Recently, I received a call from one of my client regarding the slowness(almost not responsive) of their linux server(running CentOS) and rapid increase in their network traffic.  Fortunately this is due to one of the their lab servers and they did not incur any production outages.

Here is the  output of the top command on this server:

[jtabs

size=”normal”

theme=”overcast”

width=”500″ — custom width, in pixels ] top command – text::
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1252 root 20 0 66.0g 2.9g 380 S 725.2 38.0 11935:13 .sshdd141199598
2025 root 20 0 423m 1760 0 S 3.2 0.0 0:39.98 gdmorpen
14295 root 20 0 107m 1180 964 R 0.5 0.0 0:00.03 ps
14297 root 20 0 107m 1180 964 R 0.5 0.0 0:00.03 ps
8316 root 20 0 4085m 32m 204 S 0.3 0.4 3:49.86 .sshhdd14119186
8318 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.47 .sshhdd14119186
8319 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.27 .sshhdd14119186
8321 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.11 .sshhdd14119186
8338 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.67 .sshhdd14119186
8339 root 20 0 4085m 32m 204 S 0.3 0.4 3:49.67 .sshhdd14119186
8341 root 20 0 4085m 32m 204 S 0.3 0.4 3:49.86 .sshhdd14119186
8345 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.10 .sshhdd14119186
8360 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.59 .sshhdd14119186
8364 root 20 0 4085m 32m 204 S 0.3 0.4 3:49.95 .sshhdd14119186
8371 root 20 0 4085m 32m 204 S 0.3 0.4 3:49.94 .sshhdd14119186
8380 root 20 0 4085m 32m 204 S 0.3 0.4 3:50.65 .sshhdd14119186
[jtab/]
top screenshot ::

top command output

top

[/jtabs]

 

Here are the steps that I followed to remove this malware and hopefully this will helps others having the similar issue.

1. Disconnect the server from network.

2. Take the backup of root crontab and remove the root crontab.  You can restore any relevant entries that you are aware of from the backup.

3. Remove the following files:

#rm /etc/gfhjrtfyhuf
#rm /etc/sfewfesfs
#rm /etc/gdmorpen
#rm /etc/fdsfsfvff
#rm /etc/rewgtf3er4t
#rm /etc/smarvtd
#rm /etc/whitptabil
#rm /etc/.SSH2

In case you are not able delete any of the above file, you might have to change the permissions and then remove the file:

#chattr -i /etc/sfewfesfs
#rm /etc/sfewfesfs

4. Remove the following files from /tmp directory:

#rm /tmp/gfhjrtfyhuf
#rm /tmp/sfewfesfs
#rm /tmp/gdmorpen
#rm /tmp/fdsfsfvff
#rm /tmp/rewgtf3er4t
#rm /tmp/smarvtd
#rm /tmp/whitptabil
#rm /tmp/.sshdd*

5. Remove file  – S99local from /etc/rc<x>.d directory

#rm /etc/rc2.d/S99local
#rm /etc/rc2.d/S99local
#rm /etc/rc3.d/S99local
#rm /etc/rc4.d/S99local

6.  Disable remote root login:

open the file etc/ssh/sshd_config and comment change the following value to “no”:

# Prevent root logins:
PermitRootLogin no

6. Connect/enable network.

7. Update System:

#yum update

8. Now check the current running process and make sure that there are no strange process that are running.