Small note: IptabLes and IptabLex virus cleanup process


Last year a Linux server was hacked and I went through 5 million lines of logs (looking back now, I think I did pretty well at the time). Anyway, the log files were over 700 MB. A couple of days ago my brother told me that a teacher at the information center had told him that one of our servers had probably been compromised, was being used as a springboard into the intranet, and was frequently attacking other servers on it. So I went to the server that same night.

This was the first time I had been on this server, and I had no idea what the situation was. All I knew was that it ran Linux (which version exactly, I still had to check) and hosted a website.


Once in, the first thing is to see which distribution it is: CentOS 6.5. I had only ever played with Ubuntu before, so it was somewhat unfamiliar. OK, enough rambling.


Let's see what the website is. cd /var and look around: no directory such as www or htdocs, and no Tomcat. I searched for a moment and, sure enough, there it was. I didn't read the web content first; the site had presumably already been compromised successfully. Let's go straight to the server itself.


While writing this article I realized that I shouldn't have looked at other things first; I should have backed up .bash_history before anything else. A lesson for myself.

Take a look at passwd and shadow:

[root@localhost /]# stat /etc/passwd
  File: "/etc/passwd"
  Size: 1723       Blocks: 8          IO Block: 4096   Normal File
Device: fd00h/64768d    Inode: 919098      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-09-21 09:32:01.730288306 +0800
Modify: 2014-04-02 09:31:28.469644869 +0800
Change: 2014-04-02 09:31:28.503201786 +0800

[root@localhost /]# stat /etc/shadow
  File: "/etc/shadow"
  Size: 1177       Blocks: 8          IO Block: 4096   Normal File
Device: fd00h/64768d    Inode: 919095      Links: 1
Access: (0000/----------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-09-21 09:40:01.734126039 +0800
Modify: 2014-04-02 09:38:11.473125883 +0800
Change: 2014-04-02 09:38:11.498275087 +0800

It seems the intrusion succeeded on April 2. Looking at the directories under /home, one extra user had been added. Let's look at the account files again.

[root@localhost /]# cat /etc/shadow

mysql:!!:15791::::::
tomcat:!!:15791::::::
chu:$6$kG9zMTps$7H61NSjXMY3/Jc/tZrJtCuwFn1mhDyWXVg4blFghfLdbQNXr.6Li9tYt5fYVJsIlvwb0z68k/EQXsUljZK6.L0:15793:0:99999:7:::
sqzr:$6$yBrvX/HDaim/vrK4$uArYMq6Zr2XM7BWTzexC16RI6HGmOp9cs65AgLR.v.yx3rN0M6YzblNCJytGsguFSbsGN18OPpcyrSG63fKKS.:16162:0:99999:7:::


I won't paste passwd. In passwd, the IDs after sqzr are the same as root's, so it has root privileges. userdel sqzr complained that it couldn't be deleted because the user was currently logged in; this user is just another name for root. I edited the two files directly and deleted the lines. User cleaned up.


Look at the processes:

21911 ?        00:00:00 .IptabLex
21917 ?        00:00:00 .IptabLes
29093 ?        00:00:02 prwpodebiq


What is this? At first glance it's the firewall, but there's one extra, and thinking again, Linux is case sensitive. This isn't right.

A Baidu search showed that it is indeed a virus, and other people have been hit by it too.

http://www.xujiansheng.cn/2014/01/linux-viruses-iptablex-iptables/

Then there is prwpodebiq: a completely meaningless process name, and with such a large PID there must be a problem.


[root@localhost /]# find / -name prwpodebiq -print
/boot/prwpodebiq
/etc/rc.d/init.d/prwpodebiq

[root@localhost /]# cd /boot/
[root@localhost boot]# ll
Total usage 19588
-rw-r--r--. 1 root root    97862 May 20 2011 config-2.6.32-71.el6.x86_64
drwxr-xr-x. 3 root root     1024 March 27 2013 efi
drwxr-xr-x. 2 root root     1024 March 27 2013 grub
-rw-r--r--. 1 root root 13419499 March 27 2013 initramfs-2.6.32-71.el6.x86_64.img
lrwxrwxrwx  1 root root       25 September 16 22:31 IptabLes -> /etc/rc.d/init.d/IptabLes
lrwxrwxrwx  1 root root       25 September 16 22:31 IptabLex -> /etc/rc.d/init.d/IptabLex
drwx------. 2 root root    12288 March 27 2013 lost+found
-rwxr-x---  1 root root   613533 September 21 21:29 prwpodebiq
-rw-r--r--. 1 root root   160542 May 20 2011 symvers-2.6.32-71.el6.x86_64.gz
-rw-r--r--. 1 root root  2226490 May 20 2011 System.map-2.6.32-71.el6.x86_64
-rwxr-xr-x. 1 root root  3791040 May 20 2011 vmlinuz-2.6.32-71.el6.x86_64

[root@localhost boot]# stat prwpodebiq
  File: "prwpodebiq"
  Size: 613533     Blocks: 1200       IO Block: 1024   Normal File
Device: 801h/2049d      Inode: 22          Links: 1
Access: (0750/-rwxr-x---)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-09-21 23:16:18.000000000 +0800
Modify: 2014-09-21 21:29:26.000000000 +0800
Change: 2014-09-21 21:29:26.000000000 +0800

This 777 file is where the virus lives.

[root@localhost boot]# find / -name *IptabL* -print
/boot/.IptabLes
/boot/.IptabLex
/etc/rc.d/rc4.d/S55IptabLes
/etc/rc.d/rc4.d/S55IptabLex
/etc/rc.d/rc2.d/S55IptabLes
/etc/rc.d/rc2.d/S55IptabLex
/etc/rc.d/rc3.d/S55IptabLes
/etc/rc.d/rc3.d/S55IptabLex
/etc/rc.d/rc5.d/S55IptabLes
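The three checks this write-up walks through by hand (a second UID-0 account in passwd, dot-prefixed process names that mimic iptables, and the S55 start hooks under rc*.d) collected into a small triage script. This is an added example, not code from the original post; the sample passwd and ps output are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added triage helpers, not from the original post. Needs only POSIX sh, awk and find.

# Constructed sample /etc/passwd: 'sqzr' shares UID 0 with root, as in the post.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
chu:x:500:500::/home/chu:/bin/bash
sqzr:x:0:0::/home/sqzr:/bin/bash'

# Constructed sample of `ps -e` output with the process names seen in the post.
SAMPLE_PS='    1 ?        00:00:01 init
21911 ?        00:00:00 .IptabLex
21917 ?        00:00:00 .IptabLes
29093 ?        00:00:02 prwpodebiq
 1042 ?        00:00:00 sshd'

# Print every account whose UID is 0 but whose name is not root.
# Live usage: uid0_users "$(cat /etc/passwd)"
uid0_users() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print process names that are hidden behind a leading dot, or that mimic
# iptables with different letter case (IptabLes, IptabLex).
# Live usage: odd_process_names "$(ps -e)"
odd_process_names() {
    printf '%s\n' "$1" | awk '{ n = $NF }
        n ~ /^\./ || (tolower(n) ~ /^iptable/ && n != "iptables") { print n }'
}

# Count the SysV start hooks (S??name) for a service in the rc*.d directories
# below $1; prints 0 on a host that has no such service.
# Live usage: rc_hooks /etc/rc.d IptabLes
rc_hooks() {
    find "$1"/rc*.d -name "S??$2" 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone run against the constructed samples.
echo "Extra UID-0 accounts:"; uid0_users "$SAMPLE_PASSWD"
echo "Suspicious process names:"; odd_process_names "$SAMPLE_PS"
```

Note that a random name like prwpodebiq is not caught by the name heuristic; for that, the post's own approach of locating the binary on disk and checking its timestamps and init.d entry is still needed.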
