Alibaba Cloud server infected with malware

Time: 2021-11-26

Last night I received a text message and an e-mail from Alibaba Cloud saying that the server was infected. The contents are as follows:

It has been detected that your cloud server (IP) is engaging in malicious contracting behavior. In order to avoid affecting the normal use of your server, please pay attention to it and deal with it as soon as possible. You need to check your security risks as soon as possible. At present the system will not penalize your machine, but you must pay attention to it.

I was afraid of being punished (sent to the little black house), so I quickly logged in to the server but found nothing unusual. However, I found that the machine had been running naked (without any firewall) all along, so I quickly installed a firewall. Everything was normal until I received Alibaba Cloud's SMS and e-mail this afternoon: the server could not be logged in to at all, the CPU and bandwidth were maxed out and it was very slow. After waiting for a while I still could not get in, so I restarted the machine directly from the management console. After restarting, I quickly logged in and enabled the firewall, allowing only specific IPs to access the server and cutting off all other access.

Install the anti-virus software ClamAV

ClamAV is a command-line virus scanner. Because disinfection is not its main function, by default it only detects infected files on your machine and does not clean them; at most it can delete the file. ClamAV runs on many platforms, though a few are not supported, depending on how popular the platform is. Its signatures mainly cover Windows viruses and Trojan horse programs, and it is server-oriented software.

Download the ClamAV installation package

Official website: http://www.clamav.net/downloa…

wget http://www.clamav.net/downloads/production/clamav-0.99.2.tar.gz
wget http://nchc.dl.sourceforge.net/project/libpng/zlib/1.2.7/zlib-1.2.7.tar.gz
tar xvzf zlib-1.2.7.tar.gz
cd zlib-1.2.7
./configure
make && make install

Add the clamav group and a clamav user belonging to it

[root@host zlib-1.2.7]# groupadd clamav
[root@host zlib-1.2.7]# useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

Install clamav-0.99.2

[root@host tmp]# tar xvzf clamav-0.99.2.tar.gz
[root@host tmp]# cd clamav-0.99.2
[root@host clamav-0.99.2]# ./configure --prefix=/opt/clamav --disable-clamav
[root@host clamav-0.99.2]# make
[root@host clamav-0.99.2]# make install

Configure ClamAV

1: Create the directories

[root@host clamav-0.99.2]# mkdir /opt/clamav/logs
[root@host clamav-0.99.2]# mkdir /opt/clamav/updata

2: Create the log files

[root@host clamav-0.99.2]# touch /opt/clamav/logs/freshclam.log
[root@host clamav-0.99.2]# touch /opt/clamav/logs/clamd.log

[root@host clamav-0.99.2]# cd /opt/clamav/logs
[root@host logs]# ls
clamd.log  freshclam.log
[root@host logs]# ls -lrt
total 0
-rw-r--r--. 1 root root 0 Aug 21 22:10 freshclam.log
-rw-r--r--. 1 root root 0 Aug 21 22:10 clamd.log

3: Change the owner

[root@host logs]# chown clamav:clamav clamd.log
[root@host logs]# chown clamav:clamav freshclam.log
[root@host logs]# ls -lrt
total 0
-rw-r--r--. 1 clamav clamav 0 Aug 21 22:10 freshclam.log
-rw-r--r--. 1 clamav clamav 0 Aug 21 22:10 clamd.log

4: Modify the configuration files

root@host:/opt/clamav# vim /opt/clamav/etc/clamd.conf

Comment out the "Example" line (line 8 of the file), then uncomment the following directives and change their paths as shown:

LogFile /opt/clamav/logs/clamd.log
PidFile /opt/clamav/updata/clamd.pid
DatabaseDirectory /opt/clamav/updata

root@host:/opt/clamav# vim /opt/clamav/etc/freshclam.conf

Comment out the "Example" line here as well; otherwise the following errors occur when updating the virus database:

Note that freshclam.conf has its own DatabaseDirectory directive. If it is left at the default (/opt/clamav/share/clamav, which is where step 5 below ends up writing) while clamd.conf points at /opt/clamav/updata, clamd will not load the signatures that freshclam downloads, so both files should name the same directory.

ERROR: Please edit the example config file /opt/clamav/etc/freshclam.conf
ERROR: Can't open/parse the config file /opt/clamav/etc/freshclam.conf

5: Update the virus database

[root@host etc]# /opt/clamav/bin/freshclam
ERROR: Can't change dir to /opt/clamav/share/clamav

If the above error occurs, simply create the directory and give ownership of it to the clamav user:

[root@host etc]# mkdir -p /opt/clamav/share/clamav
[root@host etc]# chown clamav:clamav /opt/clamav/share/clamav

Continue the update (it is very slow):

[root@host etc]# /opt/clamav/bin/freshclam
ClamAV update process started at Thu Mar  9 18:33:03 2017
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.97.6 Recommended version: 0.99.2
DON'T PANIC! Read http://www.clamav.net/support/faq
Downloading main.cvd [100%]

main.cvd updated (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Downloading daily.cvd [  4%]

Because this ClamAV is not the latest version, a warning is printed; you can ignore it or upgrade to the latest version. The virus database needs to be updated regularly; for example, I updated the virus database again the next day.

6: Using ClamAV

Run /opt/clamav/bin/clamscan -h to view the help information for the options below.

·To scan the home directories of all users, use clamscan -r /home

·To scan all files on the machine and display the scan result for every file, use clamscan -r /

·To scan all files on the machine and display only the infected files, use clamscan -r --bell -i /

Run the following command to scan all files under the root directory. In my case 56 files were infected, basically Linux.Trojan.Agent and Linux.Backdoor.Gates:

/opt/clamav/bin/clamscan -r --bell -i /

root@host:/opt/clamav/etc# /opt/clamav/bin/clamscan -r /bin --bell -i /
/bin/DDosClient: Unix.Trojan.Flooder-27 FOUND
/bin/ss: Unix.Trojan.Agent-37008 FOUND

Delete the infected files manually. Before removing a hit, check whether the file belongs to a system package (rpm -qf on CentOS, dpkg -S on Debian/Ubuntu): /bin/ss is the standard socket statistics tool from the iproute package, so a detection on it means the original binary was replaced, and the package should be reinstalled after the infected copy is removed rather than leaving the tool missing.

[root@host bin]# ls DDos*
[root@host bin]# rm DDosClient
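Instead of deleting hits straight away as above, a safer routine is to quarantine them with a record of what was moved. The following POSIX shell script is an added example (not from the original post): it parses clamscan's "PATH: SIGNATURE FOUND" lines, records each file's SHA-256 and owning package (queried with rpm or dpkg when present, "unknown" otherwise), and moves the file into a quarantine directory with mode 000 so a replaced system binary like /bin/ss can still be compared with, and reinstalled from, its package. The sample file tree and scan report it works on are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): quarantine clamscan hits instead of
# deleting them. Each "PATH: SIGNATURE FOUND" line is parsed, the file's SHA-256 and
# owning package are recorded, and the file is moved to a quarantine dir with mode 000.
# Constructed sample tree standing in for the infected host; $1 is a scratch dir.
make_sample_tree() {
    mkdir -p "$1/bin" "$1/etc"
    printf 'fake flooder\n' > "$1/bin/DDosClient"
    printf 'fake replaced ss\n' > "$1/bin/ss"
    printf 'clean file\n' > "$1/etc/motd"
}

# Constructed report in the format clamscan -i prints (hits, an OK line, summary).
sample_report() {
    printf '%s: Unix.Trojan.Flooder-27 FOUND\n' "$1/bin/DDosClient"
    printf '%s: Unix.Trojan.Agent-37008 FOUND\n' "$1/bin/ss"
    printf '%s: OK\n\n----------- SCAN SUMMARY -----------\nInfected files: 2\n' "$1/etc/motd"
}

# Print only the paths of infected files: strip the trailing ": <signature> FOUND".
infected_paths() {
    printf '%s\n' "$1" | sed -n 's/: [^:]* FOUND$//p'
}

# Owning package of a file via rpm (CentOS) or dpkg (Debian); "unknown" if none.
package_owner() {
    if command -v rpm >/dev/null 2>&1 && o=$(rpm -qf "$1" 2>/dev/null); then echo "$o"
    elif command -v dpkg >/dev/null 2>&1 && o=$(dpkg -S "$1" 2>/dev/null); then echo "${o%%:*}"
    else echo unknown
    fi
}

# quarantine_report REPORT QDIR: move each hit to QDIR/<original path> with mode 000
# and append "path sha256 owner" to QDIR/manifest; prints the number of files moved.
quarantine_report() {
    qdir="$2"; n=0; mkdir -p "$qdir"
    infected_paths "$1" > "$qdir/hits"          # keep the raw hit list as evidence
    while IFS= read -r f; do
        [ -f "$f" ] || continue                  # skip hits that are already gone
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        owner=$(package_owner "$f")              # query before the file is moved
        dest="$qdir$f"
        mkdir -p "$(dirname "$dest")"
        mv -f "$f" "$dest" && chmod 000 "$dest"
        printf '%s %s %s\n' "$f" "$sum" "$owner" >> "$qdir/manifest"
        n=$((n + 1))
    done < "$qdir/hits"
    echo "$n"
}
```

On a real host, pass the saved output of clamscan -r --bell -i / as the REPORT argument; the manifest then tells you which quarantined files were package-owned and need reinstalling.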