Linux Random 10-letter virus

Source: Internet
Author: User

Virus performance:

The network traffic is bursting, frantically to a Hong Kong IP hair data, while in the top of the display as a random ten -letter process, see /proc inside the information, then LS, CD andother common commands, CPU Utilization is also at the top . After the process is killed, a new process is randomly generated.

Clear virus steps:

  1. See /proc/_pid/cmdline inside all is fake information, randomly produce PS,su,top and other commands;

  2. because the virus generates a large amount of traffic, the first use iptables sealed off the export IP, when the virus detection traffic will enter the listening state, listening port;

  3. think of virus generally have detection mechanism, so find its root file,crontab,/etc/rc.d/init.d,/etc/rc3.d/,/etc/rc.d/ Rc.local,systemd, see these related documents, sure enough:650) this.width=650; "border=" 0 "width=" 554 "height=" 215 "src="/E /u261/themes/default/images/spacer.gif "style=" Background:url ("/e/u261/lang/zh-cn/images/localimage.png") No-repeat center;border:1px solid #ddd; "alt=" Spacer.gif "/>

This virus actually can be timed!!! Decisively comment out this line, do not delete, or it will be automatically created;

    1. view The GCC files inside /etc/cron.hourly :

650) this.width=650; "border=" 0 "width=" 554 "height=" "src=" "/e/u261/themes/default/images/spacer.gif" style= " Background:url ("/e/u261/lang/zh-cn/images/localimage.png") no-repeat center;border:1px solid #ddd; "alt=" spacer.gif "/>

too 6 , impossible, incredibly, will be in the /lib directory to tamper with,

Good triumphs over, let's take care of it!

  1. to the/lib directory, view the virus file, find the executable file, and do the following:

  2. A) file libudev.so Viewing the contents of files

  3. b) rm–rf/lib/libudev.so &chattr +i/lib; restricting the/lib directory to write files

  4. c) then go back to the/etc/cron.hourly directory and delete the gcc4.sh file;

  5. Lsof-r|grep "/usr/bin" to see the process, found the randomly generated command its ppid(the husband process) is 1, then /etc/init.d A service related, view:

650) this.width=650; "border=" 0 "width=" 554 "height=" 254 "src="/e/u261/themes/default/images/spacer.gif "style=" Background:url ("/e/u261/lang/zh-cn/images/localimage.png") no-repeat center;border:1px solid #ddd; "alt=" spacer.gif "/>

    1. View under/ETC/INIT.D, there are virus files:650) this.width=650; "border=" 0 "width=" 554 "height=" 443 "src="/e/u261/ Themes/default/images/spacer.gif "style=" Background:url ("/e/u261/lang/zh-cn/images/localimage.png") no-repeat center;border:1px solid #ddd; "alt=" Spacer.gif "/>

    2. To view a virus file:

650) this.width=650; "border=" 0 "width=" 554 "height=" src= "/e/u261/ Themes/default/images/spacer.gif "style=" Background:url ("/e/u261/lang/zh-cn/images/localimage.png") no-repeat center;border:1px solid #ddd; "alt=" spacer.gif "/>

    1. Therefore, the virus will be generated under the/bin, then Delete, delete, and then found to regenerate, decided to lock the/bin directory (I deleted a long time, is to forget this step, otherwise you can save a lot of times!) Cry! ):

    2. A) RM–RF/USR/BIN/ASDJHRSDRF & chattr +i/usr/bin

    3. At this time, if the virus is still in,top look, and then delete the main process, delete the virus generated by the relevant files OK !


Linux Random 10-letter virus

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.