Possible Rootkit?
Posted: 2018/01/25 07:02:08
Hi there,
I have a VPS with CentOS 6.9. I've just noticed that there are 4 processes that seem to have genuine names. However, it didn't seem right as they were all using 100% CPU. After killing them (kill -n 9 pid) they respawn after a short time. If I reboot, the process name changes. So far I've seen: nginx, httpd, atd, grep, etc. If I view the exe for the process, it's something along the lines of "(deleted)/usr/local/bin/.~6A32c98". I've installed rkhunter and wasn't able to find anything. I've ensured everything is up to date. I've checked crontab and the other cron.* folders to ensure there's nothing funny in there. There's a constant ESTABLISHED connection showing with "netstat -netp" from the process in question to 203.24.188.226:443. I'm unsure where to look now. For now, I've paused the process.
Any help would be greatly appreciated.
Thanks,
Jarrod.
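The symptoms in the post (a process whose binary has been unlinked, something respawning it, and a long-lived outbound connection) can be triaged from /proc alone before anything is killed. On Linux, readlink on /proc/PID/exe reports the original path with " (deleted)" appended once the file is gone, but the kernel still maps the binary, so a copy can be taken straight from that link for offline analysis. The script below is an added example, not the poster's or any forum member's code: it lists every process whose exe is marked deleted, reads its parent and command line from /proc/PID/stat and /proc/PID/cmdline, resolves its TCP peers by matching socket inodes in /proc/PID/fd against /proc/net/tcp, and saves a hashed copy of the binary. The /proc root is a parameter only so the functions can be run against a constructed /proc-like tree; the evidence directory /root/evidence and the "scan" argument are assumed names.

```shell
#!/bin/sh
# Added triage helper (not the poster's script). Walks /proc looking for
# processes whose binary has been unlinked from disk, records where they came
# from, copies the still-mapped binary out of /proc/PID/exe before anyone
# kills it, and lists the TCP peers each one is talking to. The /proc root is
# a parameter only so the functions can be pointed at a constructed
# /proc-like tree; the evidence directory /root/evidence is an assumed location.

# "PID<TAB>TARGET" for every process whose exe link ends in " (deleted)".
deleted_exe_pids() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        target=$(readlink "$d/exe" 2>/dev/null) || continue
        case $target in
            *" (deleted)") printf '%s\t%s\n' "${d##*/}" "$target" ;;
        esac
    done
}

# Process name and parent PID from /proc/PID/stat. The name sits inside
# parentheses and may contain spaces, so split on the last ')'.
proc_comm() { sed 's/^[0-9]* (\(.*\)) .*/\1/' "$1/$2/stat"; }
proc_ppid() { sed 's/.*) //' "$1/$2/stat" | awk '{print $2}'; }

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    awk '{print $1}'
}

# Copy the running binary out of /proc/PID/exe (the kernel still maps it even
# though the path is gone) and print its SHA-256.
preserve_exe() {
    root=$1; pid=$2; dest=$3
    mkdir -p "$dest" && cp "$root/$pid/exe" "$dest/pid$pid.bin" || return 1
    sha256_of "$dest/pid$pid.bin"
}

# /proc/net/tcp stores addresses as little-endian hex, e.g. E2BC18CA:01BB.
hex_to_ipport() {
    h=${1%%:*}; p=${1##*:}
    b1=${h#??????}; r=${h%??}; b2=${r#????}; r=${r%??}; b3=${r#??}; b4=${r%??}
    printf '%d.%d.%d.%d:%d' "$((0x$b1))" "$((0x$b2))" "$((0x$b3))" "$((0x$b4))" "$((0x$p))"
}

# Remote peer and state (01 = ESTABLISHED) of every TCP socket the process
# holds, found by matching socket inodes in /proc/PID/fd against /proc/net/tcp.
proc_tcp_peers() {
    root=$1; pid=$2
    for fd in "$root/$pid/fd"/*; do
        l=$(readlink "$fd" 2>/dev/null) || continue
        case $l in
            socket:\[*\]) inode=${l#socket:?}; inode=${inode%?} ;;
            *) continue ;;
        esac
        awk -v ino="$inode" 'NR > 1 && $10 == ino { print $3, $4 }' "$root/net/tcp" |
        while read -r rem st; do
            printf '%s state=%s\n' "$(hex_to_ipport "$rem")" "$st"
        done
    done
}

# Full report: who spawned it (the respawner is usually the parent or a
# sibling of it), what it was started as, its peers, and a preserved copy.
triage() {
    root=${1:-/proc}; dest=${2:-/root/evidence}
    deleted_exe_pids "$root" | while IFS="$(printf '\t')" read -r pid target; do
        ppid=$(proc_ppid "$root" "$pid")
        printf 'pid=%s comm=%s ppid=%s (%s)\n' "$pid" "$(proc_comm "$root" "$pid")" \
            "$ppid" "$(proc_comm "$root" "$ppid")"
        printf '  exe: %s\n  cwd: %s\n' "$target" "$(readlink "$root/$pid/cwd" 2>/dev/null)"
        printf '  cmdline: %s\n' "$(tr '\000' ' ' < "$root/$pid/cmdline")"
        proc_tcp_peers "$root" "$pid" | sed 's/^/  peer: /'
        if hash=$(preserve_exe "$root" "$pid" "$dest"); then
            printf '  saved %s/pid%s.bin sha256=%s\n' "$dest" "$pid" "$hash"
        fi
    done
}

# Usage on a live host (as root): sh triage.sh scan [/proc] [/root/evidence]
if [ "${1:-}" = scan ]; then
    triage "${2:-/proc}" "${3:-/root/evidence}"
fi
```

Run it once before touching the processes again, since killing them destroys the only copy of the binary and, as the post notes, the respawned one comes back under a different name. The parent PID is the lead for the respawner: if it is 1, look for what else survives a reboot (init scripts, ld.so.preload, cron, and anything else rkhunter would not necessarily flag); if it is another process, triage that one the same way. The saved binary's hash can then be checked against public malware feeds offline.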