This was the first time I had encountered such a stubborn Trojan, one that runs as a process named -bash.

# cat /etc/redhat-release 
CentOS release 6.7 (Final)
# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

After cleaning up the processes and files, it always came back on its own and then consumed 50% of the CPU.

netstat -ano|more


Handling ideas:

* Use top to find the process with the highest CPU usage
* Run lsof -p <PID> on it to confirm whether it has suspicious associated files or network requests
* Check crontab -l for abnormal scheduled tasks, then confirm by looking in /var/spool/cron, check the /var/log/cron log, and check every task under /etc/cron*
* Check the password file /etc/passwd for abnormal users and groups
* Check network connections for abnormal IPs with netstat -ano|more

Commands used:

netstat -ano

find / -name bash

sar 1 10

top

ps -ef|grep curl

lsof -p <PID> shows which files and connections the process is associated with and who it is talking to; here it could be seen requesting this external address:

vps-57ca5d6a.vps.ovh.net
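As an added example (not code from the original post), the following script does what the top/lsof/netstat steps above do by hand: it pulls the remote endpoints a process talks to out of "lsof -nP -p <PID>" output, and lists the public (non-RFC1918, non-loopback) peers of established or connecting TCP sockets from "netstat -an" output, so the external address a suspicious process is calling stands out. The sample lsof and netstat text in it is constructed; the only real values are two addresses the post itself blocks later.

```bash
#!/bin/bash
# Added example, not code from the original post. Parsers for lsof and netstat
# output plus a live wrapper. Sample texts below are constructed.

# From lsof output, print the "ip:port" after "->" on every socket line.
lsof_remote_endpoints() {
    awk '/->/ { s = $0; sub(/.*->/, "", s); sub(/ .*/, "", s); print s }'
}

# From "netstat -an" output, print each distinct public foreign IP that has an
# ESTABLISHED or SYN_SENT TCP socket (private and loopback peers are skipped).
netstat_foreign_public() {
    awk '
        function is_private(ip,   o) {
            split(ip, o, ".")
            if (o[1] == 10 || o[1] == 127) return 1
            if (o[1] == 192 && o[2] == 168) return 1
            if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1
            return 0
        }
        $1 == "tcp" && ($6 == "ESTABLISHED" || $6 == "SYN_SENT") {
            split($5, h, ":")
            ip = h[1]
            if (ip != "" && !is_private(ip) && !seen[ip]++) print ip
        }'
}

# Live use: triage_pid <PID> runs the real tools through the parsers above.
triage_pid() {
    echo "== remote endpoints of PID $1 (lsof) =="
    lsof -nP -p "$1" 2>/dev/null | lsof_remote_endpoints
    echo "== public peers of established/connecting TCP sockets (netstat) =="
    netstat -an 2>/dev/null | netstat_foreign_public
}

# Constructed sample in the format of "lsof -nP -p 4321".
SAMPLE_LSOF='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
-bash   4321    x  cwd    DIR  253,0     4096  1234 /var/tmp/.x
-bash   4321    x    3u  IPv4  98765      0t0  TCP 10.0.0.5:44321->51.210.15.231:80 (ESTABLISHED)
-bash   4321    x    4u  IPv4  98766      0t0  UDP 10.0.0.5:5353->208.95.112.1:53'

# Constructed sample in the format of "netstat -an".
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 10.0.0.5:22                 10.0.0.9:51000              ESTABLISHED
tcp        0      0 10.0.0.5:44321              51.210.15.231:80            ESTABLISHED
tcp        0      0 10.0.0.5:44322              185.45.192.135:443          SYN_SENT
tcp        0      0 10.0.0.5:44321              51.210.15.231:80            ESTABLISHED'

if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    triage_pid "$2"
else
    echo "== sample lsof endpoints =="
    printf '%s\n' "$SAMPLE_LSOF" | lsof_remote_endpoints
    echo "== sample netstat public peers =="
    printf '%s\n' "$SAMPLE_NETSTAT" | netstat_foreign_public
fi
```

Run it with no arguments to see the parsers on the samples, or "--live <PID>" on the affected host; any public peer it prints is a candidate for the hosts sinkhole and firewall rules the post applies later.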


crontab -l found no scripts, so I went into the cron directory:

There I found a task file named /var/spool/cron/x.

# find / -name '*.x86_64*'
/sbin/.x86_64
/sbin/.ssh/.x86_64

[root@test bin]# rm -f crondr
rm: cannot remove `crondr': Operation not permitted
[root@test bin]# chattr -sia /bin/crondr
[root@test bin]# chattr -sia /bin/bprofr
[root@test bin]# rm -f /bin/crondr
[root@test bin]# rm -f /bin/bprofr
[root@test bin]# pwd
/bin
[root@test bin]# cd /sbin
[root@test sbin]# ls -lt|head
total 21252
-rwxr-xr-x. 1 root root  188636 May 10 02:41 binitd
-rwxr-xr-x. 1 root root  188636 May 10 02:41 bcrond
-rwxr-xr-x. 1 root root 2556332 May 10 02:39 minitd
-rwxr-xr-x. 1 root root 2556332 May 10 02:39 mcrond
lrwxrwxrwx. 1 root root       7 Dec  7  2018 quotaoff -> quotaon
lrwxrwxrwx. 1 root root       3 Dec  7  2018 vgscan -> lvm
lrwxrwxrwx. 1 root root       3 Dec  7  2018 vgsplit -> lvm
lrwxrwxrwx. 1 root root       3 Dec  7  2018 vgmerge -> lvm
lrwxrwxrwx. 1 root root       3 Dec  7  2018 vgmknodes -> lvm
[root@test sbin]# chattr -sia /bin/binitd
chattr: No such file or directory while trying to stat /bin/binitd
[root@test sbin]# ls -lt|head
total 21252
-rwxr-xr-x. 1 root root  188636 May 10 02:41 binitd
-rwxr-xr-x. 1 root root  188636 May 10 02:41 bcrond
-rwxr-xr-x. 1 root root 2556332 May 10 02:39 minitd
-rwxr-xr-x. 1 root root 2556332 May 10 02:39 mcrond
lrwxrwxrwx. 1 root root       7 Dec  7  2018 quotaoff -> quotaon
lrwxrwxrwx. 1 root root       3 Dec  7  2018 vgscan -> lvm
lrwxrwxrwx. 1 root root       3 Dec  7  2018 vgsplit -> lvm
lrwxrwxrwx. 1 root root       3 Dec  7  2018 vgmerge -> lvm
lrwxrwxrwx. 1 root root       3 Dec  7  2018 vgmknodes -> lvm
[root@test sbin]# rm -f binitd
rm: cannot remove `binitd': Operation not permitted
[root@test sbin]# chattr -sia /sbin/binitd
[root@test sbin]# chattr -sia /sbin/bcrond
[root@test sbin]# chattr -sia /sbin/minitd
[root@test sbin]# chattr -sia /sbin/mcrond
[root@test sbin]# rm -f binitd
[root@test sbin]# rm -f bcrond
[root@test sbin]# rm -f minitd
[root@test sbin]# rm -f mcrond
[root@test sbin]# ls -lt|head

These are not visible from crontab; they are hidden.

Starting from x, check which directories and files are associated with it and drill down; finally delete them one by one.


Things to delete: the user x, its group, and its home directory /x

files under /var/tmp

files under /tmp

I tried to remove them all.

But many files under /var/tmp, /tmp and /etc could not be deleted, so the Trojan process kept being revived and connecting to the external network.

rm -rf reported the following error:

mv curl curl.bak (move the download command out of the way)

So I tried adding the following entries to /etc/hosts to fool the Trojan:

127.0.0.1       pw.pwndns.pw

127.0.0.1       vps-57ca5d6a.vps.ovh.net

After adding these and killing the process, -bash did not come back, and CPU usage has stayed normal.

In addition, consider blocking the source IPs above in the firewall. Going forward, OpenSSH needs to be upgraded and hardened, and it should not be exposed to the public network.

iptables -I INPUT -s 185.45.192.135 -j DROP
iptables -I INPUT -s 208.95.112.1 -j DROP
iptables -I INPUT -s 66.171.248.178 -j DROP
iptables -I INPUT -s 172.67.153.85 -j DROP
iptables -I INPUT -s 104.27.149.211 -j DROP
iptables -I INPUT -s 104.27.148.211 -j DROP
iptables -I INPUT -s 51.210.15.231 -j DROP

/etc/rc.d/init.d/iptables save 
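The hosts entries and iptables rules above are applied by hand, so running them twice leaves duplicate lines and duplicate rules. As an added example (not code from the original post), the script below makes both steps idempotent: a sinkhole entry is only appended when no exact "127.0.0.1 <domain>" line exists, and a DROP rule is only inserted when "iptables -n -L INPUT" does not already list it. It checks with -L rather than "iptables -C" because the iptables shipped with CentOS 6 predates -C. HOSTS_FILE and IPTABLES are overridable so the logic can be exercised against a scratch file and a stub command; the domains and IP list under --apply are the ones from the post.

```bash
#!/bin/bash
# Added example, not code from the original post. Idempotent hosts sinkhole
# and iptables DROP rules for the Trojan's domains and IPs.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
IPTABLES="${IPTABLES:-iptables}"

# Number of "127.0.0.1 <domain>" lines in the hosts file (exact second field).
sinkhole_count() {
    awk -v d="$1" '$1 == "127.0.0.1" && $2 == d { n++ } END { print n + 0 }' "$HOSTS_FILE"
}

# Append the sinkhole entry unless it is already there.
sinkhole_domain() {
    [ "$(sinkhole_count "$1")" -gt 0 ] && return 0
    printf '127.0.0.1\t%s\n' "$1" >> "$HOSTS_FILE"
}

# True if an INPUT DROP rule for this source IP already exists.
drop_rule_exists() {
    "$IPTABLES" -n -L INPUT 2>/dev/null \
        | awk -v ip="$1" '$1 == "DROP" && $4 == ip { f = 1 } END { exit !f }'
}

# Insert the DROP rule only once.
block_ip() {
    drop_rule_exists "$1" && return 0
    "$IPTABLES" -I INPUT -s "$1" -j DROP
}

# Block every IP in a file, one per line; blank lines and '#' comments are skipped.
block_ip_list() {
    while read -r ip _; do
        case "$ip" in '' | '#'*) continue ;; esac
        block_ip "$ip"
    done < "$1"
}

# Run with --apply on the affected host to apply the post's domains and IP list.
if [ "${1:-}" = "--apply" ]; then
    for d in pw.pwndns.pw vps-57ca5d6a.vps.ovh.net; do
        sinkhole_domain "$d"
    done
    LIST=$(mktemp)
    cat > "$LIST" <<'EOF'
185.45.192.135
208.95.112.1
66.171.248.178
172.67.153.85
104.27.149.211
104.27.148.211
51.210.15.231
EOF
    block_ip_list "$LIST"
    rm -f "$LIST"
    /etc/rc.d/init.d/iptables save   # persist across reboot, as in the post
fi
```

Without --apply the script only defines the functions, so it can be sourced and tested safely; with --apply it changes /etc/hosts and the live firewall and then saves the rules the same way the post does.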


Kill any remaining Trojan process every minute: the parent PID of the Trojan's -bash process is always 1

[root@test ~]# crontab -l
* * * * * /root/k.sh # You can cancel this task after it is completely cleared
[root@test ~]# cat /root/k.sh
ps -ef|grep bash|grep "   1"|grep -v grep|awk '{print $2}'|xargs kill -9
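The k.sh above selects processes by grepping ps -ef for "bash" and for three spaces followed by "1". That pattern also matches any other column that happens to contain it, and it matches any process whose arguments mention bash at all. As an added example (not the post's k.sh), the script below selects by exact field comparison on "ps -eo pid,ppid,args" output instead: PPID must be 1 and argv[0] must be exactly "-bash". The sample ps output is constructed; the logger call assumes syslog is available.

```bash
#!/bin/bash
# Added example, not the post's own k.sh. Selects the Trojan's processes by
# exact field comparison rather than by grepping for whitespace.

# From "ps -eo pid,ppid,args" output, print PIDs with PPID 1 and argv[0] "-bash".
orphan_bash_pids() {
    awk 'NR > 1 && $2 == 1 && $3 == "-bash" { print $1 }'
}

# Live version for cron: kill what the parser selects, logging each PID first.
kill_orphan_bash() {
    pids=$(ps -eo pid,ppid,args | orphan_bash_pids)
    [ -n "$pids" ] || return 0
    for p in $pids; do
        logger -t k.sh "killing orphan -bash pid $p"   # assumes logger/syslog present
        kill -9 "$p" 2>/dev/null || true
    done
}

# Constructed sample in the format of "ps -eo pid,ppid,args". Only PID 4321
# should be selected: 2222 is a real login shell under sshd, 5000 runs a script
# as "bash" (not "-bash"), and 4400 is a child of the Trojan, not of PID 1.
SAMPLE_PS='  PID  PPID COMMAND
    1     0 /sbin/init
 1100     1 /usr/sbin/sshd
 2222  1100 -bash
 4321     1 -bash
 4400  4321 curl -s -o /tmp/.x/x
 5000     1 bash /root/backup.sh'

if [ "${1:-}" = "--live" ]; then
    kill_orphan_bash
else
    printf '%s\n' "$SAMPLE_PS" | orphan_bash_pids
fi
```

For the same cron schedule as the post, point the "* * * * *" entry at this script with --live; a real interactive -bash under sshd keeps its sshd parent and is never selected.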

Current operations:
1. Block all known Trojan IPs in the firewall
2. Delete all Trojan files
3. Delete the Trojan user and scheduled tasks
4. Kill the Trojan process
5. Block DNS resolution of the Trojan's domains (this can be re-enabled later depending on the situation)

Hardening suggestions:
1. Restrict remote SSH (port 22) from the internet to a whitelist, or close direct external access to port 22 entirely (allow only VPN/intranet connections)
2. Upgrade OpenSSH
3. Others

A small problem remains: can the files and directories that cannot be modified only be deleted in single-user mode? This needs further study.

For example, what about permissions like dr--r--r--? Even root has no permission to delete or modify these.

cd /tmp/

cd /var/tmp
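As an added example (not code from the original post), the following script addresses both the chattr -sia step earlier in the post and the open question above. Root is not restricted by rwx mode bits such as dr--r--r-- (it holds CAP_DAC_OVERRIDE), so a mode like that is not what blocks rm; what blocks it is the immutable (i) or append-only (a) ext attribute, which ls -l never shows and lsattr does. Single-user mode does not change that; clearing the attribute does. The script parses lsattr output, sweeps the directories the post cleaned for flagged paths, and prints the chattr command for each unless APPLY=1. The sample lsattr lines are constructed, using paths from the post.

```bash
#!/bin/bash
# Added example, not code from the original post. Finds files and directories
# whose ext attributes (not mode bits) make them undeletable even for root.

# From lsattr output ("<flags> <path>"), print paths whose flags include i or a.
lsattr_locked_paths() {
    awk '$1 ~ /[ia]/ { p = $0; sub(/^[^ ]+ +/, "", p); print p }'
}

# Live sweep: every file and directory under the given directories, same filesystem.
sweep_locked() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev \( -type f -o -type d \) -print0 2>/dev/null \
            | xargs -0 lsattr -d 2>/dev/null \
            | lsattr_locked_paths
    done
}

# Clear the attributes on one path so it can be removed; prints the command
# unless APPLY=1, so a dry run can be reviewed before anything is changed.
unlock_path() {
    if [ "${APPLY:-0}" = "1" ]; then
        chattr -sia "$1"
    else
        echo "would run: chattr -sia $1"
    fi
}

# Constructed sample in the format of "lsattr -d"; flags come first, then the path.
SAMPLE_LSATTR='----i--------e-- /sbin/binitd
----ia-------e-- /var/spool/cron/x
-------------e-- /bin/ls
----i--------e-- /tmp/.x/dir with space'

if [ "${1:-}" = "--live" ]; then
    sweep_locked /bin /sbin /usr/bin /usr/sbin /etc /tmp /var/tmp /var/spool/cron \
        | while read -r p; do unlock_path "$p"; done
else
    printf '%s\n' "$SAMPLE_LSATTR" | lsattr_locked_paths
fi
```

Run "--live" first without APPLY to see which paths are flagged, review the list against what the post found (the ones under /bin, /sbin, /var/spool/cron, /tmp and /var/tmp are the suspects; legitimate system files rarely carry i or a), then rerun with APPLY=1 before removing them.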
