One of my "CentOS 7" servers is showing very strange behavior. A user named "impress+" executes a command called "cron". This "cron" command is executed with a high CPU consumption.

I worry because I suspect it may be malware...

This server has nothing installed, just "sshd" running.

Top output!

QUESTION: What can I do to find out more about this "impress+" user and this "cron" command?

Thanks! =D

Eduardo Lucio

1 Answer

Unfortunately my server is infected... =\

Part of the Chkrootkit security utility output ( http://www.chkrootkit.org/ )...

NOTE: Information confirmed via system analysis!

[...]
Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed
/tmp/.X19-unix/.rsync/c/lib/64/libc.so.6
/tmp/.X19-unix/.rsync/c/lib/64/libpthread.so.0
/tmp/.X19-unix/.rsync/c/lib/64/tsm
/tmp/.X19-unix/.rsync/c/lib/32/libc.so.6
/tmp/.X19-unix/.rsync/c/lib/32/libpthread.so.0
/tmp/.X19-unix/.rsync/c/lib/32/tsm
/tmp/.X19-unix/.rsync/c/lib/arm/libc.so.6
/tmp/.X19-unix/.rsync/c/lib/arm/libpthread.so.0
/tmp/.X19-unix/.rsync/c/lib/arm/tsm
/tmp/.X19-unix/.rsync/c/slow
/tmp/.X19-unix/.rsync/c/tsm
/tmp/.X19-unix/.rsync/c/watchdog
/tmp/.X19-unix/.rsync/c/run
/tmp/.X19-unix/.rsync/c/go
/tmp/.X19-unix/.rsync/c/tsm32
/tmp/.X19-unix/.rsync/c/tsmv7
/tmp/.X19-unix/.rsync/c/start
/tmp/.X19-unix/.rsync/c/tsm64
/tmp/.X19-unix/.rsync/c/stop
/tmp/.X19-unix/.rsync/c/v
/tmp/.X19-unix/.rsync/c/golan
/tmp/.X19-unix/.rsync/c/dir.dir
/tmp/.X19-unix/.rsync/c/n
/tmp/.X19-unix/.rsync/c/aptitude
/tmp/.X19-unix/.rsync/init
/tmp/.X19-unix/.rsync/init2
/tmp/.X19-unix/.rsync/initall
/tmp/.X19-unix/.rsync/a/anacron
/tmp/.X19-unix/.rsync/a/run
/tmp/.X19-unix/.rsync/a/stop
/tmp/.X19-unix/.rsync/a/a
/tmp/.X19-unix/.rsync/a/cron
/tmp/.X19-unix/.rsync/a/init0
/tmp/.X19-unix/.rsync/b/run
/tmp/.X19-unix/.rsync/b/stop
/tmp/.X19-unix/.rsync/b/a
/tmp/.X19-unix/.rsync/1
/tmp/.X19-unix/.rsync/dir.dir
[...]

ACTIONS TAKEN: Destroy the compromised server. Change "root" passwords in the local infrastructure. Change passwords for users able to run as "root".

TIP: Chkrootkit is installed and configured by the private_tux tool ( https://github.com/eduardolucioac/private_tux ). It installs and configures security utilities and performs various security diagnostics automatically.

Disclosure: I am the author of private_tux.

  • Hi and welcome! This looks like your own tool. If you mention your own tool in your posts, [our rules require](https://unix.stackexchange.com/help/promotion) that you clearly state that it is your tool. Please ensure you always do this because otherwise, your posts will be deleted as spam by the system. – terdon Feb 17 '20 at 00:34
  • @terdon Thanks for the information! Change accepted. I take this opportunity to clarify that private_tux has no commercial purpose (BSD-3-Clause license). Thanks! =D – Eduardo Lucio Feb 17 '20 at 13:13
  • Oh, I don't doubt that! It's just that the post was flagged as spam and we have rather specific requirements about disclosure here, so I thought I'd let you know. It was perfectly clear to me you were _not_ trying to spam here, don't worry. You did nothing wrong, you could not have known the rules :) – terdon Feb 17 '20 at 13:17
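The question asks how to learn more about the "impress+" user and its "cron" process, and the answer's chkrootkit output shows where the binaries were staged: a hidden directory tree under /tmp/.X19-unix/.rsync/, with one of the droppers literally named "cron". The POSIX shell script below is an added triage example for both parts of the thread; it is not from the original post and not part of private_tux or chkrootkit. It resolves each process to the executable actually behind it via /proc/PID/exe (a process is free to call itself "cron" while running from /tmp), flags anything named like a cron daemon that does not live at a known cron path, flags any executable staged in a world-writable temp directory, a hidden directory, or already unlinked ("(deleted)"), lists hidden directories in temp locations that are not the standard X11 socket directories, and resolves the numeric UID to an account name. That last step matters because top truncates names wider than its USER column and marks the truncation with "+", so "impress+" is the first characters of a longer account name, not the name itself. The cron-binary allowlist and the list of legitimate hidden /tmp directories are assumptions for a CentOS 7-like host; the /proc root and passwd file are parameterised so the functions can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added triage helper for a "cron" process run by an unexpected user.
# Not part of the original post, private_tux or chkrootkit.
# Reads a /proc-style tree so it can be pointed at a constructed copy for
# testing; on a live host run it as root with the defaults.

PROC_ROOT="${PROC_ROOT:-/proc}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# Where a genuine cron daemon binary lives (assumption; adjust per distro).
LEGIT_CRON="/usr/sbin/crond /usr/sbin/cron /usr/sbin/anacron"

# Hidden directories that legitimately exist under /tmp (X11/ICE sockets).
# The malware in the answer mimics this naming with ".X19-unix".
LEGIT_HIDDEN=".X11-unix .ICE-unix .font-unix .XIM-unix .Test-unix"

# is_legit_cron PATH: succeeds when PATH is an allowlisted cron binary.
is_legit_cron() {
    for p in $LEGIT_CRON; do
        if [ "$1" = "$p" ]; then return 0; fi
    done
    return 1
}

# suspicious_exe PATH: succeeds when the executable is staged in a
# world-writable temp dir or a hidden directory, or was unlinked while
# still running (readlink on /proc/PID/exe then ends in "(deleted)").
suspicious_exe() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        */.*/*)                        return 0 ;;
        *"(deleted)")                  return 0 ;;
    esac
    return 1
}

# resolve_uid UID: prints the account name, or the UID itself if unknown.
# top truncates long names and appends "+" (hence "impress+"), so the
# numeric UID from /proc/PID/status is the reliable key.
resolve_uid() {
    name=$(awk -F: -v u="$1" '$3 == u { print $1; exit }' "$PASSWD_FILE" 2>/dev/null)
    printf '%s\n' "${name:-$1}"
}

# triage_processes [PROC_ROOT]: prints "PID UID COMM EXE REASON" for each
# process whose name or executable location is inconsistent with a real cron.
triage_processes() {
    root="${1:-$PROC_ROOT}"
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        exe=$(readlink "$d/exe" 2>/dev/null || echo '?')
        uid=$(awk '/^Uid:/ { print $2 }' "$d/status" 2>/dev/null)
        reason=""
        case "$comm" in
            cron|crond|anacron)
                if ! is_legit_cron "$exe"; then
                    reason="cron-named process not at a known cron path"
                fi ;;
        esac
        if [ -z "$reason" ] && suspicious_exe "$exe"; then
            reason="executable in temp/hidden dir or deleted"
        fi
        if [ -n "$reason" ]; then
            printf '%s %s %s %s %s\n' "$pid" "$uid" "$comm" "$exe" "$reason"
        fi
    done
    return 0
}

# find_staging_dirs DIR...: lists hidden directories directly under each DIR
# (e.g. /tmp/.X19-unix from the answer), skipping the known X11 socket dirs.
find_staging_dirs() {
    for base in "$@"; do
        for h in "$base"/.[!.]*; do
            [ -d "$h" ] || continue
            name="${h##*/}"
            keep=1
            for ok in $LEGIT_HIDDEN; do
                if [ "$name" = "$ok" ]; then keep=0; fi
            done
            if [ "$keep" -eq 1 ]; then printf '%s\n' "$h"; fi
        done
    done
    return 0
}

# Live run: sh triage.sh --run (root needed to read every /proc/PID/exe).
if [ "${1:-}" = "--run" ]; then
    echo "== suspicious processes =="
    triage_processes | while read -r pid uid comm exe reason; do
        printf '%s %s(%s) %s -> %s [%s]\n' "$pid" "$(resolve_uid "$uid")" "$uid" "$comm" "$exe" "$reason"
    done
    echo "== hidden dirs in temp locations =="
    find_staging_dirs /tmp /var/tmp /dev/shm
    echo "== cron jobs on disk =="
    ls -la /var/spool/cron 2>/dev/null; cat /etc/crontab /etc/cron.d/* 2>/dev/null
fi
```

On a host like the one in the question, a genuine crond resolves to /usr/sbin/crond and stays silent, while a process calling itself "cron" whose exe resolves to /tmp/.X19-unix/.rsync/a/cron is listed with its real account name. The script only reports; once an indicator like that is confirmed, the answer's course of action (rebuild the host and rotate the root and sudo-capable credentials) is the appropriate response, since a backdoored box cannot be trusted to report honestly about itself.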