Linux trojan intrusion troubleshooting (DbSecuritySpt)

Source: Internet
Author: User

I had just joined the company when a development/test machine that sits directly on the public Internet suddenly started pushing 300M+ of outbound traffic. Server load shot up and the IDC's Cacti monitoring raised a traffic anomaly alert. The troubleshooting process follows:


1. vim /root/.bash_history # check the root user's command history: there was no information at all, it had been cleared

2. vim /var/log/secure # check the log: found a large number of failed login attempts; I am sure it was not cracked

3. ps, netstat and similar commands showed nothing wrong


All the traces had been concealed. Then it occurred to me to search the whole system for recently modified files.

1. find / -mmin -12 | egrep -v 'proc|module' >> film.txt

Looking through the recently modified files, I found two startup scripts. What were they for?

SELinux is disabled on most of our servers, so finding it enabled at the time of the problem was suspicious, and an unfamiliar program called DbSecuritySpt was also set to start. Something was definitely wrong, so I followed these two leads into the /etc/rc.d directory.

The big discovery was that many inspection commands such as ps, ss, netstat and lsof had been modified recently. I suspected that the commands I was using had been replaced, so the next step was to use find to search the system for any other copies of these commands.



2. Use find to see which directories under /etc/rc.d contain startup entries for the two programs


3. Use ll -rt in the /etc/rc.d/rc3.d directory to see the recently modified files



4. Check the contents of the two startup scripts in the /etc/init.d directory

They launch two executable files: unama and getty




5. As mentioned above, many inspection commands had been modified, so now check them

Searching for one of the commands, we found a copy under /usr/bin/dpkgd.



6. The modification times of these commands show that the machine was compromised on December 02 and the system was modified then.

My initial assessment: the commands under dpkgd are the original system binaries, and the ones now under /bin have been modified. Their purpose is presumably to stop operations staff from seeing the trojan when they run these commands, hiding its processes and connections. The fix is therefore to overwrite the modified commands with the copies from dpkgd.




At this point almost everything related has been found. What follows are the delete and overwrite operations.

1. First put the commands back. Here is an example of the operation:

which ss # view the path of the ss command

mv /usr/sbin/ss /usr/sbin/ss.trojan # back up (rename) the infected /usr/sbin/ss

cp -rfp /usr/bin/dpkgd/ss /usr/sbin # copy the clean original back to /usr/sbin


2. Delete (do this for rc1.d through rc5.d)

rm -rf /etc/rc.d/rc2.d/S97DbSecuritySpt

rm -rf /etc/rc.d/rc2.d/S99selinux

rm -rf /etc/rc.d/init.d/DbSecuritySpt

rm -rf /etc/rc.d/init.d/selinux

rm -rf /usr/bin/bsd-port

rm -rf /bin/unama # the trojan binary itself


Restart the server and check again.
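One way to do that re-check, as an added example that is not part of the original post: a POSIX shell function that takes a filesystem root (the live system, a mounted image, or a test tree) and reports the indicators this write-up identified: live view commands that differ from the originals the intruder parked in /usr/bin/dpkgd, the dropped files, and the runlevel start links. Comparing with cmp and the list of command names to check are my own generalisation of the single `which ss` step above, not something the post describes.

```shell
#!/bin/sh
# Added example, not code from the original post: re-check a filesystem tree for
# the artefacts this incident left behind. ROOT may be "/" for the live system,
# a mounted image, or a constructed test tree. Names (dpkgd, bsd-port, unama,
# DbSecuritySpt, selinux) are the ones the write-up above found.
scan_root() {
    root=${1:-/}
    findings=0
    # 1. The intruder parked the original view commands in /usr/bin/dpkgd, so a
    #    live binary that differs from its dpkgd copy has been replaced.
    for cmd in ps ss netstat lsof; do
        backup="$root/usr/bin/dpkgd/$cmd"
        [ -f "$backup" ] || continue
        for live in "$root/bin/$cmd" "$root/usr/bin/$cmd" "$root/usr/sbin/$cmd"; do
            [ -f "$live" ] || continue
            if ! cmp -s "$backup" "$live"; then
                echo "TAMPERED: $live differs from $backup"
                findings=$((findings + 1))
            fi
        done
    done

    # 2. Files and directories the trojan dropped; none belongs on a clean system.
    for p in /usr/bin/dpkgd /usr/bin/bsd-port /bin/unama \
             /etc/rc.d/init.d/DbSecuritySpt /etc/rc.d/init.d/selinux; do
        if [ -e "$root$p" ]; then
            echo "DROPPED: $root$p present"
            findings=$((findings + 1))
        fi
    done

    # 3. Start links for the two bogus services in every runlevel directory.
    for d in "$root"/etc/rc.d/rc[0-6].d; do
        [ -d "$d" ] || continue
        for f in "$d"/S*DbSecuritySpt "$d"/S*selinux; do
            [ -e "$f" ] || continue
            echo "STARTUP: $f"
            findings=$((findings + 1))
        done
    done

    echo "findings: $findings"
    [ "$findings" -eq 0 ]   # exit status 0 only when the tree is clean
}

# Usage: sh scan.sh /      (only runs when a tree is given on the command line)
if [ -n "${1:-}" ]; then
    scan_root "$1"
fi
```

A clean tree gives exit status 0; any finding makes the function return non-zero, so it can gate a post-cleanup check in a script.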

This article is from the "On the Road" blog; please keep this source when republishing: http://beijing0414.blog.51cto.com/8612563/1725375
