A few days ago my server was infected with Perfctl malware. Most likely some clowns got hold of my phone and from there got my server keys and infected my server. It's a very annoying malware that eats all the CPU for mining cryptocurrency and changes a lot of files to remove logs to hide itself.

Here are the steps to remove it.

THERE MIGHT STILL BE SOME TRACES OF IT LEFT IN THE SYSTEM. I would recommend performing a clean install.
1. Remove the paths the virus added to the environment variables.
vim /etc/profile
Delete the /bin/.local/bin entry that the virus program appended to $PATH.
2. Remove the daemon startup script added by the virus.
Delete the script from /root/.bash_profile. This script triggers the execution of /usr/bin/perfcc whenever the root account logs in through SSH.
3. Remove the virus program.
rm -rf /bin/.local
rm -rf /tmp/.perf.c
Also rm -rf all the mining files whose names start with "private" under /tmp/private.
rm -rf /usr/bin/perfcc
4. Kill all the virus processes. Use
lsof -i
to check the processes. They show up as httpd with strange foreign network connections. Kill the process and log in through ssh again. Use systemctl status <pid> to walk the process tree: the parent process is the ssh tty that has just logged in. To accurately locate the virus process use ls -l /proc/<pid> (ll); you will see that the process's startup path is under /tmp/.perf.c/.
Beware: after the process is started, the file is automatically deleted.
5. Remove the system service kmodaudit.service.
Delete the kmodaudit.service system service that the perfcc virus registered with systemctl. The service will actually be in a failed state once the perfcc process has been killed and the binary deleted.
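Before deleting anything, it helps to confirm which of the indicators from steps 1 through 5 are actually present. The following read-only audit script is an added example, not from the original post; the optional ROOT prefix (for scanning a mounted disk image), the two systemd unit locations and the assumption that the .bash_profile hook names perfcc are mine.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only sweep for the perfctl
# indicators named in steps 1-5. Nothing is deleted; it only reports.
# Usage: perfctl_audit [ROOT]   ROOT is an optional prefix such as a mounted
# disk image (assumption: all paths below are taken relative to that prefix).
perfctl_audit() {
    root="${1:-}"
    found=0
    # Step 3: dropped files and directories
    for p in /bin/.local /tmp/.perf.c /usr/bin/perfcc; do
        if [ -e "$root$p" ]; then
            echo "ARTIFACT $p"
            found=$((found + 1))
        fi
    done
    # Step 1: PATH hijack in /etc/profile
    if [ -f "$root/etc/profile" ] && grep -q '/bin/\.local/bin' "$root/etc/profile"; then
        echo "PATH_HIJACK /etc/profile references /bin/.local/bin"
        found=$((found + 1))
    fi
    # Step 2: login hook in /root/.bash_profile (assumption: it names perfcc)
    if [ -f "$root/root/.bash_profile" ] && grep -q 'perfcc' "$root/root/.bash_profile"; then
        echo "LOGIN_HOOK /root/.bash_profile references perfcc"
        found=$((found + 1))
    fi
    # Step 5: persistence unit (assumed unit file locations)
    for u in /etc/systemd/system/kmodaudit.service /usr/lib/systemd/system/kmodaudit.service; do
        if [ -e "$root$u" ]; then
            echo "SERVICE $u"
            found=$((found + 1))
        fi
    done
    # Step 4: live processes started from /tmp/.perf.c. The binary deletes
    # itself after start, so inspect the cwd/exe links in /proc, not the disk.
    for d in "$root"/proc/[0-9]*; do
        [ -d "$d" ] || continue
        for link in cwd exe; do
            target=$(readlink "$d/$link" 2>/dev/null) || continue
            case "$target" in
                /tmp/.perf.c*) echo "PROCESS pid=${d##*/} $link=$target"; found=$((found + 1)) ;;
            esac
        done
    done
    echo "indicators found: $found"
}

perfctl_audit "$@"
```

Run it as root on the live host (processes owned by other users are otherwise unreadable in /proc), or point it at a mounted image to check the disk artifacts alone.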