Is my server hacked?
Hello All,
I see the following processes continuously run even after killing them.
Code:
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
13820 root      20   0 84264 1276    0 S 77.7  0.0 11:42.93 /etc/sfewfesfsh
13472 root      20   0   968  556  468 S  0.3  0.0  0:00.19 ./atack 700
14413 root      20   0   968  556  468 S  0.3  0.0  0:00.18 ./atack 700
14590 root      20   0   968  556  468 S  0.3  0.0  0:00.18 ./atack 700
14688 root      20   0   968  556  468 S  0.3  0.0  0:00.19 ./atack 700
15364 root      20   0   968  556  468 S  0.3  0.0  0:00.17 ./atack 700
15420 root      20   0   968  556  468 S  0.3  0.0  0:00.17 ./atack 700
15879 root      20   0   968  556  468 S  0.3  0.0  0:00.15 ./atack 700
15979 root      20   0   968  556  468 S  0.3  0.0  0:00.17 ./atack 700
16165 root      20   0   968  556  468 S  0.3  0.0  0:00.17 ./atack 700
Code:
cat /proc/version
Linux version 2.6.32-431.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Fri Nov 22 03:15:09 UTC 2013
Is my server hacked? What steps should I take to stop this? Please advise ASAP.
Thanks in advance
First you need to check the parent process.
I don't think you got my question. Even if I delete the parent process, these programs restart automatically.
Likely BillGates botnet, see ValdikSS/billgates-botnet-tracker.
Try searching for these and post the output:
Code:
ITEMS="pro proh sfewfesfsh pojie DbSecuritySpt xpacket.ko libamplify.so atddd ksapdd kysapdd sksapdd skysapdd ferwfrre gfhddsfew gfhjrtfyhuf rewgtf3er4t sdmfdsfhjfe"
*If you find any do contact me (or add them to http://sourceforge.net/p/rkhunter/feature-requests/) as I'd like a copy please.
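The post above gives the ITEMS list but not the loop to run it through. The script below is an added example written for this thread, not unSpawn's code and not part of rkhunter: it walks a tree for every name in that list (ROOT defaults to `/`, but can be a mounted copy of the suspect disk), prints matches in `find -ls` form so mode bits, owner, size and mtime are visible, and reports any running process whose command name is on the list. The function names and the `-xdev` restriction are my choices.

```shell
#!/bin/sh
# Added example, not from the thread or from rkhunter: search a tree for the
# file names in the ITEMS list above and report matching running processes.

ITEMS="pro proh sfewfesfsh pojie DbSecuritySpt xpacket.ko libamplify.so atddd ksapdd kysapdd sksapdd skysapdd ferwfrre gfhddsfew gfhjrtfyhuf rewgtf3er4t sdmfdsfhjfe"

# find_items ROOT: one path per line for every file under ROOT whose basename
# is in ITEMS. -xdev keeps find on one filesystem, so it never wanders into
# /proc, /sys or other mounts.
find_items() {
    root="${1:-/}"
    for name in $ITEMS; do
        find "$root" -xdev -name "$name" -print 2>/dev/null
    done
}

# list_items ROOT: the same matches in "find -ls" form, so mode bits such as
# the -rwsrwsrwt that shows up later in this thread, owner, size and mtime
# are all on one line.
list_items() {
    root="${1:-/}"
    for name in $ITEMS; do
        find "$root" -xdev -name "$name" -ls 2>/dev/null
    done
}

# running_items: processes whose command name (comm) is one of ITEMS.
# Only the basename is compared: a process started as /etc/sfewfesfsh has
# comm "sfewfesfsh". The ppid column is what "check the parent process" needs.
running_items() {
    for name in $ITEMS; do
        ps -eo pid,ppid,user,comm,args 2>/dev/null | awk -v n="$name" '$4 == n'
    done
}

# Usage: sh thisfile.sh /          (or a mount point of a copied disk)
if [ $# -eq 1 ]; then
    list_items "$1"
    running_items
fi
```

Run it as root so every directory is readable; an empty result from `list_items` combined with a non-empty `running_items` means the binary was unlinked after launch, which `/proc/PID/exe` will still show as `(deleted)`.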
Quote:
Thanks in advance.
Also, I'm not really sure why the find command takes 100% CPU.
Code:
  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
18027 root      20   0  2024  532  456 R 100.0  0.0  0:14.86 find
Regards
Quote:
Code:
1322200 1492 -rwsrwsrwt 1 root root 1524643 Nov 29 02:33 /etc/ferwfrre
Quote:
Code:
cat -v /proc/18027/cmdline; lsof -Pwlnp 18027
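The two commands above answer "what is this process and what does it have open"; the earlier advice to "check the parent process" is the other half. The script below is an added example for this thread, not unSpawn's code: it reads the same information straight from `/proc`, which works on a box where `lsof` is missing or untrusted, and walks the parent chain so a respawning `./atack` can be traced back to whatever starts it. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a PID through /proc without
# lsof. Everything here is plain Linux /proc layout plus coreutils.

# proc_cmdline PID: argv joined by spaces (/proc/PID/cmdline is NUL-separated,
# which is why the thread uses "cat -v" on it).
proc_cmdline() {
    cat "/proc/$1/cmdline" 2>/dev/null | tr '\0' ' ' | sed 's/ $//'
}

# proc_ppid PID: parent PID from /proc/PID/stat. Field 2 is "(comm)" and comm
# may contain spaces or parentheses, so drop everything up to the last ") ".
proc_ppid() {
    sed 's/.*) //' "/proc/$1/stat" 2>/dev/null | awk '{ print $2 }'
}

# proc_exe PID: the binary actually mapped. Shows "(deleted)" when the file
# was unlinked after launch, a common trick with this kind of malware.
proc_exe() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# proc_ancestry PID: "pid cmdline" lines from PID up to init (PID 1).
proc_ancestry() {
    pid="$1"
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] 2>/dev/null; do
        printf '%s %s\n' "$pid" "$(proc_cmdline "$pid")"
        [ "$pid" -eq 1 ] && break
        pid=$(proc_ppid "$pid")
    done
}

# inspect_pid PID: exe, cwd, parent chain and open file descriptors
# (sockets appear as socket:[inode], which can be matched against
# /proc/net/tcp to find the C2 connection).
inspect_pid() {
    pid="$1"
    echo "exe: $(proc_exe "$pid")"
    echo "cwd: $(readlink "/proc/$pid/cwd" 2>/dev/null)"
    echo "ancestry (child first):"
    proc_ancestry "$pid" | sed 's/^/  /'
    echo "open fds:"
    ls -l "/proc/$pid/fd" 2>/dev/null | sed '1d; s/^/  /'
}

# Usage: sh thisfile.sh 18027
if [ $# -eq 1 ]; then
    inspect_pid "$1"
fi
```

If the ancestry of every `./atack` ends at the same PID (or at PID 1 because the spawner daemonised and re-parented), that spawner, not the children, is the thing to stop; killing children while it runs is what produces the "they restart automatically" symptom described earlier in the thread.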
Quote:
Apparently the way to get this is via a weak root password and sshd running. So use key based authentication if possible, and always use a strong password for root (!). btw unspawn, I didn't know you were a big security hotshot :D I went to the rootkit hunter website, and I saw your name there, and I was like, hey, I know that guy! Glad you're on our team :)
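The post above names the two sshd settings that decide whether a weak root password is reachable from the network at all. The script below is an added example for this thread, not the poster's code: it reads an `sshd_config` the way sshd does (first value of a keyword wins, comments ignored, values after a `Match` block ignored because they are conditional) and flags the weak combination. It assumes the OpenSSH defaults that apply to a CentOS 6 box like the one in this thread: an unset `PermitRootLogin` meant `yes` before OpenSSH 7.0, and an unset `PasswordAuthentication` means `yes`. Function names and messages are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config for the settings the
# post above refers to. Assumed defaults: PermitRootLogin unset => yes
# (OpenSSH before 7.0), PasswordAuthentication unset => yes.

# sshd_effective FILE KEYWORD: first uncommented value of KEYWORD before any
# Match block, lower-cased. Prints nothing when the keyword is not set.
sshd_effective() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/       { next }
        tolower($1) == "match" { exit }
        tolower($1) == k       { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE: one line per setting; returns 0 only when neither setting
# leaves root reachable with a password.
audit_sshd() {
    f="$1"
    rc=0
    root=$(sshd_effective "$f" PermitRootLogin)
    pw=$(sshd_effective "$f" PasswordAuthentication)
    case "${root:-yes}" in
        yes) echo "WEAK: PermitRootLogin ${root:-unset (defaults to yes before OpenSSH 7.0)}"; rc=1 ;;
        *)   echo "ok:   PermitRootLogin $root" ;;
    esac
    case "${pw:-yes}" in
        yes) echo "WEAK: PasswordAuthentication ${pw:-unset (defaults to yes)}"; rc=1 ;;
        *)   echo "ok:   PasswordAuthentication $pw" ;;
    esac
    return $rc
}

# Usage: sh thisfile.sh /etc/ssh/sshd_config
if [ $# -eq 1 ]; then
    audit_sshd "$1"
fi
```

The hardened pair is `PermitRootLogin no` plus `PasswordAuthentication no` with keys deployed first; on a machine that is already running `/etc/sfewfesfsh` as root this is a step for the rebuilt box, since the running one cannot be trusted to honour its own configuration.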
Quote:
Code:
2.6.32-431.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) (..) #1 SMP Fri Nov 22 03:15:09 UTC 2013
Code:
2.6.32-431.17.1.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) #1 SMP Wed May 7 23:32:49 UTC 2014
Nov 2013 is hardly ancient... ;)
Please send me the files as requested (if the concept of reciprocity means anything to you) and know by doing so you'll be helping others.
Quote:
If unclear: ask.