2

My Linux server was hacked, and now there is a file in the root directory that generates big traffic. When I kill this process it autostarts itself again. Then I did chmod -x, but it got the x option back. There is no crontab job. I have installed auditd to check what is going on, but I cannot find how it autostarts itself. Maybe some other processes (daemons) work there to autostart it. How can I trace the daemons' activity that starts this process?

Thanks.

Comments:
  • Take the machine offline, i.e. unplug the network cable, shut it down, boot from a live medium and make an image of it. Or, if you're able to, image it while running. You can do the forensics later using the appropriate tools; some time ago there were things like tct and co... Commented Sep 12, 2014 at 19:56
  • I wrote a little bash script that kills this process every 5 seconds. It works in cron. Can you tell me which tools to use? Commented Sep 12, 2014 at 20:40
  • I'd go with DEFT: www.deftlinux.net Commented Sep 12, 2014 at 20:53
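The question asks how to find which daemon keeps restarting the process. The shell script below is an added example and is not part of the question or either answer. It shows two defender-side checks: walking the parent chain of a running PID through /proc (a respawned process normally still reveals its parent, be it cron, an init script, another daemon or a shell loop), and parsing auditd SYSCALL records produced by a file watch so that the parent PID of every execution of the watched file is listed. The path /root/badfile, the audit key badfile_exec and the audit records in SAMPLE_AUDIT are constructed placeholders, not values from the original post.

```shell
#!/bin/sh
# Added example (not from the original question or answers).
# Requires Linux /proc; auditd commands shown in comments are the stock ones.

# parent_chain PID
# Prints "pid:comm" for PID and each ancestor up to PID 1, using field 4
# (ppid) of /proc/<pid>/stat. The comm field is in parentheses and may
# contain spaces, so the text up to the last ") " is stripped first.
parent_chain() {
    pid="$1"
    chain=""
    while [ "$pid" -gt 0 ] && [ -r "/proc/$pid/stat" ]; do
        rest=$(sed 's/.*) //' "/proc/$pid/stat")          # fields after comm
        ppid=$(echo "$rest" | awk '{print $2}')            # state, ppid, ...
        comm=$(sed 's/^[0-9]* (\(.*\)) .*$/\1/' "/proc/$pid/stat")
        chain="${chain}${pid}:${comm} "
        pid="$ppid"
    done
    printf '%s\n' "$chain"
}

# audit_exec_parents KEY
# Reads auditd records on stdin and prints "ppid pid exe" for each SYSCALL
# record tagged with KEY. Such records come from a watch like
#   auditctl -w /root/badfile -p x -k badfile_exec      # (placeholder path/key)
# and can be dumped with
#   ausearch -k badfile_exec
# The ppid column is the process to inspect next (e.g. with parent_chain).
audit_exec_parents() {
    awk -v want="$1" '
        /^type=SYSCALL/ {
            ppid = ""; pid = ""; exe = ""; k = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "ppid") ppid = kv[2]
                else if (kv[1] == "pid") pid = kv[2]
                else if (kv[1] == "exe") exe = kv[2]
                else if (kv[1] == "key") k = kv[2]
            }
            gsub(/"/, "", exe); gsub(/"/, "", k)
            if (k == want) print ppid, pid, exe
        }'
}

# Constructed sample audit records (not real log output): two executions of
# the watched file, one started by PID 1 and one by PID 2900, plus an
# unrelated record without the key.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1410552000.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2810 auid=4294967295 uid=0 gid=0 euid=0 comm="badfile" exe="/root/badfile" key="badfile_exec"
type=SYSCALL msg=audit(1410552005.456:457): arch=c000003e syscall=59 success=yes exit=0 ppid=2900 pid=2911 auid=0 uid=0 gid=0 euid=0 comm="badfile" exe="/root/badfile" key="badfile_exec"
type=SYSCALL msg=audit(1410552006.001:458): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2950 auid=0 uid=0 comm="ls" exe="/bin/ls" key=(null)'

# Stand-alone demo: who started this shell, and who started the watched file.
parent_chain "$$"
printf '%s\n' "$SAMPLE_AUDIT" | audit_exec_parents badfile_exec
```

In the sample, the first execution has ppid=1, which is the pattern seen when a systemd/SysV service or a double-forked daemon spawns it; the second has ppid=2900, so running parent_chain on 2900 (while it is still alive) shows the chain back to whatever daemon or cron entry is responsible. Since the question mentions that chmod -x was reverted, adding a second watch with -p wa on the file would log the process that changes its permissions in the same way.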

2 Answers

3

If your server is hacked, do not use it in its current state. Back up your data and then set up a new, hardened server and set up your environment. Be cautious while backing up, because you may back up malware too and set it up on the new server; there may be a lot of harmful applications on your server even if you solve this single problem.

1

Take the machine offline, i.e. unplug the network cable, shut it down, boot from a live medium and make an image of it. Or, if you're able to, image it while running. You can do the forensics later using the appropriate tools; I'd go with DEFT: www.deftlinux.net
