linux - Check which script create a file in /tmp -

-



i got malware or hack in debian. see process in top took 300% of processor load. how can check script or user creating file on , on again, can kill process in next 30 min process renew.

this process is: /tmp/phpmne0ib_jhikt717dscrcw6b -c 2 -m stratum+tcp://4ae9fi43498hg 938hg....3o4ijf3ioei0:x@monerohash.com:3333/xmr

and user of process apache (www-data).

there no sure or easy way find causing this. worse still, if find keeps running script, , rid of immediate problem, still can't sure 1) "hole" got in through has been plugged , 2) haven't installed rootkit or backdoor can in @ later date.

the best advice is:

  • shutdown compromised system
  • snapshot / preserve file system.
  • use known secure system forensically examine compromised file system. should looking evidence identify vulnerability (or bad security practice!!) lead compromise.
  • once have positively cause of problem:
    • build new version of system known clean base image (e.g. installation discs) , up-to-date copies of of software, obtained known clean sources.
    • restore files , database state backup known clean; i.e. taken prior compromise.

it unwise attempt "clean out" compromised system. unless extremely skilled in forensic security , extremely diligeny, can never sure have gotten rid of hidden backdoors, etc bad guys might have left. expert hackers @ hiding tracks ... , leading false trails / false clues make think have figured out.





wiki

Comments

Post a Comment

Popular posts from this blog

python - Read npy file directly from S3 StreamingBody -

-
i have many .npy (numpy) , .json files saved in s3, need download , load these files. for json files downloading files , loading dictionary using following code: obj = s3.object(bucket, key) response = obj.get() body = response['body'].read().decode('utf-8') data = json.loads(body) that way avoid writing .json file disk , reading it. now want same .npy files, equivalent? currently downloading file, saving temp file on disk , loading np.load avoid if possible. following https://stackoverflow.com/a/28196540/3509999 : obj = s3.object(bucket, key) io.bytesio(obj.get()["body"].read()) f: # rewind file f.seek(0) arr = np.load(f) wiki
Read more

kotlin - Out-projected type in generic interface prohibits the use of metod with generic parameter -

-
i start using kotlin , defined interface this: interface aadapter<vh : recyclerview.viewholder> { fun oncreateaviewholder(parent: viewgroup): vh fun onbindaviewholder(v: vh, position: int) } and when try use on code: class klasa ( private val adapter: aadapter<*> ) { fun dosth(){ //... val vh = this.adapter.oncreateaviewholder(parent) //on below line error adapter.onbindaviewholder(v, position) //... } } i error out-projected type 'aadapter<*>' prohibits use of 'public abstract fun onbindaviewholder(v: t, position: int): unit i tied add "in" or "out" definition i'm confused. how allow it. replace aadapter<*> aadapter<recyclerview.viewholder> . class klasa ( private val adapter: aadapter<recyclerview.viewholder> ) { // ... because have declared aadapter has type parameter vh type subclass of recyclerview....
Read more

Asterisk AGI Python Script to Dialplan does not work -

-
i'm stuck project have check database of sip extension incoming caller id , dial sip extension. below receive when run script on asterisk cli. -- registered sip '9125' @ 192.168.1.102:50142 > saved useragent "zoiper rv2.8.40" peer 9125 [2017-08-22 13:53:33] notice[5095]: chan_sip.c:24558 handle_response_peerpoke: peer '9125' reachable. (17ms / 2000ms) == using sip rtp tos bits 184 == using sip rtp cos mark 5 -- executing [0112617769@from-trunk:1] answer("sip/obitrunk1-0000000d", "") in new stack > 0x1ca50d0 -- probation passed - setting rtp source address 192.168.1.98:16834 -- executing [0112617769@from-trunk:2] agi("sip/obitrunk1-0000000d", "test.py") in new stack -- launched agi script /var/lib/asterisk/agi-bin/test.py args: ['/var/lib/asterisk/agi-bin/test.py'] env line: agi_request: test.py env line: agi_channel: sip/obitrunk1-0000000d env line: agi_language: en env line: a...
Read more