The experience of a Trojan invasion and removal program

Source: Internet
Author: User
Tags: nameserver




First, the backdoor Trojan that got in, as described below:

(Of course, this was all pieced together slowly after things had calmed down; at the time I had been relaxing over a coffee, feeling like a free man.)

Trojan Name

Linux.backdoor.gates.5

http://forum.antichat.ru/threads/413337/



It started around 14:00 in the afternoon: several servers suddenly had extremely high traffic. Normally they only carry a few hundred M; this time the traffic reached the G level. The first feeling at that volume was that we were under a DDoS traffic attack. With so many servers on hand, a few of them had not been watched closely, and we assumed a quick check would turn up the cause.

To put it plainly: for the best performance, none of our servers had a firewall (neither hardware nor iptables), so the servers had been running naked all along.

That had not caused a problem in several years, so Linux server security seemed quite satisfactory.


At first there was no clue. ps to check processes, netstat to check ports, iftop to check traffic: I expect everyone starts with these operations in this situation, and that is exactly what the attacker hoped for (obviously they know us well, ha).

Nothing unusual was found, except that iftop showed our server sending a large number of packets; traffic to a single IP could exceed 600 M. Only then did we realize the server had been compromised, but merely as a bot (a "broiler") used to attack other servers, because

the IP being attacked kept changing, as if someone were controlling it remotely.


In the blink of an eye it was almost the end of the working day, and by then about 3 servers showed this behaviour. Everyone summed up what they had found so far:

A, /bin/ps and /bin/netstat are 1.2M in size, obviously replaced by someone

B, a /usr/bin/.dbus-daemon--system process with a leading dot, very similar to the genuine one without the dot, but fake after all. They do not delete the real one and replace it, so whoever wrote this program has a strong sense of legality, or else, once the program spreads far enough,

would a big agency like the CIA leave him alone?

C, /etc/rc.d/rc.local permissions changed, and a boot entry added

D, the lsattr and chattr commands removed

E, processes that are killed come straight back up; this is a headache

F, some recently modified files were found, obviously left by the intruder

G, 2 startup items added to the boot auto-start files


At first the killed processes came back up and the deleted files were regenerated. With no firewall configured in the production environment, in desperation I thought of a strange trick: rename /bin/bash. Sure enough the traffic dropped. This "kill 10,000 of the enemy, lose 8,000 of your own" move really worked.

In fact the real Trojan had still not been found at this point, but there was now time to analyze where the infection came from. Two of the 3 servers disconnected suddenly after bash was renamed and could no longer be logged in to, so they had to be reinstalled. On the remaining one I looked around slowly;

quite a lot was found, and then deleted. I was in a good mood and ready to write a blog post, since this was the first time the production environment had met a Trojan.

Around 22:00, with the blog half written, a fault alert suddenly came in: this time 7 servers had failed. The good mood vanished; the first 3 were just the prologue, and the real battle had not yet begun. So the rest of the blog was written afterwards;

if the tone is not the same from here on, that is why.


Having looked up information online during this period, I slowly became familiar with this Trojan. When I uploaded normal binaries such as ls, netstat, chattr and lsattr, the Trojan's automatic replacement behaviour immediately revealed itself, and I analyzed it:

the Trojan's file names vary, but the aim is always the same. The names are written inside /etc/rc.d/init.d/DbSecuritySpt and /etc/rc.d/init.d/selinux, and they are chosen to look very similar to normal services.

They include /usr/local/zabbix/sbin/zabbix_agentd, /usr/bin/bsd-port/getty, /usr/bin/dpkgd/ps, /usr/bin/.dbus-daemon--system, /usr/bin/.sshd and /usr/bin/sshd. In short, whatever processes your system happens to be

running, it copies their names to confuse you; in fact they are all the same program, with the same file size.

Now it is a matter of deleting these files and killing these processes. An aside: on one server a few files were missed, and the next day it had been activated again. These things are reactivated whenever you run one of the replaced commands mentioned above, so be very careful. At about 4 o'clock in the morning

the Trojan had been cleaned up on the 7 servers, more or less. A comprehensive summary of the approximate steps follows:



0, simple check for whether the Trojan is present

Do any of the following files exist?

cat /etc/rc.d/init.d/selinux

cat /etc/rc.d/init.d/DbSecuritySpt

ls /usr/bin/bsd-port

ls /usr/bin/dpkgd

Are the sizes normal?

ls -lh /bin/netstat

ls -lh /bin/ps

ls -lh /usr/sbin/lsof

ls -lh /usr/sbin/ss
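The step 0 checks collected into one script, as an added example that is not from the original post: it sweeps the dropper paths the post lists, flags the monitoring tools whose size exceeds a threshold, and on an RPM-based host asks the package database whether those tools still match what was shipped. The root-prefix argument (so a mounted disk image or a scratch tree can be swept), the GATES_ROOT variable and the 1000000-byte threshold are this example's own assumptions; the threshold is taken from the post's observation that the fakes are 1.2M.

```shell
#!/bin/sh
# Added example, not part of the original post: indicator sweep for the
# Gates dropper paths and replaced binaries described in step 0.
# Assumptions: the optional first argument is a root prefix (a mounted
# image, or a scratch tree), "" meaning the live host; the size threshold
# below is assumed from the post's "1.2M" observation.

# Dropped files, init scripts and lock files the post lists.
GATES_PATHS="/etc/rc.d/init.d/selinux /etc/rc.d/init.d/DbSecuritySpt
/usr/bin/bsd-port /usr/bin/dpkgd /usr/bin/.sshd /usr/bin/.dbus-daemon--system
/usr/local/zabbix/sbin/conf.n /root/cmd.n /root/conf.n /root/ip
/tmp/gates.lod /tmp/moni.lod /tmp/notify.file /tmp/gates.lock"

# System tools the post found replaced by ~1.2 MB fakes.
REPLACED_BINS="/bin/ps /bin/netstat /usr/sbin/lsof /usr/sbin/ss"
SIZE_LIMIT=1000000   # bytes; assumed threshold

# Prints one line per indicator plus a final count; returns 1 if anything hit.
check_gates_indicators() {
    root="${1:-}"
    hits=0
    for p in $GATES_PATHS; do
        if [ -e "$root$p" ]; then
            echo "INDICATOR present: $p"
            hits=$((hits + 1))
        fi
    done
    for b in $REPLACED_BINS; do
        if [ -f "$root$b" ]; then
            size=$(wc -c < "$root$b" | tr -d ' ')
            if [ "$size" -gt "$SIZE_LIMIT" ]; then
                echo "SUSPICIOUS size: $b ($size bytes)"
                hits=$((hits + 1))
            fi
        fi
    done
    echo "$hits indicator(s) found"
    [ "$hits" -eq 0 ]
}

# On an RPM-based host the stronger check is whether each tool still matches
# its package: in "rpm -V" output, "S" marks a size mismatch and "5" a digest
# mismatch. Only meaningful on the live host, so it ignores the root prefix.
verify_bins_with_rpm() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; skipping package verification"
        return 0
    fi
    for b in $REPLACED_BINS; do
        [ -f "$b" ] && rpm -Vf "$b"
    done
    return 0
}

# Run the sweep when GATES_ROOT is set, e.g.:
#   GATES_ROOT=/ sh gates_check.sh          (live host)
#   GATES_ROOT=/mnt/img sh gates_check.sh   (mounted disk image)
if [ -n "${GATES_ROOT+x}" ]; then
    check_gates_indicators "$GATES_ROOT"
    [ "$GATES_ROOT" = "/" ] && verify_bins_with_rpm
fi
```

The sweep reads files only, so it can be run from a rescue system against a mounted disk; it deliberately does not call ps, netstat, lsof or ss, since on an infected host those are exactly the binaries that have been replaced.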



1, upload clean copies of the following commands to /root

lsattr chattr ps netstat ss lsof



2, delete the following directories and files

rm -rf /usr/bin/dpkgd (ps netstat lsof ss)

rm -rf /usr/bin/bsd-port (Trojan program)

rm -f /usr/local/zabbix/sbin/zabbix_agentd (Trojan program)

rm -f /usr/local/zabbix/sbin/conf.n

rm -f /usr/bin/.sshd

rm -f /usr/bin/sshd

rm -f /root/cmd.n

rm -f /root/conf.n

rm -f /root/ip

rm -f /tmp/gates.lod

rm -f /tmp/moni.lod

rm -f /tmp/notify.file (program)

rm -f /tmp/gates.lock (process number)

rm -f /etc/rc.d/init.d/DbSecuritySpt (starts the Trojan variant programs described above)

rm -f /etc/rc.d/rc1.d/S97DbSecuritySpt

rm -f /etc/rc.d/rc2.d/S97DbSecuritySpt

rm -f /etc/rc.d/rc3.d/S97DbSecuritySpt

rm -f /etc/rc.d/rc4.d/S97DbSecuritySpt

rm -f /etc/rc.d/rc5.d/S97DbSecuritySpt

rm -f /etc/rc.d/init.d/selinux (by default starts /usr/bin/bsd-port/getty)

rm -f /etc/rc.d/rc1.d/S99selinux

rm -f /etc/rc.d/rc2.d/S99selinux

rm -f /etc/rc.d/rc3.d/S99selinux

rm -f /etc/rc.d/rc4.d/S99selinux

rm -f /etc/rc.d/rc5.d/S99selinux



3, find the process numbers of the following programs and kill them

In top the Trojan is obvious at a glance: its CPU utilization is high.

/root/ps aux | grep -i jul29 (mostly the most recently started processes)

/root/ps aux | grep -i jul30

/root/ps aux | grep -i jul31

/root/ps aux | grep sshd

/root/ps aux | grep ps

/root/ps aux | grep getty

/root/ps aux | grep netstat

/root/ps aux | grep lsof

/root/ps aux | grep ss

/root/ps aux | grep zabbix_agentd

/root/ps aux | grep .dbus

Examples are as follows:

/root/ps aux | grep getty

root 6215 0.0 0.0 93636 868 ? Ssl 20:54 0:05 /usr/bin/bsd-port/getty

kill 6215

/root/ps aux | grep zabbix_agentd

root 2558 71.0 0.0 106052 1048 ? Ssl 20:54 117:29 ./zabbix_agentd

kill 2558

/root/ps aux | grep "/dpkgd/ps"

root 11173 67.8 0.0 105924 1020 ? Ssl 01:39 8:00 /usr/bin/dpkgd/ps -p 11148 -o comm=

kill 11173


Note that if you simply delete the file after the kill, it will appear again. To destroy the Trojan, empty the file and make it immutable instead:

> /usr/bin/dpkgd/ps && /root/chattr +i /usr/bin/dpkgd/ps

> /usr/bin/bsd-port/getty && /root/chattr +i /usr/bin/bsd-port/getty



4, remove the Trojan-replaced commands and reinstall them (or upload the normal programs and copy them over)

ps

/root/chattr -i -a /bin/ps && rm /bin/ps -f

yum reinstall procps -y

or

cp /root/ps /bin


netstat

/root/chattr -i -a /bin/netstat && rm /bin/netstat -f

yum reinstall net-tools -y

or

cp /root/netstat /bin


lsof

/root/chattr -i -a /usr/sbin/lsof && rm /usr/sbin/lsof -f

yum reinstall lsof -y

or

cp /root/lsof /usr/sbin


chattr && lsattr

yum -y reinstall e2fsprogs


ss

/root/chattr -i -a /usr/sbin/ss && rm /usr/sbin/ss -f

yum -y reinstall iproute

or

cp /root/ss /usr/sbin


Restore the permissions of the following two programs. I found by accident that they had changed the permissions of these two, so that once you find the Trojan you can neither download the normal programs nor kill the processes:

/usr/bin/killall

/usr/bin/wget


In addition, they modified the DNS settings, presumably afraid that we would not be able to resolve domain names; very thoughtful of them, ha.

cat /etc/resolv.conf

nameserver 8.8.8.8

nameserver 8.8.4.4




5, tool scan

Install an anti-virus tool.

Installation:

yum -y install clamav*

Start:

service clamd restart

Update the virus database:

freshclam

Scanning method:

clamscan -r /etc --max-dir-recursion=5 -l /root/etcclamav.log

clamscan -r /bin --max-dir-recursion=5 -l /root/binclamav.log

clamscan -r /usr --max-dir-recursion=5 -l /root/usrclamav.log

clamscan -r --remove /usr/bin/bsd-port

clamscan -r --remove /usr/bin/

clamscan -r --remove /usr/local/zabbix/sbin

Viewing the logs showed:

/bin/netstat: Linux.Trojan.Agent FOUND

grep FOUND /root/usrclamav.log

/usr/bin/.sshd: Linux.Trojan.Agent FOUND

/usr/sbin/ss: Linux.Trojan.Agent FOUND

/usr/sbin/lsof: Linux.Trojan.Agent FOUND


6, strengthen our own security

At this point the cause of the intrusion was still unknown, so it could only be approached from two angles: brute force, and vulnerabilities in the system and its services.

A, yum update the system (especially bash, OpenSSH and OpenSSL)

B, shut down unnecessary services

C, allow SSH login only for normal users, and use hosts.allow and hosts.deny to restrict the network segments that may log in

D, record the commands run after logging in to the system

The following actions were found in that record:

Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/messages

Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/httpd/access_log

Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/httpd/error_log

Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/xferlog

Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/secure

Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/auth.log

Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/user.log

Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/wtmp

Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/lastlog

Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/btmp

Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/run/utmp

Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/spool/mail/root

Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >./.bash_history

Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]rm -rf /root/.bash_history

Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]
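The command record above is only useful if someone looks at it, so here is an added example (not from the original post) of a small detector run over such a record: it flags redirections that truncate logs, login records, mail spools or shell history, as well as direct history removal, while leaving appends and ordinary reads of /var/log alone, and it tallies the hits per effective uid. The line format is taken from the post's output; the PROMPT_COMMAND hook shown in the comment is an assumed way of producing such lines, not the author's exact setup, and the sample audit lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: detect log-wiping commands in
# a command audit trail of the shape shown in step 6(d),
#   "... logger: [euid=<uid>]::[<cwd>]<command>"
# Assumptions: that line shape, and the constructed sample trail below.
#
# One assumed way to produce such lines from an interactive bash session
# (log the last history entry on every prompt):
#   PROMPT_COMMAND='logger -t cmdaudit "[euid=$(id -u)]::[$PWD]$(fc -ln -1 | sed "s/^[[:space:]]*//")"'

# Truncating redirections into logs, login records, mail spools or history.
# "(^|[^>])>" ensures ">>" appends are not matched.
TAMPER_RE='(^|[^>])>[[:space:]]*\.?/?(var/log/|var/run/utmp|var/spool/mail/|[^[:space:]]*\.bash_history)'
# Direct history removal or disabling.
TAMPER_RE="$TAMPER_RE|rm[[:space:]]+-[rf]+[[:space:]]+[^[:space:]]*\.bash_history"
TAMPER_RE="$TAMPER_RE|history[[:space:]]+-c|unset[[:space:]]+HISTFILE"

# Prints the audit lines that match; exit status 1 when nothing matches.
flag_log_tampering() {
    grep -E -e "$TAMPER_RE" "$1"
}

# Counts matching lines per euid, so the analyst sees who wiped what.
tampering_by_euid() {
    flag_log_tampering "$1" | sed -n 's/.*\[euid=\([^]]*\)\].*/\1/p' | sort | uniq -c
}

# Constructed sample trail: benign reads and an append mixed with wipes.
write_sample_audit() {
    cat > "$1" <<'EOF'
Jul 30 00:26:35 chn-lz-131 logger: [euid=root]::[/root]ls -l /var/log
Jul 30 00:26:36 chn-lz-131 logger: [euid=root]::[/root]tail -n 20 /var/log/secure
Jul 30 00:26:36 chn-lz-131 logger: [euid=root]::[/root]echo "deploy ok" >> /var/log/deploy.log
Jul 30 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/secure
Jul 30 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/wtmp
Jul 30 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/run/utmp
Jul 30 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >./.bash_history
Jul 30 00:26:37 chn-lz-131 logger: [euid=root]::[/root]rm -rf /root/.bash_history
Jul 30 00:26:38 chn-lz-131 logger: [euid=root]::[/root]history -c
Jul 30 00:26:40 chn-lz-131 logger: [euid=1000]::[/home/ops]grep error /var/log/httpd/error_log
EOF
}

# Dry run on the constructed sample: prints the 6 flagged lines, then "6 root".
SAMPLE=$(mktemp)
write_sample_audit "$SAMPLE"
flag_log_tampering "$SAMPLE"
tampering_by_euid "$SAMPLE"
rm -f "$SAMPLE"
```

Because the record is written by the same root shell the intruder is using, it is only trustworthy if logger ships the lines to a remote syslog host; a local-only copy is just one more file on the list above to be truncated.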



7, Trojan analysis

Later I dumped the Trojan program as hex and took a rough look at it. It turned out to be just a Trojan capable of DDoS attacks; it did not delete server configuration and did not cause the servers much harm. The procedure is as follows:

[Images 3.png, 5.png, 6.png and 7.png (hex dump screenshots): http://s3.51cto.com/wyfs02/M01/70/B9/wKioL1W8VKfSm0sFAAcg-wjBNTs998.jpg , http://s3.51cto.com/wyfs02/M01/70/BC/wKiom1W8UrXDYjS_AAcE66FdB00880.jpg , http://s3.51cto.com/wyfs02/M02/70/B9/wKioL1W8VKiSGk7LAAbvYJ-d0Ho199.jpg , http://s3.51cto.com/wyfs02/M02/70/BC/wKiom1W8UrWShKtnAAaxth1oCDk114.jpg ]


This article is from the "Jerrymin" blog; reprinting declined!
