
Today I updated my web server on CentOS 6, and this is what I see in top:

 2593 root      20   0  196m 5228  212 S 730.6  0.1 484:18.06 wjeackglrl
 8648 bitrix    20   0  399m  85m 7580 R 42.5  2.2   0:23.72 php
 2184 mysql     20   0 2386m 1.0g 5820 S  9.6 26.5   6:24.16 mysqld
   13 root      20   0     0    0    0 S  2.3  0.0   0:40.89 ksoftirqd/2
   17 root      20   0     0    0    0 S  2.0  0.0   0:42.32 ksoftirqd/3
   21 root      20   0     0    0    0 S  2.0  0.0   0:42.08 ksoftirqd/4
   25 root      20   0     0    0    0 S  2.0  0.0   0:40.31 ksoftirqd/5
   29 root      20   0     0    0    0 S  2.0  0.0   0:39.51 ksoftirqd/6
    4 root      20   0     0    0    0 S  1.7  0.0   0:32.24 ksoftirqd/0
   33 root      20   0     0    0    0 S  1.7  0.0   0:34.97 ksoftirqd/7
    9 root      20   0     0    0    0 S  1.3  0.0   0:37.43 ksoftirqd/1
    1 root      20   0 19352 1536 1212 S  0.0  0.0   0:06.73 init
    2 root      20   0     0    0    0 S  0.0  0.0   0:00.00 kthreadd
    3 root      RT   0     0    0    0 S  0.0  0.0   0:00.13 migration/0
    5 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 stopper/0
    6 root      RT   0     0    0    0 S  0.0  0.0   0:00.08 watchdog/0
    7 root      RT   0     0    0    0 S  0.0  0.0   0:00.12 migration/1

The root process wjeackglrl is killing my system on the web server, and it is very, very slow. I killed the process, but the web server is still behaving badly. How do I look for this rootkit on the system?

Dima Vasiluk

1 Answer


In your place, I would re-image the whole thing.

Whatever it is has root, and could have done any number of things to try and persist on your server.

Since you mention this is on a webserver, you should probably consider any TLS certificates and their private keys compromised, and take the necessary steps to have them revoked.

If you have auditd in place, there may be some logs showing what could have been done, but again, given this has root, there may be questions about how reliable such logging would be.

If you were seriously considering investigating, ideally, you would make a copy of the whole disk, and if possible a memory dump. You could use something like sysdig and Falco to try and gain some insight without needing to dump anything, but the insight will possibly be limited (and again, the attacker has root, so could affect what you see).

But this would be for your satisfaction only, and (to me at least) would not change the fact you would need to re-install the whole system from scratch.

iwaseatenbyagrue
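As an added example (not part of the question or the answer above), the following Python script shows the kind of first-pass triage a defender can do with nothing more than the `top` output from the question: parse the process lines, score each one against a few crude heuristics (CPU above a full core, root-owned but not on an expected-process list, a random-looking name such as wjeackglrl), and, on a live Linux host, read what `/proc/<pid>` says about the process, including whether its binary was deleted from disk after it started. The `EXPECTED` allow-list and the thresholds are assumptions to be tuned per host; the sample `top` lines are the ones from the question plus one constructed `sshd` line for contrast. None of this replaces the answer's advice to image the disk and re-install; it only helps decide what to capture before doing so.

```python
"""Triage helper: score top(1) process lines and snapshot /proc entries for suspects."""
import os
import re

# Constructed sample: the top(1) lines quoted in the question, plus one
# benign sshd line added here for contrast.
SAMPLE_TOP = """\
 2593 root      20   0  196m 5228  212 S 730.6  0.1 484:18.06 wjeackglrl
 8648 bitrix    20   0  399m  85m 7580 R 42.5  2.2   0:23.72 php
 2184 mysql     20   0 2386m 1.0g 5820 S  9.6 26.5   6:24.16 mysqld
   13 root      20   0     0    0    0 S  2.3  0.0   0:40.89 ksoftirqd/2
    1 root      20   0 19352 1536 1212 S  0.0  0.0   0:06.73 init
 1422 root      20   0 66220 1220  520 S  0.0  0.0   0:00.10 sshd
"""

# Column layout of a stock CentOS 6 top: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
TOP_LINE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<pr>\S+)\s+(?P<ni>\S+)\s+"
    r"(?P<virt>\S+)\s+(?P<res>\S+)\s+(?P<shr>\S+)\s+(?P<state>[A-Z])\s+"
    r"(?P<cpu>\d+\.\d+)\s+(?P<mem>\d+\.\d+)\s+(?P<time>\S+)\s+(?P<cmd>\S.*?)\s*$"
)

# Hypothetical allow-list of process names expected on this web host; tune per system.
EXPECTED = {"init", "kthreadd", "mysqld", "php", "httpd", "nginx", "sshd", "crond"}
KERNEL_THREADS = re.compile(r"^(ksoftirqd|migration|watchdog|stopper|kworker|rcu_|events)")


def parse_top(text):
    """Return one dict per parsable process line; headers and blank lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = TOP_LINE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["pid"] = int(p["pid"])
        p["cpu"] = float(p["cpu"])
        p["mem"] = float(p["mem"])
        procs.append(p)
    return procs


def longest_consonant_run(name):
    """Length of the longest run of consonants; generated names like 'wjeackglrl' score high."""
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def suspicion_reasons(proc, cpu_threshold=100.0):
    """Crude triage heuristics: each returned string is one reason to look closer."""
    name = proc["cmd"]
    reasons = []
    if proc["cpu"] >= cpu_threshold:
        reasons.append("cpu %.1f%% (more than one full core busy)" % proc["cpu"])
    if name in EXPECTED or KERNEL_THREADS.match(name):
        return reasons
    if proc["user"] == "root":
        reasons.append("root-owned and not on the expected-process list")
    if longest_consonant_run(name) >= 5 or not any(c in "aeiouy" for c in name.lower()):
        reasons.append("random-looking name")
    return reasons


def triage(text, cpu_threshold=100.0):
    """Map pid -> reasons for every process that triggered at least one heuristic."""
    flagged = {}
    for p in parse_top(text):
        reasons = suspicion_reasons(p, cpu_threshold)
        if reasons:
            flagged[p["pid"]] = reasons
    return flagged


def proc_snapshot(pid, proc_root="/proc"):
    """On a live Linux host, record the exe link, cwd and argv of pid from /proc.

    An exe link ending in '(deleted)' means the binary was unlinked after it
    started, which is worth capturing (the running image is still readable via
    /proc/<pid>/exe). Returns {} where /proc is not available.
    """
    base = os.path.join(proc_root, str(pid))
    if not os.path.isdir(base):
        return {}
    snap = {}
    for link in ("exe", "cwd"):
        try:
            snap[link] = os.readlink(os.path.join(base, link))
        except OSError:
            snap[link] = None
    try:
        with open(os.path.join(base, "cmdline"), "rb") as fh:
            snap["argv"] = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    except OSError:
        snap["argv"] = []
    snap["exe_deleted"] = bool(snap["exe"]) and snap["exe"].endswith("(deleted)")
    return snap


def self_check():
    """Snapshot the interpreter's own process; used to exercise proc_snapshot safely."""
    return proc_snapshot(os.getpid())


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_TOP).items():
        print(pid, "->", "; ".join(reasons))
        print("   /proc view:", proc_snapshot(pid) or "not available on this host")
```

Run it on the saved output of `top -b -n 1` from the affected host; the flagged PIDs are the ones whose `/proc/<pid>` entries (exe, cwd, maps, fd/) you would want to copy off the box before re-imaging. The heuristics are deliberately simple and will both miss and over-flag things, which is why the answer's point stands: with root compromised, the triage only tells you what to preserve, not that the system is clean.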