Linux intrusion detection virus cleaning process

1. Preface:

According to the Aliyun security announcement about this virus:

Redis RCE leads to the h2Miner worm, which uses unauthenticated Redis instances or weak passwords as its entry point, uses master-slave synchronization to pull a malicious module from the attacker's server, then loads that module on the target machine and executes malicious commands. Most earlier attackers and worms, after logging in to Redis, intruded by writing scheduled tasks or SSH keys; that method may fail depending on permissions and system type. This attack, which loads a module through Redis, can directly execute arbitrary commands or obtain an interactive shell, and is extremely harmful.

When a server is infected, SSH/FTPS connections usually cannot be established. In that case go to the cloud platform console and log in via VNC.

2. Confirm whether the Linux host is infected

1. List all processes on the system

Generally, any process consuming more than 90% of CPU or memory is almost certainly a virus. Common mining processes: xfsdatad, rshim, YDService.exe, kinsing, kdevtmpfsi, sysupdate, systemxlv, kthreaddi, kthreaddk, etc. Some virus variants give their process a name resembling a system process, so take care to distinguish them.

top or ps aux | less
Note: press q to exit top's real-time view.

2. Check for hidden processes

If top shows nothing abnormal but the server is still sluggish and resource usage stays high, use a different command to check for processes hidden from top:

ps -aux --sort=-pcpu | head -10
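As an added example (not code from the original article), the check below walks a /proc-style tree and flags processes whose executable was deleted after launch or runs from a scratch directory, and cross-checks against the miner names listed above. The tree root argument and the constructed fake tree are assumptions so it runs offline; on a live host pass /proc.

```shell
#!/bin/sh
# Added example, not from the original article. Walks a /proc-style tree and
# flags processes whose binary was deleted after launch or lives in a scratch
# directory, the usual footprint of kdevtmpfsi/kinsing-style miners.
# The tree root is a parameter so the check can run against a constructed
# directory (assumption for offline use); on a real host pass /proc.

suspicious_procs() {
    root="${1:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        comm=$(cat "$d/comm" 2>/dev/null || echo '?')
        exe=$(readlink "$d/exe" 2>/dev/null || echo '?')
        reason=""
        case "$exe" in
            *"(deleted)"*)                 reason="exe-deleted" ;;
            /tmp/*|/var/tmp/*|/dev/shm/*)  reason="exe-in-scratch-dir" ;;
        esac
        # second signal: the miner process names the article lists
        case "$comm" in
            xfsdatad|rshim|kinsing|kdevtmpfsi|sysupdate|systemxlv|kthreaddi|kthreaddk)
                reason="${reason:+$reason,}known-miner-name" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s\t%s\t%s\t%s\n' "$pid" "$comm" "$exe" "$reason"
        fi
    done
    return 0
}

# Builds a constructed /proc tree (three fake PIDs) for an offline demonstration
make_fake_proc() {
    base="$1"
    mkdir -p "$base/101" "$base/202" "$base/303"
    printf 'sshd\n'       > "$base/101/comm"; ln -sf /usr/sbin/sshd "$base/101/exe"
    printf 'kdevtmpfsi\n' > "$base/202/comm"; ln -sf "/tmp/kdevtmpfsi (deleted)" "$base/202/exe"
    printf 'bash\n'       > "$base/303/comm"; ln -sf /dev/shm/.x/bash "$base/303/exe"
}

FAKE=$(mktemp -d)
make_fake_proc "$FAKE"
suspicious_procs "$FAKE"
rm -rf "$FAKE"
```

Without root, readlink on other users' /proc/PID/exe fails and is shown as "?", so run it as root on a real host.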
3. Determine how the virus got in

1. View the system login log:

cat /var/log/secure
1.1 Analyze the log file to see whether the system password was brute-forced remotely. If root was logged in remotely, change the root password after cleaning up the virus.

1.2 If it was not a remote root login, the cause is most likely a remote login to Redis.

1.2.1 View Redis connection records:

lsof -i:6379
If there are many abnormal connections, immediately find the Redis installation path and open redis.conf:

vim redis.conf
enable bind 127.0.0.1, then restart Redis:

ps -ef | grep redis

kill -9 PID

./src/redis-server ./redis.conf
1.2.2 If Redis is fine, check the other users on the system:

vim /etc/shadow or vim /etc/passwd
Check for unfamiliar usernames and delete any you find:

userdel -r username
4. View the execution log of a single process:

more /var/log/cron | grep "process name"
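For step 1.1 above, as an added example (not from the original article): summarising a /var/log/secure-style file into failed attempts per source IP and accepted logins, then flagging a remote root login. The log lines are constructed samples; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the original article. Summarises sshd entries from a
# /var/log/secure-style file: failed attempts per source IP (brute force) and
# accepted logins, then flags a remote root login, which the article says
# means the root password must be changed after cleanup.
# The log lines written by write_sample_log are constructed samples.

failed_per_source() {
    grep 'Failed password' "$1" | sed -n 's/.* from \([0-9.]*\) port.*/\1/p' \
        | sort | uniq -c | sort -rn
}

accepted_logins() {
    # prints: user source-ip auth-method
    grep 'Accepted ' "$1" \
        | sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) .*/\2 \3 \1/p'
}

# true when root authenticated over the network
root_remote_login() {
    grep -q 'Accepted [a-z]* for root from' "$1"
}

# number of failed attempts from the busiest source IP
top_bruteforce_count() {
    failed_per_source "$1" | head -1 | awk '{ print $1 }'
}

write_sample_log() {
    cat > "$1" <<'EOF'
Mar 10 02:11:01 host sshd[2201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar 10 02:11:03 host sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Mar 10 02:11:05 host sshd[2205]: Failed password for root from 203.0.113.5 port 40141 ssh2
Mar 10 02:11:09 host sshd[2209]: Accepted password for root from 203.0.113.5 port 40150 ssh2
Mar 10 08:30:00 host sshd[2301]: Accepted publickey for deploy from 198.51.100.7 port 51000 ssh2
EOF
}

LOG=$(mktemp)
write_sample_log "$LOG"
echo "== failed attempts per source =="; failed_per_source "$LOG"
echo "== accepted logins (user ip method) =="; accepted_logins "$LOG"
if root_remote_login "$LOG"; then
    echo "ALERT: root logged in remotely; rotate the root password after cleanup"
fi
rm -f "$LOG"
```

On a real host call the functions with /var/log/secure (or /var/log/auth.log on Debian-based systems).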
3. Killing the virus

1. First determine the PID of the mining process

Take the virus process found with top and use its PID to view the chain of related daemon processes:

systemctl status PID
This shows the whole process tree (the original article includes a screenshot here).

2. Based on the displayed process tree, start killing from the top-level daemon (kill the parent first).

Remove the topmost daemon file:

rm -rf path   or   find / -name "path" | xargs rm -rf
Some tricky viruses will produce: rm: cannot remove 'file name': Operation not permitted

One possibility is that you are not running as root; switch to root and try again. The other is that the virus locked the file with chattr; unlock the file first, then it can be deleted normally:

chattr -i filename

Then find the daemon's PID and kill it:

ps -ef | grep daemonname
or
ps -ef | grep daemonname | grep -v grep
kill -9 PID

Note that some miners re-spawn when their files are deleted, so restrict the file permissions and remove the scheduled tasks before deleting them:

chmod 600 daemon path
The timers must be handled with root privileges.

View all timers:

crontab -l
If you confirm that the server itself has no legitimate scheduled tasks, clear them all:

crontab -r
If there are custom timers, edit instead:

crontab -e
manually delete the suspicious tasks, then save and exit

Many viruses scan the timers, so before clearing the scheduled tasks you must lower the permissions of the virus files belonging to the daemon processes, otherwise the clearing will not take effect. Command: chmod 600 daemon process path

With the permissions lowered and the scheduled tasks cleared, the processes can be killed one by one. Work from bottom to top, running kill -9 on each process number in turn, for example kill 9015 first.

Delete the corresponding files after killing all the processes (following the file paths shown in the process tree).

3. If there is no daemon process it is simpler: restrict the file permissions first, then stop the process, clean up the scheduled tasks, and finally delete the virus files.

At this point, virus cleaning is complete.

4. Other security suggestions:

1. Prohibit root login

Log in with a custom user, then switch to root.

2. Check the public keys used for SSH login and clear all suspicious public keys.

Generally, a server that only uses username and password login has no public key file, and if it does exist it is empty. View the public key file:

vim /root/.ssh/authorized_keys

Unlock the file:

chattr -i /root/.ssh/authorized_keys

Change permissions:

chmod 777 /root/.ssh/authorized_keys

Empty the file, or remove every authorized_keys entry you did not create yourself:

vi /root/.ssh/authorized_keys

Restore permissions after clearing:

chmod 400 /root/.ssh/authorized_keys

Lock authorized_keys:

chattr +i /root/.ssh/authorized_keys

Prevent the setting from being bypassed by renaming the .ssh folder:

chattr +i /root/.ssh
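Deciding which entries are "not self-built" is easier with an allow-list of the keys you generated. As an added example (not from the original article), the function below prints every key in an authorized_keys file whose blob is not on the allow-list; the sample files and the PLACEHOLDER key blobs are constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Lists every key in an
# authorized_keys file that is not on an allow-list of keys you generated
# yourself, so "clear all keys not self-built" becomes a mechanical diff.
# Key blobs in the samples are placeholders, not real key material.

unknown_keys() {
    keys="$1"; allow="$2"
    # authorized_keys fields: [options] type base64-blob [comment]; the type
    # field is located explicitly because options (command=, from=) may come
    # first. Options containing spaces are not handled (assumption).
    awk -v allow="$allow" '
        BEGIN { while ((getline l < allow) > 0) { n = split(l, f, " "); if (n >= 2) ok[f[2]] = 1 } }
        /^[ \t]*#/ || NF == 0 { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/) break
            if (i > NF) { print "UNPARSEABLE\t" $0; next }
            blob = $(i + 1)
            comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
            opts = (i > 1) ? "options-present" : "-"
            if (!(blob in ok)) print "UNKNOWN\t" $i "\t" comment "\t" opts
        }' "$keys"
}

# Constructed samples: one self-built key on the allow-list, two foreign ones
write_key_samples() {
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER1 admin@laptop\n' > "$2"
    cat > "$1" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER1 admin@laptop
# key below was not created by us
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2 root@unknown-host
command="/tmp/.x/run" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER3
EOF
}

KEYS=$(mktemp); ALLOW=$(mktemp)
write_key_samples "$KEYS" "$ALLOW"
unknown_keys "$KEYS" "$ALLOW"
rm -f "$KEYS" "$ALLOW"
```

A key that carries options such as command= or from= deserves a second look even when its comment looks familiar, which is why the last column reports them.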

3. Be sure to enable the firewall

Check the firewall status:

systemctl status firewalld
If it does not show the active status, you need to enable the firewall, and remember to open the port numbers you need to allow through:

systemctl start firewalld
4. Prohibit remote access to Redis as far as possible; Redis must have an access password set.
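To check whether a redis.conf actually has the settings this article asks for (bind to loopback in step 1.2.1 of section 2, and a password here), here is an added example that is not from the original article. It reports each weak directive; both config files are constructed samples and the password value is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original article: reports the redis.conf settings
# the article says to fix (bind to loopback, requirepass) plus protected-mode.
# The two config files are constructed samples; the password is a placeholder.

conf_val() {   # effective value of a directive: the last uncommented line wins
    awk -v k="$2" '$1 == k { $1 = ""; v = substr($0, 2) } END { print v }' "$1"
}

redis_conf_findings() {
    bind=$(conf_val "$1" bind); pass=$(conf_val "$1" requirepass); prot=$(conf_val "$1" protected-mode)
    if [ -z "$bind" ]; then
        echo "WEAK bind: unset, Redis listens on every interface"
    else
        for addr in $bind; do
            case "$addr" in
                127.*|::1|-::1|localhost) ;;
                *) echo "WEAK bind: $addr is not a loopback address" ;;
            esac
        done
    fi
    [ -n "$pass" ] || echo "WEAK requirepass: unset, anyone reaching the port can run commands"
    [ "$prot" != "no" ] || echo "WEAK protected-mode: no"
    return 0
}

weak_count() { redis_conf_findings "$1" | wc -l | tr -d ' '; }

write_redis_samples() {   # $1: config as found on an exposed host, $2: hardened
    cat > "$1" <<'EOF'
port 6379
bind 0.0.0.0
protected-mode no
# requirepass foobared
EOF
    cat > "$2" <<'EOF'
port 6379
bind 127.0.0.1
protected-mode yes
requirepass PLACEHOLDER_LONG_RANDOM_PASSWORD
EOF
}

WEAK=$(mktemp); HARD=$(mktemp)
write_redis_samples "$WEAK" "$HARD"
echo "exposed config:"; redis_conf_findings "$WEAK"
echo "hardened config: $(weak_count "$HARD") findings"
rm -f "$WEAK" "$HARD"
```

Run redis_conf_findings against the redis.conf found in the installation path; a config file that is not the one the running server loaded (check ps -ef | grep redis) will give misleading results.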

5. Linux antivirus software:

Install ClamAV:

yum -y install clamav
Update the virus database (this takes a long time, about 20~30 minutes):

freshclam
Scan the current directory recursively and delete infected files:

clamscan -r --remove
Scan the current directory recursively and only report infected files, without deleting them:

clamscan -r
ClamAV help command:

clamscan --help

If there are any mistakes here or you know better techniques, please leave a message so we can discuss. Let's make progress together!!!
—————————————————
Copyright statement: This article is an original article of CSDN blogger "Carrying a Gun to the North". It follows the CC 4.0 BY-SA copyright agreement. For reprinting, please attach the original source link and this statement.
Original link: https://blog.csdn.net/ouxx2009/article/details/123479424
