
My Ubuntu 12.04 server is becoming periodically non-responsive. Upon recovery (while I'm running top) I see a bunch of processes named "tang". They aren't using a ton of resources (around 3% cpu), but I have no idea what they are or what they are doing. My Google-fu is failing me on this one. Does anyone have any idea what that process is?

Thank you in advance!

Follow Up: After additional digging the server was indeed breached. It turns out there was a collection of binaries copied and running from the /root/ and /home/ directories.

There is a list below of the various binaries in case it helps anyone coming after me. I was able to quickly disable the network interfaces on the server, copy known and needed files off and then fire up a new server.

The logs were clean, so I'm assuming this was a result of not patching the heartbleed bug fast enough on the server. Attack happened April 17th.

Rogue Binaries: tang yang yangji32 yangji64 mash 999 dd.64 trffg weim3 weimiao32 weimiao64 xiaoweigj xudp 124.173

BMeiss
  • Can you check `ls -l /proc/$PID_OF_PROCESS/exe` and look up the full path to the binary in the repository with `dpkg -S /path/to/bin`? – mtak Apr 23 '14 at 14:08
  • The process seems to be transient, the PIDs I had seen in top before are now gone. Doing a search I found tang in /root/tang. The dpkg result: `dpkg-query: no path found matching pattern /root/tang`. – BMeiss Apr 23 '14 at 14:59
  • Congratulations, your server has been compromised. – Michael Hampton Apr 23 '14 at 16:04
  • You can do a bit more investigation with `netstat -tapn|grep tang` and `lsof $pid` but treat server as compromised unless proven otherwise – LinuxDevOps Apr 23 '14 at 16:17

1 Answer


Copy the /root/tang to a different directory to prevent it from being deleted. If it wasn't installed by a package and you didn't install it yourself there is the possibility that your server was compromised.

Run `strings /dir/where/you/copied/it/to/tang` to find any clues as to what it does (don't run it!). It might be a good precaution to disconnect the server from the network or move it to a VLAN which has no access to internal resources. If you're feeling lucky, run the program with `strace tang`; this should give you some insight into what it does. Make sure you take precautions before doing this, like moving the server to a different VLAN and removing any sensitive information. You might also want to sniff the server's network so you can see which resources on the internet it interacts with.

mtak
  • OK, thanks. I'm doing some additional investigation. I'll report back anything else I find to document it here. – BMeiss Apr 23 '14 at 15:11
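The checks suggested in the comments and the answer (resolve `/proc/PID/exe`, ask `dpkg -S` who owns the file, flag binaries living under `/root` or `/home`, list the process's sockets) collected into one read-only triage script. This is an added example, not code from the thread; it assumes a Linux host with `/proc`, `pgrep` and `readlink`, and uses `dpkg` and `ss` only if they are installed.

```shell
#!/bin/sh
# Read-only triage of running processes whose name matches a pattern.
# Nothing here executes or modifies the suspect binary.

# Real executable path behind a PID (a deleted binary shows " (deleted)" here).
exe_path_of_pid() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# Package-managed binaries never live in these directories; a daemon
# running from /root/tang or /home/... is a strong signal on its own.
is_suspicious_path() {
    case "$1" in
        /root/*|/home/*|/tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Owning package per dpkg, "none" when no package claims the file,
# or "dpkg-unavailable" on hosts without dpkg.
package_owner() {
    command -v dpkg >/dev/null 2>&1 || { echo "dpkg-unavailable"; return; }
    dpkg -S "$1" 2>/dev/null | head -n1 | cut -d: -f1 | grep . || echo none
}

# One report line per matching PID, plus its network endpoints if ss exists.
triage_name() {
    pattern="$1"
    for pid in $(pgrep -f "$pattern"); do
        [ "$pid" = "$$" ] && continue
        exe=$(exe_path_of_pid "$pid") || continue   # PID vanished or no permission
        owner=$(package_owner "${exe% (deleted)}")
        flag=""
        is_suspicious_path "$exe" && flag=" <-- user-writable location"
        [ "$owner" = none ] && flag="$flag <-- not owned by any package"
        echo "pid=$pid exe=$exe package=$owner$flag"
        ss -tunap 2>/dev/null | grep "pid=$pid," || true
    done
}

# Usage: sh triage.sh tang   (run as root so /proc/PID/exe is readable)
[ -n "$1" ] && triage_name "$1"
```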