My VPS sometimes goes wild because of:

/tmp/.X17-unix/.rsync/c/lib/64/tsm --library-path /tmp/.X17-unix/.rsync/c/lib/64/ /tmp/.X17-unix/.rsync/c/tsm64 -t 302 -f 1 -s 8 -S 8 -p 0 -d 1

After killing the PID and restarting the VPS, I saw 3 PIDs that kill my CPU with just ./cron in the command. After killing the ./cron PID, it is quiet but I guess it will return at some point.

I tried cd-ing into .X17-unix to see what's in there but it says the folder does not exist. Running ls -ld .?* also does not show .X17-unix, though it does show .X11-unix. Any idea what it is and what it does? And more importantly, how can I make sure it doesn't kill my VPS?

Amos
  • How is this Ubuntu related? – Pilot6 Nov 15 '19 at 09:34
  • 1
    Not sure what you ask me but my VPS has ubuntu installed – Amos Nov 15 '19 at 09:36
  • This problem is not related to Ubuntu. You'd better ask VPS maintainers. Ubuntu doesn't have any .X17-unix files. – Pilot6 Nov 15 '19 at 10:33
  • It's not related to the provider, they just gave me a VPS and I'm on my own. It looks like malware of some kind that attacked my VPS, and my VPS is ubuntu, so I guess this is where I can get help on where and what to look for to fix/kill it. – Amos Nov 15 '19 at 10:39

1 Answer

I'm afraid it looks like your VPS has already been taken over. It's basically impossible to get rid of malware once a system has been compromised. You have no chance of really knowing what the attackers did, what has been manipulated or changed, where a backdoor (or ten backdoors) might be, and so on and so forth.

Judging from the fact that you can't "see" files and directories that are actually there, the attackers have probably compromised the VPS all the way and can do anything they'd like. They basically took away from you any tools to do anything against it.

There's only one way: Get rid of the VPS and make sure the provider deletes it properly. It can't be salvaged any more. Then, start over with a new VPS and better security this time. To name just a few aspects, use better passwords or strong key-based authorization, always be diligent with updates, don't use software from dubious sources, don't give anybody access you don't completely trust and so on and so forth.

Don't transfer any file, any database records or basically anything from the old VPS to the new. For all you know, anything might be compromised and just give the attacker the keys to the new VPS the minute it's set up. Remember, the attackers already own the old VPS to the degree that they can control what you do or don't "see".

If you've got backups that you know(!) are from before the intrusion (and that haven't been stored on the old VPS, obviously), you might think about using them for the new VPS. But that's still a risk, because it's hard to say when the initial intrusion really occurred.

I'm sorry I can't give you a more positive outlook, but that's basically the only chance you've got. Remember, the internet is international. The moment a system can be reached from the internet, attackers from all over the world, from pole to pole, will try to compromise it and use it for themselves, often by using automated attack tools. You can't be too paranoid where security is concerned.

  • Thank you for the calming message :) 1. I can format it and start from scratch, is it ok or should I tell the provider to do something on his side? 2. Maybe I just need something else to make the folder accessible? What is the .X11-unix folder? 3. After killing the PIDs, it calmed down. I expect malware to wake up immediately. 4. While the CPUs went crazy, the network didn't, so it doesn't look like it just tried to exhaust the VPS. 5. I only installed tomcat/java and htop + strong password. If I start over, not sure what I can do differently to avoid it from happening again. – Amos Nov 15 '19 at 11:28
  • Regarding 1.) That depends on how your provider set things up. I'd advise talking to them. Regarding 2.) If the attacker has penetrated the system that deep, there's no "something else". Sorry. You interact with the VPS through tools like 'ls', 'cd' and so forth. If the attacker already controls those, you're basically a puppet on his strings. – Henning Kockerbeck Nov 15 '19 at 12:02
  • The .X11-unix folder belongs to the X Window System, basically the graphical interface often used on Unix-like systems. See also this other question. The X Window System may be present on a server as well, for example to use a remote desktop. It's only guessing on my part, but I'd assume the attacker chose the '.X17-unix' directory name to make people assume "oh, that's probably a part of X too, no need to worry". – Henning Kockerbeck Nov 15 '19 at 12:05
  • Regarding 4.) The purpose the attacker(s) are misusing your VPS for isn't necessarily network-related. They might use the VPS to send mass spam, to down other systems in DDoS attacks or to try and compromise other systems, which is all network-related. But they also might, for example, use the VPS' computing power to mine some crypto-currency. – Henning Kockerbeck Nov 15 '19 at 12:10
  • Regarding 3.) Malware is quite sophisticated these days. For example, some are trying to find out whether they are "living" in a simulated system, which might mean they are being analyzed by a security researcher. If so, the malware "keeps quiet" so it can't be analyzed as easily. Maybe the malware(s) on your VPS tries to lull you into thinking the problem's solved, and starts up again automatically a week from now. – Henning Kockerbeck Nov 15 '19 at 12:12
  • Regarding 5.) Because I don't know exactly what you did and how you did it, and I don't know how exactly the VPS was compromised (and I'm not all-knowing either ;) ), it's hard to say what you can do better from here. The best advice I can give is: Always keep learning and looking into things, always try to understand what you're doing and why (instead of blindly copying commands from somewhere on the internet), and be really careful about who or what you trust. – Henning Kockerbeck Nov 15 '19 at 12:15
  • Thank you for a detailed response... Will running an antivirus (clamav maybe?) help here? I read here https://askubuntu.com/questions/1115770/crond64-tsm-virus-in-ubuntu - denying 22 out can help here and ssh will still work? How can I delete ALL files and folders under the tmp folder? – Amos Nov 15 '19 at 13:17
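As an added example for this thread (not part of the question, the answer or any comment above): the symptom described, a process running out of a /tmp directory that ls and cd claim does not exist, is what a userland rootkit that filters readdir() produces. Two cheap cross-checks catch that class of tampering: comparing a directory's kernel link count against the number of subdirectories a listing shows, and reading /proc directly for executables that live under a scratch directory. This script is written for Ubuntu and assumes GNU coreutils (stat -c) and a filesystem that maintains directory link counts (ext4, xfs, tmpfs do; btrfs and some overlay mounts report 1 and are reported as "unsupported"). It detects and reports only; it changes nothing on the host, and it cannot see past a kernel-level rootkit, which is why the answer's advice to rebuild still stands.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumes GNU stat (-c %h) and a filesystem that keeps st_nlink for directories.

# hidden_subdir_check DIR
# The kernel keeps st_nlink of a directory equal to 2 + its number of
# subdirectories. A hook that filters readdir() hides entries from ls and
# shell globs but normally leaves the inode's link count untouched, so the
# two views disagree when something is hidden.
# Prints "consistent", "hidden=N" (N subdirectories the listing did not
# show), "absent" (DIR not stat-able) or "unsupported" (link count not kept).
hidden_subdir_check() {
  dir=$1
  nlink=$(stat -c %h -- "$dir" 2>/dev/null) || { echo absent; return 0; }
  if [ "$nlink" -lt 2 ]; then
    echo unsupported
    return 0
  fi
  listed=0
  # Three globs so dot-directories such as .X11-unix are counted too;
  # an unmatched glob stays literal and simply fails the -d test.
  for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
    if [ -d "$entry" ] && [ ! -L "$entry" ]; then
      listed=$((listed + 1))
    fi
  done
  hidden=$((nlink - 2 - listed))
  if [ "$hidden" -gt 0 ]; then
    echo "hidden=$hidden"
  else
    echo consistent
  fi
}

# procs_from_scratch_dirs
# Prints "PID<TAB>exe<TAB>cmdline" for every process whose executable is
# under /tmp, /var/tmp or /dev/shm, the pattern seen in the question
# (/tmp/.X17-unix/.rsync/...). Reads /proc directly instead of trusting ps.
procs_from_scratch_dirs() {
  for pid_dir in /proc/[0-9]*; do
    pid=${pid_dir#/proc/}
    exe=$(readlink "$pid_dir/exe" 2>/dev/null) || continue
    case $exe in
      /tmp/*|/var/tmp/*|/dev/shm/*)
        # cmdline is NUL-separated; print it space-separated.
        cmd=$(tr '\0' ' ' < "$pid_dir/cmdline" 2>/dev/null || true)
        printf '%s\t%s\t%s\n' "$pid" "$exe" "$cmd"
        ;;
    esac
  done
}

# Run both checks against the usual scratch directories when invoked
# with --scan, e.g.:  sh check.sh --scan
case ${1:-} in
  --scan)
    for d in /tmp /var/tmp /dev/shm; do
      printf '%s: %s\n' "$d" "$(hidden_subdir_check "$d")"
    done
    procs_from_scratch_dirs
    ;;
esac
```

A "hidden=N" result for /tmp, or a process whose exe points into /tmp, is a strong indicator that the host is compromised and should be treated as the answer describes: preserve what you need for the provider or an incident report, then rebuild from a clean image rather than trying to clean it in place.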