www-data user process named ./stealth consumes 90+% cpu
Any help on how to investigate this would be much appreciated!
Best,
Tim
2 Replies
EugeneKay>: Ubuntu Forums suggest it's a standard issue combination keylogger, irc bot, DDoS client, all that jazz.
@heckman>: It compromises ALL THE THINGS
@AviMarcus:
> On IRC:
> EugeneKay>: Ubuntu Forums suggest it's a standard issue combination keylogger, irc bot, DDoS client, all that jazz.
> @heckman>: It compromises ALL THE THINGS
Running this command may help you track it down:
ps auxf
However, you should consider this Linode compromised and that it's no longer safe to store any data or use it for anything. Your best option is to back up your data and redeploy.
One way to do this would be to shrink your disk images and deploy a new distro alongside. You can then copy the files over and delete the old disk image.
I would also recommend trying to determine how the compromise happened in the process of moving data to prevent it from happening again.
-Tim
Edit: Make sure you only copy over files that you know were not the root of the problem. Here's more conversation from IRC:
> Dec29 18:31:18 < EugeneKay> The forum post I read traced it down to something called Zen
> Dec29 18:31:29 < rnowak> the shopping cart?
> Dec29 18:31:29 < EugeneKay> Which is any of a dozen PHP packages
> Dec29 18:31:40 < EugeneKay> Didn't say.
> Dec29 18:31:46 < EugeneKay> But probably
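As an added example (not from the thread or from Linode), here is a small triage script in the spirit of the `ps auxf` suggestion above: it flags web-server-user processes that burn CPU, were launched from a relative path like `./stealth`, or live in a world-writable directory, and then pulls the facts a responder wants about one PID out of /proc (real binary, working directory, parent chain). The function names, the `WEB_USER` and `CPU_THRESHOLD` settings and the sample `ps` output are assumptions constructed for the example.

```shell
# Added triage helpers (not from the thread). Function names, WEB_USER and the
# CPU threshold are assumptions; the sample ps output below is constructed.
WEB_USER="${WEB_USER:-www-data}"
CPU_THRESHOLD="${CPU_THRESHOLD:-80}"

# Reads `ps aux` / `ps auxf` output on stdin and prints "PID reasons COMMAND" for
# WEB_USER processes with high CPU, a relative-path binary, or a tmp-dir binary.
flag_suspicious() {
    awk -v user="$WEB_USER" -v cpu="$CPU_THRESHOLD" '
        NR == 1 { next }                       # header line
        $1 != user { next }                    # only the web server user
        {
            pcpu = $3 + 0
            cmd = $11; for (i = 12; i <= NF; i++) cmd = cmd " " $i
            sub(/^[ \\|_]+/, "", cmd)          # drop the \_ tree drawing of ps -f
            reason = ""
            if (pcpu >= cpu)                        reason = reason "high-cpu,"
            if (cmd ~ "^\\./")                      reason = reason "relative-path,"
            if (cmd ~ "^(/tmp|/var/tmp|/dev/shm)/") reason = reason "tmp-dir,"
            if (reason != "") { sub(/,$/, "", reason); print $2, reason, cmd }
        }'
}

# For one PID: real binary (readlink shows "(deleted)" if it was removed after
# launch), working directory, full command line, and parent chain back to PID 1.
triage_pid() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no /proc entry for $pid" >&2; return 1; }
    echo "exe: $(readlink "/proc/$pid/exe" 2>/dev/null || echo '<unreadable>')"
    echo "cwd: $(readlink "/proc/$pid/cwd" 2>/dev/null || echo '<unreadable>')"
    echo "cmd: $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    printf 'tree: '
    while [ -n "$pid" ] && [ "$pid" -gt 1 ]; do
        printf '%s <- ' "$pid"
        pid=$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)
    done
    echo 1
}

# Constructed sample resembling the situation in the thread (not real data).
SAMPLE='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  24000  2000 ?        Ss   Dec29   0:01 /sbin/init
www-data  1842  0.0  0.5 300000 12000 ?        S    Dec29   0:00  \_ /usr/sbin/apache2 -k start
www-data  2210 93.7  0.3  12000  3000 ?        R    Dec29  41:12 ./stealth
www-data  2214  0.0  0.0   4000   800 ?        S    Dec29   0:00 /tmp/.x/run
tim       2400  1.2  0.2  20000  4000 pts/0    S+   18:30   0:00 -bash'

printf '%s\n' "$SAMPLE" | flag_suspicious
triage_pid "$$" || echo "(/proc not available on this system)"
```

On a live host, replace the sample with `ps auxf | flag_suspicious` and pass each flagged PID to `triage_pid`; a `cwd` under the web root or a `(deleted)` binary tells you where to look for the dropper.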