
Context

I found out my Linux server was infected.

Symptoms were: 100% CPU usage when idle, slow download speed, and iptables rules that kept growing.

After finding the processes, killing them, and removing all the ways it had set up to restart itself, I'm back to a normal-looking server (no symptoms).

I used the instructions in this blog post (in Chinese) to clean the system.

In the process of cleaning the system, I was able to save the script used by the hacker. It is available here: https://gist.github.com/Colanim/0c7d71b90893a54c731de4e328585e9f

Question

I can't fully understand this virus script, but it seems bad enough (scanning the intranet? Downloading weird files from a weird domain? Modifying iptables secretly?). My question is: what should my next steps be?

I have data on this server I need to keep.

Is the virus very bad, so that I should just wipe everything? Is it OK to save the data and just do a clean Linux install? Or, if the virus is not that bad, can I keep my server in its current state? (The system seems clean, with no symptoms anymore.)

Should the passwords used on the server be considered leaked? Or is it fine because they are hashed anyway?

Astariul
  • This seems to be a question tailored for Windows, and the user doesn't have access to the virus source. Maybe knowing the virus source can help give a more precise estimate of what's infected or not? But yes, I got the idea: it's safer to nuke it from orbit. – Astariul Jul 22 '20 at 01:31
  • Indeed. Nuke it from orbit! Well, technically, figure out how the attackers got in, otherwise you will probably just get reinfected. Take it offline if possible, try to find the point of entry, plug the hole(s), nuke it from orbit, rebuild. Doing it the right way is not easy and - who knows - maybe it won't get reinfected if you just clean up what you see and leave it online. I just wouldn't count on it. – Conor Mancone Jul 22 '20 at 01:41
  • The only exception where you can avoid the "Nuke it from orbit!" approach is when you can track how you got the infection and follow & revert all the changes made by it. – Esa Jokinen Jul 22 '20 at 04:50
  • You might also want to read [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – MadHatter Jul 22 '20 at 05:34
  • Does this answer your question? [How do I deal with a compromised server?](https://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) This is actually the same post @MadHatter already linked, but from this SE. – Esa Jokinen Jul 22 '20 at 05:55

1 Answer

To add to the above comments:

> I used the instructions in this blog post (in Chinese) to clean the system.

Once your system gets compromised you can no longer trust it in any shape or form. The only surefire remedy is to wipe your drives entirely clean.

Also, the above links don't mention it, but nowadays, if we are talking about a personal PC/server, malware can infect the UEFI BIOS as well, so if I were you I'd reflash the BIOS too. If your device is some shared virtual server, then simply destroy it and create a new instance.

Artem S. Tashkinov