First, log in to the system and check its overall state with the top command.
[Screenshot 1.png: http://s2.51cto.com/wyfs02/M02/7D/9E/wKiom1brpiCDUC0-AABRjMuIT0Q267.png]
Something is clearly wrong: the process at the top of the list is eating a large share of the CPU.
Judging by its file name, this is not a normal system process.
Use the process ID to find where the executable lives (the /proc/<PID>/exe link resolves it even when the process was started under another name); the steps are as follows:
[Screenshot 2.png: http://s2.51cto.com/wyfs02/M02/7D/9B/wKioL1brprCzu8f8AAA5DBY8cm8722.png]
Next, look more closely at the files under /usr/bin:
[Screenshot 3.png: http://s5.51cto.com/wyfs02/M01/7D/9B/wKioL1brprHTgOLWAAA9bFZoYVo607.png]
The first file is very unusual; look at its attributes in particular (owner, permissions and timestamps).
Continuing with the ps command, we discover:
[Screenshot 4.png: http://s5.51cto.com/wyfs02/M00/7D/9E/wKiom1brpiGxzDCTAAAwplmYocQ099.png]
Now look at the dpkgd program:
/usr/bin/dpkgd/ps -ef
[Screenshot 5.png: http://s5.51cto.com/wyfs02/M00/7D/9B/wKioL1brprHjHW2PAAAlYkaM9vk039.png]
These are the commands living under dpkgd.
Compare that with the normal ps: what the system's ps command shows is an illusion. The ps on the PATH has evidently been replaced with a copy that filters the intruder's processes out of its output.
Next, check whether crontab carries a watchdog entry for the malware:
[Screenshot 6.png: http://s5.51cto.com/wyfs02/M00/7D/9B/wKioL1brprHSJoDKAAAgRQtdW4A079.png]
Something odd turns up: a kill.sh job that runs every 3 minutes.
Asking around confirmed that nobody had set up this job.
[Screenshot 7.png: http://s2.51cto.com/wyfs02/M01/7D/9E/wKiom1brpiKS5iBOAAAyodulCos413.png]
Dump its contents:
[Screenshot 8.png: http://s2.51cto.com/wyfs02/M02/7D/9E/wKiom1brpiLgcR4zAAAlHjdOFmE679.png]
The content is easy to read: a simple shell script.
It checks the state of the network interface and brings it back up, so even if you take the interface down, it comes up again automatically.
Next, look at the dmesg output:
[Screenshot 9.png: http://s2.51cto.com/wyfs02/M02/7D/9E/wKiom1brpiLhu3_JAABp4mcXAyk568.png]
This is the kernel's connection queue overflowing: the compromised host (a "broiler", i.e. a zombie in someone's botnet) is sending packets so fast that the queue fills up and the log is flooded with these messages.
A development machine cannot legitimately generate this much traffic.
That is the basic picture.
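The triage steps above (resolve a PID to its executable, compare what ps reports with the kernel's own process list, spot a watchdog crontab entry that fires every few minutes, list freshly changed files in /usr/bin) collected in one bash script. This is an added example, not the author's commands. The crontab contents and file timestamps used in --demo mode are constructed, the /root/kill.sh path in them is a placeholder (the post does not give the script's location), and the --live mode assumes a Linux host with /proc and a procps-style ps.

```bash
#!/bin/bash
# Triage helpers for a host with a trojanised ps, a cron watchdog that
# respawns the malware and fresh binaries dropped into /usr/bin.
# Added example, not the original author's commands. demo() uses constructed
# sample data so the script runs offline; --live runs the same checks on a
# real host (run as root, ideally with a known-good copy of ps/find/awk).

# Resolve what a PID is really executing. A binary deleted after launch
# shows up with a " (deleted)" suffix; a renamed one shows its real path.
pid_exe() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# PIDs listed in file $1 but absent from file $2 (one PID per line).
diff_pid_lists() {
    grep -vxFf "$2" "$1" || true
}

# Compare the kernel's view (/proc) with what ps reports. A ps that filters
# its own output leaves PIDs that exist in /proc but never appear in ps.
# ps runs first, then /proc is read through the shell's own glob so the
# comparison itself creates no new PIDs. Short-lived processes can still
# show up once; rerun before treating a PID as hidden.
hidden_pids_live() {
    local ps_list proc_list d
    ps_list=$(mktemp); proc_list=$(mktemp)
    ps -e -o pid= | tr -d ' ' > "$ps_list"
    for d in /proc/[0-9]*; do echo "${d#/proc/}"; done > "$proc_list"
    diff_pid_lists "$proc_list" "$ps_list"
    rm -f "$ps_list" "$proc_list"
}

# Crontab lines that fire every minute or every N<=5 minutes: the schedule a
# "restart me if killed" watchdog such as kill.sh needs. Comments, blank
# lines and VAR=value lines are skipped; only the minute field is inspected,
# so the extra user column of /etc/crontab does not matter.
frequent_cron_entries() {
    awk '
        /^[[:space:]]*(#|$)/       { next }
        /^[[:space:]]*[A-Za-z_]+=/ { next }
        {
            m = $1
            if (m == "*") { print; next }
            if (m ~ /^\*\/[0-9]+$/) { split(m, a, "/"); if (a[2] + 0 <= 5) print }
        }' "$1"
}

# Regular files directly under $1 modified within the last $2 days.
# Package-managed directories such as /usr/bin rarely change outside updates.
recent_files() {
    find "$1" -maxdepth 1 -type f -mtime -"$2" 2>/dev/null | sort
}

# Demo on constructed data: a crontab with a 3-minute watchdog among benign
# jobs, and a directory holding one old and one freshly written file.
demo() {
    local tmp cron
    tmp=$(mktemp -d)
    cron="$tmp/crontab"
    cat > "$cron" <<'EOF'
SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command   (constructed sample; kill.sh path is a placeholder)
*/3 * * * * root /root/kill.sh
0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/30 * * * * root /usr/bin/update-checker
EOF
    touch -t 201501010000 "$tmp/old-bin"   # mtime in 2015: not recent
    touch "$tmp/new-bin"                   # mtime now: recent
    echo "== frequent cron entries =="; frequent_cron_entries "$cron"
    echo "== files changed in the last 7 days =="; recent_files "$tmp" 7
    rm -rf "$tmp"
}

case "${1:-}" in
    --demo) demo ;;
    --live)
        echo "== PIDs in /proc not shown by ps =="; hidden_pids_live
        echo "== frequent entries in /etc/crontab =="; frequent_cron_entries /etc/crontab
        echo "== /usr/bin files changed in the last 7 days =="; recent_files /usr/bin 7
        ;;
esac
```

Run it with --demo to see the constructed case, or --live on the suspect host. Two caveats for live use: every tool the script calls (ps, find, awk, grep, readlink) can itself have been replaced, so copy statically linked versions from clean media if the package check fails; and per-user crontabs (/var/spool/cron/*) and /etc/cron.d/* need the same frequent_cron_entries pass as /etc/crontab.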
Now let's start removing these trojans.
Remove the .sshd file with rm,
and then:
[Screenshot 10.png: http://s2.51cto.com/wyfs02/M02/7D/9B/wKioL1brprPRgilWAAArYkrOmvA645.png]
Then delete the contents of the shell script.
[Screenshot 11.png: http://s1.51cto.com/wyfs02/M00/7D/9E/wKiom1brpiOgY1vxAAAtaL8o-7g485.png]
I did not delete it here; I changed the path instead.
After this, the ps command no longer works.
No matter; that won't stop us.
Reinstall the ps command via yum.
To find out which package provides ps, ask the package manager (yum provides '*/bin/ps', or rpm -qf /bin/ps while the file still exists): it belongs to procps (procps-ng on newer releases). Knowing these basic commands matters.
[Screenshot 12.png: http://s4.51cto.com/wyfs02/M01/7D/9E/wKiom1brpiPziBzmAAAgAQi4qFs064.png]
With the installation done, run ps -ef again.
The output is different: the processes shown are not the same as before, because now we are looking at the real state of the system.
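A replaced ps is exactly what a package integrity check catches, and on an RPM-based host such as this one the authoritative check is the package database (rpm -Vf /bin/ps reports a changed size, mode or digest; rpm -qf /bin/ps names the owning package), because the reference hashes come from the signed package rather than from the compromised box. As an added example that is not part of the post, the bash script below does the same comparison against a hash manifest recorded from a known-good system and kept off the host, so it can be exercised on any directory; the directory names in the usage comments, and the assumption that paths contain no whitespace, are mine.

```bash
#!/bin/bash
# Integrity check for a directory of command binaries against a manifest
# recorded from a clean system. Added example, not from the post; it mirrors
# what rpm -Vf does using the package database. Paths are assumed to
# contain no whitespace.

# Record "sha256  path" for every regular file directly under $1 into $2.
snapshot_manifest() {
    find "$1" -maxdepth 1 -type f | sort | while read -r f; do
        sha256sum "$f"
    done > "$2"
}

# True when $1 appears as a path in manifest $2.
in_manifest() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit !found }' "$2"
}

# Compare directory $1 with manifest $2. One line per finding:
#   MODIFIED path   hash differs (a swapped ps, as on this host)
#   MISSING  path   listed in the manifest but gone
#   ADDED    path   present but never in the manifest (a dropped file such as .sshd)
# Prints nothing when everything matches.
verify_manifest() {
    local dir="$1" manifest="$2" want path have
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
        else
            have=$(sha256sum "$path" | cut -d' ' -f1)
            [ "$have" = "$want" ] || echo "MODIFIED $path"
        fi
    done < "$manifest"
    find "$dir" -maxdepth 1 -type f | sort | while read -r path; do
        in_manifest "$path" "$manifest" || echo "ADDED    $path"
    done
}

# Usage (paths are assumptions):
#   ./binverify.sh --snapshot /usr/bin /mnt/usb/usr-bin.sha256   # on a clean host of the same release
#   ./binverify.sh --verify   /usr/bin /mnt/usb/usr-bin.sha256   # on the suspect host
case "${1:-}" in
    --snapshot) snapshot_manifest "$2" "$3" ;;
    --verify)   verify_manifest   "$2" "$3" ;;
esac
```

The manifest must come from a machine of the same release and patch level, otherwise legitimate updates show up as MODIFIED. On the suspect host, run the check with find and sha256sum copied from clean media: a trojan that replaces ps can just as well replace the tools used to inspect it.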
Kill the PID first, then delete the kill.sh file referenced by the crontab entry found earlier.
[Screenshot 13.png: http://s2.51cto.com/wyfs02/m00/7d/9b/wkiol1brqghqnbe6aaah6igu8-u514.png]
It turns out that kill alone does not work: a watchdog restarts the process as soon as it is terminated.
"Doctor" South African Ant 2016/3/18 15:02:30
So I'll run this command instead.
"Doctor" South African Ant 2016/3/18 15:02:45
kill -STOP 4440
"Doctor" South African Ant 2016/3/18 15:03:21
Let's see whether it still comes back.
"Doctor" South African Ant 2016/3/18 15:03:28
Then keep watching the script.
"Doctor" South African Ant 2016/3/18 15:03:30
[Screenshot 16.png: http://s2.51cto.com/wyfs02/m01/7d/9e/wkiom1brqqccakkpaaatbyilt8u228.png]
"Doctor" South African Ant 2016/3/18 15:03:56
The actual culprit here is: cp /lib/libkill.so /lib/libkill.so.6
"Doctor" South African Ant 2016/3/18 15:05:08
Now the world is quiet.
[Screenshot 17.png: http://s5.51cto.com/wyfs02/M01/7D/9B/wKioL1brqa6SSK0jAAAtBYilT8U419.png]
"Doctor" South African Ant 2016/3/18 15:05:16
But the problem is far from over.
"Doctor" South African Ant 2016/3/18 15:06:59
Let's do the finishing work and clear out the backdoor.
"Doctor" South African Ant 2016/3/18 15:09:59
First lock down the /etc/crontab file with chattr +i.
"Doctor" South African Ant 2016/3/18 15:11:06
Then find the most recently created suspicious files and delete them.
[Screenshot 18.png: http://s1.51cto.com/wyfs02/M01/7D/9E/wKiom1brqk3SQgfOAAAzeRwBdyg077.png]
"Doctor" South African Ant 2016/3/18 15:11:20
Note the command used here.
"Doctor" South African Ant 2016/3/18 15:11:31
From the output you can see which processes are suspicious.
"Doctor" South African Ant 2016/3/18 15:12:56
A very interesting thing turned up during the removal.
[Screenshot 19.png: http://s2.51cto.com/wyfs02/M01/7D/9C/wKioL1brqzXz1UfaAAAdSbeDNyU658.png]
"Doctor" South African Ant 2016/3/18 15:15:23
Look at this; note where it points.
"Doctor" South African Ant 2016/3/18 15:15:23
Obviously, these files and the files they point to get deleted.
"Doctor" South African Ant 2016/3/18 15:17:18
Of course, this can't stay.
[Screenshot 20.png: http://s4.51cto.com/wyfs02/M02/7D/9F/wKiom1brrO7hEdO_AAAgjJ_HIJ8065.png]
"Doctor" South African Ant 2016/3/18 15:17:23
Delete it.
[Screenshot 21.png: http://s2.51cto.com/wyfs02/M01/7D/9F/wKiom1brrUCRiZ6qAAASSlBO724854.png]
"Doctor" South African Ant 2016/3/18 15:22:25
There must be no suspicious files left in /usr/bin.
"Doctor" South African Ant 2016/3/18 15:22:31
Find the newest files.
"Doctor" South African Ant 2016/3/18 15:23:51
Delete those files, then run the last command:
"Doctor" South African Ant 2016/3/18 15:23:58
kill -9 4440
"Doctor" South African Ant 2016/3/18 15:24:11
That was the last trojan file.
[Screenshot 22.png: http://s5.51cto.com/wyfs02/M02/7D/9F/wKiom1brrXiDRDUkAAAe5iKBkxc246.png]
"Doctor" South African Ant 2016/3/18 15:26:12
Now watch whether new files get generated.
[Screenshot 23.png: http://s3.51cto.com/wyfs02/M00/7D/9C/wKioL1brrkPxhYw3AAAhWXysO0c938.png]
"Doctor" South African Ant 2016/3/18 15:26:29
It doesn't come back.
[Screenshot 24.png: http://s5.51cto.com/wyfs02/m01/7d/9c/wkiol1brrp_rzhafaabr6jvnyty645.png]
This article is from the "Lake and Laughter" blog; please keep this source when reposting: http://hashlinux.blog.51cto.com/9647696/1752589
Catching a "broiler" live (by South African Ant)