Unknown linux process with random command

I have some experience with this random 10-bit string trojan; it will send lots of packets for a SYN flood.

  1. Cut down your network.

The trojan has a raw file coming from /lib/libudev.so; it will copy itself and fork again. It will also add a cron.hourly job named gcc.sh, then it will add an init script in your /etc/rc*.d (Debian; on CentOS it may be /etc/rc.d/{init,rc{1,2,3,4,5}}.d).

  2. Use root to run the script below to change the folder privileges: `chmod 0000 /lib/libudev.so && rm -rf /lib/libudev.so && chattr +i /lib/`

  3. Delete all /etc/rc{0,1,2,3,4,5,6,S}.d files which were created today. The name looks like S01????????.

  4. Edit your crontab: delete the gcc.sh script in your /etc/cron.hourly, delete the gcc.sh file (/etc/cron.hourly/gcc.sh), then add privileges for your crontab: `sed -i '/gcc.sh/d' /etc/crontab && chmod 0000 /etc/crontab && chattr +i /etc/crontab`

  5. Use this command to check the latest file changes: `ls -lrt`

If you find any suspicious files named S01xxxxxxxx (or K8xxxxxxxx), delete them.

  6. Then you should reboot without network.

Then the trojan should be cleaned and you can modify the folder privileges back to the original values (`chattr -i /lib /etc/crontab`).
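The cleanup steps above, as an added example that is not code from the answer: a small POSIX shell script that scans for the artifacts the answer names (fresh rc*.d entries with a random name, /etc/cron.hourly/gcc.sh, a gcc.sh line in /etc/crontab, and the unversioned /lib/libudev.so) and removes whatever the operator confirms. The root prefix argument, the function names and the exact name pattern (S or K, one or two digits, then 10 random alphanumerics) are assumptions made here so the scan can be rehearsed against a copied tree; run it on the live system only after the trojan process has been paused or killed and the network disconnected, otherwise the running copy recreates the files.

```shell
#!/bin/sh
# Added example (not from the original answers): locate and remove the XorDDoS
# persistence artifacts the answer lists, under an optional root prefix so the
# scan can be rehearsed on a copied tree before touching the live system.

# Assumed naming for the dropped init entries (hypothetical, tightened from the
# "S01????????" / "K8xxxxxxxx" shapes in the answer): S or K, one or two
# digits, then a 10-character random alphanumeric name.
RC_NAME_RE='^[SK][0-9]{1,2}[A-Za-z0-9]{10}$'

# scan_xorddos [ROOT]
# Prints one "<kind> <path>" line per candidate artifact. ROOT defaults to the
# live filesystem; pass a directory to scan a copy. Review the list before
# feeding it to clean_xorddos: the name check is a heuristic, and a freshly
# installed package could leave a legitimate rc entry with a 10-letter name.
scan_xorddos() {
    root="${1:-}"
    # rc*.d entries created within the last day whose name fits the pattern.
    # '*/rc*.d/*' covers Debian (/etc/rc2.d) and CentOS (/etc/rc.d/rc2.d).
    find "$root/etc" \( -type f -o -type l \) -path '*/rc*.d/*' -mtime -1 2>/dev/null |
        while IFS= read -r p; do
            if basename "$p" | grep -Eq "$RC_NAME_RE"; then
                printf 'rc-entry %s\n' "$p"
            fi
        done
    # The hourly cron dropper and any crontab line that references it.
    if [ -f "$root/etc/cron.hourly/gcc.sh" ]; then
        printf 'cron-job %s\n' "$root/etc/cron.hourly/gcc.sh"
    fi
    if [ -f "$root/etc/crontab" ] && grep -q 'gcc.sh' "$root/etc/crontab"; then
        printf 'crontab-line %s\n' "$root/etc/crontab"
    fi
    # The dropped binary itself: the distribution's libudev is a versioned
    # .so.N, so an unversioned file at exactly this path is suspect.
    if [ -e "$root/lib/libudev.so" ]; then
        printf 'dropper %s\n' "$root/lib/libudev.so"
    fi
    return 0
}

# clean_xorddos
# Reads the (reviewed) scan output on stdin and removes each artifact. The
# crontab is rewritten in place rather than deleted so the legitimate
# run-parts entries survive.
clean_xorddos() {
    while read -r kind path; do
        case "$kind" in
            crontab-line)
                # grep -v exits 1 when no line is left, which is not an error here
                grep -v 'gcc.sh' "$path" > "$path.tmp" || true
                cat "$path.tmp" > "$path"
                rm -f "$path.tmp"
                ;;
            rc-entry|cron-job|dropper)
                rm -f "$path"
                ;;
        esac
    done
}

# Typical use on the live system, as root, after pausing the process:
#   scan_xorddos > /root/xorddos-findings.txt   # inspect and trim the list
#   clean_xorddos < /root/xorddos-findings.txt
#   chattr +i /lib /etc/crontab                # then reboot without network
```

The scan and the removal are split deliberately: the scan only prints, so a false positive (a legitimate rc entry that happens to fit the pattern) can be struck from the list before anything is deleted, and the same script can be pointed at a mounted image of the disk for a forensic look before the live cleanup.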


This is known as the XorDDoS Linux Trojan. The trick is to run kill with -STOP so the process is paused and doesn't create a new one.

`kill -STOP PROCESS_ID`