I am afraid that is not your biggest problem.
Take a look at
https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
All those processes from your ps show that your server was infected. I
have just cleaned mine; it was the same issue, and doubling ps output was one of
the effects. As for ps, you will have to reinstall it (apt-get install
--reinstall procps),
but you need to clean up a lot: every script that is mentioned in your ps
output, cron, rcX.d, init.d, sysctl.d.
After a month you have probably noticed that, but just in case someone else
needs it.
On Wednesday, 22 April 2020 18:53:28 UTC+2, Humberto Blanco
Castillo wrote:
>
> @daniel, this is the output
>
> [user@repositorio /]# which ps
> /usr/bin/ps
>
> [user@repositorio /]# typeset -f ps
> ps ()
> {
> proc_name=$(/bin/ps $@);
> proc_name=$(echo "$proc_name" | sed -e '/linux_amd64/d');
> proc_name=$(echo "$proc_name" | sed -e '/linux_kill/d');
> proc_name=$(echo "$proc_name" | sed -e '/linux.service/d');
> proc_name=$(echo "$proc_name" | sed -e '/System.img.config/d');
> proc_name=$(echo "$proc_name" | sed -e '/linux.sh/d');
> proc_name=$(echo "$proc_name" | sed -e '/32679/d');
> proc_name=$(echo "$proc_name" | sed -e '/41414/d');
> proc_name=$(echo "$proc_name" | sed -e '/.img/d');
> proc_name=$(echo "$proc_name" | sed -e '/libdlrpcld.so/d');
> proc_name=$(echo "$proc_name" | sed -e '/id.services.conf/d');
> proc_name=$(echo "$proc_name" | sed -e '/system-monitor/d');
> proc_name=$(echo "$proc_name" | sed -e '/ifconfig.conf/d');
> proc_name=$(echo "$proc_name" | sed -e '/sleep/d');
> proc_name=$(echo "$proc_name" | sed -e '/seeintlog/d');
> proc_name=$(echo "$proc_name" | sed -e '/bash_config/d');
> echo "$proc_name"
> }
>
>
> [user@repositorio /]# alias
> alias cp='cp -i'
> alias egrep='egrep --color=auto'
> alias fgrep='fgrep --color=auto'
> alias grep='grep --color=auto'
> alias l.='ls -d .* --color=auto'
> alias ll='ls -l --color=auto'
> alias ls='ls --color=auto'
> alias mv='mv -i'
> alias rm='rm -i'
> alias which='alias | /usr/bin/which --tty-only --read-alias --show-dot
> --show-tilde'
>
>
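The `ps ()` wrapper quoted above is a shell function, so `which ps` still reports `/usr/bin/ps` while every interactive `ps` call is filtered. As an added example (not part of either message in this thread), the POSIX shell script below lists watched utilities that the current shell resolves to a function and scans a startup file for such definitions; the `WATCHED` list, the function names and the sample file content are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find shell functions that shadow
# system utilities, as the ps() wrapper quoted above does.

# Assumption: utilities worth watching; extend as needed.
WATCHED="ps ls top ss netstat lsof find"

# shadowed_now: print each watched name the current shell resolves to a
# function. `command -V` reports functions; an external `which` only
# searches PATH and so still prints the binary's path.
shadowed_now() {
    for c in $WATCHED; do
        case "$(command -V "$c" 2>/dev/null || true)" in
            *function*) echo "$c" ;;
        esac
    done
}

# scan_file FILE: print FILE:LINE:NAME for every definition of a watched
# name, written as "name ()", "name()" or "function name".
scan_file() {
    awk -v watched="$WATCHED" '
        BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        {
            line = $0; sub(/^[ \t]+/, "", line); name = ""
            if (line ~ /^function[ \t]+[A-Za-z_]/) {
                sub(/^function[ \t]+/, "", line)
                name = line; sub(/[^A-Za-z0-9_].*$/, "", name)
            } else if (line ~ /^[A-Za-z_][A-Za-z0-9_]*[ \t]*\(\)/) {
                name = line; sub(/[ \t]*\(\).*$/, "", name)
            }
            if (name in want) printf "%s:%d:%s\n", FILENAME, FNR, name
        }' "$1"
}

# write_sample FILE: constructed startup-file content for the demo.
write_sample() {
    cat > "$1" <<'EOF'
alias ll='ls -l --color=auto'
ps ()
{
    proc_name=$(/bin/ps $@);
    echo "$proc_name"
}
function top { command top "$@"; }
EOF
}

# Demo on the constructed sample.
sample=$(mktemp); write_sample "$sample"; scan_file "$sample"; rm -f "$sample"
```

The thread does not say where the function was defined; typical files to pass to `scan_file` are `/etc/profile`, `/etc/profile.d/*.sh` and each user's `~/.bashrc`. Calling the binary by full path or through `command ps` bypasses a function of the same name.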