True unfreedom is the prison one builds in one's own heart.

A record of an emergency response on a Linux host.

0x01 Event Description

A colleague at a certain company ran into a Linux host that was behaving abnormally and suspected it had been implanted with malicious code, so they asked me to take a look. By then the colleague had learned that, because of the server problems, the customer had logged in to check on it and killed the abnormal process, which brought things back to normal; the process came back again afterwards, though.

After obtaining the login information for the server, I began the investigation.

0x02 Vulnerability Investigation

  1. An abnormal file was found in the user's home directory.

  2. Performed a scan using Huorong antivirus software.

  3. Used the stat command to view the file's status.

    • Access: The last time the file's content was read.
    • Modify: The last time the file's content was written.
    • Change: The last time the file's metadata (inode attributes such as permissions or owner) was changed.
  4. Identified the presence of abnormal accounts.

  5. Also found an abnormal file named "tufei34" in the home directory.

  6. Conducted a detection using an online cloud sandbox (https://s.threatbook.cn) and discovered that it was a Trojan backdoor.

  7. Used utmpdump to dump the binary login-record file into readable form and found many abnormal IP addresses connecting to the host.

  8. Used the top command to investigate the processes and found an abnormal process named "rvnshcqhiq" with process ID 13987. Looking into that process ID showed it was connecting to the domain ip183.ip-178-32-145.eu, which was also abnormal.

  9. Used lsof -p PID to view the files and connections the process had open; the abnormal file was located in /usr/bin.

  10. Downloaded the abnormal file "rvnshcqhiq" and performed further analysis using an online cloud sandbox (https://s.threatbook.cn), which revealed that it was the Xorddos Trojan.

  11. The pstree command also showed the presence of the abnormal file process.

  12. Used "strings /usr/bin/rvnshcqhiq" to investigate the Trojan file and found that it set up a scheduled task running every three minutes.

  13. Examined the cron task file.

  14. Additionally, other Trojan files were found in the /usr/bin/ directory.

  15. Checked the startup files using "ls /etc/rc*".

0x03 Using clamav for scanning

Ran a clamav scan of the /usr/bin directory; the results showed infected files.

Analyzed one of the /usr/bin/.ssh files and found numerous abnormal IP addresses in it.

Scanned the files in the /etc/ directory using clamav.

The Mysql file was also a Trojan.

Analyzed the login records and found that the first two successful logins came from 54.36.137.146 and 37.44.212.223, both foreign IPs.
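Both the utmpdump step earlier and the login-record analysis here come down to reading the text that utmpdump produces from the binary wtmp/btmp files. The script below is an added example, not the post's own work: it parses that text (util-linux layout, `[type] [pid] [id] [user] [line] [host] [addr] [time]`, with type 7 meaning USER_PROCESS, a completed login), counts successful logins per source host and lists the first N logins in record order. The sample records are constructed for the demo, using the two addresses named above.

```shell
#!/usr/bin/env bash
# Added example, not the original post's code: parse utmpdump output,
# count successful logins per source host and list the earliest ones.
# Assumes the util-linux utmpdump line layout; sample data is constructed.

# Turn "[7] [01201] [ts/0] [root    ] ..." into "7|01201|ts/0|root    |..."
# so awk can split on a single character. Reads files or stdin.
utmp_fields() {                # utmp_fields [FILE...]
    sed 's/^\[//; s/]$//; s/] *\[/|/g' "$@"
}

# Count type-7 (USER_PROCESS) records per host, most frequent first.
login_ips_by_count() {         # login_ips_by_count [FILE...]
    utmp_fields "$@" |
    awk -F '|' '
        $1 == "7" {
            host = $6; gsub(/[[:space:]]/, "", host)
            if (host != "") seen[host]++
        }
        END { for (h in seen) print seen[h], h }' |
    sort -rn -k1,1
}

# Print "time user host" for the first N type-7 records in file order;
# wtmp is appended chronologically, so these are the earliest logins.
first_successful_logins() {    # first_successful_logins N [FILE...]
    local n="$1"; shift
    utmp_fields "$@" |
    awk -F '|' '$1 == "7" {
        gsub(/[[:space:]]/, "", $4); gsub(/[[:space:]]/, "", $6)
        print $8, $4, $6
    }' | head -n "$n"
}

# Constructed sample in utmpdump format: a reboot record, two logins from
# the first address, a logout (type 8) and one login from the second.
sample_wtmp_txt() {
cat <<'EOF'
[2] [00000] [~~  ] [reboot  ] [~           ] [5.4.0               ] [0.0.0.0        ] [2023-05-01T08:00:00,000000+00:00]
[7] [01201] [ts/0] [root    ] [pts/0       ] [54.36.137.146       ] [54.36.137.146  ] [2023-05-01T10:00:00,000000+00:00]
[8] [01201] [ts/0] [        ] [pts/0       ] [                    ] [0.0.0.0        ] [2023-05-01T10:05:00,000000+00:00]
[7] [01333] [ts/1] [root    ] [pts/1       ] [37.44.212.223       ] [37.44.212.223  ] [2023-05-01T11:00:00,000000+00:00]
[7] [01444] [ts/0] [root    ] [pts/0       ] [54.36.137.146       ] [54.36.137.146  ] [2023-05-02T09:00:00,000000+00:00]
EOF
}

echo "== successful logins per host (sample) =="
sample_wtmp_txt | login_ips_by_count
echo "== first two successful logins (sample) =="
sample_wtmp_txt | first_successful_logins 2
```

On a live host the same functions take the real dump: `utmpdump /var/log/wtmp > wtmp.txt && login_ips_by_count wtmp.txt`; running it over a dump of /var/log/btmp instead shows where the failed attempts came from.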

0x04 Recommendations for Resolution

  • Clean up the abnormal files on the server. Because the Trojan regenerates itself, first strip the permissions of the Trojan files, then delete the start-up Trojan program and its symbolic links, manually remove every original Trojan file, and clear the scheduled tasks the malicious files created.
  • Install clamav to scan for and delete infected files.
  • If circumstances allow, redeploy the server so that no residue of the infection remains.
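The first recommendation is a fixed sequence, and getting the order wrong (removing the binary before its cron entry, say) is how the respawn described earlier keeps winning. The script below is an added example, not the post's own procedure: it performs the steps in the order given above as shell functions, and moves each artefact into a quarantine directory with its SHA-256 recorded instead of deleting it, so the evidence survives for later analysis. All paths are arguments; the `--demo` mode builds a constructed fake artefact in a temporary directory.

```shell
#!/usr/bin/env bash
# Added example, not the original post's code: the clean-up sequence from
# the recommendations above (disarm the file, remove start-up links,
# clear cron entries, then take the file away), with the artefact moved to
# quarantine and hashed rather than deleted. Paths are arguments.

# Capture the hash before anything else touches the file.
record_hash() {                # record_hash QUAR_DIR TARGET
    mkdir -p "$1"
    sha256sum -- "$2" >> "$1/hashes.txt"
}

# Remove the immutable flag (malware sometimes sets it) and strip every
# permission bit so a respawn attempt cannot execute the file.
# chattr only works on filesystems that support it; failure is ignored.
disarm_file() {                # disarm_file TARGET
    chattr -i "$1" 2>/dev/null || true
    chmod 000 -- "$1"
}

# Delete the symlinks under RC_DIR (the /etc/rc*.d start-up links) whose
# target is TARGET, printing each one removed (GNU find).
remove_rc_links() {            # remove_rc_links RC_DIR TARGET
    find "$1" -type l -lname "$2" -print -delete 2>/dev/null || true
}

# Drop cron lines mentioning TARGET. Fixed-string match, so slashes and
# dots in the path are not treated as a pattern.
remove_cron_refs() {           # remove_cron_refs CRON_FILE TARGET
    local tmp
    tmp="$(mktemp)"
    grep -v -F -- "$2" "$1" > "$tmp" || true     # grep exits 1 when nothing is left
    cat "$tmp" > "$1"                             # keeps the cron file's mode and owner
    rm -f "$tmp"
}

# Move TARGET into QUAR_DIR under a name that encodes its original path.
quarantine_file() {            # quarantine_file QUAR_DIR TARGET
    local dest
    dest="$1/$(printf '%s' "$2" | tr '/' '_')"
    mv -- "$2" "$dest" && printf '%s\n' "$dest"
}

# One artefact, start to finish, in the order the recommendations give.
clean_artifact() {             # clean_artifact TARGET RC_DIR CRON_FILE QUAR_DIR
    record_hash "$4" "$1"
    disarm_file "$1"
    remove_rc_links "$2" "$1"
    remove_cron_refs "$3" "$1"
    quarantine_file "$4" "$1"
}

# Demo on a constructed artefact in a temporary directory (no real paths).
if [ "${1:-}" = "--demo" ]; then
    T="$(mktemp -d)"; mkdir -p "$T/bin" "$T/rc3.d"
    printf '#!/bin/sh\necho constructed sample\n' > "$T/bin/fakeware"
    chmod 755 "$T/bin/fakeware"
    ln -s "$T/bin/fakeware" "$T/rc3.d/S90fakeware"
    printf '*/3 * * * * root %s\n0 3 * * * root /usr/bin/logrotate\n' "$T/bin/fakeware" > "$T/crontab"
    clean_artifact "$T/bin/fakeware" "$T/rc3.d" "$T/crontab" "$T/quarantine"
    echo "-- remaining cron lines --"; cat "$T/crontab"
    echo "-- recorded hashes --"; cat "$T/quarantine/hashes.txt"
    rm -rf "$T"
fi
```

Hashing comes first because chmod 000 makes the file unreadable to a non-root analyst afterwards; the quarantine directory should sit on the same filesystem as the artefacts so the move is a rename rather than a copy. Run `bash cleanup.sh --demo` to see the sequence on the constructed sample before pointing the functions at a real host.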