
Re: a compromised machine



On the 12989th day after Epoch,
Nejc Novak wrote:

> I checked crontabs and I haven't found anything, but new processes started
>
> www-data  6705  0.0  0.1  1616  600 ?        S    21:31   0:00 /tmp/dlciiqlno x
> www-data  6762  0.0  0.0     0    0 ?        Z    22:10   0:00 [sh] <defunct>
> www-data  6770  0.0  0.1  1624  608 ?        S    22:10   0:00 [bdflu
>
> and new connections were opened
>
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 193.77.81.144:33276     210.169.91.66:5454      ESTABLISHED
> tcp        0      0 193.77.81.144:33281     193.201.53.88:6667      ESTABLISHED
>
> Once again, /tmp/dcliiqlno doesn't exist... where is this exec file,
> because I would really like to know what exactly it does.. and what is
> bdflu?

Easy to do. The exec prog removes itself.

Try "lsof -p <hackprocessid>" and you will probably see a "deleted" file.

The process probably restarted because of a corrupted command. For
example, ls or ps are corrupted, so they create /tmp/xxxx, run it and
delete it.

> I still haven't managed to find out how exactly this happened. And
> probably reinstall will be needed? What do you think?

First of all, you must unplug the machine. Second, reinstall it.

If you have important data, just back it up, but *only* data!
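A small check in the spirit of the lsof advice above (an added example, not part of the thread): it walks /proc/<pid>/exe, which the Linux kernel suffixes with " (deleted)" once a running program's binary has been unlinked, and demonstrates it with a constructed copy of sleep standing in for the vanished /tmp binary. Assumes Linux with /proc mounted and a coreutils-style sleep.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Lists processes whose executable no longer exists on disk, the same
# situation "lsof -p <pid>" reports as "(deleted)".

# Print "pid<TAB>exe" for every process whose binary has been unlinked.
# readlink fails for processes we may not inspect; those are skipped.
list_deleted_exes() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            *" (deleted)") printf '%s\t%s\n' "${p#/proc/}" "$exe" ;;
        esac
    done
}

# Demonstration: run a copy of sleep from a temp dir, delete the copy while
# it is still running, and confirm the PID shows up. Returns 0 when found.
demo_deleted_exe() {
    dir=$(mktemp -d) || return 1
    # constructed sample binary, stands in for /tmp/dlciiqlno
    cp "$(command -v sleep)" "$dir/constructed_bin" || return 1
    "$dir/constructed_bin" 30 &
    pid=$!
    rm "$dir/constructed_bin"          # unlink; the process keeps running
    rc=1
    if list_deleted_exes | awk -v p="$pid" '$1 == p { found = 1 } END { exit !found }'; then
        rc=0
    fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rmdir "$dir" 2>/dev/null || true
    return $rc
}
```

Running list_deleted_exes on a live box complements lsof: a www-data process whose exe reads "/tmp/... (deleted)" is exactly the pattern described in the quoted ps output.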
