How to Detect and Remove Linux.BackDoor.Gates.5 Malware: A Step‑by‑Step Guide

Background

During a night shift the author noticed a server’s outbound traffic spiking to 800 Mbps, suspecting a botnet infection. The server had no firewall rules enabled locally, but a physical firewall and non‑standard port mappings were in place.

Discovery and Tracing

1. Traffic graph – The monitoring page became unresponsive, indicating heavy load. (Image omitted for brevity)

2. Top output – Remote login showed a high‑CPU process that resembled a web service.

3. ps inspection – The suspicious binary was located under /etc and copied for offline analysis.

4. Process termination – Killing the process immediately dropped the traffic, but the malware regenerated, prompting deeper investigation.

5. Log analysis – The last command showed normal logins, but the secure log contained abnormal authentication attempts.

6. Repeated ps checks – The ps binary size had grown from ~81 KB to 1.2 MB, indicating replacement.

7. Additional anomalies – Crontab, rc.local, and scripts in /etc/init.d (e.g., DbSecuritySpt, selinux) were examined and found suspicious.

8. Hidden files – A hidden SSH‑related file in /tmp appeared to be part of the backdoor.

Manual Removal

The author summarises the cleanup steps:

Determine whether a backdoor is present.

Upload diagnostic commands ( ps, netstat, ss, lsof) to /root.

Delete malicious directories and files (see image for file list).

Identify and kill abnormal processes.

Replace removed commands with clean copies from a trusted system.

ClamAV Scanning

1. Install the ClamAV antivirus package.

2. Restart the ClamAV service: service clamd restart 3. Update the virus database (note: the bundled version may be outdated).

4. Use clamscan -h for help and run scans on the infected system.

Appendix: Linux.BackDoor.Gates.5

The malware combines a traditional backdoor with DDoS capabilities and targets 32‑bit Linux systems. It gathers system information such as CPU details, network interfaces, memory, OS version, and sends them to a command‑and‑control server.

CPU cores and speed (from /proc/cpuinfo)

CPU usage (from /proc/stat)

Gateway IP and MAC (from /proc/net/route and /proc/net/arp)

Network interface stats (from /proc/net/dev)

Memory total (from /proc/meminfo)

Sent/received traffic (from /proc/net/dev)

OS name and version (via uname)

During installation the backdoor may replace common utilities ( /bin/netstat, /usr/bin/ps, etc.) with malicious versions, hide itself as a daemon, and create symbolic links to ensure persistence. It can receive commands from its C2 server to launch DDoS attacks, update itself, or execute arbitrary instructions.

Geographical analysis of DDoS attacks launched by this trojan shows a concentration on Chinese servers, but targets worldwide.