[RESOLVED] Router reboots when I connect this machine

Galaxy_Stranger
Posts: 12
Joined: 2011/07/28 21:02:26

Re: Router reboots when I connect this machine

Post by Galaxy_Stranger » 2015/01/12 23:27:03

My body is ready.

I'll update the firmware first and proceed from there. Prolly take me a couple days.

Galaxy_Stranger
Posts: 12
Joined: 2011/07/28 21:02:26

Re: Router reboots when I connect this machine

Post by Galaxy_Stranger » 2015/01/13 06:25:31

UPDATE!

Ok, I got Wireshark up and running. Whilst monitoring my ethernet port, I set it to stop capturing after 5000 packets.

It got done in less than 30 seconds.

The VAST majority of packets (after the 84th) are sending something to an IP address in China. Plus, I get random processes coming and going named "cmmfdmtgyw" and other random names.
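The triage described in the post above, as an added example that is not part of the thread: a short script that takes a packet-list export and reports whether one outside host is receiving most of the frames, and at which frame that started. The input is constructed to look like a tab-separated `tshark -T fields -e frame.number -e ip.src -e ip.dst -e frame.len` export (one reasonable way to get Wireshark's packet list into a script); the RFC 5737 documentation addresses stand in for whatever real remote host a capture shows.

```python
"""Summarise a packet-list export to find where a machine's traffic is going.

Added example, not code from the forum thread. The capture text is
constructed to look like a tab-separated tshark field export
(tshark -r capture.pcap -T fields -e frame.number -e ip.src -e ip.dst -e frame.len).
"""
import ipaddress
from collections import Counter

# Constructed sample: a little local chatter, then a flood to one outside host.
SAMPLE_CAPTURE = """\
1\t192.168.1.20\t192.168.1.1\t74
2\t192.168.1.1\t192.168.1.20\t74
3\t192.168.1.20\t192.168.1.1\t98
4\t192.168.1.20\t203.0.113.45\t1514
5\t192.168.1.20\t203.0.113.45\t1514
6\t192.168.1.20\t203.0.113.45\t1514
7\t203.0.113.45\t192.168.1.20\t66
8\t192.168.1.20\t203.0.113.45\t1514
9\t192.168.1.20\t203.0.113.45\t1514
10\t192.168.1.20\t203.0.113.45\t1514
11\t192.168.1.20\t198.51.100.7\t120
12\t192.168.1.20\t203.0.113.45\t1514
"""

# Only these ranges count as "local"; anything else is an outside destination.
# ipaddress.is_private is deliberately not used: it also covers the RFC 5737
# documentation ranges that the constructed sample uses as remote hosts.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def parse_capture(text):
    """Yield (frame, src, dst, length); silently skip malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        try:
            yield (int(parts[0]), ipaddress.ip_address(parts[1]),
                   ipaddress.ip_address(parts[2]), int(parts[3]))
        except ValueError:
            continue


def outbound_by_destination(text):
    """Count outbound frames and bytes per outside destination."""
    frames, octets = Counter(), Counter()
    for _, src, dst, length in parse_capture(text):
        if is_local(src) and not is_local(dst):
            frames[str(dst)] += 1
            octets[str(dst)] += length
    return frames, octets


def dominant_destination(text, share=0.5):
    """Return (ip, fraction_of_all_frames, first_frame) for the single outside
    host that receives more than `share` of every captured frame, else None."""
    total = sum(1 for _ in parse_capture(text))
    frames, _ = outbound_by_destination(text)
    if total == 0 or not frames:
        return None
    ip, n = frames.most_common(1)[0]
    if n / total <= share:
        return None
    first = next(f for f, src, dst, _ in parse_capture(text)
                 if str(dst) == ip and is_local(src))
    return ip, n / total, first


if __name__ == "__main__":
    hit = dominant_destination(SAMPLE_CAPTURE)
    if hit:
        ip, frac, first = hit
        print(f"{ip} receives {frac:.0%} of all frames, starting at frame {first}")
```

Once a destination stands out, mapping the socket to its owning process (`ss -ntp` or `lsof -i` on the host) is the natural next step, with the caveat raised later in the thread: if the kernel itself is compromised, those tools can be lied to, so the capture taken from outside the machine is the more trustworthy evidence.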

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Router reboots when I connect this machine

Post by TrevorH » 2015/01/13 13:58:55

Sounds suspiciously like you've been hacked to me on a quick read of that.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Router reboots when I connect this machine

Post by aks » 2015/01/13 18:43:08

Yup, I agree, you've been hacked, probably through a vulnerability at the application layer.

Now we start the tedious process of finding out how to clean. You have two options:
1) Sod everything and reinstall (preferably losing all data as well).
2) Find out where the daemon(s) (like cmmfdmtgyw) are being launched.

1 is easy, 2 may be very, very hard. How do you wish to proceed?

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Router reboots when I connect this machine

Post by TrevorH » 2015/01/13 19:56:56

No, there is no option "clean". They've had access to the system for who-knows-how-long and there could be $unknown number of backdoors installed and no matter how many you find, you'll never know if you got them all.

Reinstall.

Galaxy_Stranger
Posts: 12
Joined: 2011/07/28 21:02:26

Re: Router reboots when I connect this machine

Post by Galaxy_Stranger » 2015/01/14 00:57:17

Out of curiosity, how would one try to figure out where the services are being launched from?

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: Router reboots when I connect this machine

Post by gerald_clark » 2015/01/14 02:55:03

You don't. Wipe and re-install.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Router reboots when I connect this machine

Post by aks » 2015/01/14 17:06:35

I guess it's an academic exercise (for your own learning) but you could search through the init files, as they start at boot. It could even be in the kernel, which would be a lot harder to find.
One strong piece of advice though: do not connect the machine to any network - keep it as isolated as possible and do not use any writable removable media.
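The "search through the init files" exercise, as an added example that is not from the thread: hash every file under the places a SysV-style system consults at boot, keep that as a baseline taken from a known-good install, and later diff the live tree against it. The location list mirrors a CentOS 6 layout; the functions take a root directory so the demo runs against a constructed temporary tree rather than the real system, and the manifest shape (`{path: sha256}`) is this example's own, not any tool's format.

```python
"""Diff the autostart locations of a SysV system against a known-good manifest.

Added example, not code from the thread. Run build_manifest("/") on a clean
install, keep the result offline, and compare later; the demo below does the
same against a constructed temporary tree.
"""
import hashlib
import os
import shutil
import tempfile

# Places a SysV-style system consults at boot or login; each is a file or a directory.
AUTOSTART_LOCATIONS = [
    "/etc/rc.d/init.d", "/etc/rc.d/rc3.d", "/etc/rc.d/rc5.d", "/etc/rc.d/rc.local",
    "/etc/cron.d", "/etc/profile.d", "/etc/ld.so.preload",
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, locations=AUTOSTART_LOCATIONS):
    """Map every regular file under the locations (relative to root) to its hash.
    Symlinks are followed because rc*.d entries are symlinks into init.d."""
    manifest = {}
    for loc in locations:
        full = os.path.join(root, loc.lstrip("/"))
        if os.path.isfile(full):
            manifest[loc] = sha256_file(full)
        elif os.path.isdir(full):
            for dirpath, _, names in os.walk(full):
                for name in names:
                    p = os.path.join(dirpath, name)
                    if os.path.isfile(p):          # skips dangling symlinks
                        manifest["/" + os.path.relpath(p, root)] = sha256_file(p)
    return manifest


def compare(baseline, current):
    """Report what appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


def demo():
    """Build a tiny constructed tree, baseline it, tamper with it, and diff."""
    root = tempfile.mkdtemp()
    try:
        def write(rel, data):
            p = os.path.join(root, rel.lstrip("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "w") as f:
                f.write(data)

        write("/etc/rc.d/init.d/sshd", "#!/bin/sh\n# constructed stand-in for the sshd init script\n")
        write("/etc/rc.d/rc.local", "#!/bin/sh\ntouch /var/lock/subsys/local\n")
        baseline = build_manifest(root)
        # Constructed tampering: a new init script plus a line appended to rc.local.
        write("/etc/rc.d/init.d/rogue-svc", "#!/bin/sh\n/usr/local/bin/rogue &\n")
        write("/etc/rc.d/rc.local", "#!/bin/sh\ntouch /var/lock/subsys/local\n/usr/local/bin/rogue &\n")
        return compare(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:8s} {p}")
```

Two caveats follow directly from the advice in this thread. The baseline is only worth anything if it was taken before the machine was exposed, and the comparison should be run with the suspect disk mounted from a clean boot medium: if the implant sits in the kernel, as aks notes it could, the running system can hide files from any script run on it. `rpm -Va` offers a similar check for files that came from a package, but not for drop-ins an intruder adds to `rc.local` or `/etc/cron.d`.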

Galaxy_Stranger
Posts: 12
Joined: 2011/07/28 21:02:26

Re: [RESOLVED] Router reboots when I connect this machine

Post by Galaxy_Stranger » 2015/01/17 21:20:37

Thanks for all the feedback guys.

I just reformatted the drive and destroyed the MBR and started from scratch. That fixed everything.

sthames42
Posts: 3
Joined: 2015/02/18 17:45:34
Location: El Dorado Hills, CA

Re: [RESOLVED] Router reboots when I connect this machine

Post by sthames42 » 2015/02/18 18:11:57

I have seen this on two machines. One I installed with CentOS 6.5 and another someone else installed with 6.6. I have just installed 6.6 on an HP DL380 G5 and have had no trouble of this kind. But the other 6.6 machine is doing just what Galaxy_Stranger is describing.

How can we protect against this?
Is it possible it's in the kernel? If so, how did it get in there?
Other than base, epel, extras, and updates, I use ius and chromium repos. Could these repos be infected?

BTW, in both cases I re-imaged the server. I agree, in my experience, once infected this is the only solution.

Any insight is appreciated.
Optimism is a Way of Life!
