Experience with a Trojan intrusion and the removal procedure
First, the backdoor Trojan that got us was the following (of course, this was only pieced together slowly afterwards, once things had calmed down; at the time I was drinking coffee and feeling like a free man):
Trojan name: Linux.BackDoor.Gates.5
http://forum.antichat.ru/threads/413337/
It started around 14:00 one afternoon: several servers suddenly had extremely high traffic. Normally they push only a few hundred M, but this time it reached the G range, and the first thought when you see that much is that you are on the receiving end of a DDoS attack. With so many servers on hand, a few had not been watched closely, and we assumed a quick check would turn up the cause. I should say up front that, to get the best performance, none of our servers have any firewall (neither hardware nor iptables); in other words they have been running bare, and for years that caused no problem, which made Linux server security look quite satisfactory.
At first there was no clue at all. ps to check processes, netstat to check ports, iftop to check traffic: I suppose everyone starts with those in this situation, and that is exactly what the hacker hopes for (obviously they knew us well, ha). Nothing unusual turned up, except that iftop showed the server sending huge volumes of packets, more than 600M to a single IP. Only then did we realise the server had been compromised, but only as a "broiler" (zombie) used to attack other servers; the target IP kept changing, as if someone were controlling it remotely.
In the blink of an eye it was almost time to leave work, and by then about 3 servers showed the same thing. Everyone pooled what they had found:
a. /bin/ps and /bin/netstat were 1.2M in size, obviously replaced by someone.
b. The process /usr/bin/.dbus-daemon--system has a leading dot, very similar to the genuine one without the dot, but it is a fake all the same. They do not delete the real one and replace it outright; it seems whoever wrote this program has a strong sense of the law, or else, once the program spreads far enough, would the big CIA really leave him alone?
c. The permissions of /etc/rc.local were changed and a boot entry was added.
d. The lsattr and chattr commands had been removed.
e. Processes that were killed came straight back up. A headache.
f. Some recently modified files were found; obviously these were left by the hacker.
g. Two startup items were added to the boot auto-start files.
At first, killed processes came back and deleted files regenerated; this was a production environment with no firewall configuration to fall back on. Out of desperation I thought of a strange trick: rename /bin/bash. Sure enough, the traffic dropped. A move that kills ten thousand enemies at a cost of eight thousand of your own, but it really worked.
In fact we had not yet found the real Trojan at that point, but now there was time to analyse where the infection came from. Of the 3 servers, the two with bash renamed suddenly disconnected, so we could not log in and had to reinstall the system. On the remaining one I looked around slowly, found quite a lot, and deleted it. Feeling good, I got ready to write a blog post; after all, this was the first time our production environment had met a Trojan.
Around 22:00, with the blog post half written, a fault alert suddenly came in: this time 7 servers had failed. The good mood vanished; the original 3 were just the prologue, and the real battle had not yet begun. So the rest of this post was written afterwards; if the tone differs, that is why.
Since I had looked up some information on the Internet in the meantime, I had slowly become familiar with this Trojan. This time I uploaded some clean binaries (ls, netstat, chattr, lsattr), and with the help of an automated script that ran them I suddenly found the Trojan programs. After analysing them: the Trojan file names vary, but the idea is the same; the names are written in /etc/rc.d/init.d/DbSecuritySPT and /etc/rc.d/init.d/selinux, and they are very similar to normal service names.
Examples: /usr/local/zabbix/sbin/zabbix_agentd, /usr/bin/bsd-port/getty, /usr/bin/dpkgd/ps, /usr/bin/.dbus-daemon--system, /usr/bin/.sshd, /usr/bin/sshd. In short, whatever processes your system happens to be running, it renames itself to match and confuse you; in fact they are all the same program, with the same size.
Now it was a matter of deleting these files and killing these processes. A side story: on one server some files were missed and not deleted, and the next day it was active again. These things get activated when you run the replaced commands mentioned above, so be very careful. At about 4 in the morning, when the 7 servers were almost cleaned up, I summarised the approximate steps as follows:
0. Quickly determine whether there is a Trojan
Check whether any of the following files exist:
cat /etc/rc.d/init.d/selinux
cat /etc/rc.d/init.d/DbSecuritySPT
ls /usr/bin/bsd-port
ls /usr/bin/dpkgd
Check whether the sizes are normal:
ls -lh /bin/netstat
ls -lh /bin/ps
ls -lh /usr/sbin/lsof
ls -lh /usr/sbin/ss
1. Upload clean copies of the following commands to /root
lsattr chattr ps netstat ss lsof
2. Delete the following directories and files
rm -rf /usr/bin/dpkgd (contains the replaced ps, netstat, lsof, ss)
rm -rf /usr/bin/bsd-port (Trojan program)
rm -f /usr/local/zabbix/sbin/zabbix_agentd (Trojan program)
rm -f /usr/local/zabbix/sbin/conf.n
rm -f /usr/bin/.sshd
rm -f /usr/bin/sshd
rm -f /root/cmd.n
rm -f /root/conf.n
rm -f /root/IP
rm -f /tmp/gates.lod
rm -f /tmp/moni.lod
rm -f /tmp/notify.file (program)
rm -f /tmp/gates.lock (process number)
rm -f /etc/rc.d/init.d/DbSecuritySPT (starts the Trojan variants described above)
rm -f /etc/rc.d/rc1.d/S97DbSecuritySPT
rm -f /etc/rc.d/rc2.d/S97DbSecuritySPT
rm -f /etc/rc.d/rc3.d/S97DbSecuritySPT
rm -f /etc/rc.d/rc4.d/S97DbSecuritySPT
rm -f /etc/rc.d/rc5.d/S97DbSecuritySPT
rm -f /etc/rc.d/init.d/selinux (by default starts /usr/bin/bsd-port/getty)
rm -f /etc/rc.d/rc1.d/S99selinux
rm -f /etc/rc.d/rc2.d/S99selinux
rm -f /etc/rc.d/rc3.d/S99selinux
rm -f /etc/rc.d/rc4.d/S99selinux
rm -f /etc/rc.d/rc5.d/S99selinux
3. Find the process numbers of the following programs and kill them
One look at top shows the Trojan: its CPU usage is high.
/root/ps aux | grep -i jul29 (mostly the most recently started processes)
/root/ps aux | grep -i jul30
/root/ps aux | grep -i jul31
/root/ps aux | grep sshd
/root/ps aux | grep ps
/root/ps aux | grep getty
/root/ps aux | grep netstat
/root/ps aux | grep lsof
/root/ps aux | grep ss
/root/ps aux | grep zabbix_agentd
/root/ps aux | grep .dbus
Examples:
/root/ps aux | grep getty
root 6215 0.0 0.0 93636 868 ? Ssl 20:54 0:05 /usr/bin/bsd-port/getty
kill 6215
/root/ps aux | grep zabbix_agentd
root 2558 71.0 0.0 106052 1048 ? Ssl 20:54 117:29 ./zabbix_agentd
kill 2558
/root/ps aux | grep "/dpkgd/ps"
root 11173 67.8 0.0 105924 1020 ? Ssl 01:39 8:00 /usr/bin/dpkgd/ps -p 11148 -o comm=
kill 11173
Note: if you delete the file after the kill, it will simply reappear. Instead, empty the file and make it immutable, which breaks the Trojan:
> /usr/bin/dpkgd/ps && /root/chattr +i /usr/bin/dpkgd/ps
> /usr/bin/bsd-port/getty && /root/chattr +i /usr/bin/bsd-port/getty
4. Remove the Trojaned commands and reinstall them (or simply copy over the clean programs uploaded earlier)
ps
/root/chattr -i -a /bin/ps && rm -f /bin/ps
yum reinstall procps -y
or
cp /root/ps /bin
netstat
/root/chattr -i -a /bin/netstat && rm -f /bin/netstat
yum reinstall net-tools -y
or
cp /root/netstat /bin
lsof
/root/chattr -i -a /usr/sbin/lsof && rm -f /usr/sbin/lsof
yum reinstall lsof -y
or
cp /root/lsof /usr/sbin
chattr and lsattr
yum -y reinstall e2fsprogs
ss
/root/chattr -i -a /usr/sbin/ss && rm -f /usr/sbin/ss
yum -y reinstall iproute
or
cp /root/ss /usr/sbin
Also restore the permissions of the following two programs. I happened to notice that they had changed the permissions of these two, so that once you find the Trojan you can neither download clean programs nor kill the processes:
/usr/bin/killall
/usr/bin/wget
In addition they modified the DNS settings, probably worried that we would not be able to resolve domain names; very thoughtful of them, ha:
cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
5. Tool scan
Install the anti-virus tool:
yum -y install clamav*
Start it:
service clamd restart
Update the virus database:
freshclam
Scan:
clamscan -r /etc --max-dir-recursion=5 -l /root/etcclamav.log
clamscan -r /bin --max-dir-recursion=5 -l /root/binclamav.log
clamscan -r /usr --max-dir-recursion=5 -l /root/usrclamav.log
clamscan -r --remove /usr/bin/bsd-port
clamscan -r --remove /usr/bin/
clamscan -r --remove /usr/local/zabbix/sbin
Look in the logs for detections:
/bin/netstat: Linux.Trojan.Agent FOUND
grep FOUND /root/usrclamav.log
/usr/bin/.sshd: Linux.Trojan.Agent FOUND
/usr/sbin/ss: Linux.Trojan.Agent FOUND
/usr/sbin/lsof: Linux.Trojan.Agent FOUND
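As an added triage helper (my code, not the blog author's), the checks from steps 0 and 3 in a form that does not rely on the possibly replaced ps: the path lists are the ones given above, while the 1 MB size threshold and the optional ROOT prefix for pointing the file checks at a mounted disk image are my assumptions.

```shell
#!/bin/sh
# Added triage helper for the Gates backdoor described above (not the blog
# author's script). Paths are the ones the post lists; ROOT is an optional
# prefix so the file checks can run against a mounted image or a test tree.

GATES_PERSISTENCE="/etc/rc.d/init.d/selinux /etc/rc.d/init.d/DbSecuritySPT
  /etc/rc.d/rc3.d/S97DbSecuritySPT /etc/rc.d/rc3.d/S99selinux
  /usr/bin/bsd-port /usr/bin/dpkgd /usr/bin/.sshd /usr/local/zabbix/sbin/conf.n
  /root/conf.n /root/cmd.n /tmp/gates.lod /tmp/moni.lod /tmp/gates.lock"
GATES_REPLACED="/bin/ps /bin/netstat /usr/sbin/lsof /usr/sbin/ss"

# gates_check [ROOT]: one line per finding on stdout, finding count as status.
gates_check() {
  root="${1:-}"; hits=0
  for f in $GATES_PERSISTENCE; do
    [ -e "$root$f" ] && { echo "persistence: $f"; hits=$((hits + 1)); }
  done
  for b in $GATES_REPLACED; do
    [ -f "$root$b" ] || continue
    size=$(wc -c < "$root$b" | tr -d ' ')
    # the swapped-in ps/netstat were about 1.2 MB; genuine ones are far smaller
    [ "$size" -gt 1000000 ] && { echo "oversized: $b ($size bytes)"; hits=$((hits + 1)); }
  done
  # the Trojan deletes chattr/lsattr so its immutable files cannot be cleaned
  for t in /usr/bin/chattr /usr/bin/lsattr; do
    [ -x "$root$t" ] || { echo "missing tool: $t"; hits=$((hits + 1)); }
  done
  return $hits
}

# gates_procs EXE: print "PID EXE" for every live process whose executable
# resolves to EXE, read from /proc so a replaced /bin/ps cannot hide it.
# A running copy whose file was already removed shows up as "EXE (deleted)".
gates_procs() {
  for p in /proc/[0-9]*; do
    exe=$(readlink "$p/exe" 2>/dev/null) || continue
    case "$exe" in "$1"|"$1 (deleted)") echo "${p#/proc/} $exe" ;; esac
  done
  return 0
}

# Typical use on a live box, after uploading clean tools to /root as in step 1:
#   gates_check || echo "$? finding(s)"
#   gates_procs /usr/bin/bsd-port/getty      # then kill the listed PIDs
```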
6. Strengthen our own security
At this point the cause of the intrusion is still unknown, so it can only be approached from two angles: brute force, and vulnerabilities in the system and services.
a. yum update the system (especially bash, OpenSSH and OpenSSL)
b. Stop unnecessary services
c. Restrict SSH to normal-user logins, and use hosts.allow and hosts.deny to limit the network segments allowed to log in
d. Record the commands run after logging into the system
The following actions were found in those records:
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/messages
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/httpd/access_log
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/httpd/error_log
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/xferlog
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/secure
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/auth.log
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/user.log
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/wtmp
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/lastlog
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/btmp
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/run/utmp
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/spool/mail/root
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >./.bash_history
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]rm -rf /root/.bash_history
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]
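An added example for step 6d, not from the original post: the shell hook that records each interactive command in the "[euid=...]::[cwd]cmd" shape of the excerpt above, and a detector that scans such records for the log-emptying commands the excerpt shows. The sample records are constructed from the excerpt; the syslog facility and tag are my assumptions.

```shell
#!/bin/sh
# Added example, not the blog author's code. Part 1: the hook that records each
# interactive command as "[euid=USER]::[CWD]CMD", the shape of the excerpt above.
# Part 2: a detector that reads such records and reports log-wiping commands.

# audit_line EUID CWD CMD -> one audit record
audit_line() { printf '[euid=%s]::[%s]%s\n' "$1" "$2" "$3"; }

# Hook for /etc/profile.d/cmdlog.sh (bash): before each prompt, log the last
# history entry. Facility local1 and tag cmdlog are assumed; forward local1.*
# to a remote syslog host, because, as the excerpt shows, anything kept only
# under /var/log is one "echo >" away from being emptied.
CMDLOG_HOOK='logger -p local1.notice -t cmdlog "$(audit_line "$(id -un)" "$PWD" "$(history 1 | sed "s/^ *[0-9]* *//")")"'
# export PROMPT_COMMAND="$CMDLOG_HOOK"

# wiped_paths: audit records on stdin -> one line per log, history, utmp or
# mail-spool file that a record truncates (echo/:/true/cat /dev/null >) or
# deletes (rm/shred/unlink); exit status 1 when nothing is found.
wiped_paths() {
  # drop the syslog prefix and the [euid]::[cwd] part, keeping the command text
  sed -n 's/^.*]::\[[^]]*]//p' |
  awk '
    /^((echo|:|true|cat \/dev\/null) *)?>/ {
      sub(/^[^>]*> */, ""); print; next }
    /^(rm|shred|unlink) / {
      for (i = 2; i <= NF; i++) if ($i !~ /^-/) print $i; next }
  ' |
  grep -E '/var/log/|/var/run/utmp|\.bash_history|/var/spool/mail/'
}

# Constructed sample records, modelled on the excerpt above.
SAMPLE_AUDIT='Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/messages
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >/var/log/secure
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]ls -la /var/log
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]echo >./.bash_history
Jul 00:26:37 chn-lz-131 logger: [euid=root]::[/root]rm -rf /root/.bash_history'

# Usage: printf '%s\n' "$SAMPLE_AUDIT" | wiped_paths    (lists four paths)
```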
7. Trojan analysis
Later I converted the Trojan program to hexadecimal and had a rough look at it: it is just a Trojan that can launch DDoS attacks; it did not delete any server configuration and did not do the server much harm. The program looks like this:
[Screenshots of the hex dump: 3.png, 5.png, 6.png, 7.png]
This article is from the "Jerrymin" blog; reprinting declined!