Suspicious process: /tmp/init -c /tmp/init12.cfg
Soon after the 2020 new year's holiday, I found a suspicious process on my web server:
    11777 ? Ssl 30038:48 /tmp/init -c /tmp/init12.cfg

It was using almost 100% CPU, and it was now shown in "netstat -plnt" output.

    > ls -l /tmp/init
    -rwxr-xr-x 1 root root 902084 Jul 16 2015 /tmp/init
    > file /tmp/init
    /tmp/init: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped

There was another file in /tmp:

    > ls -l javax
    -rwxr-xr-x 1 root root 3 Jan 19 01:47 javax
    > file javax
    javax: ASCII text, with no line terminators
    > cat javax
    748

And there were a bunch of immutable empty directories in /tmp:

    Demon.x86 NoIr_x.86 Ouija_x.86 Yui.x86 a a_thk ai.x86 baby config.json cross.sh efjins
    evolutions httpdz ini initdz kerberods kh kionai ksoftirqds kthrotlds kworkerds lilpip
    log_rot mcoin mcoin-ankit migrations networkservice php pvds pvds2 pvds3 r.sh racks_s
    rogue_s rzx seasame skfednw46d.mips skfednw46d.x86 sqlcan syscb sysguard sysnpmc sysr.sh
    sysupdate update.sh watchbog watchdogs x86 x86_64 xdsf xfsalloc xmrig_s

They all belonged to the root user and had a mode of r-xr-xr-x. I had to run "chattr -i -a" and "chmod 755" on them before removing them.

I killed the /tmp/init process and removed all the above files and directories in /tmp, and things seemed to be OK. But today I found that exactly the same thing happened again: a "/tmp/init -c /tmp/init12.cfg" process using 99% to 100% CPU, and seemingly the same immutable empty directories in /tmp.

Here is the "netstat -plnt" output of my nginx web server:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      6519/master
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      21043/nginx
    tcp        0      0 0.0.0.0:26725           0.0.0.0:*               LISTEN      17922/sshd
    tcp        0      0 0.0.0.0:18983           0.0.0.0:*               LISTEN      1336/java
    tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      2340/php-fpm.conf)
    tcp        0      0 127.0.0.1:9001          0.0.0.0:*               LISTEN      2340/php-fpm.conf)
    tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      26649/mysqld
    tcp        0      0 127.0.0.1:7983          0.0.0.0:*               LISTEN      1336/java
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      21043/nginx
    tcp        0      0 0.0.0.0:41490           0.0.0.0:*               LISTEN      1336/java
    tcp        0      0 0.0.0.0:8983            0.0.0.0:*               LISTEN      1336/java
    tcp6       0      0 :::26725                :::*                    LISTEN      17922/sshd

This is Ubuntu 14.04.5 LTS x86_64 with kernel 3.13.0-45-generic, nginx 1.4.6-1ubuntu3.5, PHP 5.6.23, OpenSSL 1.0.2h, openjdk-7-jre 7u111-2.6.7-0ubuntu0.14.04.3.

Any idea about the root cause or security hole, the hacking method used, or measures for security hardening is appreciated, thanks!
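The post above describes two indicators by hand: a process whose executable lives in /tmp, and /tmp entries carrying the immutable or append-only attribute that had to be cleared with "chattr -i -a" before removal. The script below is an added example for re-checking both indicators after cleanup; it is not code from the original post or from any reply. It assumes a system with the ps, lsattr and chattr commands, and it generalises the check slightly beyond the post by also flagging executables under /var/tmp and /dev/shm. The ps and lsattr sample lines embedded in the script are constructed for demonstration and mirror the post's /tmp/init process and a few of its directory names; with --live the same functions read the real ps and lsattr output instead.

```shell
#!/bin/sh
# Added example, not from the original post: detect the two indicators
# described above (executables running out of /tmp, and immutable or
# append-only entries in /tmp) and emit the release commands the post used.

# Reads "ps -eo pid,user,args" output on stdin; prints "pid user args" for
# each process whose command path starts with /tmp, /var/tmp or /dev/shm.
flag_tmp_processes() {
    awk 'NR > 1 && $3 ~ /^\/(tmp|var\/tmp|dev\/shm)\// {
        pid = $1; user = $2; $1 = ""; $2 = ""; sub(/^ +/, "")
        print pid, user, $0
    }'
}

# Reads "lsattr -d" output on stdin (attribute string, then path); prints
# the path of each entry flagged immutable (i) or append-only (a).
# The path is recovered from the rest of the line, so spaces in it survive.
flag_immutable_entries() {
    awk '{ attrs = $1; sub(/^[^ ]+ +/, ""); if (attrs ~ /[ia]/) print }'
}

# Reads flagged paths on stdin; prints the chattr/chmod commands that the
# post needed before removal, one line per path, for review before running.
plan_release() {
    while IFS= read -r p; do
        printf "chattr -i -a '%s' && chmod 755 '%s'\n" "$p" "$p"
    done
}

# Constructed sample input (not a capture from the poster's machine).
PS_SAMPLE='  PID USER     COMMAND
11777 root     /tmp/init -c /tmp/init12.cfg
21043 www-data nginx: worker process
 1336 solr     /usr/bin/java -jar start.jar'

LSATTR_SAMPLE='----i---------e----- /tmp/kworkerds
--------------e----- /tmp/javax
-----a--------e----- /tmp/log_rot'

if [ "${1:-}" = "--live" ]; then
    # Live mode: same checks against the running system.
    ps -eo pid,user,args | flag_tmp_processes
    lsattr -d /tmp/* /tmp/.[!.]* 2>/dev/null | flag_immutable_entries | plan_release
else
    echo "== processes executing from temp dirs (sample) =="
    printf '%s\n' "$PS_SAMPLE" | flag_tmp_processes
    echo "== immutable/append-only temp entries (sample) =="
    printf '%s\n' "$LSATTR_SAMPLE" | flag_immutable_entries | plan_release
fi
```

Running without arguments exercises the constructed samples; "sh script.sh --live" runs the same logic against the host. The release commands are printed rather than executed so that the list can be reviewed first, and because, as the post notes, a process that re-creates these entries must be stopped before removal has any lasting effect.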
Just reinstall. Immediately. https://linux-audit.com/intrusion-de...inux-rootkits/