
I am currently on Ubuntu 16.04, and I have noticed slowdowns across the server in general. Upon viewing htop, I noticed that processes with random commands are spawning and taking up the CPU usage with them. Here is the image that shows an offending process. When trying to view which user started the process, the pts shows as a '?', as shown below:

# ps -feww | grep netstat
root      7444     1 91 01:29 ?        00:01:37 netstat -antop
root     13051     1  0 01:31 ?        00:00:00 netstat -antop
root     13063     1  0 01:31 ?        00:00:00 netstat -antop

I successfully killed the process with signal 9, but after a few seconds, another process with a completely different command pops up and runs until I kill it. Rebooting the server did not fix this.

Would appreciate some advice on this, thanks!

shprogram
Alucard

2 Answers


Turns out the server was compromised by XorDos, causing it to run random processes while doing a spoofed UDP flood.

Alucard

Here is a solution:

https://admin-ahead.com/forum/server-security-hardening/unix-trojan-ddos_xor-1-chinese-chicken-multiplatform-dos-botnets-trojan/

So your virus is in /lib/libudev.so or /lib/libudev4.so.

You need to chattr -i /lib/libudev.so, then remove it, reboot, and then delete all other crap (check the URL above).

You can install ClamAV for Linux: https://www.centosblog.com/how-to-install-clamav-and-configure-daily-scanning-on-centos/
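
A read-only triage sketch for the symptoms and paths discussed in this thread, added here as an example and not part of either answer: it reports whether the two files named above exist and carry the immutable flag that `chattr -i` clears, and lists processes whose displayed name differs from the binary behind `/proc/<pid>/exe`. The function names, the optional root and proc-directory arguments, and the `--scan` switch are assumptions of this example.

```shell
#!/bin/sh
# Added triage example, not from the thread. Read-only: it reports, never deletes.

# The two paths named in the answer above.
SUSPECT_PATHS="/lib/libudev.so /lib/libudev4.so"

# suspect_files [ROOT]: print "path immutable=yes|no|unknown" for each path that
# exists. ROOT (assumption of this example) lets you check a mounted disk image.
suspect_files() (
    root=${1:-}
    for p in $SUSPECT_PATHS; do
        f="$root$p"
        [ -e "$f" ] || continue
        # lsattr prints the flag field first; 'i' is the immutable bit.
        if attrs=$(lsattr -d "$f" 2>/dev/null); then
            case ${attrs%% *} in *i*) imm=yes ;; *) imm=no ;; esac
        else
            imm=unknown   # lsattr missing or filesystem without these attributes
        fi
        echo "$p immutable=$imm"
    done
)

# name_mismatches [PROCDIR]: print "pid argv0 exe" when the name shown by ps/htop
# (argv[0]) differs from the executable actually running, or that executable has
# been deleted from disk. These are leads to review, not verdicts: interpreters
# and daemons that rewrite their title show up here too.
name_mismatches() (
    proc=${1:-/proc}
    for d in "$proc"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        argv0=$(tr '\0' '\n' < "$d/cmdline" | head -n 1)
        [ -n "$argv0" ] || continue          # kernel threads have an empty cmdline
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        case $exe in *" (deleted)") deleted=1 ;; *) deleted=0 ;; esac
        exe_name=${exe% (deleted)}
        if [ "$deleted" = 1 ] || [ "${argv0##*/}" != "${exe_name##*/}" ]; then
            echo "${d##*/} $argv0 $exe"
        fi
    done
)

# Run against the live system only when asked to (run as root to read every exe link).
if [ "${1:-}" = "--scan" ]; then
    suspect_files
    name_mismatches
fi
```

Capture the output before killing or deleting anything, since the process list and the `exe` links are lost once the processes are gone.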