
Linux server compromised, a series of scheduled tasks created

Uncategorized | 小杰 | 4 years ago (2015-12-17) | 402 views | indexed | 0 comments

I have an unknown process when I run top:

[screenshot of top output]

  • When I kill the process it comes back again with another random name.
  • When I check the rc.d levels and init.d there are many random names similar to this one, and this one is also there.
  • When I try to apt-get remove or anything else, it comes back again.
  • When I plug in the network cable it locks up our whole network.

Do you have any idea how I can remove it?

What is this service/process?

This is the exe file; when I delete it, it comes back again too.

When I check "netstat -natp" there is an established connection to the foreign address 98.126.251.114:2828. When I try to add rules to iptables, it is not working. But after trying and then restarting, this address changes to 66.102.253.30:2828.

OS is Debian Wheezy.

Probably some botnet client (your machine is compromised). You have to find out how it is started. Utilities like cruft may come in handy to see what files do not belong to packages. – Dan Feb 14 at 13:40

ps l will show you what the parent process is. Most likely, that'll tell you what is spawning this process. Look at the PPID column for the information you want. I wouldn't be so quick to declare this malware. – krowe Feb 14 at 14:02

+1 to check the parent process. And if the file /use/bin/hgmjzjkpxa exists (could it be in /usr?) is it also a link, or something else interesting listed in ls -la, or viewed with less or strings? – Xen2050 Feb 15 at 4:02

There is no parent process; it looks like a whoami process. There is one thing: when I check "netstat -natp" there is an established connection to the foreign address 98.126.251.114:2828. When I try to add rules to iptables, it is not working. But after trying and then restarting, this address changes to 66.102.253.30:2828. Do you have any idea about this? – user1424059 Feb 17 at 12:23

2 Answers

I’ll bet you a dollar it’s https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/ . All your symptoms are exactly as described.


I have some experience with this random 10-bit string trojan. It will send lots of packets for a SYN flood.

  1. Cut down your network.

The trojan has a raw file coming from /lib/libudev.so; it will copy and fork again. It will also add a cron.hourly job named gcc.sh, then it will add an initial script in your /etc/rc*.d (Debian; on CentOS it may be /etc/rc.d/{init,rc{1,2,3,4,5}}.d).

  2. Use root to run the script below to change the folder privileges: chmod 0000 /lib/libudev.so && rm -rf /lib/libudev.so && chattr +i /lib/

  3. Delete all /etc/rc{0,1,2,3,4,5,6,S}.d files which were created today. The name looks like S01????????.

  4. Edit your crontab, delete the gcc.sh script in your /etc/cron.hourly, delete the gcc.sh file (/etc/cron.hourly/gcc.sh), then add privileges for your crontab: sed -i '/gcc.sh/d' /etc/crontab && chmod 0000 /etc/crontab && chattr +i /etc/crontab

  5. Use this command to check the latest file changes: ls -lrt

If you find any suspicious files named S01xxxxxxxx (or K8xxxxxxxx), delete them.

  6. Then you should reboot without network.

Then the trojan should be cleaned and you can modify the folder privileges to the original values (chattr -i /lib /etc/crontab).
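As an added example that is not part of the original answer, a read-only POSIX sh audit that checks a root prefix (a mounted image, a test tree, or the live system) for the artifacts the answer lists: the /lib/libudev.so dropper, the gcc.sh hourly job, crontab lines that invoke it, and rc*.d entries with a random 10-letter name. The function name and the 10-letter length (taken from the question's process name hgmjzjkpxa) are assumptions; it deletes nothing.

```shell
#!/bin/sh
# Added example (not from the original post or answers): read-only audit for the
# persistence artifacts described in the answer above. ROOT is a path prefix so
# the same function works on a mounted image or a constructed test tree; an
# empty prefix means the live system. Nothing is modified.

# Prints one "FINDING:" line per artifact; returns 0 if none found, 1 otherwise.
audit_xorddos_artifacts() {
    root="${1:-}"
    found=0

    # 1. The dropper the answer names. On Debian the real library lives under
    #    /lib/<triplet>/libudev.so.N, so a bare /lib/libudev.so is suspicious.
    if [ -e "$root/lib/libudev.so" ]; then
        echo "FINDING: $root/lib/libudev.so present"
        found=1
    fi

    # 2. The hourly re-infection job and any crontab line that invokes it.
    if [ -e "$root/etc/cron.hourly/gcc.sh" ]; then
        echo "FINDING: $root/etc/cron.hourly/gcc.sh present"
        found=1
    fi
    if [ -f "$root/etc/crontab" ] && grep -q 'gcc\.sh' "$root/etc/crontab"; then
        echo "FINDING: $root/etc/crontab references gcc.sh"
        found=1
    fi

    # 3. rc*.d entries named like S01<10 lowercase letters> (or K<nn><10 letters>).
    #    The 10-letter length is an assumption from the question's process name;
    #    confirm hits with `dpkg -S` before removing anything.
    for d in "$root"/etc/rc*.d "$root"/etc/rc.d/rc*.d; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched glob or nothing
            name=$(basename "$f")
            if printf '%s\n' "$name" | grep -Eq '^[SK][0-9]{2}[a-z]{10}$'; then
                echo "FINDING: suspicious init entry $f"
                found=1
            fi
        done
    done

    [ "$found" -eq 0 ]
}

# Usage: sh audit.sh [ROOT_PREFIX]; with no argument it audits the live system.
audit_xorddos_artifacts "${1:-}"
```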


小杰博客, all rights reserved | unless otherwise noted, all content is original | this site is licensed under BY-NC-SA
Please credit the original link when reposting: Linux server compromised, a series of scheduled tasks created