Clean up Unix Trojan.DDoS_XOR-1, Chinese Chicken Multiplatform DoS botnets Trojan

So you have identified your server is infected with this Trojan

Using top you can find the random process name

Killing it will just spawn another new random process

There is nothing you can do... just restore your server from backup

Or reinstall your server

Just kidding...

You can clean this trojan because this one is non-destructive

Ok let's go!


First you have to find the pid of the random process using top

You cannot rely on ps because the trojan renames its process name

Then you have to freeze those processes, do not kill them because they will spawn another random process

Use kill -STOP pid [pid] [pid], it will freeze those processes


Next we clean up the trojan from the file system

Truncate /lib/libudev.so and /lib/libudev.so.6 so they contain nothing, because the trojan copies itself from these files to the random names

Make them immutable (chattr +i)

Next edit /etc/crontab, find the lines containing gcc and remove them

Check crontab -e, and all files in /var/spool/cron/

Go to /etc/cron.d and /etc/cron.*, and remove gcc.sh and any other files with random names


Next go to /etc/init.d, find the random files created today in this folder and remove them



Next go to the folder /etc/ConsoleKit, find the files with random names and remove them, and also search the other sub folders

Remove the files with random names in the /etc/rc.d subfolders

Remove the files with random names in /bin


Check again for new processes using top; if there is still a random process name you have to return to step 1

If you are sure there are no more new random processes, you can kill -9 the pids
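Here is a small POSIX sh helper I added for the steps above (it is not code from the post): its functions follow the same order, freeze the PIDs, empty and lock the libudev copies, strip the gcc lines from a crontab file, and list recently changed files in the persistence directories for review before you rm them. The function names and the ROOT variable (point it at a mounted copy of the disk for a dry run) are my own choices, not anything the trojan or the post uses.

```shell
#!/bin/sh
# Added helper for the cleanup steps above (not the post's code); function
# names are mine. Assumes root on the infected box; ROOT may point at a
# mounted copy of the infected filesystem for a dry run (default: live root).
set -u
ROOT="${ROOT:-}"

# Step 1/2: freeze (never kill) the PIDs found in top, so the watchdog
# cannot spawn a replacement. Returns 0 only if every PID was stopped.
freeze_pids() {
    rc=0
    for pid in "$@"; do
        kill -STOP "$pid" 2>/dev/null || { echo "could not stop $pid" >&2; rc=1; }
    done
    return $rc
}

# Step 3: empty the dropper's source copies and lock them. A file the package
# manager claims is skipped, since that one is not the trojan's copy.
neutralise_libudev() {
    for f in "$ROOT/lib/libudev.so" "$ROOT/lib/libudev.so.6"; do
        [ -e "$f" ] || continue
        if dpkg -S "$f" >/dev/null 2>&1 || rpm -qf "$f" >/dev/null 2>&1; then
            echo "skip $f: owned by a package" >&2
            continue
        fi
        : > "$f"                                           # truncate to 0 bytes
        chattr +i "$f" 2>/dev/null || echo "warn: no immutable flag on $f" >&2
    done
}

# Step 4: drop the gcc persistence lines from a crontab file (backup kept
# as FILE.bak) and print how many lines were removed.
strip_gcc_cron_lines() {
    f="$1"
    cp -p "$f" "$f.bak"
    grep -v 'gcc' "$f.bak" > "$f" || true   # grep -v exits 1 if nothing is left
    grep -c 'gcc' "$f.bak" || true          # grep -c exits 1 when the count is 0
}

# Steps 5-9: list, without deleting, files touched in the last 24h in the
# persistence directories, so the random names get a human look before rm.
list_recent_persistence() {
    for d in "$ROOT/etc/cron.d" "$ROOT/etc/init.d" "$ROOT/etc/ConsoleKit" \
             "$ROOT/etc/rc.d" "$ROOT/bin"; do
        [ -d "$d" ] || continue
        find "$d" -type f -mtime -1
    done
}
```

Source the file and call the functions in the order of the steps; re-run top between rounds exactly as the post says, and only kill -9 once nothing new appears.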

Have fun...

