How to deal with Linux mining virus
Publish: 2021-04-15 23:01:42
1. This kind of virus is mentioned by Tencent Security. You can download and install Tencent Yudian (腾讯御点) endpoint security; after opening it, use its virus scan-and-kill function to detect and remove this kind of virus directly.
2. The complete removal process for this mining virus is as follows; carry it out with the network disconnected:
1. Stop and disable the Hyper Access Protection Agent service
2.
3. Delete C:\Windows\System32\vmichapagentsrv.dll. If deletion fails, rename the file to another name instead
4. Restart the computer
5. Delete the directories C:\Windows\System32\Sysprep themes and C:\Windows\Sysprep themes
6. Delete C:\Windows\System32\secupdatehost.exe
7. See MS17-010: https://docs.microsoft.com/zh-cn/security-updates/Securitybulletins/2017/ms17-010
8.
3. Principle: compare files by their MD5 values.
Operation background:
1.
2.
3. USB flash disk
4. Ubuntu 7.10 live CD
5. Several programs needed to compare MD5 values and convert binary file formats
Operation process:
1. Format the whole disk and install Windows fresh (you can also restore with Ghost, but beware that other disks may already be infected)
2. Export the registry from the newly installed Windows and put the exported file in the root directory of drive C. Here I name it 1.reg
3. Boot into the Ubuntu live CD; before entering, press F2 and select Simplified Chinese mode
4. Mount the system disk:
mkdir /mnt/hdd1 (create the mount point for the production system disk)
mount -t ntfs -o iocharset=cp936 /dev/hdd1 /mnt/hdd1 (the file system type and device name depend on your setup)
5. Mount the USB disk:
mkdir /mnt/usb (create the USB disk mount point)
mount -t vfat /dev/sda1 /mnt/usb (mount the USB disk at /mnt/usb; again check the file system type and device name)
6. Put the exported registry information on the USB disk. Assume there is a test directory on the USB disk containing three programs: parse.sh, parsewinreg and showlist
cp /mnt/hdd1/1.reg /mnt/usb/test (copy the exported registry to /mnt/usb/test)
cd /mnt/usb/test (enter the test directory on the USB disk)
./parsewinreg 1.reg origin
7. Calculate the MD5 value of every file on drive C:
rm /mnt/hdd1/pagefile.sys (this file is too large and slows down the calculation, so delete it)
/mnt/usb/test/parse.sh /mnt/hdd1/ > /mnt/usb/origfile (calculate the MD5 values of the files on the disk and write the result to origfile on the USB disk)
8. Re-enter Windows and run the virus file
Note: first copy the virus file onto the disk, unplug the USB disk and the network cable, and only then run it
9. Repeat steps 3, 4, 5, 6 and 7:
rm /mnt/hdd1/pagefile.sys
/mnt/usb/test/parse.sh /mnt/hdd1/ > /mnt/usb/newfile
10. So far we have the original system information, origin and origfile, and the information after the virus, newreg and newfile
11. Compare the file differences: diff -Nur origfile newfile > filediff
12. Compare the registry differences: diff -Nur origin newreg > regdiff
13. Analyze filediff and regdiff and draw the conclusion
Analysis tips: generally, a line marked + is a file the virus released, and a line marked - is a file that was changed (infected). If an MD5 value appears in a pair (one + and one -), that line is generally not relevant, and a line with no mark in front is not relevant either. Delete the useless lines, leaving only the single + or single - ones, and then look at the file paths: these are the files generated by the virus or infected by it.
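The baseline-and-diff analysis of steps 7 to 13, as an added Python example that is not part of the original post: hash_tree produces the per-file MD5 listing that parse.sh is assumed to emit, parse_listing reads origfile/newfile, and compare applies the analysis tips (a single + is a new file, a single - is a removed file, a +/- pair on one path is a changed file). The "<md5>  <path>" listing format and the sample paths are assumptions.

```python
import hashlib
import os

# Added example, not from the original post. Assumes origfile/newfile hold one
# "<md5>  <path>" line per file (md5sum's layout), which parse.sh is assumed to emit.

def hash_tree(root):
    """Walk root and return {relative path: md5 hex}, what parse.sh does per disk."""
    listing = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue  # skip sockets, broken symlinks and the like
            h = hashlib.md5()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            listing[os.path.relpath(full, root)] = h.hexdigest()
    return listing

def parse_listing(text):
    """Parse md5sum-style lines into {path: md5}; blank lines are ignored."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            digest, _, path = line.strip().partition("  ")
            table[path.strip()] = digest.lower()
    return table

def compare(before, after):
    """Apply the analysis tips: a path only in 'after' is new (single +), only in
    'before' is gone (single -), in both with a changed MD5 is modified (+/- pair)."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}

# Constructed sample listings standing in for origfile and newfile.
ORIGFILE = """\
d41d8cd98f00b204e9800998ecf8427e  Windows/System32/drivers/etc/hosts
0cc175b9c0f1b6a831c399e269772661  Windows/System32/svchost.exe
"""
NEWFILE = """\
4a8a08f09d37b73795649038408b5f33  Windows/System32/drivers/etc/hosts
0cc175b9c0f1b6a831c399e269772661  Windows/System32/svchost.exe
0cc175b9c0f1b6a831c399e269772661  Windows/System32/secupdatehost.exe
"""
```

Run compare(hash_tree("/mnt/hdd1"), ...) against a saved baseline, or compare(parse_listing(open("origfile").read()), parse_listing(open("newfile").read())) on the two listings, to get the same single +, single - and changed-file split the tips describe.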
4. You can use ESET's NOD32 to detect and remove it.
Worms on Linux are similar to those on Windows: they run independently and spread themselves to other computers. Worms on the Linux platform usually spread through vulnerabilities in the Linux system and its services. For example, the Ramen worm spread using rpc.statd and wu-ftpd on some Linux versions (Red Hat 6.2 and 7.0).
Prevention: to prevent this kind of virus, we need to cut off the source of the worm attack. All of the Linux virus outbreaks that have occurred so far exploited security vulnerabilities that had already been publicly announced for Linux; users who took the corresponding security measures in time were not affected. Unfortunately, many Linux administrators do not closely track the latest information on their own systems and services, and so still give the virus an opening. Users should secure the local machine and pay particular attention to Linux security vulnerability information; whenever a new Linux vulnerability appears, they should take security measures promptly. In addition, firewall rules can be used to limit the spread of worms.
For the prevention of viruses on the Linux platform, the following suggestions are summarized for reference only:
1. Harden the system
2. Follow security announcements and fix vulnerabilities promptly
3. Do not use root privileges for daily operation
4. Do not install device drivers of unknown origin
5. Do not run unexplained executable programs or scripts on important servers
6. Install anti-virus software where possible and upgrade its virus signature database regularly
7. For Linux servers connected to the Internet, scan regularly for Linux viruses, worms and Trojans
8. For Linux servers that provide file services, it is better to deploy software that can detect and remove both Windows and Linux viruses