Once a Linux server Trojan Avira experience

1 customer's own server due to the kind of Trojan horse, send a large number of packets, by the service provider cut off the network. Although no network can directly log on to the server, it is possible to enter the operating system via the Web Control Panel provided by the service provider.
First, use the command to view the associated connection: NETSTAT-NATP, it is obvious that the exception process is seen Getty

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/74/C6/wKiom1Yoo8HRa2wmAAMMhfn8vn4352.jpg "title=" A.png " alt= "Wkiom1yoo8hra2wmaammhfn8vn4352.jpg"/>

lsof-i:35308 corresponds to the process number and then kill.
Use the command last to view recent logins:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/74/C3/wKioL1YopAvAHc7VAATSLk0lcuw563.jpg "title=" 1.jpg " alt= "Wkiol1yopavahc7vaatslk0lcuw563.jpg"/> which has an exception IP login: 60.28.121.160 is the IP of Tianjin, and the customer is Quanzhou people. Preliminary estimate this could be the invading IP.
Use the command Histroy to see if any traces of the operation are left.

Use the command top to view the real-time process and find some strange processes:
650) this.width=650; "Src=" http://s3.51cto.com/wyfs02/M00/74/C6/ Wkiom1yopbftn35xaati9qsujvo432.jpg "title=" 6.png "alt=" wkiom1yopbftn35xaati9qsujvo432.jpg "/> Delete or remove Execute permissions.
thought that the Trojan clean up, let the service provider to open the machine, unexpectedly can not open, because the open will attack, so thought should be the Trojan did not clean up, there must be other Trojans will be automatically generated. The system starts up and there are strange processes, trying to delete a few times before the system starts and automatically generates.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/74/C6/wKiom1YopE_w_9a6AADeJvHmCwI617.jpg "title=" Psb.jpg "alt=" Wkiom1yope_w_9a6aadejvhmcwi617.jpg "/>
Because there is no network, can not use some network tools for Trojan killing, then follow the recommendations of the service provider into the rescue mode, and then let it remove network restrictions. The so-called rescue mode, in fact, similar to the PE startup disk, after entering the rescue mode:
Mount-o Exec,barrier=0/dev/xvda
Cd/media/xvda
MOUNT-T proc Proc proc/
MOUNT-T SYSFS SYS sys/
Mount-o Bind/dev dev/
Mount-t devpts pts dev/pts/
Chroot/media/xvda/bin/bash
Service SSH Start
Then through the service provider to remove network restrictions, so that there is a network, first of all, it is necessary to back up the data first. During the backup of the data also Avira Trojan.
Kill Soft: CLAMAV website address:Http://www.clamav.net/documents/installing-clamavHere is a detailed description of how to install, use, upgrade the virus library, this is skipped.
After installing the software,
Clamscan-r–bell-i///scan the entire root directory and find that some of the commands have been replaced.
650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/74/C6/wKiom1YopITCW3yjAAEDJB5sX0M094.jpg "title=" 5.png " alt= "Wkiom1yopitcw3yjaaedjb5sx0m094.jpg"/>

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/74/C3/wKioL1YopL7RmolbAAHJc5QEpsU616.jpg "title=" 6.png " alt= "Wkiol1yopl7rmolbaahjc5qepsu616.jpg"/>

The Trojan will be deleted, of course, I am backing up the data and then reloading the system. (also useful chkrootkit found this software altogether found not, so still this clamav more powerful! )

From Cloud host technology interconnect

This article is from the "Lifelong Learning" blog, please be sure to keep this source http://chenzm.blog.51cto.com/1870788/1705291

Once a Linux server Trojan Avira experience