xor和gates的专杀脚本

前段时间的一次样本，需要给出专杀，应急中遇到的是linux中比较常见的两个家族gates和xor。

首先是xor的专杀脚本，xor样本查杀的时候需要注意的是样本的主进程和子进程相互保护(详见之前的xor ddos分析http://www.cnblogs.com/goabout2/p/4888651.html)，想要杀掉的话，需要先通过kill –stop挂起主进程，再删除其他的文件，但是由于xor的进程名是随机值，同时主机上还有有gates木马（gates最显著的特征就是会替换系统文件ps，lsof，ss，netstat），因此为了避嫌，脚本必须隔离系统命令。

此处通过的是遍历/proc/pid/maps文件获取所有进程对应的程序路径，通过该路径与特征值匹配出的路径对比，从而确定主进程的pid。

import os
import re
import sys
import time

# property of the virus
sigin = "m4S4nAC/nA"
filepath = "/boot/dingzhi_random_10_word1;/lib/udev/udev"
delpath = "/etc/cron.hourly/cron.sh;/etc/init.d/fromdingzhi_"

#read file
def readfile(path):
file = open(path)
try:
content = file.read()
finally:
file.close()
return content

#scan the filesystem in the os with specify eigenvalue
def scanforeigen(path,word):
for filename in os.listdir(path):
fp = os.path.join(path,filename)
if os.path.isfile(fp):
print fp
with open(fp) as f:
for line in f:
if word in line:
print "find in the file:" + fp
return fp
break
elif os.path.isdir(fp):
scanforeigen(fp,word)

#check the specify dir thrugh property return the path in a lis
def check():
targetlist = []
bootfile = scanforeigen("/boot",sigin)
if bootfile is not None and bootfile != '':
bootfilename = bootfile.split("/")[-1]
if len(bootfilename) == 10 and re.match('^[a-z]+$',bootfilename):
targetlist.append(bootfile)
libfile = scanforeigen("/lib/udev",sigin)
if libfile is not None and libfile != '':
libfilename = libfile.split("/")[-1]
if libfilename == "udev":
targetlist.append(libfile)
return targetlist

def kill():
itemlist = []
targetlist = check()
print targetlist
boot = targetlist[0]
print "boot is " + boot
bootname = boot.split('/')[-1]
for itemnum in os.listdir("/proc"):                   #throught the filename to find the pid and return
if itemnum.isdigit():
print "the dir is " + itemnum
path = "/proc/" + itemnum + "/maps"
print path
mapscontent = readfile(path)
if bootname in mapscontent:
print "the pid of the " + bootname + " is " + itemnum
itemlist.append(itemnum)
print itemlist

#stop the father process
for item in itemlist:
print "item is " + item
cmd = "kill -STOP " + item
os.popen(cmd)
time.sleep(5)
print "going sleeping"

#delete the file
for target in targetlist:
print "del the" + target
cmd = "rm " + target
os.popen(cmd)

dellist = delpath.split(';')
for delfile in dellist:
print "the delfile" + delfile
if delfile.split('/')[-1] == "fromdingzhi_":
delfile = delfile.replace("fromdingzhi_",bootname)

print "del the " + delfile
cmd = "rm " + delfile
os.popen(cmd)

#kill the process
cmd = "kill -9 " + item
print cmd
os.popen(cmd)

if __name__ == '__main__':
#list = check()
if sys.argv[1] == "-check":
list = check()
elif sys.argv[1] == '-kill':
kill()

对于gates木马需要注意的是，样本运行第一次的时候的文件不会删除，通过二进制分析的时候是获取不到该样本的路径的，索性该处的路径保存在/etc/init.d/DbSecuritySpt的启动文件中。

import os
import sys
import time

#linux.tragon.bill.gates

sigin = "88FD2FE8EF8D51263B037677FD30F25CBFEB57F759F711FB41956288A85E9655F"
initpaht = "/etc/init.d/selinux;/etc/init.d/DbSecuritySpt"
filedir = "/usr/bin;/usr/sbin;/bin;/usr/bin/bsd-port;/usr/bin/dpkgd"
filepath = "/usr/bin/.sshd;/usr/bin/bsd-port/getty"
delpath = "/usr/bin/ps;/usr/bin/ss;/usr/bin/lsof;/usr/bin/netsata;/usr/sbin/ps;/usr/sbin/ss;/usr/sbin/lsof;/usr/sbin/netsata;/bin/ps;/bin/ss;/bin/lsof;/bin/netsata;/etc/init.d/selinux;/etc/init.d/DbSecuritySpt;/tmp/moni.lod;/tmp/gates.lod;/usr/bin/bsd-port/getty.lock"
configfile = "/tmp/moni.lod;/tmp/gates.lod;/usr/bin/bsd-port/getty.lock"

findlist = []

#read file
def readfile(path):
file = open(path)
try:
content = file.read()
finally:
file.close()
return content

#scan the filesystem in the os with specify eigenvalue
def scanforeigen(path,word):
for filename in os.listdir(path):
fp = os.path.join(path,filename)
if os.path.isfile(fp):
print fp
with open(fp) as f:
for line in f:
if word in line:
print "find in the file:" + fp
findlist.append(fp)
return fp

elif os.path.isdir(fp):
scanforeigen(fp,word)

#check the specify dir thrugh property return the path in a lis
def check():
targetlist = []
dirlist = filedir.split(";")
for dirpath in dirlist:
checkfile = scanforeigen(dirpath,sigin)
'''
print "the checkfile is :"
print checkfile
targetlist.append(checkfile)
'''
#start kill
def kill():
piddic = {}
check()
print findlist
#get pid
if findlist is not None:
conflist = configfile.split(";")
for confpath in conflist:
content = readfile(confpath)
print "the path " + confpath + "content is " + content
piddic[confpath] = content
print piddic

#get the filepath restart by DbSecuritySpt
specialpath = readfile("/etc/init.d/DbSecuritySpt")
specialpath = specialpath[12:]
print "dd" + specialpath

#stop the process in the pidlist
for key in piddic:
cmd = "kill -STOP " + piddic[key]
os.popen(cmd)

#start to delete the file
delfile = delpath.split(";")
for delfielpath in delfile:
cmd = "rm " + delfielpath
os.popen(cmd)

cmd = "rm " + specialpath
os.popen(cmd)

cmd = "cp /usr/bin/dpkgd/ps /bin"
os.popen(cmd)
cmd = "cp /usr/bin/dpkgd/ss /bin"
os.popen(cmd)
cmd = "cp /usr/bin/dpkgd/lsof /bin"
os.popen(cmd)
cmd = "cp /usr/bin/dpkgd/netstat /bin"
os.popen(cmd)

for key in piddic:
cmd = "kill -9 " + piddic[key]
os.popen(cmd)

if __name__ == '__main__':
#list = check()
if sys.argv[1] == "-check":
list = check()
elif sys.argv[1] == '-kill':
kill()