zoukankan      html  css  js  c++  java
  • 记录XorDDos木马清理步骤

    1.检查

    查看定时任务文件发现有两个异常定时任务

    [root@manage ~]# cat /etc/crontab

    # * * * * * user-name command to be executed

    #*/1 * * * * root /etc/cron.hourly/ssh_deny.sh
    #*/3 * * * * root /etc/cron.hourly/gcc4.sh

    注释掉定时任务

    通过top命令查看会有随机字符串的进程,杀掉进程后又会起来另外一个随机字符串的进程,字符串长度10

    2.安装clamav扫描并删除感染文件

    yum install -y epel-release

    yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd -y

    freshclam #更新数据库

    clamscan -r / --max-dir-recursion=5 -l /root/clamav.log  #扫描目录

    rm -rf `cat clamav.log | grep FOUND | awk -F':' '{print $1}' ` # 删除感染的文件

    3.应用被破坏,删除感染文件后重新安装应用

    yum -y reinstall procps lsof iproute net-tools psmisc

     4.查看进程树,红色为之前杀掉进程后新生成的进程

    [root@manage ~]# pstree

    systemd─┬─.sshd───{.sshd}

    ├─qhhpivnzdw───3*[{qhhpivnzdw}]

    ├─rsyslogd───2*[{rsyslogd}]

    ├─sshd─┬─sshd───bash───pstree

    │ └─sshd───bash

    5.查找文件位置,进程号

    [root@manage ~]# find / -name qhhpivnzdw

    /etc/rc.d/init.d/qhhpivnzdw

    /tmp/qhhpivnzdw

    [root@manage ~]# pidof /tmp/qhhpivnzdw

    7560

    6.从定时任务中查看定时脚本内容,破坏病毒文件

    [root@manage ~]# cat /etc/cron.hourly/gcc4.sh #路径在定时任务文件中
    #!/bin/sh
    PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
    cp /lib/libudev4.so /lib/libudev4.so.6
    /lib/libudev4.so.6
    [root@manage ~]# echo aa> /lib/libudev4.so #破坏文件

    [root@manage ~]# rm   /lib/libudev4.so.6 #删除拷贝文件

    7.删除开机启动项

    [root@manage ~]# chkconfig --list | grep on

    Note: This output shows SysV services only and does not include native
    systemd services. SysV configuration data might be overridden by native
    systemd configuration.

    If you want to list systemd services use 'systemctl list-unit-files'.
    To see services enabled on particular target use
    'systemctl list-dependencies [target]'.

    gijhcyyfle 0:off 1:on 2:on 3:on 4:on 5:on 6:off
    netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
    network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    qhhpivnzdw 0:off 1:on 2:on 3:on 4:on 5:on 6:off
    tmsppnlzmg 0:off 1:on 2:on 3:on 4:on 5:on 6:off
    vimzhvunzi (deleted) 0:off 1:on 2:on 3:on 4:on 5:on 6:off
    [root@manage ~]# chkconfig --del gijhcyyfle
    [root@manage ~]# chkconfig --del qhhpivnzdw
    [root@manage ~]# chkconfig --del tmsppnlzmg

    8.杀掉进程,这时候没有其他随机字符串进程起来了

    [root@manage ~]# kill -9  7560

    学而不思则罔,思而不学则殆
  • 相关阅读:
    Python MongoDB使用介绍
    算法网站
    无限级树状图css实现
    无限级别分类嵌套格式抓取
    无限级别分类
    计算多维数组到底是几维的
    获取无限级别分类
    mysql 重启
    radio 控制器function用法
    php-fpm 重启 nginx单独配置 重启
  • 原文地址:https://www.cnblogs.com/damofeisha/p/11401524.html
Copyright © 2011-2022 走看看