I. BACKGROUND
One night I noticed that the traffic on one of our servers was unusually high, far from its normal level, reaching 800Mbps. My first thought was that it had been infected with a Trojan, turned into a "broiler" (bot), and was sending out large volumes of packets.
For best performance our server does not run a host firewall (iptables) or anything of the sort, but there is a physical firewall in front of it, and the machine is reached through port mapping on a non-standard port, so supposedly it should have been quite secure. Perhaps I was simply destined to meet this Trojan. I will take the opportunity to record the discovery process.
II. DISCOVERY, TRACKING AND HANDLING
1. Problem discovered from the traffic graph
When I looked, the monitoring page was very laggy and sometimes did not respond at all.
2. Dynamic viewing of processes with top
I immediately telnetted to the problematic server. Remote operation was very laggy, and the outbound traffic on the network card was very large. Through top I found an abnormal process occupying a lot of resources; without looking carefully at its name, one would really take it for a web service process.
4. Kill the abnormal process and continue tracking
killall -9 nginx1
rm -f /etc/nginx1
After the process was killed, the traffic immediately dropped and the remote session was no longer laggy. I had not yet deleted the program file. Having killed the abnormal process, can we consider the handling complete? Surely it cannot be that simple: this is a Trojan, after all, and it will certainly regenerate its program file (and sure enough, although I did not know or understand this at the time, it really was regenerated later). We have to keep tracing.
5. Check the login log and the secure log file
I checked the account login records with the last command; everything was fine. Looking through the system file messages I found nothing, but when I looked at the secure file I found some anomalies related to authentication. Presumably the controlling end trying to connect?
7. Discovery of more unusual files
Looking at the scheduled task file crontab revealed nothing at first, then I looked at the system startup file rc.local, and there was nothing unusual there either. Then I went into the /etc/init.d directory and saw the rather bizarre script files DbSecuritySpt and selinux.
III. MANUAL REMOVAL OF THE TROJAN
The approximate steps are summarized as follows:
1. Simple check for whether the Trojan is present
# Check whether the following files exist
cat /etc/rc.d/init.d/selinux
cat /etc/rc.d/init.d/DbSecuritySpt
ls /usr/bin/bsd-port
ls /usr/bin/dpkgd
# Check whether the sizes are normal
ls -lh /bin/netstat
ls -lh /bin/ps
ls -lh /usr/sbin/lsof
ls -lh /usr/sbin/ss
2. Upload the following commands to /root
ps netstat ss lsof
3. Delete the following directories and files
rm -rf /usr/bin/dpkgd                  # (ps netstat lsof ss)
rm -rf /usr/bin/bsd-port               # Trojan program
rm -f /usr/bin/.sshd                   # Trojan backdoor
rm -f /tmp/gates.lod
rm -f /tmp/moni.lod
rm -f /etc/rc.d/init.d/DbSecuritySpt   # (starts the Trojan variant program described above)
rm -f /etc/rc.d/rc1.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc2.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc3.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc4.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc5.d/S97DbSecuritySpt
rm -f /etc/rc.d/init.d/selinux         # (by default starts /usr/bin/bsd-port/getty)
rm -f /etc/rc.d/rc1.d/S99selinux
rm -f /etc/rc.d/rc2.d/S99selinux
rm -f /etc/rc.d/rc3.d/S99selinux
rm -f /etc/rc.d/rc4.d/S99selinux
rm -f /etc/rc.d/rc5.d/S99selinux
4. Find the abnormal process and kill it
5. Remove the Trojan-replaced commands and reinstall them (or simply upload the normal programs and copy them over)
I could not seem to reinstall them myself, so I copied the commands over from a normal machine.
# ps
/root/chattr -i -a /bin/ps && rm -f /bin/ps
yum reinstall procps -y        # or: cp /root/ps /bin
# netstat
/root/chattr -i -a /bin/netstat && rm -f /bin/netstat
yum reinstall net-tools -y     # or: cp /root/netstat /bin
# lsof
/root/chattr -i -a /usr/sbin/lsof && rm -f /usr/sbin/lsof
yum reinstall lsof -y          # or: cp /root/lsof /usr/sbin
# ss
/root/chattr -i -a /usr/sbin/ss && rm -f /usr/sbin/ss
yum -y reinstall iproute       # or: cp /root/ss /usr/sbin
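As an added example that is not part of the original post, the POSIX shell script below turns the checks from steps 1, 2 and 5 above, together with the observation in section II that the Trojan ran as "nginx1" from /etc/nginx1, into a repeatable check that can be run on the live host or against a mounted disk image. It assumes, as step 2 does, that clean copies of ps, netstat, lsof and ss have been placed in /root; the indicator path list is taken from the post, and the choice of "suspicious" executable directories (/etc, /tmp, /var/tmp, /dev/shm, or a deleted binary) is this example's own assumption, not something the post prescribes.

```shell
#!/bin/sh
# Added example: check a host (PREFIX="") or a mounted image (PREFIX=/mnt/img)
# for the artefacts the post lists, compare the system ps/netstat/lsof/ss with
# the clean copies uploaded to /root, and flag processes whose executable
# lives somewhere a service binary normally would not.

# Paths the post names as indicators of this Trojan.
INDICATOR_PATHS="/etc/rc.d/init.d/DbSecuritySpt
/etc/rc.d/init.d/selinux
/usr/bin/bsd-port
/usr/bin/dpkgd
/usr/bin/.sshd
/tmp/gates.lod
/tmp/moni.lod"

# System binaries the Trojan replaces, paired with the clean copy location
# assumed by step 2 of the post: "system_path clean_copy".
REPLACED_BINARIES="/bin/ps /root/ps
/bin/netstat /root/netstat
/usr/sbin/lsof /root/lsof
/usr/sbin/ss /root/ss"

# check_indicators PREFIX: print every indicator path present under PREFIX.
# Returns 0 when none is found, 1 when at least one exists.
check_indicators() {
    prefix=$1
    found=0
    for p in $INDICATOR_PATHS; do
        if [ -e "$prefix$p" ]; then
            echo "INDICATOR present: $prefix$p"
            found=1
        fi
    done
    return $found
}

# check_replaced_binaries PREFIX: byte-compare each system binary under PREFIX
# with its clean copy under PREFIX/root (cmp -s). A missing clean copy is only
# reported, since nothing can be concluded from it. Returns 0 if every binary
# that has a clean copy matches it, 1 otherwise.
check_replaced_binaries() {
    prefix=$1
    bad=0
    set -- $REPLACED_BINARIES
    while [ $# -ge 2 ]; do
        sys="$prefix$1"; clean="$prefix$2"; shift 2
        if [ ! -f "$clean" ]; then
            echo "NO CLEAN COPY: $clean (cannot verify $sys)"
        elif [ ! -f "$sys" ]; then
            echo "MISSING: $sys"; bad=1
        elif ! cmp -s "$sys" "$clean"; then
            echo "DIFFERS from clean copy: $sys"; bad=1
        fi
    done
    return $bad
}

# check_immutable PATH: report the immutable (i) or append-only (a) attribute
# that the post strips with chattr -i -a before deleting. Returns 1 if set,
# 0 if not, 2 if lsattr is unavailable or the filesystem has no attributes.
check_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 2
    attrs=$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1) || return 2
    [ -n "$attrs" ] || return 2
    case $attrs in
        *i*|*a*) echo "ATTRIBUTES set on $1: $attrs"; return 1 ;;
    esac
    return 0
}

# exe_is_suspicious EXE: EXE is the resolved target of /proc/PID/exe. The
# post's Trojan ran as "nginx1" out of /etc/nginx1, so an executable under a
# configuration or scratch directory, or one already deleted, is flagged.
# (The directory list is this example's assumption.) Returns 0 if suspicious.
exe_is_suspicious() {
    case $1 in
        /etc/*|/tmp/*|/var/tmp/*|/dev/shm/*|*" (deleted)") return 0 ;;
    esac
    return 1
}

# scan_processes: walk /proc on the live host and print PID, comm and exe of
# every process whose executable is suspicious. Returns 0 if none, 1 otherwise.
scan_processes() {
    found=0
    for d in /proc/[0-9]*; do
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        if exe_is_suspicious "$exe"; then
            name=$(cat "$d/comm" 2>/dev/null)
            echo "SUSPICIOUS pid=${d#/proc/} comm=$name exe=$exe"
            found=1
        fi
    done
    return $found
}

# Usage: sh check_trojan.sh --scan [PREFIX]
if [ "$1" = "--scan" ]; then
    check_indicators "$2"
    check_replaced_binaries "$2"
    [ -z "$2" ] && scan_processes
fi
```

Running the script with --scan on the live host prints each finding on its own line; with a PREFIX it only checks files, which is useful when the disk of a compromised machine is mounted read-only on a clean host so the Trojan's own replaced ps and netstat cannot lie about what is running.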
This article is from the "ZPP" blog; please retain this source when reposting: http://1439337369.blog.51cto.com/10270624/1931437
A Trojan horse on a Linux server and how to remove it