Unknown linux process with random command

Question

I have a unknown process when I run top:

When I kill the process it is coming again with another random name.
when I check the rc.d levels and init.d there are many random name similar like this one and this one is also there.
when I try to apt-get remove or anthing elses it is coming again.
when I plug in network cable it is locking our whole network.

Do you have any idea how I can remove it?

What is this service/process?

This is the exe file, when I delete it, it is coming again too.

/proc/**pid**/exe =&gt; symbolic link to /usr/bin/hgmjzjkpxa

1	/proc/pid/exe => symbolic link to /usr/bin/hgmjzjkpxa

When i check “netstat -natp” there is an establisment foreign address is 98.126.251.114:2828. When i try to add rules to iptables, it is not working. But after trying and then restart this address change to 66.102.253.30:2828 this one.

OS is Debian Wheeze

Probably some botnet client (your machine is compromised). You have to find out how it is started. Utilities like cruft may come in handy to see what files do not belong to packages. — Dan, Feb 14 at 13:40
ps l will show you what the parent process is. Most likely, that’ll tell you what is spawning this process. Look at the PPID column for the information you want. I wouldn’t be so quick to declare this malware. — krowe, Feb 14 at 14:02
+1 to check the parent process. And if the file /use/bin/hgmjzjkpxa exists (could it be in /usr?) is it also a link, or something else interesting listed in ls -la, or viewed with less or strings? — Xen2050, Feb 15 at 4:02
there is no any parent process, it is looking like whoami process, there is one thing when i check “netstat -natp” there is an establisment foreign address is 98.126.251.114:2828. when i try to add rules to iptables, it is not working. But after trying and then restart this address change to 66.102.253.30:2828 this one. do you have any idea about this? — user1424059, Feb 17 at 12:23

Colin Rosenthal · Answer 1

up vote1down vote

I’ll bet you a dollar it’s https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/ . All your symptoms are exactly as described.

answered Feb 18 at 7:46

Colin Rosenthal

162

add a comment

score 0 · Answer 2

I have some experiences about this random 10bit string trojan, It will send lots of packets for SYN flood.

Cut down your network

The trojan has raw file coming from /lib/libudev.so, it will copy and fork again. It will also add cron.hourly job named gcc.sh, then it will add initial script in your /etc/rc*.d (Debian, CentOS may be /etc/rc.d/{init,rc{1,2,3,4,5}}.d)

Use root to run the script below to change the folder privileges: chmod 0000 /lib/libudev.so && rm -rf /lib/libudev.so && chattr +i /lib/
Delete all /etc/rc{0,1,2,3,4,5,6,S}.d files which were created today, The name looks like S01????????.
Edit your crontab, delete the gcc.sh script in your /etc/cron.hourly, delete the gcc.sh file (/etc/cron.hourly/gcc.sh) then add privileges for your crontab: sed ‘/gcc.sh/d’ /etc/crontab && chmod 0000 /etc/crontab && chattr +i /etc/crontab
Use this command to check the latest file changes: ls -lrt

If you find any suspicious files named S01xxxxxxxx (or K8xxxxxxxx), delete it.