=== StoneTable is now known as aisrael
=== ohsix_ is now known as ohsix
=== neunon_ is now known as neunon
=== Ursinha_ is now known as Ursinha
=== DalekSec_ is now known as DalekSec
=== rsampaio__ is now known as rsampaio_
=== lfaraone_ is now known as lfaraone
=== henrix_ is now known as henrix
=== stgraber_ is now known as stgraber
SamSpacesHi all, I've noticed a process called Rpigdnos. It returns after killing and deletion from /bin. Any ideas what that is?15:36
TJ-SamSpaces: is this a publicly available system?15:42
TJ-SamSpaces: check its parent process;  anaylse *all* running processes and exectuable paths; some other process may be restarting it as a randomly named process. The name doesn't match any file in the archives, so it is likely some form or malicious process, possibly part of a root-kit exploit15:44
SamSpacesThanks for the reply. It's a digitalocean server. I've rebooted with firewall now, checking if it's still there.15:45
SamSpacesHm, yes, still active15:45
SamSpacesit takes up 100% cpu too15:46
SamSpacesparent process is /sbin/init15:48
SamSpacesOh sorry, it's not a server, it's a droplet.15:49
SamSpacesOk, Rpigdnos is as malicious program probably, no references what so ever, so to anyone who wants the scoop, now is your chance :)16:10
=== Elimin8r is now known as Elimin8er
TJ-SamSpaces: found out anything more about it?16:43
SamSpacesI've managed to clear my system of it. I created another older droplet, copied the /sbin/init to the infected droplet, removed the init file, deleted the program in /bin, overwrote /sbin/init with the clean version and rebooted.16:54
TJ-SamSpaces: you should  investigate how it got itself installed and launched, that sounds like an init system compromise16:55
SamSpacesI mess around a lot with crypto currency wallets. I know I shouldn't run them as root, so, that's a bit dumb, I know. But the culprit is most likely a crypto wallet.16:56
=== ParsectiX_ is now known as ParsectiX
Guest58677 wats +5519994589853 hacking17:10
=== yofel_ is now known as yofel
JanCseems like SamSpaces is not the only one: http://webcache.googleusercontent.com/search?q=cache:RqrdyvB6TTwJ:https://forums.aws.amazon.com/thread.jspa?threadID%3D21986520:23
JanCand "Rpigdnos" might not be too random...20:25

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!