Since I have run into this situation myself, I am reprinting this article first. It is quite useful.
First of all, the backdoor Trojan is as follows:
(Of course, this was only found slowly after calming down; at the time, drinking coffee, I felt like a free man.)
Trojan name: Linux.BackDoor.Gates.5
Reference: http://forum.antichat.ru/threads/413337/
First of all, around 14:00 in the afternoon, the traffic on several servers became very high. Normally it is only a few hundred Mbps, but now it was reaching gigabits. My first feeling was that we were suffering a DDoS traffic attack. There are many servers on hand, and a few of the devices were not affected, so I took a look, thinking I could find the cause. To put it bluntly, in order to get the best performance, none of our servers have firewalls (neither hardware nor iptables); that is, the servers have been running naked. These servers had been running naked
for a few years without any problems, so it seemed that Linux server security was quite satisfactory.
At the beginning there was no clue: just ps to check processes, netstat to check port numbers, iftop to check traffic. I guess everyone starts with this kind of operation, and it was useless (this is probably what the hackers hoped for; obviously they know me very well, haha). I did not find anything abnormal for a while, but iftop showed that our server was sending out a large number of packets, with traffic to a single IP reaching more than 600 Mbps. Then we realized that the server had been hacked, but only turned into a bot (a "broiler") attacking other servers, and the target IP kept changing all the time, as if someone were remotely controlling it.
In the blink of an eye, it was almost time to get off work. At this time, there were about 3 servers in this situation, and everyone summarized what they knew:
a, the /bin/ps and /bin/netstat programs are 1.2M in size, obviously swapped out
b, the /usr/bin/.dbus-daemon--system process also has a leading dot; it looks very similar to the real one, but it is a fake. You really would not dare delete it. It seems the person who wrote this program has a strong sense of law; otherwise, if the program spread and took down a large batch of systems, would the CIA let him go?
c, the permissions of /etc/rc.local have been changed, and a boot entry has been added
d, the lsattr and chattr commands have been deleted
e, the process, once killed, immediately comes back up; this is a headache
f, found some recently modified files, obviously all left behind by the hackers
g, 2 startup items were added to the boot auto-start files
At first the process was killed and came back, and the files were deleted and regenerated automatically. There is no firewall configuration in the production environment. In desperation, I had to think of a strange trick: rename /bin/bash, and sure enough the traffic came down. This kind of move kills 10,000 enemies at the cost of 8,000 of your own.
Actually, I had not found the real Trojan at this point, but I had time to analyze it and find the source of the virus. Two of the three servers suddenly disconnected after the bash rename, so I could not log in and had to reinstall the system. Later I slowly searched for it, and before long
I found it and deleted it. At this point I felt pretty good and was ready to write a blog post to record it. After all, this was the first time the production environment had encountered a Trojan.
At about 22:00, with the blog post half written, a fault suddenly occurred again. This time seven servers failed, and my mood was gone. The original three were just an opening statement; the real battle had not yet begun. So the rest of the blog is a continuation, and the
tone is a bit different; just bear with it.
Because I had searched online for some information during this time, I gradually became familiar with this Trojan. At this point I uploaded some clean binaries such as ls, netstat, chattr and lsattr, and found the Trojan programs with a small script. I analyzed one:
the names of these Trojans change, but they are all the same thing. The names are written in /etc/rc.d/init.d/DbSecuritySpt and /etc/rc.d/init.d/selinux, and they are very similar to normal services.
There are /usr/local/zabbix/sbin/zabbix_AgentD, /usr/bin/bsd-port/getty, /usr/bin/dpkgd/ps, /usr/bin/.dbus-daemon--system, /usr/bin/.sshd, /usr/bin/sshd. Whatever process is running on your system,
it changes its name to something almost identical to confuse you; in fact they are all one and the same program of the same size.
Now delete these files and kill these processes. A small episode: because one server missed a few and did not delete them, it was activated again the next day. These things can be activated when you use the (replaced) commands above, so be careful. At about 4 o'clock in the morning,
the Trojans on these 7 servers had been cleaned up. The general steps are summarized as follows:
0. Simply determine whether there is a Trojan
Check whether any of the following files exist:
cat /etc/rc.d/init.d/selinux
cat /etc/rc.d/init.d/DbSecuritySpt
ls /usr/bin/bsd-port
ls /usr/bin/dpkgd
Check whether the sizes are normal (the swapped copies were 1.2M):
ls -lh /bin/netstat
ls -lh /bin/ps
ls -lh /usr/sbin/lsof
ls -lh /usr/sbin/ss
1. Upload clean copies of the following commands to /root and use them from there, since the system copies may have been swapped:
lsattr chattr ps netstat ss lsof
2. Delete the following directories and files
rm -rf /usr/bin/dpkgd (swapped ps netstat lsof ss)
rm -rf /usr/bin/bsd-port (trojan)
rm -f /usr/local/zabbix/sbin/zabbix_AgentD (trojan)
rm -f /usr/local/zabbix/sbin/conf.n
rm -f /usr/bin/.sshd
rm -f /usr/bin/sshd
rm -f /root/cmd.n
rm -f /root/conf.n
rm -f /root/IP
rm -f /tmp/gates.lod
rm -f /tmp/moni.lod
rm -f /tmp/notify.file (the program)
rm -f /tmp/gates.lock (the process number)
rm -f /etc/rc.d/init.d/DbSecuritySpt (starts the Trojan variants described above)
rm -f /etc/rc.d/rc1.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc2.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc3.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc4.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc5.d/S97DbSecuritySpt
rm -f /etc/rc.d/init.d/selinux (by default starts /usr/bin/bsd-port/getty)
rm -f /etc/rc.d/rc1.d/S99selinux
rm -f /etc/rc.d/rc2.d/S99selinux
rm -f /etc/rc.d/rc3.d/S99selinux
rm -f /etc/rc.d/rc4.d/S99selinux
rm -f /etc/rc.d/rc5.d/S99selinux
3. Find the process numbers of the following programs and kill them
In top you can see the Trojan's CPU usage at a glance. Use the clean ps uploaded to /root, not the system one:
/root/ps aux | grep -i jul29 (mainly the most recently started processes)
/root/ps aux | grep -i jul30
/root/ps aux | grep -i jul31
/root/ps aux | grep sshd
/root/ps aux | grep ps
/root/ps aux | grep getty
/root/ps aux | grep netstat
/root/ps aux | grep lsof
/root/ps aux | grep ss
/root/ps aux | grep zabbix_AgentD
/root/ps aux | grep .dbus
Examples are as follows: