I. Background
One night I noticed a server pushing an unusually high volume of traffic, clearly not its normal pattern: outbound traffic reached 800Mbps. My first thought was a Trojan, with the machine being used as a zombie to send out large numbers of packets.
For maximum performance this server had no firewall (iptables) rules enabled at all, but there is a physical firewall in front of it and the machine is reached through port mapping on a non-standard port, so I had assumed it was safe enough. Perhaps this Trojan and I were simply destined to meet. I am taking the opportunity to record the discovery process.
II. Discovery and tracking
1. The traffic graph shows the problem
Web pages were very slow to load, and sometimes there was no response at all.
2. Watch the processes with top
I immediately logged in to the affected server. The remote session was very sluggish and the outbound traffic on the network card was very large. In top I found an abnormal process with relatively high resource usage; its name was chosen so that, without looking carefully, I really took it for a web service process.
4. Kill the abnormal process and keep tracking
killall -9 nginx1
rm -f /etc/nginx1
Once the process was killed the traffic dropped immediately and the remote session stopped lagging. Is deleting the program file and killing the abnormal process enough to finish the job? I thought it surely could not be that simple: this is a Trojan, and it will certainly regenerate its program file (I did not know what to expect at that point, but the file was indeed regenerated later), so I had to keep tracing.
5. Check the login records and the secure log file
I checked the account login records with the last command and everything looked fine. The system messages file showed nothing either, but in the secure file I found some anomalies related to authentication, which I suspect were attempts to connect back to the controller.
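The kind of check described in this step, as an added example that is not part of the original post: it summarises sshd authentication events from a /var/log/secure style file so that repeated failures from one address, or an unexpected successful login, stand out. The log lines in the script are constructed for the demo; the field layout is the standard "Failed/Accepted password for [invalid user] NAME from IP port N" message that OpenSSH writes through syslog.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise sshd authentication
# events from a /var/log/secure style file. The sample lines below are
# constructed for the demo and are not from the author's server.

SAMPLE_SECURE_LOG='Oct 31 03:10:01 mobile sshd[2231]: Failed password for root from 203.0.113.5 port 41022 ssh2
Oct 31 03:10:04 mobile sshd[2231]: Failed password for root from 203.0.113.5 port 41022 ssh2
Oct 31 03:10:07 mobile sshd[2231]: Failed password for root from 203.0.113.5 port 41022 ssh2
Oct 31 03:11:15 mobile sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 52210 ssh2
Oct 31 03:15:52 mobile sshd[2255]: Accepted password for root from 192.0.2.10 port 50112 ssh2'

# ssh_auth_summary LOGFILE: print "<result> <user> <ip> <count>" for every
# (result, user, source) combination, most frequent first.
ssh_auth_summary() {
    awk '
        /sshd\[[0-9]+\]: (Failed|Accepted) password for/ {
            result = $6                                  # Failed or Accepted
            # "invalid user NAME" shifts the user and IP fields by two words
            if ($9 == "invalid" && $10 == "user") { user = $11; ip = $13 }
            else                                  { user = $9;  ip = $11 }
            n[result " " user " " ip]++
        }
        END { for (k in n) print k, n[k] }
    ' "$1" | sort -k4,4nr -k1,1
}

# ssh_failed_sources LOGFILE [THRESHOLD]: print "<ip> <count>" for every
# source address with at least THRESHOLD (default 5) failed logins.
ssh_failed_sources() {
    awk -v t="${2:-5}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = ($9 == "invalid" && $10 == "user") ? $13 : $11
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' "$1" | sort -k2,2nr
}

# Usage: sh secure_summary.sh /var/log/secure
# Without an argument the constructed sample above is analysed instead.
if [ -n "${1:-}" ]; then
    logfile=$1
else
    logfile=$(mktemp)
    printf '%s\n' "$SAMPLE_SECURE_LOG" > "$logfile"
fi
echo "== logins per result/user/source =="
ssh_auth_summary "$logfile"
echo "== sources with 3 or more failures =="
ssh_failed_sources "$logfile" 3
```

On a compromised host, copy the secure file off the machine first and run the script there: the awk, sort and head binaries on the infected system may themselves have been replaced, just like ps and netstat were here.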
7. More anomalous files found
Looking at the crontab scheduled task files I found nothing, and the system startup file rc.local was also normal, but in the /etc/init.d directory I found two rather strange script files: DbSecuritySpt and selinux.
By this point it was clear that many system commands had probably been replaced and that I could not solve the problem on my own. My recommendation is to reinstall the operating system and then set up a proper security policy. If you cannot reinstall, the method below is what I used; the specific steps have not been fully verified.
III. Manual removal of the Trojan
A general summary of the approximate steps follows:
1. A quick check for whether the Trojan is present
# Check whether any of the following files exist
cat /etc/rc.d/init.d/selinux
cat /etc/rc.d/init.d/DbSecuritySpt
ls /usr/bin/bsd-port
ls /usr/bin/dpkgd
# Check whether the sizes look normal
ls -lh /bin/netstat
ls -lh /bin/ps
ls -lh /usr/sbin/lsof
ls -lh /usr/sbin/ss
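The checklist above, automated as an added example that is not part of the original post. The indicator paths, rc?.d link names and watched tools are exactly the ones this post lists; the ROOT prefix is an assumed parameter so the same check can be run against a mounted disk image or a constructed test tree rather than only the live system. The rpm verification step is an addition of mine: it replaces the "does the size look normal?" eyeballing with a comparison against the package database, and is only attempted on a live RPM-based host.

```shell
#!/bin/sh
# Added example, not part of the original post: automates the manual
# "is the Trojan present?" checklist. ROOT is an assumed prefix so the
# check can run against a mounted image or a test tree.

GATES_INDICATOR_PATHS="
/etc/rc.d/init.d/selinux
/etc/rc.d/init.d/DbSecuritySpt
/usr/bin/bsd-port
/usr/bin/dpkgd
/usr/bin/.sshd
/tmp/gates.lod
/tmp/moni.lod
"

# Symlink names the post removes from /etc/rc.d/rc1.d ... rc5.d
GATES_RC_LINK_NAMES="S97DbSecuritySpt S99selinux"

# Tools the Trojan replaces, at the locations the post checks with ls -lh
GATES_WATCHED_TOOLS="/bin/netstat /bin/ps /usr/sbin/lsof /usr/sbin/ss"

# gates_indicators_found [ROOT]: print every indicator that exists under ROOT.
gates_indicators_found() {
    root=${1:-}; root=${root%/}
    for p in $GATES_INDICATOR_PATHS; do
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf '%s\n' "$root$p"
        fi
    done
    for lvl in 1 2 3 4 5; do
        for name in $GATES_RC_LINK_NAMES; do
            p="$root/etc/rc.d/rc$lvl.d/$name"
            if [ -e "$p" ] || [ -L "$p" ]; then
                printf '%s\n' "$p"
            fi
        done
    done
    return 0
}

# gates_indicator_count [ROOT]: number of indicators present; 0 means none found.
gates_indicator_count() {
    gates_indicators_found "$1" | wc -l | tr -d ' '
}

# gates_tool_report [ROOT]: print "<status> <size-in-bytes> <path>" for each
# watched tool. The size is what the post compares by eye against a known-good
# machine. On a live RPM-based system the file is additionally verified against
# the package database: rpm -V lists a file only when it no longer matches.
gates_tool_report() {
    root=${1:-}; root=${root%/}
    for t in $GATES_WATCHED_TOOLS; do
        f="$root$t"
        [ -e "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        status=unverified
        if [ -z "$root" ] && command -v rpm >/dev/null 2>&1; then
            if ! rpm -qf "$f" >/dev/null 2>&1; then
                status=UNOWNED          # not from any package: almost certainly planted
            elif rpm -Vf "$f" 2>/dev/null | grep -qF " $f"; then
                status=MODIFIED         # differs from what the package installed
            else
                status=ok
            fi
        fi
        printf '%s %s %s\n' "$status" "$size" "$f"
    done
    return 0
}

# Usage: sh gates_check.sh /            (live system)
#        sh gates_check.sh /mnt/image   (mounted image of the suspect disk)
if [ -n "${1:-}" ]; then
    gates_indicators_found "$1"
    gates_tool_report "$1"
fi
```

Running it against a mounted image of the suspect disk from a clean machine is the more trustworthy option, because on the live host the ls, wc and rpm binaries may have been swapped just like ps and netstat were.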
2. Upload the following commands to /root
3. Delete the following directories and files
rm -rf /usr/bin/dpkgd                  # contains the ps, netstat, lsof and ss copies
rm -rf /usr/bin/bsd-port               # Trojan program
rm -f /usr/bin/.sshd                   # Trojan backdoor
rm -f /tmp/gates.lod
rm -f /tmp/moni.lod
rm -f /etc/rc.d/init.d/DbSecuritySpt   # startup script of the Trojan variant described above
rm -f /etc/rc.d/rc1.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc2.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc3.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc4.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc5.d/S97DbSecuritySpt
rm -f /etc/rc.d/init.d/selinux         # by default starts /usr/bin/bsd-port/getty
rm -f /etc/rc.d/rc1.d/S99selinux
rm -f /etc/rc.d/rc2.d/S99selinux
rm -f /etc/rc.d/rc3.d/S99selinux
rm -f /etc/rc.d/rc4.d/S99selinux
rm -f /etc/rc.d/rc5.d/S99selinux
4. Find the abnormal process and kill it
5. Remove the replaced commands and reinstall them (copying clean copies uploaded from a normal machine into place also works)
I reinstalled them myself, copying the commands from a known-good machine.
# /root/chattr is the clean chattr uploaded in step 2; clear the immutable and
# append-only attributes first, otherwise rm fails on the replaced binaries
# ps
/root/chattr -i -a /bin/ps && rm -f /bin/ps
yum reinstall procps -y        # or: cp /root/ps /bin
# netstat
/root/chattr -i -a /bin/netstat && rm -f /bin/netstat
yum reinstall net-tools -y     # or: cp /root/netstat /bin
# lsof
/root/chattr -i -a /usr/sbin/lsof && rm -f /usr/sbin/lsof
yum reinstall lsof -y          # or: cp /root/lsof /usr/sbin
# ss
/root/chattr -i -a /usr/sbin/ss && rm -f /usr/sbin/ss
yum -y reinstall iproute       # or: cp /root/ss /usr/sbin
IV. Scanning with an antivirus tool
1. Install the antivirus tool ClamAV
yum -y install clamav clamav-milter
2. Start the service
3. Update the virus database
Because this ClamAV is not the latest version, it prints warnings. You can ignore them or upgrade to the latest version.
[root@mobile ~]# freshclam
ClamAV update process started at Sun 31 03:15:52 2016
WARNING: Can't query current.cvd.clamav.net
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): WARNING: main.cvd not found on remote server
WARNING: Can't read main.cvd header from db.cn.clamav.net (IP: 185.100.64.62)
Trying again in 5 secs...
ClamAV update process started at Sun 31 03:16:25 2016
WARNING: Can't query current.cvd.clamav.net
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): Trying host db.cn.clamav.net (200.236.31.1)...
OK
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Reading CVD header (daily.cvd): OK (IMS)
daily.cvd is up to date (version: 21325, sigs: 1824133, f-level: 63, builder: neo)
Reading CVD header (bytecode.cvd): OK (IMS)
bytecode.cvd is up to date (version: 271, sigs: 47, f-level: 63, builder: anvilleg)
4. Scanning
Use clamscan -h to view the help.
clamscan -r /etc --max-dir-recursion=5 -l /root/etcclamav.log
clamscan -r /bin --max-dir-recursion=5 -l /root/binclamav.log
clamscan -r /usr --max-dir-recursion=5 -l /root/usrclamav.log
clamscan -r --remove /usr/bin/bsd-port
clamscan -r --remove /usr/bin/
5. Check the logs for findings
Delete the commands that are reported and replace them with normal ones.
Appendix: Linux.BackDoor.Gates.5
After looking into it, this Trojan should be Linux.BackDoor.Gates.5. I found a document describing it; the content is as follows:
Some users hold a deep-rooted belief that there is currently no malware that can really threaten the Linux operating system, but this notion faces more and more challenges. Compared with April, the number of Linux malware samples detected by Doctor Web in May 2014 set a new record, and in June a series of Linux Trojans was added to the list; the new Trojan family was named Linux.BackDoor.Gates.
Described here is one member of the Linux.BackDoor.Gates family: Linux.BackDoor.Gates.5, which combines the functionality of a traditional backdoor with that of a DDoS Trojan and infects 32-bit Linux systems. Judging by its characteristics, it comes from the same virus writers as the Linux.DnsAmp and Linux.DDoS families. The Trojan consists of two functional modules: the basic module executes backdoor commands, while the second module, saved to disk during installation, carries out DDoS attacks. While running, Linux.BackDoor.Gates.5 collects the following information about the infected machine and forwards it to the criminals:
Number of CPU cores (read from /proc/cpuinfo).
CPU speed (read from /proc/cpuinfo).
CPU usage (read from /proc/stat).
Gateway IP address (read from /proc/net/route).
Gateway MAC address (read from /proc/net/arp).
Network interface information (read from /proc/net/dev).
MAC address of the network device.
Memory size (the MemTotal value in /proc/meminfo).
Amount of data sent and received (read from /proc/net/dev).
Operating system name and version (by running the uname command).
Once started, Linux.BackDoor.Gates.5 checks the path it was launched from and follows one of four behaviour patterns depending on the result.
If the path of the backdoor executable differs from the paths of the netstat, lsof and ps tools, the Trojan starts in the system disguised as a daemon, then initialises itself and unpacks its configuration file during initialisation. The configuration file contains all the data the Trojan needs to run, such as the management server's IP address and port, backdoor installation parameters, and so on.
Depending on the value of the g_iGatsIsFx parameter in the configuration file, the Trojan either actively connects to the management server or waits for a connection. After a successful installation the backdoor determines the IP address of the site it is connected to and uses that site as its command server.
During installation the Trojan checks the file /tmp/moni.lock; if the file is not empty it reads the data (a process PID) from it and kills that process. Linux.BackDoor.Gates.5 then checks whether the system has already started the DDoS module and the backdoor process (if they are running, these processes are killed too). If the special flag g_iIsService is set in the configuration file, the Trojan registers itself as an autostart service by writing the line
#!/bin/bash\n<path_to_backdoor>
to a file under /etc/init.d/, after which Linux.BackDoor.Gates.5 creates the following symbolic links:
ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
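The persistence mechanism just described, turned into an audit as an added example that is not from the original post or from Dr.Web: rather than looking for the names DbSecuritySpt and selinux, it flags any init script that has the shape the description gives (an interpreter line followed by a single absolute path) and counts the rc?.d symlinks registered for it, so a variant that picks a different name is still caught. The directory arguments are assumed parameters so the audit can run on a constructed test tree.

```shell
#!/bin/sh
# Added example, not part of the original post: finds init scripts shaped the
# way the description above says the Trojan writes them and counts their
# rc?.d symlinks. INITD and RCROOT are assumed parameters for offline use.

# launcher_target SCRIPT: if SCRIPT consists only of an interpreter line plus
# one absolute path, print that path; otherwise print nothing.
launcher_target() {
    awk '
        NR == 1 && /^#!/      { next }   # interpreter line
        /^[[:space:]]*$/      { next }   # blank lines
                              { lines++; cmd = $0 }
        END { if (lines == 1 && cmd ~ /^\/[^[:space:]]+$/) print cmd }
    ' "$1"
}

# audit_initd [INITD] [RCROOT]: for each launcher script under INITD
# (default /etc/init.d) print "<script> <target> <link-count>", where
# link-count is the number of symlinks in RCROOT/rc[0-6].d whose target has
# the script's name (the S97DbSecuritySpt / S99selinux pattern above).
audit_initd() {
    initd=${1:-/etc/init.d}
    rcroot=${2:-$(dirname "$initd")}
    for s in "$initd"/*; do
        [ -f "$s" ] || continue
        target=$(launcher_target "$s")
        [ -n "$target" ] || continue
        links=0
        for l in "$rcroot"/rc[0-6].d/*; do
            [ -L "$l" ] || continue
            if [ "$(basename "$(readlink "$l")")" = "$(basename "$s")" ]; then
                links=$((links + 1))
            fi
        done
        printf '%s %s %d\n' "$s" "$target" "$links"
    done
    return 0
}

# Usage: sh initd_audit.sh [/etc/init.d] [/etc]
if [ -n "${1:-}" ]; then
    audit_initd "$1" "${2:-}"
fi
```

A legitimate SysV init script handles start/stop arguments and is many lines long, so a script that only names one binary deserves a look even when that binary sits somewhere innocuous; compare the reported target against the package database (rpm -qf) before deciding.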
If the flag g_bDoBackdoor is set in the configuration file, the Trojan also tries to open the file /root/.profile to check whether its process has root privileges. The backdoor then copies itself to /usr/bin/bsd-port/getty and starts it. In the final phase of installation, Linux.BackDoor.Gates.5 creates another copy of itself in the folder /usr/bin/ under the name given in the configuration file, and replaces the following tools:
/bin/netstat
/bin/lsof
/bin/ps
/usr/bin/netstat
/usr/bin/lsof
/usr/bin/ps
/usr/sbin/netstat
/usr/sbin/lsof
/usr/sbin/ps
Having completed installation, the Trojan starts calling its basic functionality.
In the other two modes of operation the Trojan likewise disguises itself as a daemon when the infected computer boots, checks by reading the relevant .lock file whether its components are running (and starts them if they are not), but uses different names when saving its files and registering for autostart.
After establishing a connection with the command server, Linux.BackDoor.Gates.5 receives configuration data and the commands the zombie computer is to carry out. On the criminals' instruction the Trojan can update itself, start or stop a DDoS attack against a remote host with a specified IP address and port, execute the commands contained in the configuration data, or connect to a remote host at a specified IP address to execute other commands.
So far the main DDoS targets have been Chinese servers, although the criminals' targets also include other countries. The following figure shows the geographic distribution of DDoS attacks carried out with this Trojan: