Tuesday, June 17, 2014

How to remove Bill Gates botnet (Fedora)



1) identify and kill process running
 #top
 #killall cupsdd
 . . .

2) verify crontab

#ss -t (show current socket connections)
#crontab -l (list entries)
#crontab -e (edit current)
#crontab -r (remove all entries)

3) remove calls from start scripts
#vi /etc/rc.local   (here anotate entries )
#vi /etc/init.d
#rm /etc/*.lock  (bill.lock and gates.lock)
4) remove physical files
  atddd, cupsdd, cupsddh,ksapdd, kysadd,sksapdd, skysapdd

References

[1] http://lpages.info/billgates-linux-botnet/
[2] https://isc.sans.edu/forums/diary//17282
[3] crontab https://help.1and1.com/hosting-c37630/scripts-and-programming-languages-c85099/cron-jobs-c37727/delete-a-cron-job-a757264.html

By at
Labels:

2 comments:

Anonymous said...

This is completely incorrect. The only correct way to remove this botnet or any other malware is to format and re-install. YOU CAN NEVER AGAIN TRUST A SYSTEM THAT HAS BEEN COMPROMISED. You do not know what else an attacker may have done to the system that you did not find.

6:06 AM
Anonymous said...

AVG Antivirus Support like your page.

2:02 AM

Post a Comment

Subscribe to: Post Comments (Atom)

Firefox open multiple private window

    /opt/firefox/firefox-bin --profile $(mktemp -d) --private-window www.google.com www.bing.com