0x01 Event Description#
A colleague encountered a Linux host running abnormally at a certain company, suspected of being implanted with malicious code. They asked me to take a look. At that time, my colleague found out that due to problems with the server's business, customers logged in to the server to check the situation and killed the abnormal process, restoring normal operation. However, the process would restart again afterwards.
After obtaining the login information for the server, I began to investigate.
0x02 Vulnerability Investigation#
-
An abnormal file was found in the user's home directory.
-
Checked with Huorong antivirus software.
-
Used the "stat" command to view the file's status.
- Access: The last time the file was accessed.
- Modify: The last time the file's content was modified.
- Change: The last time the file's attributes were changed.
-
Found abnormal accounts.
-
Also found an abnormal file "tufei34" in the home directory.
-
Detected it as a Trojan backdoor using an online sandbox (https://s.threatbook.cn).
-
Used "utmpdump" to extract readable content from the binary file and found many abnormal IP connections.
-
Used the "top" command to investigate the processes and found an abnormal process named "rvnshcqhiq" with process ID 13987. Analyzing the process ID, it was found to be connecting to the IP address 183.ip-178-32-145.eu, which is also an abnormal domain.
-
Used "lsof -p PID" to check the process's connections. The abnormal file was located in /usr/bin.
-
Downloaded the abnormal file "rvnshcqhiq" and further analyzed it using an online sandbox (https://s.threatbook.cn), discovering that it is the Xorddos Trojan.
-
The "pstree" command can also show the abnormal file process.
-
Used "strings /usr/bin/rvnshcqhiq" to investigate the Trojan file and found that it starts a scheduled task every three minutes.
-
Checked the task scheduling file.
-
Also found other Trojan files in the /usr/bin/ directory.
-
Checked the startup files using "ls /etc/rc*".
0x03 Using "clamav" for scanning#
Used "clamav" for scanning and analyzed one of the files in /usr/bin, finding many abnormal IP addresses.
Scanned the files in the /etc/ directory using "clamav".
The MySQL file was also found to be a Trojan.
Analyzed the login records and found that the first two successful login IP addresses were 54.36.137.146 and 37.44.212.223, both of which are foreign IP addresses.
0x04 Recommendations#
- Clean up the abnormal files on the server. Since the Trojan will regenerate, first disable the permissions of the Trojan files, delete the Trojan program and symbolic links that start up automatically, manually remove all the original Trojan files, and clear the scheduled tasks generated by the malicious files.
- Install "clamav" to scan and delete infected files.
- If conditions permit, it is recommended to redeploy the server to prevent the symptoms of virus residue.