This weekend, our server (VPS @OVH) was hacked (brute-force root login).
I noticed that I was unable to log in through ssh as usual (using RSA or ED25519 keys) but needed a password.
After successfully logging in, I found out that my authorized_keys file had been changed to contain only one RSA key (all others had been overwritten), with the comment mdrfckr.
After a little Googling, I found the following article: Outlaw is Back, a New Crypto-Botnet…
Even if my version was not exactly identical, it did get me on the right path to clean it:
- Erased the authorized_keys file
- Killed the rsync process
- Looked at the crontab for user root (crontab -l) and got a bunch of stuff:
  1 1 */2 * * /root/.configrc/a/upd>/dev/null 2>&1
  @reboot /root/.configrc/a/upd>/dev/null 2>&1
  5 8 * * 0 /root/.configrc/b/sync>/dev/null 2>&1
  @reboot /root/.configrc/b/sync>/dev/null 2>&1
  0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1
- Deleted the crontab for user root (crontab -d). (As you can see, on reboot it would reinstall itself otherwise.)
- Deleted the directory: rm -fR /root/.configrc, and anything in /tmp that seemed suspicious.
- Found out through top that a process was grabbing 99% of the CPU (mine was named kswapd0) and killed this process.
- Did a find / -name kswapd0 to find where this code was: it was not in /.rsync as in the article but in /root/.configrc, so already cleaned (step 5).
- Rebooted the server.
- Everything seems OK. According to the link above, this hack is just a crypto bot, so I didn't bother to reinstall the whole server even if that is the best practice.
Hope it will help somebody somewhere 😉
Erwan
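As an added example that is not part of Erwan's post (nor of the article he links), the script below turns the cleanup steps above into a read-only check a defender can run on a host: it looks for an authorized_keys entry with the mdrfckr comment, for crontab lines pointing at /root/.configrc, /tmp/.X25-unix or a .rsync directory, and for a userland process named kswapd0 (the genuine kswapd0 is a kernel thread, so /proc/<pid>/exe does not resolve for it, whereas a miner using that name has a real executable behind it). The paths, the key comment and the process name come from the post; the function names and the sample data used in the usage section are assumptions constructed for this demonstration. Remediation (removing the key, the crontab and the files) is left to the operator, as in the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Read-only checks for the
# indicators the post describes; nothing here deletes or kills anything.

# Print authorized_keys lines whose comment field (last token) is "mdrfckr".
# Exit 0 if at least one such key exists, 1 otherwise. $1 = path to the file.
suspicious_keys() {
    awk '$NF == "mdrfckr" { print; found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# Print crontab lines referencing the directories named in the post.
# $1 = a file holding the crontab text (e.g. from "crontab -l > file").
# grep exits 0 when something matched, 1 otherwise.
suspicious_cron() {
    grep -E '/root/\.configrc|/tmp/\.X25-unix|/\.rsync/' "$1"
}

# Report processes named kswapd0 that have an executable on disk.
# $1 = proc root ("/proc" on a live host; a constructed tree in the usage test).
# The kernel's kswapd0 has no readable exe link, so it is skipped; without
# root, exe links of other users' processes are unreadable and also skipped.
fake_kswapd0() {
    root="${1:-/proc}"
    hits=0
    for d in "$root"/[0-9]*; do
        [ -r "$d/comm" ] || continue
        name=$(cat "$d/comm")
        [ "$name" = "kswapd0" ] || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        echo "pid ${d##*/} kswapd0 -> $exe"
        hits=$((hits + 1))
    done
    [ "$hits" -gt 0 ]
}

# Run all three checks against the live host. Exit 1 if anything was found.
scan_host() {
    tmp=$(mktemp)
    crontab -l > "$tmp" 2>/dev/null
    status=0
    for f in /root/.ssh/authorized_keys "$HOME/.ssh/authorized_keys"; do
        if [ -r "$f" ] && suspicious_keys "$f"; then
            echo "suspicious key in $f"
            status=1
        fi
    done
    if suspicious_cron "$tmp"; then
        echo "suspicious crontab entries listed above"
        status=1
    fi
    fake_kswapd0 /proc && status=1
    rm -f "$tmp"
    return "$status"
}

# Only touch the live system when explicitly asked: sh scan.sh --live
case "${1:-}" in --live) scan_host ;; esac
```

Run it as root with `--live` so that root's crontab and authorized_keys are the ones inspected and every /proc/<pid>/exe link is readable; a non-zero exit means at least one indicator was found and the affected file or process is printed.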
It helped me 😉 Thank you
Mehdi
Thank you for your help 🙂
anonymous
Helpful, Thanks a lot