This week one of my XenServers for testing environments was suffering from network loss and packet loss. My ISP only saw some broadcast traffic and was not sure what was going on.
The machine was sometimes responding and most of the time had a very high ICMP reply time. After checking into this I found some strange cron jobs and strange files in /usr/bin and /lib; after killing them they came back under a new name. Also in /etc/init.d/ I found some strange scripts. They all appeared under strange names like:
- mikrjcfxwr
- smtqqusisa
- getty
- jfcqxcpocz
Now the steps to clean this machine were:
- Check the file /etc/crontab to see if you have an entry that runs every 3 minutes, and delete this line:
*/3 * * * * root /etc/cron.hourly/cron.sh
- Now use the
ps -ej
command to find the parent process of the rootkit. This will be the first entry you see when running ps -ej.
- Important step: STOP the process, do NOT kill it! Stop it with the PID from the previous command:
kill -STOP 1462
- Now check again to see that the children have died and the parent is still alive:
ps -ej
- Next step is to delete all the files related to this virus. Check the following folders:
/usr/bin
/etc/init.d/
/bin/
/lib/libgcc4.so OR /lib/libgcc4.4.so
- Check the
/etc/cron.hourly/cron.sh
file to see what it was calling. Also check the init.d folder to see where the files are stored and remove them.
- Now kill the parent process and you should be clean and up and running!
Reminder!
The process can use different names!
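As an added example (not code from the original post), the checks from the steps above as shell functions that can be pointed at /etc/crontab, the output of ps -ej and the listed folders. The random 10-lowercase-letter name pattern and the use of the process-group leader (PGID) to find the parent are my assumptions drawn from the names listed above, and the crontab and ps -ej samples are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers that automate the
# cleanup checks. Each takes its input as an argument so it can be run
# against the constructed samples below without touching the live system.

# Constructed samples reproducing what the post describes.
SAMPLE_CRONTAB='SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/3 * * * * root /etc/cron.hourly/cron.sh'

SAMPLE_PS='  PID  PGID   SID TTY          TIME CMD
    1     1     1 ?        00:00:01 init
 1462  1462  1462 ?        00:02:10 mikrjcfxwr
 1470  1462  1462 ?        00:00:03 smtqqusisa
 1471  1462  1462 ?        00:00:02 jfcqxcpocz
 2210  2210  2210 ?        00:00:00 sshd'

# Step 1: crontab entries that run every 3 minutes and call cron.sh.
find_cron_entry() {          # $1 = crontab contents
    printf '%s\n' "$1" | grep -E '^\*/3 .*cron\.sh' || true
}

# Step 2: the parent process. Assumption: instead of trusting "first entry
# in ps -ej", take processes whose command is a random-looking 10-letter
# name and report their process-group leader (PGID, column 2).
find_parent_pid() {          # $1 = ps -ej output
    printf '%s\n' "$1" |
        awk 'NR > 1 && length($6) == 10 && $6 ~ /^[a-z]+$/ { print $2 }' |
        sort -u
}

# Step 3: freeze, do not kill, the parent so children cannot be respawned.
freeze_parent() { kill -STOP "$1"; }

# Step 4 helpers: candidate files to review. Treat the output as candidates
# for manual review only; legitimate names such as "networking" also have
# 10 lowercase letters.
find_suspicious_names() {    # $1 = directory, e.g. /etc/init.d or /usr/bin
    ls "$1" 2>/dev/null | awk 'length($0) == 10 && $0 ~ /^[a-z]+$/'
}
find_dropped_libs() {        # $1 = lib directory, normally /lib
    ls "$1"/libgcc4.so "$1"/libgcc4.4.so 2>/dev/null || true
}

# Demo on the constructed samples (read-only; freeze_parent is not invoked).
echo "cron entry : $(find_cron_entry "$SAMPLE_CRONTAB")"
echo "parent pid : $(find_parent_pid "$SAMPLE_PS")"
```

Run find_parent_pid against `ps -ej` output only after the crontab line is gone, so the parent is not re-spawned between the check and the kill -STOP.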