Clean up Unix Trojan.DDoS_XOR-1, Chinese Chicken Multiplatform DoS botnets Trojan
So you have identified that your server is infected with this Trojan.
Using top you can find a process with a random name.
Killing it will just spawn another process with a new random name.
There is nothing you can do... just restore your server from backup.
Or reinstall your server.
Just kidding...
You can clean this trojan, because this one is non-destructive.
Ok, let's go!
First you have to find the PID of the random process using top.
You cannot use ps, because the trojan renames the process name.
Then you have to freeze those processes; do not kill them, because that will spawn another random process.
Use kill -STOP pid [pid] [pid] to freeze those processes.
Next we clean the trojan out of the file system.
Truncate /lib/libudev.so and /lib/libudev.so.6 so they contain nothing, because the trojan copies from this file to a random name.
Make them immutable (chattr +i).
Next edit /etc/crontab, find the lines containing gcc and remove them.
Check crontab -e, and all files in /var/spool/cron/.
Go to /etc/cron.d and /etc/cron.* and remove gcc.sh and any other random names.
Next go to /etc/init.d, find the random files created today in this folder and remove them.
Next go to the folder /etc/ConsoleKit, find files with random names and remove them, and also search the other sub folders.
Remove files with random names in the /etc/rc.d subfolders.
Remove any files with random names in /bin.
Check again for new processes using top; if there is still a random process name you have to return to step 1.
If you are sure there are no more new random processes, you can kill -9 the pids.
Have fun...
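A read-only triage script for the file-system side of the steps above, written as an added example (it is not the post author's code, and the script name and function names are made up here). It assumes the artifact locations the post names: gcc entries in /etc/crontab, /etc/cron* and /var/spool/cron, a gcc.sh file under /etc/cron*, freshly written files in /etc/init.d, /etc/rc.d and /etc/ConsoleKit, and a non-empty /lib/libudev.so or libudev.so.6. The root directory is a parameter so it can be run against a mounted copy of the disk or a constructed test tree; it only lists what it finds and leaves the truncating, chattr +i and removal to you after review. Freezing the processes with kill -STOP first, as the post says, is still done by hand.

```shell
#!/bin/sh
# xorddos_triage.sh (hypothetical name): report XOR.DDoS-style artifacts under
# a given root. Nothing is modified; review the output, then clean up by hand.
set -eu

# Cron persistence: print "file:line:text" for every line mentioning gcc in the
# cron files the post lists, plus the path of any file itself named gcc.sh.
find_gcc_cron_entries() {
    root=$1
    for f in "$root/etc/crontab" "$root"/etc/cron*/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        case "$f" in *gcc.sh) echo "$f"; continue ;; esac
        grep -n 'gcc' "$f" 2>/dev/null | sed "s|^|$f:|"
    done
    return 0
}

# Dropper copies: regular files in the startup directories modified within the
# last day (the post's "random files created today"). Legitimate files touched
# by an update show up here too, so read the list before deleting anything.
find_recent_startup_files() {
    root=$1
    for d in "$root/etc/init.d" "$root/etc/rc.d" "$root/etc/ConsoleKit"; do
        [ -d "$d" ] || continue
        find "$d" -type f -mtime -1 2>/dev/null
    done
    return 0
}

# The post truncates /lib/libudev.so* so the trojan has nothing left to copy.
# Report any of those files that is still non-empty.
find_nonempty_libudev() {
    root=$1
    for f in "$root/lib/libudev.so" "$root/lib/libudev.so.6"; do
        [ -s "$f" ] && echo "$f"
    done
    return 0
}

# Run every check; print the findings and return 1 if there were any, so the
# script doubles as the "still infected?" gate before the final kill -9.
scan_root() {
    root=$1
    findings=$( {
        find_gcc_cron_entries "$root"
        find_recent_startup_files "$root"
        find_nonempty_libudev "$root"
    } )
    if [ -n "$findings" ]; then
        echo "$findings"
        return 1
    fi
    echo "no XOR.DDoS artifacts found under $root"
    return 0
}

# Usage: sh xorddos_triage.sh /            (live system)
#        sh xorddos_triage.sh /mnt/image   (mounted copy)
if [ "$#" -gt 0 ]; then
    scan_root "$1"
fi
```

Run it once after freezing the processes and again after the cleanup; a zero exit status on the second run is the cue the post gives for moving on to kill -9.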