Is /root/b26 a DDoS process?


I have found this process:

/root/b26

Here is a top:

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
20810 root      20   0  339m  808  360 S  100  0.0  27:39.95 b26

I have seen it use 100% CPU, and the name of the process isn't very descriptive so it looks like it might be a bad process.

I searched Google and I don't get much information on this process. But I did see that there was someone who said this process was doing DDoS attacks. My host has also reported to me that my server was sending outbound DDoS attacks. Could this be the process that is doing it?

Would this be the same for me? Should I remove it? If so how can I remove it?

Get Off My Lawn

Posted 2014-01-02T01:24:22.520


If your server IS sending outbound attacks, take it offline first! Please? – K.A.Monica – 2014-01-02T01:36:16.623

I have been told to do this: iptables -A OUTPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j DROP while this is happening so I have that. I was told it will stop the server from sending attacks until I figure it out, then I can drop it. – Get Off My Lawn – 2014-01-02T01:40:18.250

Answers


Trust your host to know an outbound DDoS when it sees one.

And yes, a quick WWW search turns up the script that is used to install this.

Your computer has had its superuser account compromised. The attacker has installed at least two other root-equivalent accounts into the password database, and possibly other back doors as well; and as your host has reported to you, your computer is now part of a botnet that sends DDoS attacks to third parties.

  • Shut your computer's network access off completely, right now. Don't muck around. Don't experiment. Turn it off.
  • Clean your computer. Wipe and reinstall from a trusted source for best results.
  • Use a new root password. Set it before you restore network access to your computer and after wiping. Don't use something bloody stupid, and for best results take advantage of whatever facilities you have to stop people remotely logging into your computer (at all, as a superuser or otherwise) in the first place.

Further reading

JdeBP

Posted 2014-01-02T01:24:22.520

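Two of the answer's claims can be checked from the console in a minute, before the network is cut and the box is wiped: extra UID 0 accounts in the password database, and the half-open outbound connections a connect()-based SYN flood leaves behind. The script below is an added example, not code from the original post or the answerer; it needs only a POSIX shell and awk. The passwd entries and the /proc/net/tcp rows it works on are constructed samples written to a temporary directory, so it runs offline; on a live host you would point the same functions at /etc/passwd and /proc/net/tcp.

```shell
#!/bin/sh
# Added example (not from the original page). Post-compromise checks that
# run against constructed sample files; substitute the real paths on a host.

# 1. Root-equivalent accounts: every passwd entry with UID 0 except "root".
#    Live usage: extra_uid0_accounts /etc/passwd
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# 2. Half-open outbound connections: rows of /proc/net/tcp whose state
#    field ($4) is 02, i.e. SYN_SENT. Hundreds of these from one process
#    is what a connect()-based SYN flood looks like from the inside.
#    Live usage: syn_sent_count /proc/net/tcp
syn_sent_count() {
    awk 'NR > 1 && $4 == "02" { n++ } END { print n + 0 }' "$1"
}

# 3. Who is being attacked: decode the remote end ($3, "HEXIP:HEXPORT") of
#    each SYN_SENT row. The kernel stores the IPv4 address little-endian,
#    so the bytes are reversed before printing.
#    Live usage: syn_sent_targets /proc/net/tcp | sort | uniq -c | sort -rn
syn_sent_targets() {
    awk 'NR > 1 && $4 == "02" { print $3 }' "$1" | while IFS= read -r hexaddr; do
        hexip=${hexaddr%%:*}
        hexport=${hexaddr##*:}
        b1=${hexip#??????}          # last byte in the string = first octet
        rest=${hexip%??}
        b2=${rest#????}
        rest2=${rest%??}
        b3=${rest2#??}
        b4=${rest2%??}              # first byte in the string = last octet
        printf '%d.%d.%d.%d:%d\n' \
            "$((0x$b1))" "$((0x$b2))" "$((0x$b3))" "$((0x$b4))" "$((0x$hexport))"
    done
}

# --- constructed sample input (assumed, not captured from the asker's box) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_TCP="$SAMPLE_DIR/tcp"

# Two planted UID 0 accounts, "toor" and "sysadm", alongside legitimate ones.
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0::/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sysadm:x:0:0::/:/bin/sh
EOF

# One listening socket (0A), one established (01), two SYN_SENT (02) to
# 203.0.113.10 (a documentation address), from local 10.0.2.15.
cat > "$SAMPLE_TCP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:0016 0100A8C0:D2A4 01 00000000:00000000 02:000A1B2C 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:C350 0A7100CB:0050 02 00000001:00000000 01:00000123 00000002     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:C351 0A7100CB:01BB 02 00000001:00000000 01:00000124 00000002     0        0 1004 1 0000000000000000 100 0 0 10 0
EOF

# Run the checks against the samples.
echo "extra UID 0 accounts:"; extra_uid0_accounts "$SAMPLE_PASSWD"
echo "SYN_SENT sockets: $(syn_sent_count "$SAMPLE_TCP")"
echo "targets:"; syn_sent_targets "$SAMPLE_TCP"
```

Record the output, plus `readlink /proc/20810/exe` and `cat /proc/20810/cmdline`, before pulling the cable; after the wipe that evidence is the only thing left to tell you what the binary was. On the rate-limit rule quoted in the question's comment: `-m limit` matches the packets that fit within the stated rate, so `-j DROP` on that match drops the first few SYNs each second and lets the rest of the flood through. The conventional construction is `-m limit ... -j ACCEPT` followed by an unconditional `-j DROP` for the remaining outbound SYNs. Either way it is a stopgap; the answer's advice to disconnect and reinstall stands.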

I turned off the VPS and created a new VPS and re-installed everything. – Get Off My Lawn – 2014-01-02T04:07:02.133