A record of handling a Linux host infiltrated by ssh-scan

Source: Internet
Author: User

In the morning I found that a Linux AS 4 host had been hacked and was running a large number of scanssh processes. Intruders typically take a password dictionary (a passwd.txt of common Linux/Unix application-service accounts such as oracle, sybase, nagios and tuxedo) and try to log in over SSH on port 22, scanning the LAN for hosts with weak passwords and then breaking into them. Looking at the process list there were many ssh-scan processes; the most likely cause is that a password was too simple and got guessed.

Solution: find the program file behind the ssh-scan processes and delete it. Check the scheduled tasks first; no abnormal scheduled task showed up. The final steps were as follows:

1. ps -ef | grep ssh-scan (or ps -ajxf)

ps -ef|grep ssh
500       8923     1  0 Jul02 ?        00:00:22 ./scanssh
500       8928     1  0 Jul02 ?        00:00:22 ./scanssh
500       8929     1  0 Jul02 ?        00:00:20 ./scanssh
500       8937     1  0 Jul02 ?        00:00:18 ./scanssh
500       8938     1  0 Jul02 ?        00:00:21 ./scanssh
500       8939     1  0 Jul02 ?        00:00:21 ./scanssh
500       8941     1  0 Jul02 ?        00:00:18 ./scanssh
500       8948     1  0 Jul02 ?        00:00:17 ./scanssh
500       8949     1  0 Jul02 ?        00:00:14 ./scanssh
500       8953     1  0 Jul02 ?        00:00:21 ./scanssh
500       8955     1  0 Jul02 ?        00:00:17 ./scanssh
500       8957     1  0 Jul02 ?        00:00:27 ./scanssh
500       8966     1  0 Jul02 ?        00:00:22 ./scanssh
500       8967     1  0 Jul02 ?        00:00:22 ./scanssh
500       8968     1  0 Jul02 ?        00:00:22 ./scanssh
500       8969     1  0 Jul02 ?        00:00:10 ./scanssh
500       8971     1  0 Jul02 ?        00:00:21 ./scanssh
500       8975     1  0 Jul02 ?        00:00:00 ./scanssh
500       8980     1  0 Jul02 ?        00:00:00 ./scanssh
500       8984     1  0 Jul02 ?        00:00:18 ./scanssh
500       8986     1  0 Jul02 ?        00:00:06 ./scanssh
500       8996     1  0 Jul02 ?        00:00:03 ./scanssh
500       9015     1  0 Jul02 ?        00:00:31 ./scanssh
500       9016     1  0 Jul02 ?        00:00:21 ./scanssh
500       9019     1  0 Jul02 ?        00:00:19 ./scanssh
500       9025     1  0 Jul02 ?        00:00:21 ./scanssh
500       9026     1  0 Jul02 ?        00:00:20 ./scanssh
500       9031     1  0 Jul02 ?        00:00:37 ./scanssh
500       9059     1  0 Jul02 ?        00:00:00 ./scanssh
500       9061     1  0 Jul02 ?        00:00:00 ./scanssh
500       9062     1  0 Jul02 ?        00:00:00 ./scanssh
500       9066     1  0 Jul02 ?        00:00:20 ./scanssh
500       9067     1  0 Jul02 ?        00:00:21 ./scanssh
500       9077     1  0 Jul02 ?        00:00:20 ./scanssh
500      18696     1  0 Jun28 ?        00:00:00 ./scanssh
500      18697     1  0 Jun28 ?        00:00:00 ./scanssh
500      18698     1  0 Jun28 ?        00:00:00 ./scanssh
500      18699     1  0 Jun28 ?        00:00:00 ./scanssh
500      18706     1  0 Jun28 ?        00:00:00 ./scanssh
500      18715     1  0 Jun28 ?        00:00:00 ./scanssh
500      18716     1  0 Jun28 ?        00:00:05 ./scanssh
500      18727     1  0 Jun28 ?        00:00:00 ./scanssh
500      18731     1  0 Jun28 ?        00:00:00 ./scanssh
500      18733     1  0 Jun28 ?        00:00:00 ./scanssh
500      18740     1  0 Jun28 ?        00:00:00 ./scanssh
500      18741     1  0 Jun28 ?        00:00:02 ./scanssh
500      18747     1  0 Jun28 ?        00:00:00 ./scanssh
500      18760     1  0 Jun28 ?        00:00:04 ./scanssh
500      18762     1  0 Jun28 ?        00:00:00 ./scanssh
500      18767     1  0 Jun28 ?        00:00:00 ./scanssh
500      18770     1  0 Jun28 ?        00:00:01 ./scanssh
500      18789     1  0 Jun28 ?        00:00:00 ./scanssh
500      18791     1  0 Jun28 ?        00:00:00 ./scanssh
500      18800     1  0 Jun28 ?        00:00:00 ./scanssh
500      18821     1  0 Jun28 ?        00:00:00 ./scanssh
500      18822     1  0 Jun28 ?        00:00:00 ./scanssh
500      18823     1  0 Jun28 ?        00:01:10 ./scanssh
500      18824     1  0 Jun28 ?        00:00:00 ./scanssh
500      18828     1  0 Jun28 ?        00:01:17 ./scanssh
500      18829     1  0 Jun28 ?        00:00:04 ./scanssh
500      18832     1  0 Jun28 ?        00:00:00 ./scanssh
500      18833     1  0 Jun28 ?        00:00:00 ./scanssh
500      18836     1  0 Jun28 ?        00:00:00 ./scanssh
500      18838     1  0 Jun28 ?        00:00:00 ./scanssh
500      18841     1  0 Jun28 ?        00:00:02 ./scanssh
500      18842     1  0 Jun28 ?        00:00:03 ./scanssh
500      18863     1  0 Jun28 ?        00:00:02 ./scanssh
500      18866     1  0 Jun28 ?        00:00:00 ./scanssh
500      18884     1  0 Jun28 ?        00:00:00 ./scanssh
500      18896     1  0 Jun28 ?        00:00:02 ./scanssh
500      18899     1  0 Jun28 ?        00:00:00 ./scanssh
500      18902     1  0 Jun28 ?        00:00:00 ./scanssh
500      18907     1  0 Jun28 ?        00:00:00 ./scanssh
500      18916     1  0 Jun28 ?        00:00:16 ./scanssh
500      18917     1  0 Jun28 ?        00:00:00 ./scanssh
500      18938     1  0 Jun28 ?        00:00:04 ./scanssh
500      18942     1  0 Jun28 ?        00:00:00 ./scanssh
500      18943     1  0 Jun28 ?        00:00:02 ./scanssh
500      18947     1  0 Jun28 ?        00:00:00 ./scanssh
500      18951     1  0 Jun28 ?        00:00:00 ./scanssh
500      18953     1  0 Jun28 ?        00:00:00 ./scanssh
500      18969     1  0 Jun28 ?        00:00:00 ./scanssh
500      18982     1  0 Jun28 ?        00:00:00 ./scanssh
500      18988     1  0 Jun28 ?        00:00:00 ./scanssh
500      19018     1  0 Jun28 ?        00:00:13 ./scanssh
500      19027     1  0 Jun28 ?        00:00:00 ./scanssh
500      19053     1  0 Jun28 ?        00:00:30 ./scanssh
500      19061     1  0 Jun28 ?        00:00:00 ./scanssh
500      19086     1  0 Jun28 ?        00:00:19 ./scanssh
500      19095     1  0 Jun28 ?        00:00:00 ./scanssh
500      19103     1  0 Jun28 ?        00:00:00 ./scanssh
500      19111     1  0 Jun28 ?        00:00:00 ./scanssh
root     24539 27230  0 11:32 ?        00:00:00 sshd: swzj [priv]
swzj     24541 24539  0 11:32 ?        00:00:00 sshd: swzj@pts/6
root     27230     1  0 Apr12 ?        00:01:34 /usr/sbin/sshd
root     27657 24598  0 13:28 pts/6    00:00:00 grep ssh

 

2. Find the PID of one of the ssh-scan processes, for example 19061.
3. Go to that process's /proc/PID directory: cd /proc/19061
4. Run ls -al and look at the cwd and exe entries; they point to the directory the program is running from.
5. Kill them all with killall -9 scanssh, then delete that directory. Alternatively:
# ps -ef | grep -v grep | grep scanssh | awk '{print $2}' | xargs kill
# ps -ef | grep -v grep | grep SCREEN | awk '{print $2}' | xargs kill
6. Change all user passwords. netstat -an | grep 22 still showed many connections, so the servers were rebooted; afterwards the system ran normally.

For more information, see: http://www.vvvk.net/archives/311#more-311

Appendix: an introduction to the /proc directory
Original: http://www.freeos.com/articles/2879/ Translated by bugzilla_zhu

The proc file system is a real-time, memory-resident file system that tracks the state of the processes running on your machine and the state of the system itself. There is a great deal to learn from /proc. The most surprising thing about the /proc pseudo file system is that it does not actually exist on any storage medium: it is a pseudo file system resident in virtual memory that holds the operating system's dynamic data. Most of the information in /proc is updated in real time so that it matches the current state of the operating system. The contents of /proc can be read by anyone with the appropriate permissions, but certain parts can only be read by the owner of the process and by root. The information in /proc is obtained from, and presented through, the /proc directory, and it serves many purposes. On Linux we have tools such as lspci, scanpci and pnpdump that detect a great deal about PCI and ISA hardware chip settings and help us choose suitable I/O, DMA and IRQ values.
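The per-process lookup of steps 2 to 4 above (cd /proc/PID, ls -al, read cwd and exe), done programmatically over the /proc tree just introduced. This is an added example, not code from the article; it uses only the /proc files the article lists, the /tmp/.x paths and the scratch-directory and "(deleted)" checks are assumptions, and build_sample_proc constructs a stand-in /proc so the block runs offline.

```python
import os
import re
import tempfile

# Added example (not from the article): automate steps 2 to 4 (cd /proc/PID, ls -al, read
# cwd and exe) using only the /proc files the article lists, so it also works on old kernels.
SCRATCH = ("/tmp/", "/var/tmp/", "/dev/shm/")  # binaries run from here deserve a close look

def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:
        return None  # other users' processes are unreadable without root

def inspect_processes(pattern, proc_root="/proc"):
    """Return [{pid, name, exe, cwd, cmdline, suspicious}] for PIDs matching the regex."""
    rx, found = re.compile(pattern), []
    for entry in (e for e in os.listdir(proc_root) if e.isdigit()):  # numeric = process
        pdir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pdir, "status")) as f:
                name = f.readline().split(":", 1)[1].strip()  # first line: "Name:\t<comm>"
            with open(os.path.join(pdir, "cmdline"), "rb") as f:  # NUL-separated argv
                cmdline = [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]
        except (OSError, IndexError):
            continue  # process exited meanwhile, or not readable
        if not (rx.search(name) or any(rx.search(a) for a in cmdline)):
            continue
        exe, cwd = _readlink(os.path.join(pdir, "exe")), _readlink(os.path.join(pdir, "cwd"))
        suspicious = any((p or "").startswith(SCRATCH) for p in (exe, cwd)) \
            or (exe or "").endswith(" (deleted)")  # binary already unlinked from disk
        found.append({"pid": int(entry), "name": name, "exe": exe, "cwd": cwd,
                      "cmdline": cmdline, "suspicious": suspicious})
    return sorted(found, key=lambda r: r["pid"])

def build_sample_proc(root=None):
    """Constructed /proc stand-in (hypothetical paths): the article's scanner PID and sshd."""
    root = root or tempfile.mkdtemp()
    for pid, name, exe, cwd, argv in (
            (19061, "scanssh", "/tmp/.x/scanssh", "/tmp/.x", ["./scanssh"]),
            (27230, "sshd", "/usr/sbin/sshd", "/", ["/usr/sbin/sshd"])):
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "status"), "w") as f:
            f.write("Name:\t%s\nState:\tS (sleeping)\nPid:\t%d\n" % (name, pid))
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(b"\0".join(a.encode() for a in argv) + b"\0")
        os.symlink(exe, os.path.join(d, "exe"))
        os.symlink(cwd, os.path.join(d, "cwd"))
    return root
```

On a live host call inspect_processes("scanssh") as root; the rows with suspicious set are the ones whose cwd and exe tell you which directory to remove after killing the processes.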
Take the dmesg command as an example:

bash# dmesg

dmesg helps us find out which devices the kernel has detected and initialized. Tools such as ps and top give us an accurate snapshot of the state of the processes running on the machine, listing which are awake and which are sleeping. Have you ever wondered exactly where the information reported by ps and top comes from? It comes from the /proc file system, and it is updated whenever a process changes. Let's take a look at a snapshot of the root directory listing of a Linux machine.
drwxr-xr-x 14 root root  291 Oct 25 18:47 opt
dr-xr-xr-x 86 root root    0 Nov 30  2000 proc <--
drwx--x--x 16 root root  841 Nov 20 00:10 root
drwxr-xr-x  5 root root 4627 Oct 15 11:42 sbin

 

Because /proc is a virtual, memory-resident file system, it is re-created every time your Linux machine restarts. Look at the root directory listing above: the proc directory has a size of 0 and its last-modification time is the current date.

Reading kernel parameters through /proc/sys

Another important part of /proc is the /proc/sys directory, in which specified kernel parameters can be changed in real time. A good example is /proc/sys/net/ipv4/ip_forward. If you cat this file you will see that ip_forward has a default value of "0", which means that IP forwarding through this machine is not allowed. Changing the value in this file from "0" to "1" changes that setting immediately, so the Linux machine starts forwarding IP packets without a reboot.

Contents of the /proc file system

A listing of the /proc directory follows. The real listing is very long; this is a shortened version.
1 114 1210 1211 1212 1227 133 137 148 160 161 163 167 168 169 170 171 172 173 174 186 190 193 194 195
203 206 207 208 209 210 211 220 221 222 223 224 225 226 227 229 230 234 246 253 279 296 3 4 5 500 501 6
667 668 669 683 684 685 7 711 712 713 737 763 764 765 766 773 774 775 782 79 88 92
asound bus cmdline config.gz cpuinfo devices dma fb filesystems fs ide interrupts ioports kcore kcore_elf
kmsg ksyms loadavg locks lvm mdstat meminfo memstat misc modules mounts net partitions pci rtc scsi self
slabinfo stat swaps sys tty uptime version

 

Each number and word in the snapshot above is an entry in the /proc directory. Let's look first at the entries whose names are numbers.

Directories named by number
1 114 1210 1211 1212 1227 133 137 148 160 161 163 167 168 169 170 171 172 173 174 186 190 193 194 195
203 206 207 208 209 210 211 220 221 222 223 224 225 226 227 229 230 234 246 253 279 296 3 4 5 500 501 6
667 668 669 683 684 685 7 711 712 713 737 763 764 765 766 773 774 775 782 79 88 92

 

Most of the directories listed here are processes: they were running on the machine when the snapshot of /proc was taken. Let's look inside one of them.
freeos:~ # cd /proc
freeos:/proc # ls -la 114
total 0
dr-xr-xr-x    3 named    named           0 Nov 30 12:20 .
dr-xr-xr-x   89 root     root            0 Nov 30  2000 ..
-r--r--r--    1 root     root            0 Nov 30 12:20 cmdline
lrwx------    1 root     root            0 Nov 30 12:20 cwd -> /var/named
-r--------    1 root     root            0 Nov 30 12:20 environ
lrwx------    1 root     root            0 Nov 30 12:20 exe -> /usr/sbin/named
dr-x------    2 root     root            0 Nov 30 12:20 fd
pr--r--r--    1 root     root            0 Nov 30 12:20 maps
-rw-------    1 root     root            0 Nov 30 12:20 mem
lrwx------    1 root     root            0 Nov 30 12:20 root -> /
-r--r--r--    1 root     root            0 Nov 30 12:20 stat
-r--r--r--    1 root     root            0 Nov 30 12:20 statm
-r--r--r--    1 root     root            0 Nov 30 12:20 status

 

Before running that command you should log in as root, because many of the processes on the system belong to other users, and normally you can only access the processes you started yourself. Once logged in as root, run the same command against any of the numbered directories and compare the result with the output above. Notice the similarity? Yes, every such directory has the same entries, because each one holds the parameters and status of a single process, and the PID of that process is the name of the directory. Of course, the values and status information differ from process to process. Now take the entries in the listing above one at a time.

-r--r--r-- 1 root root 0 Nov 30 12:20 cmdline
cmdline holds the complete command line used to start the process: the command and every argument passed to it, with no formatting and no spaces between them.

lrwx------ 1 root root 0 Nov 30 12:20 cwd -> /var/named
cwd, as seen above, is a symbolic link to the current working directory of the process.

-r-------- 1 root root 0 Nov 30 12:20 environ
environ holds all the environment variables defined for this process, in VARIABLE=value form. As with cmdline, the contents have no formatting and no spaces.

lrwx------ 1 root root 0 Nov 30 12:20 exe -> /usr/sbin/named
exe is a symbolic link to the executable file that started the process.

dr-x------ 2 root root 0 Nov 30 12:20 fd
fd is a directory containing the file descriptors the process has open.

pr--r--r-- 1 root root 0 Nov 30 12:20 maps
maps: when you print the contents of this named pipe you see the regions of the process's address space that are currently mapped to files. From left to right, each line gives the address range of the mapping, the permissions of the mapping, the offset from the start of the file (the point where the mapping starts), the device holding the mapped file, the inode number of the file, and the file name itself.

lrwx------ 1 root root 0 Nov 30 12:20 root -> /
root is a symbolic link to the directory the process sees as its root.

-r--r--r-- 1 root root 0 Nov 30 12:20 status
status gives the process name, its current state (sleeping or awake), its PID, UID and PPID, and a great deal of other basic information. Tools such as ps and top present the same information in a simpler, structured form.

Basic information about many of the other /proc/* entries can be found in the Linux Administrator's Security Guide (LASG), chapter 3, "The /proc file system":

/proc/cpuinfo: information about the processor, such as its type, vendor, model and performance.
/proc/devices: the list of device drivers configured into the running kernel.
/proc/dma: shows which DMA channels are currently in use.
/proc/filesystems: the file systems configured into the kernel.
/proc/interrupts: shows which interrupts are in use and how many times each has been triggered.
/proc/ioports: which I/O ports are in use.
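The maps layout described above, turned into a parser. This is an added example, not code from the article; the sample lines are constructed in the style of the named process shown earlier (hypothetical addresses, inodes and library paths), and the check for unlinked files and writable-plus-executable anonymous regions is an added responder's heuristic, not something the article states.

```python
import re

# Added example (not from the article): parse /proc/PID/maps into the fields described
# above (address range, perms, offset, device, inode, path) and pick out what to look at.
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$")

def parse_maps(text):
    """Return one dict per mapping line: start, end, perms, offset, dev, inode, path."""
    maps = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue  # blank or unexpected line
        start, end, perms, off, dev, inode, path = m.groups()
        maps.append({"start": int(start, 16), "end": int(end, 16), "perms": perms,
                     "offset": int(off, 16), "dev": dev, "inode": int(inode),
                     "path": path or None})  # inode 0 with no path = anonymous memory
    return maps

def mapped_files(maps):
    """Distinct file-backed paths in first-seen order: what the process really loaded."""
    seen = []
    for m in maps:
        if m["inode"] and m["path"] and m["path"] not in seen:
            seen.append(m["path"])
    return seen

def odd_mappings(maps):
    """Added heuristic: anonymous regions that are both writable and executable, and
    file-backed regions whose file has been unlinked (the kernel appends "(deleted)")."""
    return [m for m in maps
            if (m["inode"] == 0 and "w" in m["perms"] and "x" in m["perms"])
            or (m["path"] or "").endswith("(deleted)")]

# Constructed sample (hypothetical values) in the layout of the named process above.
SAMPLE_MAPS = """\
08048000-0804c000 r-xp 00000000 08:01 131089     /usr/sbin/named
0804c000-0804d000 rw-p 00003000 08:01 131089     /usr/sbin/named
40000000-40013000 r-xp 00000000 08:01 32771      /lib/ld-2.1.3.so
40020000-40040000 rwxp 00000000 00:00 0
40040000-40050000 r-xp 00000000 08:01 98304      /tmp/.x/libhook.so (deleted)
bffeb000-c0000000 rw-p 00000000 00:00 0          [stack]
"""
```

Run parse_maps over the real cat /proc/PID/maps output of a process under suspicion; mapped_files then shows which binary and libraries it loaded even when exe is unreadable, and odd_mappings lists the regions worth examining first.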
