How to kill pscan2 Trojan under Linux?


pscan2 is a scanning tool used by attackers that consumes a great deal of CPU, so the Trojan should be removed promptly once found. How do you find and remove the pscan2 Trojan? Let's look at how to kill the pscan2 Trojan under Linux.

First, the symptoms

The AH site's application is deployed across several hosts; apart from the configuration files, the programs on the hosts are identical. Recently, work-order processing on the sz host has failed frequently, while the other cities have been running very stably.

Second, the sz host was therefore checked. The steps are as follows:

1. After restarting the application, port 3456 was found to be already in use. The command lsof -i :3456 showed that a process belonging to the user tel was holding the port.

2. The ps command showed processes owned by the user tel, but no user tel had ever been created on our system.

3. The top command gave the following output:

top - 09:58:54 up 524 days, 14:31, 4 users, load average: 3.44, 4.98, 5.75
Tasks: 1715 total, 7 running, 1699 sleeping, 0 stopped, 9 zombie
Cpu(s): 23.3% us, 12.3% sy, 0.0% ni, 64.4% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 4147208k total, 2740256k used, 1406952k free, 23976k buffers
Swap: 4079600k total, 779100k used, 3300500k free, 638748k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
24201 tel 25 0 1468 476 396 R 100 0.0 0:58.78 pscan2
24510 root 17 0 4336 1916 760 R 4 0.0 0:00.30 top

A pscan2 process owned by the user tel is found, using 100% of the CPU. Searching online shows that pscan2 is a well-known Trojan whose most noticeable characteristic is very high CPU usage.

From this it is inferred that the host was compromised and the Trojan pscan2 was planted on it.

Third, locating the Trojan pscan2

From the root account, su to tel and look at the user's home directory. A hidden directory is found whose name is "..." (three dots): one dot more than the usual "." and ".." entries, so it is easy to overlook. Entering that directory shows that the Trojan program pscan2 was placed there.

# ls -al
total 84
drwx------ 5 503 503 4096 Aug 24 10:26 .
drwxr-xr-x 4 root root 4096 2007-08-30 ..
drwxrwxr-x 6 503 503 4096 Aug 24 09:54 ...
-rw------- 1 503 503 6936 Aug 24 10:45 .bash_history
-rw-r--r-- 1 503 503 24 2006-11-03 .bash_logout
-rw-r--r-- 1 503 503 191 2006-11-03 .bash_profile

Fourth, removing the Trojan pscan2. The steps are as follows:

1. Kill all processes belonging to the user tel:

# pkill -9 -U tel

2. Delete the user tel:

# userdel tel

3. Deleting the user's group fails with an error:

# groupdel tel

groupdel: cannot remove user's primary group.

4. Checking the passwd and group files shows that another user, bossnm, still belongs to the tel group.

The group file contains the following line, where 503 is the group ID:

tel:x:503:

The passwd file contains the following line, where the 503 in the fourth field indicates that this user's primary group is the group with ID 503:

bossnm:x:500:503::/export/home/bossnm

5. Delete the bossnm user, then the tel group:

# userdel bossnm

# groupdel tel

6. Delete all the Trojan files under the tel user's home directory.
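As an added example (not code from the original article), the following POSIX shell script reproduces the check from step 4 above against constructed copies of /etc/passwd and /etc/group: it lists the users whose primary GID is a given group, which is exactly what makes groupdel fail until those users are removed, and it also flags hidden directory names made only of dots, like the "..." directory found above. The sample file contents, the user names and the directory layout are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original article. It works on constructed
# copies of passwd/group in a temp directory, so it is safe to run anywhere.

# Constructed samples: the state after "userdel tel" but before "groupdel tel".
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bossnm:x:500:503::/export/home/bossnm:/bin/bash'
GROUP_SAMPLE='root:x:0:
tel:x:503:'

# gid_of_group NAME GROUPFILE: print the GID of NAME, or nothing if absent.
gid_of_group() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2"
}

# primary_group_members GID PASSWDFILE: print logins whose 4th field is GID.
primary_group_members() {
    awk -F: -v gid="$1" '$4 == gid { print $1 }' "$2"
}

# blockers_for_groupdel GROUP GROUPFILE PASSWDFILE: users that still have
# GROUP as their primary group; groupdel refuses while any are listed.
blockers_for_groupdel() {
    gid=$(gid_of_group "$1" "$2")
    [ -n "$gid" ] || return 1
    primary_group_members "$gid" "$3"
}

# dot_only_dirs DIR: entries in DIR whose names are three or more dots,
# which hide in plain sight next to "." and ".." in ls -a output.
dot_only_dirs() {
    ls -A "$1" | grep -E '^\.{3,}$' || true
}

# Demo on the constructed samples; everything lives in a temp directory.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$PASSWD_SAMPLE" > "$d/passwd"
    printf '%s\n' "$GROUP_SAMPLE" > "$d/group"
    mkdir "$d/home" "$d/home/..." "$d/home/.ssh"
    echo "users blocking 'groupdel tel':"
    blockers_for_groupdel tel "$d/group" "$d/passwd"   # prints bossnm
    echo "dot-only directories in $d/home:"
    dot_only_dirs "$d/home"                             # prints ...
    rm -rf "$d"
}
demo
```

On a real host, point blockers_for_groupdel at /etc/group and /etc/passwd and dot_only_dirs at the suspect user's home directory.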

After processing, the system has returned to normal.

The above describes how to find and remove the pscan2 Trojan under Linux. If your host is infected by this Trojan, use the method described above to eliminate it.
