Online search
Use Baidu/Google to search for the abnormal characteristics found on the host:
[1] Suspicious process names
[2] Suspicious domain name/IP traffic
[3] Suspicious cron jobs
[4] Suspicious file paths
Suspicious process name
Use the top command to find the process with the highest CPU usage and note its name; in the case shown here it was sysupdate.
Then search for the process name together with the word "mining", e.g. "sysupdate mining".
Suspicious domain/IP traffic
Search for the domain name from the gateway alert; in this case w.3ei.xyz:43768/crontab.sh.
Use netstat -antp to look for suspicious network connections and note both the remote address and the PID that owns the socket; in this case 136.243.90.99.
Suspicious cron job
Use crontab -l to list the current user's cron jobs (and check /var/spool/cron/ and /etc/cron.d/ for other users' jobs) and look for suspicious entries; in this case 45.79.9.153:8000/i.sh.
Suspicious file path
Look for suspicious files or folders in /tmp/ and /root/, including hidden dot-files (use ls -la); in this case .firefoxcatche.
Characteristics of prevalent virus families
Families with suspicious cron jobs
DDG
The cron job contains the string i.sh.
SystemdMiner
There are base64-encoded malicious sh scripts in the /var/spool/cron/ and /etc/cron.d/ directories.
StartMiner
The cron job contains the string start.jpg.
LSDMiner
The initial version has the string pastebin.com in its cron job.
The intermediate version has the string lsd.systemten.org in its cron job.
The latest version has the string aliyun.one in its cron job.
XorDDos
The cron job contains the string gcc.sh.
Families with suspicious file names
Billgates
There are gates.lod and moni.lod files in the /tmp directory.
DDG
There are ELF files named ddgs. followed by a number in the /tmp directory.
SystemdMiner
There are shell scripts with random names under the /root and /opt directories.
StartMiner
There are virus files named x86_* in the /tmp directory.
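The strings from the search section and the family list above, gathered into a small POSIX shell scanner. This is an added example and not part of the original write-up: the pattern table is built only from the cron strings and file names this page names (the .firefoxcatche entry is the unattributed example from the search section), the function names are mine, and scan_host is assumed to run as root on the infected machine. The /var/spool/cron/crontabs path is the Debian/Ubuntu layout, added alongside the page's /var/spool/cron.

```shell
#!/bin/sh
# Added example: match cron entries and file names against the IOC strings on this page.
# Table format: FAMILY<space>extended-regex (patterns taken from the family list above).
CRON_IOCS='DDG i\.sh
SystemdMiner base64
StartMiner start\.jpg
LSDMiner pastebin\.com|lsd\.systemten\.org|aliyun\.one
XorDDos gcc\.sh'

# File-name patterns; the last one is the .firefoxcatche example from the search section.
FILE_IOCS='Billgates ^(gates|moni)\.lod$
DDG ^ddgs\.[0-9]+$
StartMiner ^x86_
unattributed ^\.firefoxcatche$'

# Read cron lines on stdin; print "FAMILY<TAB>line" for every line that hits a pattern.
scan_cron_lines() {
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac          # skip blanks and comments
        printf '%s\n' "$CRON_IOCS" | while read -r fam re; do
            if printf '%s\n' "$line" | grep -Eq -- "$re"; then
                printf '%s\t%s\n' "$fam" "$line"
            fi
        done
    done
}

# List every entry (depth <= 2) under the given directories whose base name matches a file IOC.
# find(1) lists dot-files too, so hidden names such as .firefoxcatche are covered.
scan_dirs() {
    for d in "$@"; do
        find "$d" -mindepth 1 -maxdepth 2 2>/dev/null | while IFS= read -r p; do
            base=${p##*/}
            printf '%s\n' "$FILE_IOCS" | while read -r fam re; do
                if printf '%s\n' "$base" | grep -Eq -- "$re"; then
                    printf '%s\t%s\n' "$fam" "$p"
                fi
            done
        done
    done
}

# Whole-host sweep (run as root): the system crontab, /etc/cron.d, every user's crontab
# file, and the directories the page names. Errors from missing paths are silenced.
scan_host() {
    echo "== cron entries matching known miner IOCs =="
    cat /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/* 2>/dev/null \
        | scan_cron_lines
    echo "== files matching known miner names =="
    scan_dirs /tmp /root /opt
}

# Usage on the host after sourcing this file:   scan_host
```

A hit only tells you which family's strings are present; the line it prints is what to search for online and what to remove in the cleanup steps that follow.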
Cleanup steps
Remove the virus in 3 steps:
[1] Locate the mining process and the virus file
[2] Kill the virus process and delete the files
[3] Check the cron jobs
Locate the mining process and virus files
Use the top command to locate the mining process: the one with the highest CPU usage.
Use ls -l /proc/[pid]/exe (or readlink /proc/[pid]/exe) to resolve the path of the binary the process is running. If the link target ends in "(deleted)", the binary has already been removed from disk; copy it out of /proc/[pid]/exe for analysis before killing the process.
Kill the virus process and delete the files
Use kill -9 [pid] to end the virus process, then rm -rf [filepath/dir_path] to delete the corresponding file or folder. Kill first and delete second: deleting the binary does not stop a running process, and a running process can recreate the file.
Check cron jobs
Run crontab -l to check whether the current user has suspicious cron jobs; miners normally run as root, so run it as root and also check the other users' files in /var/spool/cron (on Debian/Ubuntu: /var/spool/cron/crontabs).
Use ls -l /etc/cron.d to view the system cron job files, and check /etc/crontab as well.
Use crontab -r to clear the user's entire crontab (PS: only after confirming that the host has no legitimate business cron jobs; the command is irreversible, so save a copy with crontab -l > crontab.bak first).
Otherwise use grep -r "[keyword]" /var/spool/cron to find the file and line that contains the malicious entry, then remove only that line with crontab -e; grep locates the entry, it does not delete it.
Use rm /etc/cron.d/[file] to delete a malicious cron job file.
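A safer form of the cron cleanup above, as an added example that is not from the original article: back up first, locate the matching lines with grep, and remove only those lines instead of wiping the whole crontab with crontab -r. The search paths are the ones named on this page plus the Debian/Ubuntu crontabs directory and the cron.hourly/cron.daily directories; the function names and the CRON_BACKUP_DIR variable are mine.

```shell
#!/bin/sh
# Added example: find and surgically remove malicious cron lines.
# Word splitting of CRON_FILES is intended; none of these paths contain spaces.
CRON_FILES='/etc/crontab /etc/cron.d /var/spool/cron /var/spool/cron/crontabs /etc/cron.hourly /etc/cron.daily'

# Print file:line:entry for every cron entry matching the extended regex in $1.
# grep only finds; it never deletes anything.
find_cron_entries() {
    grep -rnE -- "$1" $CRON_FILES 2>/dev/null
}

# Remove lines matching regex $1 from the files in $2..; keep a backup in a separate
# directory (never as file.bak next to the original: some cron daemons read every file
# in /etc/cron.d, so a copy left there would keep running the malicious line) and
# rewrite the file in place with cat > file rather than mv, so /var/spool/cron/<user>
# keeps the owner, mode and inode that cron checks.
purge_cron_lines() {
    re=$1; shift
    stamp=$(date +%Y%m%d%H%M%S)
    bakdir=${CRON_BACKUP_DIR:-/root/cron-backup-$stamp}
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -Eq -- "$re" "$f" || continue
        mkdir -p -- "$bakdir"
        cp -p -- "$f" "$bakdir/$(printf '%s' "$f" | tr / _)"
        chattr -ia -- "$f" 2>/dev/null || true      # in case the virus locked the file
        tmp=$(mktemp)
        grep -Ev -- "$re" "$f" > "$tmp" || true      # grep -v exits 1 when nothing is left
        cat "$tmp" > "$f"
        rm -f -- "$tmp"
        echo "cleaned $f (backup in $bakdir)"
    done
}

# Typical use:  find_cron_entries 'i\.sh'   then   purge_cron_lines 'i\.sh' /var/spool/cron/root /etc/cron.d/*
```

Re-run find_cron_entries with the same pattern afterwards; an entry that comes back within a minute means a live process is rewriting it, which the next section covers.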
File or cron job deletion fails
If deleting the file fails with "Operation not permitted" even as root, the file has the immutable (i) or append-only (a) attribute set; once those two attributes are removed the deletion succeeds.
The same error appears when deleting cron jobs whose files have been locked this way.
Use lsattr to view the attributes and chattr -ia to clear them, then delete the file.
Files or cron jobs reappear after deletion
There are two situations in which deleted files and cron jobs come back: the virus has hijacked system tools, or a residual virus process keeps recreating them.
The ss, netstat, ps and lsof commands may have been replaced with trojaned copies; delete the replaced binaries and restore clean ones (from a clean host of the same distribution and version, or by reinstalling the packages that ship them).
Download processes such as curl and wget may be repeatedly fetching the virus files.
A malicious watchdog process may also be guarding the files, so kill the suspicious processes first and delete afterwards.
The virus process comes back after being killed
Keywords for finding suspicious processes on the host: sh, wget, curl, xmr, mine, ssh.
Find the parent process and end the whole process tree: kill the parent and all of its children together, otherwise the survivor restarts the rest (in the original screenshot, every process highlighted in red had to be killed).
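A helper for the cleanup steps above (locate through /proc, kill the whole tree in one go, unlock and delete), as an added example that is not from the original article. It reads /proc directly instead of trusting ps, since the page notes that ps may have been replaced; it assumes a Linux /proc and root privileges, and the function names are mine.

```shell
#!/bin/sh
# Added example: kill a miner together with its whole process tree, then unlock and delete its files.

# "pid ppid" for every process, read straight from /proc so a replaced ps(1) cannot lie.
# A preloaded library can still hide entries from a dynamically linked shell; if the
# process is invisible, run this under a static busybox sh (see the next section).
proc_table() {
    for s in /proc/[0-9]*/status; do
        awk '/^Pid:/ { p = $2 } /^PPid:/ { pp = $2 } END { if (p != "") print p, pp }' "$s" 2>/dev/null
    done
}

# Given "pid ppid" pairs on stdin, print every descendant of $1 (breadth-first).
descendants() {
    awk -v root="$1" '
        { kids[$2] = kids[$2] " " $1 }
        END {
            n = split(root, q, " ")
            for (i = 1; i <= n; i++) {
                m = split(kids[q[i]], c, " ")
                for (j = 1; j <= m; j++) { q[++n] = c[j]; print c[j] }
            }
        }'
}

# Given "pid ppid" pairs on stdin, print the ancestors of $1 up to, but excluding, init.
ancestors() {
    awk -v pid="$1" '
        { parent[$1] = $2 }
        END { while ((pid in parent) && parent[pid] > 1) { pid = parent[pid]; print pid } }'
}

# Show what a PID runs and where it lives before you kill it. "(deleted)" in the exe
# link means the binary is gone from disk; copy /proc/<pid>/exe out first if you want it.
describe() {
    printf 'pid %s exe=%s cwd=%s cmdline=%s\n' "$1" \
        "$(readlink "/proc/$1/exe" 2>/dev/null)" \
        "$(readlink "/proc/$1/cwd" 2>/dev/null)" \
        "$(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null)"
}

# Walk up from the miner so you can decide which ancestor is the real root of the tree
# (a cron or sshd parent is legitimate; a watchdog script is not).
show_lineage() {
    for p in $(proc_table | ancestors "$1"); do describe "$p"; done
}

# SIGKILL the target and all its descendants in a single kill(1) invocation, so no
# watchdog inside the tree gets a turn to respawn the others.
kill_tree() {
    pids="$1 $(proc_table | descendants "$1" | tr '\n' ' ')"
    for p in $pids; do describe "$p"; done
    kill -9 $pids      # word splitting intended
}

# Strip the immutable/append-only bits many miners set, then delete.
unlock_and_rm() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        lsattr -d -- "$f" 2>/dev/null || true
        chattr -ia -- "$f" 2>/dev/null || true
        rm -rf -- "$f"
    done
}

# Typical use, PID taken from top:
#   show_lineage 4101; kill_tree 4101; unlock_and_rm /tmp/.firefoxcatche /root/x86_64
```

Run show_lineage first and kill from the highest malicious ancestor; killing only the miner leaves a parent script free to start it again.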
The host is sluggish but no mining process can be found
The host is abnormal but no suspicious process shows up in top or ps. The virus has most likely hijacked the system commands to hide itself; check with the busybox tool instead. The static busybox build linked below carries its own top and reads /proc directly, so neither a replaced top/ps binary nor a library preloaded into dynamically linked programs can hide the process from it.
The system CPU usage is high but no mining process is visible.
With busybox top the mining process and its parent process are found.
busybox download address:
wget http://www.busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-x86_64
The host is reinfected after cleaning
If you are sure the virus was completely removed from the host but it is infected again, the virus must have come back in over the network; check the ssh-related risks and the vulnerabilities below.
Check whether ssh uses a weak password, and whether an unknown public key has been added to ~/.ssh/authorized_keys (for root and for every other account with a home directory); an attacker-added key gives password-free login.
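The ssh check above, as an added example that is not from the original article: enumerate the authorized_keys of every account listed in /etc/passwd (not only root's) and read the effective sshd settings. The constructed sshd_config and key lines are mine and assume the standard "Keyword value" syntax; the function names are mine too.

```shell
#!/bin/sh
# Added example: list every account's authorized keys and read the effective sshd settings.

# Print "user<TAB>type<TAB>comment<TAB>options" for each key in an authorized_keys file on stdin.
# The key type is found by scanning fields, so options with spaces inside quotes
# (e.g. command="/usr/bin/rrsync /srv") do not shift the columns.
summarize_keys() {
    awk -v u="$1" '
        /^[[:space:]]*(#|$)/ { next }
        {
            t = 0
            for (k = 1; k <= NF; k++) if ($k ~ /^(ssh-|ecdsa-|sk-)/) { t = k; break }
            if (t == 0) { printf "%s\tUNPARSED\t%s\t-\n", u, $0; next }
            opts = "-"
            if (t > 1) { opts = $1; for (k = 2; k < t; k++) opts = opts " " $k }
            comment = "(no comment)"
            if (NF > t + 1) { comment = $(t + 2); for (k = t + 3; k <= NF; k++) comment = comment " " $k }
            printf "%s\t%s\t%s\t%s\n", u, $t, comment, opts
        }'
}

# Walk /etc/passwd so keys planted for service accounts are seen as well as root's.
audit_all_keys() {
    while IFS=: read -r user _ _ _ _ home _; do
        for f in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
            [ -s "$f" ] && summarize_keys "$user" < "$f"
        done
    done < /etc/passwd
}

# Print the effective value of a sshd_config keyword read from stdin. sshd uses the
# FIRST uncommented occurrence, so a hardening line appended at the bottom does nothing
# if an earlier line (or an Included file, which comes first) already set the keyword.
# Match blocks are skipped because they only apply conditionally. Use "sshd -T" on the
# host for the fully resolved configuration.
sshd_effective() {
    awk -v key="$1" '
        /^[[:space:]]*(#|$)/ { next }
        /^[[:space:]]*Match([[:space:]]|$)/ { inmatch = 1 }
        !inmatch && tolower($1) == tolower(key) {
            v = $2; for (k = 3; k <= NF; k++) v = v " " $k
            print v; exit
        }'
}

# The two settings that matter most for brute-force reinfection.
audit_sshd() {
    for k in PasswordAuthentication PermitRootLogin; do
        v=$(sshd_effective "$k" < /etc/ssh/sshd_config)
        printf '%s = %s\n' "$k" "${v:-(not set, sshd default applies)}"
    done
}

# Usage on the host:   audit_all_keys; audit_sshd
```

Any key whose comment or options you cannot account for should be removed, and PasswordAuthentication should read no (or PermitRootLogin no) before the host goes back on the network.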
Redis Unauthorized Access Vulnerability