1

Topic: Crypto

Somehow it is not so smoothly added at me with . Here such  suddenly started to guzzle the processor:

    F S UID      PID   PPID C  PRI NI ADDR SZ    WCHAN RSS   PSR STIME TTY TIME    CMD
    0 S postgres 25296 1    87 80  0  -    97413 -     10644 0   14:29 ?   0:05:04 -bash -a cryptonight -o stratum+tcp://pool.etn.spacepools.org:3333 -u etnk6UXPznXeFPhMrNEpx8Cpaw7g5Gr6ZSND6S9TQRQqJsvFfvxJxTA7Ya8EkNnFsrVZV6uJf7MWt98G1J5he9Z882Lgzfdhjk -p x

How do I get rid of it?

2

Re: Crypto

man ps
man lsof
man kill

to find the process, where it lies, and delete it

3

Re: Crypto

Hello, reversecode, you wrote:

R> man ps
R> man lsof
R> man kill
R> to find the process, where it lies
R> and delete it

Is it possible in more detail? Here it is launched by such a command:

    -bash -a cryptonight -o stratum+tcp://pool.etn.spacepools.org:3333 -u etnk6UXPznXeFPhMrNEpx8Cpaw7g5Gr6ZSND6S9TQRQqJsvFfvxJxTA7Ya8EkNnFsrVZV6uJf7MWt98G1J5he9Z882Lgzfdhjk -p x

lsof:

    sudo lsof -p 28936
    [sudo] the password for pavel:
    lsof: WARNING: cannot stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
          Output information may be incomplete.
    lsof: WARNING: cannot stat() fuse file system /run/user/1000/doc
          Output information may be incomplete.
    COMMAND PID   USER     FD  TYPE DEVICE SIZE/OFF NODE   NAME
    md      28936 postgres cwd DIR  253,0  4096     942104 /var/lib/pgsql/.c
    md      28936 postgres rtd DIR  253,0  4096     2      /
    md      28936 postgres txt REG  253,0  2547192  925491 /var/lib/pgsql/.c/md
    md      28936 postgres mem REG  253,0  31144    544112 /usr/lib64/libnss_dns-2.26.so
    md      28936 postgres mem REG  253,0  11128    524628 /usr/lib64/libnss_mdns4_minimal.so.2
    md      28936 postgres mem REG  253,0  57008    544379 /usr/lib64/libnss_files-2.26.so
    md      28936 postgres mem REG  253,0  11400    530176 /usr/lib64/libfreebl3.so
    md      28936 postgres mem REG  253,0  541992   560487 /usr/lib64/libpcre2-8.so.0.6.0
    md      28936 postgres mem REG  253,0  43696    544972 /usr/lib64/librt-2.26.so
    md      28936 postgres mem REG  253,0  36728    569003 /usr/lib64/libcrypt-nss-2.26.so
    md      28936 postgres mem REG  253,0  162520   566507 /usr/lib64/libselinux.so.1
    md      28936 postgres mem REG  253,0  251792   566527 /usr/lib64/libnspr4.so
    md      28936 postgres mem REG  253,0  20048    566528 /usr/lib64/libplc4.so
    md      28936 postgres mem REG  253,0  15744    566529 /usr/lib64/libplds4.so
    md      28936 postgres mem REG  253,0  197584   527931 /usr/lib64/libnssutil3.so
    md      28936 postgres mem REG  253,0  1228920  560039 /usr/lib64/libnss3.so
    md      28936 postgres mem REG  253,0  164264   560040 /usr/lib64/libsmime3.so
    md      28936 postgres mem REG  253,0  319424   560041 /usr/lib64/libssl3.so
    md      28936 postgres mem REG  253,0  121160   553791 /usr/lib64/libsasl2.so.3.0.0
    md      28936 postgres mem REG  253,0  110080   544859 /usr/lib64/libresolv-2.26.so
    md      28936 postgres mem REG  253,0  15392    532603 /usr/lib64/libkeyutils.so.1.6
    md      28936 postgres mem REG  253,0  61800    561607 /usr/lib64/libkrb5support.so.0.1
    md      28936 postgres mem REG  253,0  1513480  547055 /usr/lib64/libunistring.so.2.0.0
    md      28936 postgres mem REG  253,0  19264    538931 /usr/lib64/libdl-2.26.so
    md      28936 postgres mem REG  253,0  94232    533960 /usr/lib64/libz.so.1.2.11
    md      28936 postgres mem REG  253,0  61904    568954 /usr/lib64/liblber-2.4.so.2.10.8
    md      28936 postgres mem REG  253,0  344304   568955 /usr/lib64/libldap-2.4.so.2.10.8
    md      28936 postgres mem REG  253,0  15448    530715 /usr/lib64/libcom_err.so.2.1
    md      28936 postgres mem REG  253,0  210024   561563 /usr/lib64/libk5crypto.so.3.1
    md      28936 postgres mem REG  253,0  958264   558581 /usr/lib64/libkrb5.so.3.3
    md      28936 postgres mem REG  253,0  321152   545158 /usr/lib64/libgssapi_krb5.so.2.2
    md      28936 postgres mem REG  253,0  2681616  527251 /usr/lib64/libcrypto.so.1.1.0g
    md      28936 postgres mem REG  253,0  451232   563113 /usr/lib64/libssl.so.1.1.0g
    md      28936 postgres mem REG  253,0  56256    567111 /usr/lib64/libpsl.so.5.1.2
    md      28936 postgres mem REG  253,0  185552   553798 /usr/lib64/libssh2.so.1.0.1
    md      28936 postgres mem REG  253,0  118104   533691 /usr/lib64/libidn2.so.0.3.3
    md      28936 postgres mem REG  253,0  157512   531257 /usr/lib64/libnghttp2.so.14.14.0
    md      28936 postgres mem REG  253,0  2245824  537491 /usr/lib64/libc-2.26.so
    md      28936 postgres mem REG  253,0  2500032  530505 /usr/lib64/libcrypto.so.1.0.2m
    md      28936 postgres mem REG  253,0  153128   544551 /usr/lib64/libpthread-2.26.so
    md      28936 postgres mem REG  253,0  532528   555311 /usr/lib64/libcurl.so.4.4.0
    md      28936 postgres mem REG  253,0  190296   525343 /usr/lib64/ld-2.26.so
    md      28936 postgres 0r  CHR  1,3    0t0      1042   /dev/null
    md      28936 postgres 1w  CHR  1,3    0t0      1042   /dev/null
    md      28936 postgres 2w  CHR  1,3    0t0      1042   /dev/null

How to find out who launches /var/lib/pgsql/.c/md?

4

Re: Crypto

Hello, 13akaEagle, you wrote:

E>
E>     sudo lsof -p 28936
E>     [sudo] the password for pavel:
E>     md      28936 postgres cwd DIR  253,0  4096     942104 /var/lib/pgsql/.c
E>     md      28936 postgres txt REG  253,0  2547192  925491 /var/lib/pgsql/.c/md
E> How to find out who launches /var/lib/pgsql/.c/md?

The user postgres launches it - it is written there.

5

Re: Crypto

Hello, Sheridan, you wrote:

S> The user postgres launches it - it is written there.

That is not an interactive user, though. Where is it registered that it needs to be launched? How to clean these evil spirits?

    sudo cat /var/spool/cron/postgres
    * * * * * /var/lib/pgsql/.c/upd >/dev/null 2>&1

    sudo crontab -l -u postgres
    * * * * * /var/lib/pgsql/.c/upd >/dev/null 2>&1

    sudo ls /var/lib/pgsql/.c/
    1 a bash.pid cron.d dir.dir h32 h64 md md32 mdx r.txt run sh upd x z

Today I did a dnf upgrade and for some reason it installed postgresql, though I removed it recently. Even if I delete the cron job, delete everything from /var/lib/pgsql and delete the user postgres, as I understand it there is no guarantee that another part of the virus is not sleeping somewhere in the system? How to find out who added postgresql to the list of updates?

6

Re: Crypto

Hello, 13akaEagle, you wrote:

E> Hello, Sheridan, you wrote:
S>> The user postgres launches it - it is written there.
E> That is not an interactive user, though. Where is it registered that it needs to be launched?

At  there is a shell  . Look at the last column of /etc/passwd. Since there is a shell, it means it is possible .

E> How to clean these evil spirits?
E>
E>     sudo cat /var/spool/cron/postgres
E>     * * * * * /var/lib/pgsql/.c/upd >/dev/null 2>&1

It is a text file. Open it in an editor and delete the record.

E>
E>     sudo crontab -l -u postgres
E>     * * * * * /var/lib/pgsql/.c/upd >/dev/null 2>&1

And this only reads  .

E>
E>     sudo ls /var/lib/pgsql/.c/
E>     1 a bash.pid cron.d dir.dir h32 h64 md md32 mdx r.txt run sh upd x z

Look at what is in the files. If it is , simply delete it. If the rights are not enough, , to it on the rights .

E> Today I did a dnf upgrade and for some reason it installed postgresql, though I removed it recently. Even if I delete the cron job, delete everything from /var/lib/pgsql and delete the user postgres, as I understand it there is no guarantee that another part of the virus is not sleeping somewhere in the system?

More interesting is how it got there.... Check the passwords, or rather change them to hard ones. Make ssh login by key only. Do not work .

E> How to find out who added postgresql to the list of updates?

I have not sat in  since 2005 or so. Look at the dependency lists. Maybe you installed   for  and it brought  with itself...
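
The cron entry discussed in this exchange is the persistence point: the miner is restarted every minute from a hidden directory under a service account's home. The following POSIX sh script is an added example (not posted by anyone in this thread) that reads crontab text and flags entries whose command lives in a hidden directory or a temporary path; `scan_user_crontabs` walks every account in /etc/passwd with `crontab -l -u` and is assumed to run as root on a live system, while the sample crontab embedded in the script is constructed, modelled on the entry shown above, so the check can be tried offline.

```sh
#!/bin/sh
# Added example, not from the thread: flag crontab entries that run out of a
# hidden directory (a "/.something/" path component, like /var/lib/pgsql/.c)
# or out of a temporary path. This is a heuristic; review what it flags.

# flag_cron_lines: read crontab text on stdin, print the suspicious entries.
flag_cron_lines() {
    grep -v '^[[:space:]]*#' \
        | grep -E '(^|[[:space:]])(/[^[:space:]]*/\.[^/[:space:]]+|/tmp/|/dev/shm/|/var/tmp/)' \
        || true   # no match is not an error for the caller
}

# scan_user_crontabs: on a live system (assumed to run as root), check every
# local account's crontab, including non-interactive service accounts such as
# postgres, and prefix each flagged line with the account name.
scan_user_crontabs() {
    cut -d: -f1 /etc/passwd | while read -r user; do
        crontab -l -u "$user" 2>/dev/null \
            | flag_cron_lines \
            | sed "s|^|$user: |"
    done
}

# Constructed sample crontab for the offline demonstration; the first entry is
# modelled on what the thread's author found in /var/spool/cron/postgres.
SAMPLE_CRONTAB='# constructed sample
* * * * * /var/lib/pgsql/.c/upd >/dev/null 2>&1
0 3 * * * /usr/bin/updatedb
*/5 * * * * /tmp/.ssh/run'

# demo_flagged: run the check over the constructed sample.
demo_flagged() {
    printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines
}

demo_flagged
```

Run it as-is to see the two constructed entries flagged (the `updatedb` line is not reported); on a real host call `scan_user_crontabs` instead, and remember that /etc/cron.d, /etc/cron.*/ and systemd timers are separate persistence locations this check does not cover.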

7

Re: Crypto

Hello, 13akaEagle, you wrote:

E> Somehow it is not so smoothly added at me with .
E> Here such  suddenly started to guzzle the processor
E>
E>     F S UID      PID   PPID C  PRI NI ADDR SZ    WCHAN RSS   PSR STIME TTY TIME    CMD
E>     0 S postgres 25296 1    87 80  0  -    97413 -     10644 0   14:29 ?   0:05:04 -bash -a cryptonight -o stratum+tcp://pool.etn.spacepools.org:3333 -u etnk6UXPznXeFPhMrNEpx8Cpaw7g5Gr6ZSND6S9TQRQqJsvFfvxJxTA7Ya8EkNnFsrVZV6uJf7MWt98G1J5he9Z882Lgzfdhjk -p x
E> How do I get rid of it?

Run top, look at the executed command,  on  (find / -name XXX). Such a thing made its way onto one of our servers recently. It was placed in the folder /tmp/.ssh (.ssh so that it is not seen). It was launched stupidly from cron from some user. Look at what is in the crontab of the users it is launched from (crontab -u USER -l). If it is there, the rest you will find and kill easily.

PS well who in 20018 on CPU , schoolboys.
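
The advice above (top, then locate the binary) relies on the name the process shows, which this miner fakes ("-bash" in ps, "md" in lsof). /proc does not lie about it: /proc/PID/exe points at the real binary (with a "(deleted)" suffix if it was removed after launch), /proc/PID/cwd shows the working directory and /proc/PID/cmdline holds the real arguments. The script below is an added example (not from the thread) that reads those three entries and gives a verdict; the /proc root is a parameter so the logic can be exercised against a constructed tree built by `make_sample_proc`, which is modelled on the lsof output posted earlier, and `scan_all_pids` is assumed to run as root on a live Linux host.

```sh
#!/bin/sh
# Added example, not from the thread: inspect a process through /proc instead
# of trusting the name ps/top shows.

# inspect_pid PROC_ROOT PID: print exe, cwd, command line and a verdict.
# PROC_ROOT is /proc on a live system; it is a parameter so the logic can be
# run against a constructed tree.
inspect_pid() {
    root="$1"
    pid="$2"
    exe=$(readlink "$root/$pid/exe" 2>/dev/null || echo '?')
    cwd=$(readlink "$root/$pid/cwd" 2>/dev/null || echo '?')
    cmd=$(tr '\0' ' ' < "$root/$pid/cmdline" 2>/dev/null || echo '?')
    verdict=ok
    case "$exe" in
        */.*)                         verdict='suspicious (hidden directory)' ;;
        /tmp/*|/dev/shm/*|/var/tmp/*) verdict='suspicious (temporary path)' ;;
        *'(deleted)')                 verdict='suspicious (binary deleted after launch)' ;;
        '?')                          verdict='unreadable (not root, or process gone)' ;;
    esac
    printf 'pid=%s exe=%s cwd=%s cmd=%s verdict=%s\n' \
        "$pid" "$exe" "$cwd" "$cmd" "$verdict"
}

# verdict_for PROC_ROOT PID: only the verdict, for use in scripts.
verdict_for() {
    inspect_pid "$1" "$2" | sed 's/.*verdict=//'
}

# scan_all_pids: on a live host (assumed to run as root so /proc/*/exe is
# readable), print every process whose verdict is suspicious.
scan_all_pids() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        case "$(verdict_for /proc "$pid")" in
            suspicious*) inspect_pid /proc "$pid" ;;
        esac
    done
}

# make_sample_proc: build a constructed /proc-like tree in a temp directory,
# modelled on the lsof output in the thread (exe and cwd under
# /var/lib/pgsql/.c) plus one benign process. Prints the directory path.
make_sample_proc() {
    sample=$(mktemp -d)
    mkdir "$sample/28936" "$sample/1234"
    ln -s /var/lib/pgsql/.c/md "$sample/28936/exe"
    ln -s /var/lib/pgsql/.c "$sample/28936/cwd"
    printf 'md\000-a\000cryptonight\000-p\000x\000' > "$sample/28936/cmdline"
    ln -s /usr/bin/sleep "$sample/1234/exe"
    ln -s /home/pavel "$sample/1234/cwd"
    printf 'sleep\000600\000' > "$sample/1234/cmdline"
    echo "$sample"
}

# Stand-alone demonstration over the constructed tree.
demo_root=$(make_sample_proc)
inspect_pid "$demo_root" 28936
inspect_pid "$demo_root" 1234
rm -rf "$demo_root"
```

The hidden-directory and temporary-path checks are heuristics and will also flag legitimate software installed under a dotted path; the "(deleted)" check is the one that should always be looked at, since a normal daemon keeps its binary on disk.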

8

Re: Crypto

Hello, 13akaEagle, you wrote:

E> How do I get rid of it?

https://blog.huntingmalware.com/notes/LLMalware
https://security.stackexchange.com/ques … 2-instance

9

Re: Crypto

Hello, smeeld, you wrote:

S> Run top, look at the executed command,  on  (find / -name XXX). Such a thing made its way onto one of our servers recently. It was placed in the folder /tmp/.ssh (.ssh so that it is not seen). It was launched stupidly from cron from some user. Look at what is in the crontab of the users it is launched from (crontab -u USER -l). If it is there, the rest you will find and kill easily.
S> PS well who in 20018 on CPU , schoolboys.

That is what I did. Only in my case it was in /var/lib/pgsql/ and was launched under the name postgres. How  repetitions?  already in the system and cannot be found? Or the root password ?

10

Re: Crypto

Hello, 13akaEagle, you wrote:

E> How  repetitions?  already in the system and cannot be found? Or the root password ?

In our case they simply took the ssh keys of that system user. They had been let out onto the network at one time. What it is in your case is not known. And in general,  which?

11

Re: Crypto

Hello, smeeld, you wrote:

S> In our case they simply took the ssh keys of that system user. They had been let out onto the network at one time. What it is in your case is not known. And in general,  which?

My computer is at home. Only now I realized that I enabled key-only access only for git; the rest is under a password. The password is not one from a dictionary, but not a hard one either. The system is Fedora. They are constantly hammering:

     16 6:24:51 PM desktop sshd[19889]: Failed password for root from 42.7.26.54 port 7766 ssh2
     16 6:24:52 PM desktop sshd[19889]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
     16 6:24:54 PM desktop sshd[19889]: Failed password for root from 42.7.26.54 port 7766 ssh2
     16 6:24:55 PM desktop sshd[19889]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
     16 6:24:58 PM desktop sshd[19889]: Failed password for root from 42.7.26.54 port 7766 ssh2
     16 6:24:58 PM desktop sshd[19889]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
     16 6:25:00 PM desktop sshd[19889]: Failed password for root from 42.7.26.54 port 7766 ssh2
     16 6:25:01 PM desktop sshd[19889]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
     16 6:25:03 PM desktop sshd[19889]: Failed password for root from 42.7.26.54 port 7766 ssh2
     16 6:25:03 PM desktop sshd[19889]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
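
The log excerpt above is a password-guessing run against root from one address. Before switching to key-only login (as recommended earlier in the thread), it is worth measuring how much of this traffic a host is getting and from where. The script below is an added example (not from the thread) that summarises sshd "Failed password" lines per source address from whatever text journalctl or /var/log/secure produces, and lists the addresses over a threshold; the sample lines it embeds are constructed, modelled on the ones posted above (42.7.26.54 is the address from those lines, the other addresses are from documentation ranges, and the month and 24-hour times are assumed).

```sh
#!/bin/sh
# Added example, not from the thread: count sshd password failures per source
# address and flag the sources over a threshold.

# failed_logins_by_ip: read sshd log lines on stdin, print "<count> <ip>"
# sorted by count, descending. The address is the token after "from", so
# both "Failed password for root from X" and "Failed password for invalid
# user admin from X" are counted; pam_succeed_if and "Accepted" lines are not.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' \
    | sort -rn
}

# flag_brute_force THRESHOLD: print only the addresses with >= THRESHOLD failures.
flag_brute_force() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample, modelled on the lines the thread's author posted.
SAMPLE_AUTH_LOG='Jan 16 18:24:51 desktop sshd[19889]: Failed password for root from 42.7.26.54 port 7766 ssh2
Jan 16 18:24:52 desktop sshd[19889]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 16 18:24:54 desktop sshd[19889]: Failed password for root from 42.7.26.54 port 7766 ssh2
Jan 16 18:24:58 desktop sshd[19889]: Failed password for root from 42.7.26.54 port 7766 ssh2
Jan 16 18:25:00 desktop sshd[19889]: Failed password for root from 42.7.26.54 port 7766 ssh2
Jan 16 18:25:03 desktop sshd[19889]: Failed password for root from 42.7.26.54 port 7766 ssh2
Jan 16 18:30:10 desktop sshd[19901]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 16 18:31:00 desktop sshd[19905]: Accepted publickey for pavel from 192.0.2.10 port 50000 ssh2'

# demo_top_source: the busiest failing source in the constructed sample.
demo_top_source() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip | head -n 1
}

# demo_sources_over THRESHOLD: sources at or over the threshold in the sample.
demo_sources_over() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_brute_force "$1"
}

demo_top_source
```

On a live Fedora host the same functions take real input with something like `journalctl -u sshd --no-pager | flag_brute_force 20`; the pam_succeed_if lines in the original log are just the "uid >= 1000" rule refusing root and carry no source address, which is why only the "Failed password" lines are counted.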

12

Re: Crypto

You are looking in the wrong place; it seems you need to look at the full path of what is launched with ps -auxwwww.

13

Re: Crypto

Hello, smeeld, you wrote:

S> PS well who in 20018 on CPU , schoolboys.

Well, that is what there is. Servers with a GPU are not so common.

14

Re: Crypto

Hello, reversecode, you wrote:

R> man ps

ps/top is faster for . htop is more .