[GTER] Malicious process - Linux

nelson at pangeia.com.br
Mon Jan 6 01:35:32 -03 2020


I know it has been almost a month, but if you have any additional info
you could send me privately, it would be useful for adding some
behaviour/signature to chkrootkit[1].

Regards,

NM 

[1] - http://chkrootkit.org 

On 09/12/2019 07:57, Juliano GigaNET wrote:
>Good morning.
>
>I have a client's server on which he has ispconfig installed to
>manage his domains, plus speedtest.
>
>Yesterday this server started using all of the contracted upload
>bandwidth and, after some analysis, I found a process using almost
>100% CPU. Killing this process brings things back to normal, but a
>few seconds later the process starts running again automatically.
>I believe this machine has been compromised, but I would like your
>help to find out whether there is some way to remove these files so
>that it returns to normal and also: what is it, and what should I do
>so that this does not happen again?
>
>I searched the disk for everything carrying the name of the
>self-restarting process (dyqgqpffnq) and found what is shown below.
>
>/sys/fs/cgroup/devices/system.slice/dyqgqpffnq.service
>/sys/fs/cgroup/devices/system.slice/dyqgqpffnq.service/devices.list
>/sys/fs/cgroup/devices/system.slice/dyqgqpffnq.service/cgroup.clone_children
>/sys/fs/cgroup/devices/system.slice/dyqgqpffnq.service/devices.allow
>/sys/fs/cgroup/devices/system.slice/dyqgqpffnq.service/tasks
>/sys/fs/cgroup/devices/system.slice/dyqgqpffnq.service/notify_on_release
>/sys/fs/cgroup/devices/system.slice/dyqgqpffnq.service/cgroup.procs
>/sys/fs/cgroup/devices/system.slice/dyqgqpffnq.service/devices.deny
>/sys/fs/cgroup/pids/system.slice/dyqgqpffnq.service
>/sys/fs/cgroup/pids/system.slice/dyqgqpffnq.service/pids.current
>/sys/fs/cgroup/pids/system.slice/dyqgqpffnq.service/cgroup.clone_children
>/sys/fs/cgroup/pids/system.slice/dyqgqpffnq.service/pids.max
>/sys/fs/cgroup/pids/system.slice/dyqgqpffnq.service/pids.events
>/sys/fs/cgroup/pids/system.slice/dyqgqpffnq.service/tasks
>/sys/fs/cgroup/pids/system.slice/dyqgqpffnq.service/notify_on_release
>/sys/fs/cgroup/pids/system.slice/dyqgqpffnq.service/cgroup.procs
>/sys/fs/cgroup/systemd/system.slice/dyqgqpffnq.service
>/sys/fs/cgroup/systemd/system.slice/dyqgqpffnq.service/cgroup.clone_children
>/sys/fs/cgroup/systemd/system.slice/dyqgqpffnq.service/tasks
>/sys/fs/cgroup/systemd/system.slice/dyqgqpffnq.service/notify_on_release
>/sys/fs/cgroup/systemd/system.slice/dyqgqpffnq.service/cgroup.procs
>/etc/rc3.d/S02dyqgqpffnq
>/etc/rc5.d/S02dyqgqpffnq
>/etc/rc1.d/S02dyqgqpffnq
>/etc/rc4.d/S02dyqgqpffnq
>/etc/rc2.d/S02dyqgqpffnq
>/etc/init.d/dyqgqpffnq
>/usr/bin/dyqgqpffnq
>/run/systemd/generator.late/rescue.target.wants/dyqgqpffnq.service
>/run/systemd/generator.late/dyqgqpffnq.service
>/run/systemd/generator.late/graphical.target.wants/dyqgqpffnq.service
>/run/systemd/generator.late/multi-user.target.wants/dyqgqpffnq.service
>
>Thanks to all.
>
>Regards
>
>
>Juliano
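As an added example (not part of either message, and not chkrootkit code), the following POSIX shell function enumerates, for a given process name, exactly the persistence locations that appear in Juliano's listing: the binary in /usr/bin, the SysV init script and its rc?.d symlinks, the unit that systemd's SysV generator writes under /run/systemd/generator.late with its *.target.wants symlinks, and the unit's cgroup directory. The `make_sample_tree` helper builds a constructed directory tree mirroring that listing so the check can be exercised offline; the function names and the optional `root` argument are my own.

```shell
#!/bin/sh
# Enumerate boot-time persistence artefacts for a suspicious process name.
# The paths checked are those that appear in the thread's listing.
# The optional second argument (default empty = the live system) lets the
# same checks run against a constructed directory tree for testing.

find_persistence() {
    name="$1"
    root="${2:-}"
    # Single entries: the binary, the SysV init script, the unit that
    # systemd-sysv-generator produces from it, and the unit's live cgroup.
    for p in \
        "$root/usr/bin/$name" \
        "$root/etc/init.d/$name" \
        "$root/run/systemd/generator.late/$name.service" \
        "$root/sys/fs/cgroup/systemd/system.slice/$name.service"
    do
        if [ -e "$p" ]; then printf '%s\n' "$p"; fi
    done
    # rc?.d start/kill symlinks (S02<name> in the listing) and the
    # *.target.wants symlinks that pull the generated unit into boot.
    for p in "$root"/etc/rc?.d/[SK][0-9][0-9]"$name" \
             "$root"/run/systemd/generator.late/*.wants/"$name.service"
    do
        if [ -e "$p" ] || [ -L "$p" ]; then printf '%s\n' "$p"; fi
    done
    return 0
}

# Constructed sample tree reproducing the artefacts from the listing,
# so the function can be exercised without touching a real system.
make_sample_tree() {
    root="$1"; name="$2"
    mkdir -p "$root/etc/init.d" "$root/usr/bin" \
             "$root/run/systemd/generator.late/multi-user.target.wants" \
             "$root/sys/fs/cgroup/systemd/system.slice/$name.service"
    : > "$root/etc/init.d/$name"
    : > "$root/usr/bin/$name"
    : > "$root/run/systemd/generator.late/$name.service"
    for lvl in 1 2 3 4 5; do
        mkdir -p "$root/etc/rc$lvl.d"
        ln -s "../init.d/$name" "$root/etc/rc$lvl.d/S02$name"
    done
    ln -s "../$name.service" \
        "$root/run/systemd/generator.late/multi-user.target.wants/$name.service"
}

# Usage: sh persist-check.sh <process-name> [root]
if [ -n "${1:-}" ]; then
    find_persistence "$1" "${2:-}"
fi
```

Reading the output against the listing explains why killing the process did not stick: /etc/init.d/dyqgqpffnq is the actual persistence, the rc?.d symlinks enable it at every runlevel, and the /run/systemd/generator.late entries are just what systemd generates from that script at boot, so systemd keeps treating it as a service (the cgroup directories show the unit is currently live, they are not files to delete). Disabling and removing the init script and the binary, then confirming with `systemctl status dyqgqpffnq.service`, addresses the restart loop; other common persistence spots (cron, ld.so.preload) are not in the listing and are not covered by this check.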

