Here is how I removed the perfctl malware


My YunoHost server

YunoHost 11.1.2.2 (testing)
VPS Hetzner CX 31 (8 GB RAM, 2 vCPU Intel)
Interface admin + SSH

How did I catch the malware?

I really don’t know… so I am seriously concerned. There are very few testimonials on the internet about this malware.

I don’t know what this malware did, but it ended up using all the RAM and CPU. The process had “ROOT” rights…
I don’t know how it got the “ROOT” rights, but I wonder if it’s because of root access via SSH by password that I enabled for a few months before the infection. Since then, my root access is via public key.

Steps to remove the perfctl malware

After months of regular MySQL crashes caused by memory and CPU saturation (read the initial topics here and here), I finally managed to identify and remove this malware. For 8 days now, no more problems (my server used to reach saturation after a few days and then MySQL crashed).

  1. Delete the perfcc line in the crontab (use the crontab -e command).
  2. Run the following commands:

     rm /usr/bin/perfcc
     rm /root/.config/cron/perfcc
     rm /etc/cron.*/perfclean
     rm /etc/cron.*/perfcc
     reboot

The file named perfcc can be elsewhere. Check with the locate perfcc command.
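
A read-only check to confirm that the files and cron entries named in the steps above are really gone after the reboot. This is an added example, not part of the original post: the function name `perfctl_scan` is hypothetical, and the cron table paths assume a Debian layout such as YunoHost's.

```shell
# Read-only check for perfctl leftovers; it deletes nothing.
# Usage: perfctl_scan [ROOT]   (ROOT defaults to /, or a mounted copy of the disk)
# Returns 0 when nothing is found, 1 when at least one hit is printed.
perfctl_scan() {
    base="${1:-/}"
    base="${base%/}"        # "/" becomes "" so "$base/etc" stays a valid path

    hits=$(
        # Files named in the post, wherever they live (perfcc "can be
        # elsewhere"). find reads the disk directly, unlike locate, whose
        # database may be stale or not installed.
        find "${base:-/}" \( -path "$base/proc" -o -path "$base/sys" \) -prune \
            -o \( -name perfcc -o -name perfclean \) -print 2>/dev/null |
            sed 's/^/FILE /'

        # Cron tables that still mention perfcc (assumed Debian locations).
        for tab in "$base/etc/crontab" "$base"/etc/cron.d/* \
                   "$base"/var/spool/cron/crontabs/*; do
            [ -f "$tab" ] || continue
            # /dev/null forces grep to print the file name with each match
            grep -n 'perfcc' "$tab" /dev/null | sed 's/^/CRON /'
        done
    )

    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}
```

Run it as root with `perfctl_scan /` so the user crontabs under /var/spool/cron are readable; any `FILE` or `CRON` line means a cleanup step still has to be repeated for that path.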