Tracking edits to the /etc/hosts file


Every hour at :49, my hosts file gets replaced with the following:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

# ********* The following entries were added by 360安全卫士 (360 Safe Guard) to immunize against the Robot Dog (机器狗) trojan ******************
# ********* end ******************
# ********* The following entries were added by 360安全卫士 (360 Safe Guard) to immunize against the disk-drive (磁碟机) dummycom virus ******************
127.0.0.1  gxgxy.net
# ********* end of disk-drive (磁碟机) dummycom immunization ******************

I have tried to track the changes with auditctl, like this:

# /sbin/auditctl -w /etc/hosts -p wa -k hosts-file

But the file still gets replaced every hour, and running /sbin/ausearch -f /etc/hosts shows nothing. When I edit the file by hand, ausearch does show my change.

I have looked at my own user's crontab and at root's crontab and found nothing running at :49 that could be the culprit.

What could be causing this, and how do I stop it? I am running Debian jessie/testing.
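Alongside an audit watch, a cheap way to catch this kind of replacement is to diff the live file against a known-good copy and look for the banner lines that frame the injected block. The script below is an added example, not code from the original post; it assumes you keep a baseline copy of the file (for instance one saved right after a manual fix), and the sample text embedded in it is constructed for illustration.

```python
"""Report /etc/hosts mappings that are not in a known-good baseline copy.

Usage: python hosts_check.py /etc/hosts /root/hosts.baseline
(added example; the sample text at the bottom is constructed, not real data)
"""
import re
import sys

# Banner lines such as '# *********...' frame the injected blocks in the post
BANNER_RE = re.compile(r"^#\s*\*{3,}")


def parse_hosts(text):
    """Return every (ip, hostname) mapping in hosts-file text.

    Comments, blank lines and stray CR characters (the '^M' in the post)
    are ignored; a line with several hostnames yields one pair per name.
    """
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        pairs.extend((fields[0], name) for name in fields[1:])
    return pairs


def unexpected_entries(text, baseline_text):
    """Mappings present in text but absent from the baseline, in file order."""
    known = set(parse_hosts(baseline_text))
    return [p for p in parse_hosts(text) if p not in known]


def banner_lines(text):
    """Count '# ***' banner lines; a clean hosts file normally has none."""
    return sum(1 for line in text.splitlines() if BANNER_RE.match(line))


# Constructed sample: baseline with only localhost, plus a tampered copy
# that appends a banner-framed block (hostname is a placeholder).
BASELINE = "127.0.0.1\tlocalhost\n"
TAMPERED = (BASELINE + "# ******** injected block ********\n"
            "127.0.0.1  bad.example  # placeholder\r\n"
            "# ******** end ********\n")

if __name__ == "__main__":
    live, base = (open(p, encoding="utf-8", errors="replace").read()
                  for p in sys.argv[1:3])
    for ip, name in unexpected_entries(live, base):
        print(f"unexpected: {ip} {name}")
    print(f"banner lines: {banner_lines(live)}")
```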

Answer 1

Oh dear. I just found this, and it matches exactly the symptoms I described above: https://askubuntu.com/questions/440919/how-to-deal-with-malware-on-my-laptop

Looks like I will be cleaning out my system this weekend.
