All putty and winscp files downloaded from unofficial websites have backdoors (with cleanup method)

Source: Internet
Author: User
Tags syslog

 

Original post: http://bbs.hpx-party.org/thread-9143-1-1.html

All PuTTY and WinSCP binaries downloaded from unofficial websites carry a backdoor. Check every copy in use across your company. Confirmed by Jinshan network anti-virus engineer Li Tiejun.

PuTTY and WinSCP are free, open-source software, so why would anyone pay to advertise them on Baidu, unless the advertised copies carry a backdoor? If you do not know what PuTTY and WinSCP do: they are the most common tools for connecting to a Linux host. PuTTY provides the command-line session and WinSCP uploads and downloads files, and a backdoored PuTTY or WinSCP can capture every server password you type into it. If your company runs a website on a Linux server, it is very likely that your technical staff have been affected. Check right away.

Check and cleanup methods
  • Check whether /var/log has been deleted # /usr/bin/stat /var/log
    If it is missing, the machine has been compromised. If you are not sure, reply to this post.
  • List the contents of /var/log # ls -al /var/log
    If there are very few files, the machine has been compromised. If you are not sure, reply to this post.
  • Watch for processes named fsyslog and osyslog # /usr/bin/watch -n 1 '/bin/ps -ef | /bin/grep syslog'
    A process named fsyslog or osyslog means the machine has been compromised. Do not confuse these with the normal system log daemon. If you are not sure, paste the output back here.
  • Check whether the header of /etc/init.d/sshd has been tampered with # /usr/bin/head /etc/init.d/sshd
    If you are not sure, paste the output back here.
  • Check whether the header of /etc/init.d/sendmail has been tampered with # /usr/bin/head /etc/init.d/sendmail
    If you are not sure, paste the output back here.
  • Check whether anything is listening on, or connected through, port 82 # /bin/netstat -anp | /bin/grep ':82'
    If there is and you did not set it up, the machine has been compromised. If you are not sure, reply to this post.
  • Check whether there is a connection to 98.126.55.226 # /bin/netstat -anp | /bin/grep --color '98\.'
    If there is, the machine has been compromised. If you are not sure, reply to this post.
  • Check for the hidden files .fsyslog and .osyslog in /etc, and for the same hidden files in /lib:
    /usr/bin/find /etc -name '.*' -printf '%a %c %t %m %g:%u %p\n' | /bin/grep --color 2012
    /usr/bin/find /lib -name '.*' -printf '%a %c %t %m %g:%u %p\n' | /bin/grep --color 2012
    /usr/bin/find /etc -name '*syslog*' -printf '%a %c %t %m %g:%u %p\n' | /bin/grep --color 2012
    /usr/bin/find /lib -name '*syslog*' -printf '%a %c %t %m %g:%u %p\n' | /bin/grep --color 2012
    If a file named fsyslog or osyslog has been modified recently, the machine has been compromised. If you are not sure, paste the output back here.
Recover system logs
  • View the system log folder # ls -al /var/log
  • Create the system log folder # /bin/mkdir /var/log
    Only needed if it was deleted.
  • Find the system log service # /usr/bin/find /etc/init.d/ -name '*log*'
    Work out which log service your server uses. If you are not sure, paste the output back here.
  • Stop the system log service # /sbin/service syslog stop
    The log service on your server may have a different name. If you are not sure, reply to this post.
  • Start the system log service # /sbin/service syslog start
    The log service on your server may have a different name. If you are not sure, reply to this post.
  • Create the failed-login log file # /bin/touch /var/log/btmp
  • Set the owner and group of the failed-login log file # /bin/chown root:utmp /var/log/btmp
  • Set the failed-login log file permissions # /bin/chmod 600 /var/log/btmp
  • Create the login log file # /bin/touch /var/log/wtmp
  • Set the owner and group of the login log file # /bin/chown root:utmp /var/log/wtmp
  • Set the login log file permissions # /bin/chmod 664 /var/log/wtmp
Restore SELinux settings
  • View SELinux status # /usr/sbin/sestatus -v
  • Check the security context of /var/log (dry run, no changes) # /sbin/restorecon -Rn -vv /var/log
  • Restore the security context of /var/log # /sbin/restorecon -R -vv /var/log
  • Check the security context of /etc (dry run, no changes) # /sbin/restorecon -Rn -vv /etc 2>/dev/null
  • Restore the security context of /etc # /sbin/restorecon -R -vv /etc 2>/dev/null
  • Check the security context of /lib (dry run, no changes) # /sbin/restorecon -Rn -vv /lib 2>/dev/null
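The checks above, collected into one read-only audit script. This is an added example, not code from the original post or from the PuTTY or WinSCP projects: each check is a filter that reads the relevant command output on stdin, so the same logic can be exercised against the constructed sample output embedded below (not captured from any real host) and then run against a live machine with `--live`. The indicators are exactly the ones the post lists (process names fsyslog/osyslog, port 82, the address 98.126.55.226, hidden syslog-like files in /etc and /lib, extra lines in the sshd and sendmail init scripts); the function names, the sample data and the "fewer than 3 entries" threshold for /var/log are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Read-only: it only inspects
# command output and never modifies the system. Root is needed for the
# --live run so that netstat -p shows program names and /etc and /lib are
# fully readable.

# Lines of `ps -ef` output whose command is fsyslog or osyslog (possibly the
# hidden ".fsyslog"); the real daemons (syslogd, rsyslogd, syslog-ng) do not match.
suspicious_procs() {
    grep -E '(^|[[:space:]]|/)\.?[fo]syslog([[:space:]]|$)'
}

# Lines of `netstat -anp` output with port 82 as local or foreign port.
# Requiring whitespace after "82" keeps :8200 and similar from matching.
port82_sockets() {
    grep -E ':82[[:space:]]'
}

# Lines of `netstat -anp` output involving the address named in the post.
c2_connections() {
    grep -F '98.126.55.226'
}

# Paths (one per line, e.g. from `find /etc /lib -name '.*'`) whose basename
# is hidden and contains "syslog", such as /etc/.fsyslog or /lib/.osyslog.
hidden_syslog_files() {
    grep -E '/\.[^/]*syslog[^/]*$'
}

# Non-comment lines of an init script (stdin) that launch an [fo]syslog
# binary, which is what a tampered /etc/init.d/sshd or sendmail would contain.
init_script_tampered() {
    grep -v '^[[:space:]]*#' | suspicious_procs
}

# The post's first two checks: succeeds (tampered) when the directory is
# missing or holds fewer than $2 entries (assumed default: 3).
log_dir_tampered() {
    [ -d "$1" ] || return 0
    [ "$(ls -A "$1" | wc -l)" -lt "${2:-3}" ]
}

# Constructed sample output (not captured from any real host) for a self-test.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan01 ?        00:00:01 /sbin/init
root       512     1  0 Jan01 ?        00:00:00 /sbin/rsyslogd -n
root       777     1  0 Jan01 ?        00:00:03 /etc/.fsyslog
root       778     1  0 Jan01 ?        00:00:02 osyslog
root       900     1  0 Jan01 ?        00:00:00 /usr/sbin/sshd -D'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd
tcp        0      0 0.0.0.0:82              0.0.0.0:*               LISTEN      777/.fsyslog
tcp        0      0 10.0.0.5:45012          98.126.55.226:80        ESTABLISHED 778/osyslog
tcp        0      0 10.0.0.5:8200           10.0.0.9:443            ESTABLISHED 901/curl'
SAMPLE_FILES='/etc/.fsyslog
/etc/.bashrc
/lib/.osyslog
/etc/rsyslog.conf
/etc/init.d/syslog'
SAMPLE_INIT='#!/bin/sh
# sshd: start the OpenSSH daemon
/etc/.fsyslog &
. /etc/rc.d/init.d/functions'

# Number of lines a filter function ($2) keeps when fed a sample string ($1).
count_hits() {
    printf '%s\n' "$1" | "$2" | wc -l | tr -d ' '
}

self_test() {
    echo "fake syslog processes:  $(count_hits "$SAMPLE_PS" suspicious_procs) (expect 2)"
    echo "port 82 sockets:        $(count_hits "$SAMPLE_NETSTAT" port82_sockets) (expect 1)"
    echo "connections to C2 addr: $(count_hits "$SAMPLE_NETSTAT" c2_connections) (expect 1)"
    echo "hidden syslog files:    $(count_hits "$SAMPLE_FILES" hidden_syslog_files) (expect 2)"
    echo "tampered init lines:    $(count_hits "$SAMPLE_INIT" init_script_tampered) (expect 1)"
}

audit_live() {
    echo "== processes named fsyslog/osyslog";  ps -ef | suspicious_procs
    echo "== sockets on port 82";               netstat -anp 2>/dev/null | port82_sockets
    echo "== connections to 98.126.55.226";     netstat -anp 2>/dev/null | c2_connections
    echo "== hidden syslog-like files";         find /etc /lib -name '.*' 2>/dev/null | hidden_syslog_files
    echo "== init scripts launching [fo]syslog"
    for f in /etc/init.d/sshd /etc/init.d/sendmail; do
        [ -r "$f" ] && init_script_tampered < "$f"
    done
    log_dir_tampered /var/log && echo "== /var/log is missing or nearly empty"
    return 0
}

if [ "${1:-}" = "--live" ]; then audit_live; else self_test; fi
```

Run without arguments to see the filters applied to the sample data; run as root with `--live` to apply them to the host. Each filter reports a hit, so a clean host prints only the section headers. Every hit should still be read by a person, since the list of indicators comes from one 2012 incident and a legitimate service may happen to use port 82.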
(Figure: the free open-source PuTTY being promoted on Baidu)

(Figure: the free open-source WinSCP being promoted on Baidu)

These two download sites were created at the same time and share the same interface style. Judging from their source code, they were most likely built by the same developer.
