[Reprint] Removing a virus with a random 10-character name under Linux

Source: Internet
Author: User
Tags: chr

Symptoms:
Network traffic is saturated by a flood of data sent to an IP address in Hong Kong. In top, a process with a random 10-letter name appears; looking inside /proc it claims to be ls, cd or another common command, and it sits at the top of CPU usage. After the process is killed, a new one with a random name is spawned.

Investigation:
Step one. The contents of /proc/<pid>/cmdline are forged, and ps shows the same fake content: basically one of the common commands listed below, meant to confuse the administrator's search for clues. To verify this, you can remove execute permission from who and other rarely used commands; the command nonetheless keeps appearing in ps -ef:

gnome-terminal
ls -a
route -n
netstat -antop
ifconfig
sh
cd /etc
bash
who
cat resolv.conf
ps -ef
cat resolv.conf


Because of the volume of traffic, the first step was to block the IP with iptables. Once the TCP connection can no longer be established, the malware switches to sending over UDP, and after sending it enters a listening state; the port shows up in the lsof output below.

Step two. ps -afh shows the commands above, but the PPID (parent process ID) is 1, that is, init, so this should be tied to a service.

# ps -afh
root 17796 1 0 11:54 ? 00:00:00 route -n
root 18008 1 0 11:55 ? 00:00:00 netstat -antop
root 18011 1 0 11:55 ? 00:00:00 ifconfig
root 18014 1 0 11:55 ? 00:00:00 sh
root 18015 1 0 11:55 ? 00:00:00 cd /etc
root 18016 1 0 11:55 ? 00:00:00 bash
root 18028 1 0 11:55 ? 00:00:00 who
root 18031 1 0 11:55 ? 00:00:00 cat resolv.conf
root 18033 1 0 11:55 ? 00:00:00 ps -ef


pstree shows the real name:

|-irqbalance --pid=/var/run/irqbalance.pid
|-jbguikdekd
|-jbguikdekd
|-jbguikdekd
|-jbguikdekd
|-mingetty /dev/tty2
|-mingetty /dev/tty3
|-mingetty /dev/tty4
|-mingetty /dev/tty5
|-mingetty /dev/tty6


lsof also gives concrete information, including a TCP connection to 103.240.141.54.
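As an added example (not part of the original post), the following script automates the cross-check that ps, pstree and lsof were used for above: for every process it compares the forged /proc/<pid>/cmdline with /proc/<pid>/comm and /proc/<pid>/exe, and notes when the running binary has been unlinked ("(deleted)") or a ten-letter name is parented directly by init. The PROC_ROOT argument and the reason labels are this example's own naming, not anything from the page.

```shell
#!/bin/sh
# Added example, not code from the original post: cross-check what each
# process claims in /proc/<pid>/cmdline against the kernel-side identity in
# /proc/<pid>/comm, /proc/<pid>/exe and the PPID from /proc/<pid>/stat.
# PROC_ROOT is an assumed parameter so the check can run against a copied
# or constructed /proc tree; it defaults to the live /proc.

# check_proc_names [PROC_ROOT]
# Prints one line per suspicious process:  PID COMM EXE REASONS
check_proc_names() {
    proc_root=${1:-/proc}
    for d in "$proc_root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        # cmdline is NUL-separated; keep argv[0] and drop a login-shell "-" prefix
        argv0=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
        argv0=${argv0#-}
        exe=$(readlink "$d/exe" 2>/dev/null)
        # stat is "pid (comm) state ppid ..."; comm may contain spaces, so cut after ")"
        ppid=$(sed 's/^.*) //' "$d/stat" 2>/dev/null | cut -d' ' -f2)
        reasons=""
        # the running binary was unlinked from disk (the "(deleted)" entries in lsof)
        case "$exe" in *" (deleted)") reasons="exe-deleted" ;; esac
        # argv[0] does not match comm (comm is truncated to 15 chars, so prefix-match)
        if [ -n "$argv0" ]; then
            case "${argv0##*/}" in
                "$comm"*) ;;
                *) reasons="${reasons:+$reasons,}cmdline-mismatch" ;;
            esac
        fi
        # ten lowercase letters directly under init: weak on its own (irqbalance
        # is also ten letters), meaningful together with the other two signals
        if [ "$ppid" = 1 ] && printf '%s\n' "$comm" | grep -Eq '^[a-z]{10}$'; then
            reasons="${reasons:+$reasons,}random-name-under-init"
        fi
        if [ -n "$reasons" ]; then
            printf '%s %s %s %s\n' "$pid" "$comm" "${exe:--}" "$reasons"
        fi
    done
    return 0
}

# Run against the live /proc when executed as a script (needs root to read
# exe links of other users' processes).
check_proc_names "$@"
```

Each flagged line carries all reasons that apply, so a legitimate ten-letter daemon under init shows only `random-name-under-init`, while the processes in this write-up would show all three.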


Step three. The crontab log shows gcc.sh being run over and over; searching for it, it lives in /etc/cron.hourly/:

# cat /etc/cron.hourly/gcc.sh
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
# bring up every interface listed in /proc/net/dev
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
# copy the body to a fresh file name and run it
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6


This reveals the virus body: /lib/libudev.so. The name makes it look like a library, but `file` shows it is an executable. Compare the two outputs below: one is an executable, the other a normal shared library (shared object):

# file libudev.so
libudev.so: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped


A normal library file looks like this:

# file libutil-2.12.so
libutil-2.12.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped


Execute permission was removed from this file, but the virus kept running.


Step four. Since the virus keeps restarting itself and its parent process ID is 1, it must be tied to init. Looking in /etc/init.d, there was indeed a startup entry; it was deleted. In /etc/rc.d/rc3.d/ there were several similar startup entries, which were also deleted.
After deleting them it still could not be killed: as soon as it was killed, a new one was created. Looking with lsof:

# lsof -r | grep "/usr/bin"
top        9512 9478 root txt REG 253,0  63856 421158 /usr/bin/top
fhmlrqtqv 17161    1 root txt REG 253,0 625729 393335 /usr/bin/fhmlrqtqvz
fgqnvqzzc 17226    1 root txt REG 253,0 625740 393427 /usr/bin/fgqnvqzzck (deleted)
fgqnvqzzc 17229    1 root txt REG 253,0 625740 393427 /usr/bin/fgqnvqzzck (deleted)
fgqnvqzzc 17232    1 root txt REG 253,0 625740 393427 /usr/bin/fgqnvqzzck (deleted)
fgqnvqzzc 17233    1 root txt REG 253,0 625740 393427 /usr/bin/fgqnvqzzck (deleted)
fgqnvqzzc 17234    1 root txt REG 253,0 625740 393427 /usr/bin/fgqnvqzzck (deleted)
# lsof -r
fhmlrqtqv 17161 1 root cwd DIR  253,0   4096      2 /
fhmlrqtqv 17161 1 root rtd DIR  253,0   4096      2 /
fhmlrqtqv 17161 1 root txt REG  253,0 625729 393335 /usr/bin/fhmlrqtqvz
fhmlrqtqv 17161 1 root  0u CHR    1,3    0t0   4023 /dev/null
fhmlrqtqv 17161 1 root  1u CHR    1,3    0t0   4023 /dev/null
fhmlrqtqv 17161 1 root  2u CHR    1,3    0t0   4023 /dev/null
fhmlrqtqv 17161 1 root  3u IPv4  50163    0t0    UDP *:57331
ynmsjtlpw 17272 1 root cwd DIR  253,0   4096      2 /
ynmsjtlpw 17272 1 root rtd DIR  253,0   4096      2 /
ynmsjtlpw 17272 1 root txt REG  253,0 625751 393426 /usr/bin/ynmsjtlpwp (deleted)
ynmsjtlpw 17272 1 root  0u CHR    1,3    0t0   4023 /dev/null
ynmsjtlpw 17272 1 root  1u CHR    1,3    0t0   4023 /dev/null
ynmsjtlpw 17272 1 root  2u CHR    1,3    0t0   4023 /dev/null
ynmsjtlpw 17275 1 root cwd DIR  253,0   4096      2 /
ynmsjtlpw 17275 1 root rtd DIR  253,0   4096      2 /



Step five. Re-checking init.d, two suspicious processes turned up under runlevel 3: when killed they restarted immediately, which looked very suspicious:

/usr/sbin/modem-manager
/usr/sbin/wpa_supplicant


But careful tracing showed they are started by NetworkManager; the related records are in /var/log/messages (NetworkManager was nearly killed by mistake!).


Step six. Back to lsof:
Repeating the view with `# lsof -r | grep "/usr/bin"` shows that the main process never changes, while a few secondary processes keep being created and stay in the (deleted) state. This indicates that the main process quickly spawns several child processes which then monitor each other; as soon as one detects that the virus body has been deleted or modified, it produces another copy.

Solution:
1. First delete the init startup entries, so that init will not launch the virus. The monitoring processes do not check whether the init entry has been deleted; doing this in any other order causes more trouble.
2. Then disable the crontab entries, to make sure it cannot start automatically.
3. Run: chmod 000 /usr/bin/xxxxxxx && chattr +i /usr/bin
This compound command first forbids execution and then locks /usr/bin so that a newly generated copy of the virus cannot be written there.
4. Kill the main process and delete the virus body.
5. Check for errors, unlock /usr/bin, and remove any other copies the virus may have produced.
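An added example supporting steps 1, 2 and 5 above (not the original author's code): it lists every init.d, rc*.d and cron entry that refers to a given binary name, and every ten-lowercase-letter file name in a directory such as /usr/bin, so the entries can be reviewed before anything is deleted. The ROOT prefix, the function names and the assumed SysV and cron paths are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post: enumerate the persistence
# hooks that steps 1, 2 and 5 of the cleanup remove, for a given binary name.
# ROOT is an assumed prefix ("" for the live system) so the same functions can
# run against a mounted image or a constructed tree. Layout assumed: SysV
# /etc/init.d plus /etc/rc.d/rc?.d and the usual cron locations.

# mentions PATH NAME: true if PATH's basename, its symlink target, or its
# contents refer to NAME (matched as a fixed string, not a regex)
mentions() {
    case "$(basename "$1")" in *"$2"*) return 0 ;; esac
    case "$(readlink "$1" 2>/dev/null)" in *"$2"*) return 0 ;; esac
    grep -qsF -- "$2" "$1"
}

# find_persistence ROOT NAME: prints "init PATH" or "cron PATH" per hit, in
# the order the cleanup handles them (init entries first, then cron)
find_persistence() {
    root=$1; name=$2
    for d in "$root/etc/init.d" "$root/etc/rc.d" \
             "$root/etc/crontab" "$root/etc/cron.d" "$root/etc/cron.hourly" \
             "$root/etc/cron.daily" "$root/var/spool/cron"; do
        [ -e "$d" ] || continue
        case "${d#"$root"}" in /etc/cron*|/var/spool/cron) kind=cron ;; *) kind=init ;; esac
        # -o is find's logical OR: regular files or symlinks (the rc?.d entries)
        find "$d" \( -type f -o -type l \) 2>/dev/null | sort | while IFS= read -r p; do
            if mentions "$p" "$name"; then echo "$kind $p"; fi
        done
    done
    return 0
}

# find_random_names DIR: regular files directly in DIR whose name is exactly
# ten lowercase letters, the naming pattern of the copies seen in lsof above.
# Legitimate names match too (irqbalance), so cross-check hits against the
# package database (rpm -qf / dpkg -S) before removing anything.
find_random_names() {
    find "$1" -maxdepth 1 -type f 2>/dev/null | sort | while IFS= read -r p; do
        if printf '%s\n' "$(basename "$p")" | grep -Eq '^[a-z]{10}$'; then echo "$p"; fi
    done
    return 0
}
```

Typical use on the affected host: `find_persistence "" fhmlrqtqvz` for the name seen in lsof, `find_persistence "" libudev.so` for the cron hook, and `find_random_names /usr/bin` after the main process is dead to find the remaining copies.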


Summary:
1. What is inside /proc can be altered.
2. lsof is more faithful, since it does not simply take the information from /proc: what ps shows is not necessarily true, while the process shown in top is still correct.

Appendix: find's -o option is the logical OR operator.

Attached: an sbtrace found on the internet.

