FOR MEMO...
While checking an abnormal service, I found lots of zmeu processes running ...
$ ps aux
:
:
root 3413 0.0 0.7 9024 7556 ? S Jul09 0:01 /bin/sh ./goa 70
root 6402 0.0 0.0 768 560 ? S Jul09 1:35 ./zmeu ip.80 vuln.txt 100 cgi
root 8742 0.0 0.0 772 580 ? S 13:23 0:00 ./zmeu ip.80 vuln.txt 100 cgi
root 9011 0.0 0.0 772 580 ? S 13:23 0:00 ./zmeu ip.80 vuln.txt 100 cgi
root 9649 0.0 0.0 772 580 ? S 13:27 0:00 ./zmeu ip.80 vuln.txt 100 cgi
root 9700 89.5 0.0 772 576 ? R Jul08 6504:52 ./zmeu ip.80 vuln.txt 100 cgi
:
:
root 9930 0.0 0.0 772 580 ? S 13:28 0:00 ./zmeu ip.80 vuln.txt 100 cgi
root 9932 0.0 0.0 772 580 ? S 13:28 0:00 ./zmeu ip.80 vuln.txt 100 cgi
$ find . | grep zmeu
./var/cache/man/. /pma/zmeu
$ cd ./var/cache/man/.\ /pma/zmeu
$ pwd
/var/cache/man/. /pma
$ tree
.
|-- PRIVATE
| |-- L
| |-- x
| `-- x.php
|-- cgi
|-- global
|-- goa
|-- gob
|-- ip.txt
|-- nohup.out
|-- rand
|-- ss
|-- x
`-- zmeu
$ cd ..
$ mv .\ / Zmmm
$ killall -9 zmeu
$ ps aux
:
root 11876 0.0 0.4 16964 4384 ? R 13:36 0:00 php PRIVATE/exploitx.php -a http://70.84.8.139/phpMyAdmin/
:
$ kill -9 11876
$ rm -rf Zmmm
====================================
$ vi .htaccess
RewriteEngine On
### ZmEu attack — reject requests whose User-Agent header begins with "ZmEu" (the scanner's default); the header is client-supplied, so this only filters the default scanner signature
RewriteCond %{HTTP_USER_AGENT} ^ZmEu
RewriteRule .* - [F]