Troubleshoot malicious packet sending on the server

Source: Internet
Author: User
Tags: strong password

On the 30th, I found that the traffic of one server in another service line of my data center was extremely high (the outbound traffic of this single server exceeded 900 MB), and access to the service was particularly slow because that traffic was crowding out normal requests. We suspected that this Linux server had been infected with a Trojan, so as an emergency measure we first shut down the server's WAN port and then carried out the following troubleshooting:

1. Troubleshoot viruses and Trojans
1.1 Use netstat to view network connections and analyze whether suspicious sending behavior exists. If it does, stop the responsible process.
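The netstat review in step 1.1 is easier to repeat if the raw connection table is reduced to "which remote addresses is which process talking to, and how much is queued to be sent". The script below is an added example written for this page, not the original author's commands: it reads `netstat -antp` output on stdin, keeps only ESTABLISHED connections whose remote side is outside the private and loopback ranges, and groups them by remote IP and owning process. The sample table it runs on is constructed to resemble an infected host (the `.sshd` process name and the 203.0.113.77 peer are made up for the example).

```shell
#!/bin/sh
# Added example (not from the original article): triage of `netstat -antp`
# output for suspicious outbound sending. Only netstat's column layout is
# assumed (State in field 6, PID/Program name in field 7, Send-Q in field 3).

triage_outbound() {
    awk '
        $6 == "ESTABLISHED" {
            ip = $5; sub(/:[^:]*$/, "", ip)           # strip the port from Foreign Address
            # skip RFC 1918 and loopback peers: only traffic leaving the site matters here
            if (ip ~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) next
            key = ip " " $7                            # $7 is PID/Program name (needs root)
            conns[key]++
            sendq[key] += $3                           # Send-Q: bytes the kernel still has to push out
        }
        END { for (k in conns) print conns[k], sendq[k], k }
    ' | sort -rn
}

# Constructed sample of `netstat -antp` output; not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.0.0.5:44312          203.0.113.77:8080       ESTABLISHED 2144/.sshd
tcp        0      0 10.0.0.5:44313          203.0.113.77:8080       ESTABLISHED 2144/.sshd
tcp        0 212992 10.0.0.5:44314          203.0.113.77:8080       ESTABLISHED 2144/.sshd
tcp        0      0 10.0.0.5:22             10.0.0.9:51022          ESTABLISHED 3011/sshd
tcp        0      0 127.0.0.1:6379          127.0.0.1:40010         ESTABLISHED 901/redis-server'

# Live usage (as root):  netstat -antp | triage_outbound
# On the constructed sample this prints one line:
#   3 212992 203.0.113.77 2144/.sshd
printf '%s\n' "$SAMPLE_NETSTAT" | triage_outbound
```

The first two columns are the connection count and the summed Send-Q; a process that holds many connections to one external address with a large Send-Q backlog is the first candidate to look at with `ls -l /proc/<pid>/exe` and `ls -l /proc/<pid>/cwd` before stopping it.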

An upper-case CRONTAB command was found on the server; the command was cleared and the scheduled task it had created was examined as part of the troubleshooting.

(For common Linux Trojans, the following cleanup sequence is used. It clears the immutable attribute from the planted .sshd/.swhd binaries so they can be removed, deletes the bsd-port directory, restores the original ps/netstat/lsof/ss tools that the Trojan had saved under /usr/bin/dpkgd, removes the planted SSH keys under /root/.ssh, and kills every process whose executable has already been deleted from disk:)

    chattr -i /usr/bin/.sshd
    rm -f /usr/bin/.sshd
    chattr -i /usr/bin/.swhd
    rm -f /usr/bin/.swhd
    rm -f -r /usr/bin/bsd-port
    cp /usr/bin/dpkgd/ps /bin/ps
    cp /usr/bin/dpkgd/netstat /bin/netstat
    cp /usr/bin/dpkgd/lsof /usr/sbin/lsof
    cp /usr/bin/dpkgd/ss /usr/sbin/ss
    rm -r -f /root/.ssh
    rm -r -f /usr/bin/bsd-port
    find /proc/ -name exe | xargs ls -l | grep -v task | grep deleted | awk '{print $11}' | awk -F/ '{print $NF}' | xargs killall -9
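The cleanup sequence above is destructive, so it helps to have a read-only check that reports the same traces first. The script below is an added example written for this page, not part of the original article: it compares the live ps/netstat/lsof/ss against the copies the recipe says the Trojan keeps under /usr/bin/dpkgd, parses `ls -l /proc/*/exe` output for deleted executables using the same field positions as the recipe's awk, flags immutable files from `lsattr` output, and lists every active cron entry. The ROOT argument and the sample inputs in the test are constructed so the checks can run against a test tree instead of a live system.

```shell
#!/bin/sh
# Added example (not from the original article): a read-only audit for the
# traces the cleanup sequence removes. Nothing here deletes or kills.

# Report live tools that differ from the originals saved under usr/bin/dpkgd.
# ROOT (default /) lets the comparison run against a copied or test tree.
check_replaced_tools() {
    root=${1:-/}; root=${root%/}
    for pair in "bin/ps usr/bin/dpkgd/ps" \
                "bin/netstat usr/bin/dpkgd/netstat" \
                "usr/sbin/lsof usr/bin/dpkgd/lsof" \
                "usr/sbin/ss usr/bin/dpkgd/ss"; do
        set -- $pair
        live="$root/$1"; saved="$root/$2"
        [ -f "$live" ] && [ -f "$saved" ] || continue   # no saved copy: nothing to compare
        cmp -s "$live" "$saved" || echo "REPLACED: $live differs from $saved"
    done
    return 0
}

# Report processes whose executable was deleted from disk. Reads
# `ls -l /proc/[0-9]*/exe` output on stdin; field 9 is the link, field 11 the
# target, the same positions the cleanup recipe's awk relies on.
find_deleted_exes() {
    awk '/\(deleted\)$/ {
        pid = $9; sub(/^\/proc\//, "", pid); sub(/\/exe$/, "", pid)
        print "DELETED-EXE: pid " pid " ran " $11
    }'
}

# Flag immutable files from `lsattr` output on stdin: the attribute string is
# field 1 and a lower-case i means the file cannot be removed until chattr -i.
find_immutable() {
    awk '$1 ~ /i/ { print "IMMUTABLE: " $2 }'
}

# List every active (non-comment, non-empty) scheduled task from the system
# crontab, cron.d and the per-user spools. A job nobody installed is the next
# thing to examine.
list_cron_entries() {
    root=${1:-/}; root=${root%/}
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue               # unmatched glob or not a regular file
        grep -Ev '^[[:space:]]*(#|$)' "$f" | sed "s|^|CRON $f: |"
    done
    return 0
}

# Live usage (as root):
#   check_replaced_tools /
#   ls -l /proc/[0-9]*/exe 2>/dev/null | find_deleted_exes
#   lsattr /usr/bin/.sshd /usr/bin/.swhd 2>/dev/null | find_immutable
#   list_cron_entries /
```

Run these before the cleanup and keep the output: the list of replaced tools and deleted executables is the evidence of what the Trojan changed, and the cron listing shows whether the upper-case CRONTAB entry mentioned above is the only persistence the intruder left behind.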

1.2 Use anti-virus software to scan for and remove viruses.


2. Troubleshoot and fix server vulnerabilities
2.1 Check whether any server account is abnormal. If so, disable and delete it.
2.2 Check whether the server has remote logins. If so, change the password to a strong one (upper- and lower-case letters + numbers + special symbols, 10 or more characters).
2.3 Check the admin-console passwords of Jenkins, Tomcat, phpMyAdmin, WDCP, and WebLogic and increase the password strength (upper- and lower-case letters + numbers + special symbols, 10 or more characters).
2.4 Check whether the web applications have vulnerabilities, such as Struts and Elasticsearch. If so, upgrade them.
2.5 Check other password settings, such as MySQL, SQL Server, FTP, and web management consoles, and increase the password strength (upper- and lower-case letters + numbers + special symbols, 10 or more characters).
2.6 Check for the remote file-write vulnerability in a Redis instance that has no password. Look for the SSH key file the attacker created under /root/.ssh and delete it; configure Redis to require a password and use a strong one. It is best to bind Redis to 127.0.0.1 for local access only, with no access from the public network.
2.7 If any third-party software is installed, follow the hardening instructions on its official website.
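Steps 2.1, 2.2/2.3/2.5 and 2.6 can be turned into checks that run the same way every time. The script below is an added example written for this page, not the original author's procedure: a password checker implementing the page's rule (upper- and lower-case letters, a digit, a special symbol, 10 or more characters), an account audit for extra UID 0 users and empty shadow passwords, a listing of the keys in /root/.ssh/authorized_keys, and a redis.conf check for `requirepass` and a loopback-only `bind`. The ROOT argument and the files used in the test are constructed so the checks run against a test tree.

```shell
#!/bin/sh
# Added example (not from the original article): audit helpers for the
# hardening checklist. Paths assume a standard Linux layout under ROOT.

# Steps 2.2/2.3/2.5: the page's password rule. Returns 0 if the rule is met.
password_is_strong() {
    p=$1
    [ "${#p}" -ge 10 ]                               || return 1
    printf '%s' "$p" | grep -q '[[:upper:]]'         || return 1
    printf '%s' "$p" | grep -q '[[:lower:]]'         || return 1
    printf '%s' "$p" | grep -q '[[:digit:]]'         || return 1
    printf '%s' "$p" | grep -q '[^[:alnum:]]'        || return 1   # special symbol
    return 0
}

# Step 2.1: accounts that should not exist: a second UID 0 besides root, or an
# account whose shadow entry has no password at all.
check_accounts() {
    root=${1:-/}; root=${root%/}
    awk -F: '$3 == 0 && $1 != "root" { print "UID0: " $1 }' "$root/etc/passwd"
    if [ -r "$root/etc/shadow" ]; then
        awk -F: '$2 == "" { print "NOPASS: " $1 }' "$root/etc/shadow"
    fi
}

# Step 2.6: every key that grants root SSH access, with its comment field so an
# unfamiliar one stands out. Lines that are not "type key comment" (for example
# binary junk written around a key) are printed too, which is itself a tell.
list_root_keys() {
    f=${1:-/}; f="${f%/}/root/.ssh/authorized_keys"
    [ -f "$f" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$f" |
        awk '{ print "ROOTKEY: " $1 " " (NF >= 3 ? $NF : "(no comment)") }'
}

# Step 2.6: redis.conf must carry a requirepass that passes the password rule
# and must bind only to loopback addresses. Prints one finding per problem.
check_redis_conf() {
    conf=$1
    pass=$(awk '$1 == "requirepass" { print $2 }' "$conf" | tail -n 1)
    if [ -z "$pass" ]; then
        echo "REDIS: no requirepass in $conf"
    elif ! password_is_strong "$pass"; then
        echo "REDIS: requirepass in $conf fails the strong-password rule"
    fi
    bind=$(grep -E '^[[:space:]]*bind[[:space:]]' "$conf" | tail -n 1)
    if [ -z "$bind" ]; then
        echo "REDIS: no bind directive in $conf (listens on every interface)"
        return 0
    fi
    for addr in ${bind#*bind}; do                 # tokens after the keyword
        case "$addr" in
            127.0.0.1|-127.0.0.1|::1|-::1) ;;       # loopback only: fine
            *) echo "REDIS: bind $addr in $conf is reachable from outside the host" ;;
        esac
    done
    return 0
}

# Live usage (as root):
#   check_accounts /; list_root_keys /; check_redis_conf /etc/redis/redis.conf
```

A finding from `check_redis_conf` combined with an unexpected line from `list_root_keys` is exactly the pattern step 2.6 describes: Redis reachable without a password, used to write a key into /root/.ssh. Fix the Redis settings first, then remove the key, otherwise it will be written back.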

The content of this page comes from the Internet and does not represent Alibaba Cloud's opinion; the products and services mentioned on the page have no relationship with Alibaba Cloud. If the content of the page confuses you, please write us an email and we will handle the problem within 5 days of receiving it.
