126.55.226 #/bin/netstat-anp |/bin/grep '98 \. '-- color
  If yes, it indicates that you have already been recruited. If you cannot tell the details, please reply to this post.
• Check the hidden file. fsyslog. osyslog In The/etc folder, and check the hidden file. fsyslog. osyslog in the/lib folder.
  /Usr/bin/find/etc-name '. * '-printf' % A % C % T % m % G: % u % P \ n' |/bin/grep 2012 -- color
  /Usr/bin/find/lib-name '. * '-printf' % A % C % T % m % G: % u % P \ n' |/bin/grep 2012 -- color
  /Usr/bin/find/etc-name 'syslog '-printf' % A % C % T % m % G: % u % P \ n' |/bin/grep 2012 -- color
  /Usr/bin/find/lib-name 'syslog '-printf' % A % C % T % m % G: % u % P \ n' |/bin/grep 2012 -- color
  If you have recently modified a file named fsyslog or osyslog, it indicates that it has been completed. If you cannot tell it clearly, please paste it back.

Recover System Logs

• View the system log folder # ls-Al/var/log
• Create a system log folder #/bin/mkdir/var/log
  If deleted, you need to create
• View System Log Service #/usr/bin/find/etc/init. d/-name '* log *'
  The Log Service used by your server needs to be distinguished. If you cannot tell clearly, please paste it back.
• Disable System Log Service #/sbin/service syslog stop
  The Log service name of your server may be another name. If you cannot tell clearly, please reply to this post.
• Start System Log Service #/sbin/service syslog start
  The Log service name of your server may be another name. If you cannot tell clearly, please reply to this post.
• Create an error log file #/bin/touch/var/log/btmp
• Set User Group for log files with errors #/bin/chown root: utmp/var/log/btmp
• Set the logon log file permissions #/bin/chmod 600/var/log/btmp
• Create a log file #/bin/touch/var/log/wtmp
• Set logon Log File user group #/bin/chown root: utmp/var/log/wtmp
• Set logon log file permissions #/bin/chmod 664/var/log/wtmp

Restore SELinux settings

• View SELinux status #/usr/sbin/sestatus-V
• Check the security context of the/var/log folder #/sbin/restorecon-Rn-VV/var/log
• Restore the security context of the/var/log folder #/sbin/restorecon-r-VV/var/log
• Check the security context of the/etc folder #/sbin/restorecon-Rn-VV/etc 2>/dev/null
• Restore the security context of the/etc folder #/sbin/restorecon-r-VV/etc 2>/dev/null
• Check the security context of the/lib folder #/sbin/restorecon-Rn-VV/lib 2>/dev/null

(Free open-source putty software has been promoted in Baidu)

(The free open-source winscp software has been promoted in Baidu)

These two websites have the same creation time and interface style. If you look at the source code, it should be developed by the same program.