Virus intrusion solutions

Scenario

A few days ago my server's CPU sat at 100%, but I did not notice because the normal services were still responding, until Tencent sent an email warning that my server was attacking port 6379 on other servers. Under normal use I could not possibly be attacking other people's systems, and that is illegal.

Investigation

Since the attacks went to port 6379, the Redis port, I suspected my system had been compromised through my Redis service, which was reachable from the public network. I closed remote access to Redis and restarted the server. After that everything looked normal, but half an hour later the CPU was at 100% again.

This showed that the Trojan had already got in; it was not a fresh intrusion happening right then.

So, naturally, I used top, ps, crontab and similar tools to investigate:

  • top

    top showed 100% CPU usage, but no single process appeared to be using much CPU.

  • ps -aux > /usr/local/ps; vim /usr/local/ps

    In the process list I found two abnormal processes, both running newinit.sh. I have no such script, so this process had to be the culprit.

    So I only needed to kill these processes: I killed both with the kill command and restarted the server.

    Things were normal again, but after half an hour the CPU was back at 100%. This time I thought there had to be a timer or a service started at boot; checking with ps, the two processes I had killed were back…

    At that point I had not even thought about deleting the file, only about killing the process.

    Infuriating……

  • crontab -l

    Oh, there is a timer

    Both the timer and the ps output showed that the file /etc/newinit.sh was being run automatically. I did not record the content of this file and deleted it directly, which of course took a lot of effort.

Solution

If there is an unknown scheduled task in the timer, it must be deleted, that is, use crontab -e to edit the scheduled tasks.

Unbelievably, even as the root user I did not have permission to modify it.

rm -rf /etc/newinit.sh to delete the newinit.sh file.

This also reported no permission to delete.

Use lsattr /etc/newinit.sh to view the file's hidden (extended) attributes. Sure enough, the hidden attributes contained the a and i flags:

  • a (append-only): the file cannot be deleted
  • i (immutable): the file cannot be deleted

I have no screenshots, but you will know what I am talking about when you hit this kind of problem. It was not only this file that had the a and i attributes; the Trojan had modified many of my files. Others have posted screenshots.

Never, never, never…

The chattr command is located at /usr/bin/chattr.

Run chattr -ai /etc/newinit.sh to clear the file's attributes.

You guessed it: the change failed, no permission… What is going on…

So I went to check the permissions of the chattr command itself (following the blogger at blog.csdn.net/handsomezls…

[root@daniel bin]# ls -lh chattr; lsattr chattr
-rw-r--r--. chattr
----i------------ chattr

I could not modify this command directly: it had lost its execute bit and carried the i attribute. Fortunately the Trojan had not tampered with cp's permissions, otherwise this would not have worked either:

[root@daniel bin]# cp chattr chattr.new
[root@daniel bin]# chmod u+x chattr.new
[root@daniel bin]# chattr.new -i chattr
[root@daniel bin]# rm -rf chattr.new
[root@daniel bin]# chmod u+x chattr

At this point the chattr command works normally again.

Run chattr -ai /etc/newinit.sh, delete the file, and use kill to kill the corresponding processes. At this point the CPU usage is still 100%, because the task has already executed and the server is still compromised.

Now it is time to clear the scheduled tasks.

chattr -ai /usr/bin/crontab restores the attributes of the crontab command.

chattr -ai /etc/bin/cron.d restores the attributes of cron.d for cron.

Use the same method to restore the other commands and files under /etc, including but not limited to the cron files.

Now the crontab command runs normally. In some cases /var/spool/cron also lacks permission; this is where cron stores its job files. Run chattr -ai /var/spool/cron and chattr -ai /var/spool/cron/root to clear the hidden attributes.

Now crontab -e runs normally and the scheduled tasks can be deleted.
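Since the Trojan had locked many files and not just newinit.sh, here is an added example (my own, not from the original post) of how to find them all at once: it parses lsattr output for the i (immutable) and a (append-only) flags, first on a constructed sample in the same shape lsattr prints, with a helper that runs the real lsattr over the paths mentioned above.

```shell
#!/bin/sh
# Added example: find files locked with the i or a attribute, the trick this
# Trojan used so that even root could not delete or edit them.

# Constructed sample in the format lsattr prints: "<flags> <path>".
SAMPLE_LSATTR='--------------e----- /usr/bin/cp
----i---------e----- /usr/bin/chattr
----ia--------e----- /etc/newinit.sh
----i---------e----- /var/spool/cron/root
--------------e----- /etc/hostname'

# flagged_files: read lsattr output on stdin, print "<flags> <path>" for every
# entry whose flag field contains i or a. Only the first field is inspected so
# letters in the path itself cannot cause a false match.
flagged_files() {
    awk '{
        flags = $1
        path = substr($0, length($1) + 2)
        if (flags ~ /i/ || flags ~ /a/) print flags, path
    }'
}

# count_flagged: number of locked entries in the constructed sample.
count_flagged() {
    printf '%s\n' "$SAMPLE_LSATTR" | flagged_files | wc -l | tr -d ' '
}

# audit_live: run the real lsattr over the places this post had to repair
# (needs root and a filesystem that supports these attributes). Not run here.
audit_live() {
    {
        lsattr -- /usr/bin/chattr /usr/bin/crontab 2>/dev/null
        lsattr -R -- /etc /var/spool/cron 2>/dev/null
    } | flagged_files
}

# Once a locked path is reported, clearing it is: chattr -ai "<path>"
```

Run audit_live on the machine itself (as root) to list the locked files; on the constructed sample, count_flagged reports 3.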

This is the point where the virus is actually killed. The remaining CPU 100% problem only needs a server restart.

The core point

The disgusting thing about this Trojan is that it modifies the attributes of files and commands so that you do not know what to do; once you understand how it works, dealing with it is very simple.

Unfortunately I do not know how to guard against Trojans, so I would welcome advice.