A Linux server intrusion and the removal of the Trojan programs
I. Background
One evening we saw that the traffic of a server was very high and clearly different from normal: it reached 800 Mbps. My first thought was that the server had been hit by a Trojan and was being used as a zombie to send a large number of packets.
For the best performance, our servers do not have any firewall (iptables) enabled, but there is a physical firewall in front of them, and the machines are all reached through port mapping on ports that are not common ones, so in theory they should be fairly secure. Perhaps I have simply been fated to meet Trojans recently, as I keep running into this problem, so I am taking this opportunity to record the discovery process.
II. Discovery and tracking
1. View the traffic graph to find the problem
When viewing the page, the page was very slow, and sometimes it did not respond at all.
2. View processes dynamically with top
I immediately logged on to the problematic server remotely. The remote session was very slow and the traffic on the NIC was very large. Using top, I found an abnormal process that was using a lot of resources. If I had not looked carefully, I would have thought it was a web service process.
3. Run the ps command to view the process path
I found this program file under the /etc directory. It is a binary program. I copied it and attached it to this article so you can study it on a virtual machine. Haha.
4. Stop the abnormal process and continue tracing
    killall -9 nginx1
    rm -f /etc/nginx1
After the process was killed, the traffic immediately went down and the remote connection was no longer slow. Is it enough to delete the program file and kill the abnormal process? It is certainly not that easy. This is a Trojan, and it will certainly regenerate its program files on its own (sure enough, as I expected, it was regenerated later, before I had figured things out), so we need to continue tracing.
5. View logon records and the secure log file
I ran the last command to view the account logon records. Everything was normal. Nothing was found in the system messages file, but I found some anomalies when I viewed the secure file. They are related to authentication; perhaps these were attempts to connect in and control the sending of packets?
6. View the processes with ps again
In fact, this problem was already visible during the first ps, but I did not notice it at the time. The second time I looked at every process carefully and found a strange ps process.
I found a normal machine and checked the size of the ps command. The normal size is about 81 KB, but the ps on this machine was as large as 1.2 MB. The command file must have been replaced.
Then I went into the directory of the other ps and saw several commands there. I checked the same commands in the system and found that they had all grown to 1.2 MB; these system command files must have been replaced.
7. Discover more abnormal files
I checked the scheduled task file crontab and the system startup file rc.local and found nothing unusual. Then I went into the /etc/init.d directory and found strange script files: DbSecuritySpt and selinux.
From the first file we can see that it starts the abnormal file at boot. The second file should be related to logon. I am not very clear about the specifics, but it is certainly a problem.
Since it is related to logon, I looked for ssh-related files and found the following file, which is a hidden file. This file is also a Trojan file, so we record it first. The program names are very similar to our service names in order to confuse us. They are all 1.2 MB in size, so they may be the same file.
I also looked in /tmp, a directory where Trojans like to appear, and found abnormal files there. Judging by their names, they appear to be used to monitor the Trojan program.
At this point it was clear that many commands had probably been replaced, which cannot be solved by hunting for them one by one. I suggest you reinstall the operating system and put security policies in place. If you do not reinstall the operating system, I give a method below. Whether it fully works has not been verified.
III. Manually clear Trojans
The general steps are as follows:
1. Simple Determination of Trojans
    # Check whether the following files exist
    cat /etc/rc.d/init.d/selinux
    cat /etc/rc.d/init.d/DbSecuritySpt
    ls /usr/bin/bsd-port
    ls /usr/bin/dpkgd
    # Check whether the sizes are normal
    ls -lh /bin/netstat
    ls -lh /bin/ps
    ls -lh /usr/sbin/lsof
    ls -lh /usr/sbin/ss
2. Upload the following commands to /root
    ps netstat ss lsof
3. Delete the following directories and files
    rm -rf /usr/bin/dpkgd                    # (ps netstat lsof ss)
    rm -rf /usr/bin/bsd-port                 # Trojan
    rm -f /usr/bin/.sshd                     # Trojan backdoor
    rm -f /tmp/gates.lod
    rm -f /tmp/moni.lod
    rm -f /etc/rc.d/init.d/DbSecuritySpt     # starts the Trojan variant programs described above
    rm -f /etc/rc.d/rc1.d/S97DbSecuritySpt
    rm -f /etc/rc.d/rc2.d/S97DbSecuritySpt
    rm -f /etc/rc.d/rc3.d/S97DbSecuritySpt
    rm -f /etc/rc.d/rc4.d/S97DbSecuritySpt
    rm -f /etc/rc.d/rc5.d/S97DbSecuritySpt
    rm -f /etc/rc.d/init.d/selinux           # starts /usr/bin/bsd-port/getty by default
    rm -f /etc/rc.d/rc1.d/S99selinux
    rm -f /etc/rc.d/rc2.d/S99selinux
    rm -f /etc/rc.d/rc3.d/S99selinux
    rm -f /etc/rc.d/rc4.d/S99selinux
    rm -f /etc/rc.d/rc5.d/S99selinux
4. Find the Abnormal Program and kill it.
5. Delete and reinstall the commands containing Trojans (or copy the uploaded programs into the system)
    # chattr -i -a clears the immutable and append-only attributes so the file can be deleted
    # ps
    /root/chattr -i -a /bin/ps && rm /bin/ps -f
    yum reinstall procps -y          # or: cp /root/ps /bin
    # netstat
    /root/chattr -i -a /bin/netstat && rm /bin/netstat -f
    yum reinstall net-tools -y       # or: cp /root/netstat /bin
    # lsof
    /root/chattr -i -a /usr/sbin/lsof && rm /usr/sbin/lsof -f
    yum reinstall lsof -y            # or: cp /root/lsof /usr/sbin
    # ss
    /root/chattr -i -a /usr/sbin/ss && rm /usr/sbin/ss -f
    yum -y reinstall iproute         # or: cp /root/ss /usr/sbin
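A scripted, read-only form of the step 1 check, which can also be re-run after cleanup; it additionally hashes the four tools, because the investigation above found the replaced commands all had the same 1.2 MB size. This is an added example, not part of the original article: the function names and the optional ROOT argument (a mount point for a suspect disk) are assumptions, and the paths are the ones listed in this article.

```bash
#!/usr/bin/env bash
# Added example: read-only triage for the artifacts this article lists.
# ROOT (optional) is a mount point, so a suspect disk can be checked from a clean host.

# Files and directories the article attributes to the Trojan.
GATES_PATHS="/usr/bin/bsd-port /usr/bin/dpkgd /usr/bin/.sshd /tmp/gates.lod
/tmp/moni.lod /etc/rc.d/init.d/DbSecuritySpt /etc/rc.d/init.d/selinux"
# System tools the article found replaced.
GATES_TOOLS="/bin/ps /bin/netstat /usr/sbin/lsof /usr/sbin/ss"

# Print each listed artifact (and rcN.d start link) that exists under ROOT.
gates_artifacts() {
    local root="${1:-}" p
    for p in $GATES_PATHS; do
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then echo "$p"; fi
    done
    for p in "$root"/etc/rc.d/rc[1-5].d/S97DbSecuritySpt \
             "$root"/etc/rc.d/rc[1-5].d/S99selinux; do
        if [ -e "$p" ] || [ -L "$p" ]; then echo "${p#"$root"}"; fi
    done
}

# Print groups of tools whose contents hash identically. ps, netstat, lsof and
# ss are separate programs, so identical bytes mean something overwrote them
# (assumption: not a BusyBox-style system where tools share one binary).
gates_cloned_tools() {
    local root="${1:-}" t
    for t in $GATES_TOOLS; do
        if [ -f "$root$t" ]; then
            printf '%s %s\n' "$(sha256sum < "$root$t" | cut -d' ' -f1)" "$t"
        fi
    done | sort | awk '{ n[$1]++; f[$1] = (f[$1] ? f[$1] " " : "") $2 }
                       END { for (h in n) if (n[h] > 1) print f[h] }'
}

# Report findings; exit status is 0 only when nothing suspicious was found.
gates_triage() {
    local root="${1:-}" found clones
    found="$(gates_artifacts "$root")"
    clones="$(gates_cloned_tools "$root")"
    if [ -n "$found" ]; then printf 'artifact present: %s\n' $found; fi
    if [ -n "$clones" ]; then echo "byte-identical tools: $clones"; fi
    [ -z "$found$clones" ]
}

if [ $# -gt 0 ]; then gates_triage "$1"; fi
```

Because the article shows that ps and other tools on the infected host were themselves replaced, the result is most trustworthy when the disk is mounted on a clean machine and the script is pointed at that mount point.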
IV. Scanning with antivirus tools
1. Install the anti-virus tool ClamAV
    yum -y install clamav clamav-milter
2. Start the service
    service clamd restart
3. Update the virus database
Because the installed ClamAV is not the latest version, warnings are shown. You can ignore them or upgrade to the latest version.
    [root@mobile ~]# freshclam
    ClamAV update process started at Sun Jan 31 03:15:52 2016
    WARNING: Can't query current.cvd.clamav.net
    WARNING: Invalid DNS reply. Falling back to HTTP mode.
    Reading CVD header (main.cvd): WARNING: main.cvd not found on remote server
    WARNING: Can't read main.cvd header from db.cn.clamav.net (IP: 185.100.64.62)
    Trying again in 5 secs...
    ClamAV update process started at Sun Jan 31 03:16:25 2016
    WARNING: Can't query current.cvd.clamav.net
    WARNING: Invalid DNS reply. Falling back to HTTP mode.
    Reading CVD header (main.cvd): Trying host db.cn.clamav.net (200.236.31.1)...
    OK
    main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
    Reading CVD header (daily.cvd): OK (IMS)
    daily.cvd is up to date (version: 21325, sigs: 1824133, f-level: 63, builder: neo)
    Reading CVD header (bytecode.cvd): OK (IMS)
    bytecode.cvd is up to date (version: 271, sigs: 47, f-level: 63, builder: anvilleg)
4. Scan methods
You can use clamscan -h to view the corresponding help information.
    clamscan -r /etc --max-dir-recursion=5 -l /root/etcclamav.log
    clamscan -r /bin --max-dir-recursion=5 -l /root/binclamav.log
    clamscan -r /usr --max-dir-recursion=5 -l /root/usrclamav.log
    clamscan -r --remove /usr/bin/bsd-port
    clamscan -r --remove /usr/bin/
5. View the logs to see what was found
Delete the commands that were flagged and replace them with normal ones.
Appendix: Linux.BackDoor.Gates.5
After looking up information, I believe this Trojan is Linux.BackDoor.Gates.5. I found a write-up with the following details:
Some users have a deep-rooted belief that no malware can truly threaten Linux-kernel operating systems. However, this belief is facing more and more challenges. Compared with April, the number of Linux malware samples detected by technicians of the Doctor Web company set a new record in May 2014, and in June a series of new Linux Trojans was added to the list. The new Trojan family is named Linux.BackDoor.Gates.
Here we describe one Trojan in the Linux.BackDoor.Gates malware family: Linux.BackDoor.Gates.5. This malware combines the functions of a traditional backdoor program and a DDoS attack Trojan, and is used to infect 32-bit Linux versions. Its characteristics indicate that it comes from the same virus writer as the Linux.DnsAmp and Linux.DDoS family Trojans. The new Trojan consists of two functional modules: the basic module is a backdoor program that can execute instructions issued by criminals; the second module, saved to the hard disk during installation, is used for DDoS attacks. During operation, Linux.BackDoor.Gates.5 collects the following information about the infected computer and forwards it to the criminals:
Number of CPU cores (read from /proc/cpuinfo).
CPU speed (read from /proc/cpuinfo).
CPU usage (read from /proc/stat).
Gateway IP address (read from /proc/net/route).
Gateway MAC address (read from /proc/net/arp).
Network interface information (read from /proc/net/dev).
The MAC address of the network device.
Memory (using the MemTotal parameter in /proc/meminfo).
Volume of data sent and received (read from /proc/net/dev).
The name and version of the operating system (obtained by calling the uname command).
After startup, Linux.BackDoor.Gates.5 checks the path of the folder it was started from and follows one of four behavior modes based on the result.
If the path of the backdoor program's executable file differs from the paths of the netstat, lsof, and ps tools, the Trojan starts in the system disguised as a daemon and then initializes, decompressing its configuration file during initialization. The configuration file contains the data the Trojan needs to run, such as the management server's IP address and port and the backdoor installation parameters.
Depending on the value of the g_iGatsIsFx parameter in the configuration file, the Trojan either actively connects to the management server or waits for a connection. After a successful installation, the backdoor program detects the IP address of the site that connects to it and then uses that site as the command server.
During installation, the Trojan checks the file /tmp/moni.lock. If the file is not empty, it reads the data in it (a process PID) and "kills" the process with that ID. Then Linux.BackDoor.Gates.5 checks whether the DDoS module and the backdoor program's own processes are running in the system (if they are, these processes are also "killed"). If the configuration file contains the special flag g_iIsService, the Trojan writes the line #!/bin/bash\n in the file /etc/init.d to set itself to start automatically, and then creates the following symbolic links:
    ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
    ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
    ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
    ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
If the g_bDoBackdoor flag is set in the configuration file, the Trojan attempts to open the /root/.profile file to check whether its process has root permissions. Then the backdoor program copies itself to /usr/bin/bsd-port/getty and starts it. At the final stage of installation, Linux.BackDoor.Gates.5 creates another copy of itself in the folder /usr/bin/, under the name set in the configuration file, and replaces the following tools:
    /bin/netstat
    /bin/lsof
    /bin/ps
    /usr/bin/netstat
    /usr/bin/lsof
    /usr/bin/ps
    /usr/sbin/netstat
    /usr/sbin/lsof
    /usr/sbin/ps
The Trojan then completes the installation and starts calling its basic functions.
When the other two algorithms are executed, the Trojan also starts on the infected computer disguised as a daemon and checks, by reading the corresponding .lock files, whether its components are running (starting them if they are not), but it uses different names when saving files and registering for automatic start.
After establishing a connection to the command server, Linux.BackDoor.Gates.5 receives from the server the configuration data and the commands the bot is to carry out. On instructions from the criminals, the Trojan can update itself automatically, launch or stop DDoS attacks on remote sites with specified IP addresses and ports, execute the commands contained in the configuration data, or establish a connection with a remote site at a specified IP address to execute other commands.
The main DDoS attack targets of this backdoor program are servers in China. However, the criminals have also attacked other countries. Geographic distribution of DDoS attacks that use this Trojan:
This article is from the "small water drop" blog; please be sure to keep this source: http://wangzan18.blog.51cto.com/8021085/1740113