Yesterday an intranet server (server A) was accidentally wiped with rm -rf /, and the server died. After the system was reinstalled, the whole LAN was paralysed and could not reach the Internet, and at first nobody knew why. In the end we found a process on intranet server A named sfewfesfs using 300% CPU, and the router was being choked by its traffic. So I searched Baidu for this virus: everyone said it is very nasty. It was my first encounter with a Linux virus; fortunately it was confined to the intranet, so the damage was limited. (This is a summary of what I found online, written as a warning.)
1. Symptoms
The server constantly sends packets to the external network, eating the whole network's bandwidth and even causing the router to restart repeatedly.
1) top or ps -ef shows a process named sfewfesfs, and a .sshddxxxxxxxxxx (a string of random digits). In /etc/ you can see files named sfewfesfs, nhgbhhj and many other strange names. As soon as they start running, disconnect the network cable.
2) sar -n DEV shows the volume of outgoing packets.
3) netstat -natlp shows which ports are in use.
2. Analysis of possible causes
At first the USB installation disk was suspected: the system was installed from a USB boot disk, and the disk had been formatted before the installation. After reading up on the Internet, this should not be a USB-disk problem.
The server had SSH port 22 open, with remote root login over SSH enabled. The server could also be reached through the router's port mapping, and the login password was not very complex. It may have been hacked.
Opening port 22 with root login allowed was asking for trouble (no zuo no die). This was my first experience of a Linux machine being compromised; I had always thought it was a very safe operating system.
3. Solutions
1) First look at the /etc/rc.local file as modified by the attacker:
cd /tmp; ./sfewfesfs
cd /tmp; ./gfhjrtfyhuf
cd /tmp; ./rewgtf3er4t
cd /tmp; ./fdsfsfvff
cd /tmp; ./smarvtd
cd /tmp; ./whitptabil
cd /tmp; ./gdmorpen
cd /etc; ./sfewfesfs
cd /etc; ./gfhjrtfyhuf
cd /etc; ./rewgtf3er4t
cd /etc; ./fdsfsfvff
cd /etc; ./smarvtd
cd /etc; ./whitptabil
cd /etc; ./gdmorpen
cd /tmp; ./sfewfesfs
cd /tmp; ./gfhjrtfyhuf
cd /tmp; ./rewgtf3er4t
cd /tmp; ./fdsfsfvff
cd /tmp; ./smarvtd
cd /tmp; ./whitptabil
cd /tmp; ./gdmorpen
cd /etc; ./sfewfesfs
cd /etc; ./gfhjrtfyhuf
cd /etc; ./rewgtf3er4t
cd /etc; ./fdsfsfvff
cd /etc; ./smarvtd
cd /etc; ./whitptabil
cd /etc; ./gdmorpen
This is the modified content.
You can see that the attacker starts a whole series of processes and, at the end, turns off the firewall for you.
Now it is clear what has to be done: first find every file referenced above and delete them all.
2) Delete the virus file sfewfesfs
Go to /etc/, find the file whose name matches the process, and delete it (the file has been made immutable, so chattr -i must run before rm):
sudo chattr -i /etc/sfewfesfs*
sudo rm -rf /etc/sfewfesfs*
3) Delete .SSH2 and .SSHH2
This alone still does not work, because once the program starts it spawns many processes. So find /etc/.SSH2 and /etc/.SSHH2 and delete them, and then find everything under /tmp/ whose name starts with .ssh and delete that too.
They are hidden files, so use ls -al to see .SSH2, then delete:
rm -rf /etc/.SSH2;
rm -rf /etc/.SSHH2;
rm -rf /tmp/.ssh*;
/etc and /tmp may also contain hidden files such as .sshdd1401029348; find them with ls -al and delete them:
sudo rm -rf /tmp/.sshdd140*
4) Delete the scheduled tasks:
Remove root and root.1 under /var/spool/cron/:
sudo rm -rf /var/spool/cron/root
sudo rm -rf /var/spool/cron/root.1
At this point the virus program is essentially cleaned up.
5) Still do not leave root login on port 22 open:
Change the external port mapping from 22 to some other port XXXX.
Change the root password:
passwd
Disable root login over port 22:
In /etc/ssh/sshd_config find PermitRootLogin, remove the leading # and change it to
PermitRootLogin no
6) Restart the server
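The checks below are an added example, not part of the original post: read-only shell functions that look for the indicators this write-up describes (rc.local lines launching the listed names from /tmp or /etc, hidden .ssh*/.SSH* entries in /etc and /tmp, and the effective PermitRootLogin setting). The process names come from the attacker's rc.local shown above; the function names and the constructed sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): defender-side checks for the
# indicators listed in the write-up. The IOC names are those in the
# attacker's rc.local; function names and sample content are constructed.

IOC_NAMES='sfewfesfs gfhjrtfyhuf rewgtf3er4t fdsfsfvff smarvtd whitptabil gdmorpen'

# Print rc.local lines that launch one of the IOC names from /tmp or /etc.
# Matching is case-insensitive. Exit status 0 = at least one hit.
scan_rc_local() {
    hits=0
    while IFS= read -r line; do
        lc=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        for n in $IOC_NAMES; do
            case "$lc" in
                *"cd /tmp"*"./$n"*|*"cd /etc"*"./$n"*)
                    printf 'rc.local: %s\n' "$line"
                    hits=$((hits + 1)); break ;;
            esac
        done
    done < "$1"
    [ "$hits" -gt 0 ]
}

# List dot-entries named .ssh*/.SSH* in the given directories; a clean
# /etc or /tmp has none. Exit status 0 = something was found.
find_hidden_ssh_artifacts() {
    found=0
    for d in "$@"; do
        for p in "$d"/.[sS][sS][hH]*; do
            [ -e "$p" ] || continue
            printf 'hidden: %s\n' "$p"; found=$((found + 1))
        done
    done
    [ "$found" -gt 0 ]
}

# sshd honours the first uncommented PermitRootLogin; an absent directive
# is treated as not hardened. Exit status 0 = root login is disabled.
root_login_disabled() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# Build constructed sample files under $1 so the checks can be tried offline.
build_samples() {
    mkdir -p "$1/etc/.SSH2" "$1/tmp"
    printf 'cd /tmp; ./sfewfesfs\ncd /etc; ./gdmorpen\ntouch /tmp/ok\n' > "$1/rc.local"
    printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$1/sshd_config"
}
```

On a live machine the same functions run against /etc/rc.local, /etc and /tmp, and /etc/ssh/sshd_config; lsattr will also show the i flag on the immutable files mentioned in step 2.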
Linux virus Sfewfesfs