An intrusion and deletion of trojan programs

Source: Internet
Author: User
Tags: nameserver





The backdoor trojan turned out to be the following. (Of course, this was only pieced together slowly, after I had calmed down afterwards; at the time I was drinking coffee and feeling like a free man.)
Trojan name: Linux.BackDoor.Gates.5
Reference: http://forum.antichat.ru/threads/413337/




It started at around two in the afternoon: several servers suddenly showed extremely high traffic. Normally they carry only a few hundred MB; now the traffic was up in the gigabit range. Our first thought was that we were on the receiving end of a DDoS traffic attack. We had a large number of servers on hand and, in my eyes, nothing obvious to check. To get the best performance, none of our servers had a firewall enabled (neither hardware firewalls nor iptables); that is, the servers had always been running bare.

These bare servers had run for a few years without any problems, so Linux server security had seemed quite satisfactory.


There was no clue at the beginning. I did the obvious things: ps to look at processes, netstat to look at ports, iftop to look at traffic. I imagine that is exactly what was expected of me (it is also what the hackers hope for; obviously they know me very well, haha). Nothing abnormal showed up, except that iftop showed our server sending a huge number of packets, with traffic towards a single IP address reaching more than 600 M. Then we realized the server had been hacked, but as a zombie: the attackers were using it to attack other servers.

And the IP address being attacked kept changing, just as if someone were remotely controlling it.


In the blink of an eye it was almost time to get off work. By then about three servers were affected. Here is what we knew at that point:
A. /bin/ps and /bin/netstat were both 1.2M in size, obviously replaced.
B. A /usr/bin/.Zookeeper-daemon-system process was running, with a leading dot in its name, mimicking the legitimate daemon whose name has no dot; it is always a fake. Why didn't they delete or replace the real one? It seems whoever writes such programs has a strong sense of the law; otherwise the program would spread and get itself killed off. Would the big CIA let him go?
C. The permissions of /etc/rc.local were changed and a startup item was added.
D. The lsattr and chattr commands were deleted.
E. Killing the process only brought it back immediately, which became a headache.
F. Some recently modified files were found, obviously left behind by the hackers.
G. Two items were added to the automatic startup file.


At first, killing the process only brought it back, and deleted files regenerated themselves automatically; there was no firewall configuration in the production environment either. So I had to think of a strange trick: rename /bin/bash. It turned out that the traffic did come down, and this "hurt yourself to hurt the enemy" move was really useful.
In fact, no real trojan had been found at this point, but it was time to analyze and locate the source of the virus. Two of the three servers dropped their connections right after bash was renamed and could not be logged into again, so they had to be reinstalled. On the remaining one I slowly found the trojan and deleted it.

By then I was in a good mood and wanted to write a blog record; after all, this was the first time a trojan had been encountered in the production environment.
Around then, with half the post written, another fault came in: this time 7 more servers failed, and my good mood evaporated. The three servers had only been the opening remarks; the real battle had not yet begun. So the post continues from here.


There were a few differences this time, so let's take a look.


In the meantime I found some information on the Internet and gradually became familiar with this trojan. I uploaded clean copies of binaries such as ls, netstat, chattr and lsattr, and with those the trojan programs could be found and analyzed.

The names of the trojan files vary in style, but they are all written into the startup scripts /etc/rc.d/init.d/DbSecuritySpt and /etc/rc.d/init.d/selinux, and they are named to look like normal services:

/usr/local/zabbix/sbin/zabbix_AgentD, /usr/bin/bsd-port/getty, /usr/bin/dpkgd/ps, /usr/bin/.using-daemon --system, /usr/bin/.sshd, /usr/bin/sshd. Don't they look just like things already on your system?

While running, the processes confuse you with those look-alike names; in fact they are all the same program, with the same file size.

Then it is a matter of deleting these files and killing these processes. One episode: on one server a few files were missed and not deleted, and the trojan was activated again the next day. Running the replaced commands listed above can trigger these items, so be careful.

By about 4 o'clock in the morning the trojans on all seven servers were cleared. The general steps are as follows:




0. It is easy to determine whether the trojan is present.
Check whether any of the following files exist:
cat /etc/rc.d/init.d/selinux
cat /etc/rc.d/init.d/DbSecuritySpt
ls /usr/bin/bsd-port
ls /usr/bin/dpkgd
Check whether the sizes are normal:
ls -lh /bin/netstat
ls -lh /bin/ps
ls -lh /usr/sbin/lsof
ls -lh /usr/sbin/ss
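The checks in step 0 as one script, added here as an example and not part of the original post. It goes a little beyond the post: besides testing for the dropped paths and oversized copies of ps, netstat, lsof and ss, it asks rpm to verify the owning package on a live rpm-based host (the post uses yum, so rpm is assumed) and reports files carrying the immutable or append-only attribute, which the post had to clear with chattr -i -a before it could remove the copies. The 1 000 000 byte "oversize" limit is an assumption derived from the 1.2M copies the post saw; the ROOT argument lets the same checks run against a mounted image or a constructed test tree.

```bash
#!/usr/bin/env bash
# Added triage helper (not from the original post): checks a host, or a
# mounted copy of its root tree, for the Linux.BackDoor.Gates.5 artefacts the
# post lists in step 0. Assumptions: replacement binaries are ~1.2M versus far
# smaller originals, so 1 000 000 bytes is taken as the "oversize" limit;
# the rpm and lsattr checks run only where those tools exist.
# Usage: gates_triage [ROOT]   (ROOT "" or omitted = the live system)

# Files and directories the post names as dropped by the trojan.
GATES_DROP_PATHS="
/etc/rc.d/init.d/selinux
/etc/rc.d/init.d/DbSecuritySpt
/usr/bin/bsd-port
/usr/bin/dpkgd
/usr/bin/.sshd
/usr/local/zabbix/sbin/zabbix_AgentD
"
# System tools the trojan replaced with its own copies.
GATES_REPLACED_TOOLS="/bin/ps /bin/netstat /usr/sbin/lsof /usr/sbin/ss"
GATES_SIZE_LIMIT=1000000   # assumed threshold, see above

file_size() { wc -c < "$1" | tr -d ' '; }

# Prints one finding per line; the exit status is the number of findings,
# so 0 means none of the listed indicators was seen.
gates_triage() {   # gates_triage [ROOT]
    local root="${1:-}" hits=0 p f size attrs
    root="${root%/}"
    for p in $GATES_DROP_PATHS; do
        if [ -e "$root$p" ]; then
            echo "DROPPED  $p"; hits=$((hits + 1))
        fi
    done
    for p in $GATES_REPLACED_TOOLS; do
        f="$root$p"
        [ -f "$f" ] || continue
        size=$(file_size "$f")
        if [ "$size" -gt "$GATES_SIZE_LIMIT" ]; then
            echo "OVERSIZE $p ($size bytes)"; hits=$((hits + 1))
        elif [ -z "$root" ] && command -v rpm >/dev/null 2>&1 &&
             ! rpm -Vf "$f" >/dev/null 2>&1; then
            # live rpm-based host: the package database disagrees with what
            # is on disk (rpm -Vf reports on the whole owning package)
            echo "MODIFIED $p (rpm -Vf reports changes)"; hits=$((hits + 1))
        fi
        # the post needed "chattr -i -a" before the copies could be removed
        if command -v lsattr >/dev/null 2>&1; then
            attrs=$(lsattr -d "$f" 2>/dev/null | cut -d' ' -f1) || attrs=""
            case "$attrs" in
                *[ia]*) echo "LOCKED   $p (attributes $attrs)"; hits=$((hits + 1)) ;;
            esac
        fi
    done
    return "$hits"
}

# Stand-alone use: ./gates_triage.sh --run [ROOT]
case "${1:-}" in
    --run) gates_triage "${2:-}" || echo "findings: $?" ;;
esac
```

Run it from a clean copy of the tools, or from a rescue environment, because on an infected host the ps/ls/lsattr on the PATH may be the trojan's own; on a live system the exit status doubles as a quick yes/no for scripting across many servers.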




1. Upload clean copies of the following commands to /root:
lsattr chattr ps netstat ss lsof




2. Delete the following directories and files.
rm -rf /usr/bin/dpkgd                          (ps netstat lsof ss)
rm -rf /usr/bin/bsd-port                       (trojan program)
rm -f /usr/local/zabbix/sbin/zabbix_AgentD     (trojan program)
rm -f /usr/local/zabbix/sbin/conf.n
rm -f /usr/bin/.sshd
rm -f /usr/bin/sshd
rm -f /root/cmd.n
rm -f /root/conf.n
rm -f /root/IP
rm -f /tmp/gates.
rm -f /tmp/moni.
rm -f /tmp/Y.file                              (program)
rm -f /tmp/gates.lock                          (process number)
rm -f /etc/rc.d/init.d/DbSecuritySpt           (starts the trojan variants described above)
rm -f /etc/rc.d/rc1.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc2.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc3.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc4.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc5.d/S97DbSecuritySpt
rm -f /etc/rc.d/init.d/selinux                 (starts /usr/bin/bsd-port/getty by default)
rm -f /etc/rc.d/rc1.d/S99selinux
rm -f /etc/rc.d/rc2.d/S99selinux
rm -f /etc/rc.d/rc3.d/S99selinux
rm -f /etc/rc.d/rc4.d/S99selinux
rm -f /etc/rc.d/rc5.d/S99selinux




3. Find the process numbers of the following programs and kill them.
The trojan's CPU usage is very high, so its processes stand out at a glance.
/root/ps aux | grep -i jul29          (mainly recently started processes)
/root/ps aux | grep -i jul30
/root/ps aux | grep -i jul31
/root/ps aux | grep sshd
/root/ps aux | grep ps
/root/ps aux | grep getty
/root/ps aux | grep netstat
/root/ps aux | grep lsof
/root/ps aux | grep ss
/root/ps aux | grep zabbix_AgentD
/root/ps aux | grep .Batch
Example:
/root/ps aux | grep getty
root      6215  0.0  0.0  93636   868 ?  Ssl  /usr/bin/bsd-port/getty
kill 6215
/root/ps aux | grep zabbix_AgentD
root      2558 71.0  0.0 106052  1048 ?  Ssl  :54 117:29 ./zabbix_
kill 2558
/root/ps aux | grep "/dpkgd/ps"
root     11173 67.8  0.0 105924  1020 ?  Ssl  /usr/bin/dpkgd/ps -p 11148 -o comm=
kill 11173


Note that after a kill and delete the file and process come back again, so instead damage the trojan program: empty the file and lock it.
> /usr/bin/dpkgd/ps && /root/chattr +i /usr/bin/dpkgd/ps
> /usr/bin/bsd-port/getty && /root/chattr +i /usr/bin/bsd-port/getty




4. Delete the commands that carry the trojan and reinstall them (or copy over the clean programs uploaded earlier).
ps
/root/chattr -i -a /bin/ps && rm -f /bin/ps
yum reinstall procps -y
or
cp /root/ps /bin

netstat
/root/chattr -i -a /bin/netstat && rm -f /bin/netstat
yum reinstall net-tools -y
or
cp /root/netstat /bin

lsof
/root/chattr -i -a /usr/sbin/lsof && rm -f /usr/sbin/lsof
yum reinstall lsof -y
or
cp /root/lsof /usr/sbin

chattr & lsattr
yum -y reinstall e2fsprogs

ss
/root/chattr -i -a /usr/sbin/ss && rm -f /usr/sbin/ss
yum -y reinstall iproute
or
cp /root/ss /usr/sbin


Also change the permissions of the following two programs. On some servers their permissions had been changed by accident, and it turned out that the trojan then could not download its programs or kill processes:
/usr/bin/killall
/usr/bin/wget

In addition, they also modified the DNS settings, so some domain names may no longer resolve. Quite thoughtful of them, I think.
cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
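The "damage it, don't just delete it" trick from the note in step 3, written as one function. This is an added example, not code from the original post. It goes slightly beyond the post in how it finds the trojan's processes: instead of grepping ps output for names, it compares each process's /proc/PID/exe, the executable that is really running, against the target path, which also catches a copy whose command line is disguised (the post shows one running as "/usr/bin/dpkgd/ps -p 11148 -o comm="). It assumes Linux with /proc, and takes the path of a trusted chattr from the CHATTR environment variable (the post uploads one to /root/chattr), applying it only when run as root.

```bash
#!/usr/bin/env bash
# Added example (not from the original post) for the note in step 3: the
# trojan re-creates files that are merely deleted, so the post empties the
# file and makes it immutable instead. Order matters: Linux refuses to
# truncate a running executable ("Text file busy"), so its processes are
# killed first. Processes are matched on /proc/PID/exe, the executable really
# being run, not on argv, which the dropped copies disguise.
# Assumptions: Linux with /proc; CHATTR names a trusted chattr binary
# (e.g. CHATTR=/root/chattr) and is used only when running as root.
CHATTR="${CHATTR:-chattr}"

# Print the PIDs whose executable is TARGET (an absolute, canonical path).
pids_running_from() {   # pids_running_from TARGET
    local target="$1" p exe
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # kernel threads etc.
        exe="${exe% (deleted)}"                             # unlinked-but-running
        [ "$exe" = "$target" ] && echo "${p#/proc/}"
    done
    return 0
}

# Kill whatever runs from TARGET, then leave an empty, locked file in place
# so the trojan's watchdog cannot drop a fresh copy at the same path.
neutralize_dropped_binary() {   # neutralize_dropped_binary TARGET
    local target pid i
    target=$(readlink -f "$1") && [ -f "$target" ] ||
        { echo "no such file: $1" >&2; return 1; }
    for pid in $(pids_running_from "$target"); do
        echo "killing pid $pid ($target)"
        kill -9 "$pid" 2>/dev/null || true
    done
    # wait (up to ~2 s) for the kernel to tear down the killed processes,
    # otherwise the truncation below fails with "Text file busy"
    for i in 1 2 3 4 5 6 7 8 9 10; do
        [ -n "$(pids_running_from "$target")" ] || break
        sleep 0.2
    done
    if [ "$(id -u)" -eq 0 ]; then
        "$CHATTR" -i -a "$target" 2>/dev/null || true   # clear any lock the trojan set
    fi
    : > "$target"                                       # damage it: zero bytes remain
    if [ "$(id -u)" -eq 0 ]; then
        "$CHATTR" +i "$target" || echo "warning: $CHATTR +i failed on $target" >&2
    fi
    echo "neutralized $target"
}

# Stand-alone use: CHATTR=/root/chattr ./neutralize.sh --run /usr/bin/dpkgd/ps
case "${1:-}" in
    --run) neutralize_dropped_binary "$2" ;;
esac
```

The immutable flag only holds on file systems that support it (ext2/3/4 and xfs do; tmpfs and most overlay mounts do not), and a root-level intruder can clear it again with their own chattr, so it buys time for the reinstall in step 4 rather than replacing it.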






5. Tool scanning
Install an anti-virus tool.
Install:
yum -y install clamav*
Start:
service clamd restart
Update the virus database:
freshclam
Scan:
clamscan -r /etc --max-dir-recursion=5 -l /root/etcclamav.log
clamscan -r /bin --max-dir-recursion=5 -l /root/binclamav.log
clamscan -r /usr --max-dir-recursion=5 -l /root/usrclamav.log
clamscan -r --remove /usr/bin/bsd-port
clamscan -r --remove /usr/bin/
clamscan -r --remove /usr/local/zabbix/sbin
Check the logs. A line such as
/bin/netstat: Linux.Trojan.Agent FOUND
means a virus was found.
grep FOUND /root/usrclamav.log
/usr/bin/.sshd: Linux.Trojan.Agent FOUND
/usr/sbin/ss: Linux.Trojan.Agent FOUND
/usr/sbin/lsof: Linux.Trojan.Agent FOUND


6. Improve security
We still do not know how the system was broken into; we can only consider two angles: brute-force password guessing, and vulnerabilities in the system or its services.
A. yum update the system (especially bash, openssh and openssl).
B. Disable unnecessary services.
C. Allow ssh logins only as normal users, and use hosts.allow and hosts.deny to restrict the network segments that may log in.
D. Record the commands run after logging on to the system.
In those records, the following operations were found:
Jul 31 00:26:37 CHN-LZ-131 logger: [euid=root]: [/root] echo > /var/log/messages
Jul 31 00:26:37 CHN-LZ-131 logger: [euid=root]: [/root] echo > /var/log/httpd/access_log
Jul 31 00:26:37 CHN-LZ-131 logger: [euid=root]: [/root] echo > /var/log/httpd/error_log
Jul 31 00:26:37 CHN-LZ-131 logger: [euid=root]: [/root] echo > /var/log/xferlog
Jul 31 00:26:37 CHN-LZ-131 logger: [euid=root]: [/root] echo > /var/log/secure
Jul 31 00:26:37 CHN-LZ-131 logger: [euid=root]: [/root] echo > /var/log/auth.log
Jul 31 00:26:37 CHN-LZ-131 logger: [euid=root]: [/root] echo > /var/log/user.log
Jul 31 00:26:37 CHN-LZ-131 logger: [euid=root]: [/root] echo > /var/log/wtmp
Jul 31 00:26:37 CHN-LZ-131 logger: [euid=root]: [/root] echo > /var/log/lastlog
Jul 31 00:26:37 CHN-LZ-131 logger: [euid=root]: [/root] echo > /var/log/btmp
Jul 31 00:26:37 CHN-LZ-131 logger: [euid=root]: [/root] echo > /var/run/utmp
Jul 31 00:26:37 CHN-LZ-131 logger: [euid=root]: [/root] echo > /var/spool/mail/root
Jul 31 00:26:37 CHN-LZ-131 logger: [euid=root]: [/root] echo > ./.bash_history
Jul 31 00:26:37 CHN-LZ-131 logger: [euid=root]: [/root] rm -rf /root/.bash_history
Jul 31 00:26:37 CHN-LZ-131 logger: [euid=root]: [/root]
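Steps 6C and 6D in code, as an added example that is not part of the original post: a tcp_wrappers rule pair that default-denies sshd and allows only named networks, a bash PROMPT_COMMAND hook that sends each interactive command to syslog in the "[euid=root]: [/root] command" shape the captured lines above show, and a check over such lines for the two things the intruder did, emptying log files with "echo >" and removing .bash_history. The hook's exact text, the -t logger tag, the profile.d file name, the 10.0.0.0/8 network and the sample lines in the self-test are all constructed for this example; the post does not show how its records were produced.

```bash
#!/usr/bin/env bash
# Added example for step 6 (not from the original post): restrict sshd with
# hosts.allow/hosts.deny (C), and record every interactive command through
# syslog in the "[euid=root]: [/root] cmd" shape of the post's log lines (D),
# plus a check for the log-wiping those lines show. Assumptions: bash and
# util-linux logger(1) on the host; the network, the profile.d file name and
# the sample log lines in the self-test are constructed for the example.

# (C) Default-deny sshd in hosts.deny, then allow only the given networks.
# PREFIX is "" for the live /etc, or a directory for a staged/test tree.
write_sshd_wrapper_rules() {   # write_sshd_wrapper_rules PREFIX NET...
    local prefix="$1" net
    shift
    mkdir -p "$prefix/etc"
    echo "sshd: ALL" > "$prefix/etc/hosts.deny"
    : > "$prefix/etc/hosts.allow"
    for net in "$@"; do
        echo "sshd: $net" >> "$prefix/etc/hosts.allow"
    done
}

# (D) One audit record in the post's format: "[euid=root]: [/root] command".
audit_record() {   # audit_record EUID CWD COMMAND
    printf '[euid=%s]: [%s] %s\n' "$1" "$2" "$3"
}

# Bash runs PROMPT_COMMAND before each prompt, i.e. right after the previous
# command finished; "history 1" yields that command with its number, which
# sed strips. "-t logger" reproduces the "logger:" tag seen in the post.
AUDIT_PROMPT_COMMAND='_c=$(history 1 | sed "s/^ *[0-9]* *//"); logger -t logger "[euid=$(id -un)]: [$PWD] $_c"'

# Install the hook for every login shell under PREFIX/etc/profile.d.
install_cmd_audit_hook() {   # install_cmd_audit_hook PREFIX
    mkdir -p "$1/etc/profile.d"
    printf "export PROMPT_COMMAND='%s'\n" "$AUDIT_PROMPT_COMMAND" \
        > "$1/etc/profile.d/cmd-audit.sh"
}

# Succeeds when an audit line shows a log file being emptied ("echo > /var/log/...",
# also /var/run and /var/spool as in the post) or shell history being removed.
is_log_tampering() {   # is_log_tampering LINE
    printf '%s\n' "$1" |
        grep -Eq 'echo *> */var/(log|run|spool)/|(rm .*|> *[^ ]*)\.bash_history'
}

# Count such lines in a log file and print the number.
count_log_tampering() {   # count_log_tampering FILE
    local n=0 line
    while IFS= read -r line; do
        is_log_tampering "$line" && n=$((n + 1))
    done < "$1"
    echo "$n"
}
```

Two caveats when using this for real: tcp_wrappers rules only take effect where sshd is still built against libwrap (newer OpenSSH builds are not, in which case iptables has to enforce the same restriction), and the PROMPT_COMMAND hook is evidence, not protection: a root intruder can unset it, and the records land in /var/log/messages, which this intruder emptied, so forward syslog to another host if the records are to survive.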




7. Trojan analysis
Later I opened the trojan program as a hex dump and had a look. It is only a trojan with DDoS capability; it did not delete the server configuration and does not do too much harm to the server itself. The procedure is as follows:
