Unix.Trojan.DDoS_XOR-1 FOUND removal

If you find a process running from a random-looking binary such as /usr/bin/sywhksydor (the name differs from infection to infection), this is what to clean up.

First check /etc/crontab and remove this entry, which restarts the dropper every three minutes:
*/3 * * * * root /etc/cron.hourly/gcc.sh

Then remove the init.d script and the rc*.d links named after the process (replace sywhksydor with the name you saw in ps):
find /etc/ -name '*sywhksydor*' -print0 | xargs -0 rm -fv

Check whether any other files in /etc were modified around the same time (-mtime -3 means the last three days; widen it if the infection is older):
find /etc -mtime -3 -type f -print

Remove the cron files in /etc/cron.hourly:
gcc.sh
wqcpplwrlsfby.sh
The second name looks random too, so look at any other script in that directory that you do not recognise.

Remove the /lib/libudev.so file the trojan drops. Before deleting it, make sure it does not belong to a package (dpkg -S /lib/libudev.so or rpm -qf /lib/libudev.so): the distribution's copy of the library is versioned (libudev.so.1) and package-owned, the dropped one is not.
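The removal steps above as one script, added here as an example (it is not part of the original post). It takes a root directory so it can be rehearsed against a copy of the filesystem, and the random dropper name as seen in ps. Assumptions: the cron line and paths are the ones the post lists; the second cron.hourly script is recognised by the dropper name appearing in it (the post does not show its contents), and other scripts there are only listed for review; the dropped binary in /usr/bin is removed as well; with DRY_RUN=1 nothing is deleted.

```sh
#!/bin/sh
# Added example, not from the original post: the XOR.DDoS cleanup as one script.
# ROOT ($1, default /) lets you rehearse against a copy of the filesystem;
# NAME ($2) is the random dropper name seen in ps (sywhksydor in the post).
# DRY_RUN=1 only prints what would happen. The paths come from the post; the
# random cron.hourly script being matched by content and the removal of the
# /usr/bin binary are assumptions.

dry_run() { [ "${DRY_RUN:-0}" = 1 ]; }

remove_path() {
    if dry_run; then echo "would remove: $1"; else rm -fv "$1"; fi
}

xorddos_cleanup() {
    root="${1:-/}"
    name="$2"
    if [ -z "$name" ]; then
        echo "usage: xorddos_cleanup ROOT DROPPER_NAME" >&2
        return 2
    fi

    # 1. Persistence first, otherwise cron restarts the dropper while we work:
    #    delete the line that runs /etc/cron.hourly/gcc.sh every 3 minutes.
    crontab="$root/etc/crontab"
    if [ -f "$crontab" ] && grep -q '/etc/cron.hourly/gcc.sh' "$crontab"; then
        if dry_run; then
            echo "would edit: $crontab"
        else
            sed -i.xorddos-bak '\@/etc/cron.hourly/gcc.sh@d' "$crontab"
        fi
    fi

    # 2. The cron.hourly scripts: gcc.sh by name, the random one by content
    #    (assumption: it references the dropper); anything else is listed.
    for f in "$root"/etc/cron.hourly/*.sh; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in
            gcc.sh) remove_path "$f" ;;
            *) if grep -q "$name" "$f"; then remove_path "$f"; else echo "review: $f"; fi ;;
        esac
    done

    # 3. The init.d script and rc*.d links named after the dropper.
    find "$root/etc" -name "*$name*" | while read -r f; do remove_path "$f"; done

    # 4. The dropped library and the binary itself.
    remove_path "$root/lib/libudev.so"
    remove_path "$root/usr/bin/$name"

    # 5. With nothing left to respawn it, stop the process (live system only).
    if [ "$root" = "/" ] && ! dry_run; then
        pkill -f "/usr/bin/$name" || true
    fi

    # 6. Anything else in /etc touched in the last 3 days, for manual review.
    find "$root/etc" -mtime -3 -type f -print
}

# Usage on the infected host, after reading the process name from ps:
#   DRY_RUN=1 xorddos_cleanup / sywhksydor   # preview
#   xorddos_cleanup / sywhksydor             # clean up
```

Run it with DRY_RUN=1 first and read the "review:" lines; the order matters, because killing the process before the cron entries are gone just gets it restarted.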

This should be enough, but you need to keep monitoring the server and find the reason for the issue. In my case it was Magento:

$swvJgN7="..."
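One way to hunt for that kind of dropper in a web root, added here as an example that is not from the original post. It assumes the obfuscated PHP looks like the fragment above: a long string assigned to a random-looking variable and then passed to a decoder such as eval, base64_decode or gzinflate. The patterns are heuristics; they list candidates to read by hand, not a verdict.

```sh
#!/bin/sh
# Added example, not from the original post: list PHP files under a web root
# that both call a decoder and assign a long base64-looking string to a
# random-looking variable (the shape of the $swvJgN7 fragment in the post).
# The two patterns are assumptions about what such droppers look like.

find_obfuscated_php() {
    webroot="$1"
    # Files that call a decoder or eval ...
    grep -rlE --include='*.php' --include='*.phtml' \
        '(eval|base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' \
        "$webroot" 2>/dev/null |
    while read -r f; do
        # ... and also assign 40+ base64 characters to a variable with a
        # name of 6+ characters (legitimate short decodes are skipped).
        if grep -qE '\$[A-Za-z0-9_]{6,}[[:space:]]*=[[:space:]]*.[A-Za-z0-9+/=]{40,}' "$f"; then
            echo "$f"
        fi
    done
}

# Usage (path is an assumption):
#   find_obfuscated_php /var/www/magento
```

Inspect each hit and compare it against the same file from a clean copy of the store; also check the file's mtime against the dates found in /etc, since the web shell is usually older than the DDoS payload it downloaded.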
