12

I have an unknown process when I run top:

[screenshot of top output]

  • When I kill the process, it comes back again with another random name.
  • When I check the rc.d levels and init.d, there are many random names similar to this one, and this one is also there.
  • When I try to apt-get remove or anything else, it comes back again.
  • When I plug in the network cable, it locks up our whole network.

Do you have any idea how I can remove it?

What is this service/process?

This is the exe file; when I delete it, it comes back again too.

/proc/**pid**/exe => symbolic link to /usr/bin/hgmjzjkpxa

When I check `netstat -natp` there is an established connection whose foreign address is 98.126.251.114:2828. When I try to add rules to iptables, it is not working. But after trying and then restarting, this address changes to 66.102.253.30:2828.

OS is Debian Wheezy

4
  • 5
    Probably some botnet client (your machine is compromised). You have to find out how it is started. Utilities like cruft may come in handy to see what files do not belong to packages.
    – Dan
    Commented Feb 14, 2015 at 13:40
  • 2
    `ps l` will show you what the parent process is. Most likely, that'll tell you what is spawning this process. Look at the PPID column for the information you want. I wouldn't be so quick to declare this malware.
    – krowe
    Commented Feb 14, 2015 at 14:02
  • +1 to check the parent process. And if the file /use/bin/hgmjzjkpxa exists (could it be in /usr?) is it also a link, or something else interesting listed in ls -la, or viewed with less or strings?
    – Xen2050
    Commented Feb 15, 2015 at 4:02
  • There isn't any parent process; it looks like the whoami process. One thing: when I check `netstat -natp` there is an established connection whose foreign address is 98.126.251.114:2828. When I try to add rules to iptables, it is not working. But after trying and then restarting, this address changes to 66.102.253.30:2828. Do you have any idea about this? Commented Feb 17, 2015 at 12:23

6 Answers

16

This is known as the XORDDos Linux Trojan. The trick is to run kill with -STOP so the process is paused and doesn't create a new one.

`kill -STOP PROCESS_ID`
1
  • Great. This is exactly what I was looking for. Without a reboot you really cannot get rid of this virus if it is always in memory. You don't even need to chmod any folders after stopping it - just remove the files and links and that's all. Commented Jun 27, 2018 at 6:42
15

I have some experience with this random 10-bit string trojan; it sends lots of packets for SYN flooding.

  1. Cut off your network.

The trojan's raw file comes from /lib/libudev.so; it copies itself and forks again. It also adds a cron.hourly job named gcc.sh, then adds an init script in your /etc/rc*.d (Debian; on CentOS it may be /etc/rc.d/{init,rc{1,2,3,4,5}}.d).

  2. Use root to run the script below to change the folder privileges: `chmod 0000 /lib/libudev.so && rm -rf /lib/libudev.so && chattr +i /lib/`

  3. Delete all /etc/rc{0,1,2,3,4,5,6,S}.d files which were created today. The name looks like S01????????.

  4. Edit your crontab, delete the gcc.sh script from your /etc/cron.hourly, delete the gcc.sh file (/etc/cron.hourly/gcc.sh), then add privileges to your crontab: `sed '/gcc.sh/d' /etc/crontab && chmod 0000 /etc/crontab && chattr +i /etc/crontab`

  5. Use this command to check the latest file changes: `ls -lrt`

If you find any suspicious files named S01xxxxxxxx (or K8xxxxxxxx), delete them.

  6. Then you should reboot without network.

Then the trojan should be cleaned and you can restore the folder privileges to the original values (`chattr -i /lib /etc/crontab`).

4
  • The instructions in this answer saved me. In spite of its age, this trojan still seems to be out in the wild. However, in step 4 there is an error, as the sed command does not actually change the file. It is simply modified, though: `sed '/gcc.sh/d' /etc/crontab > /etc/crontab.fixed && mv /etc/crontab.fixed /etc/crontab && chmod 0000 /etc/crontab && chattr +i /etc/crontab`. Also, according to the link in @Colin Rosenthal's answer, infection is through a brute-forced ssh password of root. So, in order to prevent reinfection, change or disable the root password before restarting the network.
    – frederik
    Commented Feb 11, 2018 at 11:24
  • `chattr -i /lib` returns `chattr: Operation not supported while reading flags on /lib`, any clues? My /lib points to usr/lib
    – donkey
    Commented Dec 4, 2019 at 22:23
  • I'm also not able to restore the network even after doing `sudo apt install --reinstall libudev1`
    – donkey
    Commented Dec 4, 2019 at 22:31
  • `chmod 0000 /lib/libudev.so && rm -rf /lib/libudev.so && chattr +i /lib/` while running got permission denied, even when run with su and sudo Commented Jan 13, 2020 at 9:13
2

I'll bet you a dollar it's https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/ . All your symptoms are exactly as described.

1

I too got this chicken virus, when I exposed default ports in order to connect via remote access from my home machine. In my case this site helped me out.

Steps

1) List the files under hourly cron. If you can see any .sh file, please open it.

```
root@vps-# ls -la /etc/cron.hourly/
```

Sample output:

```
CT-24007-bash-4.1# ls /etc/cron.hourly/
freshclam  gcc.sh
CT-24007-bash-4.1#
```

2) If the .sh file shows content similar to what is below, then it's a virus program!!

```
root@vps-# cat /etc/cron.hourly/gcc.sh
```

Sample output (the dropper script):

```
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev | grep : | awk -F: {'print $1'}`; do ifconfig $i up & done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6
```

3) Now, please don't hurry! Stay calm and easy :D

Do not delete gcc.sh and do not remove the crontab. If you do delete or remove it, then another process will be generated immediately. You can either remove the culprit script or disable it. [I prefer to disable it to show the proof to the customer]

```
root@vps-# rm -f /etc/cron.hourly/gcc.sh
```

OR

```
root@vps-# chmod 0 /etc/cron.hourly/gcc.sh; chattr +ia /etc/cron.hourly/gcc.sh; chattr +i /etc/crontab
```

4) Use the top command to view the virus or malicious file (e.g. "mtyxkeaofa"); its PID is 16621. Do not kill the program directly, otherwise it will be produced again; instead, stop its operation with the command below.

```
root@vps-# kill -STOP 16621
```

5) Delete the files within /etc/init.d, or disable them [I prefer to disable it to show the proof to the customer]

```
root@vps-# find /etc -name '*mtyxkeaofa*' | xargs rm -f
```

OR

```
chmod 0 /usr/bin/mtyxkeaofa
chmod 0 /etc/init.d/mtyxkeaofa
chattr +ia /usr/bin/mtyxkeaofa
chattr +ia /etc/init.d/mtyxkeaofa
```

6) Delete the file inside /usr/bin.

```
root@vps-# rm -f /usr/bin/mtyxkeaofa
```

7) Check recent changes in /usr/bin; if another suspect is in the same directory, the virus can be deleted there as well.

```
root@vps-# ls -lt /usr/bin | head
```

8) Now kill the malicious program; it will not reproduce.

```
root@vps-# pkill mtyxkeaofa
```

9) Remove the virus body.

```
root@vps-# rm -f /lib/libudev.so
```

This trojan is also known as the Chinese Chicken Multiplatform DoS botnets Trojan, Unix - Trojan.DDoS_XOR-1, Embedded rootkit.

Note: If you are unable to find the .sh file, you may install ClamAV and RKHunter and check their logs/reports to find the suspicious/malicious

Link to the actual site:

https://admin-ahead.com/forum/server-security-hardening/unix-trojan-ddos_xor-1-chinese-chicken-multiplatform-dos-botnets-trojan/

2
  • 2
    While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - From Review
    – CaldeiraG
    Commented Jan 13, 2020 at 11:59
  • will update that here Commented Jan 14, 2020 at 12:04
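Added here as an example (not code from rainysia's answer, from the admin-ahead steps above, or from any project): a read-only triage that checks a filesystem for the host indicators those two answers describe (gcc.sh in cron.hourly, /lib/libudev.so, rc links and 10-letter random binaries paired with an /etc/init.d script). The root-directory parameter and the function name are assumptions so it can be run against a mounted image or a constructed test tree as well as the live system.

```shell
#!/bin/sh
# Added example: read-only XOR.DDoS triage. It prints findings and never
# deletes, freezes or kills anything; remediation is left to the steps above.
# The first argument (assumed) is the root to inspect: "" means the live
# system, otherwise a mounted image or a test tree.

xorddos_triage() {
    root="${1:-}"
    hits=0
    # 1. the hourly cron dropper the answers describe
    if [ -f "$root/etc/cron.hourly/gcc.sh" ]; then
        echo "HIT cron dropper: $root/etc/cron.hourly/gcc.sh"
        hits=$((hits + 1))
    fi
    # 2. the trojan body and the copy gcc.sh executes
    for f in "$root/lib/libudev.so" "$root/lib/libudev.so.6"; do
        if [ -f "$f" ]; then
            echo "HIT trojan body: $f"
            hits=$((hits + 1))
        fi
    done
    # 3. rc links with a 10-character random name, e.g. S01hgmjzjkpxa
    for d in "$root"/etc/rc*.d "$root"/etc/rc.d/rc*.d; do
        [ -d "$d" ] || continue
        for l in "$d"/[SK][0-9][0-9]??????????; do
            [ -e "$l" ] || continue
            echo "HIT rc link: $l -> $(readlink "$l" 2>/dev/null || echo 'not a symlink')"
            hits=$((hits + 1))
        done
    done
    # 4. a 10-lowercase-letter binary that also has an init script of the same
    #    name (the pairing keeps legitimate 10-letter tools out of the report)
    for b in "$root"/usr/bin/?????????? "$root"/bin/??????????; do
        [ -f "$b" ] || continue
        name=${b##*/}
        case "$name" in *[!a-z]*) continue ;; esac
        if [ -e "$root/etc/init.d/$name" ]; then
            echo "HIT binary/init.d pair: $b and $root/etc/init.d/$name"
            hits=$((hits + 1))
        fi
    done
    echo "total indicators: $hits"
}

# Live system (run as root): xorddos_triage ""
```

A non-zero total is a reason to pull the network cable and follow the freeze-then-remove sequence from the answers above, not proof of infection by itself.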
0

For me there were two options:

  1. For the trojan which was messing with files in /usr/bin I only did this: `echo > /lib/libudev.so`, then killed the trojan PID.

  2. For the one messing with /bin (here there were always 5-10 processes running for a fraction) `chattr +i /bin` and follow the steps mentioned by rainysia.

0

We also faced the same issue. Our servers were also hacked, and I found that they brute-forced the ssh login, succeeded, and injected the trojan into our system.

Following are the details:

`less /var/log/secure | grep 'Failed password' | grep '222.186.15.26' | wc -l` 37772 started

and got access at the time below: `Accepted password for root from 222.186.15.26 port 65418 ssh2`

And according to an IP location finder this IP belongs somewhere in China.

Corrective steps: please follow the steps given by @rainysia

Preventive steps:

  1. In my opinion, some notification management should be there when someone tries to ssh or access your server and fails many times.
  2. Network rate controllers should be there if you are using any cloud platform like AWS, GCP, Azure etc.
1
  • 1
    but first, disallow root access via ssh, disallow any ssh access with a password, allow only access via ssh with keys Commented Feb 21, 2018 at 13:24
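Added here as an example (not code from the answer above): detection logic for the pattern this answer found in /var/log/secure, a burst of failed password attempts from one source address followed by an accepted password from the same address. The log lines are constructed samples with documentation addresses; the threshold parameter and the function names are assumptions.

```shell
#!/bin/sh
# Added example: report source IPs that failed at least THRESHOLD password
# attempts and later got an "Accepted password" line, the same sequence the
# answer above pulled out of /var/log/secure. Works on auth.log as well.

ssh_bruteforce_success() {
    logfile="$1"
    threshold="${2:-100}"    # assumed default; tune to your environment
    awk -v th="$threshold" '
        # "... sshd[pid]: Failed password for <user> from <ip> port <n> ssh2"
        /sshd.*Failed password for/   { failed[$(NF-3)]++ }
        # "... sshd[pid]: Accepted password for <user> from <ip> port <n> ssh2"
        /sshd.*Accepted password for/ {
            ip = $(NF-3); user = $(NF-5)
            if (failed[ip] >= th) printf "%s %s %d\n", ip, user, failed[ip]
        }' "$logfile"
}

# Constructed sample log: 120 failures then a success from one address, and
# an ordinary login from another address that must not be reported.
write_sample_log() {
    f="$1"; : > "$f"; i=0
    while [ "$i" -lt 120 ]; do
        echo "Feb 14 13:00:$(printf %02d $((i % 60))) vps sshd[1234]: Failed password for root from 198.51.100.7 port 65418 ssh2" >> "$f"
        i=$((i + 1))
    done
    echo "Feb 14 13:20:00 vps sshd[1235]: Accepted password for root from 198.51.100.7 port 65418 ssh2" >> "$f"
    echo "Feb 14 13:21:00 vps sshd[1236]: Failed password for alice from 192.0.2.9 port 50022 ssh2" >> "$f"
    echo "Feb 14 13:22:00 vps sshd[1237]: Accepted password for alice from 192.0.2.9 port 50022 ssh2" >> "$f"
}

# Real use (as root): ssh_bruteforce_success /var/log/secure 100
```

Each reported line is "ip user failures"; a hit is the moment to treat the host as compromised and start with the triage steps in the answers above, and key-only ssh with root login disabled, as the comment says, removes the attack path entirely.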
