xor和gates的专杀脚本
2016-01-21 17:32
前段时间的一次样本,需要给出专杀,应急中遇到的是linux中比较常见的两个家族gates和xor。
首先是xor的专杀脚本,xor样本查杀的时候需要注意的是样本的主进程和子进程相互保护(详见之前的xor ddos分析http://www.cnblogs.com/goabout2/p/4888651.html),想要杀掉的话,需要先通过kill -STOP挂起主进程,再删除其他的文件;但是由于xor的进程名是随机值,同时主机上还有gates木马(gates最显著的特征就是会替换系统文件ps、lsof、ss、netstat),因此为了不受被替换命令的影响,脚本必须避免依赖这些系统命令。
此处通过遍历/proc/<pid>/maps文件获取所有进程映射的程序路径,再与特征值匹配出的样本路径对比,从而确定主进程的pid。
对于gates木马需要注意的是,样本第一次运行时的文件不会被删除,通过二进制分析是获取不到该样本路径的,所幸该路径保存在/etc/init.d/DbSecuritySpt的启动文件中。
首先是xor的专杀脚本,xor样本查杀的时候需要注意的是样本的主进程和子进程相互保护(详见之前的xor ddos分析http://www.cnblogs.com/goabout2/p/4888651.html),想要杀掉的话,需要先通过kill -STOP挂起主进程,再删除其他的文件;但是由于xor的进程名是随机值,同时主机上还有gates木马(gates最显著的特征就是会替换系统文件ps、lsof、ss、netstat),因此为了不受被替换命令的影响,脚本必须避免依赖这些系统命令。
此处通过遍历/proc/<pid>/maps文件获取所有进程映射的程序路径,再与特征值匹配出的样本路径对比,从而确定主进程的pid。
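import os
import re
import signal
import sys
import time

# Indicators for the XOR DDoS sample handled here (values from the writeup):
#   sigin    - byte pattern present in the dropped binaries
#   filepath - where the dropper lands; "dingzhi_random_10_word1" stands for
#              the random ten-lowercase-letter name chosen at infection time
#   delpath  - persistence files to remove; "fromdingzhi_" is replaced by the
#              random name once it is known
sigin = "m4S4nAC/nA"
filepath = "/boot/dingzhi_random_10_word1;/lib/udev/udev"
delpath = "/etc/cron.hourly/cron.sh;/etc/init.d/fromdingzhi_"

# read size for the signature scan; large files in /boot are streamed
_CHUNK = 1 << 20


#read file
def readfile(path):
    """Return the text content of *path*.

    Used for /proc/<pid>/maps; IOError/OSError propagate to the caller.
    """
    with open(path) as fh:
        return fh.read()


def _contains(fp, needle):
    """Return True if the byte string *needle* occurs anywhere in file *fp*.

    The file is read in binary, so kernel images and other non-text files
    are neither decoded nor loaded whole; the tail of the previous chunk is
    kept so a needle straddling two chunks is still found.  An unreadable
    file counts as "no match".
    """
    keep = len(needle) - 1
    tail = b""
    try:
        with open(fp, "rb") as fh:
            while True:
                chunk = fh.read(_CHUNK)
                if not chunk:
                    return False
                if needle in tail + chunk:
                    return True
                tail = chunk[-keep:] if keep else b""
    except (IOError, OSError):
        return False


#scan the filesystem in the os with specify eigenvalue
def scanforeigen(path, word):
    """Walk *path* and return the first regular file containing *word*.

    Returns None when nothing matches or *path* does not exist.  Matches
    found in subdirectories are returned too (the recursive result used to
    be dropped).  os.walk does not follow symlinked directories and skips
    unreadable ones, so a directory link back to itself cannot recurse
    forever.
    """
    needle = word if isinstance(word, bytes) else word.encode("ascii")
    for dirpath, _dirnames, filenames in os.walk(path):
        for filename in filenames:
            fp = os.path.join(dirpath, filename)
            if not os.path.isfile(fp):
                continue
            print(fp)
            if _contains(fp, needle):
                print("find in the file:" + fp)
                return fp
    return None


#check the specify dir through property, return the matching paths in a list
def check():
    """Locate the sample's two drops and return their paths.

    A /boot file is only accepted when it carries the signature AND has a
    ten-lowercase-letter name; the /lib/udev file must be named "udev".
    Returns an empty list on a clean host.
    """
    targetlist = []
    bootfile = scanforeigen("/boot", sigin)
    if bootfile:
        bootfilename = os.path.basename(bootfile)
        if len(bootfilename) == 10 and re.match(r"^[a-z]+$", bootfilename):
            targetlist.append(bootfile)
    libfile = scanforeigen("/lib/udev", sigin)
    if libfile and os.path.basename(libfile) == "udev":
        targetlist.append(libfile)
    return targetlist


def _signal(pid, sig):
    """Deliver *sig* to *pid* with os.kill, so no external kill binary is run.

    A process that already exited (or a non-numeric pid) is reported, not
    fatal.
    """
    try:
        os.kill(int(pid), sig)
    except (OSError, ValueError) as err:
        print("signal " + str(sig) + " to " + str(pid) + " failed: " + str(err))


def _remove(path):
    """Unlink *path* with os.remove, so no external rm binary is run.

    A missing file is reported, not fatal.
    """
    try:
        os.remove(path)
    except OSError as err:
        print("rm " + path + " failed: " + str(err))


def kill():
    """Suspend the sample's processes, delete its files, then kill them.

    The main process and its children restore each other, so every pid
    whose mappings reference the /boot drop is SIGSTOPped first, the files
    are removed while nothing can re-drop them, and only then SIGKILL is
    sent to all of them.  Signals and unlinks go through os.kill/os.remove
    rather than a shell, because gates replaces ps/ss/lsof/netstat on the
    same hosts.
    """
    targetlist = check()
    print(targetlist)
    if not targetlist:
        print("sample not found, nothing to do")
        return

    # only the /boot drop has the random name that identifies the processes;
    # matching on "udev" would hit every process that maps libudev
    bootdrops = [t for t in targetlist if t.startswith("/boot/")]
    bootname = None
    if bootdrops:
        boot = bootdrops[0]
        print("boot is " + boot)
        bootname = os.path.basename(boot)
    else:
        print("no /boot drop found; only files will be removed")

    itemlist = []
    if bootname:
        mypid = str(os.getpid())
        for itemnum in os.listdir("/proc"):
            # numeric entries are pids; skip our own process
            if not itemnum.isdigit() or itemnum == mypid:
                continue
            path = "/proc/" + itemnum + "/maps"
            try:
                mapscontent = readfile(path)
            except (IOError, OSError):
                # the process exited meanwhile, or maps is not readable
                continue
            if bootname in mapscontent:
                print("the pid of the " + bootname + " is " + itemnum)
                itemlist.append(itemnum)
    print(itemlist)

    #stop the father process (and every other pid mapping the sample)
    for item in itemlist:
        print("item is " + item)
        _signal(item, signal.SIGSTOP)
        time.sleep(5)
        print("going sleeping")

    #delete the files
    for target in targetlist:
        print("del the " + target)
        _remove(target)
    for delfile in delpath.split(";"):
        if os.path.basename(delfile) == "fromdingzhi_":
            if not bootname:
                continue  # placeholder cannot be resolved without the name
            delfile = delfile.replace("fromdingzhi_", bootname)
        print("del the " + delfile)
        _remove(delfile)

    #kill every suspended process, not just the last one found
    for item in itemlist:
        print("kill -9 " + item)
        _signal(item, signal.SIGKILL)


def main(argv):
    """Command line entry: ``-check`` prints the drops found, ``-kill`` removes them."""
    if len(argv) < 2 or argv[1] not in ("-check", "-kill"):
        print("usage: " + argv[0] + " -check | -kill")
        return 2
    if argv[1] == "-check":
        print(check())
    else:
        kill()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))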
对于gates木马需要注意的是,样本第一次运行时的文件不会被删除,通过二进制分析是获取不到该样本路径的,所幸该路径保存在/etc/init.d/DbSecuritySpt的启动文件中。
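import os
import shutil
import signal
import sys
import time

#linux.tragon.bill.gates
# Indicators from the writeup: the signature searched for in the tool
# directories, the init scripts gates installs, the files it drops, the
# files to remove and the pid files the dropper writes.
sigin = "88FD2FE8EF8D51263B037677FD30F25CBFEB57F759F711FB41956288A85E9655F"
initpaht = "/etc/init.d/selinux;/etc/init.d/DbSecuritySpt"
filedir = "/usr/bin;/usr/sbin;/bin;/usr/bin/bsd-port;/usr/bin/dpkgd"
filepath = "/usr/bin/.sshd;/usr/bin/bsd-port/getty"
# "netsata" in the original list was a typo for netstat, the fourth tool
# gates replaces (and the one restored from dpkgd below)
delpath = "/usr/bin/ps;/usr/bin/ss;/usr/bin/lsof;/usr/bin/netstat;/usr/sbin/ps;/usr/sbin/ss;/usr/sbin/lsof;/usr/sbin/netstat;/bin/ps;/bin/ss;/bin/lsof;/bin/netstat;/etc/init.d/selinux;/etc/init.d/DbSecuritySpt;/tmp/moni.lod;/tmp/gates.lod;/usr/bin/bsd-port/getty.lock"
configfile = "/tmp/moni.lod;/tmp/gates.lod;/usr/bin/bsd-port/getty.lock"
findlist = []

# the system tools gates replaces, and the directory the clean copies are
# restored from (the original script copies them back from there)
_TOOLS = ("ps", "ss", "lsof", "netstat")
_BACKUPDIR = "/usr/bin/dpkgd"

# read size for the signature scan; binaries are streamed, not loaded whole
_CHUNK = 1 << 20


#read file
def readfile(path):
    """Return the text content of *path*; IOError/OSError propagate."""
    with open(path) as fh:
        return fh.read()


def _contains(fp, needle):
    """Return True if the byte string *needle* occurs anywhere in file *fp*.

    Binary read, so ELF files are not decoded as text; the tail of the
    previous chunk is kept so a needle straddling two chunks is still
    found.  An unreadable file counts as "no match".
    """
    keep = len(needle) - 1
    tail = b""
    try:
        with open(fp, "rb") as fh:
            while True:
                chunk = fh.read(_CHUNK)
                if not chunk:
                    return False
                if needle in tail + chunk:
                    return True
                tail = chunk[-keep:] if keep else b""
    except (IOError, OSError):
        return False


#scan the filesystem in the os with specify eigenvalue
def scanforeigen(path, word):
    """Walk *path*, record and return the first regular file containing *word*.

    The match is appended to the module-level ``findlist`` and returned;
    None is returned when nothing matches or *path* does not exist.
    Matches in subdirectories are returned too (the recursive result used
    to be dropped).  os.walk does not follow symlinked directories, so a
    link such as a directory pointing back to itself cannot recurse
    forever, and unreadable directories are skipped.
    """
    needle = word if isinstance(word, bytes) else word.encode("ascii")
    for dirpath, _dirnames, filenames in os.walk(path):
        for filename in filenames:
            fp = os.path.join(dirpath, filename)
            if not os.path.isfile(fp):
                continue
            print(fp)
            if _contains(fp, needle):
                print("find in the file:" + fp)
                findlist.append(fp)
                return fp
    return None


#check the specify dir through property, return the matching paths in a list
def check():
    """Scan each tool directory for the signature and return the matches.

    Directories that do not exist are skipped instead of raising.
    """
    targetlist = []
    for dirpath in filedir.split(";"):
        if not os.path.isdir(dirpath):
            continue
        checkfile = scanforeigen(dirpath, sigin)
        if checkfile:
            targetlist.append(checkfile)
    return targetlist


def _signal(pid, sig):
    """Deliver *sig* to *pid* with os.kill, so no external kill binary is run.

    A process that already exited is reported, not fatal.
    """
    try:
        os.kill(int(pid), sig)
    except (OSError, ValueError) as err:
        print("signal " + str(sig) + " to " + str(pid) + " failed: " + str(err))


def _remove(path):
    """Unlink *path* with os.remove, so no external rm binary is run.

    A missing file is reported, not fatal.
    """
    try:
        os.remove(path)
    except OSError as err:
        print("rm " + path + " failed: " + str(err))


#start kill
def kill():
    """Suspend the gates processes, remove its files, restore the tools, kill.

    Nothing is touched unless the signature scan found the sample, because
    the removal list contains the system's ps/ss/lsof/netstat.  Those four
    are only deleted when a clean copy exists in /usr/bin/dpkgd to put
    back; everything else in ``delpath`` is removed unconditionally.  No
    shell is spawned: signals, unlinks and the copy back use os/shutil.
    """
    check()
    print(findlist)
    if not findlist:
        print("signature not found, nothing to do")
        return

    #get pid: each config file holds the pid of a running component
    piddic = {}
    for confpath in configfile.split(";"):
        try:
            content = readfile(confpath)
        except (IOError, OSError):
            print("no pid file " + confpath)
            continue
        print("the path " + confpath + "content is " + content)
        try:
            piddic[confpath] = int(content.strip())
        except ValueError:
            print(confpath + " does not hold a pid, skipped")
    print(piddic)

    #get the filepath restarted by DbSecuritySpt: the first 12 bytes of the
    #init script are skipped (presumably its interpreter line -- confirm
    #against the sample) and the remainder is the dropped binary's path
    specialpath = ""
    try:
        specialpath = readfile("/etc/init.d/DbSecuritySpt")[12:].strip()
    except (IOError, OSError):
        print("no /etc/init.d/DbSecuritySpt")
    print("dd" + specialpath)

    #stop the processes in the pid list before removing anything
    for key in piddic:
        _signal(piddic[key], signal.SIGSTOP)

    #start to delete the files; keep a replaced tool if it cannot be restored
    restorable = [t for t in _TOOLS
                  if os.path.isfile(os.path.join(_BACKUPDIR, t))]
    for delfielpath in delpath.split(";"):
        name = os.path.basename(delfielpath)
        if name in _TOOLS and name not in restorable:
            print("keep " + delfielpath + ": no clean copy in " + _BACKUPDIR)
            continue
        _remove(delfielpath)
    if specialpath:
        _remove(specialpath)

    #put the clean tools back (shutil.copy keeps the mode bits like cp)
    for tool in restorable:
        try:
            shutil.copy(os.path.join(_BACKUPDIR, tool), "/bin")
        except (IOError, OSError) as err:
            print("restore of " + tool + " failed: " + str(err))

    #kill the suspended processes last, once nothing is left to re-drop
    for key in piddic:
        _signal(piddic[key], signal.SIGKILL)


def main(argv):
    """Command line entry: ``-check`` prints the matches, ``-kill`` cleans up."""
    if len(argv) < 2 or argv[1] not in ("-check", "-kill"):
        print("usage: " + argv[0] + " -check | -kill")
        return 2
    if argv[1] == "-check":
        print(check())
    else:
        kill()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))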