LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 05-28-2018, 03:29 AM   #1
shipon_97
Member
 
Registered: Oct 2005
Location: Bangladesh
Posts: 504

Rep: Reputation: 31
suspicious process found on redhat-6.5


Hi ,

I am using RHEL-6.5 and configured the server last week. After connecting it to my local LAN I found some suspicious service/process takes 99% CPU, which makes my system hang. Service names: "zzxouqfdgr", "adlwiqzihpp".

Example:
>> Using the top command:

126886 root 20 0 128m 6384 192 S 3.0 0.0 16:40.53 llnuqxepnh

>> lsof -p 126886
[root@mymensvr ~]# lsof -p 126886
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
llnuqxepn 126886 root cwd DIR 252,0 4096 2 /
llnuqxepn 126886 root rtd DIR 252,0 4096 2 /
llnuqxepn 126886 root txt REG 252,0 625878 5505847 /usr/bin/llnuqxepnh
llnuqxepn 126886 root 0u CHR 1,3 0t0 1028 /dev/null
llnuqxepn 126886 root 1u CHR 1,3 0t0 1028 /dev/null
llnuqxepn 126886 root 2u CHR 1,3 0t0 1028 /dev/null
llnuqxepn 126886 root 3u IPv4 310773 0t0 TCP mymensvr:31387->23.247.54.44:ftp (ESTABLISHED)

>> I killed the process (kill -9 126886), but it is generated again.

How can I resolve this issue? Require urgent help please....
 
Old 05-28-2018, 03:35 AM   #2
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,692

Rep: Reputation: 7275
First of all you need to unplug it, remove it from your network.
Next, you probably need to find the source of it; there can be other infected hosts.
Finally, if it was just installed I would recommend you to reinstall again.

You also might want to check https://www.makeuseof.com/tag/free-l...irus-programs/, especially chkrootkit.
 
Old 05-28-2018, 04:51 AM   #3
shipon_97
Member
 
Registered: Oct 2005
Location: Bangladesh
Posts: 504

Original Poster
Rep: Reputation: 31
Does antivirus resolve this issue?
 
Old 05-28-2018, 05:15 AM   #4
Honest Abe
Member
 
Registered: May 2018
Distribution: CentOS 7, OpenSUSE 15
Posts: 415
Blog Entries: 1

Rep: Reputation: 202
Quote:
Originally Posted by shipon_97 View Post
Does antivirus resolve this issue?
Well, since we can't recreate the issue you are facing, it's on you to try and find out.

Also, I would suggest running these to find out the package name the executable came from -
Code:
rpm -qf /usr/bin/llnuqxepnh
yum provides /usr/bin/llnuqxepnh
Note that the above commands might not give a package name, but it's a good place to start.
 
Old 05-28-2018, 08:50 PM   #5
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524

Rep: Reputation: 1015
Could be crypto mining malware.
 
Old 05-28-2018, 11:15 PM   #6
shipon_97
Member
 
Registered: Oct 2005
Location: Bangladesh
Posts: 504

Original Poster
Rep: Reputation: 31
I think it is not a package issue. I found that some process is created in the /bin and /rc.d locations. When I manually delete this process it regenerates again. Here I give the netstat output:
tcp 0 0 192.168.15.2:18440 122.144.15.55:8080 ESTABLISHED
tcp 0 177 192.168.15.2:20442 198.50.233.68:3306 FIN_WAIT1
tcp 12 0 192.168.15.2:64047 192.168.0.5:7822 ESTABLISHED
tcp 0 0 192.168.15.2:48194 51.38.81.99:2407 ESTABLISHED
tcp 0 0 192.168.15.2:31692 198.50.134.50:3306 ESTABLISHED
tcp 0 0 192.168.15.2:57290 192.168.15.2:1521 ESTABLISHED
tcp 0 0 192.168.15.2:27118 211.103.199.98:8080 ESTABLISHED
tcp 0 0 192.168.15.2:63316 185.61.149.22:2407 ESTABLISHED
tcp 0 0 192.168.15.2:49322 51.38.81.99:2407 ESTABLISHED
tcp 0 0 192.168.15.2:22010 211.103.199.98:8080 ESTABLISHED
tcp 0 0 192.168.15.2:46691 51.38.81.99:2407 ESTABLISHED
tcp 0 1 192.168.15.2:51758 91.195.240.82:21 SYN_SENT
tcp 0 1 192.168.15.2:51757 91.195.240.82:21 SYN_SENT
tcp 0 0 192.168.15.2:36959 155.253.18.121:8080 ESTABLISHED

where you see that most of the real IPs create sessions with my server. I also found this real IP comes from CANADA.

In this situation, I need expert opinions....
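A defender-side triage of the netstat output above, as an added example that is not code from the thread: it parses the posted lines, keeps only connections to addresses outside private/loopback space, and groups them by remote host so review starts with the hosts holding the most sessions. The sample lines are a subset of the OP's output; treating "external address" as the review criterion is an assumed heuristic, not a statement about this malware.

```python
"""Triage of `netstat -nt` output: list connections that leave the local network.

Added example, not from the thread. Sample lines are copied from post #6 above
(the OP's netstat output). Classifying remote addresses as private vs external
is an assumed heuristic for prioritising review, nothing more."""
import ipaddress

# Constructed sample: a subset of the netstat lines posted in this thread
# (columns: proto, recv-q, send-q, local address, remote address, state).
SAMPLE_NETSTAT = """\
tcp 0 0 192.168.15.2:18440 122.144.15.55:8080 ESTABLISHED
tcp 0 177 192.168.15.2:20442 198.50.233.68:3306 FIN_WAIT1
tcp 12 0 192.168.15.2:64047 192.168.0.5:7822 ESTABLISHED
tcp 0 0 192.168.15.2:48194 51.38.81.99:2407 ESTABLISHED
tcp 0 0 192.168.15.2:57290 192.168.15.2:1521 ESTABLISHED
tcp 0 1 192.168.15.2:51758 91.195.240.82:21 SYN_SENT
tcp 0 0 192.168.15.2:49322 51.38.81.99:2407 ESTABLISHED
"""


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per tcp line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue  # skip headers, udp rows and anything malformed
        lip, lport = parts[3].rsplit(":", 1)
        rip, rport = parts[4].rsplit(":", 1)
        yield lip, int(lport), rip, int(rport), parts[5]


def is_external(ip):
    """True when the address is outside RFC1918, loopback and link-local space."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def triage(text):
    """Map each external remote host to its [(remote_port, state), ...] list,
    ordered so the host with the most connections comes first."""
    hits = {}
    for _lip, _lport, rip, rport, state in parse_netstat(text):
        if is_external(rip):
            hits.setdefault(rip, []).append((rport, state))
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for rip, conns in triage(SAMPLE_NETSTAT).items():
        ports = sorted({p for p, _ in conns})
        print(f"{rip:16} {len(conns)} connection(s) ports={ports}")
```

On a live host, feed it the saved output of `netstat -nt` (or `ss -nt` after dropping the header) rather than the embedded sample.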
 
Old 05-29-2018, 12:31 AM   #7
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,692

Rep: Reputation: 7275
No, you need to disconnect it from the network and run, for example, chkrootkit.
 
Old 05-29-2018, 12:52 AM   #8
Honest Abe
Member
 
Registered: May 2018
Distribution: CentOS 7, OpenSUSE 15
Posts: 415
Blog Entries: 1

Rep: Reputation: 202
Best option: wipe everything and reinstall using official repositories.

If it is not possible, we have a long troubleshooting ahead. Someone has already created a nice step-by-step here.

Also, do you have iptables installed? You can disable any outgoing connection other than your intended ports on your known NICs.
 
Old 05-29-2018, 03:19 AM   #9
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,357

Rep: Reputation: 2739
Quote:
llnuqxepn 126886 root 3u IPv4 310773 0t0 TCP mymensvr:31387->23.247.54.44:ftp
This line tells the story. An attacker has gotten in and escalated to root privileges (weak password? kernel exploit?). There is now an established FTP link to what is likely a VPS.
The box has been pwned. A good attacker will have cleared or obfuscated logs to make forensics difficult if not impossible. The only choice is a bare metal rebuild with additional hardening.
Further penetration of the LAN needs to be investigated.
 
Old 05-30-2018, 12:32 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by shipon_97 View Post
I am using RHEL-6.5 and configured the server last week. After connecting it to my local LAN I found some suspicious service/process takes 99% CPU, which makes my system hang. Service names: "zzxouqfdgr", "adlwiqzihpp".
IIRC this is the ".IptabLes/.IptabLex" DDoS botnet. See link in https://www.linuxquestions.org/quest...us-4175546925/. Regardless of the name of the malware, like others said: this is a root compromise, so get the machine off the 'net stat.


Quote:
Originally Posted by shipon_97 View Post
How can I resolve this issue? Require urgent help please....
You resolve the issue indeed by isolating the host, changing all passwords, informing all users of the breach, inspecting and sanitizing any user data you back up from the machine, and then cleanly installing a current, maintained Linux distribution from scratch, updating when updates are released, hardening the machine and auditing it regularly. Please note, if this is indeed ".IptabLes/.IptabLex" then the vulnerabilities started in 2011(!), so the problem isn't exactly "new" I'm afraid, so draw the proper conclusions please...

Last edited by unSpawn; 05-30-2018 at 12:33 PM.
 
Old 06-05-2018, 01:11 AM   #11
PH li
LQ Newbie
 
Registered: Jun 2018
Location: China Nanjing
Posts: 1

Rep: Reputation: Disabled
llnuqxepn 126886 root 3u IPv4 310773 0t0 TCP mymensvr:31387->23.247.54.44:ftp (ESTABLISHED)

I suspect 23.247.54.44 is an attacker. In my network, more than 20 computers establish FTP connections with it. And the connection is always 10 hours per connection, then rests for 14 hours, then repeats. It looks like a botnet.
But these computers that connect with 23.247.54.44 have no malignant behavior, like DDoS. Now I don't know why the attacker controls them.

Does your computer have any malignant behavior after being attacked?

thank you #10

Last edited by PH li; 06-05-2018 at 01:14 AM.
 
Old 06-05-2018, 01:35 AM   #12
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,692

Rep: Reputation: 7275
http://blog.malwaremustdie.org/2014/...on-of-elf.html
http://blog.malwaremustdie.org/2015/...tables-on.html
I don't think you need to wait for that behaviour. You need to reinstall them as soon as possible.
 
  

