This weekend, our server (VPS @OVH) was hacked (brute-force root login).
I noticed that I was unable to log in through ssh as usual (using RSA or ED25519 keys) but needed a password.
After successfully logging in, I found out that my authorized_keys file had been changed to contain only one RSA key (all others had been overwritten) having the comment mdrfckr.
After a little Googling, I found the following article: Outlaw is Back, a New Crypto-Botnet…
Even if my version was not exactly identical, it did get me on the right path to clean it:
- Erased the
- Killed the
- Looked at the crontab for user root (`crontab -l`) and got a bunch of stuff:
1 1 */2 * * /root/.configrc/a/upd>/dev/null 2>&1
@reboot /root/.configrc/a/upd>/dev/null 2>&1
5 8 * * 0 /root/.configrc/b/sync>/dev/null 2>&1
@reboot /root/.configrc/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1
- Deleted the crontab for user root (`crontab -d`). (As you can see, on reboot it would reinstall itself otherwise.)
- Deleted the directory (`rm -fR /root/.configrc`) and anything in /tmp that seemed suspicious.
- Found out through `top` that a process was grabbing 99% of the CPU (mine was named kswapd0).
- Killed this process.
- Did a `find / -name kswapd0` to find where this code was: it was not in /.rsync as in the article but in /root/.configrc, so it was already cleaned (step 5).
- Rebooted the server.
- Everything seems OK. According to the link above, this hack is just a crypto bot, so I didn't bother to reinstall the whole server even if it is a best practice.
Hope it will help somebody somewhere 😉
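The checks in the steps above (root crontab pointing at hidden or temp directories, an authorized_keys file that no longer matches the keys you expect, and a user-space process hiding behind the kernel thread name kswapd0) can be scripted so they are repeatable after a cleanup and on other hosts. The script below is an added example, not code from the original post or from the article it links; the sample crontab entries are the ones quoted above, the key files are constructed for the demo, and the key blobs are placeholders rather than real keys.

```sh
#!/bin/sh
# Added example (not from the original post): three small audit helpers for the
# indicators described in the post. Sample data below is constructed for the
# demo; the key blobs are placeholders, not real keys.

# Print crontab entries whose command path sits under a hidden directory in
# /root, or under /tmp, /var/tmp or /dev/shm. Reads crontab text on stdin,
# e.g.: crontab -l -u root | suspicious_cron_lines
suspicious_cron_lines() {
    grep -E '(^|[[:space:]])(/root/\.[^/[:space:]]+|/tmp|/var/tmp|/dev/shm)/' || true
}

# Print authorized_keys entries (read on stdin) whose key blob is not listed in
# the known-good file $1 (same "type blob comment" format, one key per line,
# must be non-empty). Blank and comment lines are skipped. Assumes plain
# entries without option prefixes such as command="...".
unexpected_keys() {
    awk 'NR == FNR { known[$2] = 1; next }
         $0 !~ /^[[:space:]]*(#|$)/ && !($2 in known)' "$1" -
}

# Print "PID exe" for every process named kswapd0 that has a real executable.
# The genuine kswapd0 is a kernel thread (parent kthreadd, PID 2) whose
# /proc/PID/exe has no target, so a readable exe link means a user-space
# impostor. Run as root so other users' exe links are readable.
impostor_kswapd0() {
    for p in /proc/[0-9]*; do
        [ -r "$p/comm" ] || continue
        IFS= read -r name 2>/dev/null < "$p/comm" || continue
        [ "$name" = "kswapd0" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        [ -n "$exe" ] && echo "${p#/proc/} $exe"
    done
    return 0
}

# --- constructed sample data: the post's crontab plus one legitimate entry ---
SAMPLE_CRONTAB='0 5 * * * /usr/bin/certbot renew >/dev/null 2>&1
1 1 */2 * * /root/.configrc/a/upd>/dev/null 2>&1
@reboot /root/.configrc/a/upd>/dev/null 2>&1
5 8 * * 0 /root/.configrc/b/sync>/dev/null 2>&1
@reboot /root/.configrc/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1'

# Allow list of keys that should be on the box (placeholder blobs)
KNOWN_KEYS='ssh-ed25519 AAAAC3PLACEHOLDER-KEY-ALICE alice@laptop
ssh-rsa AAAAB3PLACEHOLDER-KEY-DEPLOY deploy@ci'

# authorized_keys as found after the incident: one injected key, others gone
FOUND_KEYS='ssh-rsa AAAAB3PLACEHOLDER-KEY-INJECTED mdrfckr'

# Compare the found authorized_keys against the allow list; prints the strangers.
demo_unexpected_keys() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$KNOWN_KEYS" > "$tmp"
    printf '%s\n' "$FOUND_KEYS" | unexpected_keys "$tmp"
    rm -f "$tmp"
}

echo "== suspicious root crontab entries =="
printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_lines
echo "== authorized_keys entries not in the allow list =="
demo_unexpected_keys
echo "== user-space processes named kswapd0 on this host =="
impostor_kswapd0
```

On a live host, feed `crontab -l -u root` into `suspicious_cron_lines` and `/root/.ssh/authorized_keys` into `unexpected_keys` with your own allow list; an empty result from all three is the condition you want to see after the cleanup and again after the reboot, since the `@reboot` entries are exactly what would bring the miner back.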