I'm using CentOS 6.5. Recently I realised that my computer is uploading something (I didn't even ask for it) at an upload speed of 11 Mbps, but the scary part is that my internet upload speed is 800 Kbps. Every day it shows 200 GB uploaded, and so on. You can see some unknown processes starting in image 1 attached: gfhddsfew, sdmfdsfhjfe, gfhjrtfyhuf, dsfrefr, ferwfrre, rewgtf3er4t, sfewfesfs, sdmfdsfhjfe.
I tried to kill all the processes manually with the kill command and deleted the files from the /etc/ folder, but still, if I connect to the internet these files get placed in /etc/ automatically. I don't see this issue in Windows (my PC is dual boot).
Note: I used chattr -i to change permissions and deleted the file sfewfesfs; when I tried to delete the file without using chattr, it says permissions can't be changed / file can't be deleted. One more thing: when I used the command #rm /etc/sfewfesfs without chattr, the computer restarted; it happened every time I tried to delete the file without chattr. These executables show up in running processes only when the internet is connected.
Note: I'm using Beam cable internet (beamtele.com, Hyderabad, India).
Here are the images that show the issue.
Yes, you're hacked!
Congratulations!
It looks like you have a rootkit, or a vulnerability. Try to update your system and use utilities like rkhunter and clamav.
Then you need to check system files:
rpm -Va
Or you can fully reinstall your system instead.
It won't be helpful even if you delete these files: /tmp/.sshdd1401029612 or /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs
You may first delete a few (binary) files introduced to your system by the intruder:
(A) /etc/rcX.d/S99local (X = 2, 3, 4, 5)
This script will call up /etc/rc.d/rc.local to launch several attacks on your system.
(B) So it is better to immediately delete this file as well. As you can see, the content of this file launches several binaries to attack your system:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
It is strongly recommended to delete this file /etc/rc.d/rc.local by force.
(C) After deleting those files above, you can start to use sudo to terminate processes:
(i) /etc/ssh/sshpa, which causes the creation of /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs
(ii) and terminate the processes: /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs
(D) Please delete these files immediately: /etc/ssh/sshpa, /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs, and use htop to make sure they are not launched in the background anymore.
(E) Update your system, and please don't forget to change root's password and all users' passwords.
Unfortunately, chkrootkit and rkhunter may not be able to detect this intruder. Perhaps I don't know how to fully utilize these two rootkit checkers. Or perhaps both rootkit checkers should be updated. Or perhaps there is another reason...
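A small triage script for the persistence chain the answer above describes (rcX.d/S99local, rc.local launching binaries from /etc, dropped files that need chattr -i before rm). This is an added example, not code from the thread; it assumes a CentOS 6 style /etc/rc.d layout and that lsattr is installed, and it only reports, it deletes nothing.

```shell
#!/bin/sh
# Added triage helper (not from the original thread). Reports the persistence
# indicators discussed above; paths are parameters so it can also be run
# against a mounted image or a copied rc.local.

# Print each distinct binary that an rc.local launches from /etc, one per line.
# Matches the exact shape shown in the thread: "cd /etc;./NAME"
# Usage: launched_from_etc /etc/rc.d/rc.local
launched_from_etc() {
    sed -n 's#^cd /etc;\./\([A-Za-z0-9_.-]*\).*#\1#p' "$1" | sort -u
}

# Count the rcX.d/S99local entries (X = 2..5) under an rc.d base directory.
# Usage: count_s99local /etc/rc.d
count_s99local() {
    n=0
    for x in 2 3 4 5; do
        [ -e "$1/rc$x.d/S99local" ] && n=$((n + 1))
    done
    echo "$n"
}

# For each path given, print "<path> immutable|mutable|absent". A file flagged
# "i" by lsattr needs "chattr -i" before rm, which is what the question ran into.
# Usage: check_dropped /etc/sfewfesfs /etc/.SSH2 /etc/ssh/sshpa
check_dropped() {
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "$p absent"
        elif command -v lsattr >/dev/null 2>&1 &&
             lsattr -d "$p" 2>/dev/null | cut -d' ' -f1 | grep -q i; then
            echo "$p immutable"
        else
            echo "$p mutable"
        fi
    done
}

# Example run on a live host (uncomment to use):
# launched_from_etc /etc/rc.d/rc.local
# count_s99local /etc/rc.d
# check_dropped /etc/ssh/sshpa /etc/.SSH2 /etc/sfewfesfs /etc/gfhjrtfyhuf
```

Anything launched_from_etc prints that is not a package-owned file (check with rpm -qf) is a candidate for the chattr -i, kill and rm steps in the answer.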