Linux – Unknown linux process with random command

Tags: debian, linux, ssh, Ubuntu, virus

I have an unknown process when I run top:

[screenshot of top output]

  • When I kill the process, it comes back with another random name.
  • When I check the rc.d levels and init.d, there are many random names similar to this one, and this one is there as well.
  • When I try apt-get remove or anything else, it comes back.
  • When I plug in the network cable, it locks up our whole network.

Do you have any idea how I can remove it?

What is this service/process?

This is the exe file; when I delete it, it comes back too.

/proc/**pid**/exe => symbolic link to /usr/bin/hgmjzjkpxa

When I check `netstat -natp`, there is an established connection whose foreign address is 98.126.251.114:2828.
When I try to add rules to iptables, it is not working.
But after trying and then restarting, this address changes to 66.102.253.30:2828.

OS is Debian Wheezy.

Best Answer

I have some experience with this random 10bit string trojan; it sends lots of packets for a SYN flood.

  1. Cut down your network

The trojan's raw file comes from /lib/libudev.so; it copies and forks itself again. It also adds a cron.hourly job named gcc.sh, then adds an init script in your /etc/rc*.d (Debian; on CentOS it may be /etc/rc.d/{init,rc{1,2,3,4,5}}.d).

  2. Use root to run the script below to change the folder privileges: `chmod 0000 /lib/libudev.so && rm -rf /lib/libudev.so && chattr +i /lib/`

  3. Delete all /etc/rc{0,1,2,3,4,5,6,S}.d files which were created today. The name looks like S01????????.

  4. Edit your crontab: delete the gcc.sh script from your /etc/cron.hourly, delete the gcc.sh file (/etc/cron.hourly/gcc.sh), then add privileges for your crontab: `sed -i '/gcc.sh/d' /etc/crontab && chmod 0000 /etc/crontab && chattr +i /etc/crontab` (the original command lacked `-i`, so sed only printed the filtered crontab instead of editing it).

  5. Use this command to check the latest file changes: `ls -lrt`

If you find any suspicious files named S01xxxxxxxx (or K8xxxxxxxx), delete them.

  6. Then you should reboot without network.

Then the trojan should be cleaned, and you can restore the folder privileges to their original values (`chattr -i /lib /etc/crontab`).