- Check the file /etc/crontab. You probably have an entry to call the virus every 3 minutes
*/3 * * * * root /etc/cron.hourly/cron.sh
Delete this line. - Identify the parent process of the virus. The bfyqwykzfr in your ps -ej. The other proceses are created and killed continously.
- Stop it, dont kill it, with kill -STOP 1632
- Check with another ps -ej that only the parent lives, the children should die quickly
- Now you can delete the files in /usr/bin and /etc/init.d. There are variants of the virus that also uses /boot or /bin. Use ls -lt | head to look for files that have been modified recently.
- Check the script in /etc/cron.hourly/cron.sh. In our server it was calling another copy of the virus on /lib/libgcc.so. Delete both files.
- Now you can kill definitely the bfyqwykzfr process.
# rm /etc/cron.hourly/gcc.sh
# locate bfyqwykzfr
/etc/cron.hourly/gcc.sh
/etc/rc.d/init.d/bfyqwykzfr
/etc/rc.d/rc0.d/K90bfyqwykzfr
/etc/rc.d/rc1.d/S90bfyqwykzfr
/etc/rc.d/rc2.d/K90bfyqwykzfr
/etc/rc.d/rc3.d/K90bfyqwykzfr
/etc/rc.d/rc4.d/K90bfyqwykzfr
/etc/rc.d/rc5.d/K90bfyqwykzfr
/etc/rc.d/rc6.d/K90bfyqwykzfr
/usr/bin/bfyqwykzfr
# ls -lRt /etc/init.d/ | grep /etc/init.d/bfyqwykzfr
-rwxr-xr-x 1 root root 323 Feb 16 14:57 bfyqwykzfr
# rm /etc/init.d/bfyqwykzfr -f
# chkconfig --list
...
bfyqwykzfr 0:off 1:on 2:off 3:off 4:off 5:off 6:off
...
# chkconfig --del bfyqwykzfr
# ls -l /usr/bin/ | grep bfyqwykzfr
...
-rwxr-xr-x 1 root root 625718 Feb 12 13:23 bfyqwykzfr
...
# rm -f /usr/bin/bfyqwykzfr
installing rkhunter
--------------------------------
debian
# apt-get install rkhunter
centos
# yum install epel-release
# yum -y install rkhunter
update rkhunter database
# rkhunter --update
scan/check rootkit
# rkhunter -c
update rkhunter property
# rkhunter --propupd
installing chkrootkit
--------------------------------
debian
centos
# yum install chkrootkit
scan/check
# chkrootkit
ClamAV
--------------------------------
debian
centos
# yum install clamav -y
update virus database
# freshclam
scan directory
# clamscan -r /usr/sbin/
References:
http://superuser.com/questions/863997/ddos-virus-infection-as-a-unix-service-on-a-debian-8-vm-webserver
http://blog.amet13.name/2015/05/linux.html
http://www.woktron.com/secure/knowledgebase/79/Installation-Rootkit-Hunter-rkhunter-on-CentOS-5-and-6.html
http://www.clamav.net/documents/troubleshooting-faq
No comments:
Post a Comment