[15:36] <SamSpaces> Hi all, I've noticed a process called Rpigdnos. It returns after killing and deletion from /bin. Any ideas what that is?
[15:42] <TJ-> SamSpaces: is this a publicly available system?
[15:44] <TJ-> SamSpaces: check its parent process; analyse *all* running processes and executable paths; some other process may be restarting it as a randomly named process. The name doesn't match any file in the archives, so it is likely some form of malicious process, possibly part of a root-kit exploit
[15:45] <SamSpaces> Thanks for the reply. It's a digitalocean server. I've rebooted with firewall now, checking if it's still there.
[15:45] <SamSpaces> Hm, yes, still active
[15:46] <SamSpaces> it takes up 100% cpu too
[15:48] <SamSpaces> parent process is /sbin/init
[15:49] <SamSpaces> Oh sorry, it's not a server, it's a droplet.
[16:10] <SamSpaces> Ok, Rpigdnos is a malicious program, probably, no references whatsoever, so to anyone who wants the scoop, now is your chance :)
[16:43] <TJ-> SamSpaces: found out anything more about it?
[16:54] <SamSpaces> I've managed to clear my system of it. I created another older droplet, copied the /sbin/init to the infected droplet, removed the init file, deleted the program in /bin, overwrote /sbin/init with the clean version and rebooted.
[16:55] <TJ-> SamSpaces: you should investigate how it got itself installed and launched, that sounds like an init system compromise
[16:56] <SamSpaces> I mess around a lot with crypto currency wallets. I know I shouldn't run them as root, so, that's a bit dumb, I know. But the culprit is most likely a crypto wallet.
[20:23] <JanC> seems like SamSpaces is not the only one: http://webcache.googleusercontent.com/search?q=cache:RqrdyvB6TTwJ:https://forums.aws.amazon.com/thread.jspa?threadID%3D219865
[20:25] <JanC> and "Rpigdnos" might not be too random...