Removing Linux Bash ShellShocker Malware

Recently, I received a call from one of my clients regarding the slowness (almost unresponsive) of their Linux server (running CentOS) and a rapid increase in its network traffic. Fortunately this was one of their lab servers, so they did not incur any production outage.

Here is the output of the top command on this server:

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM     TIME+ COMMAND
 1252 root      20   0 66.0g 2.9g  380 S 725.2 38.0  11935:13 .sshdd141199598
 2025 root      20   0  423m 1760    0 S   3.2  0.0   0:39.98 gdmorpen
14295 root      20   0  107m 1180  964 R   0.5  0.0   0:00.03 ps
14297 root      20   0  107m 1180  964 R   0.5  0.0   0:00.03 ps
 8316 root      20   0 4085m  32m  204 S   0.3  0.4   3:49.86 .sshhdd14119186
 8318 root      20   0 4085m  32m  204 S   0.3  0.4   3:50.47 .sshhdd14119186
 8319 root      20   0 4085m  32m  204 S   0.3  0.4   3:50.27 .sshhdd14119186
 8321 root      20   0 4085m  32m  204 S   0.3  0.4   3:50.11 .sshhdd14119186
 8338 root      20   0 4085m  32m  204 S   0.3  0.4   3:50.67 .sshhdd14119186
 8339 root      20   0 4085m  32m  204 S   0.3  0.4   3:49.67 .sshhdd14119186
 8341 root      20   0 4085m  32m  204 S   0.3  0.4   3:49.86 .sshhdd14119186
 8345 root      20   0 4085m  32m  204 S   0.3  0.4   3:50.10 .sshhdd14119186
 8360 root      20   0 4085m  32m  204 S   0.3  0.4   3:50.59 .sshhdd14119186
 8364 root      20   0 4085m  32m  204 S   0.3  0.4   3:49.95 .sshhdd14119186
 8371 root      20   0 4085m  32m  204 S   0.3  0.4   3:49.94 .sshhdd14119186
 8380 root      20   0 4085m  32m  204 S   0.3  0.4   3:50.65 .sshhdd14119186

(The original post also included a screenshot of this top output.)


Here are the steps that I followed to remove this malware; hopefully this will help others having a similar issue.

1. Disconnect the server from network.

2. Take a backup of the root crontab and then remove the root crontab. You can restore any entries that you recognise as legitimate from the backup.

3. Remove the following files:

#rm /etc/gfhjrtfyhuf
#rm /etc/sfewfesfs
#rm /etc/gdmorpen
#rm /etc/fdsfsfvff
#rm /etc/rewgtf3er4t
#rm /etc/smarvtd
#rm /etc/whitptabil
#rm /etc/.SSH2

In case you are not able to delete any of the above files, the malware may have set the immutable attribute on them; clear it with chattr -i and then remove the file:

#chattr -i /etc/sfewfesfs
#rm /etc/sfewfesfs

4. Remove the following files from /tmp directory:

#rm /tmp/gfhjrtfyhuf
#rm /tmp/sfewfesfs
#rm /tmp/gdmorpen
#rm /tmp/fdsfsfvff
#rm /tmp/rewgtf3er4t
#rm /tmp/smarvtd
#rm /tmp/whitptabil
#rm /tmp/.sshdd*

5. Remove the S99local start script from each /etc/rc<x>.d directory:

#rm /etc/rc2.d/S99local
#rm /etc/rc3.d/S99local
#rm /etc/rc4.d/S99local

6. Disable remote root login:

Open the file /etc/ssh/sshd_config and set the following value to "no" (restart or reload sshd afterwards for the change to take effect):

# Prevent root logins:
PermitRootLogin no

7. Reconnect/enable the network.

8. Update the system:

#yum update

9. Now check the currently running processes and make sure that there are no strange processes running.
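The steps above are a manual sweep for a fixed set of file names and process names. The following script is an added example (not from the original post) that gathers the same indicators in one read-only pass so you can review the findings before removing anything: it checks /etc and /tmp for the file names listed in steps 3 and 4, the .sshdd*/.sshhdd* droppers, the S99local start links from step 5, and marks files that carry the immutable attribute (the reason chattr -i is needed). It also flags process-list lines whose command matches the names seen in the top output. The optional ROOT argument is an assumption added for offline use (for example a mounted disk image) and for testing; the indicator names themselves come from the post.

```shell
#!/bin/sh
# Added example: read-only indicator sweep for the cleanup described above.
# Usage:  sh sweep.sh --scan [ROOT]   (ROOT defaults to the live system, "/")
# Nothing is deleted; review the report, then follow the removal steps.

# File names quoted in the post, checked under ROOT/etc and ROOT/tmp.
IOC_NAMES="gfhjrtfyhuf sfewfesfs gdmorpen fdsfsfvff rewgtf3er4t smarvtd whitptabil"

# Print a path, with " immutable" appended if lsattr shows the 'i' flag
# (such a file must be cleared with `chattr -i` before `rm` will succeed).
report_file() {
    if command -v lsattr >/dev/null 2>&1 &&
       lsattr -d "$1" 2>/dev/null | cut -d' ' -f1 | grep -q i; then
        echo "$1 immutable"
    else
        echo "$1"
    fi
}

# Print every indicator file present under ROOT ($1; empty means "/").
scan_files() {
    root="${1:-}"
    for dir in etc tmp; do
        for name in $IOC_NAMES; do
            if [ -e "$root/$dir/$name" ]; then report_file "$root/$dir/$name"; fi
        done
    done
    if [ -e "$root/etc/.SSH2" ]; then report_file "$root/etc/.SSH2"; fi
    # The droppers seen in top carry a numeric suffix, so match by prefix.
    for f in "$root"/tmp/.sshdd* "$root"/tmp/.sshhdd*; do
        if [ -e "$f" ]; then report_file "$f"; fi
    done
    # Persistence: S99local start links in any runlevel directory.
    for f in "$root"/etc/rc[0-6].d/S99local; do
        if [ -e "$f" ]; then report_file "$f"; fi
    done
    return 0
}

# Read "pid user command" lines (as printed by `ps -eo pid,user,comm`) on
# stdin and pass through only those whose command matches the malware names.
flag_processes() {
    grep -E '(^|[[:space:]])(\.ssh+dd[0-9]+|gdmorpen)$'
}

case "${1:-}" in
    --scan)
        echo "== indicator files =="
        scan_files "${2:-}"
        echo "== suspicious processes (pid user command) =="
        ps -eo pid,user,comm | flag_processes || echo "none found"
        ;;
esac
```

Run it as root before step 1's cleanup and again after step 9: an empty report on both sections is the expected end state. Because the S99local check only looks at the rc directories, also back up and inspect the root crontab by hand (step 2), since that is the second persistence point the post names.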
