
Xor DDoS is a trojan-style malware that affects many Linux systems. In this article we will provide you with a step-by-step tutorial on how to remove this malware.

14 Apr, 19

How to Remove Xor DDos Trojan from Linux


Trojan Identification

Before doing anything, you need to make sure that the Trojan exists on your system.

To do this, first check the CPU status and running processes with the top tool. If a process with a strange name, such as hgmijazsert, is running on your server as root, there is a high chance that it is malware infecting your server and consuming its resources. (Note down all the information about this process, including its PID and name, as you will need it later.) Generally, when a Linux server is infected with malware, the CPU load is high and its resources are almost completely used up at all times. Once you have confirmed that the Trojan is on your server, follow the steps below to delete it.

Remove Trojan XORDDoS

The first step is to STOP (pause) this process, using the PID observed in top:

kill -STOP [pid-number]

Replace pid-number with the PID of the process, as in the following command:

kill -STOP 22598

Note: Do not kill this process outright, as it will restart under another name.

The next step is to go to the directory where this Trojan is commonly found, /usr/lib/, and locate it:

cd /usr/lib

Once in this directory, open the file you noted earlier with the nano command to view its contents:

nano file-name

Here, pay attention to the type of code and the way it is written (there is no need to analyze or understand it, just remember its style and the kind of commands it uses). Now check all the files in this directory, and delete each one that has the same style of code as the Trojan with the following command:

rm -f 'file-name'

Please note: Replace file-name with the name of each file you find, and be careful not to delete other files accidentally.

After removing all such files from this directory, you must now find and remove the original Trojan file, commonly called libudev.so (though this is not always the case). This file is generally located in the /lib/ directory; if it is not there, use the following command to find it:

find / -type f -name libudev.so

After finding this file, remove it with the rm -f command mentioned in the previous steps. Then, because this file is referenced by the system's cron jobs, strip all of its permissions, delete it and make the directory immutable with the following command:

chmod 0000 /lib/libudev.so && rm -rf /lib/libudev.so && chattr +i /lib

Now go to the /etc directory, check each of the rc*.d directories (rc0.d, rc1.d, etc.) and look for any newly created cron or startup entries.

Tip: Use the ls -lrt command to list the most recently created files together with their modification dates.

Examine and delete any recently created file with a strange name.
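The checks from the steps above, collected into a read-only triage helper. This is an added example, not code from the original article; it assumes GNU find and procps ps, and its "random-looking name" test (root-owned, ten or more lowercase letters, like hgmijazsert) is a heuristic of this example rather than a rule the article gives.

```shell
#!/usr/bin/env bash
# Added triage helper for the XOR DDoS removal steps above (not from the original
# article). Read-only: it gathers evidence and changes nothing, so the operator
# can review it and then stop processes or delete files by hand as described.
# Assumes GNU find (-printf) and procps ps.
set -u

# Read "PID USER COMM" lines on stdin and print the PID and name of root-owned
# processes whose command name is ten or more lowercase letters, like the
# "hgmijazsert" example. This is a heuristic of the example, not a rule from
# the article; anything it prints still needs a human look in top.
flag_odd_names() {
    awk '$2 == "root" && length($3) >= 10 && $3 ~ /^[a-z]+$/ { print $1, $3 }'
}

# Print every regular file named exactly libudev.so below ROOT. The article
# names this as the Trojan's usual persistence file; the assumption here is that
# a genuine libudev normally carries a version suffix (libudev.so.1), so a
# bare libudev.so in /lib or /usr/lib deserves inspection before removal.
find_libudev() {
    find "${1:-/}" -xdev -type f -name 'libudev.so' 2>/dev/null | sort
}

# List regular files under the given directories modified within the last DAYS
# days, oldest first, with their modification time: the "ls -lrt" check from the
# article applied recursively. Usage: recent_files DAYS DIR...
recent_files() {
    local days="$1"; shift
    find "$@" -xdev -type f -mtime "-$days" \
        -printf '%TY-%Tm-%Td %TH:%TM %p\n' 2>/dev/null | sort
}

# Run all three checks against ROOT (default /). Invoked only when a path is
# given, e.g.  bash triage.sh /  on the suspect host.
main() {
    local root="${1%/}"
    echo "== root-owned processes with random-looking names =="
    ps -eo pid= -o user= -o comm= | flag_odd_names
    echo "== files named libudev.so under ${root:-/} =="
    find_libudev "${root:-/}"
    echo "== files changed in the last 7 days under lib, usr/lib and etc =="
    recent_files 7 "$root/lib" "$root/usr/lib" "$root/etc"
}

if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

Passing a mounted image path instead of / (for example a rescue-boot mount) lets the same checks run against an offline copy of the infected disk.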

This way, you will completely get rid of the Trojan. This Trojan is commonly deployed through brute-force attacks, so if it was present on your server, there is a high chance that one or more of your passwords are compromised. We strongly suggest changing the password for the root account, as well as for all users with sudo access. Please make sure that the new passwords are long, complex and contain a combination of letters, numbers and special characters.

Elizabet J

One of my major goals is getting new experiences in ICT and, what's more, making progress in this field.