Am I hacked? Unknown processes dsfref, gfhddsfew, dsfref, etc. automatically start in CentOS 6.5

I'm using CentOS 6.5. I recently realized that my computer is downloading something (I didn't even ask for it) at a download speed of 11 Mbps, but the scary part is that my internet download speed is 800 Kbps; it shows 200 GB downloaded every day, etc. You can see some unknown processes starting in image 1 attached: gfhddsfew, sdmfdsfhjfe, gfhjrtfyhuf, dsfrefr, ferwfrre, rewgtf3er4t, sfewfesfs, sdmfdsfhjfe,

I tried to kill all the processes manually with the kill command and deleted the files from the /etc/ folder, but still, if I connect to the Internet, these files come back into /etc/ automatically. I do not see this problem in Windows (my computer dual-boots).

Note: I used chattr -i to change the permissions and deleted the sfewfesfs file; when I tried to delete the file without using chattr, its permissions were denied / the file could not be deleted. And one more thing: when I used the command # rm /etc/sfewfesfs without chattr, the computer rebooted; this happened every time I tried to delete the file without chattr. And these executables are displayed in the running processes only when the internet is connected.

Note: I'm using a cable internet bundle (beamtele.com, Hyderabad, India)

Here are the images that show the problem

[Image: Issue depiction #1] [Image: Issue depiction #2]

+6
7 answers

Yes, you were hacked!

Congratulations!

It looks like you have a rootkit or a vulnerability. Try updating your system and using utilities like rkhunter and clamav.

Then you need to check the system files:

rpm -Va    # verify every installed package against the RPM database

Or you can completely reinstall your system.

+7

It will not help even if you delete these files: /tmp/.sshdd1401029612 or /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs

You can first delete several (binary) files planted on your system by an attacker:

(A) /etc/rcX.d/S99local (X = 2, 3, 4, 5)

This script calls /etc/rc.d/rc.local, which launches several attacks on your system.

(B) So it is better to delete this file immediately. You will see that the contents of this file launch several binaries that attack your system:


    #!/bin/sh
    #
    # This script will be executed *after* all the other init scripts.
    # You can put your own initialization stuff in here if you don't
    # want to do the full Sys V style init stuff.

    touch /var/lock/subsys/local
    cd /etc;./sfewfesfs
    cd /etc;./gfhjrtfyhuf
    cd /etc;./rewgtf3er4t
    cd /etc;./sdmfdsfhjfe
    cd /etc;./gfhddsfew
    cd /etc;./ferwfrre
    cd /etc;./dsfrefr
    cd /etc;./sfewfesfs
    cd /etc;./gfhjrtfyhuf
    cd /etc;./rewgtf3er4t
    cd /etc;./sdmfdsfhjfe
    cd /etc;./gfhddsfew
    cd /etc;./ferwfrre
    cd /etc;./dsfrefr
    cd /etc;./sfewfesfs
    cd /etc;./gfhjrtfyhuf
    cd /etc;./rewgtf3er4t
    cd /etc;./sdmfdsfhjfe
    cd /etc;./gfhddsfew
    cd /etc;./ferwfrre
    cd /etc;./dsfrefr
    cd /etc;./sfewfesfs
    cd /etc;./gfhjrtfyhuf
    cd /etc;./rewgtf3er4t
    cd /etc;./sdmfdsfhjfe
    cd /etc;./gfhddsfew
    cd /etc;./ferwfrre
    cd /etc;./dsfrefr
    cd /etc;./sfewfesfs
    cd /etc;./gfhjrtfyhuf
    cd /etc;./rewgtf3er4t
    cd /etc;./sdmfdsfhjfe
    cd /etc;./gfhddsfew
    cd /etc;./ferwfrre
    cd /etc;./dsfrefr
    cd /etc;./sfewfesfs
    cd /etc;./gfhjrtfyhuf
    cd /etc;./rewgtf3er4t
    cd /etc;./sdmfdsfhjfe
    cd /etc;./gfhddsfew
    cd /etc;./ferwfrre
    cd /etc;./dsfrefr

It is strongly recommended that you forcibly delete this /etc/rc.d/rc.local file.

(C) After deleting the files above, you can use sudo to terminate the processes:

(i) /etc/ssh/sshpa

which causes the creation of /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs

(ii) and terminate the processes: /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs

(D) Delete these files immediately: /etc/ssh/sshpa, /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs

and use htop to make sure they no longer run in the background.

(E) Update your system, and remember to change the root password and the passwords of all users.

Unfortunately, chkrootkit and rkhunter may not be able to detect this attacker. Perhaps I do not know how to use these two rootkit detectors fully. Or perhaps their rootkit databases need to be updated. Or maybe there is another reason...

+1
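An added example for the cleanup steps (A) to (D) in the answer above; this is written for this edit and was not posted by the answerer, and every function name and the sample rc.local contents are constructed (the sample mirrors the launch lines quoted in the answer). It pulls the `cd /etc;./name` launch lines out of an rc.local-style script, checks whether a file carries the ext2/3/4 immutable attribute that makes a plain rm fail until chattr -i is run, asks rpm whether a path belongs to any installed package, and kills and removes a planted binary. One caveat on (A) and (B): on a stock CentOS 6 install /etc/rc.local and /etc/rc.d/rcN.d/S99local are the normal symlinks to /etc/rc.d/rc.local, so the example restores rc.local to its stock contents instead of deleting it.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers for the cleanup steps in
# the answer above; function names and the sample rc.local are constructed.

# (B) List, once each, the /etc executables an rc.local-style script launches
#     via lines of the form "cd /etc;./name" (as in the quoted rc.local).
rc_local_launches() {
    sed -n 's#^[[:space:]]*cd /etc;[[:space:]]*\./\([A-Za-z0-9._-]*\).*#/etc/\1#p' "$1" \
        | sort -u
}

# Does the file carry the ext2/3/4 immutable flag ('i' in lsattr output)?
# That flag is why a plain rm fails until chattr -i is run. Needs e2fsprogs;
# returns false when lsattr is unavailable or the file does not exist.
is_immutable() {
    lsattr -d "$1" 2>/dev/null | awk '{ print $1 }' | grep -q 'i'
}

# Does any installed RPM own this path? Legitimate /etc files are owned by a
# package (rpm -qf); attacker-planted binaries are not.
owned_by_package() {
    rpm -qf "$1" >/dev/null 2>&1
}

# (C)/(D) Kill the running copy, clear +i, then remove the file. The processes
# were started as "./name" from /etc, so match on process name, not full path.
remove_planted_binary() {
    f="$1"
    [ -e "$f" ] || return 0
    pkill -9 -x "$(basename "$f")" 2>/dev/null || :
    if is_immutable "$f"; then
        chattr -i "$f"
    fi
    rm -f -- "$f"
}

# (A)/(B) Instead of deleting /etc/rc.d/rc.local (rcN.d/S99local and
# /etc/rc.local are its stock symlinks on CentOS 6), put back the stock
# contents so nothing from /etc is launched at boot any more.
restore_stock_rc_local() {
    cat > "$1" <<'EOF'
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
EOF
    chmod 755 "$1"
}

# Constructed sample standing in for the infected /etc/rc.d/rc.local.
SAMPLE_RC_LOCAL=$(mktemp)
cat > "$SAMPLE_RC_LOCAL" <<'EOF'
#!/bin/sh
touch /var/lock/subsys/local
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
EOF

# Dry run on the sample: prints /etc/gfhjrtfyhuf /etc/rewgtf3er4t /etc/sfewfesfs
rc_local_launches "$SAMPLE_RC_LOCAL"

# On the real host, as root, after closing the attacker's ssh access:
#   for f in $(rc_local_launches /etc/rc.d/rc.local); do
#       owned_by_package "$f" || remove_planted_binary "$f"
#   done
#   restore_stock_rc_local /etc/rc.d/rc.local
```

Run it as root only after the attacker's remote access is closed, and restore rc.local (or comment out its launch lines) before removing the binaries so nothing respawns them. If rm still triggers a reboot as the asker reports, do the removal from a rescue boot with the root filesystem mounted rather than on the running system.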

I found out that there is an .SSH2 executable in the /etc/ folder. Delete it. This probably causes another executable, .sshdd1401029612, to be created in the /tmp/ directory, which causes all the problems. I checked it with htop. The file is large. The other files gfhddsfew, sdmfdsfhjfe, gfhjrtfyhuf, dsfrefr, ferwfrre were most likely dummy files.

0

Thanks for sharing your issue. If you hadn't shared it, it would have been very difficult to reach a quick conclusion.

I also use a cable network, in Mumbai. This is a virus attack. Linux?? A virus??? That was my reaction too.

Finally, I found that the root access path to the machine was via ssh, because of a weak password (the password "root").

To disable ssh root login, edit /etc/ssh/sshd_config and add/change the following line:

PermitRootLogin no

Links: https://forum.manjaro.org/index.php?topic=13806.0

0
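An added example for the sshd_config change in the answer above (written for this edit, not posted by the answerer; the function names and the sample config are constructed). The check a practitioner wants here: sshd uses the first value it reads for a keyword (sshd_config(5)), so simply appending `PermitRootLogin no` below an uncommented `PermitRootLogin yes` changes nothing. The first function reports the value sshd will actually use, treating an unset keyword as the upstream default "yes" (the CentOS 6 stock file only carries the commented `#PermitRootLogin yes`) and ignoring directives inside a Match block; the second rewrites the file so "no" really is first.

```shell
#!/bin/sh
# Added example, not code from the thread. sshd uses the FIRST value it reads
# for a keyword in sshd_config (sshd_config(5)), so appending
# "PermitRootLogin no" below an existing "PermitRootLogin yes" changes nothing.
# Function names and the sample config are constructed for this example.

# Effective PermitRootLogin for a given sshd_config: first uncommented
# occurrence wins; keyword matching is case-insensitive; directives inside a
# Match block are conditional and not considered; unset means "yes", the
# upstream default that CentOS 6 ships (its file only has "#PermitRootLogin yes").
effective_permit_root_login() {
    v=$(awk 'tolower($1) == "match" { exit }
             tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        printf 'yes\n'
    fi
}

# Make "no" the effective value: drop every global PermitRootLogin line
# (commented defaults included) and put a single "PermitRootLogin no" first,
# leaving any Match block untouched.
force_permit_root_login_no() {
    tmp=$(mktemp)
    {
        printf 'PermitRootLogin no\n'
        awk 'tolower($1) == "match" { in_match = 1 }
             !in_match && tolower($1) ~ /^#?permitrootlogin$/ { next }
             { print }' "$1"
    } > "$tmp"
    cat "$tmp" > "$1"    # rewrite in place, keeping the original inode and mode
    rm -f "$tmp"
}

# Constructed sample: "no" was appended at the bottom, as one reading of
# "add the following line" would do, but the earlier "yes" is what sshd honours.
SAMPLE_SSHD_CONFIG=$(mktemp)
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
# added later, never takes effect:
PermitRootLogin no
EOF

effective_permit_root_login "$SAMPLE_SSHD_CONFIG"    # yes
force_permit_root_login_no "$SAMPLE_SSHD_CONFIG"
effective_permit_root_login "$SAMPLE_SSHD_CONFIG"    # no
```

On the real host, after editing, `sshd -t` syntax-checks the file and `sshd -T | grep -i permitrootlogin` prints the value sshd will use (both are in the OpenSSH 5.3 that CentOS 6 ships); then `service sshd reload`, keeping an existing root session open until a fresh non-root login works. Since a guessed root password was the entry point here, setting `PasswordAuthentication no` and moving to key-based logins closes the same door for every other account.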

Also see: https://isc.sans.edu/forums/diary/Unfriendly+crontab+additions/17282/ Your crontab might look like this; in any case, get rid of these nasty entries before deleting the files above. ClamAV found two exploits on my server, and my crontab listed www.frade8c.com, which was traced to Beijing. After doing all of the above, including disabling remote root login, be sure to close/change port 22 (if using ssh) and randomize your root password, at least 15 characters.

0

This link was in a post from the review queue that was checked automatically, and I failed it - kudos. However, I thought it was interesting to see what a mischievous script could do - http://pastebin.com/9iqWhWde

Adding batches of entries to rc.local, cleaning logs, killing processes (iptables and, I assume, other bots), and of course adding stuff to cron. If someone else is infected with this or something similar, this will give them some good places to check for damage.

0

I had the same problem on a server. You need to find a way to bring the available disk space down to 0%, or make the folder non-writable. Then delete all the files and you should be free.

0
