
I have a server box I use to host various web applications and game servers for friends. I recently connected to it to check how it was running, and discovered a program "Opera" trying to use over 3000% of my CPU according to top. I tried to kill it with pkill Opera and pkill <pid>, then used killall to do the same, which worked initially, but the Opera program came back within a minute or so. I checked through all of my system services and cron jobs and can't find any mention of "Opera" anywhere, and trying to run the command manually ("Opera", not "opera" like the browser) just prompts me to install the Opera browser from snap. top only informed me that Opera was somehow located at ./Opera. I eventually tracked down the executable by following the symlink in /proc/ and found it in /var/tmp inside a "Documents" folder with some other odd files (a config.json, and several hidden files with strange names and no extensions). The picture I've included does not have the Opera file, as I deleted it.

The /var/tmp/Documents folder without the Opera executable

Deleting the executable seems to have fixed the problem, but I still have no idea what caused it, what the Opera executable is, what it was doing, or why it was executing from the /var/tmp folder. I mainly want to know if this is a known virus or trojan, and whether I should purge the user it's executing from.

Editing this because I forgot to add my system info. My operating system is Ubuntu 22.04.4 LTS and I use bash as my kernel. My kernel version is Linux 5.15.0-116-generic.

Any help is appreciated, thanks!
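The technique the poster used to find the binary, following the /proc/<pid>/exe symlink, can be turned into a quick triage check: list every running process whose executable resolves into a scratch directory such as /var/tmp, /tmp or /dev/shm, where a legitimate long-running service almost never lives. The script below is an added example written for this thread, not code from the poster or from any tool mentioned on the page. It assumes a POSIX sh with readlink, that it is run as root so every exe link is readable, and that a proc root other than /proc (a constructed directory of fake symlinks) may be passed in for testing.

```shell
#!/bin/sh
# Added example (not from the original post): report processes whose
# executable lives under a world-writable scratch directory.

# Directories from which a legitimate service rarely executes.
SUSPECT_DIRS="/tmp /var/tmp /dev/shm"

# in_suspect_dir PATH -> exit status 0 if PATH is under one of SUSPECT_DIRS
in_suspect_dir() {
    p=$1
    for d in $SUSPECT_DIRS; do
        case "$p" in
            "$d"/*) return 0 ;;
        esac
    done
    return 1
}

# scan_proc [PROC_ROOT] -> prints "<pid> <exe path>" for each process whose
# PROC_ROOT/<pid>/exe link points under a suspect directory.
# Exit status 0 if at least one such process was found, 1 otherwise.
# PROC_ROOT defaults to /proc; a fake tree of symlinks can be passed for tests.
scan_proc() {
    root=${1:-/proc}
    found=1
    for entry in "$root"/[0-9]*; do
        [ -d "$entry" ] || continue
        pid=${entry##*/}
        # readlink prints the link target even when the binary was deleted,
        # which is exactly the case in the question (exe pointed at ./Opera).
        exe=$(readlink "$entry/exe" 2>/dev/null) || continue
        # A removed binary shows up as "/path (deleted)"; strip that suffix
        # so the directory check still matches.
        exe=${exe%" (deleted)"}
        if in_suspect_dir "$exe"; then
            printf '%s %s\n' "$pid" "$exe"
            found=0
        fi
    done
    return $found
}

# Usage: sudo sh scan.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_proc || echo "no processes executing from scratch directories"
fi
```

Because the check reads the kernel's own exe link rather than the process name shown by top, it is not fooled by a binary that calls itself "Opera" or by one that has already been unlinked from disk; the "(deleted)" suffix is the tell-tale that the file was removed while the process kept running, which is the state the poster reached after deleting the executable but before the process was killed.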

  • The behavior and the name of one of the dotfiles you found (a "leetspeak" spelling of "Bandito") lead me to believe that it is possible your host has been compromised. As an aside, bash is not a kernel. Commented Jul 25, 2024 at 23:08
  • Try to use ps aux to find the PID, then use kill -9 <PID>, which prevents the process from restarting. Commented Jul 25, 2024 at 23:22
  • @DopeGhoti Thanks for the advice, yeah, bash is a shell, I mistyped. Commented Jul 26, 2024 at 18:45
  • @gorgo I'll do that, thanks! I didn't know about that flag. Commented Jul 26, 2024 at 18:49

1 Answer

According to https://www.cadosecurity.com/blog/tracking-diicot-an-emerging-romanian-threat-actor, the file .b4nd1d0 is created by a crypto-mining malware named diicot. Perhaps that is the reason that this process is consuming all your CPU. I would recommend installing an antivirus or reinstalling the operating system ASAP.

Definitely purge the user, and delete .b4nd1d0, then reboot. Let us know how you fare...

  • Deleting the Opera executable seems to have fixed the issue currently, and it does not seem to have any way of reinstalling itself. This is the only server on my system and the only server showing any signs of infection. I'm looking into this more. I've locked the user it's executing from and am in the process of backing everything up. I think I caught and deleted it early enough that it broke, thankfully, but I'm going to purge that user and install an antivirus. Do you recommend any for Linux? Commented Jul 26, 2024 at 18:49
  • Getting an antivirus for Linux is often tough. Because Linux is (a) not really used by the majority of consumers and (b) fairly secure on its own, most Linux anti-viruses are geared towards businesses, and the price reflects that. I'd recommend taking a look at BitDefender; they are the company that discovered this virus and have some pretty affordable options. Otherwise, you can take a look at the various open source offerings, but I wouldn't recommend them. Commented Jul 26, 2024 at 20:18
  • If you can get everything backed up, I would strongly recommend reinstalling the entire server from scratch. It is a hassle but is worth it. Also update the OS. Commented Jul 26, 2024 at 20:19
  • Thanks! I'll look into them. So far so good on the malware front; the user is completely gone and, from the research I have done (mostly according to your link), the traces I know of are gone. I think I'm going to reinstall the operating system just to be safe. Thanks so much for your help! Commented Jul 26, 2024 at 20:24
  • You have chosen your path wisely. Once a system has been compromised, the only way to truly get close to certainty that it is no longer so is to reinstall the OS. Commented Jul 26, 2024 at 23:02
