Troubleshoot malicious packet sending on the server
On the 30th, I found that the traffic of one server in another service line of my data center was extremely high (the outbound traffic of that single server exceeded 900 MB), and access to the server was particularly slow because the traffic was crowding out service access. We suspected that this Linux server had been infected with a Trojan, so as an emergency measure we first shut down the server's WAN port and then carried out the following troubleshooting:
1. Troubleshoot viruses and Trojans.
1.1 Use netstat to view the network connections and analyze whether there is any suspicious sending behavior. If there is, stop it.
A suspicious scheduled task (an upper-case CRONTAB entry) was found on the server; the entry was cleared and the scheduled tasks were then checked.
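The netstat and crontab review in step 1.1 can be scripted so that it is repeatable across hosts. The following is an added example and is not part of the original write-up: it runs against constructed sample output of `netstat -antp` and a constructed crontab (neither taken from the affected server), and the threshold of three established connections per process and the path patterns it flags are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for step 1.1. The sample data below is
# constructed for illustration and is not output from the affected server.

# Constructed `netstat -antp` output: a normal sshd session plus one hidden
# process (".sshd") holding several outbound connections with full send queues.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 1450/sshd
tcp        0  65535 10.0.0.5:43211          198.51.100.7:80         ESTABLISHED 2311/.sshd
tcp        0  65535 10.0.0.5:43212          198.51.100.8:80         ESTABLISHED 2311/.sshd
tcp        0  65535 10.0.0.5:43213          198.51.100.9:80         ESTABLISHED 2311/.sshd'

# Constructed crontab: one legitimate entry and one running a script from /tmp.
SAMPLE_CRON='# m h dom mon dow command
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/3 * * * * /tmp/.x/run.sh'

# Read netstat output on stdin; print "count bytes_queued pid/program" for every
# process with at least $1 ESTABLISHED connections (default 3). A flood sender
# typically shows many connections and a large total Send-Q (third column).
flag_busy_senders() {
    awk -v t="${1:-3}" '
        $6 == "ESTABLISHED" { conns[$7]++; queued[$7] += $3 }
        END { for (p in conns) if (conns[p] >= t) print conns[p], queued[p], p }'
}

# Read crontab text on stdin; print entries whose command runs from a temp
# directory or from a hidden (dot-prefixed) path, which are rarely legitimate
# on a server. Comment and blank lines are skipped.
flag_suspicious_cron() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $0 ~ "(^|[ \t])/(tmp|var/tmp|dev/shm)/" { print "tmp-path:", $0; next }
        $0 ~ "/\\.[^/ \t]+" { print "hidden-path:", $0 }'
}

# Live use (as root on the affected host):
#   netstat -antp | flag_busy_senders 3
#   { crontab -l 2>/dev/null; cat /etc/crontab /etc/cron.d/* 2>/dev/null; } | flag_suspicious_cron
```

On the constructed sample, `flag_busy_senders 3` reports only the hidden `.sshd` process (three connections, roughly 196 KB queued for sending), and `flag_suspicious_cron` reports only the `/tmp/.x/run.sh` entry. The per-user crontabs under /var/spool/cron should be fed through the same function for every account, not just root.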
(For common Linux Trojans, run the following clean-up commands. They remove the hidden .sshd and .swhd binaries and the bsd-port directory, replace ps, netstat, lsof and ss with the copies kept under /usr/bin/dpkgd, remove /root/.ssh, and finally kill every running process whose executable has been deleted from disk:
    # remove the immutable flag, then delete the hidden binaries
    chattr -i /usr/bin/.sshd; rm -f /usr/bin/.sshd
    chattr -i /usr/bin/.swhd; rm -f /usr/bin/.swhd
    rm -f -r /usr/bin/bsd-port
    # put back the tools that the Trojan replaced
    cp /usr/bin/dpkgd/ps /bin/ps
    cp /usr/bin/dpkgd/netstat /bin/netstat
    cp /usr/bin/dpkgd/lsof /usr/sbin/lsof
    cp /usr/bin/dpkgd/ss /usr/sbin/ss
    rm -r -f /root/.ssh
    rm -r -f /usr/bin/bsd-port
    # kill every process whose executable no longer exists on disk
    find /proc/ -name exe | xargs ls -l | grep -v task | grep deleted | awk '{print $11}' | awk -F/ '{print $NF}' | xargs killall -9
)
1.2 Use anti-virus software to scan for and remove viruses.
2. Troubleshoot and fix server vulnerabilities
2.1 Check whether any server account is abnormal. If so, disable and delete it.
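The account review in step 2.1 comes down to three questions: is there a second UID-0 account, which accounts can log in interactively, and which accounts have no password at all. The following is an added example, not part of the original write-up; SAMPLE_PASSWD and SAMPLE_SHADOW are constructed files in /etc/passwd and /etc/shadow format (the hashes are placeholders), and the allowlist of expected accounts is whatever the administrator passes as arguments.

```shell
#!/bin/sh
# Added example: account review for step 2.1. The sample files below are
# constructed for illustration; the hash fields are placeholders, not real hashes.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
sysadm:x:0:0::/:/bin/sh
svc_www:x:1001:1001::/var/www:/bin/bash'

SAMPLE_SHADOW='root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
admin:$6$saltsalt$placeholderhash:19000:0:99999:7:::
sysadm::19000:0:99999:7:::
svc_www:!:19000:0:99999:7:::'

# Read passwd-format lines on stdin; print every account other than root whose
# UID is 0. A second UID-0 account is a common way of keeping root access.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Read passwd-format lines on stdin; print accounts with an interactive shell
# that are not in the allowlist given as arguments, e.g.
#   unexpected_interactive_accounts root admin < /etc/passwd
unexpected_interactive_accounts() {
    awk -F: -v allowed=" $* " '
        $7 !~ /(nologin|false)$/ && index(allowed, " " $1 " ") == 0 { print $1 }'
}

# Read shadow-format lines on stdin; print accounts whose password field is
# empty, which means they can log in with no password at all. Locked accounts
# ("!" or "*") are not reported.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# Live use (as root):
#   extra_uid0_accounts < /etc/passwd
#   unexpected_interactive_accounts root admin < /etc/passwd
#   passwordless_accounts < /etc/shadow
```

On the constructed sample, `sysadm` is reported by all three checks (UID 0, not in the allowlist, empty password) and `svc_www` only by the allowlist check, which is the kind of result that should be compared against change records before anything is deleted.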
2.2 Check whether the server allows remote login. If so, change the password to a strong one (upper- and lower-case letters + numbers + special symbols, 10 or more characters).
2.3 Check the admin passwords of Jenkins, Tomcat, phpMyAdmin, WDCP, and WebLogic and increase their strength (upper- and lower-case letters + numbers + special symbols, 10 or more characters).
2.4 Check whether the web applications, such as Struts and Elasticsearch, have known vulnerabilities. If so, upgrade them.
2.5 Check the other password settings, such as MySQL, SQL Server, FTP, and the web management consoles, and increase their strength (upper- and lower-case letters + numbers + special symbols, 10 or more characters).
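Steps 2.2 to 2.5 all apply the same password rule (upper- and lower-case letters, a digit, a special symbol, at least 10 characters), so it is worth having a single check to run new passwords through before they are set on each service. The following is an added example, not part of the original write-up: the checker implements exactly the rule stated above, and the generator's alphabet and its 16-character default length are assumptions of this example.

```shell
#!/bin/sh
# Added example: enforce the password rule from steps 2.2 to 2.5.
# LC_ALL=C makes the [A-Z] and [a-z] ranges below mean plain ASCII letters.
LC_ALL=C
export LC_ALL

# Return 0 if $1 meets the rule; otherwise print each unmet requirement and
# return 1. Pass the candidate password as the only argument.
check_password_strength() {
    pw=$1
    rc=0
    [ "${#pw}" -ge 10 ] || { echo "shorter than 10 characters"; rc=1; }
    case "$pw" in *[A-Z]*) ;; *) echo "no upper-case letter"; rc=1 ;; esac
    case "$pw" in *[a-z]*) ;; *) echo "no lower-case letter"; rc=1 ;; esac
    case "$pw" in *[0-9]*) ;; *) echo "no digit"; rc=1 ;; esac
    case "$pw" in *[!A-Za-z0-9]*) ;; *) echo "no special character"; rc=1 ;; esac
    return $rc
}

# Generate a random password of $1 characters (default 16) from /dev/urandom and
# retry until it passes check_password_strength, so an unlucky draw with, say,
# no digit is never handed out. The alphabet is an assumption of this example.
generate_password() {
    len=${1:-16}
    [ -r /dev/urandom ] || { echo "no /dev/urandom available" >&2; return 1; }
    while :; do
        candidate=$(tr -dc 'A-Za-z0-9!@#%^&*_+=' </dev/urandom | head -c "$len")
        if check_password_strength "$candidate" >/dev/null; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
}

# Usage: ./passcheck.sh 'candidate-password'   (prints nothing and exits 0 if ok)
#        ./passcheck.sh                         (prints a generated 16-char password)
if [ $# -gt 0 ]; then
    check_password_strength "$1"
else
    generate_password
fi
```

Calling `check_password_strength 'password123'` prints "no upper-case letter" and "no special character" and returns 1; a password that satisfies all five requirements prints nothing and returns 0.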
2.6 Check for the unauthenticated Redis remote file-write vulnerability: look under /root/.ssh/ for an SSH key file created by the attacker and delete it, configure Redis to require a password (a strong one), and preferably bind it to 127.0.0.1 so that it is reachable only locally and not from the public network.
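The Redis exposure in step 2.6 can be audited from the configuration file and from the contents of root's authorized_keys. The following is an added example, not part of the original write-up: WEAK_REDIS_CONF and HARDENED_REDIS_CONF are constructed redis.conf fragments (the `requirepass` value is a placeholder to be replaced), SAMPLE_AUTH_KEYS is a constructed authorized_keys file whose key bodies are fake, and the set of settings checked is an assumption of this example rather than a complete Redis hardening list.

```shell
#!/bin/sh
# Added example: audit helpers for step 2.6. All sample data is constructed.

# Weak fragment: listens on all interfaces, no password, protected mode off,
# and a dump location/name that lets a dump land in root's SSH directory.
WEAK_REDIS_CONF='bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
dir /root/.ssh
dbfilename authorized_keys'

# Hardened fragment as step 2.6 recommends: loopback only, password required.
HARDENED_REDIS_CONF='bind 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE-ME-TO-A-STRONG-PASSWORD
dir /var/lib/redis'

# Read redis.conf on stdin; print one line per issue and exit with the number
# of issues found (0 means the checked settings are all as recommended).
audit_redis_conf() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 == "bind" {
            has_bind = 1
            for (i = 2; i <= NF; i++)
                if ($i !~ /^-?(127\.0\.0\.1|::1)$/) { print "bind: non-loopback address " $i; issues++ }
            next
        }
        $1 == "requirepass" { has_pass = 1; next }
        $1 == "protected-mode" && $2 == "no" { print "protected-mode: disabled"; issues++; next }
        $1 == "dir" && $2 ~ "/\\.ssh(/|$)" { print "dir: dump directory is an SSH directory (" $2 ")"; issues++; next }
        $1 == "dbfilename" && $2 == "authorized_keys" { print "dbfilename: set to authorized_keys"; issues++; next }
        END {
            if (!has_bind) { print "bind: not set, Redis listens on all interfaces"; issues++ }
            if (!has_pass) { print "requirepass: not set, no authentication required"; issues++ }
            exit issues
        }'
}

# Constructed authorized_keys: one legitimate key, one line of dump residue
# (not a key at all), and one key with no comment identifying its owner.
SAMPLE_AUTH_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFAKEKEYFAKEKEYFAKEKEYFAKEKEY admin@workstation
REDIS0009<binary-garbage>
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKEKEYFAKEKEY'

# Read an authorized_keys file on stdin; list each key as "key: type comment",
# flag lines that are not key lines at all (a dump written into the file leaves
# such residue) and keys without an owner comment. Exit with the issue count.
# Lines that begin with key options (command="...", from="...") are also flagged
# and need a manual look.
audit_authorized_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 !~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-)/ {
            print "not a key line: " substr($0, 1, 40); issues++; next
        }
        NF < 3 { print "key without comment (" $1 ")"; issues++; next }
        { print "key:", $1, $3 }
        END { exit issues }'
}

# Live use (as root):
#   audit_redis_conf < /etc/redis/redis.conf
#   audit_authorized_keys < /root/.ssh/authorized_keys
```

Against the weak fragment the config audit reports five issues (non-loopback bind, protected mode off, dump directory under .ssh, dump file named authorized_keys, and no requirepass); the hardened fragment reports none. Every key that the authorized_keys audit lists, including ones with a plausible comment, should still be matched against the keys the administrators actually issued.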
2.7 If any other third-party software is installed, follow the security guidance on its official website.