DDoS Trojan attacks

Have you encountered with DDoS Trojan attack?

It’s a familiar issue to all SysAdmins, when we work on DDoS attack. Normally, the top command shows a suspicious process with a random name like, Xdrgwdjd, jjiiyaykzg etc or some system commands like ls, ifconfig, pwd, ping, awk, telnet etc.

When we kill that task another random process is being generated immediately.

Steps to fixing the attack :
———————

1) List the files under hourly cron. If you can see any .sh file, please open it.

root@vps-# ls -la /etc/cron.hourly/

++++++++++
# ls /etc/cron.hourly/
freshclam gcc.sh
++++++++++

2) If the .sh file is showing similar data as shown below, then it’s a Virus program!!

root@vps-# cat /etc/cron.hourly/gcc.sh

++++++++++
cat /etc/cron.hourly/gcc.sh
#! / Bin / sh
PATH = / bin: / sbin: / usr / bin: / usr / sbin: / usr / local / bin: / usr / local / sbin: / usr / X11R6 / bin
for i in `cat / proc / net / dev | grep: | awk -F: {‘print $ 1’}`; do ifconfig $ i up & done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6
++++++++++

3) Now, please don’t be hurry! Stay calm and easy

# Do not delete gcc.sh or do not remove the crontab. If you do delete or remove it, then another process will generate immediately.

# You can either remove the culprit script or disable it. [ I prefer to disable it to show the proof to the customer ]

root@vps-# rm -f /etc/cron.hourly/gcc.sh;

OR

root@vps- # chmod 0 /etc/cron.hourly/gcc.sh; chattr +ia /etc/cron.hourly/gcc.sh; chattr + i /etc/crontab

4) Use top command to view virus or malicious file ( Eg :”mtyxkeaofa” ) PID is 16621, do not directly kill the program, otherwise it will again produce, but to stop its operation use the below command.

———————————-
root@vps- # kill -STOP 16621

# Delete files within /etc/init.d. or disable it [ I prefer to disable it to show the proof to the customer ]

root@vps-# find /etc -name '* mtyxkeaofa *' | xargs rm -f

OR

chmod 0 /usr/bin/mtyxkeaofa;
chmod 0 /etc/init.d/mtyxkeaofa;
chattr +ia /usr/bin/mtyxkeaofa;
chattr +ia /etc/init.d/mtyxkeaofa;

———————————-

6) Delete /usr/bin inside archives.

root@vps-# rm -f /usr/bin/mtyxkeaofa;

7) Check /usr/bin archives recent changes, the virus can also be deleted if the other suspect is the same directory.

root@vps-# ls -lt /usr/bin | head

8) Now kill the malicious program, it will not produce.

root@vps-# pkill mtyxkeaofa

9) Remove the virus body.

root@vps-# rm -f /lib/libudev.so

This trojan is also know as Chinese Chicken Multiplatform DoS botnets Trojan, Unix – Trojan.DDoS_XOR-1, Embedded rootkit,

Note :

~ If you are unable to find .sh file, you may please install ClamAV, RKHunter and check logs/report to find the suspicious/malicious

Isaac Adams-Hands

Full Stack Developer, Digital Marketer, and InfoSec enthusiast. He received his Bachelor’s Degree from the University of Western Sydney and his Business Diploma from Georgian College before joining various marketing positions in search portals, e-commerce, higher education, and addiction recovery services.

Follow @ twitter

Related posts

What is Disaster Recovery as a Service (DRaaS)?

With the continuous emergence of technologies in the social and mobile world, businesses have had no choice but to be more yielding and responsive in their daily activities. However, as much as these business entities have been evolving with evolving technologies, the risk of disaster striking is high. The notion behind this argument is based… Read More

How to Verify SHA1 and SHA256 Checksum on Mac

It is incredibly easy to add a malicious components (malware) to DMG files,  uploading them to file sharing websites like sourceforge.net, & infecting computers on a mass scale.  SHA checksum is added to DMG files like TransmissionBT1, & Handbrake.fr2 to detect file tampering. How to check SHA checksums: In terminal, find the file(s) you’d like to… Read More