[GTER] Malicious process - Linux

Juliano GigaNET juliano at giganet.net.py
Mon Dec 9 07:57:40 -03 2019


Good morning.

I have a customer's server on which he has ispconfig installed to manage 
his domains, and speedtest.

Yesterday this server started using all of the contracted upload bandwidth, 
and after some analysis I found a process that uses almost 100% CPU. 
Killing this process brings things back to normal, but after a few seconds 
the process runs again automatically. I believe this machine has been 
compromised, but I would like your help to find out whether there is some 
way to remove these files so that it returns to normal, and also, what 
should I do so that this does not happen again?

I searched the disk for everything with the name of the process that 
starts itself (dyqgqpffnq) and found what is shown below.

/sys/fs/cgroup/devices/system.slice/dyqgqpffnq.service
/sys/fs/cgroup/devices/system.slice/dyqgqpffnq.service/devices.list
/sys/fs/cgroup/devices/system.slice/dyqgqpffnq.service/cgroup.clone_children
/sys/fs/cgroup/devices/system.slice/dyqgqpffnq.service/devices.allow
/sys/fs/cgroup/devices/system.slice/dyqgqpffnq.service/tasks
/sys/fs/cgroup/devices/system.slice/dyqgqpffnq.service/notify_on_release
/sys/fs/cgroup/devices/system.slice/dyqgqpffnq.service/cgroup.procs
/sys/fs/cgroup/devices/system.slice/dyqgqpffnq.service/devices.deny
/sys/fs/cgroup/pids/system.slice/dyqgqpffnq.service
/sys/fs/cgroup/pids/system.slice/dyqgqpffnq.service/pids.current
/sys/fs/cgroup/pids/system.slice/dyqgqpffnq.service/cgroup.clone_children
/sys/fs/cgroup/pids/system.slice/dyqgqpffnq.service/pids.max
/sys/fs/cgroup/pids/system.slice/dyqgqpffnq.service/pids.events
/sys/fs/cgroup/pids/system.slice/dyqgqpffnq.service/tasks
/sys/fs/cgroup/pids/system.slice/dyqgqpffnq.service/notify_on_release
/sys/fs/cgroup/pids/system.slice/dyqgqpffnq.service/cgroup.procs
/sys/fs/cgroup/systemd/system.slice/dyqgqpffnq.service
/sys/fs/cgroup/systemd/system.slice/dyqgqpffnq.service/cgroup.clone_children
/sys/fs/cgroup/systemd/system.slice/dyqgqpffnq.service/tasks
/sys/fs/cgroup/systemd/system.slice/dyqgqpffnq.service/notify_on_release
/sys/fs/cgroup/systemd/system.slice/dyqgqpffnq.service/cgroup.procs
/etc/rc3.d/S02dyqgqpffnq
/etc/rc5.d/S02dyqgqpffnq
/etc/rc1.d/S02dyqgqpffnq
/etc/rc4.d/S02dyqgqpffnq
/etc/rc2.d/S02dyqgqpffnq
/etc/init.d/dyqgqpffnq
/usr/bin/dyqgqpffnq
/run/systemd/generator.late/rescue.target.wants/dyqgqpffnq.service
/run/systemd/generator.late/dyqgqpffnq.service
/run/systemd/generator.late/graphical.target.wants/dyqgqpffnq.service
/run/systemd/generator.late/multi-user.target.wants/dyqgqpffnq.service

Thanks to all.

Regards


Juliano
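An added triage helper for the kind of findings listed in this post; it is not the poster's code nor part of ispconfig. It walks a filesystem root for every path carrying the process name, labels the persistence mechanism each hit belongs to, and prints a read-only first step per category. The cron and systemd unit-file directories go beyond what the post lists and are included as a generalization; the fixture at the bottom is constructed from a subset of the poster's paths.

```shell
#!/bin/sh
# Added triage helper, not from the original post. Walks a filesystem root
# (a live "/" or an offline image mount) for every path carrying the name of
# a suspicious process and labels its persistence mechanism. Read-only.
classify_path() {        # print "<category>\t<path>" for one path
    case "$1" in
        /sys/fs/cgroup/*)              printf 'cgroup-runtime\t%s\n' "$1" ;;
        /run/systemd/generator.late/*) printf 'generated-unit\t%s\n' "$1" ;;
        /etc/init.d/*)                 printf 'sysv-init-script\t%s\n' "$1" ;;
        /etc/rc[0-6S].d/[SK]*)         printf 'sysv-rc-link\t%s\n' "$1" ;;
        /etc/systemd/system/*|/usr/lib/systemd/system/*|/lib/systemd/system/*)
                                       printf 'unit-file\t%s\n' "$1" ;;
        /etc/cron*|/var/spool/cron/*)  printf 'cron\t%s\n' "$1" ;;
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/local/bin/*)
                                       printf 'binary\t%s\n' "$1" ;;
        *)                             printf 'other\t%s\n' "$1" ;;
    esac
}
# find_persistence NAME ROOT: every path under ROOT containing NAME,
# classified, with the ROOT prefix stripped so it reads like a live path.
find_persistence() {
    name=$1; root=${2%/}
    find "$root" -path "*$name*" 2>/dev/null | while IFS= read -r p; do
        classify_path "${p#"$root"}"
    done | sort -u
}
# advise CATEGORY: what the hit means and the first non-destructive step.
advise() {
    case "$1" in
        cgroup-runtime)   echo 'runtime state of a running unit; gone once the unit is stopped' ;;
        generated-unit)   echo 'built by systemd-sysv-generator from /etc/init.d; fix the source, then systemctl daemon-reload' ;;
        sysv-init-script) echo 'systemctl stop and mask the unit, keep a copy for analysis, then remove' ;;
        sysv-rc-link)     echo 'boot-time start link; update-rc.d -f NAME remove, or delete the links' ;;
        binary)           echo 'record hash, keep a copy, check lsattr and ownership, then remove' ;;
        unit-file|cron)   echo 'inspect the command it runs to find what respawns the process' ;;
        *)                echo 'review manually' ;;
    esac
}
# Constructed fixture mirroring a subset of the paths in the post.
FIXTURE=$(mktemp -d)
for f in etc/init.d/dyqgqpffnq etc/rc3.d/S02dyqgqpffnq usr/bin/dyqgqpffnq \
         run/systemd/generator.late/dyqgqpffnq.service \
         sys/fs/cgroup/systemd/system.slice/dyqgqpffnq.service/tasks; do
    mkdir -p "$FIXTURE/$(dirname "$f")" && : > "$FIXTURE/$f"
done
find_persistence dyqgqpffnq "$FIXTURE" | while read -r kind p; do
    printf '%-16s %s\n  -> %s\n' "$kind" "$p" "$(advise "$kind")"
done
```

On a real system run `find_persistence dyqgqpffnq /` as root; the generated unit under /run/systemd/generator.late disappears by itself once the /etc/init.d script is gone and systemd has reloaded.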
