How to deal with Debian servers infected with DDoS virus


I have 4 Debian servers which all got infected at exactly the same time, and somehow they send so much that the network gets stuck.

These servers aren't web servers and only SSH is installed. I checked the running processes and there is a process with a weird name that looks like a virus. It creates a line in crontab, and when I remove it, it creates itself again.

One weird thing is that all these 4 servers have the same user/pass and the SSH port is the default 22. Another server I have on the same VMware network, which has the same OS and is connected to those 4 servers, never has such an issue. Maybe I should mention that the password was a 5-character, easy one.

For now I have reinstalled Debian on them and changed the root password and also the SSH port.

I would really appreciate any suggestions.

user410929

Posted 2015-01-21T20:22:09.787

Reputation: 7
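The two weaknesses the poster describes, SSH logins that accept a short password on all four machines and a cron line that keeps reappearing, can both be checked with a short script. The one below is an added example and is not part of the original question or any answer; the sshd_config and crontab it reads are constructed samples (the /tmp path in the crontab is a placeholder, not a real sample), so it runs offline. On a real host, point the functions at /etc/ssh/sshd_config and /etc/crontab, and also at /etc/cron.d/* and /var/spool/cron/crontabs/*.

```shell
#!/bin/sh
# Added example, not from the original post. Audits sshd_config for settings
# that leave password guessing possible and counts cron entries whose command
# runs from a scratch directory. Sample inputs are constructed below.

# Effective value of an sshd_config directive: the last uncommented
# occurrence wins; if the directive is absent the caller's default applies.
# Directive names are case-insensitive in sshd, so match and compare lowercase.
sshd_directive() {
    conf=$1; name=$2; default=$3
    val=$(grep -i "^[[:space:]]*$name[[:space:]]" "$conf" | tail -n 1 \
          | awk '{print $2}' | tr 'A-Z' 'a-z')
    printf '%s\n' "${val:-$default}"
}

# Print one line per weak setting; exit status 1 if any was found.
# The defaults assumed here ("yes" for both) are those of OpenSSH 6.x,
# the version shipped with Debian wheezy.
audit_sshd_config() {
    conf=$1; weak=0
    if [ "$(sshd_directive "$conf" PasswordAuthentication yes)" = yes ]; then
        echo "weak: PasswordAuthentication yes (use keys and set it to no)"
        weak=1
    fi
    if [ "$(sshd_directive "$conf" PermitRootLogin yes)" = yes ]; then
        echo "weak: PermitRootLogin yes (set it to no)"
        weak=1
    fi
    return $weak
}

# Count cron lines (comments and blanks skipped) whose command lives in a
# world-writable or memory-backed directory, the usual home of a dropper that
# re-creates its own cron line. A heuristic only: review every match by hand.
count_suspicious_cron() {
    grep -vE '^[[:space:]]*(#|$)' "$1" | grep -cE '/tmp/|/var/tmp/|/dev/shm/' || true
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sshd_config resembling a stock wheezy install: the
# PasswordAuthentication line is commented out, so the default (yes) applies.
cat > "$SAMPLE_DIR/sshd_config.weak" <<'EOF'
Port 22
#PasswordAuthentication yes
PermitRootLogin yes
UsePAM yes
EOF

# Constructed hardened version.
cat > "$SAMPLE_DIR/sshd_config.hardened" <<'EOF'
Port 22
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
EOF

# Constructed crontab: one legitimate job plus one entry of the kind the
# poster saw. The /tmp path is a placeholder name, not a real indicator.
cat > "$SAMPLE_DIR/crontab.sample" <<'EOF'
# /etc/crontab: system-wide crontab
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/3 *   * * *   root    /tmp/.PLACEHOLDER_NAME >/dev/null 2>&1
EOF

for f in weak hardened; do
    echo "== sshd_config.$f"
    audit_sshd_config "$SAMPLE_DIR/sshd_config.$f" || true
done
echo "suspicious cron lines: $(count_suspicious_cron "$SAMPLE_DIR/crontab.sample")"
```

Changing the port, as the poster did, only reduces the noise from scanners; what actually closes the door used here is turning off password logins and root login over SSH, and the cron count is the quickest way to confirm whether the persistence entry has come back after a cleanup.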

Step 1: Remove the infected machines from the network – heavyd – 2015-01-21T20:25:16.287


Take down the servers immediately, and then read this post on serverfault in detail: http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server

– tlng05 – 2015-01-21T21:14:45.260

I posted an answer with some basics, but your question does not provide more details. Can you please add more details to your question such as what these servers do that might expose them to malware? Are they web servers or have any web-related functionality that would expose them to the world in a way that would invite infection? – JakeGould – 2015-01-21T21:40:36.660

So you are saying my server has definitely been hacked right? – user410929 – 2015-01-22T01:36:09.697

If you aren't sure, you should assume that it has been hacked until you can be certain that it was a false alarm. – tlng05 – 2015-01-22T17:08:42.987

Answers


My advice? Look in the /tmp/ directory and see if there is anything there that shouldn’t be there. 9 times out of 10, malware on Linux systems installs itself in /tmp/.

If you are unsure what should/shouldn’t be in /tmp/ there is an easy—but extreme—thing you can do to clear out the bad stuff. Just run this one-liner on the command line:

rm -rf /tmp && mkdir /tmp && chown root:root /tmp && chmod 1777 /tmp

Or run each command individually like this:

sudo rm -rf /tmp
sudo mkdir /tmp
sudo chown root:root /tmp
sudo chmod 1777 /tmp

Then reboot the server to see if that clears things up. If it does, congrats! But you are not out of the woods yet, since whatever caused the original infection can still penetrate your system, and it’s only a matter of time before they reinfect you again. Meaning, this cleans up the mess caused by a weakness in your system, but you need to find out what that weak point might be and harden it.

If your servers are infected, the infection had to come from somewhere. Since the bash Shellshock bug was discovered this past summer, chances are high that your machine was infected by an exploit against the server that took advantage of this bug. You can check by running this command from the command line:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If you are infected, it would return the following output:

vulnerable
hello

The hello is acceptable output. The vulnerable means the version of bash installed on the system is vulnerable to “Shellshock” exploits.

So now that we know this version of bash has a problem, let’s enter the following commands to install an upgrade of bash.

sudo apt-get update
sudo apt-get install --only-upgrade bash

Once that is all done, run this hack test again:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

And the output this time should only be hello, which means bash is now solid.

But all of that presumes that the bash exploit was the issue. If something else happened, something else would need to be done.

JakeGould

Posted 2015-01-21T20:22:09.787

Reputation: 38 217
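The answer's two checks, the Shellshock probe and the look through /tmp/, are easier to act on when they produce a verdict rather than output to eyeball. The script below is an added example and is not the answer author's code: it wraps the answer's own probe command in a function that prints "vulnerable" or "patched", and it scans a directory for executable or hidden files, which is what a human is really looking for in /tmp/. The directory scanned in the demo is a constructed temp dir so the run is deterministic; on a real host call scan_scratch_dir on /tmp, /var/tmp and /dev/shm.

```shell
#!/bin/sh
# Added example, not from the original answer. Turns the answer's two manual
# checks into functions with a clear result. The scanned directory below is a
# constructed sample.

# Shellshock probe exactly as given in the answer: an exported variable whose
# value is a function definition followed by trailing code. A vulnerable bash
# runs the trailing code while importing the environment, so "vulnerable"
# appears in the output. A patched bash may print a warning about the ignored
# definition on stderr, so stderr is discarded.
shellshock_status() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo hello' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# List regular files under DIR that are executable by their owner or whose
# name starts with a dot. Legitimate /tmp contents are usually neither, so
# each hit deserves a look (ls -l, file, and a check of the owning user).
scan_scratch_dir() {
    find "$1" -type f \( -perm -100 -o -name '.*' \) 2>/dev/null | sort
}

# Build a constructed scratch directory with one harmless file and three
# items a defender would want flagged: an executable, a dotfile, and an
# executable hidden one level down.
DEMO_DIR=$(mktemp -d)
printf 'just a log line\n' > "$DEMO_DIR/harmless.log"
printf '#!/bin/sh\necho demo\n' > "$DEMO_DIR/runme"
chmod 700 "$DEMO_DIR/runme"
printf 'placeholder\n' > "$DEMO_DIR/.hidden_payload"
mkdir "$DEMO_DIR/sub"
printf '#!/bin/sh\necho demo\n' > "$DEMO_DIR/sub/tool"
chmod 755 "$DEMO_DIR/sub/tool"

echo "bash: $(shellshock_status)"
echo "findings in $DEMO_DIR:"
scan_scratch_dir "$DEMO_DIR"
```

The probe answers only one question, whether this bash would accept a crafted environment; it says nothing about how the machines were actually entered. With SSH the only exposed service and a shared 5-character password, a brute-forced login leaves no Shellshock trace at all, and /var/log/auth.log is the place to look for the repeated failed and then successful logins that precede such an infection.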

Thanks guys, they are Debian 64-bit wheezy minimal with only SSH on them. They have scripts on them, with no web server installed. I noticed that 4 of my servers that have the same user/pass are exposed to the same malware, but the 5th one has a special password and has no issues. Right now I have changed the SSH port and assigned a special password to the machines. – user410929 – 2015-01-22T00:28:10.917

@user410929 You should not be adding that kind of info to a comment. Like I mentioned, you should add this to your original question so everybody can help you. If you don't do that, nobody can help you and the question will be closed. – JakeGould – 2015-01-22T00:29:50.877