A test server that had just gone online kept sending outbound traffic with the CPU pinned at 100%. After logging in remotely, I found a process whose name was a random 10-character string; killing it only spawned another process with a different 10-character name. Deleted files were also recreated, which was very painful. The crond logs showed that what was actually being executed was /lib/libudev.so. Searching with that as the keyword turned up the following:
1. Network traffic spikes, and top shows at least one program named with 10 random letters running and using a lot of CPU. Removing these programs immediately produces new ones.
2. Check /etc/crontab: it runs gcc.sh every three minutes.
*/3 * * * * root /etc/cron.hourly/gcc.sh
3. Look at the malicious script gcc.sh; it shows that the virus itself is /lib/libudev.so.
cat /etc/cron.hourly/gcc.sh
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6
4. Delete the gcc.sh cron script from the previous step and make /etc/crontab immutable, then see whether it is immediately regenerated.
# rm -f /etc/cron.hourly/gcc.sh; chattr +i /etc/crontab
5. top shows the virus running as mtyxkeaofa with PID 16621. Do not kill the program directly, because it will respawn; stop (suspend) it instead.
# kill -STOP 16621
6. Delete the files under /etc/init.d.
# find /etc -name '*mtyxkeaofa*' | xargs rm -f
7. Delete the file from /usr/bin.
# rm -f /usr/bin/mtyxkeaofa
8. Check the most recent changes in /usr/bin; if they belong to the virus, delete them as well. Treat any other suspicious entries the same way.
# ls -lt /usr/bin | head
9. Now kill the virus program; it will not respawn.
# pkill mtyxkeaofa
10. Remove the virus itself.
# rm -f /lib/libudev.so
At this point, the virus removal is complete.
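A read-only check for the artifacts this procedure removes, useful for confirming the cleanup or sweeping other hosts. It is an added example, not part of the original write-up; the ROOT argument, the function names and the output labels are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: read-only check for the artifacts named in steps 2-10.
# ROOT is an assumption of this sketch: "" for the live system, or the
# mount point of a disk image or a test tree.

# Names of exactly 10 lowercase letters that exist in both ROOT/usr/bin and
# ROOT/etc/init.d, the pairing removed in steps 6 and 7.
random_name_pairs() {
    root=$1
    for f in "$root"/usr/bin/*; do
        name=${f##*/}
        case $name in *[!a-z]*) continue ;; esac
        if [ "${#name}" -eq 10 ] && [ -f "$f" ] && [ -e "$root/etc/init.d/$name" ]; then
            printf 'random-name %s\n' "$name"
        fi
    done
    return 0
}

# Print one line per indicator found under ROOT; no output means none found.
scan_root() {
    root=$1
    if [ -f "$root/etc/cron.hourly/gcc.sh" ]; then
        echo "cron-script /etc/cron.hourly/gcc.sh"
    fi
    if grep -qs 'gcc\.sh' "$root/etc/crontab"; then
        echo "crontab-entry /etc/crontab"
    fi
    # Assumption: a development package may install libudev.so as a symlink,
    # so only regular files are flagged. libudev.so.6 is the copy gcc.sh makes.
    for lib in /lib/libudev.so /lib/libudev.so.6; do
        if [ -f "$root$lib" ] && [ ! -L "$root$lib" ]; then
            echo "library $lib"
        fi
    done
    random_name_pairs "$root"
    return 0
}

# Run as: sh check.sh scan [ROOT]   (check.sh is a hypothetical file name)
if [ "${1:-}" = "scan" ]; then
    scan_root "${2:-}"
fi
```

A crontab-entry hit after the cleanup is expected if only step 4 was followed, since that step deletes gcc.sh and locks /etc/crontab but leaves the line in place.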
Linux: record of handling a virus whose command name is a 10-character string