Virus discovery: On the monitoring screen I noticed that DMZ traffic suddenly reached 900M, causing high latency in the DMZ. Tracing down through the downlink ports, I finally locked the source to a server in the academic affairs office. The server runs CentOS 6.4 and provides a web service to the outside.
Virus characteristics: The server had many unfamiliar processes running as root, continuously sending out abnormal requests and consuming a great deal of CPU and network bandwidth, so that requests to the server went unanswered.
Virus targeting: The first thing I saw with the top command was a pattern in the names of these abnormal processes: each one consists of 10 random lowercase English letters. Every time I killed them with kill, new ones came up, and there were more and more of them.
I located the executables of these processes with the which command and tried to remove them, but this failed because they were regenerated shortly after I deleted them.
I checked the scheduled tasks (i.e. the file /etc/crontab) and finally made a big discovery: I found the following line
*/3 * * * * root /etc/cron.hourly/gcc.sh
This makes the system execute the script every three minutes. Not only that, I also found a total of five lines with the same content, which means the system runs this task five times every three minutes, so there are periods when it is especially busy.
I then checked the startup files (under the /etc/init.d/ directory) and found many unfamiliar files whose names are also made up of 10 random lowercase English letters. In the subdirectories of /etc/rc.d/, such as rc0.d/, there are many link files pointing to these abnormal self-starting files in /etc/init.d/.
Virus execution: The abnormal files run automatically at every boot, append tasks to /etc/crontab, and generate the gcc.sh file in /etc/cron.hourly/. So even if I kill the virus processes with kill, they run again every three minutes.
Virus cleanup:
Step one: Delete the contents of /etc/crontab and delete the file /etc/cron.hourly/gcc.sh, so that the virus program no longer runs every 3 minutes. As a precaution, we can also set the immutable attribute i on the file /etc/crontab and the directory /etc/cron.hourly/ (chattr +i filename) so that the two cannot be easily modified.
Step two: Kill the virus processes (kill -9 pid).
Step three: Delete the virus program files under /bin/ and /usr/bin/ (identify them by file name, i.e. 10 random English letters).
Step four: Delete the self-starting files. Delete all abnormal self-starting files under /etc/init.d/ (identify them by file name, i.e. 10 random English letters), and delete the links to those virus files in the subdirectories of /etc/rc.d/.
Step five: Remove the attribute from /etc/crontab and /etc/cron.hourly/ (chattr -i filename). Restart the server when finished.
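The three persistence points the steps above clean up (the crontab entries, the 10-letter init.d scripts, and the rc.d links to them) can be audited before touching anything. The script below is an added example, not from the original post; it takes a root path as a parameter and builds a constructed sample tree so it can be run offline (the names qwertyuiop and abcdefghij are made up).

```shell
#!/bin/sh
# Audit the persistence points described in the post. All paths are relative
# to ROOT so the checks can run against a sample tree or against "/".

# Entries in DIR whose names are exactly 10 lowercase letters.
suspicious_names() {
    ls -1 "$1" 2>/dev/null | grep -E '^[a-z]{10}$' || true
}

# Number of crontab lines that invoke the dropper script.
cron_hits() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c 'cron\.hourly/gcc\.sh' "$1" || true
}

# rc*.d symlinks whose target is one of the suspicious init.d names.
rc_links_to() {
    rcdir="$1"; initdir="$2"
    for n in $(suspicious_names "$initdir"); do
        find "$rcdir" -type l -lname "*/$n" 2>/dev/null
    done
}

audit() {
    root="$1"
    echo "cron lines invoking gcc.sh: $(cron_hits "$root/etc/crontab")"
    echo "suspicious init scripts:"; suspicious_names "$root/etc/init.d"
    echo "rc links pointing at them:"; rc_links_to "$root/etc/rc.d" "$root/etc/init.d"
}

# Constructed sample tree mimicking the infected host (assumed names, not real IoCs).
build_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/init.d" "$root/etc/rc.d/rc3.d" "$root/etc/cron.hourly"
    : > "$root/etc/init.d/sshd"           # legitimate service, 4 letters
    : > "$root/etc/init.d/qwertyuiop"     # 10 random letters
    : > "$root/etc/init.d/abcdefghij"     # 10 random letters
    ln -s ../../init.d/sshd "$root/etc/rc.d/rc3.d/S55sshd"
    ln -s ../../init.d/qwertyuiop "$root/etc/rc.d/rc3.d/S90qwertyuiop"
    i=0
    while [ "$i" -lt 5 ]; do   # five identical entries, as found in the post
        echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> "$root/etc/crontab"
        i=$((i + 1))
    done
    echo "$root"
}

SAMPLE=$(build_sample)
audit "$SAMPLE"
rm -rf "$SAMPLE"
```

Run `audit /` on a live host to check the real directories; the output only lists candidates for the manual review in the steps above.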
Summary: Related files
/etc/init.d/ /etc/rc.d/ /etc/crontab /etc/cron.hourly/
Related command tools
top, which, kill, chattr, rm
This article is from the "JLTX_LGQ" blog; reprinting is declined.
CentOS 6.4 and the treatment of a stubborn virus