Case description
In the morning we received a phone call from the IDC: an IP in one of our network segments was sending outbound traffic non-stop and had presumably been compromised. They could not say which IP it was, so we had to find it ourselves.
Analysis and solution
First we had to determine which machine's network card was sending the traffic. Fortunately we have Zabbix monitoring; I went through the hosts one by one and found one whose link was saturated, so the problem had to be on that machine.
I logged in to the machine and checked the NIC traffic: it was pushing a startling amount of traffic outbound.
This machine mainly runs a Tomcat web service and an Oracle database, so the problem was unlikely to be in either of those. I checked the web logs and found nothing unusual; the database was normal and had no error log; the system log also showed nothing unusual, but it had been cleared, which in itself is a sign that someone has been on the box.
I hurried to check the running processes for anything abnormal. Sure enough, there were a few: they do not stand out unless you look carefully, but these processes are not normal.
What were these processes? Every time I ran ps -ef the names were different, and the process IDs kept changing as well. I wanted to see which files they had open, but at that point I realized these must be child processes managed by a master process. Looking at the children is pointless, and even if I kill them new ones are spawned; to catch the thieves you first catch the king, so we have to go after the parent. I used top -d 1 to watch resource usage in real time and look for an unusual process consuming CPU, memory and so on, and found an odd process I had never seen before. This should be the trojan's master process.
I tried to kill it with killall -9 ueksinzina, but afterwards ps -ef still showed the child processes. Had it not died? Looking again with top -d 1, there was now a different master process. It seems it cannot simply be killed; if it were that easy it would not be a trojan.
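The observation above (the child process names change between two runs of ps -ef while the parent stays put) can be turned into a small check. The script below is an added example, not code from the original post: it compares two snapshots of `ps -eo pid,ppid,comm` taken a few seconds apart and reports the processes that exist in both snapshots and gained several new children in between, which is where to look for the master process. The snapshot contents, the process names (ueksinzina, obgqtvdunq and the rest) and the threshold of three new children are constructed sample data and assumptions, not data from the case.

```shell
#!/bin/sh
# Added example: find the stable parent of the churning child processes.
# Take two snapshots a few seconds apart on the suspect host, for example:
#   ps -eo pid,ppid,comm | tail -n +2 > /root/snap1
#   sleep 5
#   ps -eo pid,ppid,comm | tail -n +2 > /root/snap2
#   sh find_spawner.sh /root/snap1 /root/snap2
# Each snapshot line is "pid ppid comm" with no header.

# find_spawner SNAP1 SNAP2 [MIN]
# Prints "ppid comm new_children" for every process present in both
# snapshots that acquired at least MIN (default 3) new children between
# them, busiest spawner first. Normal daemons also fork (sshd, crond), so
# treat the output as a shortlist to review with top and
# ls -l /proc/<pid>/exe, not as a verdict.
find_spawner() {
  awk -v min="${3:-3}" '
    FNR == NR { seen[$1] = 1; next }          # first file: pids alive earlier
    {
      name[$1] = $3                           # second file: pid -> command name
      if (!($1 in seen)) newkids[$2]++       # pid appeared since snap1: credit its parent
    }
    END {
      for (p in newkids)
        if (newkids[p] >= min && (p in seen) && (p in name))
          printf "%s %s %d\n", p, name[p], newkids[p]
    }' "$1" "$2" | sort -k3,3nr
}

# Constructed sample snapshots mirroring the case above: the master process
# ueksinzina (pid 1300) keeps replacing its randomly named children, while
# sshd forks once for a new login.
sample_snap1() {
  cat <<'EOF'
1 0 init
842 1 sshd
1203 1 java
1300 1 ueksinzina
1311 1300 obgqtvdunq
1312 1300 ptgkdwzlfa
1313 1300 mvvqxbhneu
EOF
}

sample_snap2() {
  cat <<'EOF'
1 0 init
842 1 sshd
1203 1 java
1300 1 ueksinzina
1401 1300 wqsdjhgtre
1402 1300 uylkmnbvcx
1403 1300 zapvnxcqwe
1404 1300 hhgdsfqwre
2210 842 sshd
EOF
}

# demo_spawner: run the check on the sample data and return the top line
demo_spawner() {
  s1=$(mktemp) s2=$(mktemp)
  sample_snap1 > "$s1"
  sample_snap2 > "$s2"
  find_spawner "$s1" "$s2" 3 | head -n 1
  rm -f "$s1" "$s2"
}

if [ $# -eq 2 ]; then
  find_spawner "$1" "$2"        # real snapshots given on the command line
else
  demo_spawner                  # prints: 1300 ueksinzina 4
fi
```

On the sample data only pid 1300 (ueksinzina) passes the threshold; sshd gained one child and is filtered out. Lower MIN to 1 to see every forking parent. Snapshots must be taken with the same ps options so the columns line up, and on a host whose ps may itself be replaced, run a known-good copy.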
Let's see what it really is. `which obgqtvdunq` showed that the binary lives in /usr/bin, so it was generated there. I thought some program must be watching the state of this process, possibly through a scheduled task, and re-executing it whenever it dies. Following that line of thought I looked at the scheduled tasks in /etc/crontab and the startup scripts in /etc/init.d, and both turned out to have problems.
There was a scheduled task, gcc4.sh, which we had not set up, and its contents were strange: this should be what watches the process and restarts it when it dies. We have to delete the related configuration and also delete /lib/libudev4.so.
The same file was also found under the /etc/init.d/ directory.
Its contents are the boot-time start information, which we also have to delete.
The two items above are a startup entry for the trojan and a trojan program that starts the trojan. At the moment, when we kill the trojan it does not die: it immediately changes its name and switches to another program file to run, so killing it directly is useless. Our aim is to prevent the new program file from being generated, so first we remove the program's execute permission and lock the directory it was written to, /usr/bin:
chmod 000 /usr/bin/obgqtvdunq
chattr +i /usr/bin
Note that the immutable bit on /usr/bin, /bin or /tmp also blocks package installs, updates and any legitimate service that writes there, so remove it with chattr -i once the cleanup is done; and if the attacker may have replaced chattr and lsattr themselves, run copies from a trusted medium.
Then we kill the process with killall -9 obgqtvdunq and look in /etc/init.d/ again: it has created a new process, and this time the binary has moved to /bin. As above, we remove its execute permission and lock /bin so it cannot spawn there, then kill it and look again: it has generated yet another file, this time not in a directory on PATH but in /tmp. We lock /tmp as well and then end the process.
From then on no new trojan process was generated. The principle is that once the trojan program has been ended, the remaining work is to clear out the files it produced in these directories. After searching, I first removed the trojan's start script from /etc/init.d, and then the symlinks to it under /etc/rc#.d/.
Later, looking at the modification times of the files in /etc, I found a newly generated file in the ssh directory as well and could not tell whether it was a problem. A quick way to decide is to compare the directory against the package manager's records (rpm -V openssh-server, or debsums openssh-server on Debian), which reports files that do not belong to the package or whose checksums have changed.
With cleanup nearly done, we have to remove the files generated just now: unlock each directory first (for example chattr -i /tmp) and then delete the trojan file, and likewise delete the trojan files under /bin and /usr/bin. With that the trojan cleanup is finished.
Quick trojan cleanup procedure
Suppose the trojan is named nshbsjdy. If it is not visible in top, you can look for it under the /etc/init.d directory.
1. First lock the three directories so no new trojan file can be generated:
chmod 000 /usr/bin/nshbsjdy
chattr +i /usr/bin
chattr +i /bin
chattr +i /tmp
2. Delete the scheduled task and the boot files (the gcc4.sh entry in /etc/crontab and /lib/libudev4.so found above, plus the init script and its rc links):
rm -f /etc/init.d/nshbsjdy
rm -f /etc/rc#.d/<symlink pointing at the trojan script>
3. Kill the trojan process:
killall -9 nshbsjdy
4. Clean up the trojan file:
chattr -i /usr/bin
rm -f /usr/bin/nshbsjdy
Once processing is complete, check the above directories again, especially the most recently modified files under /etc, and remember to remove the immutable bit from /bin and /tmp as well once you are done.
5. If it is a rootkit trojan, you can check with the following software:
Software: chkrootkit
Software: rkhunter
Installation is very simple. I ran a quick check with rkhunter and it found no major problems, but that does not mean there are none: these detection tools depend on a number of system commands, and if those commands have themselves been infected the infection will not be detected. It is best to run the check with a backed-up copy of the system commands; failing that, back up the data and reinstall the system.
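To make steps 2 and the post-cleanup check repeatable, here is an added example script (not from the original post) that implements them as shell functions. It takes a root directory so it can be pointed at a mounted image of the victim's disk or at a test tree, and it assumes exactly the persistence seen in this case: an init script with the trojan's name, rc#.d symlinks to it, a gcc4.sh crontab line and /lib/libudev4.so. The directory locking of step 1 (chattr) is left to be done by hand, since it needs the live filesystem and must happen before the process is killed. The test tree in the usage note is constructed.

```shell
#!/bin/sh
# Added example: find and remove the persistence used by the trojan in this case.
# ROOT is the filesystem root to inspect: "/" on the live host, or the mount
# point of the victim's disk image. NAME is the trojan's current file name.
#
#   sh persist.sh /mnt/victim nshbsjdy                # report only
#   . ./persist.sh; remove_persistence / nshbsjdy     # actually delete

# hunt_persistence ROOT NAME: one line per persistence artefact found
hunt_persistence() {
  root="${1%/}"; name="$2"
  [ -e "$root/etc/init.d/$name" ] && printf 'init script: %s\n' "$root/etc/init.d/$name"
  # rc#.d symlinks that resolve to the trojan's init script
  find "$root/etc" -path "$root/etc/rc*.d/*" -type l 2>/dev/null | sort |
  while IFS= read -r l; do
    case "$(readlink "$l")" in
      */"$name"|"$name") printf 'rc link: %s -> %s\n' "$l" "$(readlink "$l")" ;;
    esac
  done
  # crontab entries referencing the trojan or the gcc4.sh helper seen in this case
  [ -f "$root/etc/crontab" ] && grep -n -e "$name" -e 'gcc4\.sh' "$root/etc/crontab" | sed 's/^/crontab line: /'
  # the shared object the trojan dropped in this case
  [ -e "$root/lib/libudev4.so" ] && printf 'dropped lib: %s\n' "$root/lib/libudev4.so"
  return 0
}

# recent_etc ROOT MINUTES: regular files under etc modified in the last MINUTES
# (-mmin is GNU/BSD find; fall back to ls -lt /etc where it is missing)
recent_etc() {
  root="${1%/}"; mins="${2:-1440}"
  find "$root/etc" -type f -mmin "-$mins" 2>/dev/null | sort
}

# remove_persistence ROOT NAME: delete what hunt_persistence reports.
# Run it only after the binaries are locked and the process is dead, or the
# watchdog simply recreates them.
remove_persistence() {
  root="${1%/}"; name="$2"
  find "$root/etc" -path "$root/etc/rc*.d/*" -type l 2>/dev/null |
  while IFS= read -r l; do
    case "$(readlink "$l")" in */"$name"|"$name") rm -f "$l" ;; esac
  done
  rm -f "$root/etc/init.d/$name" "$root/lib/libudev4.so"
  if [ -f "$root/etc/crontab" ]; then
    cp -p "$root/etc/crontab" "$root/etc/crontab.pre-cleanup"   # keep for the incident record
    grep -v -e "$name" -e 'gcc4\.sh' "$root/etc/crontab" > "$root/etc/crontab.tmp" || :
    mv "$root/etc/crontab.tmp" "$root/etc/crontab"
  fi
}

if [ $# -ge 2 ]; then
  hunt_persistence "$1" "$2"
  recent_etc "$1" 1440
fi
```

Running it against the live host while the trojan is still respawning only confirms what it will recreate; the value is in running it after the kill, and again after reboot, to be sure nothing comes back. The crontab backup it leaves in /etc will itself show up in recent_etc, which is intended.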
This article was originally published on the author's 51CTO blog; please keep this source: http://68686789.blog.51cto.com/10438688/1883533
Resolving a Linux virus that saturated the server's bandwidth: the process above is provided for reference.