DDoS Virus infection (as a unix service) on a Debian 8 VM Webserver
We suffered a similar infection on Suse, probably through ssh brute force login.
The steps to clean are:
-
Check the file
/etc/crontab
. You probably have an entry to call the virus every 3 minutes*/3 * * * * root /etc/cron.hourly/cron.sh
Delete this line.
- Identify the parent process of the virus. The
rguoywvrf
in yourps -ej
. The other proceses are created and killed continously. - Stop it, dont kill it, with
kill -STOP 1632
- Check with another
ps -ej
that only the parent lives, the children should die quickly - Now you can delete the files in
/usr/bin
and/etc/init.d
. There are variants of the virus that also uses/boot
or/bin
. Usels -lt | head
to look for files that have been modified recently. - Check the script in
/etc/cron.hourly/cron.sh
. In our server it was calling another copy of the virus on/lib/libgcc.so
. Delete both files. - Now you can kill definitely the
rguoywvrf
process.
To answer your questions:
- Without the necessary precautions (off site syslog, IDS, log monitoring, etc) you'll probably never find out what happened.
- I would have to agree with Matt. You'll invest time to get a machine running which you will never really trust. In my opinion, the best solution is to move the data off site & redo the machine.
Of course, for what it is worth, this is only my opinion. Though, when redoing the machine, you can of course take the necessary precautions & protect yourself better in the future.