| === StoneTable is now known as aisrael | ||
| === ohsix_ is now known as ohsix | ||
| === neunon_ is now known as neunon | ||
| === Ursinha_ is now known as Ursinha | ||
| === DalekSec_ is now known as DalekSec | ||
| === rsampaio__ is now known as rsampaio_ | ||
| === lfaraone_ is now known as lfaraone | ||
| === henrix_ is now known as henrix | ||
| === stgraber_ is now known as stgraber | ||
| SamSpaces | Hi all, I've noticed a process called Rpigdnos. It returns after killing and deletion from /bin. Any ideas what that is? | 15:36 |
|---|---|---|
| TJ- | SamSpaces: is this a publicly available system? | 15:42 |
| TJ- | SamSpaces: check its parent process; anaylse *all* running processes and exectuable paths; some other process may be restarting it as a randomly named process. The name doesn't match any file in the archives, so it is likely some form or malicious process, possibly part of a root-kit exploit | 15:44 |
| SamSpaces | Thanks for the reply. It's a digitalocean server. I've rebooted with firewall now, checking if it's still there. | 15:45 |
| SamSpaces | Hm, yes, still active | 15:45 |
| SamSpaces | it takes up 100% cpu too | 15:46 |
| SamSpaces | parent process is /sbin/init | 15:48 |
| SamSpaces | Oh sorry, it's not a server, it's a droplet. | 15:49 |
| SamSpaces | Ok, Rpigdnos is as malicious program probably, no references what so ever, so to anyone who wants the scoop, now is your chance :) | 16:10 |
| === Elimin8r is now known as Elimin8er | ||
| TJ- | SamSpaces: found out anything more about it? | 16:43 |
| SamSpaces | I've managed to clear my system of it. I created another older droplet, copied the /sbin/init to the infected droplet, removed the init file, deleted the program in /bin, overwrote /sbin/init with the clean version and rebooted. | 16:54 |
| TJ- | SamSpaces: you should investigate how it got itself installed and launched, that sounds like an init system compromise | 16:55 |
| SamSpaces | I mess around a lot with crypto currency wallets. I know I shouldn't run them as root, so, that's a bit dumb, I know. But the culprit is most likely a crypto wallet. | 16:56 |
| === ParsectiX_ is now known as ParsectiX | ||
| Guest58677 | wats +5519994589853 hacking | 17:10 |
| === yofel_ is now known as yofel | ||
| JanC | seems like SamSpaces is not the only one: http://webcache.googleusercontent.com/search?q=cache:RqrdyvB6TTwJ:https://forums.aws.amazon.com/thread.jspa?threadID%3D219865 | 20:23 |
| JanC | and "Rpigdnos" might not be too random... | 20:25 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!