1 vote

I have a process named "stealth" that has infected my server (slamming my CPU) and I can't figure out where it is to remove it for good. Every time I kill the process it somehow starts itself again...

`ps -ef | grep stealth` gives me this:

(screenshot: ps showing the stealth process)

But I have no idea where `./stealth` would be since it's a relative path?

Also when I try using locate or find, I get nothing.

Any ideas how I can find and remove this process?

Jesse Bunch

  • (3) I wouldn't settle for just removing the process... – ceejayoz Dec 20 '11 at 15:36
  • (3) What you mean a rebuild? I'm thinking that's the way I'll go. – Jesse Bunch Dec 20 '11 at 15:37
  • It's running under apache's id. Shut down the apache service and then kill the process to see if apache was the infected host process. – Tim Dec 20 '11 at 15:42
  • Running under the Apache user, so that's a good bet on where it came from. – Shane Madden Dec 20 '11 at 15:42
  • If you kill it now, you won’t be able to figure out what’s going on. At least not until the intruder starts it up again at 4:00AM a week from now. At least that’s been my experience with this sort of thing. – Michael Kropat Dec 20 '11 at 15:45
  • (1) Do a `find /tmp | grep -i stealth`; people with similar infections found the executables and hackers' break-in tools in /tmp. – Tim Dec 20 '11 at 15:47
  • (2) [Nuke from orbit - it's the only way to be sure](http://nukeitfromorbit.com/) – user9517 Dec 20 '11 at 15:50
  • Do crackware authors think that naming an executable "stealth" will make it invisible to admins? :) – janneb Dec 20 '11 at 15:50
  • @Tim - That turned it up. See this: http://cl.ly/2Y0I1F131x3x1E0g1t3w. Tricky little thing. – Jesse Bunch Dec 20 '11 at 15:51
  • @MichaelKropat You're right. That's why I left it running for now. – Jesse Bunch Dec 20 '11 at 15:51
  • Great! I would go ahead and nuke that folder `.shy` – Tim Dec 20 '11 at 15:52
  • @ShaneMadden Exactly. I had an old version of PHPMyAdmin lying stagnant on the server. (I know, stupid me.) I think it was uploaded through that. – Jesse Bunch Dec 20 '11 at 15:52
  • (2) I'd go with the nuke-and-rebuild approach, but definitely do what you can to investigate first (disconnected from the network, if you can). See [My server's been hacked EMERGENCY](http://serverfault.com/questions/218005/my-servers-been-hacked-emergency). – Shane Madden Dec 20 '11 at 15:52
  • @janneb there is at least 1 admin that it would work on. – Tim Dec 20 '11 at 15:53
  • (1) Out of interest, before you nuke it from orbit, do `strace -p 11377` and pastebin the output for us all to see. – Tom O'Connor Dec 20 '11 at 16:08
  • @TomO'Connor I tried, but I don't have `strace` installed on my server and couldn't get `yum` to run with that process running. – Jesse Bunch Dec 20 '11 at 17:01
  • Boo. What a shame. – Tom O'Connor Dec 20 '11 at 17:18
  • It's probably a simple IRC client/bot joined to a server/channel owned by the intruder (port 6667 is a default IRC port and IRC bots are a very popular means of remote control). If you can snoop the connection you might learn something interesting. – Andrew Lambert Jan 05 '12 at 22:04

3 Answers

8 votes

If I’m not mistaken, `ls -l /proc/11377/exe` will tell you where the file is located. Removing it might be a whole other matter though.

Michael Kropat
4 votes

Your computer is compromised. If possible, replace the server with a clean one or reinstall it. You should not trust it anymore.

Mircea Vutcovici
1 vote

  1. Before running `locate`, run `updatedb` to make sure the locate database is current.
  2. The fact that the process respawns means it is under the supervision of another process (init, daemontools, cron, etc.). Look at the process's parent ID to find out which process is launching it. That program will need to be examined to figure out what relationship it has to the stealth program.
  3. Examine the proc entry for the process ID: `/proc/[pid]/cwd` gives you the "current working directory", which tells you where `./stealth` is.
  4. `kill -SIGSTOP [pid]` will stop (suspend) the process without killing it, letting you examine it without worrying about it doing anything further.

Michael Martinez
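The two /proc-based answers above (Michael Kropat's `/proc/PID/exe` lookup and Michael Martinez's cwd / parent-PID / SIGSTOP steps) fit together into one triage script. The following is an added example, not code posted in this thread, and it assumes a Linux host with procfs mounted; it takes the PID as its only argument (the `11377` mentioned in the comments is not hard-coded). Beyond what the answers state, it walks the whole parent chain to expose whatever keeps respawning the process, copies the mapped binary out before anything is killed (the `/proc/PID/exe` link still opens even if the file on disk has been unlinked), and decodes the process's remote IPv4 TCP peers from `/proc/net/tcp`, which is where a controller such as the IRC server suggested in the comments would show up. Function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect a suspicious PID through
# Linux procfs instead of trusting the argv[0] that ps shows ("./stealth").
# Usage: sh proc_inspect.sh <pid>

# Binary actually mapped by the process. If the file was unlinked after
# exec, readlink appends " (deleted)" but the link still opens, so the
# binary can be copied out for analysis (see proc_preserve_exe).
proc_exe()   { readlink "/proc/$1/exe"; }

# Working directory: the "." in a relative "./stealth".
proc_cwd()   { readlink "/proc/$1/cwd"; }

# Parent PID, from the "PPid:" line of /proc/PID/status.
proc_ppid()  { awk '/^PPid:/ {print $2}' "/proc/$1/status"; }

# Effective UID (the "Uid:" line lists real, effective, saved, fs).
proc_euid()  { awk '/^Uid:/ {print $3}' "/proc/$1/status"; }

# One-letter scheduler state: R, S, D, T (stopped), Z ...
proc_state() { awk '/^State:/ {print $2}' "/proc/$1/status"; }

# Walk the parent chain up to PID 1. A process that keeps coming back is
# being restarted by something above it (cron, init, a wrapper script, a
# second bot), and that supervisor is what has to be removed.
proc_ancestry() {
    pid=$1
    while [ "$pid" -gt 0 ]; do
        printf '%s\t%s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
        [ "$pid" -eq 1 ] && break
        pid=$(proc_ppid "$pid")
    done
}

# Copy the running binary out before it is killed or its file cleaned up,
# and make the copy read-only so it is not run by accident.
proc_preserve_exe() { cp "/proc/$1/exe" "$2" && chmod 0400 "$2"; }

# Freeze the process with SIGSTOP: it stops doing anything, keeps its
# memory and sockets, and can still be inspected through /proc.
proc_suspend() { kill -s STOP "$1"; }

# Decode a little-endian hex IPv4 address as printed in /proc/net/tcp
# ("0100007F" -> 127.0.0.1) and a hex port ("1A0B" -> 6667).
hex2ip() {
    printf '%d.%d.%d.%d' \
        "0x$(printf %s "$1" | cut -c7-8)" "0x$(printf %s "$1" | cut -c5-6)" \
        "0x$(printf %s "$1" | cut -c3-4)" "0x$(printf %s "$1" | cut -c1-2)"
}
hex2port() { printf '%d' "0x$1"; }

# Remote IPv4 TCP peers of the process: map its socket inodes to the
# rem_address column of /proc/net/tcp (IPv6 peers in /proc/net/tcp6 are
# not decoded here). A control channel such as an IRC server shows up here.
proc_tcp_peers() {
    for fd in /proc/"$1"/fd/*; do
        ino=$(readlink "$fd" 2>/dev/null | sed -n 's/^socket:\[\([0-9]*\)\]$/\1/p')
        [ -n "$ino" ] || continue
        awk -v ino="$ino" '$10 == ino {print $3}' /proc/net/tcp
    done | while IFS=: read -r hexip hexport; do
        printf '%s:%s\n' "$(hex2ip "$hexip")" "$(hex2port "$hexport")"
    done
}

# Full report for one PID (needs root or the same user as the process
# to read exe, cwd and fd).
proc_report() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    echo "exe:   $(proc_exe "$pid")"
    echo "cwd:   $(proc_cwd "$pid")"
    echo "euid:  $(proc_euid "$pid")"
    echo "state: $(proc_state "$pid")"
    echo "ancestry (pid<TAB>cmdline):"; proc_ancestry "$pid" | sed 's/^/  /'
    echo "tcp peers:";                  proc_tcp_peers "$pid" | sed 's/^/  /'
}

if [ -n "$1" ]; then proc_report "$1"; fi
```

Run it as root (`sh proc_inspect.sh 11377`), then `proc_preserve_exe 11377 /root/stealth.bin` and `proc_suspend 11377` before any cleanup; the suspended process keeps its sockets open, so the peer list and a packet capture stay meaningful while the parent shown in the ancestry list is examined.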