Handling a Linux virus that saturated the server's bandwidth


Incident description:

On Monday, back at the office, logging in to the mail server kept failing intermittently and I could never hold a stable connection. Everything on my own machine checked out fine; then the data center called to say that our server's bandwidth usage was abnormal, as their graph showed:

[screenshot]

I quickly logged in to our Zabbix monitoring and went through the hosts one by one to find the problem server:

[screenshot]

I logged in to the server concerned and checked the status of its network interface:

[screenshot]

The server runs our own program and a few simple services. Checking the logs turned up nothing unusual, but checking the system status did: one process was consuming an abnormally high share of the CPU and looked particularly suspicious:

[screenshot]


After I killed the process, other processes appeared in its place; this process was clearly not going to be killed that easily:

[screenshot]

Wow, now it was using even more CPU, as much as 800%. This Trojan process obviously could not be killed just like that. I located the path of the command with 'which qsvtzrwjje' and, on checking the scheduled tasks (cron), found the malicious entry:

[screenshot]

Viewing the contents of the script:

[screenshot]

I deleted the script and the files it referenced. Among the startup scripts in /etc/init.d the same file turned up as well:

[screenshot]

After deleting that file, dangling links to it were found in every runlevel directory under /etc/rcX.d, and they had to be deleted one by one:

[screenshot]

It had to be cleaned out as quickly as possible:

1. Remove the execute permission and lock the directories

chmod 000 /usr/bin/ezymivavhq

chattr +i /usr/bin/

chattr +i /bin

chattr +i /tmp

2. Delete the files:

rm -f /etc/init.d/ezymivavhq

rm -f /etc/rcX.d/<dangling link>   (one in each runlevel directory)

3. Kill the process and delete the executable

killall ezymivavhq

rm -f /usr/bin/ezymivavhq
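The checks the post does by hand (find the cron entry, the /etc/init.d script, and then the dangling /etc/rcX.d links once that script is gone), written up as an added POSIX shell example; this is not code from the original post. It only reports and deletes nothing, uses the post's binary name ezymivavhq, and the test runs it against a constructed directory tree from make_sample_tree rather than a live system.

```shell
#!/bin/sh
# Added example (not from the original post): list the persistence points the
# post walks through for one suspicious binary name: cron entries, /etc/init.d
# scripts and dangling /etc/rcX.d links. It only reports and deletes nothing.
# ROOT is the tree to inspect: "" for the live system, a temp dir in the test.
# Dangling symlinks under ROOT/etc/rc?.d, the "invalid links" left behind once
# the init script they point at has been deleted.
dangling_rc_links() {
    root="$1"
    for d in "$root"/etc/rc?.d "$root"/etc/rc.d/rc?.d; do
        [ -d "$d" ] || continue
        for l in "$d"/*; do
            # -L: entry is a symlink; ! -e: its target does not resolve
            if [ -L "$l" ] && [ ! -e "$l" ]; then printf '%s\n' "$l"; fi
        done
    done
    return 0
}
# Cron files under ROOT that mention NAME (the post found the binary being
# relaunched from a scheduled task).
cron_refs() {
    grep -rl -- "$2" "$1"/etc/crontab "$1"/etc/cron.d "$1"/var/spool/cron 2>/dev/null
    return 0
}
# Init scripts under ROOT/etc/init.d whose file name or content mentions NAME.
init_refs() {
    for f in "$1"/etc/init.d/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in *"$2"*) printf '%s\n' "$f"; continue;; esac
        grep -q -- "$2" "$f" 2>/dev/null && printf '%s\n' "$f"
    done
    return 0
}
# Constructed sample tree (assumed layout, not the post's real server) with the
# post's binary name ezymivavhq wired into the same three places, plus one
# healthy rc link that must not be reported.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin" "$t/etc/init.d" "$t/etc/rc3.d" "$t/etc/cron.d"
    printf '#!/bin/sh\n/usr/bin/ezymivavhq\n' > "$t/etc/init.d/ezymivavhq"
    printf '#!/bin/sh\n' > "$t/etc/init.d/networking"
    printf '*/3 * * * * root /usr/bin/ezymivavhq\n' > "$t/etc/cron.d/ezymivavhq"
    ln -s ../init.d/ezymivavhq "$t/etc/rc3.d/S90ezymivavhq"
    ln -s ../init.d/networking "$t/etc/rc3.d/S01networking"
    printf '%s\n' "$t"
}
# Usage: sh persistence_check.sh <binary-name> [root]
if [ -n "${1:-}" ]; then
    cron_refs "${2:-}" "$1"; init_refs "${2:-}" "$1"; dangling_rc_links "${2:-}"
fi
```

Run it on the live system before deleting anything, so that every cron file, init script and rc link is known up front instead of being discovered one runlevel directory at a time.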


A few minutes later a check showed that the system was back to normal.

Install rkhunter to check the system:

https://sourceforge.net/projects/rkhunter/

tar -xf rkhunter-1.4.2.tar.gz

cd rkhunter-1.4.2

sh installer.sh --install

Run a check:

/usr/local/bin/rkhunter -c

No anomalies were found.

This article is from the "OPS rookie" blog; please keep this source link when reposting: http://ckl893.blog.51cto.com/8827818/1748345
