0

I am running an Ubuntu virtual machine that has a few sites installed on it. I think, due to my error and wrong permissions, malicious code was uploaded to the server and the "worm" had root access for a while before I deleted it. Now all looks fine apart from one thing: there is a process that gets started automatically, called `named`, and that process uses 100% of my CPU. I checked it in `top` and the path of the process is `./named -c named.conf`, which is relative to something, not sure what. The second thing I tried was to get the PID and check `/proc/[PID]/exe`, and it points to a non-existent file in root: `/root/named/named`. I presume that because there is no file at this path it gives a constant error and gets into some kind of loop.

Now I can stop the process, which is fine, but I can't find who or what starts the process, or where it is started from. I am afraid there are still some files left behind that I didn't clear.

Can anyone help investigate this issue or give some tips on where to look for the malicious code, or is there a way to block the process from starting completely on the server?

infinity
  • 183
  • 9
  • It's not a duplicate, as I am trying to debug/investigate the problem and remove the code that starts the process, and I am not after a complete restore of the system. – infinity Dec 27 '13 at 14:36
  • A complete restore or rebuild is the only safe way to recover from a root compromise. Don't just fix the problems you've noticed because there are almost certainly other problems that you *haven't* noticed. – Gordon Davisson Dec 27 '13 at 17:08
  • Hi, I'm facing this problem as well. How did you manage to fix it? – Jason Mar 10 '14 at 06:23
  • Hey @Jason, I was looking for a solution but the problems kept increasing, so in the end I had to reinstall Linux and migrate all of my stuff across. Really no solution. – infinity Mar 10 '14 at 09:48
  • I managed to fix this issue. In my case, my server was hacked and misused for bitcoin purposes by the hacker. WordPress was the root cause; just make sure you clear all your malware from WordPress and secure it by changing the folder permissions to root. – Jason Apr 18 '14 at 01:59
  • @Jason, could you give more details on how you investigated it? Seeing the same behaviour. – loder Apr 24 '14 at 15:32
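As an added example (not from the original question or its answers), a small POSIX shell triage helper for the situation described in the question: it reports whether a PID's executable has been removed from disk, which is what a dangling `/proc/[PID]/exe` link means, and walks the parent chain so that whatever launches the process (a cron job, an init script, a shell left behind) becomes visible. The function names are my own and it assumes a Linux procfs.

```shell
# proc_exe_state PID -> prints "missing" if the binary the process was started
# from no longer exists on disk (procfs appends " (deleted)" to the link target),
# "present" if it is still there, "unknown" if /proc gives no answer.
proc_exe_state() {
    target=$(readlink "/proc/$1/exe" 2>/dev/null) || { echo "unknown"; return 1; }
    case "$target" in
        *" (deleted)") echo "missing" ;;
        *)             echo "present" ;;
    esac
}

# proc_parent_chain PID -> prints "pid:comm" for the process and each ancestor
# up to init, so the launcher of a suspicious process can be identified.
proc_parent_chain() {
    pid=$1
    while [ "$pid" -gt 0 ] 2>/dev/null && [ -r "/proc/$pid/stat" ]; do
        # /proc/PID/stat is "pid (comm) state ppid ..."; comm may contain
        # spaces or parentheses, so split on the last ')' rather than on fields.
        stat=$(cat "/proc/$pid/stat")
        comm=${stat#*(}; comm=${comm%)*}
        rest=${stat##*) }
        ppid=$(printf '%s' "$rest" | awk '{print $2}')
        printf '%s:%s\n' "$pid" "$comm"
        [ "$pid" -eq 1 ] && break
        pid=$ppid
    done
}

# triage PID -> one-screen summary: exe link, its state, cwd (which resolves a
# relative path such as "./named"), full command line, and the ancestry.
triage() {
    pid=$1
    printf 'exe:     %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null)"
    printf 'state:   %s\n' "$(proc_exe_state "$pid")"
    printf 'cwd:     %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
    printf 'cmdline: %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    printf 'ancestry:\n'
    proc_parent_chain "$pid" | sed 's/^/  /'
}
```

Source the file and run `triage <PID>` against the PID shown by `top`; an ancestor that is `cron`, an init script or an interactive shell points at where to look next.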

1 Answer

4

Your machine is hosed, who knows what else is wrong. Reinstall from scratch and restore your data from backups.

Dennis Kaarsemaker
  • 18,793
  • 2
  • 43
  • 69
  • I've found the hole and that is fixed now; the only outstanding problem I have is this process that I want to resolve/block. So a complete restore from backup won't be needed in this case. – infinity Dec 27 '13 at 14:34
  • 4
    It had root access, you cannot possibly know what else it infected. A complete reinstall is the only way to be sure. – Dennis Kaarsemaker Dec 27 '13 at 14:38