Michael Lazin on 16 Jan 2019 10:17:37 -0800



Re: [PLUG] time to reinstall


don't reinstall yet.  Run "lsof -i" 

find the pid of the process that makes the connection to ovh

check the proc filesystem for the corresponding pid, you'll find within the directory for the pid the name of the binary or script that makes the connection

note the date stamp

grep all of your logs for these date stamps

If you find more malware just keep grepping backward by date stamp until you find the original source of intrusion

you might want to scan for shells, you can try chkroot, rkhunter, and clamav

Michael

On Wed, Jan 16, 2019 at 12:42 PM jeff <jeffv@op.net> wrote:
Remember a while back I noticed certain processes eating up 60% of cpu?
After serious detective work, I found Interesting Stuff.

5 processes phone OVH hosting, with multiple address ranges
NetMgr seems fond of Virgin Media
When FF comes up, it visits some film festival in Canada (per netstat,
but not viewed in FF).

I firewalled everything and am ready to reinstall, but what is this and
where did it come from? No amount of searching turns up anything. Miner?

Nothing from any scanner or rkhunter.
A packet cap turned up a tiny amount of what looks like obfuscated code,
featuring 'blobs'.  I guess I have the Blobs.

"{"method":"login","params":{"login":"49WAk6Txxxxxxxxxxxxxxetc"
"jsonrpc":"2.0"
{"blob":"0909d49xxxxxxxxxxx, "job_idxxxxx'

Aside from that, everything's fine.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug


--
Michael Lazin

to gar auto estin noein te kai ennai
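Michael's walk-through (lsof, then the PID, then /proc for the binary, then its date stamp, then the logs) as an added Python example that is not from either post. The lsof output, log lines and addresses are constructed; the /proc lookup only resolves on a live Linux host, and returns None under the bogus proc_root used here.

```python
import os
import re
from datetime import datetime

# Constructed sample of `lsof -i -n -P` output (not from the original post).
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  18444      0t0  TCP *:22 (LISTEN)
NetMgr   2231 jeff    5u  IPv4  90210      0t0  TCP 192.0.2.10:41234->198.51.100.7:3333 (ESTABLISHED)
firefox  2400 jeff   77u  IPv4  91122      0t0  TCP 192.0.2.10:41300->203.0.113.9:443 (ESTABLISHED)
"""

# Constructed syslog-style lines standing in for /var/log/* (not from the post).
SAMPLE_LOG = """\
Jan 12 09:15:01 box CRON[4100]: (root) CMD (run-parts /etc/cron.hourly)
Jan 14 03:12:05 box sshd[811]: Accepted password for jeff from 203.0.113.50 port 50122 ssh2
Jan 14 03:13:40 box systemd[1]: Started NetMgr.service.
Jan 15 11:00:00 box CRON[4300]: (root) CMD (run-parts /etc/cron.hourly)
"""

LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+.*?"
    r"TCP\s+\S+->(?P<rhost>\S+):(?P<rport>\d+)\s+\(ESTABLISHED\)$")

def established_connections(lsof_text):
    """Return [(command, pid, user, remote_host, remote_port)] for ESTABLISHED TCP lines."""
    found = []
    for line in lsof_text.splitlines():
        m = LSOF_RE.match(line)
        if m:
            found.append((m["cmd"], int(m["pid"]), m["user"], m["rhost"], int(m["rport"])))
    return found

def binary_for_pid(pid, proc_root="/proc"):
    """Resolve /proc/<pid>/exe to the program behind the connection. A ' (deleted)'
    suffix means the file was unlinked after launch: copy it out of /proc/<pid>/exe
    while the process is still alive, before killing anything."""
    try:
        return os.readlink(os.path.join(proc_root, str(pid), "exe"))
    except OSError:
        return None  # PID gone, no permission, or no Linux /proc under proc_root

def triage(lsof_text, remote_prefix, proc_root="/proc"):
    """PIDs talking to the suspect address range, with the binary behind each."""
    return [(pid, cmd, binary_for_pid(pid, proc_root))
            for cmd, pid, _u, rhost, _p in established_connections(lsof_text)
            if rhost.startswith(remote_prefix)]

def syslog_stamp(epoch_seconds, tz=None):
    """Turn a binary's st_mtime/st_ctime into the 'Jan  4' / 'Jan 14' prefix syslog
    writes (local time by default, which is what the log files use)."""
    dt = datetime.fromtimestamp(epoch_seconds, tz)
    return f"{dt:%b} {dt.day:2d}"

def log_lines_for_stamp(log_text, stamp):
    """The grep step: every log line carrying the suspect binary's date stamp."""
    return [l for l in log_text.splitlines() if l.startswith(stamp + " ")]
```

Feed it the real `lsof -i -n -P` output and `os.stat(binary)` times, then walk the returned log lines backward date by date as Michael suggests.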