crond64/tsm virus in Ubuntu

malware antivirus

I had the same. The service installed rsync and got some files. I found a dota.tar.gz file in the user folder.

  1. deny port 22 outgoing in firewall (e.g. ufw deny out 22)
  2. pkill -KILL -u kodi ( this kills all running processes of user kodi)
  3. deluser kodi
  4. remove userhome
  5. remove rsync (I didn't use this)
  6. remove /tmp/.mountfs*

Please take note this will probably ruin things for kodi. Instead of removing the whole userhome you can probably only remove dota.tar.gz (if it's there) and the .ttp folder (do not forget to clean the crontab!)

After a reboot I don't see any outgoing connections anymore (check with: 

netstat -peanut | grep 22

Infection happened via a user with a weak password (kodi account with the default password maybe?)


In my case the source of infection was a user thad dind't change his unsafe password from when I created his account (of course I told him to). My server probably is on some lists: i get around 1000 bans a week from fail2ban (try 4 times with a wrong user or password and be blocked for a month)


I had the same malware. Entry was through an unsave user password via ssh (non-default port), was detected and removed after roughly 24 hours.

In my case, deleting the user's crontab, rm -rdf /tmp/.*, rm -rdf /home/user/.*, killall -u user was enough.

Related

Replacing a file inside a hidden folder via terminal
Where is the upper layer of the live cd image overlayfs root filesystem stored?
Transfer old BIOS ubuntu to new UEFI machine?
How to find required information in man [duplicate]
terminal command for Espruino Web IDE
How to mount external drive with the same name every time?
How to display error messages during .configure to the standard console?
SSH Permission Denied
Certain key combinations are not working
Update the certificates on Ubuntu 16.04 TLS [closed]
persistence: how to modify location of upper and work directories?
Human readable javascripts in chrome developer tools