Linux - Newbie forum, LinuxQuestions.org
I am using RHEL-6.5 and configured the server last week. After connecting it to my local LAN I found some suspicious service/process that takes 99% CPU, which makes my system hang. Service names: "zzxouqfdgr", "adlwiqzihpp".
First of all you need to unplug it, remove it from your network.
Next, you probably need to find the source of it; there can be other infected hosts.
Finally, if it was just installed I would recommend you to reinstall again.
I think it is not a package issue. I found that some process is created in the /bin and /rc.d locations. When I manually delete this process it regenerates again. Here I give the netstat output:
tcp 0 0 192.168.15.2:18440 122.144.15.55:8080 ESTABLISHED
tcp 0 177 192.168.15.2:20442 198.50.233.68:3306 FIN_WAIT1
tcp 12 0 192.168.15.2:64047 192.168.0.5:7822 ESTABLISHED
tcp 0 0 192.168.15.2:48194 51.38.81.99:2407 ESTABLISHED
tcp 0 0 192.168.15.2:31692 198.50.134.50:3306 ESTABLISHED
tcp 0 0 192.168.15.2:57290 192.168.15.2:1521 ESTABLISHED
tcp 0 0 192.168.15.2:27118 211.103.199.98:8080 ESTABLISHED
tcp 0 0 192.168.15.2:63316 185.61.149.22:2407 ESTABLISHED
tcp 0 0 192.168.15.2:49322 51.38.81.99:2407 ESTABLISHED
tcp 0 0 192.168.15.2:22010 211.103.199.98:8080 ESTABLISHED
tcp 0 0 192.168.15.2:46691 51.38.81.99:2407 ESTABLISHED
tcp 0 1 192.168.15.2:51758 91.195.240.82:21 SYN_SENT
tcp 0 1 192.168.15.2:51757 91.195.240.82:21 SYN_SENT
tcp 0 0 192.168.15.2:36959 155.253.18.121:8080 ESTABLISHED
where you see that most of the real IPs create sessions with my server. I found also that these real IPs come from Canada.
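As an added triage example (not part of this thread), the following shell script summarises a netstat listing of the kind posted above: it flags sessions whose foreign address is outside the loopback and RFC 1918 private ranges, and counts how often each external ip:port pair recurs. The sample lines are a constructed subset of the output above; the function names are mine.

```shell
#!/bin/sh
# Added triage helper, not from the thread. Reads netstat-style lines
# ("proto recv-q send-q local foreign state") and reports external peers.

# Constructed sample: a subset of the netstat lines posted in the thread.
SAMPLE_NETSTAT='tcp 0 0 192.168.15.2:18440 122.144.15.55:8080 ESTABLISHED
tcp 0 177 192.168.15.2:20442 198.50.233.68:3306 FIN_WAIT1
tcp 12 0 192.168.15.2:64047 192.168.0.5:7822 ESTABLISHED
tcp 0 0 192.168.15.2:48194 51.38.81.99:2407 ESTABLISHED
tcp 0 0 192.168.15.2:57290 192.168.15.2:1521 ESTABLISHED
tcp 0 1 192.168.15.2:51758 91.195.240.82:21 SYN_SENT
tcp 0 0 192.168.15.2:49322 51.38.81.99:2407 ESTABLISHED'

# external_peers: read netstat lines on stdin, print "ip port state" for every
# IPv4 TCP/UDP line whose foreign address is not loopback or RFC 1918 private.
external_peers() {
    awk '
    function is_private(ip,   o) {
        split(ip, o, ".")
        if (o[1] + 0 == 10 || o[1] + 0 == 127) return 1
        if (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) return 1
        if (o[1] + 0 == 192 && o[2] + 0 == 168) return 1
        return 0
    }
    ($1 == "tcp" || $1 == "udp") {
        n = split($5, r, ":")          # foreign column is "ip:port"
        if (n == 2 && !is_private(r[1])) print r[1], r[2], $6
    }'
}

# peer_counts: tally sessions per external ip:port, most frequent first.
# The same peer and port recurring across many sessions (51.38.81.99:2407
# above) is the pattern that separates C2 traffic from one-off connections.
peer_counts() {
    external_peers | awk '{ c[$1 ":" $2]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Run directly: on a live host replace the sample with `netstat -antp` output.
printf '%s\n' "$SAMPLE_NETSTAT" | external_peers
printf '%s\n' "$SAMPLE_NETSTAT" | peer_counts
```

Only IPv4 lines are handled; IPv6 entries (`tcp6`, addresses with more than one colon) are skipped on purpose rather than mis-parsed. On a live host, feed it `netstat -antp` so the process column can be matched against the odd service names reported above.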
This line tells the story. An attacker has gotten in and escalated to root privileges (weak password? kernel exploit?). There is now an established FTP link to what is likely a VPS.
The box has been pwned. A good attacker will have cleared or obfuscated logs to make forensics difficult if not impossible. The only choice is a bare metal rebuild with additional hardening.
Further penetration of the LAN needs to be investigated.
IIRC this is the ".IptabLes/.IptabLex" DDoS botnet. See link in https://www.linuxquestions.org/quest...us-4175546925/. Regardless of the name of the malware, like others said: this is a root compromise, so get the machine off the 'net, stat.
Quote:
Originally Posted by shipon_97
How can I resolve this issue? Require urgent help please....
You resolve the issue indeed by isolating the host, changing all passwords, informing all users of the breach, inspecting and sanitizing any user data you back up from the machine and then cleanly installing a current, maintained Linux distribution from scratch, updating when updates are released, hardening the machine and auditing it regularly. Please note if this is indeed ".IptabLes/.IptabLex" then the vulnerabilities started in 2011(!), so the problem isn't exactly "new" I'm afraid, so draw the proper conclusions please...
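Before the rebuild described above, it is worth preserving what the attacker left on disk so the other LAN hosts (the concern raised earlier in the thread) can be compared against it. The following shell functions are an added example, not from the thread or from any poster: they inventory the regular files under a directory (for instance a mounted copy of /etc/rc.d or /bin) with size, mtime and SHA-256, and diff two inventories so anything new, altered or deleted stands out. They assume GNU coreutils (`stat -c`, `sha256sum`); the function names and the paths in the usage comment are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Inventory a directory tree so the
# evidence survives the reinstall and can be compared with a clean host.
# Assumes GNU coreutils (stat -c, sha256sum); paths are relative to SRC so
# inventories taken on different hosts or mount points line up.

# inventory_dir SRC OUT: one tab-separated line per regular file under SRC:
# sha256 <TAB> size <TAB> mtime-epoch <TAB> ./relative/path, sorted by path.
inventory_dir() {
    src=$1; out=$2
    ( cd "$src" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          h=$(sha256sum "$f" | cut -d' ' -f1)
          printf '%s\t%s\t%s\t%s\n' "$h" "$(stat -c %s "$f")" "$(stat -c %Y "$f")" "$f"
      done ) > "$out"
}

# diff_inventory CLEAN SUSPECT: print paths that are absent from CLEAN or whose
# hash differs, i.e. the files to examine on the suspect host. Paths present
# only in CLEAN (deleted on the suspect box) are printed with a "missing" prefix.
diff_inventory() {
    awk -F'\t' '
        NR == FNR { clean[$4] = $1; next }
        { seen[$4] = 1; if (!($4 in clean) || clean[$4] != $1) print $4 }
        END { for (p in clean) if (!(p in seen)) print "missing", p }
    ' "$1" "$2"
}

# Usage on a live case (paths are assumptions): compare the init scripts of a
# known-good install against the compromised one, then repeat for /bin.
#   inventory_dir /mnt/clean/etc/rc.d clean.tsv
#   inventory_dir /mnt/suspect/etc/rc.d suspect.tsv
#   diff_inventory clean.tsv suspect.tsv
```

Run the inventory from a rescue medium or against a mounted image rather than on the running system, since a rootkit on the live host can hide files from `find`. Keep the resulting .tsv files off the box; they are what lets you check the rest of the LAN for the same dropped binaries once the server itself has been rebuilt.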
I suspect 23.247.54.44 is an attacker. In my net, more than 20 computers establish FTP connections with it. And the connection always lasts 10 hours per connection and rests for 14 hours, then repeats. It looks like a botnet.
But these computers that connect with 23.247.54.44 have no malignant behavior, like DDoS. Now I don't know why the attacker controls them.
Does your computer have any malignant behavior after being attacked?