1. The traffic graph shows a problem
Checking at the time, the page was very laggy and sometimes did not respond at all.
2. Check the processes with top
I immediately telnetted to the problem server. The remote session was very laggy and the network card's outbound traffic was very large. With top I found an abnormal process taking a high share of resources; without looking carefully at the name, you would really take it for a web service process.
4. Kill the abnormal process and keep tracking
- killall -9 nginx1
- rm -f /etc/nginx1
After that, the traffic dropped immediately and the remote session stopped lagging. We deleted the program file and killed the abnormal process, so is the clean-up done? Think about it: it is not that simple. This is a Trojan, so it will surely generate its program files again (and indeed it did, just as I expected; I did not understand this at first, but the files were regenerated later). We have to keep chasing it.
5. Check the login log and the secure log file
I checked the account login records with the last command and everything was OK. Looking at the system messages file I found nothing, but when I looked at the secure file I found some anomalies related to authentication, which looked like connection attempts.
7. Discovery of more unusual files
Looking at the crontab scheduled-task file turned up nothing at first, and the system boot file rc.local showed nothing unusual either. Then I went into the /etc/init.d directory and found the rather bizarre script files DbSecuritySpt and selinux.
Third, manual removal of the Trojan
The approximate steps are summarized as follows:
1. Quick check for whether the Trojan is present
- # check whether the following files exist
- cat /etc/rc.d/init.d/selinux
- cat /etc/rc.d/init.d/DbSecuritySpt
- ls /usr/bin/bsd-port
- ls /usr/bin/dpkgd
- # check whether the sizes are normal
- ls -lh /bin/netstat
- ls -lh /bin/ps
- ls -lh /usr/sbin/lsof
- ls -lh /usr/sbin/ss
2. Upload clean copies of the following commands to /root
- ps netstat ss lsof
3. Delete the following directories and files
- rm -rf /usr/bin/dpkgd  # (ps netstat lsof ss)
- rm -rf /usr/bin/bsd-port  # Trojan program
- rm -f /usr/bin/.sshd  # Trojan backdoor
- rm -f /tmp/gates.lod
- rm -f /tmp/moni.lod
- rm -f /etc/rc.d/init.d/DbSecuritySpt  # (starts the Trojan variant program described above)
- rm -f /etc/rc.d/rc1.d/S97DbSecuritySpt
- rm -f /etc/rc.d/rc2.d/S97DbSecuritySpt
- rm -f /etc/rc.d/rc3.d/S97DbSecuritySpt
- rm -f /etc/rc.d/rc4.d/S97DbSecuritySpt
- rm -f /etc/rc.d/rc5.d/S97DbSecuritySpt
- rm -f /etc/rc.d/init.d/selinux  # (by default starts /usr/bin/bsd-port/getty)
- rm -f /etc/rc.d/rc1.d/S99selinux
- rm -f /etc/rc.d/rc2.d/S99selinux
- rm -f /etc/rc.d/rc3.d/S99selinux
- rm -f /etc/rc.d/rc4.d/S99selinux
- rm -f /etc/rc.d/rc5.d/S99selinux
4. Find the abnormal process and kill it
5. Remove the Trojan's replacement commands and reinstall them (or upload the normal programs and copy them over; that works too)
I could not seem to reinstall them myself, so I copied the commands over from a normal machine.
- # ps
- /root/chattr -i -a /bin/ps && rm -f /bin/ps
- yum reinstall procps -y  or  cp /root/ps /bin
- # netstat
- /root/chattr -i -a /bin/netstat && rm -f /bin/netstat
- yum reinstall net-tools -y  or  cp /root/netstat /bin
- # lsof
- /root/chattr -i -a /usr/sbin/lsof && rm -f /usr/sbin/lsof
- yum reinstall lsof -y  or  cp /root/lsof /usr/sbin
- # ss
- /root/chattr -i -a /usr/sbin/ss && rm -f /usr/sbin/ss
- yum -y reinstall iproute  or  cp /root/ss /usr/sbin
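The five steps above (check for the indicator files, upload clean copies, delete the persistence files, kill the process, restore the replaced commands) are repetitive enough to script. The following triage helper is an added example, not the original author's script: it lists the indicator paths that exist, compares ps/netstat/lsof/ss byte-for-byte against the clean copies uploaded to /root (a byte comparison is more reliable than eyeballing sizes with ls -lh), and removes the persistence files from step 3 after clearing the immutable and append-only attributes. ROOT and CLEAN_DIR are assumptions added here so the checks can be pointed at a mounted disk image or a test tree instead of the live system; the file names use the DbSecuritySpt casing of this Trojan family, which the post shows with inconsistent case.

```shell
#!/bin/sh
# Added triage helper for the indicators listed in the post above.
# Assumptions (not from the post): ROOT is the filesystem to inspect
# (default "/"), CLEAN_DIR holds the uploaded clean binaries (default /root).
# Usage: sh triage.sh report        (read-only report on the live system)

# Files, directories and rc links the post says the Trojan leaves behind.
ioc_paths() {
    cat <<'EOF'
/etc/rc.d/init.d/selinux
/etc/rc.d/init.d/DbSecuritySpt
/usr/bin/bsd-port
/usr/bin/dpkgd
/usr/bin/.sshd
/tmp/gates.lod
/tmp/moni.lod
EOF
    for n in 1 2 3 4 5; do
        printf '/etc/rc.d/rc%s.d/S97DbSecuritySpt\n' "$n"
        printf '/etc/rc.d/rc%s.d/S99selinux\n' "$n"
    done
}

# System binaries the post says the Trojan replaces.
REPLACED_BINS="/bin/ps /bin/netstat /usr/sbin/lsof /usr/sbin/ss"

# Print every indicator path that exists under root $1 (default "/").
find_ioc_paths() {
    root="${1%/}"
    for p in $(ioc_paths); do
        [ -e "$root$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Print each replaced binary under root $1 that differs from (or is missing
# next to) the known-good copy of the same name in clean dir $2.
find_tampered_bins() {
    root="${1%/}"
    clean="$2"
    for b in $REPLACED_BINS; do
        name="${b##*/}"
        if [ ! -f "$clean/$name" ]; then
            printf 'no clean copy for %s in %s\n' "$b" "$clean" >&2
            continue
        fi
        cmp -s "$root$b" "$clean/$name" || printf '%s\n' "$b"
    done
    return 0
}

# Remove the indicator paths present under root $1 (the rm list from step 3).
# The Trojan sets immutable/append-only attributes, so clear them first;
# chattr may be unavailable or unsupported on the filesystem, which is fine.
remove_ioc_paths() {
    root="${1%/}"
    for p in $(find_ioc_paths "$root"); do
        if command -v chattr >/dev/null 2>&1; then
            chattr -i -a "$root$p" 2>/dev/null || true
        fi
        rm -rf "$root$p"
    done
    return 0
}

# Read-only report; only runs when invoked with the "report" argument so that
# sourcing this file touches nothing.
if [ "${1:-}" = report ]; then
    root="${ROOT:-/}"
    clean="${CLEAN_DIR:-/root}"
    echo "== indicator paths present =="
    find_ioc_paths "$root"
    echo "== replaced binaries differing from copies in $clean =="
    find_tampered_bins "$root" "$clean"
    echo "== attributes on the replaced binaries ('i' = immutable) =="
    command -v lsattr >/dev/null 2>&1 && lsattr $REPLACED_BINS 2>/dev/null || true
    echo "== package verification (rpm-based systems only) =="
    command -v rpm >/dev/null 2>&1 && rpm -Vf $REPLACED_BINS || true
fi
```

Run the report first and only call remove_ioc_paths once you have confirmed the listed paths really belong to the Trojan. Because the Trojan replaces ps, netstat, lsof and ss, run the report with the uploaded clean binaries on PATH (for example PATH=/root:$PATH), or from a rescue system with the disk mounted and ROOT pointed at the mount.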
Trojans and Trojan removal on a Linux server