I had just joined the company when a development test machine, exposed directly on the public network, suddenly started pushing 300 Mb/s+ of outbound traffic. That drove the server load high, and the IDC's Cacti monitoring reported a traffic anomaly. The troubleshooting process follows:
1. `vim /root/.bash_history`  # check root's command history; there was nothing in it, it had been cleared
2. `vim /var/log/secure`  # check the auth log; found a large number of failed login attempts, which points to a brute-force password attack
3. `ps`, `netstat` and similar commands showed nothing out of the ordinary
With no information at all from the logs, it occurred to me to search the whole system for recently modified files:
1. `find / -mmin -12 | egrep -v 'proc|module' >> film.txt`  # files modified in the last 12 minutes, excluding /proc and kernel modules, appended to a file for review
Looking through the recently modified files, two start-up entries stood out. Why?
Because SELinux is disabled on most of our servers, yet here it had been enabled around the time of the problem, and an unfamiliar program called DbSecuritySpt was also set to start at boot. Something was clearly wrong, so I followed these two leads into the /etc/rc.d directory.
And there was the big discovery: many inspection commands such as ps, ss, netstat and lsof had been modified recently. Suspecting that the commands I was currently using had been replaced, I used find to search the system for other copies of these commands.
[Screenshot: http://s1.51cto.com/wyfs02/M01/77/EE/wKiom1ZxNqTCFdhRAAEjQ-uOCQQ332.jpg]
2. Use find to see how many directories under /etc/rc.d contain start-up entries for these two programs
[Screenshot: http://s5.51cto.com/wyfs02/M01/77/EC/wKioL1ZxMwLSWKWTAAGxVvs3sZ8293.jpg]
3. Go into /etc/rc.d/rc3.d and use `ll -rt` (ls -l sorted by modification time, oldest first) to see the recently modified files
[Screenshot: http://s2.51cto.com/wyfs02/M02/77/EE/wKiom1ZxNEWw77oiAAIB_3atsjU866.jpg]
4. Check the contents of these two start-up scripts in /etc/init.d
Here I found that they launch two executables, unama and getty
[Screenshot: http://s4.51cto.com/wyfs02/M02/77/EC/wKioL1ZxNPHigRi6AAECKRBQ44k534.jpg]
[Screenshot: http://s3.51cto.com/wyfs02/M02/77/ED/wKioL1ZxQIyhpUOwAACWUYsK3BI983.jpg]
5. As mentioned above, many inspection commands had been modified, so now check them
Searching for one of the commands, I found copies of them under /usr/bin/dpkgd.
[Screenshot: http://s3.51cto.com/wyfs02/M01/77/ED/wKioL1ZxOBOC4J1zAABhVzDkT8I782.jpg]
6. The modification times of these commands show that the intrusion took place on December 2, when the system was modified.
My initial assessment: the commands under dpkgd are the original system binaries, and the ones now under /bin have been replaced. Their presumed purpose is to stop operations staff from seeing the trojan's processes and connections when they run these commands, hiding the infection. So the fix is to overwrite the replaced commands with the copies under dpkgd.
[Screenshot: http://s1.51cto.com/wyfs02/M02/77/EE/wKiom1ZxOQiRSZ7pAAFvMMR1KNI170.jpg]
At this point the related artifacts have basically all been found; what follows is the deletion and overwrite work.
1. First put the commands back. Here is an example of what I did:
`which ss`  # find the path of the ss command
`mv /usr/sbin/ss /usr/sbin/ss.trojan`  # set the infected /usr/sbin/ss aside, marked as such
`cp -rfp /usr/bin/dpkgd/ss /usr/sbin`  # copy the backed-up original into /usr/sbin
2. Delete the start-up entries and the trojan files (repeat the rc2.d entries for rc1.d through rc5.d):
`rm -rf /etc/rc.d/rc2.d/S97DbSecuritySpt`
`rm -rf /etc/rc.d/rc2.d/S99selinux`
`rm -rf /etc/rc.d/init.d/DbSecuritySpt`
`rm -rf /etc/rc.d/init.d/selinux`
`rm -rf /usr/bin/bsd-port`
`rm -rf /bin/unama`  # the virus binary
Restart the server and check again.
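The checks and clean-up above were typed one by one on the box. As an added example (not code from the original post), the script below turns the same steps into shell functions that take a root directory, so they can be run against the live host (root `/`) or against a mounted image of it. It assumes the artifact names the post reports (DbSecuritySpt, the fake `selinux` init script, `/usr/bin/dpkgd`, `/usr/bin/bsd-port`, `/bin/unama`); the function names are ours.

```shell
#!/bin/sh
# Added example, not code from the original post. It turns the post's manual
# checks into shell functions that take a root directory, so they run against
# a live host (root "/") or a mounted image. The artifact names are the ones
# the post reports (DbSecuritySpt, the fake "selinux" init script,
# /usr/bin/dpkgd, /usr/bin/bsd-port, /bin/unama); the function names are ours.

# Regular files modified in the last WINDOW minutes (the post used -mmin -12),
# skipping /proc and kernel modules, which churn constantly. -xdev stays on
# one filesystem; drop it if /usr or /var is a separate mount.
recent_files() {
    root=${1:-/}; window=${2:-720}
    find "$root" -xdev -type f -mmin "-$window" 2>/dev/null \
        | grep -Ev '/proc/|/modules/'
}

# Init scripts and runlevel links for the two rogue services, across all of
# rc0.d..rc6.d. The path filter keeps real SELinux files (/etc/selinux,
# /etc/sysconfig/selinux) from matching.
rogue_startup_entries() {
    root=${1:-/}
    find "$root/etc" \( -path '*/init.d/*' -o -path '*/rc[0-6].d/*' \) \
        \( -name '*DbSecuritySpt' -o -name '*selinux' \) 2>/dev/null | sort -u
}

# Live commands whose bytes differ from the copies the attacker parked in
# /usr/bin/dpkgd. A difference means the live binary was replaced.
tampered_commands() {
    root=${1:-/}; backup=$root/usr/bin/dpkgd
    [ -d "$backup" ] || return 0
    for b in "$backup"/*; do
        [ -f "$b" ] || continue
        name=${b##*/}
        for live in "$root/bin/$name" "$root/sbin/$name" \
                    "$root/usr/bin/$name" "$root/usr/sbin/$name"; do
            [ -f "$live" ] || continue
            cmp -s "$b" "$live" || printf '%s differs from %s\n' "$live" "$b"
        done
    done
}

# The post's restore step: set the replaced binary aside as NAME.trojan and
# put the dpkgd copy back with its ownership and mode preserved (cp -p).
restore_command() {
    root=${1:-/}; live=$2; backup=$root/usr/bin/dpkgd/${live##*/}
    [ -f "$backup" ] || { echo "no dpkgd backup for $live" >&2; return 1; }
    mv "$live" "$live.trojan" && cp -p "$backup" "$live"
}

# The post's deletion step: drop the start-up entries in every runlevel plus
# the trojan's own directories. Read the init scripts first, as the post does.
remove_rogue_persistence() {
    root=${1:-/}
    rogue_startup_entries "$root" | while read -r f; do rm -f "$f"; done
    rm -rf "$root/usr/bin/bsd-port" "$root/bin/unama"
}

# Read-only scan of a host:  sh hunt.sh scan / 720
if [ "${1:-}" = "scan" ]; then
    root=${2:-/}; window=${3:-720}
    echo "== files modified in the last $window minutes"
    recent_files "$root" "$window"
    echo "== rogue start-up entries"
    rogue_startup_entries "$root"
    echo "== live commands that differ from the /usr/bin/dpkgd copies"
    tampered_commands "$root"
fi
```

One caveat a practitioner would add to the restore step: the files under /usr/bin/dpkgd are the attacker's backups, so confirm they are the distribution's binaries before trusting them. On an RPM-based host, `rpm -Vf /usr/sbin/ss` after the copy-back reports whether the restored file still matches the package's recorded size, mode and digest; if it does not, reinstall the package (or rebuild the host) instead of trusting the dpkgd copy.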
This article is from the "On the Road" blog; please keep this source: http://beijing0414.blog.51cto.com/8612563/1725375
Linux trojan intrusion troubleshooting (DbSecuritySpt)