Linux virus sfewfesfs

Linux virus sfewfesfs

Due to the accident of rm-fr/on the Intranet server A yesterday, server A is finished. After the system is reinstalled, the LAN cannot access the Internet due to the fault, finally, we found A process sfewfesfs cpu 300% of the Intranet server. The router is blocked by the network. Baidu virus: It is said that the virus is abnormal. During the first linux virus, thanks to the Intranet, it was quite refreshing. (Summary of network content, lessons learnt)

1. Virus

The server keeps sending data packets to the Internet, occupying network bandwidth, and even causing frequent vro restart.

1) through top or ps-ef, we found that there are also. sshddXXXXXXXXXXX (a string of random numbers) processes named sfewfesfs. Under/etc/, You can see files named sfewfesfs, nhgbhhj, and other strange names. After the restart, a plug-in will be executed immediately.

2) sar-n DEV can be used to view the situation of outgoing packets.

3) netstat-natlp can see which ports are used

2. analyze possible causes

I once suspected that the problem was caused by the installation of a USB flash disk. The installation disk was a boot disk created by the USB flash disk, which was formatted before being mounted to the system. I read the online materials. It should not be a problem with the USB flash drive.

Port 22 of the server ssh should be opened and ssh remote root login should be enabled. This server can be accessed through a router proxy, and the login password is not that complex. It may be hacked.

The root permission on port 22 should not be enabled, no zuo no die. The first time I experienced linux poisoning, I thought it was a very safe operating system.

3. Solution

1) first check the file/etc/rc. local modified by the attacker:

Cd/tmp;./sfewfesfs
Cd/tmp;./gfhjrtfyhuf
Cd/tmp;./rewgtf3er4t
Cd/tmp;./fdsfsfvff
Cd/tmp;./smarvtd
Cd/tmp;./whitptabil
Cd/tmp;./gdmorpen
Cd/etc;./sfewfesfs
Cd/etc;./gfhjrtfyhuf
Cd/etc;./rewgtf3er4t
Cd/etc;./fdsfsfvff
Cd/etc;./smarvtd
Cd/etc;./whitptabil
Cd/etc;./gdmorpen
Cd/tmp;./sfewfesfs
Cd/tmp;./gfhjrtfyhuf
Cd/tmp;./rewgtf3er4t
Cd/tmp;./fdsfsfvff
Cd/tmp;./smarvtd
Cd/tmp;./whitptabil
Cd/tmp;./gdmorpen
Cd/etc;./sfewfesfs
Cd/etc;./gfhjrtfyhuf
Cd/etc;./rewgtf3er4t
Cd/etc;./fdsfsfvff
Cd/etc;./smarvtd
Cd/etc;./whitptabil
Cd/etc;./gdmorpen

This is the modified content.
Here we can see that he started a series of processes and finally turned off the firewall for you.
Now it's easy. First, find all the above files and delete them.

2) Delete the Virus File sfewfesfs

Go to/etc/and find the file name corresponding to the process and delete it.

Sudo chattr-I/etc/sfewfesfs *

Sudo rm-rf/etc/sfewfesfs *

3) delete. SSH2 and. SSHH2.

This still won't work at this time, because after the program is started, many processes will be generated. In this case, delete. SSH2 and. SSHH2 under/etc. Find all the files starting with. SSH under/tmp/and delete them all.

Use ls-al to view the. SSH2 hidden file and delete it.

Rm-rf/etc/SSH2;
Rm-rf/etc/. SSHH2;
Rm-rf/tmp/. SSH *;

/Etc and/tmp may have. sshdd1401029348. You can use ls-al to hide the file and delete it.
Sudo rm-rf/tmp/. sshdd140 *

4) delete a scheduled task:

Delete root and root.1 under/var/spool/cron.

Sudo rm-rf/var/spool/cron/root
Sudo rm-rf/var/spool/cron/root.1

At this time, the virus program is basically clear and complete.

5) do not enable the root permission for port 22:

Modify Internet ing port 22 to XXXX
Change root Password
Passwd

Disable root's 22 Permissions
Remove PermitRootLogin from the/etc/ssh/sshd_config file # change
PermitRootLogin no

5) restart the server