{"id":5032,"date":"2019-06-17T11:00:17","date_gmt":"2019-06-17T09:00:17","guid":{"rendered":"https:\/\/assistance.groupemagiconline.com\/?post_type=ht_kb&p=5032"},"modified":"2020-06-12T11:14:35","modified_gmt":"2020-06-12T09:14:35","slug":"nettoyer-mon-serveur-prive","status":"publish","type":"ht_kb","link":"https:\/\/assistance.groupemagiconline.com\/en\/knowledge-base\/nettoyer-mon-serveur-prive\/","title":{"rendered":"Clean up my private server"},"content":{"rendered":"
\n

Each\u00a0CMS<\/acronym>\u00a0(joomla, wordpress, drupal, etc.) is a potential source of infection. The same applies to software installed on your servers<\/a>.<\/strong> The infection of your server can be used to install, for example, a\u00a0Botnet<\/a><\/strong>software, or a\u00a0Bitcoin Mining<\/a><\/strong><\/p>\n<\/div>\n

Make a diagnosis<\/h2>\n
\n

In the case of a bitcoin miner, your server's resources will be very busy, so it's quite easy to find the offending process with the command\u00a0top<\/code>\u00a0in\u00a0SSH<\/acronym><\/p>\n

In the case of a botnet, this becomes a bit more critical. We can offer you our help in\u00a0Managed services credit hours<\/a><\/strong>\u00a0if you encounter any difficulties.<\/p>\n

Generally, the procedure is as follows; we start by using the command\u00a0ss<\/code>\u00a0(replacement for\u00a0netstat<\/code>) :<\/p>\n

ss -lntpaue|grep -i 6667<\/pre>\n
This command determines which process communicates via port 6667 (IRC<\/acronym>)<\/p>\n
tcp SYN-SENT 0 1 ip.de.votre.serveur:44098 ip.malicious:6667 timer:(on,30sec,5) users:((\"perl\",7908,4)) uid:10013 ino:34808658 sk:ffff8805c23680c0\r\ntcp SYN-SENT 0 1 ip.de.votre.serveur:47601 ip.malicious.2:6667 timer:(on,28sec,5) users:((\"perl\",17998,4)) uid:10013 ino:34808090 sk:ffff881086770f40\r\ntcp SYN-SENT 0 1 ip.de.your.server:42479 ip.malicious.3:6667 timer:(on,10sec,4) users:((\"perl\",27298,4)) uid:10013 ino:34810070 sk:ffff88000e852e40\r\ntcp SYN-SENT 0 1 ip.de.your.server:48434 ip.malicious.4:6667 timer:(on,10sec,4) users:((\"perl\",27312,4)) uid:10013 ino:34810069 sk:ffff881ee98b8280<\/pre>\n
We then know that PID 7908, a perl process, has sent a\u00a0SYN<\/a><\/strong>\u00a0to the IP \"ip.malicious\".<\/p>\n<\/div>\n
Detecting the infection<\/h2>\n
Identify the script(s)<\/h4>\n
\n
Whether the problem is a bitcoin miner, a botnet, a spam script or anything else, generally the approach is the same.<\/p>\n
Once we have the PID of the script in question, we just have to apply the command\u00a0lsof<\/code>\u00a0using the parameter\u00a0-p<\/code>\u00a0in order to identify the files opened by the kernel of your server, via the identified process.<\/p>\n
root@server:\/# lsof -p 7908\r\nCOMMAND PID USER FD TYPE DEVICE SIZE\/OFF NODE NAME\r\nperl 7908 www-data cwd DIR 0,147 4096 65774431 \/var\/www\/vhosts\/monserver.ispfr.net\/www\/images\/partners\r\nperl 7908 www-data rtd DIR 0,147 4096 64882566 \/\r\nperl 7908 www-data txt REG 0.147 6928 64907675 \/usr\/bin\/perl\r\nperl 7908 www-data mem REG 0.147 80712 66365480 \/lib\/libresolv-2.11.3.so\r\nperl 7908 www-data mem REG 0.147 22928 66365674 \/lib\/libnss_dns-2.11.3.so\r\nperl 7908 www-data mem REG 0.147 51728 66365701 \/lib\/libnss_files-2.11.3.so\r\nperl 7908 www-data mem REG 0.147 43552 66365618 \/lib\/libnss_nis-2.11.3.so\r\nperl 7908 www-data mem REG 0.147 89064 66365442 \/lib\/libnsl-2.11.3.so\r\nperl 7908 www-data mem REG 0.147 31616 66365673 \/lib\/libnss_compat-2.11.3.so\r\nperl 7908 www-data mem REG 0.147 17640 42543840 \/usr\/lib\/perl\/5.10.1\/auto\/Digest\/MD5\/MD5.so\r\nperl 7908 www-data mem REG 0.147 13992 42543857 \/usr\/lib\/perl\/5.10.1\/auto\/MIME\/Base64\/Base64.so\r\nperl 7908 www-data mem REG 0.147 25976 36315140 \/usr\/lib\/perl\/5.10.1\/auto\/Socket\/Socket.so\r\nperl 7908 www-data mem REG 0.147 86072 42550019 \/usr\/lib\/perl\/5.10.1\/auto\/Storable\/Storable.so\r\nperl 7908 www-data mem REG 0.147 18120 36241410 \/usr\/lib\/perl\/5.10.1\/auto\/Fcntl\/Fcntl.so\r\nperl 7908 www-data mem REG 0.147 19920 36282369 \/usr\/lib\/perl\/5.10.1\/auto\/IO\/IO.so\r\nperl 7908 www-data mem REG 0.147 35104 66365563 \/lib\/libcrypt-2.11.3.so\r\nperl 7908 www-data mem REG 0.147 1437064 66365693 \/lib\/libc-2.11.3.so\r\nperl 7908 www-data mem REG 0,147 131258 66365502 \/lib\/libpthread-2.11.3.so\r\nperl 7908 www-data mem REG 0.147 530736 66365430 \/lib\/libm-2.11.3.so\r\nperl 7908 www-data mem REG 0,147 14696 66365682 \/lib\/libdl-2.11.3.so\r\nperl 7908 www-data mem REG 0,147 1494792 65005681 \/usr\/lib\/libperl.so.5.10.1\r\nperl 7908 www-data mem REG 0.147 128744 66365635 \/lib\/ld-2.11.3.so\r\nperl 7908 www-data 0r CHR 1,3 0t0 64890531 \/dev\/null\r\nperl 7908 www-data 1w FIFO 0,8 0t0 880179538 pipe\r\nperl 7908 www-data 2w FIFO 0,8 0t0 880179538 pipe\r\nperl 7908 www-data 3u IPv4 2691366378 0t0 TCP monserveur.ispfr.net:41386->87.250.73.120:ircd (SYN_SENT)\r\nperl 7908 www-data 54r FIFO 0,8 0t0 875280500 pipe\r\nperl 7908 www-data 55w FIFO 0,8 0t0 875280500 pipe\r\nperl 7908 www-data 56r FIFO 0.8 0t0 875280501 pipe\r\nperl 7908 www-data 57w FIFO 0.8 0t0 875280501 pipe<\/pre>\n
We can see that the first line identifies the incriminated file:\u00a0perl 7908 www-data cwd DIR 0.147 4096 65774431 \/var\/www\/vhosts\/monserver.ispfr.net\/www\/images\/partners<\/code><\/p>\n
The directory\u00a0\/var\/www\/vhosts\/monserver.ispfr.net\/www\/images\/partners<\/code>\u00a0therefore contains the incriminated file.<\/p>\n
So we open the file, in order to know what it contains:<\/p>\n
root@monserveur:\/var\/www\/vhosts\/monserveur.ispfr.net\/www\/images\/partenaires# ls\r\nDeNia.phtml image55.jpg jrtv.jpg d.jpg index.html xml.phtml<\/pre>\n
If you open the file\u00a0DeNia.phtml<\/code><\/p>\n
?php\r\n\/*******************************************\/\r\n\/* c99 injektor v.9 (C) 2011 *\/\r\n\/* Re-coded and modified By DeNia *\/\r\n\/* #Denia@irc.allnetwork.org *\/\r\n\/*******************************************\/<\/pre>\n
We can then find\u00a0some traces on the Internet<\/a><\/strong>\u00a0of the origin of the attack. We can, therefore, assume that all the sites on your server that are on the same\u00a0CMS<\/acronym>\u00a0are all infected in the same way.<\/p>\n
The files in\u00a0.jpg<\/code>\u00a0present in this folder are not necessarily all legitimate; if we open the first one in the list :<\/p>\n
# head image55.jpg\r\n#!\/usr\/bin\/perl\r\nuse HTTP::Request;\r\nuse LWP::UserAgent;\r\nuse IO::Socket;\r\nuse IO::Select;\r\nuse Socket;\r\nuse MIME::Base64;\r\nuse File::Basename;\r\nuse URI::Escape;\r\nuse Digest::MD5 qw(md5_hex);<\/pre>\n
You can see that this is a malicious script. The same goes for the following image:<\/p>\n
# head d.jpg\r\n#!\/usr\/bin\/perl\r\n\r\nuse HTTP::Request;\r\nuse HTTP::Request::Common;\r\nuse HTTP::Request::Common qw(POST);\r\nuse LWP::Simple;\r\nuse LWP 5.64;\r\nuse LWP::UserAgent;\r\nuse Socket;\r\nuse IO::Socket;<\/pre>\n<\/div>\n
Eliminate the problem<\/h4>\n
\n
Once you are sure you have identified the malicious scripts, you should cut off the threat.<\/p>\n
For this, a simple and radical way works very well:<\/p>\n
cd \/the\/path\/my\/folder\/content\/files\/infected\/\r\nchmod -R 0 *<\/pre>\n
Then we cut off the botnet activity:<\/p>\n
kill -9 7908<\/pre>\n
(7908<\/strong>\u00a0corresponding of course to the PID of the script)<\/p>\n<\/div>\n
Update<\/h4>\n
\n
The\u00a0CMS<\/acronym>\u00a0are no exception to the need to update. It is therefore\u00a0primordial<\/strong>\u00a0to take care of the update of your\u00a0CMS<\/acronym>\u00a0in the most consistent manner possible.<\/p>\n
We invite you to turn to your system administrator if you need help, in case this documentation is not sufficient.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"
Every CMS (joomla, wordpress, drupal, etc.) is a potential source of infection. The same goes for the software installed on your server. The infection of your server can be used to install, for example, a Botnet, or Bitcoin Mining software. Make a diagnosis In the case of a Bitcoin miner, the resources...<\/p>","protected":false},"author":52,"comment_status":"open","ping_status":"closed","template":"","format":"standard","meta":{"footnotes":""},"ht-kb-category":[591,590],"ht-kb-tag":[667],"class_list":["post-5032","ht_kb","type-ht_kb","status-publish","format-standard","hentry","ht_kb_category-serveur-dedie-physique","ht_kb_category-serveur-prive-virtuel","ht_kb_tag-serveur-prive"],"_links":{"self":[{"href":"https:\/\/assistance.groupemagiconline.com\/en\/wp-json\/wp\/v2\/ht-kb\/5032","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/assistance.groupemagiconline.com\/en\/wp-json\/wp\/v2\/ht-kb"}],"about":[{"href":"https:\/\/assistance.groupemagiconline.com\/en\/wp-json\/wp\/v2\/types\/ht_kb"}],"author":[{"embeddable":true,"href":"https:\/\/assistance.groupemagiconline.com\/en\/wp-json\/wp\/v2\/users\/52"}],"replies":[{"embeddable":true,"href":"https:\/\/assistance.groupemagiconline.com\/en\/wp-json\/wp\/v2\/comments?post=5032"}],"version-history":[{"count":0,"href":"https:\/\/assistance.groupemagiconline.com\/en\/wp-json\/wp\/v2\/ht-kb\/5032\/revisions"}],"wp:attachment":[{"href":"https:\/\/assistance.groupemagiconline.com\/en\/wp-json\/wp\/v2\/media?parent=5032"}],"wp:term":[{"taxonomy":"ht_kb_category","embeddable":true,"href":"https:\/\/assistance.groupemagiconline.com\/en\/wp-json\/wp\/v2\/ht-kb-category?post=5032"},{"taxonomy":"ht_kb_tag","embeddable":true,"href":"https:\/\/assistance.groupemagiconline.com\/en\/wp-json\/wp\/v2\/ht-kb-tag?post=5032"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}