0 x00 preface
Linux Gates Trojan is a kind of DDoS Trojan with a rich history, clever hiding techniques, and significant network attacks. The main malicious characteristics are backdoor programs, DDoS attacks, and will replace the common system files for camouflage. Trojan gets its name from its extensive use of the word Gates in naming variable functions. Analysis and removal of the Gates Trojan horse process, you can find that there are a lot of worthy of learning and reference.
0x01 Emergency Scenario
One day, the website administrator found that the CPU resources of the server were abnormal, and several abnormal processes occupied a large amount of network bandwidth:
0x02 Event Analysis
Abnormal IP connection:
Abnormal process:
The ps AUX process is abnormal. Multiple commands are found in the directory and the command may have been replaced
Log in to the server and check the system process status. Abnormal processes with irregular names and abnormal download processes are found.
Abnormal startup item
When entering the rc3.d directory, multiple exceptions can be found:
/etc/rc.d/rc3.d/S97DbSecuritySpt
/etc/rc.d/rc3.d/S99selinux
Search for virus primitives
find / -size -1223124c -size +1223122c -exec ls -id {} \; Search for files of size 1223123
From the above behaviors, it is found that the virus is somewhat similar to the “Gates Trojan horse”. Details of specific technical analysis are as follows:
Linux platform “Gates Trojan horse” analysis
www.freebuf.com/articles/sy…
Analysis of “Gates Trojan horse” on Linux platform
www.sohu.com/a/117926079…
Manual removal process:
1, simple judgment presence of Trojan horse # for the following documents cat/etc/rc. D/init. D/selinux cat/etc/rc. D/init. D/DbSecuritySpt ls/usr/bin/ls BSD - port /usr/bin/dpkgd: ls -lh /bin/netstat ls -lh /bin/ps ls -lh /usr/sbin/lsof ls -lh /usr/sbin/ss Run the following command to delete the directory: rm -rf /usr/bin/dpkgd (ps netstat lsof ss) rm -rf /usr/bin/bsd-port / usr/bin/SSHD # Trojan back door rm -f/TMP/gates. Lod rm -f/TMP/moni. Lod rm -f/etc/rc. D/init. D/DbSecuritySpt (start of the Trojan variant process described above) rm -f /etc/rc.d/rc1.d/S97DbSecuritySpt rm -f /etc/rc.d/rc2.d/S97DbSecuritySpt rm -f /etc/rc.d/rc3.d/S97DbSecuritySpt rm -f /etc/rc.d/rc4.d/S97DbSecuritySpt rm -f /etc/rc.d/rc5.d/S97DbSecuritySpt rm -f The/etc/rc. D/init. D/selinux (default is/usr/bin/launch the BSD - port/getty) rm -f/etc/rc. D/rc1. D/S99selinux rm -f/etc/rc. D/rc2. D/S99selinux The rm -f/etc/rc. D/rc3. D/S99selinux rm -f/etc/rc. D/rc4. D/S99selinux rm -f/etc/rc. D/rc5. D/S99selinux 4, find out the abnormal procedures and kill 5. Delete the command containing the Trojan horse and reinstall itCopy the code
0x03 Command replacement
RPM check
System integrity can also be verified by RPM -va to check all RPM packages, which are tampered with, so as to prevent RPM from being replaced. Upload a safe, clean and stable version RPM binary to the server for checking./ RPM -va > RPM. If there are inconsistencies, they show up. The output format is an 8-bit string, "c" for the configuration file, followed by the file name. Each 8-bit character represents the result of comparing the file to an attribute in the RPM database. The. (dot) indicates that the test passes. . The following character indicates that some test on the RPM package failed:Copy the code
Command substitution:
Rpm2cpio package name | cpio - idv. Absolute path RPM package file to extract rpm2cpio converts RPM package cpio cpio command is a standard tool for format, It is used to create software archive and extract files from the archive Cpio option < | equipment [file] - I: copy - in pattern, reduction - d: restore automatically when the new directory - v: shows that reduction processCopy the code
File extraction and restoration cases:
RPM - qf/bin/ls query which Packages are the ls command mv/bin/ls/TMP rpm2cpio/MNT/cdrom/Packages/coreutils - 8.4-19. El6. I686. RPM | cpio - idv Run the following commands to copy the ls command to the /bin/ls directory: cp /root/bin/ls /bin/ Copy the ls command to the /bin/ directory. Repair the file loss. Run the following commands to mount the RPM package: Mkdir/MNT /chrom/ Creating a mount point mount -t iso9660 /dev/cdrom/MNT /cdrom/ Mounting the CD-ROM mount/dev/sr0 / MNT /cdrom/ Unmounting command umount Device file name or mount point umount /mnt/cdrom/Copy the code
Recommended reading:
Linux Emergency Response (1) : SSH brute force cracking
Linux Emergency Response (2) : Catch short connections
Linux Emergency Response (iii) : Mining viruses
Linux Emergency Response (iv) : Gates Trojan horse
The last
Welcome to pay attention to personal wechat public number: Bypass–, an original technical dry goods every week.