Am I hacked? Unknown processes dsfref, gfhddsfew, dsfref etc. are starting automatically in CentOS 6.5


Solution 1

Yes, you're hacked!

Congratulations!

It looks like you have a rootkit or a vulnerability. Try to update your system and use utilities like rkhunter and clamav.

Then you need to check the system files:

rpm -Va    # verify the files of every installed package against the RPM database

Or you can fully reinstall your system instead.

Solution 2

It won't be helpful even if you delete these files: /tmp/.sshdd1401029612 or /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs

You may first delete a few (binary) files introduced to your system by the intruder:

(A) /etc/rcX.d/S99local

X = 2, 3, 4, 5

This script calls /etc/rc.d/rc.local, which launches several attacks on your system.

(B) So it is better to delete this file immediately as well. As you can see, the content of this file launches several binaries that attack your system:


#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./sdmfdsfhjfe
cd /etc;./gfhddsfew
cd /etc;./ferwfrre
cd /etc;./dsfrefr

It is strongly recommended to forcibly delete the file /etc/rc.d/rc.local.

(C) After deleting the files above, you can start using sudo to terminate the processes:

(i) /etc/ssh/sshpa

which causes the creation of /tmp/.sshddxxxxxxxxxx, /etc/.SSH2 and /etc/sfewfesfs

(ii) and then terminate the processes /tmp/.sshddxxxxxxxxxx, /etc/.SSH2 and /etc/sfewfesfs

(D) Please delete these files immediately: /etc/ssh/sshpa, /tmp/.sshddxxxxxxxxxx, /etc/.SSH2, /etc/sfewfesfs

and use htop to make sure they are no longer launched in the background.

(E) Update your system, and please don't forget to change root's password and all users' passwords.

Unfortunately, chkrootkit and rkhunter may not be able to detect this intruder. Perhaps I don't know how to fully utilize these two rootkit checkers, or perhaps both rootkit checkers should be updated, or perhaps there is another reason...
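Both answers describe the same triage: work out what rc.local launches, find the dropped executables and the immutable attribute that blocked the asker's rm, confirm nothing is still running from /tmp or /etc, and verify package-owned files with rpm. The script below is an added example written for this page; it is not code from either answer. The function names, the "run" argument and the choice of /etc, /etc/ssh and /tmp as default scan targets are my assumptions. One fact it relies on: a stock CentOS 6 /etc/rc.d/rc.local contains only the header comment and the "touch /var/lock/subsys/local" line, and /etc/rcX.d/S99local is the standard symlink to it, so whatever else is in that file was appended. The rpm -qf check also answers BaBL86's point about non-repository binaries: it lists executables no package owns at all, while a package-owned binary that was replaced only shows up in the rpm -Va run that Solution 1 recommends.

```shell
#!/bin/sh
# Added example for this page, not code from the answers above.
# Every function takes the path it inspects as an argument, so the checks can
# be run against the live system (the default targets in triage_report are
# assumed) or against a mounted copy of the disk for evidence collection.

# 1. Foreign lines in rc.local. A stock CentOS 6 /etc/rc.d/rc.local holds only
#    the header comment and "touch /var/lock/subsys/local", so anything else
#    that is not a comment or a blank line was added. Printed deduplicated.
rc_local_foreign_commands() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -v '^[[:space:]]*$' \
        | grep -vx 'touch /var/lock/subsys/local' | sort -u
}

# 2. Resolve "cd /etc;./sfewfesfs" launcher lines to absolute paths
#    (/etc/sfewfesfs) so the result can be fed to the checks below and to rm.
rc_local_launched_binaries() {
    rc_local_foreign_commands "$1" \
        | sed -n 's|^cd \([^;]*\);[[:space:]]*\./\(.*\)$|\1/\2|p' | sort -u
}

# 3. Executables directly inside a directory that no installed RPM owns. The
#    dropped files in /etc and /tmp (including dotfiles such as /etc/.SSH2) are
#    not package-owned. When rpm is unavailable every executable is listed.
#    A replaced package-owned binary is not caught here; rpm -Va is for that.
unowned_executables() {
    find "$1" -maxdepth 1 -type f -perm -u=x 2>/dev/null | while read -r f; do
        if command -v rpm >/dev/null 2>&1 && rpm -qf "$f" >/dev/null 2>&1; then
            continue
        fi
        printf '%s\n' "$f"
    done | sort
}

# 4. Entries in a directory carrying the immutable attribute, which is why the
#    question's rm failed until "chattr -i" was used. lsattr prints the flag
#    string first and the path second; a lowercase "i" in the flags is immutable.
immutable_files() {
    command -v lsattr >/dev/null 2>&1 || return 0
    lsattr -a "$1" 2>/dev/null | awk '$1 ~ /i/ { print $2 }'
}

# 5. Processes whose executable lives in /tmp, /dev/shm or /etc, or was
#    unlinked after starting (readlink appends " (deleted)"). Output: PID path.
suspicious_processes() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        pid=${exe#/proc/}; pid=${pid%/exe}
        case "$target" in
            /tmp/*|/dev/shm/*|/etc/*|*' (deleted)') printf '%s %s\n' "$pid" "$target" ;;
        esac
    done
}

# Run every check against the locations the answers name (assumed defaults).
triage_report() {
    rc=/etc/rc.d/rc.local
    echo "== lines added to $rc";   rc_local_foreign_commands "$rc"
    echo "== binaries it launches"; rc_local_launched_binaries "$rc"
    for d in /etc /etc/ssh /tmp; do
        echo "== unowned executables in $d"; unowned_executables "$d"
        echo "== immutable entries in $d";   immutable_files "$d"
    done
    echo "== processes running from /tmp, /dev/shm, /etc or a deleted file"
    suspicious_processes
}

# "sh triage.sh run" produces the report; sourcing the file only defines the
# functions so they can be used one at a time.
if [ "${1:-}" = run ]; then
    triage_report
fi
```

Run it as root on the compromised box with "sh triage.sh run", or source it and point the functions at a mounted image. Collect the output before deleting anything; it is the list of paths to chattr -i and remove, and of PIDs to kill. The advice in both answers to reinstall still stands: this script only confirms what the intruder left behind, it does not prove nothing else was changed.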

Author: rrmerugu

Updated on June 28, 2022

Comments

  • rrmerugu
    rrmerugu almost 2 years

    I'm using CentOS 6.5. Recently I realised that my computer is uploading something (I didn't even ask for it) at an upload speed of 11 Mbps, but the scary part is that my internet upload speed is 800 Kbps. Every day it shows 200 GB uploaded, and so on. You can see some unknown processes starting in image 1 attached: gfhddsfew, sdmfdsfhjfe, gfhjrtfyhuf, dsfrefr, ferwfrre, rewgtf3er4t, sfewfesfs, sdmfdsfhjfe.

    I tried to kill all the processes manually with the kill command and deleted the files from the /etc/ folder, but still, if I connect to the internet, these files get placed in /etc/ automatically. I don't see this issue in Windows (my PC is dual boot).

    Note: I used chattr -i to change permissions and deleted the file sfewfesfs. When I tried to delete the file without using chattr, it says permissions can't be changed / file can't be deleted. And one more thing: when I used the command # rm /etc/sfewfesfs without chattr, the computer restarted; it happened every time I tried to delete the file without chattr. And these executables show up in running processes only when the internet is connected.

    Note: I'm using Beam cable internet (beamtele.com, Hyderabad, India).

    Here are the images that show the issue:

    [Image: Issue depiction #1] [Image: Issue depiction #2]

  • shevy
    shevy over 9 years
    And what about those who do not use or have rpm?
  • BaBL86
    BaBL86 over 9 years
    debsums -ca. But what if you have a NON-REPOSITORY binary file somewhere in PATH, or a daemon in memory that opens SSH with an evil login/password? RPM and debsums check only installed packages.