Emergency handling of mining virus in Linux
Publish: 2021-04-28 23:55:49
1. If the computer has a virus, the best solution is to format the system disk or the whole disk, or re-partition and then reinstall the system. Install from the system CD or a production U-disk boot disk: use the shortcut key or enter the BIOS to set the boot items, boot from the CD or USB, and then install the system so that the computer can resume normal use and operation.
2. This kind of virus is mentioned by Tencent Security.
You can download and install Tencent Royal Point; after opening it, you can directly check and kill this kind of computer virus with its virus scanning and killing function.
3. Principle: compare files by their MD5 values.
Operation background:
1.
2.
3. USB flash disk
4. Ubuntu 7.10 livecd
5. Several programs needed to compare MD5 values and convert binary file formats
Operation process:
1. Format the whole disk and install Windows (you can also restore with Ghost, but you must pay attention to possible virus infection of the other disks).
2. Export the registry under the newly installed Windows and put the exported file into the root directory of disk C. Here I name it 1.reg.
3. Enter the Ubuntu system; note that before entering, use F2 to select simplified Chinese mode.
4. Mount the system disk:
mkdir /mnt/hdd1 (create the mount point for the production system disk)
mount -t ntfs -o iocharset=cp936 /dev/hdd1 /mnt/hdd1 (the file system type and device name depend on your situation)
5. Mount the U disk:
mkdir /mnt/usb (create the U disk mount point)
mount -t vfat /dev/sda1 /mnt/usb (mount the U disk at /mnt/usb; again the file system type and device name depend on your situation)
6. Put the exported registry information onto the U disk:
assume there is a test directory on the U disk, and in the test directory there are three programs: parse.sh, parsewinreg and showlist
cp /mnt/hdd1/1.reg /mnt/usb/test (copy the exported registry to the /mnt/usb/test directory)
cd /mnt/usb/test (enter the U disk test directory)
./parsewinreg 1.reg origin (parse the exported registry into the file origin)
7. Calculate the MD5 value of all files on disk C:
rm /mnt/hdd1/pagefile.sys (this file is too big and slows down the calculation; delete it)
/mnt/usb/test/parse.sh /mnt/hdd1/ > /mnt/usb/origfile (calculate the MD5 value of every disk file and write the result to origfile on the U disk)
8. Re-enter Windows and run the virus file.
Note: first put the virus file onto the disk, unplug the U disk, unplug the network cable, and then run it.
9. Repeat steps 3, 4, 5 and 6 (this time naming the parsed registry newreg), then:
rm /mnt/hdd1/pagefile.sys
/mnt/usb/test/parse.sh /mnt/hdd1/ > /mnt/usb/newfile
10. So far we have the original system information, origin and origfile, and the information after the virus, newreg and newfile.
11. Compare the file differences: diff -Nur origfile newfile > filediff
12. Compare the registry differences: diff -Nur origin newreg > regdiff
13. Analyze filediff and regdiff and draw the conclusion.
Analysis tips: generally, a line marked + is a file released by the virus, and a line marked - is a changed (infected) file. If an MD5 value appears in a pair (one + and one -), that line is generally not relevant, and a line with no mark in front is not relevant either. Delete the useless lines, leaving only the single + or single - ones, and look at the file paths: these are the files generated by the virus or the infected files.
4. 1. The simplest and most effective way is to reinstall.
2. To troubleshoot, find the virus file and delete it. After infection the machine's CPU and memory utilization are usually high, and the machine shows other abnormal behaviour. The troubleshooting method is briefly introduced as follows:
# the top command finds the process with the highest CPU utilization; virus file names are generally messy
# ps aux can be used to find the location of the virus file
# rm -f deletes the virus file
# check the scheduled tasks, the boot items and the virus file's directory for other files that can be deleted, etc.
3. Since latent viruses may remain even after the virus file is deleted, it is best to back up the machine's data and then reinstall.
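The top / ps / scheduled-task checks of answer 4, as an added shell example that is not part of the original answer. flag_processes reads "pid %cpu exe" lines and prints the ones worth a closer look: CPU above a threshold, an executable living in a world-writable scratch directory such as /tmp or /dev/shm, or an executable that has already been unlinked from disk (the "(deleted)" suffix that readlink on /proc/PID/exe shows). collect_processes gathers those lines from a live system (run as root to read every process's /proc/PID/exe), and list_persistence prints the cron and boot locations the answer says to check. The process lines in sample_input are constructed; the 50% threshold and the scratch-directory list are this example's own choices.

```shell
#!/bin/sh
# Added example: triage helpers for a suspected miner on Linux.
# Not from the original answer; thresholds and paths are this example's choices.

# flag_processes [THRESHOLD]: read "pid %cpu exe [(deleted)]" lines on stdin
# and print "pid<TAB>exe<TAB>reasons" for each one that deserves a look.
flag_processes() {
    awk -v t="${1:-50}" '
        function tag(r) { reason = (reason == "" ? r : reason "," r) }
        {
            reason = ""
            pid = $1; cpu = $2; exe = $3
            if (cpu + 0 >= t + 0) tag("high-cpu")
            if (exe ~ /^\/(tmp|var\/tmp|dev\/shm)\//) tag("scratch-dir")
            if ($0 ~ /\(deleted\)$/) tag("exe-deleted")
            if (reason != "") print pid "\t" exe "\t" reason
        }'
}

# collect_processes: one "pid %cpu exe" line per process on the live system,
# taking the real executable path from /proc rather than the command name
# shown by top, which a process can set to anything it likes.
collect_processes() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        cpu=$(ps -o pcpu= -p "$pid" 2>/dev/null | tr -d ' ')
        [ -n "$cpu" ] && printf '%s %s %s\n' "$pid" "$cpu" "$exe"
    done
}

# list_persistence: the scheduled-task and boot locations answer 4 says to
# review once a suspect file has been found (comments and blank lines dropped).
list_persistence() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/* /etc/rc.local; do
        [ -f "$f" ] || continue
        printf '== %s\n' "$f"
        grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' || true
    done
    command -v systemctl >/dev/null 2>&1 && systemctl list-unit-files --state=enabled --no-pager
    return 0
}

# sample_input: constructed process lines standing in for collect_processes
# output, so the flagging logic can be exercised without a live system.
sample_input() {
    printf '1 0.1 /usr/lib/systemd/systemd\n'
    printf '4242 97.3 /tmp/.cache/miner\n'
    printf '777 12.0 /usr/bin/python3 (deleted)\n'
    printf '900 3.2 /usr/sbin/sshd\n'
}

# On a live box: collect_processes | flag_processes 50; list_persistence
sample_input | flag_processes 50
```

On the constructed input, pid 4242 is flagged as high-cpu,scratch-dir and pid 777 as exe-deleted; the deleted-executable case matters because removing the file with rm -f (the answer's step) does not stop a process that is already running, so the flagged pid still has to be killed and its persistence entries removed.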
5. Although Linux has a stronger security mechanism than Windows and more complicated permissions, you can't ignore viruses, even if you don't explain what the symptoms are. If you insist that a virus is present, Avast is an option. It provides two scanning methods: terminal and GUI. Most importantly, it's FREE FOR PERSONAL USE! As for other antivirus software, there is McAfee for Linux, but it is paid. There are still a lot of them.