Virus symptoms:
Network traffic bursts, with the host frantically sending data to a Hong Kong IP. top shows a process with a random ten-letter name at the top; in /proc it presents itself as ls, cd and other common commands, and CPU utilization is also at the top. After the process is killed, a new process is randomly generated.
Steps to clean the virus:
Everything in /proc/<pid>/cmdline is fake information; it randomly claims to be ps, su, top and other commands.
Because the virus generates a large amount of traffic, first use iptables to block the outbound IP; when the virus detects that its traffic is blocked, it enters a listening state and listens on a port.
Thinking that a virus like this generally has a guard mechanism that re-creates it, look for its root files: crontab, /etc/rc.d/init.d, /etc/rc3.d/, /etc/rc.d/rc.local, systemd. Looking at these related files, sure enough:
This virus is actually scheduled in cron!!! Decisively comment out this line; do not delete it, or it will be automatically created again.
View the gcc file inside /etc/cron.hourly:
Too slick, unbelievable: it even tampers with the /lib directory.
Good triumphs over evil, let's take care of it!
Go to the /lib directory, view the virus file, find the executable file, and do the following:
a) file libudev.so    (view the type and contents of the file)
b) rm -rf /lib/libudev.so && chattr +i /lib    (restricts writing files to the /lib directory)
c) Then go back to the /etc/cron.hourly directory and delete the gcc4.sh file.
lsof -r | grep "/usr/bin" to view the processes. The randomly generated commands have a PPID (parent process) of 1, so a service in /etc/init.d is involved. View:
Looking under /etc/init.d, there are virus files:
View a virus file:
So the virus generates files under /bin. Delete them, delete them again, and they are regenerated, so I decided to lock the /bin directory (I spent a long time deleting because I forgot this step; otherwise it would have saved a lot of rounds! Cry!):
a) rm -rf /usr/bin/asdjhrsdrf && chattr +i /usr/bin
At this point, if the virus is still there, look in top, kill the main process, and delete the related files the virus generated. Done!
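As an added example (not the author's commands), a POSIX shell audit of the persistence points this write-up names: the gcc*.sh dropper in /etc/cron.hourly, an unversioned /lib/libudev.so, random ten-letter names in /etc/init.d and /usr/bin, and live processes with such names whose parent is PID 1. The ROOT argument is an assumption so the same check can be run against "/" on a live host or against a constructed directory tree.

```shell
# Added example, not from the original post: audit the persistence points the
# write-up names (/etc/cron.hourly gcc*.sh, a bare /lib/libudev.so, random
# 10-letter names in /etc/init.d and /usr/bin, and such processes under PID 1).
# ROOT is an assumption: "/" on a live host, or a constructed tree for testing.

# The post's pattern for dropped names: exactly ten lowercase letters (asdjhrsdrf).
is_random_name() {
    printf '%s' "$1" | grep -Eq '^[a-z]{10}$'
}

# Prints one FINDING line per hit; returns 0 when clean, 1 when anything was found.
audit_persistence() {
    root="${1:-/}"
    findings=0
    # cron.hourly dropper (the post found gcc4.sh); report any gcc*.sh there
    for f in "$root"/etc/cron.hourly/gcc*.sh; do
        [ -e "$f" ] || continue
        echo "FINDING cron dropper: $f"
        findings=$((findings + 1))
    done
    # the distribution's libudev is a versioned .so.N, not an unversioned /lib/libudev.so
    if [ -f "$root/lib/libudev.so" ]; then
        echo "FINDING planted library: $root/lib/libudev.so"
        findings=$((findings + 1))
    fi
    # service scripts and binaries with random ten-letter names
    for d in etc/init.d usr/bin; do
        for f in "$root/$d"/*; do
            [ -e "$f" ] && is_random_name "$(basename "$f")" || continue
            echo "FINDING random-named file: $f"
            findings=$((findings + 1))
        done
    done
    [ "$findings" -eq 0 ]
}

# Live check (needs a real /proc, so not covered by the offline test): random-named
# processes re-parented to PID 1, printing the forged cmdline the post describes.
audit_processes() {
    findings=0
    for p in /proc/[0-9]*; do
        set -- $(awk '/^(Name|PPid):/ {printf "%s ", $2}' "$p/status" 2>/dev/null)
        if [ "${2:-}" = 1 ] && is_random_name "${1:-}"; then
            echo "FINDING pid ${p#/proc/} '$1' under PID 1, cmdline: $(tr '\0' ' ' < "$p/cmdline")"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```

Run `audit_persistence /` and `audit_processes` as root after the cleanup above; a non-zero return means one of the locations the post describes still has something in it.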
Linux random 10-letter virus