Friends, have you ever faced a situation when the server suddenly freezes for no reason, and the fan is spinning frantically? Congratulations, your computer is under a viral attack!

In this article, we will talk about how to deal with viruses on Linux servers (workstations).

Depending on the attacker and the attack method, ordinary people cannot remove the malicious software that is infected with a 100% confidence. It is recommended to reinstall the system immediately after backup of important data. After confirming that the defense is completed, when recovering user data, it is necessary to check and delete executable files and other potentially dangerous files.

It is recommended to use Live CD to launch a server for all cleaning operations described in this article, instead of directly working in the system infected with the virus. Otherwise, the password you have changed can be tracked, the restored file can be changed back in a hidden virus. And even your workflow can be controlled throughout the process.

This article uses the Shell command line and Root privileges are required to perform. If you are not familiar with this, it is recommended to refuse to read this article and reinstall the system.

Find and clean the CPU/GPU process

Use the TOP command to find the processes with the high loading of the CPU.

top

Press the C key on the keyboard in the program interface to sort processes in accordance with the use of CPU and manually find the malicious process.

You can also use the PS command to search for processes with high loading CPU.

ps -eo cmd,pcpu,pid,user --sort -pcpu | head

Having found a process with a high loading CPU, use the LS command to find the actual path to the program.

ls -l /proc/{pid}/exe

Use the Kill command to stop the process.

kill -9 {pid}

Use the RM command to delete suspicious software files (pay attention to the correctness of the command, entering the wrong command can lead to deleting incorrect data).

rm -f {path}

The process of checking the loading of the graphic processor is similar to the process described above. The official NVIDIA video card driver is supplied with the NVIDIA-SMI command to check the loading of the graphic processor. The command looks as follows:

nvidia-smi -q -d utilization -l

After starting the command, the current use of the graphic processor will continue to be displayed. After detecting the PID process, you can use the method described above to determine the actual location of the program and perform the necessary actions.

Refuse these actions:

1. If the malicious program uses the technology of concealment or disguise, the above operations may not allow to accurately determine its location.

2. If the malicious program has other implemented backdors, then the malicious program will start again.

Detection and cleaning of unknown network connections

Use the SS command to detect network monitoring and external connections. The TCP protocol uses the following commands:

ss -anpt

This command displays all TCP auditors and connections, including program names and PIDS.

Command for viewing the UDP protocol:

ss -anpu

You can also use the TCPDUMP command:

TCPDUMP -I {Network map} host {local ip} and udp port {Local port number}

From the output information of the team you can view information about the IP address and the port of the interacting node. If the information is not encrypted, you can also save the captured packages and continue debugging. After receiving the IP address, you can use the public security database to check whether the IP address is a well-known malicious IP address.

Refuse these actions:

1. Network investigation is also effective only if the malware does not use masking and concealment technologies;

2. Some attacks use dynamic IP addresses, and these IP addresses may not be recorded in a public threat analytics;

3. more and more network traffic uses encryption technology, and network capture cannot be used to effective data analysis;

4. There are also more advanced attack methods such as ICMP tunnel, DNS tunnel, etc. ordinary users are more difficult to conduct an investigation on their own, so they are not indicated here;

5. When investigating, it is necessary not only to check the connection initiated from the outside to the system, but also to check the connection, initiated locally. The firewall has little effect on the machine that has penetrated;

Find and fix unusual user accounts

Servers are infected with "miner" viruses, often due to users using weak passwords. If the root user or a user with sudo authority is using a weak password, it is recommended that you stop reading this article and reinstall directly.

It is recommended that after backing up user data, delete user and associated data and restore them. When recovering user data, you should screen out and eliminate executable files and other potentially dangerous files.

Use the root user to change any user password:

passwd {username}

Regular users can change their own passwords:

$ passwd

Linux ssh system supports passwordless login by default, if you are not familiar with this feature, it is highly recommended to learn it yourself and start using it. The default user key is located in ~/.ssh/authorized_keys and can be viewed using the following command:

$ cat ~/.ssh/authorized_keys

To prevent attackers from adding other key trust files, you can check the sshd_config configuration for confirmation:

grep AuthorizedKeysFile /etc/ssh/sshd_config

As a general rule, we recommend preventing the root user from connecting directly to the system via ssh. Instead, the administrator user first logs in as a user with normal privileges and temporarily uses the sudo command to gain root privileges when root privileges are required for operations.

We also recommend that you disable password-based remote login and force all users to log in with certificates. You can use the following command to check the current login settings of the root user.

grep Root /etc/ssh/sshd_config

Check if ssh allows password login:

grep Password /etc/ssh/sshd_config

When executing the above commands, you should also pay attention to the appropriate settings to prevent malicious changes by hackers, for example: allow users without passwords to log in remotely.

Once the authority of the system root user is lost, no user and no file on the system can be trusted. Even if no backdoor program is implemented, users can be added or the built-in user configuration of the system can be changed. You can verify this by checking the /etc/passwd and /etc/shadow files.

Use the following command to view hidden files in Linux:

ls -a

Refuse these actions:

1. An attacker can use a backdoor program to bypass the system's user management mechanism to obtain permissions;

2. Even if only ordinary users use weak passwords, attackers can still gain superuser privileges through local vulnerabilities;

3. If there is a hidden backdoor program or the system is incomplete, all actions may be meaningless;

Find and clean the system from self-running malware

The easiest way for an attacker to continue to control the attacked target is to allow the malware to run along with the system. On a Linux system, there are basically two types of startup program settings, namely the startup script in the form of SysV and the systemd system management mechanism.

SysV Startup Locations:

/etc/init

/etc/init.d

/etc/rc.d

/etc/rc[0-6].d

/etc/rc.local

/etc/inittab

systemd startup locations:

/etc/systemd

~/.config/systemd/user

SysV and systemd are not mutually exclusive. The check should check every file in every subdirectory of the corresponding location at the same time, and also check if the system script introduces other startup locations according to the distribution version, and do a recursive check.

Let's look at other starting locations.

Xserver start location:

/etc/xdg/autostart

~/.config/autostart

The system startup command line can also enter external startup parameters, which can be viewed with the following command:

cat /proc/cmdline

Refuse these actions:

1. If the Linux system startup location is huge and complex, and it differs according to different release versions, and some scenarios are extremely complex. All this determines that manual checking and searching for problems is unprofitable;

2. Installing other programs can also cause new download points to appear on startup, further complicating the investigation;

3. An attacker can use various methods such as adding files, modifying files, and linking external files. The target of an attack is often difficult to find, and especially difficult to detect through manual investigation;

4. The above test locations do not cover all elements of the run test. The exact names and locations of launch items are entirely determined by the personal habits and preferences of the developers of the version of the release being used. If they are not very familiar with a particular system, ordinary people may miss it when checking;

In the next article, we will continue to look at methods for detecting and removing viruses on a Linux system.

Mainton Company - custom software development and testing, SEO and online advertising since 2004.