Where to look for trojan file in ubuntu infected server?
by Ketmen from LinuxQuestions.org on (#5907W)
Problem description: Noticed high CPU; htop shows 4 of my 8 CPU cores are 100% loaded. htop was not showing the correct %load. htop/top were not showing the PIDs which were running on the 4 fully loaded cores.
Thanks to perf I identified the PID which is occupying my 4 cores.
So, someone was hijacking my CPU, most probably for currency mining. Changed the root password to one with 40 symbols, but the intruder got into my server again. After some investigation I found that the intruder is deleting traces of his work on my server.
Found that he is saving my complex password in /var/tmp/pam.log and probably sending the password via e-mail to the intruder.
After I protected the SSH port he was unable to get in.
I am a novice with Linux and my questions for the experts are:
1. Can you recognize what type of trojan I am dealing with?
2. The server is quarantined for learning purposes. Could you help me find the file where the e-mail of the intruder is?
3. I am assuming he is doing keystroke logging using some Linux commands or scripts. Any idea where to look for those scripts?
Thank you

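An added triage script for the symptoms the post describes (a CPU-burning process that perf sees but top/htop do not, a credential file at /var/tmp/pam.log, and a suspected PAM or keystroke logger). This is example code written here, not part of the original post or any reply. It assumes the process hiding is done by a userland LD_PRELOAD rootkit that filters directory reads of /proc (a common way to hide from ps, top and htop), and it assumes standard Ubuntu locations for PAM modules and the libpam-modules/libpam0g packages; only the /var/tmp/pam.log path comes from the post. The functions take their inputs as arguments where possible so they can be checked offline; `triage_report` runs them live.

```shell
#!/bin/sh
# Defender-side triage helper (constructed example; assumptions noted inline).

# hidden_pids PROC_LIST PS_LIST
#   Prints every PID in PROC_LIST (newline-separated) that does not appear
#   in PS_LIST.  Pure string logic so it can be tested offline.
hidden_pids() {
    for p in $1; do
        printf '%s\n' "$2" | grep -qx "$p" || printf '%s\n' "$p"
    done
    return 0
}

# live_hidden_pids
#   Assumption: the rootkit hooks readdir() on /proc, so `ls /proc` and ps
#   both lie, but stat() on /proc/<pid> still works.  Probe every candidate
#   PID directly and compare against what ps admits to.  A PID that exits
#   between the two snapshots shows up once by chance; one that shows up on
#   every run is the one to examine (e.g. ls -l /proc/<pid>/exe).
live_hidden_pids() {
    max=$(cat /proc/sys/kernel/pid_max)
    present=$(i=1; while [ "$i" -le "$max" ]; do
                  [ -d "/proc/$i" ] && echo "$i"; i=$((i + 1)); done)
    ps_list=$(ps -e -o pid= | tr -d ' ')
    hidden_pids "$present" "$ps_list"
}

# preload_check
#   The usual persistence points for an LD_PRELOAD library.
preload_check() {
    [ -s /etc/ld.so.preload ] && { echo "/etc/ld.so.preload:"; cat /etc/ld.so.preload; }
    grep -l LD_PRELOAD /etc/environment /etc/profile /etc/profile.d/* \
        /etc/bash.bashrc /root/.bashrc 2>/dev/null
    return 0
}

# find_references NEEDLE DIR...
#   Lists text files under DIR... that mention NEEDLE.  Whatever script
#   reads /var/tmp/pam.log and mails it out has to name that path, and the
#   destination address is normally in the same file.  Binaries are skipped
#   (-I); pam_integrity covers the compiled PAM module case.
find_references() {
    needle=$1; shift
    grep -rIl -- "$needle" "$@" 2>/dev/null
    return 0
}

# pam_integrity
#   Compare the installed PAM files with the package checksums (any output
#   from dpkg --verify means a modified file), then look inside pam_unix.so
#   for the credential path or an e-mail-looking string.
pam_integrity() {
    dpkg --verify libpam-modules libpam0g 2>/dev/null
    for f in /lib/*/security/pam_unix.so /lib/security/pam_unix.so; do
        [ -f "$f" ] || continue
        strings "$f" | grep -Ei 'pam\.log|@[a-z0-9.-]+\.[a-z]{2,}' | sed "s|^|$f: |"
    done
    return 0
}

triage_report() {
    echo "== PIDs present in /proc but hidden from ps =="; live_hidden_pids
    echo "== LD_PRELOAD persistence =="; preload_check
    echo "== Files referring to /var/tmp/pam.log =="
    find_references /var/tmp/pam.log /etc /var/spool/cron /root /usr/local /opt /tmp /var/tmp
    echo "== PAM package integrity and embedded strings =="; pam_integrity
}

if [ "${1:-}" = run ]; then triage_report; fi
```

Run it as `sh triage.sh run` on the quarantined box; the PID probe loop walks up to pid_max entries and can take a minute. The comparison deliberately uses the rootkit's own filtered `ps` as the second list: anything the kernel says exists but `ps` omits is exactly the discrepancy the post observed between perf and htop.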