=== StoneTable is now known as aisrael
=== ohsix_ is now known as ohsix
=== neunon_ is now known as neunon
=== Ursinha_ is now known as Ursinha
=== DalekSec_ is now known as DalekSec
=== rsampaio__ is now known as rsampaio_
=== lfaraone_ is now known as lfaraone
=== henrix_ is now known as henrix
=== stgraber_ is now known as stgraber
SamSpaces | Hi all, I've noticed a process called Rpigdnos. It returns after killing and deletion from /bin. Any ideas what that is? | 15:36 |
TJ- | SamSpaces: is this a publicly available system? | 15:42 |
TJ- | SamSpaces: check its parent process; analyse *all* running processes and executable paths; some other process may be restarting it as a randomly named process. The name doesn't match any file in the archives, so it is likely some form of malicious process, possibly part of a root-kit exploit | 15:44 |
SamSpaces | Thanks for the reply. It's a digitalocean server. I've rebooted with firewall now, checking if it's still there. | 15:45 |
SamSpaces | Hm, yes, still active | 15:45 |
SamSpaces | it takes up 100% cpu too | 15:46 |
SamSpaces | parent process is /sbin/init | 15:48 |
SamSpaces | Oh sorry, it's not a server, it's a droplet. | 15:49 |
SamSpaces | Ok, Rpigdnos is a malicious program probably, no references whatsoever, so to anyone who wants the scoop, now is your chance :) | 16:10 |
=== Elimin8r is now known as Elimin8er
TJ- | SamSpaces: found out anything more about it? | 16:43 |
SamSpaces | I've managed to clear my system of it. I created another older droplet, copied the /sbin/init to the infected droplet, removed the init file, deleted the program in /bin, overwrote /sbin/init with the clean version and rebooted. | 16:54 |
TJ- | SamSpaces: you should investigate how it got itself installed and launched, that sounds like an init system compromise | 16:55 |
SamSpaces | I mess around a lot with crypto currency wallets. I know I shouldn't run them as root, so, that's a bit dumb, I know. But the culprit is most likely a crypto wallet. | 16:56 |
=== ParsectiX_ is now known as ParsectiX
Guest58677 | wats +5519994589853 hacking | 17:10 |
=== yofel_ is now known as yofel
JanC | seems like SamSpaces is not the only one: http://webcache.googleusercontent.com/search?q=cache:RqrdyvB6TTwJ:https://forums.aws.amazon.com/thread.jspa?threadID%3D219865 | 20:23 |
JanC | and "Rpigdnos" might not be too random... | 20:25 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!