Symptoms of a mining virus infection on a server
A new customer recently consulted Sine Security: his server's website often stalled, the remote connection to the server was extremely slow, ping times sometimes reached 300-500 ms, and the connection frequently dropped. On hearing this description one would normally conclude that the server was under a mixed CC (HTTP flood) + DDoS attack. Strangely, the data centre reported no traffic attack at all. If it was not a traffic attack, what kind of attack makes the server lag and the website fail to load?
To resolve the client's server lag, we immediately assigned a security engineer to carry out security detection and deployment on his Linux server.
The mining Trojan was also designed so that, if the customer forcibly stopped the mining process, it would automatically restart and continue mining, achieving uninterrupted mining.
Careful inspection showed how: an hourly scheduled task (cron job) remotely downloads a shell-script mining Trojan and executes it; the script checks whether the mining process currently exists and, if not, starts the Trojan to mine again.
A detailed security inspection of the client's Linux server found that, fortunately, no server data had been encrypted; the server was only infected with the mining worm. Had the data been encrypted the loss would have been enormous, since the client runs a platform whose data is very important.
After the mining Trojan was found, the customer also needed to know how the server had been attacked and how the Trojan had been uploaded, so that such attacks could be prevented in future.
Through the security detection and analysis of our security engineers, we found that the server runs an Apache Tomcat environment, that the platform is built on JSP with an Oracle database, and that the Apache Tomcat in use was a 2016 release carrying a serious remote command execution vulnerability. Through this vulnerability an intruder can break into the server directly and obtain administrator privileges on it.
Sine Security engineers immediately patched the Apache vulnerability and removed the Trojan. The problem has since been resolved; the client's server runs stably and the website opens normally.
First, if the virus was written by a novice, you can find its file path in Task Manager, terminate the process tree directly, or go straight to the path and delete the file.
Second, if the attacker is skilled enough that the process is hard to terminate, download a PC security manager such as Tencent PC Manager. PC Manager has also raised its detection rate for mining viruses, and if it finds one it can clean it directly.
Third, if PC Manager cannot handle it, scan with Avast. This program ranks at the top among antivirus products and is like a sharp sword against mining viruses.
Fourth, if after running Avast we still suspect a mining virus on the computer, open the process list, find the suspicious file's path, and manually move that file into quarantine.
Fifth, after placing it in quarantine, use Avast's analysis facility and submit the file to Avast's staff. If we suspect it is a mining virus, they will analyse it manually and, if it is one, help us delete it.
Sixth, if doubts remain even after professional analysis, and you are not an expert, you will need to reinstall the system. After all, that makes a clean sweep.
Source: https://jingyan..com/article/ca41422f1d83601eae99edf3.html
Thank you (≥∇≦)
The complete mining-virus removal procedure is as follows; carry it out with the network disconnected:
1. Stop and disable the service named "hyper access protection agent" (its name mimics the Hyper-V integration services)
2
3. Delete C:\Windows\System32\vmichapagentsrv.dll. If deletion fails, rename the file to another name first
4. Restart the computer
5. Delete the directories C:\Windows\System32\SysprepThemes and C:\Windows\SysprepThemes
6. Delete C:\Windows\System32\secupdatehost.exe
7. Install the MS17-010 security update: https://docs.microsoft.com/zh-cn/security-updates/Securitybulletins/2017/ms17-010
8.
2. Diagnosing an infection
1. Press Ctrl+Shift+Esc to open Windows Task Manager and view the running processes. Identify unfamiliar processes and note their names (this takes experience); if they turn out to be viruses, the names make them easier to remove later. Do not end them yet, because some viruses and illegal processes cannot be ended here. Click Performance to see the current CPU and memory state: if CPU utilisation is close to 100% or memory use is high, there is a 95% chance the computer is infected.
2. Check the services Windows currently starts: open "Services" from "Administrative Tools" in "Control Panel". Look at the rows whose status is "Started" and whose startup type is "Automatic". A normal Windows service generally has a description (apart from a few forged by hackers or worms). Double-click any service that looks suspicious and check the path and name of its executable in the properties. If the name and path are C:\WINNT\system32\explored.exe, the computer has been compromised. In one case the "Control Panel" could not be opened, or all of its icons were crammed to the left with a vertical scroll bar in the middle and the right side blank, and double-clicking Add/Remove Programs or Administrative Tools showed an empty window: that is the signature of the virus file winhlpp32.exe
3. Run the registry editor (regedit or regedt32) to see which programs start with Windows, mainly under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the RunOnce key beside it; check the values in the right-hand pane for illegal startup items. On Windows XP, running msconfig serves the same purpose. With experience, virus startup entries become easy to spot
4. During the earlier Gaobot outbreak, you could reach sites such as yahoo.com and sony.com but not the websites of well-known security vendors such as www.symantec.com and www.ca.com, and an installed copy of Symantec Norton 2004 antivirus could not update online
5. Show hidden files and look in the system folder WinNT (or Windows)\system32. If the folder appears empty when opened, the computer is infected. Once system32 is open, sort the icons by type to see whether any known virus executables are present. Also check the folders tasks, wins and drivers. The file hosts under drivers\etc is a favourite target for tampering: it is originally only about 700 bytes, but after tampering it grows to more than 1 KB. This is why ordinary websites can be reached while security vendors' sites cannot, and why well-known antivirus software cannot update
6. Let antivirus software determine whether the machine is infected. If it is, the antivirus program will be terminated automatically by the virus and manual updates will fail.
3. Virus removal
1. In the registry, delete the illegal program entries that start with the system, then search the whole registry for the same key values and delete them. A virus that starts as a system service will be registered under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services (and ControlSet001 / ControlSet002); find those entries and delete them
2. Stop the suspect service and change its startup type from Automatic to Disabled
3. If the file System32\drivers\etc\hosts has been tampered with, restore it so that only one valid line remains, "127.0.0.1 localhost", delete all other lines, and set the file to read-only
4. Restart the computer and press F8 to enter "Safe Mode with Networking". The aim is to boot without starting the virus while still being able to install Windows updates and update the antivirus software
5. Search for the virus's executable files and remove them manually
6. Install Windows updates and update the antivirus software
7. Turn off unnecessary system services, such as Remote Registry
8. After step 6, run a full system scan with the antivirus software to catch anything that slipped through
9. After completing the previous step, restart the computer; that completes all operations
4. Prevention
Preventing viruses is far more effective than detecting and removing them, so strict preventive measures must be established. In large and medium-sized networks that can afford it, hardware and software should be combined into layered protection. The ideal layout is: an external firewall at the Internet access point; behind it an anti-virus gateway (Panda Guard offers good value for money); then the router and server area, where a dedicated anti-virus server can be configured for the application servers; inside that, the intranet firewall; and within the intranet an anti-virus server, with each user running a centrally manageable anti-virus client.
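The hosts-file tampering from diagnosis step 5 above (vendor sites pointed at the loopback address or at an attacker's host, so the antivirus cannot update) and the restoration in removal step 3 are covered together by the script below. It is an added example, not code from the original article: it parses a hosts file, reports every mapping not on a small allow list, classifies each as a loopback/0.0.0.0 sinkhole or a redirection, and writes the restored single-line file. The format is identical on Windows (C:\Windows\System32\drivers\etc\hosts) and Linux (/etc/hosts), so it works on a copy of either. The sample content is constructed; 203.0.113.9 is a documentation-range address, and the allow list is an assumption to extend for hosts with legitimate local mappings.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: check a hosts file for
# the tampering described in diagnosis step 5 and produce the restored file
# from removal step 3. Sample content is constructed; 203.0.113.9 is a
# documentation IP.
set -u

# Entries a clean hosts file is expected to contain. Assumption: extend this
# for machines with legitimate local name mappings.
is_allowed_entry() {   # $1 = address, $2 = hostname
  case "$1 $2" in
    "127.0.0.1 localhost"|"::1 localhost"|"127.0.0.1 localhost.localdomain") return 0 ;;
  esac
  return 1
}

# stdin: hosts text. stdout: one "kind address hostname" line per entry not
# on the allow list; kind is "blocked" for loopback/0.0.0.0 sinkholes (the
# vendor site silently fails) and "redirected" when the name is sent to some
# other host (update traffic goes to the attacker).
tampered_entries() {
  local addr rest host kind
  sed 's/#.*//' | while read -r addr rest; do
    if [ -z "$addr" ]; then continue; fi
    for host in $rest; do          # a line may list several hostnames
      if ! is_allowed_entry "$addr" "$host"; then
        case "$addr" in
          127.*|0.0.0.0|::1) kind=blocked ;;
          *) kind=redirected ;;
        esac
        printf '%s %s %s\n' "$kind" "$addr" "$host"
      fi
    done
  done
}

# stdin: hosts text. stdout: number of tampered entries.
count_tampered() { tampered_entries | wc -l | tr -d ' '; }

# The restore from removal step 3: only the localhost line remains. Use as
# `clean_hosts > hosts`, then mark the file read-only.
clean_hosts() { printf '127.0.0.1 localhost\n'; }

# Constructed sample: the two stock lines plus four tampered mappings.
SAMPLE_HOSTS='# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.symantec.com symantec.com
127.0.0.1 www.ca.com
203.0.113.9 liveupdate.example.com'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_HOSTS" | tampered_entries
fi
```

Parsing the entries is more reliable than the 700-byte size heuristic mentioned in the diagnosis: a single added line is enough to break antivirus updates without pushing the file past 1 KB.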