Possible Rootkit?

Support for security such as Firewalls and securing linux
shadowq
Posts: 2
Joined: 2018/01/25 06:56:14

Possible Rootkit?

Post by shadowq » 2018/01/25 07:02:08

Hi there,

I have a VPS with CentOS 6.9. I've just noticed that there are 4 processes that seem to have a genuine name. However, it didn't seem right as they were all using 100% CPU. After killing (Kill -n 9 pid) they respawn after a short time. If I reboot, the process name changes. So far I've seen: nginx, httpd, atd, grep, etc. If I view the exe for the process, it's something along the lines of "(deleted)/usr/local/bin/.~6A32c98". I've installed rkhunter and wasn't able to find anything. I've ensured everything is up to date. I've checked crontab and other cron.* folders to ensure there's nothing funny in there. There's a constant ESTABLISHED connection showing with "netstat -netp" from the process in question from 203.24.188.226:443. I'm unsure where to look now. For now, I've paused the process.

Any help would be greatly appreciated.

Thanks,
Jarrod.
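A scripted version of the check shadowq did by hand, added here as an example (it is not code from the thread): it walks /proc and flags processes whose exe link ends in " (deleted)", whose binary has a random hidden name like the one quoted above, or whose reported process name does not match the binary it is running. The filename regex is my assumption, generalised from the single path in the post; and as Whoever notes later, a rootkit that hooks directory listing can hide /proc entries, so run this from clean rescue media rather than the suspect install.

```python
#!/usr/bin/env python3
"""Flag running processes whose on-disk executable looks wrong."""
from __future__ import annotations
import os
import re
from typing import Iterator, NamedTuple

# Assumed pattern for names like ".~6A32c98": hidden, tilde-prefixed, random.
RANDOM_HIDDEN = re.compile(r"^\.~[A-Za-z0-9]{5,}$")
DELETED = " (deleted)"  # the kernel appends this to /proc/<pid>/exe when unlinked


class ProcInfo(NamedTuple):
    pid: int
    comm: str        # name shown by ps/top, e.g. "nginx"
    exe_target: str  # readlink("/proc/<pid>/exe")


def exe_findings(info: ProcInfo) -> list[str]:
    """Return the reasons this process looks suspicious (empty == clean)."""
    reasons = []
    target = info.exe_target
    if target.endswith(DELETED):
        reasons.append("exe unlinked from disk")
        target = target[: -len(DELETED)]
    base = os.path.basename(target)
    if RANDOM_HIDDEN.match(base):
        reasons.append("random hidden filename")
    # Weak signal: interpreters running scripts also mismatch, so treat as a lead.
    if base and info.comm and base != info.comm and not base.startswith(info.comm):
        reasons.append(f"comm {info.comm!r} does not match exe {base!r}")
    return reasons


def scan_proc(proc_root: str = "/proc") -> Iterator[ProcInfo]:
    """Yield ProcInfo for every pid visible under proc_root (needs root to read all)."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"{proc_root}/{entry}/exe")
            with open(f"{proc_root}/{entry}/stat") as fh:
                stat = fh.read()
        except OSError:  # kernel threads have no exe; EACCES without root
            continue
        comm = stat[stat.index("(") + 1 : stat.rindex(")")]  # works on old kernels too
        yield ProcInfo(int(entry), comm, exe)


if __name__ == "__main__":
    for info in scan_proc():
        for reason in exe_findings(info):
            print(f"pid {info.pid} ({info.comm}): {reason} -> {info.exe_target}")
```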

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Possible Rootkit?

Post by TrevorH » 2018/01/25 15:58:27

By the looks of that, I'd say it was pretty likely that your system is compromised. If they have root access - and I suspect they do - then you don't have any alternative other than to back up your data, reinstall the system and restore it, carefully checking it for signs of tampering so that you don't immediately reintroduce their backdoor(s).

203.24.188.226 is listed in whois as an Australian IP.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

shadowq
Posts: 2
Joined: 2018/01/25 06:56:14

Re: Possible Rootkit?

Post by shadowq » 2018/01/27 01:42:00

Thanks for your reply.

I checked for any authorized_keys, there's no other users and I've changed the password. How would they continue to get in?

I did notice it was an Australian IP. The IP is, however, owned by Host Sailor Ltd which is a UAE registered company. Doesn't seem as suspicious.

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: Possible Rootkit?

Post by Whoever » 2018/01/27 03:25:15

Firstly, you can't trust anything on your machine any more. The rootkit may be hiding processes and logins from you. The rootkit probably installed a backdoor that may also be hidden.

Trevor is correct. Back up your data and then nuke from orbit.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Possible Rootkit?

Post by TrevorH » 2018/01/27 14:09:43

Any ip which isn't yours is suspicious.
