Linux virus runs full bandwidth processing

Accident Description:

Monday to the company, login mail server intermittent Xu, can not always connect. Check this machine everything is OK, this time the room call said our server bandwidth anomaly, as follows:

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M02/7C/F2/wKiom1bc_gfAMbGzAACJ9dQiws8710.png "title=" Qq20160307120456.png "alt=" Wkiom1bc_gfambgzaacj9dqiws8710.png "/>

Quickly log on to their Zabbix monitoring, desk-by-station to find the problem server:

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M00/7C/F0/wKioL1bc_yzwjqhsAAE9OE6jB_E921.png "title=" Qq20160307120755.png "alt=" Wkiol1bc_yzwjqhsaae9oe6jb_e921.png "/>

Log in to the relevant server and check the status of the NIC:

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M01/7C/F0/wKioL1bc_7uAHQIOAACAfHNuXy8814.png "title=" Qq20160307121023.png "alt=" Wkiol1bc_7uahqioaacafhnuxy8814.png "/>

Server ran our own program and a few simple services, to check the log, did not find anomalies, check the system status, found anomalies, there is a process altogether consumption of high CPU, particularly suspicious:

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/7C/F2/wKiom1bdAMiwsceMAABc51b1Igc631.png "title=" Qq20160307121619.png "alt=" Wkiom1bdamiwscemaabc51b1igc631.png "/>

After killing the process, there were other processes, and it seems that the process is not so easily killed:

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/7C/F2/wKiom1bdAV6Q2Hp5AACDUQyitlE757.png "title=" Qq20160307121243.png "alt=" Wkiom1bdav6q2hp5aacduqyitle757.png "/>

Wow, take up the CPU higher, unexpectedly 800%, it seems that this Trojan process can not easily be killed, find the path of this command: ' which qsvtzrwjje ', view the task plan found the exception:

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M02/7C/F0/wKioL1bdAnSDx3cpAAAlEybd4II259.png "title=" Qq20160307122203.png "alt=" Wkiol1bdansdx3cpaaaleybd4ii259.png "/>

To view the contents of a script:

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/7C/F0/wKioL1bdAqrxhzH4AAAfBi5Fw9k888.png "title=" Qq20160307122250.png "alt=" Wkiol1bdaqrxhzh4aaafbi5fw9k888.png "/>

Delete the foot and the content involved in the file, at the time of system startup/ETC/INIT.D also found this file:

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M02/7C/F0/wKioL1bdA1TROt6-AAA9PWaXzUY777.png "title=" Qq20160307122547.png "alt=" Wkiol1bda1trot6-aaa9pwaxzuy777.png "/>

After deleting this file, the invalid link for this file is found at each level under System startup/ETC/RCX.D, which requires one by one deletion:

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/7C/F0/wKioL1bdA6ewN8A5AACez2bRfyA753.png "title=" Qq20160307111210.png "alt=" Wkiol1bda6ewn8a5aacez2brfya753.png "/>

Must be cleaned out as soon as possible:

1. Remove the Execute permission and lock the directory

chmod 000/USR/BIN/EZYMIVAVHQ

Chattr +i/usr/bin/

Chattr +i/bin

Chattr +i/tmp

2. Delete files:

Rm-f/ETC/INIT.D/EZYMIVAVHQ

Rm-f/etc/rcx.d/Invalid link

3. Kill the process and execute the file

Killall EZYMIVAVHQ

Rm-f/USR/BIN/EZYMIVAVHQ

After a few minutes the inspection found the system back to normal.

Install the Rkhunter inspection system:

https://sourceforge.net/projects/rkhunter/

TAR-XF rkhunter-1.4.2.tar.gz

CD rkhunter-1.4.2

SH installer.sh--install

To perform a check:

/usr/local/bin/rkhunter-c

No exceptions were found.

This article is from the "OPS rookie" blog, please be sure to keep this source http://ckl893.blog.51cto.com/8827818/1748345

Linux virus runs full bandwidth processing