  • xor和gates的专杀脚本

    前段时间的一次样本,需要给出专杀,应急中遇到的是linux中比较常见的两个家族gates和xor。

    首先是xor的专杀脚本。xor样本查杀时需要注意样本的主进程和子进程相互保护(详见之前的xor ddos分析http://www.cnblogs.com/goabout2/p/4888651.html),想要杀掉的话,需要先通过kill -STOP挂起主进程,再删除其他文件;但是由于xor的进程名是随机值,同时主机上还有gates木马(gates最显著的特征就是会替换系统文件ps、lsof、ss、netstat),因此为了避免调用被替换的命令,脚本必须隔离系统命令。

    此处通过的是遍历/proc/pid/maps文件获取所有进程对应的程序路径,通过该路径与特征值匹配出的路径对比,从而确定主进程的pid。

    import os
    import re
    import sys
    import time
    
    # property of the virus
    # Signature string searched for, line by line, inside files under /boot and /lib/udev.
    sigin = "m4S4nAC/nA"
    # Expected drop locations (';'-separated); "dingzhi_random_10_word1" stands for the
    # random 10-lowercase-letter file name that check() validates.  NOTE: not read by
    # the code in this listing - check() hard-codes "/boot" and "/lib/udev".
    filepath = "/boot/dingzhi_random_10_word1;/lib/udev/udev"
    # Persistence files removed by kill(); the "fromdingzhi_" suffix is replaced with the
    # name of the /boot file at run time.
    delpath = "/etc/cron.hourly/cron.sh;/etc/init.d/fromdingzhi_"
    
    #read file
    def readfile(path):
        """Return the complete content of the file at *path* (text mode)."""
        with open(path) as handle:
            return handle.read()
    
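    #scan the filesystem in the os with specify eigenvalue
    def scanforeigen(path, word):
        """Walk *path* recursively and return the first file containing *word*.

        Files are read in binary mode line by line, so the scan works on
        executables and on Python 3 as well as Python 2.  Returns the matching
        path, or None when no file under *path* contains the signature.  A hit
        inside a subdirectory is propagated (the original dropped the recursive
        result).  Entries that cannot be listed or opened (permissions, files
        that vanished) are reported and skipped instead of aborting the scan;
        symlinked directories are not followed, to avoid recursing forever.
        """
        needle = word if isinstance(word, bytes) else word.encode()
        try:
            entries = os.listdir(path)
        except OSError:
            print("cannot list " + path)
            return None
        for filename in entries:
            fp = os.path.join(path, filename)
            if os.path.isfile(fp):
                print(fp)
                try:
                    with open(fp, "rb") as f:
                        for line in f:
                            if needle in line:
                                print("find in the file:" + fp)
                                return fp
                except (IOError, OSError):
                    print("cannot read " + fp)
            elif os.path.isdir(fp) and not os.path.islink(fp):
                found = scanforeigen(fp, word)
                if found is not None:
                    return found
        return None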
    
    #check the specify dir thrugh property return the path in a lis
    def check():
        """Locate the XOR DDoS sample files and return their paths as a list.

        The copy under /boot must be named with exactly 10 lowercase letters; the
        copy under /lib/udev must be called "udev".  Hits are appended in that
        order, the /boot copy first.
        """
        found = []
        bootfile = scanforeigen("/boot", sigin)
        if bootfile:
            name = os.path.basename(bootfile)
            if len(name) == 10 and re.match('^[a-z]+$', name):
                found.append(bootfile)
        libfile = scanforeigen("/lib/udev", sigin)
        if libfile and os.path.basename(libfile) == "udev":
            found.append(libfile)
        return found
    
    
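    def _maps_reference(mapscontent, filepath):
        """Return True if any line of a /proc/<pid>/maps dump names *filepath*.

        maps lines are "addr perms offset dev inode [path]"; the path may carry a
        trailing " (deleted)" marker, which still counts as a reference.
        """
        for line in mapscontent.splitlines():
            fields = line.split(None, 5)
            if len(fields) == 6:
                mapped = fields[5]
                if mapped == filepath or mapped.startswith(filepath + " "):
                    return True
        return False

    def _remove_quiet(path):
        """Delete *path* with os.remove, reporting instead of raising when it fails."""
        try:
            os.remove(path)
        except OSError as err:
            print("could not remove " + path + ": " + str(err))

    def kill():
        """Suspend the XOR DDoS processes, remove the dropped files, then kill them.

        Steps: run check() to find the sample; collect the PIDs whose
        /proc/<pid>/maps map the /boot copy; SIGSTOP each of them (parent and
        child guard one another, so all must be frozen before anything is
        removed); delete the sample copies, the cron hook and the init script;
        finally SIGKILL every stopped PID.

        Signals are sent with os.kill and files removed with os.remove so no
        possibly-replaced system binary (kill, rm, ps, ...) is executed.  Missing
        files and processes that vanish are reported and skipped.  Without a
        /boot copy the process cannot be identified, so nothing is touched: the
        original indexed targetlist[0] blindly, which raised IndexError on an
        empty list, and with only the udev copy present it would have matched
        every process whose maps mention "udev".
        """
        import signal  # only needed here

        targetlist = check()
        print(targetlist)
        bootcandidates = [t for t in targetlist if t.startswith("/boot/")]
        if not bootcandidates:
            print("no /boot sample found - nothing to kill")
            return
        boot = bootcandidates[0]
        print("boot is " + boot)
        bootname = boot.split('/')[-1]

        # Every PID whose memory map references the sample.  The full path is
        # compared against the path column of each maps line; a bare substring
        # match on the file name could hit unrelated processes.
        pidlist = []
        for itemnum in os.listdir("/proc"):
            if not itemnum.isdigit():
                continue
            path = "/proc/" + itemnum + "/maps"
            try:
                mapscontent = readfile(path)
            except (IOError, OSError):
                continue  # process exited or maps is unreadable
            if _maps_reference(mapscontent, boot):
                print("the pid of the " + bootname + " is " + itemnum)
                pidlist.append(itemnum)
        print(pidlist)

        #stop the father process
        for item in pidlist:
            print("item is " + item)
            try:
                os.kill(int(item), signal.SIGSTOP)
            except OSError:
                print("could not stop pid " + item)
            time.sleep(5)
            print("going sleeping")

        #delete the file
        dellist = list(targetlist)
        for delfile in delpath.split(';'):
            if delfile.split('/')[-1] == "fromdingzhi_":
                delfile = delfile.replace("fromdingzhi_", bootname)
            dellist.append(delfile)
        for target in dellist:
            print("del the " + target)
            _remove_quiet(target)

        #kill the process (every stopped PID; the original only killed the last one)
        for item in pidlist:
            print("kill -9 " + item)
            try:
                os.kill(int(item), signal.SIGKILL)
            except OSError:
                print("could not kill pid " + item)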
    
    
    
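    if __name__ == '__main__':
        # Usage: script.py -check | -kill  (the original indexed sys.argv[1]
        # unguarded and died with IndexError when run without an argument).
        mode = sys.argv[1] if len(sys.argv) > 1 else ""
        if mode == "-check":
            print(check())
        elif mode == '-kill':
            kill()
        else:
            print("usage: " + sys.argv[0] + " -check | -kill")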
    

    对于gates木马需要注意的是,样本第一次运行时的文件不会被删除,二进制分析时获取不到该样本的路径,所幸该路径保存在/etc/init.d/DbSecuritySpt的启动文件中。

    import os 
    import sys
    import time
    
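    #linux.tragon.bill.gates
    
    # Signature searched for, line by line, in files under the directories of filedir.
    sigin = "88FD2FE8EF8D51263B037677FD30F25CBFEB57F759F711FB41956288A85E9655F"
    # Init scripts installed by the trojan (reference only; kill() hard-codes
    # /etc/init.d/DbSecuritySpt and delpath lists both).
    initpaht = "/etc/init.d/selinux;/etc/init.d/DbSecuritySpt"
    # Directories scanned by check(); kill() copies ps/ss/lsof/netstat from
    # /usr/bin/dpkgd back to /bin (presumably the originals saved by the trojan).
    filedir = "/usr/bin;/usr/sbin;/bin;/usr/bin/bsd-port;/usr/bin/dpkgd"
    # Known drop locations of the sample (reference only; not read by this listing).
    filepath = "/usr/bin/.sshd;/usr/bin/bsd-port/getty"
    # Everything kill() removes: the replaced system tools, both init scripts and the
    # pid/lock files.  The original spelled the netstat entries "netsata", so the
    # replaced netstat in /usr/bin and /usr/sbin was never removed; fixed here.
    delpath = "/usr/bin/ps;/usr/bin/ss;/usr/bin/lsof;/usr/bin/netstat;/usr/sbin/ps;/usr/sbin/ss;/usr/sbin/lsof;/usr/sbin/netstat;/bin/ps;/bin/ss;/bin/lsof;/bin/netstat;/etc/init.d/selinux;/etc/init.d/DbSecuritySpt;/tmp/moni.lod;/tmp/gates.lod;/usr/bin/bsd-port/getty.lock"
    # Files whose content kill() treats as the PID of a running trojan process.
    configfile = "/tmp/moni.lod;/tmp/gates.lod;/usr/bin/bsd-port/getty.lock"
    
    # Paths found by scanforeigen(); filled as a side effect of check(), read by kill().
    findlist = []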
    
    #read file
    def readfile(path):
        """Return the complete content of the file at *path* (text mode)."""
        with open(path) as handle:
            return handle.read()
    
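    #scan the filesystem in the os with specify eigenvalue
    def scanforeigen(path, word):
        """Walk *path* recursively and return the first file containing *word*.

        Every hit is also appended to the module-level findlist.  Files are read
        in binary mode line by line, so the scan works on executables and on
        Python 3 as well as Python 2.  Returns the matching path, or None when no
        file under *path* contains the signature.  A hit inside a subdirectory is
        propagated (the original dropped the recursive return value and only
        recorded it in findlist).  Entries that cannot be listed or opened are
        reported and skipped instead of aborting the scan; symlinked directories
        are not followed, to avoid recursing forever.
        """
        needle = word if isinstance(word, bytes) else word.encode()
        try:
            entries = os.listdir(path)
        except OSError:
            print("cannot list " + path)
            return None
        for filename in entries:
            fp = os.path.join(path, filename)
            if os.path.isfile(fp):
                print(fp)
                try:
                    with open(fp, "rb") as f:
                        for line in f:
                            if needle in line:
                                print("find in the file:" + fp)
                                findlist.append(fp)
                                return fp
                except (IOError, OSError):
                    print("cannot read " + fp)
            elif os.path.isdir(fp) and not os.path.islink(fp):
                found = scanforeigen(fp, word)
                if found is not None:
                    return found
        return None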
    
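    #check the specify dir thrugh property return the path in a lis
    def check():
        """Scan every directory in filedir for the signature and return the hits.

        Each hit is also recorded in the module-level findlist by scanforeigen(),
        which is what kill() consumes; the returned list carries the same paths
        for callers that want a value (the original returned None and left
        targetlist unused).  Directories that do not exist on this host, such as
        /usr/bin/bsd-port when the trojan is absent, are skipped instead of
        aborting the whole scan with OSError from os.listdir.
        """
        targetlist = []
        for dirpath in filedir.split(";"):
            if not os.path.isdir(dirpath):
                print("skip missing dir " + dirpath)
                continue
            checkfile = scanforeigen(dirpath, sigin)
            print("the checkfile is :")
            print(checkfile)
            if checkfile is not None:
                targetlist.append(checkfile)
        return targetlist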
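    def _signal_pid(pid, sig):
        """Send *sig* to the process *pid* (a digit string), reporting failures."""
        try:
            os.kill(int(pid), sig)
        except OSError as err:
            print("could not signal pid " + pid + ": " + str(err))

    def _remove_quiet(path):
        """Delete *path* with os.remove, reporting instead of raising when it fails."""
        try:
            os.remove(path)
        except OSError as err:
            print("could not remove " + path + ": " + str(err))

    #start kill
    def kill():
        """Stop the Gates trojan processes, remove its files, restore the tools, kill.

        Order: the PIDs recorded in the trojan's .lod/.lock files are SIGSTOPped
        first; every path in delpath plus the program named by
        /etc/init.d/DbSecuritySpt is removed; ps/ss/lsof/netstat are copied from
        /usr/bin/dpkgd back to /bin; only then are the stopped PIDs SIGKILLed.

        Signals go through os.kill, deletions through os.remove and copies
        through shutil, so nothing from the (partly replaced) PATH is executed
        and the contents read from the pid files and the init script never reach
        a shell.  The original concatenated those contents into popen() command
        lines, which lets whoever can write /tmp/*.lod run commands as the
        operator; here a pid is accepted only if it is a pure digit string and
        the init-script path only if it is a single absolute path.
        """
        import shutil
        import signal

        check()
        print(findlist)

        #get pid
        piddic = {}
        for confpath in configfile.split(";"):
            try:
                content = readfile(confpath)
            except (IOError, OSError):
                print("no pid file " + confpath)
                continue
            print("the path " + confpath + "content is " + content)
            pid = content.strip()
            if pid.isdigit():
                piddic[confpath] = pid
            else:
                print("ignoring non-numeric pid in " + confpath)
        print(piddic)

        #get the filepath restart by DbSecuritySpt
        # The original sliced a fixed 12 characters off the script (the length of
        # "#!/bin/bash\n"); here the first line is dropped only if it is a shebang
        # and the remainder must be one absolute path, otherwise nothing is deleted.
        specialpath = None
        try:
            initscript = readfile("/etc/init.d/DbSecuritySpt")
        except (IOError, OSError):
            print("no /etc/init.d/DbSecuritySpt")
        else:
            if initscript.startswith("#!"):
                body = initscript[initscript.find("\n") + 1:]
            else:
                body = initscript
            candidate = body.strip()
            print("dd" + candidate)
            if candidate.startswith("/") and len(candidate.split()) == 1:
                specialpath = candidate
            else:
                print("ignoring unexpected init script content")

        #stop the process in the pidlist
        for key in piddic:
            _signal_pid(piddic[key], signal.SIGSTOP)

        #start to delete the file
        for delfilepath in delpath.split(";"):
            _remove_quiet(delfilepath)
        if specialpath is not None:
            _remove_quiet(specialpath)

        # Put the saved tools back into /bin (copy into the directory, like cp).
        for tool in ("ps", "ss", "lsof", "netstat"):
            src = "/usr/bin/dpkgd/" + tool
            try:
                shutil.copy(src, "/bin")
            except (IOError, OSError) as err:
                print("could not restore " + src + ": " + str(err))

        for key in piddic:
            _signal_pid(piddic[key], signal.SIGKILL)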
    
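    if __name__ == '__main__':
        # Usage: script.py -check | -kill  (the original indexed sys.argv[1]
        # unguarded and died with IndexError when run without an argument).
        mode = sys.argv[1] if len(sys.argv) > 1 else ""
        if mode == "-check":
            print(check())
        elif mode == '-kill':
            kill()
        else:
            print("usage: " + sys.argv[0] + " -check | -kill")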
    
  • 原文地址:https://www.cnblogs.com/goabout2/p/5149037.html