This topic provides a best practice to detect and remove Trojans in the Linux operating system.

Background information

When your Linux operating system has unpatched vulnerabilities or lacks basic protection, an attacker can implant a Trojan. Removing the Trojan is only half the job: afterwards you must harden the system so it cannot be re-implanted, by applying security patches, restricting system permissions, auditing operations, and analyzing logs.

Step 1: Use Security Center to detect Trojans

  1. Respond to Security Center alerts promptly and remove the detected Trojans. For more information, see View and handle security events.
  2. Fix vulnerabilities to improve system security as soon as possible. For more information, see Linux software vulnerabilities.

Step 2: Query attack details

  • Run the last and lastlog commands. last lists recent logons (from /var/log/wtmp) with the source address and time; lastlog shows the most recent logon of every account. Look for unfamiliar accounts, source addresses, or logon times.
  • Run the grep -i Accepted /var/log/secure command to list successful remote logons and the IP addresses they came from. On Debian and Ubuntu the file is /var/log/auth.log; on systems that log only to the journal, run journalctl _COMM=sshd instead.
  • Check the following cron locations for jobs you did not create (they are files and directories, not commands):
    /var/spool/cron/ (per-user crontabs; /var/spool/cron/crontabs/ on Debian and Ubuntu)
    /etc/cron.hourly (and the other /etc/cron.* directories, including /etc/cron.d)
    /etc/crontab
  • Run the find / -ctime -1 command to list files whose status (content, owner, or permissions) changed within the last 24 hours. Note the minus sign: -ctime 1 matches only files changed between 24 and 48 hours ago and misses everything from today. ctime is the useful timestamp here because a Trojan can reset mtime with touch but cannot set ctime from user space. Add -xdev to stay on one file system and skip /proc and /sys.
  • Check the /etc/passwd and /etc/shadow files for accounts you did not create, for accounts other than root with UID 0, and for accounts with an empty password field.
  • Check the /tmp, /var/tmp, and /dev/shm temporary directories. These directories have mode 1777 (world-writable with the sticky bit), so any local user or compromised service can drop files there. Look for executables and hidden (dot-prefixed) files.
  • Check the logs of services whose ports are reachable from the Internet, such as Tomcat and NGINX, for anomalies: unexpected requests, error spikes, and file uploads.
  • Run the service --status-all | grep running command to check whether exceptions exist in the running services. On systemd systems, run systemctl list-units --type=service --state=running instead.
  • Run the chkconfig --list | grep :on command to check whether exceptions exist in the services that start automatically. On systemd systems, run systemctl list-unit-files --type=service --state=enabled instead.
  • Run the ls -lt /etc/init.d/ | head command to list the most recently modified startup scripts. On systemd systems, check /etc/systemd/system/ and ~/.config/systemd/user/ the same way.
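The checks in Step 2 are usually typed one by one; the script below, added here as an example and not part of Security Center or this page, wraps them in POSIX sh functions so they can be run repeatedly and their output compared across hosts. It assumes a standard Linux userland (find, awk, sort, uniq, sed); the sshd log path is a parameter because it differs by distribution, and the cron list adds /etc/cron.d, which the list above omits.

```shell
#!/bin/sh
# Added example for Step 2 (not part of Security Center or the original page):
# POSIX sh helpers that run the checks above and print only what needs review.
# Assumptions: find, awk, sort, uniq and sed are present; the sshd log path is
# passed in because it differs by distribution (/var/log/secure on RHEL-family,
# /var/log/auth.log on Debian-family).

# Successful SSH logons per (source IP, account), busiest first.
# Output lines look like: "2 203.0.113.5 root".
accepted_logins() {
    grep -i 'accepted' "$1" \
      | awk '{ for (i = 2; i < NF; i++) if ($i == "from") print $(i+1), $(i-1) }' \
      | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Accounts that deserve a second look: any UID-0 account other than root, and
# any account whose shadow password field is empty (logon without a password).
account_anomalies() {
    passwd="${1:-/etc/passwd}"; shadow="${2:-/etc/shadow}"
    awk -F: '$3 == 0 && $1 != "root" { print "uid0:", $1 }' "$passwd"
    [ -r "$shadow" ] && awk -F: '$2 == "" { print "nopass:", $1 }' "$shadow"
    return 0
}

# Executable regular files in world-writable temp directories. Mode 1777 on the
# directory itself is normal; executables inside it usually are not.
tmp_executables() {
    for d in "$@"; do
        [ -d "$d" ] && find "$d" -xdev -type f -perm -u+x 2>/dev/null || :
    done
    return 0
}

# Regular files whose inode status changed within the last DAYS days (default 1).
# -ctime -N means "less than N days ago"; -ctime 1 would match only files
# changed between 24 and 48 hours ago and miss everything from today.
recently_changed() {
    find "$1" -xdev -type f -ctime "-${2:-1}" 2>/dev/null || :
}

# Every cron source the page lists, plus /etc/cron.d, each with a header line.
cron_sources() {
    for f in /etc/crontab /etc/cron.d/* /etc/cron.hourly/* \
             /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        printf '==> %s <==\n' "$f"; cat "$f"
    done
    return 0
}

# Full run: sh step2_triage.sh --run [sshd_logfile]
if [ "${1-}" = "--run" ]; then
    echo "# accepted SSH logons";             accepted_logins "${2:-/var/log/secure}"
    echo "# UID-0 and passwordless accounts";  account_anomalies
    echo "# executables in temp directories";  tmp_executables /tmp /var/tmp /dev/shm
    echo "# files changed in the last 24 h";   recently_changed / 1
    echo "# cron sources";                     cron_sources
fi
```

Run it as root so /etc/shadow and every home directory are readable; a second run a day later, diffed against the first, turns the one-off checks into a simple change audit.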

Step 3: Run commonly used Trojan scan commands

Command    Function
ps, top    Show the running processes and the system resource usage. Use them to find abnormal processes: unknown names, unusually high CPU or memory, or a binary running from an unexpected path.
pstree     Display the relationship among processes as a tree. A shell or network tool whose parent is a web server or a cron job is a common Trojan indicator.
lsof       List the files and directories a process has open (lsof -p PID), the processes that use a directory or port (lsof +D DIR, lsof -i :PORT), and all open network ports (lsof -i -P -n).
netstat    List the listening ports, the state of every network connection, and the IP addresses that hold an excessive number of connections. Current distributions often ship ss instead; ss -ntulp gives the same information.
iftop      Monitor the bandwidth of live TCP connections in real time, split into inbound and outbound traffic, to find IP addresses with abnormal traffic.
nethogs    Monitor network traffic per process, sorted by traffic volume in descending order.
strace     Trace the system calls made by a specific process (strace -f -p PID) to analyze what a suspected Trojan is doing.
strings    Print the printable strings in a file (strings -n 8 FILE) to look for embedded IP addresses, URLs, and commands in a suspected Trojan binary.
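Two of the signals the table points at (a process whose binary is gone or lives in a temp directory, and one remote address holding far more connections than the rest) can be checked without reading long ps, lsof, or netstat listings by eye. The script below is an added example, not code from Security Center or this page; it assumes a Linux /proc (the root is a parameter so the logic can be exercised on a constructed tree) and connection tables in the format of ss -ntu or netstat -ntu.

```shell
#!/bin/sh
# Added example for Step 3 (not from Security Center or the original page):
# two checks that make the ps/lsof/netstat review repeatable. Assumptions:
# a Linux /proc (passed as a parameter so the logic can be tested on a
# constructed tree) and connection tables in `ss -ntu` or `netstat -ntu` format.

# Processes whose binary was deleted after start (a dropper that removes
# itself from disk) or that run from a temp directory. `lsof -p PID` shows the
# same "(deleted)" marker; this reads the /proc/PID/exe links directly.
# Output lines look like: "1234 /tmp/.x (deleted)".
suspicious_exes() {
    proc="${1:-/proc}"
    for p in "$proc"/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            *"(deleted)"*|/tmp/*|/var/tmp/*|/dev/shm/*)
                printf '%s %s\n' "${p##*/}" "$exe" ;;
        esac
    done
    return 0
}

# Established connections per remote address, busiest first, from the output
# of `ss -ntu` or `netstat -ntu` on stdin. The peer address is the last field
# that ends in ":<port>", which holds for both tools.
# Output lines look like: "3 198.51.100.7".
top_remote_ips() {
    awk '/ESTAB/ {
            for (i = NF; i > 0; i--)
                if ($i ~ /:[0-9]+$/) { sub(/:[0-9]+$/, "", $i); print $i; break }
         }' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Full run: sh step3_triage.sh --run
if [ "${1-}" = "--run" ]; then
    echo "# processes with deleted or temp-dir executables"; suspicious_exes /proc
    echo "# established connections per remote address";     ss -ntu | top_remote_ips
fi
```

Follow up on each hit with the tools in the table: strace -f -p PID and lsof -p PID on a flagged process, and strings on a copy of its binary recovered from /proc/PID/exe before the process is killed, since a deleted binary disappears with it.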