In a VM on a cloud provider, I'm seeing a process with a weird random name. It consumes significant network and CPU resources.
Here's what the process looks like in the pstree view:
systemd(1)───eyshcjdmzg(37775)─┬─{eyshcjdmzg}(37782)
                               ├─{eyshcjdmzg}(37783)
                               └─{eyshcjdmzg}(37784)
I attached to the process using strace -p PID. Here's the output I've got: https://gist.github.com/gmile/eb34d262012afeea82af1c21713b1be9.
Killing the process does not work. It is somehow (via systemd?) resurrected. Here's how it looks from systemd's point of view (note the weird IP address at the bottom):
$ systemctl status 37775
● session-60.scope - Session 60 of user root
   Loaded: loaded
Transient: yes
  Drop-In: /run/systemd/system/session-60.scope.d
           └─50-After-systemd-logind\x2eservice.conf, 50-After-systemd-user-sessions\x2eservice.conf, 50-Description.conf, 50-SendSIGHUP.conf, 50-Slice.conf, 50-TasksMax.conf
   Active: active (abandoned) since Tue 2018-03-06 10:42:51 EET; 1 day 1h ago
    Tasks: 14
   Memory: 155.4M
      CPU: 18h 56min 4.266s
   CGroup: /user.slice/user-0.slice/session-60.scope
           ├─37775 cat resolv.conf
           ├─48798 cd /etc
           ├─48799 sh
           ├─48804 who
           ├─48806 ifconfig eth0
           ├─48807 netstat -an
           ├─48825 cd /etc
           ├─48828 id
           ├─48831 ps -ef
           ├─48833 grep "A"
           └─48834 whoami

Mar 06 10:42:51 k8s-master systemd[1]: Started Session 60 of user root.
Mar 06 10:43:27 k8s-master sshd[37594]: Received disconnect from 23.27.74.92 port 59964:11:
Mar 06 10:43:27 k8s-master sshd[37594]: Disconnected from 23.27.74.92 port 59964
Mar 06 10:43:27 k8s-master sshd[37594]: pam_unix(sshd:session): session closed for user root
What is going on?!
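A triage script of the kind a responder would run before pulling the plug, added here and not taken from the question or either answer: it looks for the three things visible in the output above, a command line (here `cat resolv.conf`) that disagrees with the kernel's comm name (`eyshcjdmzg`), an executable that has been deleted from disk, and a process orphaned to PID 1 that still sits inside a login session scope. It assumes a standard Linux /proc layout; the `/usr/bin/eyshcjdmzg` path and the false-positive trimming in display_name are my assumptions, not facts from the page.

```python
import os
from dataclasses import dataclass

@dataclass
class ProcInfo:
    pid: int
    ppid: int
    comm: str        # /proc/PID/comm: kernel-side name, taken from the file name at execve
    argv: list[str]  # /proc/PID/cmdline: memory the process itself may overwrite
    exe: str         # readlink(/proc/PID/exe), "" if unreadable
    cgroup: str      # systemd cgroup path from /proc/PID/cgroup

def display_name(argv0: str) -> str:
    """argv[0] as a bare program name: no path, login-shell dash or 'sshd: root' suffix."""
    name = os.path.basename(argv0).lstrip("-").split(":")[0]
    return (name.split() or [""])[0]

def mismatch_reasons(p: ProcInfo) -> list[str]:
    """Symptoms from the question that this process shows; empty list means none."""
    reasons = []
    argv0 = display_name(p.argv[0]) if p.argv else ""
    if argv0 and argv0[:15] != p.comm[:15]:      # the kernel caps comm at 15 bytes
        reasons.append(f"argv[0] {argv0!r} disagrees with comm {p.comm!r}")
    if p.exe.endswith(" (deleted)"):
        reasons.append("executable unlinked from disk")
    if p.ppid == 1 and "session-" in p.cgroup and p.cgroup.endswith(".scope"):
        reasons.append("orphaned to PID 1 but still inside a login session scope")
    return reasons

def read_proc(pid: int, proc: str = "/proc") -> "ProcInfo | None":
    base = f"{proc}/{pid}"   # None below means the PID exited or is unreadable
    try:
        comm = open(f"{base}/comm").read().strip()
        raw = open(f"{base}/cmdline", "rb").read()
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        ppid = int(open(f"{base}/stat").read().rsplit(")", 1)[1].split()[1])
        lines = [l.strip() for l in open(f"{base}/cgroup") if l.strip()]
    except OSError:
        return None
    sysd = [l for l in lines if l.startswith("0::") or "name=systemd" in l] or lines
    cgroup = sysd[0].split(":", 2)[-1] if sysd else ""
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = ""   # kernel threads, or a process we lack ptrace rights over
    return ProcInfo(pid, ppid, comm, argv, exe, cgroup)

def scan(proc: str = "/proc") -> dict[int, list[str]]:
    """PID -> reasons, for every process under proc that shows at least one symptom."""
    infos = (read_proc(int(e), proc) for e in os.listdir(proc) if e.isdigit())
    return {i.pid: r for i in infos if i and (r := mismatch_reasons(i))}
```

Processes that legitimately rewrite their own title (interpreter scripts, daemons with status lines) can appear in the output, so review each hit rather than treating the list as verdicts.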
- (51) The answer to "Is someone hacking me?" is always "Yes", the real question is "Has someone succeeded in hacking me?". – ChuckCottrill, Mar 8, 2018 at 1:46
- (10) The word is ‘cracking’ or ‘penetrating’, or ‘commandeering’, not necessarily ‘hacking’. – can-ned_food, Mar 8, 2018 at 17:50
- (8) @can-ned_food I was told that about 15 years ago. It took me a while to realize the distinction is a bunch of hogwash and "hacking" absolutely means the same thing. Even if that wasn't the case in 1980, language has certainly changed enough that it is now. – jpmc26, Mar 10, 2018 at 0:01
- (3) @jpmc26 From what I understood, hacking is the broader term: a hacker is also any ol' programmer who works at someone else's sloppy code. – can-ned_food, Mar 10, 2018 at 15:10
- (3) @can-ned_food It can be used that way, but it's much more commonly used to describe unauthorized access. It's nearly always clear from the context what is meant. – jpmc26, Mar 10, 2018 at 15:19
2 Answers
eyshcjdmzg is a Linux DDoS trojan (easily found through a Google search). You've likely been hacked.
Take that server off-line now. It's not yours any longer.
Please read the following ServerFault Q/A carefully: How to deal with a compromised server.
Note that depending on who you are and where you are, you may additionally be legally obliged to report this incident to authorities. This is the case if you are working at a government agency in Sweden (e.g. a university), for example.
- (2) If you serve Dutch customers also, and you store personal information (IP addresses, emails, names, shopping list, credit card info, passwords) you need to report it to datalekken.autoriteitpersoonsgegevens.nl/actionpage?0 – Tschallacka, Mar 9, 2018 at 9:48
- @tschallacka surely IP address alone is not considered PII? Pretty much every web server anywhere stores IP addresses in its access logs. – Darren H, Mar 10, 2018 at 8:52
- @DarrenH I'm assuming that it would cover "data that can be used to identify a person" etc. Logs are usually not seen as this type of data AFAIK, but it may be different if an IP address is explicitly stored in a database as part of an account record. – Mar 10, 2018 at 8:54
- That makes sense. Thanks for the clarification. – Darren H, Mar 10, 2018 at 8:59
- In the Netherlands we are required to mask all octets before sending to Google because the entire range falls under personal information, because it can be cross-checked with other records. A hacker could cross-check with other logs to track your activities. So yes, it's full personal information like an actual address. – Tschallacka, Mar 10, 2018 at 9:35
Yes. A Google search for eyshcjdmzg indicates that your server has been compromised.
See How do I deal with a compromised server? for what to do about that (in short, wipe the system and re-install from scratch; you can't trust anything on it. I hope you have backups of important data and config files).
- (21) You'd think they'd bother to randomize the name on each infected system, but apparently not. – Stack Exchange Broke The Law, Mar 7, 2018 at 23:37
- (2) @immibis It may be an abbreviation, meaningful only to the authors. The DMZ bit is a real acronym. sh could mean "shell" and ey may be "eye" without the "e", but I'm just speculating. – Mar 8, 2018 at 7:37
- (16) @Kusalananda I'd say "Eye without e Shell CJ Demilitarized zone g" trojan, not a bad name tho. – The-Vinh VO, Mar 8, 2018 at 9:10
- (12) @The-VinhVO Really rolls off the tongue. – Dason, Mar 8, 2018 at 20:57