
I have an unknown process when I run top:
Do you have any idea how I can remove it? What is this service/process? This is the exe file; when I delete it, it comes back again too.
When I check “netstat -natp” there is an established connection whose foreign address is 98.126.251.114:2828. When I try to add rules to iptables, it does not work. But after trying and then restarting, this address changed to 66.102.253.30:2828. OS is Debian Wheezy.
I’ll bet you a dollar it’s https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/ . All your symptoms are exactly as described.
I have some experience with this random 10-bit-string trojan; it sends lots of packets for a SYN flood.
The trojan's raw file comes from /lib/libudev.so; it will copy itself and fork again. It will also add a cron.hourly job named gcc.sh, and then it will add an init script in your /etc/rc*.d (on Debian; on CentOS it may be /etc/rc.d/{init,rc{1,2,3,4,5}}.d).
If you find any suspicious files named S01xxxxxxxx (or K8xxxxxxxx), delete them.
Then the trojan should be cleaned and you can change the folder attributes back to their original values (chattr -i /lib /etc/crontab).
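As an added example, not code posted in this thread, here is a small POSIX sh script that checks the places the answer above names (the /etc/cron.hourly/gcc.sh job, S01/K8 links with a 10-character random name under /etc/rc*.d, and the immutable attribute on /lib and /etc/crontab) and filters "netstat -natp" output for the port-2828 connection from the question. The fake directory tree it builds and the sample netstat lines are constructed for the demo; the 10-character process name gyiaxvhcrz is made up. Run it with --demo to exercise the checks on the fake tree, or --live (as root) to check the running system.

```shell
#!/bin/sh
# Added example, not code from the original thread. It checks the persistence
# spots named in the answer above (/etc/cron.hourly/gcc.sh, S01/K8 links with a
# 10-character random name under /etc/rc*.d, the immutable bit on /lib and
# /etc/crontab) and the "netstat -natp" symptom from the question. ROOT defaults
# to the live system; the fake tree and netstat lines below are constructed.

# Print rc*.d links named S01 or K8 followed by exactly 10 characters.
# A legitimate link with a 10-character name would be listed too: inspect by hand.
find_rc_links() {
    root="${1:-}"
    for d in "$root"/etc/rc*.d "$root"/etc/rc.d/rc*.d; do
        [ -d "$d" ] || continue
        for f in "$d"/S01?????????? "$d"/K8??????????; do
            [ -e "$f" ] || [ -L "$f" ] || continue
            printf '%s\n' "$f"
        done
    done
}

# Print the cron.hourly dropper if present (exit 1 otherwise).
find_cron_job() {
    f="${1:-}/etc/cron.hourly/gcc.sh"
    [ -f "$f" ] && printf '%s\n' "$f"
}

# Exit 0 if the path carries the immutable (i) attribute, which is what makes
# rm fail until "chattr -i" is run. Exit 1 if not set or lsattr cannot read it.
is_immutable() {
    lsattr -d "$1" 2>/dev/null | awk 'BEGIN { rc = 1 } $1 ~ /i/ { rc = 0 } END { exit rc }'
}

# Read "netstat -natp" output on stdin; print "PID/name foreign-address" for
# ESTABLISHED connections whose remote port is exactly 2828.
c2_connections() {
    awk '$6 == "ESTABLISHED" && $5 ~ /:2828$/ { print $7, $5 }'
}

# Constructed sample in the layout of "netstat -natp"; the first foreign address
# is the one from the question, the process name is a made-up 10-character token.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 10.0.0.5:47211          98.126.251.114:2828     ESTABLISHED 2113/gyiaxvhcrz
tcp        0      0 10.0.0.5:22             10.0.0.9:50112          ESTABLISHED 2201/sshd'

# Build a constructed fake root with one suspicious link, one benign link and the
# cron job, so the checks can be exercised without an infected machine.
make_sample_root() {
    root="$(mktemp -d)"
    mkdir -p "$root/etc/rc2.d" "$root/etc/cron.hourly"
    : > "$root/etc/rc2.d/S01gyiaxvhcrz"   # suspicious: S01 + 10 random chars
    : > "$root/etc/rc2.d/S01motd"         # benign Debian link, name too short
    : > "$root/etc/cron.hourly/gcc.sh"
    printf '%s\n' "$root"
}

# Report on ROOT (empty string = the live system).
report() {
    root="${1:-}"
    echo "== rc*.d links =="; find_rc_links "$root"
    echo "== cron.hourly =="; find_cron_job "$root" || echo "none"
    for p in "$root/lib" "$root/etc/crontab"; do
        if is_immutable "$p"; then echo "immutable: $p (clear with: chattr -i $p)"; fi
    done
}

if [ "${1:-}" = "--demo" ]; then
    report "$(make_sample_root)"
    echo "== connections to port 2828 =="
    printf '%s\n' "$SAMPLE_NETSTAT" | c2_connections
elif [ "${1:-}" = "--live" ]; then
    report ""
    echo "== connections to port 2828 =="
    netstat -natp 2>/dev/null | c2_connections
fi
```

The link check matches on name shape only, so treat its output as a list to inspect rather than delete blindly; the immutable check is what tells you why a plain rm keeps failing before chattr -i is applied.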