BillGates botnet (compromised servers used as bots for DDoS attacks)

Over the past six months I have run into, or heard of, several cases of this attack: a server suddenly starts sending a huge volume of packets at the firewall. Most of the time this traffic overwhelms the firewall, and the administrator has no choice but to cut those servers off the network for the time being.

Below is a description of the botnet and how to remove it, reposted from https://github.com/ValdikSS/billgates-botnet-tracker

What's BillGates?

Well, that's a Linux botnet I found in February 2014. It is split into modules usually called atddd, cupsdd, cupsddh, ksapdd, kysapdd, sksapdd, skysapdd.

cupsdd is the main module, which I call "Gates" (because it locks /tmp/gates.lock). It unpacks the cupsddh ("Bill") module (the last character depends on configuration) to the directory where cupsdd is stored (usually /etc), creates /etc/init.d/DbSecuritySpt and makes symlinks to it in /etc/rc[1-5].d/97DbSecuritySpt, and establishes a connection to the "Gates" CnC server at IP 116.10.189.246. Newer versions of the "Gates" module also include a monitor module, "moni". It copies itself to /usr/bin/pojie and acts as "moni" only if run as /usr/bin/pojie. "Bill" can perform simple DDoS.

atddd, ksapdd, kysapdd, sksapdd and skysapdd are an advanced DDoS module which I call "Melinda" (it doesn't have this name, and I thought I could give it one). It can perform TCP, UDP, ICMP and DNS DDoS with packet forgery. The only difference between these files is the CnC server IP address.

atddd = 202.103.178.76
ksapdd = 121.12.110.96
kysapdd = 112.90.252.76
skysapdd = 112.90.22.197
sksapdd = 112.90.252.79

How can I get this botnet?

That's pretty easy: just set your root password to "1" or something similar and make sure you have OpenSSH running. You'll definitely get it in some time. It seems that the installation process is performed by an individual and not automatically.

How can I delete this botnet from my PC?

Well, I have successfully deleted this botnet by cleaning the root crontab file, /etc/rc.local, /etc/init.d/DbSecuritySpt, /etc/rc[1-5].d/97DbSecuritySpt, all the botnet files from /etc (they all have the SUID bit and some of them have the immutable bit), /etc/conf.n, /etc/cmd.n, /tmp/*.lock and /usr/bin/pojie. But beware: the "Bill" module has some code to execute insmod /usr/lib/xpacket.ko and write something to /usr/lib/libamplify.so, so your PC could easily be infected by a rootkit (although I haven't seen any).

Reposted from: https://blog.51cto.com/foolishfish/1536763
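The write-up above lists the artifacts this botnet leaves behind (module binaries in /etc carrying the SUID and sometimes the immutable bit, the DbSecuritySpt init script and its rc symlinks, /etc/conf.n, /etc/cmd.n, /tmp/gates.lock, /usr/bin/pojie, /usr/lib/xpacket.ko, /usr/lib/libamplify.so, and six CnC addresses) together with the manual cleanup that worked. The bash script below is an added example written for this page, not code from the tracker project or from either author; it turns those indicators into a repeatable sweep that runs against a live host or a mounted disk image, flags immutable files that will resist rm until chattr -i is applied, and checks a connection table for the CnC addresses. Assumptions: the functions, variable names and the SAMPLE_CONNECTIONS table are constructed for this example (the table is not a real capture); modules are only looked for in /etc, which the write-up gives as the usual location; and the rc symlink check accepts any runlevel and any S/K prefix in front of "97DbSecuritySpt" rather than only the exact name quoted above.

```shell
#!/bin/bash
# Added example for this page, not the tracker project's code: a host sweep for
# the BillGates artifacts named in the write-up. ROOT may be / on a live host
# or the mount point of an offline disk image.
# Assumption: modules are looked for in /etc, which the write-up calls the
# usual drop location; a non-standard location needs the path list extended.

# CnC addresses from the write-up: the Gates CnC and the five Melinda variants.
BILLGATES_CNC_IPS="116.10.189.246 202.103.178.76 121.12.110.96 112.90.252.76 112.90.22.197 112.90.252.79"

# Module file names; the last character of cupsddh varies, hence the glob.
BILLGATES_MODULE_GLOBS="atddd cupsdd cupsdd? ksapdd kysapdd sksapdd skysapdd"

# Names that should not appear in root's crontab or /etc/rc.local.
BILLGATES_NAME_RE='atddd|cupsdd|ksapdd|kysapdd|sksapdd|skysapdd|pojie|DbSecuritySpt'

# Constructed sample of `ss -ntu` style output (not a real capture): one
# connection to the Gates CnC, one benign SSH session, one near-miss address.
SAMPLE_CONNECTIONS='tcp ESTAB 0 0 10.0.0.5:49152 116.10.189.246:80
tcp ESTAB 0 0 10.0.0.5:22 10.0.0.9:51344
tcp ESTAB 0 0 10.0.0.5:40000 116.10.189.2:443'

# scan_billgates ROOT
# Prints one "INDICATOR:" line per hit. Exit status 0 = clean, 1 = hits found.
scan_billgates() {
    local root=${1%/} hits=0 f g p
    report() { echo "INDICATOR: $1"; hits=$((hits + 1)); }

    # 1. Dropped modules in /etc. The write-up says they carry the SUID bit and
    #    sometimes the immutable bit; the latter blocks rm until `chattr -i`.
    for g in $BILLGATES_MODULE_GLOBS; do
        for f in "$root"/etc/$g; do
            [ -e "$f" ] || continue
            report "module file $f"
            if command -v lsattr >/dev/null 2>&1 &&
               lsattr "$f" 2>/dev/null | cut -d' ' -f1 | grep -q i; then
                report "immutable attribute on $f (run chattr -i before deleting)"
            fi
        done
    done
    # A normal /etc holds no SUID executables, so flag any, whatever the name.
    for f in $(find "$root/etc" -maxdepth 1 -type f -perm -4000 2>/dev/null || true); do
        report "SUID file in /etc: $f"
    done

    # 2. Persistence and support files named in the write-up.
    for p in etc/init.d/DbSecuritySpt etc/conf.n etc/cmd.n tmp/gates.lock \
             usr/bin/pojie usr/lib/xpacket.ko usr/lib/libamplify.so; do
        if [ -e "$root/$p" ] || [ -L "$root/$p" ]; then report "$root/$p"; fi
    done
    # rc symlinks: the write-up gives rc[1-5].d/97DbSecuritySpt; accept any
    # runlevel and any S/K prefix in front of the 97.
    for f in "$root"/etc/rc?.d/*97DbSecuritySpt; do
        if [ -e "$f" ] || [ -L "$f" ]; then report "rc symlink $f"; fi
    done

    # 3. Relaunch hooks: root's crontab and /etc/rc.local mentioning a module.
    for f in "$root/etc/rc.local" "$root/var/spool/cron/root" \
             "$root/var/spool/cron/crontabs/root"; do
        [ -f "$f" ] || continue
        if grep -Eq "$BILLGATES_NAME_RE" "$f"; then
            report "$f references a module: $(grep -E "$BILLGATES_NAME_RE" "$f" | head -n 1)"
        fi
    done

    [ "$hits" -eq 0 ]
}

# check_cnc_connections
# Reads a connection table on stdin (`ss -ntu`, `netstat -ntu`) and prints the
# lines whose peer is a known CnC address. Exit status 0 = none, 1 = match,
# so it behaves like an inverted grep for use in scripts.
check_cnc_connections() {
    local re
    re=$(printf '%s' "$BILLGATES_CNC_IPS" | sed -e 's/\./\\./g' -e 's/ /|/g')
    # Delimit the address so 116.10.189.2 does not match 116.10.189.246.
    if grep -E "(^|[^0-9.])($re)([^0-9]|$)"; then
        return 1
    fi
    return 0
}

# Live usage (root needed for the crontab spool and for lsattr on /etc files):
#   scan_billgates /
#   ss -ntu | check_cnc_connections
# Offline demo on the constructed sample:
#   printf '%s\n' "$SAMPLE_CONNECTIONS" | check_cnc_connections
```

Run the sweep before deleting anything so you know which files carry the immutable attribute; rm on those fails until chattr -i has been applied. A clean result only means none of the names from the write-up are present: it says nothing about a rootkit that xpacket.ko may have loaded, which is exactly the caveat the write-up ends with, so an infected host should be rebuilt from known-good media rather than trusted after file deletion alone.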
