How to Troubleshoot Malicious Outbox Behavior on Linux Servers

Some malware sends malicious packets from compromised Linux servers, which consumes a large share of the server's bandwidth and slows down access to the server. As a Linux server administrator, you should regularly check for this kind of malicious outbound traffic. How do you do that?

Part one: Trojan investigation

1. Use netstat to inspect the network connections and look for suspicious outbound sending behaviour; if you find any, stop the process responsible.

In one case an uppercase CRONTAB entry was found on the server; the cleanup commands below were then run and the scheduled tasks were checked.

(For a common Linux Trojan that installs /usr/bin/.sshd, /usr/bin/.swhd and /usr/bin/bsd-port, the cleanup commands are:)

    # clear the immutable flag, then delete the Trojan binaries and directory
    chattr -i /usr/bin/.sshd; rm -f /usr/bin/.sshd
    chattr -i /usr/bin/.swhd; rm -f /usr/bin/.swhd
    rm -rf /usr/bin/bsd-port
    # restore ps, netstat, lsof and ss from the copies kept under /usr/bin/dpkgd
    cp /usr/bin/dpkgd/ps /bin/ps
    cp /usr/bin/dpkgd/netstat /bin/netstat
    cp /usr/bin/dpkgd/lsof /usr/sbin/lsof
    cp /usr/bin/dpkgd/ss /usr/sbin/ss
    # remove the SSH keys planted by the attacker (back up any legitimate keys first)
    rm -rf /root/.ssh
    # kill every running process whose executable has been deleted from disk
    find /proc -name exe | xargs ls -l | grep -v task | grep deleted | awk '{print $11}' | awk -F/ '{print $NF}' | xargs killall -9

2. Run anti-virus software to scan for and remove the malware.
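As an added example for step 1 above (not from the original article): a POSIX shell helper that summarises `ss -ntup` output (the modern replacement for netstat) per process, counting connections and distinct peer hosts, and flags processes above a threshold. The column layout, the threshold and the sample output are constructed assumptions.

```sh
#!/bin/sh
# Added example: triage outbound connections per process from `ss -ntup` output.
# Assumed column layout: Netid State Recv-Q Send-Q Local Peer Process

# Constructed sample: a normal sshd session, one curl, and a binary named
# /usr/bin/.sshd fanning out to many peers on the same port.
SAMPLE_SS='Netid State    Recv-Q Send-Q Local Address:Port Peer Address:Port  Process
tcp   ESTAB    0      0      10.0.0.5:22       192.0.2.10:51234   users:(("sshd",pid=1201,fd=4))
tcp   ESTAB    0      0      10.0.0.5:44120    198.51.100.7:80    users:(("curl",pid=2210,fd=3))
tcp   ESTAB    0      0      10.0.0.5:44121    203.0.113.9:6667   users:(("/usr/bin/.sshd",pid=3300,fd=5))
tcp   SYN-SENT 0      1      10.0.0.5:44122    203.0.113.10:6667  users:(("/usr/bin/.sshd",pid=3300,fd=6))
tcp   SYN-SENT 0      1      10.0.0.5:44123    203.0.113.11:6667  users:(("/usr/bin/.sshd",pid=3300,fd=7))
tcp   ESTAB    0      0      10.0.0.5:44124    203.0.113.12:6667  users:(("/usr/bin/.sshd",pid=3300,fd=8))'

# summarize_ss: read ss lines on stdin; print "conns peers process" per process,
# most connections first. Skips the header and listening sockets.
summarize_ss() {
    awk 'NR > 1 && $2 != "LISTEN" {
        proc = "?"                      # "?" when ss could not show the owner
        # the process name sits inside users:(("name",pid=...,fd=...))
        if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        peer = $6; sub(/:[^:]*$/, "", peer)   # strip the port, keep the host
        conns[proc]++
        if (!((proc, peer) in seen)) { seen[proc, peer] = 1; peers[proc]++ }
    }
    END { for (p in conns) print conns[p], peers[p], p }' | sort -rn
}

# flag_noisy THRESHOLD: names of processes with more than THRESHOLD
# connections or more than THRESHOLD distinct peer hosts.
flag_noisy() {
    summarize_ss | awk -v t="$1" '$1 > t || $2 > t { print $3 }'
}

# Live use: ss -ntup | flag_noisy 20   (pick a threshold that fits the server)
# Offline demo with the constructed sample:
printf '%s\n' "$SAMPLE_SS" | summarize_ss
printf '%s\n' "$SAMPLE_SS" | flag_noisy 2
```

Any name this prints that you do not recognise (here the hidden /usr/bin/.sshd) is the process to inspect with ps and lsof before stopping it.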

Part two: Server vulnerability troubleshooting and repair

1. Check the server's accounts for abnormal entries; if you find any, disable and delete them.

2. Check the server's login records for unusual logins. If you find any, change the password to a strong one (letters + numbers + special symbols, 10 characters or more).

3. Check the admin console passwords of Jenkins, Tomcat, phpMyAdmin, WDCP and WebLogic and strengthen them (upper- and lower-case letters + numbers + special symbols, 10 characters or more).

4. Check whether the web application has vulnerabilities, for example in Struts or Elasticsearch; if so, upgrade.

5. Check MySQL, SQL Server, FTP, the web admin console and any other place that holds a password, and strengthen those passwords (upper- and lower-case letters + numbers + special symbols, 10 characters or more).

6. Check for the Redis unauthenticated remote file write vulnerability: look under /root/.ssh/ for SSH login keys created by the attacker and delete them, configure Redis to require a password and use a strong one, and if public network access is not needed, bind Redis to 127.0.0.1 for local access only.

7. If you have installed third-party software, follow the fixes published on the vendor's official website.

Once you find abnormally high traffic on a Linux server, it is very likely that malware is sending malicious traffic out. Disconnect the server from the network promptly and perform the troubleshooting above.

Copyright © Windows knowledge All Rights Reserved