Starting address: http://bbs.hpx-party.org/thread-9143-1-1.html
All PuTTY and WinSCP copies downloaded from unofficial websites have backdoors. Check every machine in the company. Confirmed by Jinshan network anti-virus engineer Li Tiejun.
PuTTY and WinSCP are free open-source software, so why would anyone pay to advertise them on Baidu? They obviously have backdoors. If you don't know what PuTTY and WinSCP do, I will tell you: they are the most common software used to connect to a Linux host. PuTTY is the command-line client and WinSCP is used to upload and download files, and backdoored PuTTY and WinSCP can intercept every server password you enter. If your company runs a website on a Linux server, it is very likely that your technical staff have been hit. Check right away.
Check and cleanup methods
- Check whether /var/log has been deleted # /usr/bin/stat /var/log
If it has been deleted, you have been hit. If you cannot tell, please reply to this post.
- View the contents of /var/log # ls -al /var/log
If there are very few files, you have been hit. If you cannot tell, please reply to this post.
- Watch for processes named fsyslog and osyslog # /usr/bin/watch -n 1 '/bin/ps -ef --forest | /bin/grep syslog'
If a process named fsyslog or osyslog shows up, you have been hit. Be careful not to confuse it with the normal system log process. If you cannot tell, please paste the output back here.
- Check whether the header of /etc/init.d/sshd has been tampered with # /usr/bin/head /etc/init.d/sshd
If you cannot tell, please paste the output back here.
- Check whether the header of /etc/init.d/sendmail has been tampered with # /usr/bin/head /etc/init.d/sendmail
If you cannot tell, please paste the output back here.
- Check whether there is an external connection on port 82 # /bin/netstat -anp | /bin/grep ':82'
If there is one and you did not set it up, you have been hit. If you cannot tell, please reply to this post.
- Check whether there is a connection to 98.126.55.226 # /bin/netstat -anp | /bin/grep --color '98\.'
If there is, you have been hit. If you cannot tell, please reply to this post.
- Check for the hidden files .fsyslog and .osyslog in the /etc folder, and for the hidden files .fsyslog and .osyslog in the /lib folder:
/usr/bin/find /etc -name '.*' -printf '%Ac %Cc %Tc %m %G:%u %P\n' | /bin/grep --color 2012
/usr/bin/find /lib -name '.*' -printf '%Ac %Cc %Tc %m %G:%u %P\n' | /bin/grep --color 2012
/usr/bin/find /etc -name '*syslog*' -printf '%Ac %Cc %Tc %m %G:%u %P\n' | /bin/grep --color 2012
/usr/bin/find /lib -name '*syslog*' -printf '%Ac %Cc %Tc %m %G:%u %P\n' | /bin/grep --color 2012
If a file named fsyslog or osyslog was modified recently, you have been hit. If you cannot tell, please paste the output back here.
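The process, port and connection checks above, turned into shell functions that read ps and netstat output instead of relying on eyeballing it. This is an added example, not part of the original post; the ps and netstat listings are constructed samples, and the names fsyslog/osyslog, port 82 and 98.126.55.226 are the indicators the post itself gives.

```shell
#!/bin/sh
# Added example, not part of the original post: the post's indicators as
# functions that read "ps -ef" / "netstat -anp" output from stdin, so the
# same logic runs on a live host or on listings saved from one.

# Exit 0 if a process named fsyslog or osyslog (hidden ".fsyslog" too) is
# present. Genuine syslogd / rsyslogd / syslog-ng do not match.
has_rogue_syslog() {
    grep -Eq '(^|[[:space:]/])\.?[fo]syslog([[:space:]]|$)'
}

# Exit 0 if some TCP socket is listening on local port 82.
has_port82_listener() {
    grep -Eq '^tcp6?[[:space:]].*[[:space:]][^[:space:]]+:82[[:space:]].*LISTEN'
}

# Exit 0 if any socket's foreign address is the IP named in the post.
has_c2_connection() {
    grep -Eq '[[:space:]]98\.126\.55\.226:[0-9*]+([[:space:]]|$)'
}

# Run all three checks over a ps listing ($1) and a netstat listing ($2);
# print one FINDING line per hit. On a live host:
#   triage "$(ps -ef)" "$(netstat -anp)"
triage() {
    hits=0
    if printf '%s\n' "$1" | has_rogue_syslog; then
        echo "FINDING: process named fsyslog/osyslog"; hits=$((hits + 1))
    fi
    if printf '%s\n' "$2" | has_port82_listener; then
        echo "FINDING: listener on TCP port 82"; hits=$((hits + 1))
    fi
    if printf '%s\n' "$2" | has_c2_connection; then
        echo "FINDING: connection to 98.126.55.226"; hits=$((hits + 1))
    fi
    echo "total findings: $hits"
}

# Constructed sample listings (not real captures) shaped like ps -ef and
# netstat -anp output on a host showing all three indicators.
SAMPLE_PS='root       501     1  0 09:00 ?        00:00:00 /sbin/rsyslogd -c 5
root      4182     1  0 09:07 ?        00:00:00 /lib/.fsyslog
root      4190  4182  0 09:07 ?        00:00:00 /etc/.osyslog'
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22       0.0.0.0:*          LISTEN      612/sshd
tcp        0      0 0.0.0.0:82       0.0.0.0:*          LISTEN      4182/.fsyslog
tcp        0      0 10.0.0.5:45120   98.126.55.226:82   ESTABLISHED 4190/.osyslog'

triage "$SAMPLE_PS" "$SAMPLE_NETSTAT"
```

The functions only match the exact names and addresses from the post, so a renamed daemon or a different port would need the patterns extended.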
Recover system logs
- View the system log folder # ls -al /var/log
- Create the system log folder # /bin/mkdir /var/log
If it was deleted, you need to recreate it.
- Find the system log service # /usr/bin/find /etc/init.d/ -name '*log*'
You need to work out which log service your server uses. If you cannot tell, please paste the output back here.
- Stop the system log service # /sbin/service syslog stop
The log service on your server may have a different name. If you cannot tell, please reply to this post.
- Start the system log service # /sbin/service syslog start
The log service on your server may have a different name. If you cannot tell, please reply to this post.
- Create the failed-login log file # /bin/touch /var/log/btmp
- Set the owner and group of the failed-login log file # /bin/chown root:utmp /var/log/btmp
- Set the permissions of the failed-login log file # /bin/chmod 600 /var/log/btmp
- Create the login log file # /bin/touch /var/log/wtmp
- Set the owner and group of the login log file # /bin/chown root:utmp /var/log/wtmp
- Set the permissions of the login log file # /bin/chmod 664 /var/log/wtmp
Restore SELinux settings
- View SELinux status # /usr/sbin/sestatus -v
- Check the security context of the /var/log folder (dry run) # /sbin/restorecon -Rn -vv /var/log
- Restore the security context of the /var/log folder # /sbin/restorecon -R -vv /var/log
- Check the security context of the /etc folder (dry run) # /sbin/restorecon -Rn -vv /etc 2>/dev/null
- Restore the security context of the /etc folder # /sbin/restorecon -R -vv /etc 2>/dev/null
- Check the security context of the /lib folder (dry run) # /sbin/restorecon -Rn -vv /lib 2>/dev/null
(The free open-source PuTTY being promoted on Baidu)
(The free open-source WinSCP being promoted on Baidu)
These two websites have the same creation time and the same interface style. If you look at the source code, they were clearly built by the same developer.