Incident description:
On Monday morning at the office, logging in to the mail server was intermittently slow and the connection kept dropping. Checking that machine showed nothing wrong. At that point the data centre called to say that our servers' bandwidth usage was abnormal, as follows:
[screenshot: bandwidth graph from the data centre, http://s2.51cto.com/wyfs02/M02/7C/F2/wKiom1bc_gfAMbGzAACJ9dQiws8710.png]
I quickly logged in to our Zabbix monitoring and went through the servers one by one to find the offending machine:
[screenshot: Zabbix network traffic graph, http://s2.51cto.com/wyfs02/M00/7C/F0/wKioL1bc_yzwjqhsAAE9OE6jB_E921.png]
Logged in to the server in question and checked the NIC status:
[screenshot: NIC statistics, http://s5.51cto.com/wyfs02/M01/7C/F0/wKioL1bc_7uAHQIOAACAfHNuXy8814.png]
This server ran our own application and a few simple services. The logs showed nothing unusual, but the system status did: one process was consuming an enormous amount of CPU, which was highly suspicious:
[screenshot: process list showing the high-CPU process, http://s3.51cto.com/wyfs02/M01/7C/F2/wKiom1bdAMiwsceMAABc51b1Igc631.png]
After killing the process, another one appeared in its place; evidently this process is not so easily killed:
[screenshot: replacement process after kill, http://s3.51cto.com/wyfs02/M01/7C/F2/wKiom1bdAV6Q2Hp5AACDUQyitlE757.png]
Wow, the CPU usage is even higher now, an unexpected 800% in top (eight cores' worth). This Trojan clearly cannot simply be killed. I located the binary with `which qsvtzrwjje` and, looking at the scheduled tasks (crontab), found the anomaly:
[screenshot: crontab entry, http://s2.51cto.com/wyfs02/M02/7C/F0/wKioL1bdAnSDx3cpAAAlEybd4II259.png]
Viewing the contents of the script it runs:
[screenshot: script contents, http://s3.51cto.com/wyfs02/M02/7C/F0/wKioL1bdAqrxhzH4AAAfBi5Fw9k888.png]
I deleted the script and the files it referenced. Among the startup scripts in /etc/init.d the same file turned up as well:
[screenshot: init script in /etc/init.d, http://s4.51cto.com/wyfs02/M02/7C/F0/wKioL1bdA1TROt6-AAA9PWaXzUY777.png]
After deleting that file, dangling symlinks to it remained at every runlevel under /etc/rcX.d and had to be deleted one by one:
[screenshot: dangling rc links under /etc/rcX.d, http://s3.51cto.com/wyfs02/M00/7C/F0/wKioL1bdA6ewN8A5AACez2bRfyA753.png]
It had to be cleaned out as quickly as possible, in this order (locking the directories first so the Trojan cannot drop a fresh copy of itself once the running process is killed):
1. Remove the execute permission and lock the directories it writes into
   chmod 000 /usr/bin/ezymivavhq
   chattr +i /usr/bin/
   chattr +i /bin
   chattr +i /tmp
2. Delete the persistence files
   rm -f /etc/init.d/ezymivavhq
   rm -f /etc/rcX.d/<dangling link>      (one per runlevel)
3. Kill the process and delete the executable
   killall ezymivavhq
   rm -f /usr/bin/ezymivavhq
   Note: while /usr/bin carries the immutable attribute from step 1, this rm fails with "Operation not permitted"; lift the attribute on the directory (chattr -i) just for this step and set it again afterwards.
A check a few minutes later showed the system back to normal.
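The three steps above as a re-runnable script, added here as an example (it is not the author's script). It keeps the order that matters: lock the drop directories first, remove persistence, kill, and only then unlink the binary, lifting the immutable attribute on /usr/bin for that single step. The malware name is the random string from the post; the ROOT prefix, the cron locations searched and the sample tree built in the test are assumptions added so the link- and cron-handling functions can be exercised on a scratch directory without root.

```shell
#!/bin/sh
# Example clean-up helper for the random-named Trojan described in the post.
# Added example, not the author's script. Assumptions: ROOT is a path prefix
# (empty on the live system) used to test against a scratch tree; the name
# defaults to the one seen in the post.

ROOT="${ROOT:-}"

# Remove every symlink under /etc/rc?.d whose target path ends in /<name>,
# whether the target still exists or not (the post had to do this by hand,
# one runlevel at a time). Prints the number of links removed.
remove_rc_links_for() {
    name="$1"
    removed=0
    for lnk in "$ROOT"/etc/rc?.d/*; do
        [ -L "$lnk" ] || continue
        case "$(readlink "$lnk")" in
            *"/$name") rm -f "$lnk"; removed=$((removed + 1)) ;;
        esac
    done
    echo "$removed"
}

# List rc links that point at a target that no longer exists, for review.
# Unrelated dangling links are reported, not deleted.
list_dangling_rc_links() {
    for lnk in "$ROOT"/etc/rc?.d/*; do
        [ -L "$lnk" ] && [ ! -e "$lnk" ] && echo "$lnk"
    done
    return 0
}

# Files in the usual cron locations that mention the malware name.
# (Assumed set of locations; extend for your distribution.)
find_cron_refs() {
    grep -rl -- "$1" "$ROOT/etc/crontab" "$ROOT/etc/cron.d" \
        "$ROOT/etc/cron.hourly" "$ROOT/var/spool/cron" 2>/dev/null
    return 0
}

# Root-only orchestration of the post's three steps.
cleanup() {
    name="$1"
    bin="$ROOT/usr/bin/$name"
    # 1. Drop exec permission and make the drop directories immutable so a
    #    respawned copy cannot be written back while we work.
    [ -f "$bin" ] && chmod 000 "$bin"
    chattr +i "$ROOT/usr/bin" "$ROOT/bin" "$ROOT/tmp"
    # 2. Remove persistence: init script, its rc links, cron references.
    rm -f "$ROOT/etc/init.d/$name"
    echo "rc links removed: $(remove_rc_links_for "$name")"
    for f in $(find_cron_refs "$name"); do
        echo "cron reference to $name in $f: review and remove the entry/script"
    done
    # 3. Kill the process, then unlink the binary. /usr/bin is immutable at
    #    this point, so lift the attribute for the unlink only and re-apply it.
    killall -9 "$name" 2>/dev/null
    chattr -i "$ROOT/usr/bin" && rm -f "$bin" && chattr +i "$ROOT/usr/bin"
}

# Usage on the infected host: sudo sh cleanup.sh clean ezymivavhq
if [ "${1:-}" = "clean" ] && [ -n "${2:-}" ]; then
    cleanup "$2"
fi
```

Cron entries are only listed, not edited, because their contents vary (the post's cron job called a separate script); inspect the reported files and remove the entry and whatever it invokes. Remember that locking /tmp with chattr +i also stops legitimate programs from creating files there, so undo it once the box is clean.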
Next I installed rkhunter to check the system:
https://sourceforge.net/projects/rkhunter/
tar -xf rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
sh installer.sh --install
Run a check:
/usr/local/bin/rkhunter -c
No anomalies were found.
This article is from the "OPS rookie" blog; please keep this source: http://ckl893.blog.51cto.com/8827818/1748345
Handling a Linux Trojan that saturates the server's bandwidth