Thanks for sharing TS, that's good information about some bad stuff.

Jeremiah Bess

On Wed, May 20, 2020 at 7:22 AM T S <[email protected]> wrote:

> I am afraid that is not your biggest problem.
>
> Take a look at
> https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
>
> All those processes from your ps show that your server was infected. I
> have just cleaned mine; the same issue, and doubling ps output was one of
> the effects. As for PS, you will have to reinstall it
> (apt-get install --reinstall procps)
> but you need to clean up a lot - every script that is mentioned in your ps
> output, cron, rcX.d, init.d, sysctl.d
>
> After a month you have probably noticed that, but just in case someone else
> needs it
>
> On Wednesday, 22 April 2020 18:53:28 UTC+2, user Humberto Blanco
> Castillo wrote:
>>
>> @daniel, this is the output
>>
>> [user@repositorio /]# which ps
>> /usr/bin/ps
>>
>> [user@repositorio /]# typeset -f ps
>> ps ()
>> {
>>     proc_name=$(/bin/ps $@);
>>     proc_name=$(echo "$proc_name" | sed -e '/linux_amd64/d');
>>     proc_name=$(echo "$proc_name" | sed -e '/linux_kill/d');
>>     proc_name=$(echo "$proc_name" | sed -e '/linux.service/d');
>>     proc_name=$(echo "$proc_name" | sed -e '/System.img.config/d');
>>     proc_name=$(echo "$proc_name" | sed -e '/linux.sh/d');
>>     proc_name=$(echo "$proc_name" | sed -e '/32679/d');
>>     proc_name=$(echo "$proc_name" | sed -e '/41414/d');
>>     proc_name=$(echo "$proc_name" | sed -e '/.img/d');
>>     proc_name=$(echo "$proc_name" | sed -e '/libdlrpcld.so/d');
>>     proc_name=$(echo "$proc_name" | sed -e '/id.services.conf/d');
>>     proc_name=$(echo "$proc_name" | sed -e '/system-monitor/d');
>>     proc_name=$(echo "$proc_name" | sed -e '/ifconfig.conf/d');
>>     proc_name=$(echo "$proc_name" | sed -e '/sleep/d');
>>     proc_name=$(echo "$proc_name" | sed -e '/seeintlog/d');
>>     proc_name=$(echo "$proc_name" | sed -e '/bash_config/d');
>>     echo "$proc_name"
>> }
>>
>>
>> [user@repositorio /]# alias
>> alias cp='cp -i'
>> alias egrep='egrep --color=auto'
>> alias fgrep='fgrep --color=auto'
>> alias grep='grep --color=auto'
>> alias l.='ls -d .* --color=auto'
>> alias ll='ls -l --color=auto'
>> alias ls='ls --color=auto'
>> alias mv='mv -i'
>> alias rm='rm -i'
>> alias which='alias | /usr/bin/which --tty-only --read-alias --show-dot --show-tilde'
>>
>> --
> --
> You received this message because you are subscribed to the Linux Users
> Group.
> To post a message, send email to [email protected]
> To unsubscribe, send email to [email protected]
> For more options, visit our group at
> http://groups.google.com/group/linuxusersgroup
> References can be found at: http://goo.gl/anqri
> Please remember to abide by our list rules (http://tinyurl.com/LUG-Rules)
> ---
> You received this message because you are subscribed to the Google Groups
> "Linux Users Group" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/linuxusersgroup/c89e30ed-9afd-4cdf-8477-62c14dee2532%40googlegroups.com
> <https://groups.google.com/d/msgid/linuxusersgroup/c89e30ed-9afd-4cdf-8477-62c14dee2532%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
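
An added example, not part of the original messages: three triage helpers for the situation shown in the thread, where `ps` resolves to a shell function that filters the real listing. The function names and the file names in the comments are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Source it into the shell being inspected
# (". ./ps_triage.sh", a hypothetical file name) so that shell's own functions
# and aliases are what gets checked.

# Print NAME<TAB>resolution for every NAME that does not resolve to a file on
# disk. Pass external utilities only (ps, ls, netstat ...): a shell builtin
# such as echo would be listed too.
shadowed_cmds() {
    for name in "$@"; do
        resolved=$(command -v "$name" 2>/dev/null) || continue   # not installed
        case $resolved in
            /*) ;;                                       # ordinary executable
            *)  printf '%s\t%s\n' "$name" "$resolved" ;; # function or alias
        esac
    done
}

# Read a function body on stdin (e.g. "typeset -f ps") and print the pattern of
# every "sed -e '/PATTERN/d'" filter: the names the wrapper is trying to hide.
hidden_patterns() {
    sed -n "s|.*sed -e '/\(.*\)/d'.*|\1|p"
}

# Print PID<TAB>comm<TAB>cmdline for each process directory under a procfs root
# (default /proc) without running ps, so a wrapped or replaced ps cannot filter it.
proc_list() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        args=$( { tr '\0' ' ' < "$dir/cmdline"; } 2>/dev/null )
        printf '%s\t%s\t%s\n' "${dir##*/}" "$(cat "$dir/comm" 2>/dev/null)" "$args"
    done
}

# Typical use in bash, once sourced:
#   shadowed_cmds ps ls netstat ss top lsof
#   typeset -f ps | hidden_patterns > /tmp/hidden.txt
#   proc_list | grep -F -f /tmp/hidden.txt
```

Patterns such as `sleep` or `.img` also match legitimate processes, so matches from the last command are leads to inspect rather than verdicts.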
