Am I hacked? Unknown processes dsfref, gfhddsfew, dsfref etc. are starting automatically in CentOS 6.5

I'm using CentOS 6.5. Recently I realised that my computer is uploading something (I didn't even ask for it) at an upload speed of 11 Mbps, but the scary part is that my internet upload speed is 800 Kbps. Every day it shows 200 GB uploaded, and so on. You can see some unknown processes starting in image 1 attached: gfhddsfew, sdmfdsfhjfe, gfhjrtfyhuf, dsfrefr, ferwfrre, rewgtf3er4t, sfewfesfs, sdmfdsfhjfe.

I tried to kill all the processes manually with the kill command and deleted the files from the /etc/ folder, but still, if I connect to the internet these files get placed in /etc/ automatically. I don't see this issue in Windows (my PC is dual boot).

Note: I used chattr -i to change permissions and deleted the file sfewfesfs. When I tried to delete the file without using chattr, it says permissions can't be changed / file can't be deleted. And one more thing: when I used the command `# rm /etc/sfewfesfs` without chattr, the computer restarted; it happened every time I tried to delete the file without chattr. And these executables show up in running processes only when the internet is connected.

Note: I'm using Beam Cable internet (beamtele.com, Hyderabad, India).

Here are the images that show the issue:

[Image: Issue depiction #1] [Image: Issue depiction #2]

rrmerugu asked Apr 25 '14 12:04


2 Answers

Yes, you're hacked!

Congratulations!

It looks like you have a rootkit, or a vulnerability. Try to update your system and use utilities like rkhunter and clamav.

Then you need to check the system files:

```sh
# Verify every installed package's files against the RPM database
# (-V is verify mode; -a means all packages; -q and --verify are
# separate major modes and cannot be combined in one invocation).
rpm -Va
```

Or you can fully reinstall your system instead.

BaBL86 answered Oct 31 '22 19:10


It won't be helpful even if you delete these files: /tmp/.sshdd1401029612 or /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs

You may first delete a few (binary) files introduced to your system by the intruder:

(A) /etc/rcX.d/S99local, where X = 2, 3, 4, 5

This script will call up /etc/rc.d/rc.local to launch several attacks on your system.

(B) So it is better to immediately delete this file as well. As you can see, the content of this file launches several binaries to attack your system:

```sh
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
```

It is strongly recommended to delete this file /etc/rc.d/rc.local by force.

(C) After deleting the files above, you can start, using sudo, to terminate the processes:

(i) /etc/ssh/sshpa, which causes the creation of /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs

(ii) and terminate the processes: /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs

(D) Please delete these files immediately: /etc/ssh/sshpa, /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs

and use htop to make sure they are not launched in the background anymore.

(E) Update your system, and please don't forget to change root's password and all users' passwords.

Unfortunately, chkrootkit and rkhunter may not be able to detect this intruder. Perhaps I don't know how to fully utilize these two rootkit checkers. Or perhaps both rootkit checkers should be updated. Or perhaps there is another reason...

Isospin answered Oct 31 '22 21:10
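A triage helper for the kind of rc.local shown in the answer above, added here as example code that is not part of either answer: it lists the binaries such a script launches from /etc, and for each one reports whether it exists, whether it carries the immutable attribute that made plain rm fail in the question, and whether any RPM package owns it (the rpm check is the same idea as the first answer's verify step). It assumes the script path is passed as the first argument and the directory holding the binaries as an optional second argument (default /etc); the sample rc.local it builds is constructed, with two rounds of launches instead of the posted six.

```shell
# Added triage helper for the rc.local posted above (example code, not from the answers).
# Assumes $1 is the script to inspect and $2 the directory holding the binaries (default /etc).
# Print each distinct NAME from lines of the form "cd /etc;./NAME", sorted.
launched_from_etc() {
    sed -n 's#^[[:space:]]*cd /etc;[[:space:]]*\./\([^[:space:]]*\).*#\1#p' "$1" |
        LC_ALL=C sort -u
}

# Count the launch lines; the posted script repeats seven names six times (42 lines).
count_launch_lines() {
    grep -c '^[[:space:]]*cd /etc;[[:space:]]*\./' "$1"
}

# For each launched binary: does it exist, is it immutable (the chattr attribute that
# made plain rm fail in the question), and does any RPM package own it? An executable
# in /etc owned by no package is the suspicious case. Missing tools report "unknown".
report_etc_binaries() {
    dir=${2:-/etc}
    launched_from_etc "$1" | while read -r name; do
        path="$dir/$name"
        if [ ! -e "$path" ]; then
            printf '%s: absent\n' "$path"
            continue
        fi
        immutable=unknown
        if command -v lsattr >/dev/null 2>&1; then
            case $(lsattr -d "$path" 2>/dev/null | cut -d' ' -f1) in
                *i*) immutable=yes ;; *) immutable=no ;;
            esac
        fi
        owner=unknown
        if command -v rpm >/dev/null 2>&1; then
            owner=$(rpm -qf "$path" 2>/dev/null) || owner='no package'
        fi
        printf '%s: present, immutable=%s, rpm owner: %s\n' "$path" "$immutable" "$owner"
    done
}

# Constructed sample resembling the posted rc.local (two rounds instead of six).
make_sample_rc_local() {
    f=$(mktemp)
    printf '#!/bin/sh\ntouch /var/lock/subsys/local\n' > "$f"
    for round in 1 2; do
        for n in sfewfesfs gfhjrtfyhuf rewgtf3er4t sdmfdsfhjfe gfhddsfew ferwfrre dsfrefr; do
            printf 'cd /etc;./%s\n' "$n" >> "$f"
        done
    done
    echo "$f"
}
```

On the affected machine, `report_etc_binaries /etc/rc.d/rc.local` gives the list to work from; a line reading `immutable=yes, rpm owner: no package` is exactly the file the question describes.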