Perfctl malware attack

I have been affected by perfctl malware.
It is eating up all the CPU.
Related topic: Here is how I removed the perfctl malware

On reddit: Reddit - Dive into anything

But unfortunately, the solution in the thread did not helped. It comes back after few hours.

Any help would be highly appreciated.


Here are the steps to remove it.
I would recommend to perform a clean install.

  1. Remove the paths virus added in the environment variables.
    vim /etc/profile
    Delete the $PATH /bin/.local/bin added by the virus program

  2. Remove the daemon startup script added by the virus.
    Delete the script from the /root/.bash_profile. This script will trigger the execution of /usr/bin/perfcc when the root account logs in through SSH.

  3. Remove the virus program.
    rm -rf /bin/.local
    rm -rf /tmp/.perf.c
    Do rm -rf to all the mining files starting with private in tmp/private.
    rm -rf /usr/bin/perfcc

  4. Kill all the virus processes. Use lsof -i to check the processes. They would be with httpd with strange foreign network connections. Kill the process and login through ssh again. Use systemctl status pid passes through the process tree. The parent process is the ssh tty that has just logged in. To accurately locate the virus process use ll /proc/pid, you would be able to see that the startup path of the process is /tmp/.perf.c/path.
    Beware: After the process is started, the file is automatically deleted.

  5. Remove the system service kmodaudit.service.
    Delete the system service kmodaudit.service registered by the systemctl virus perfcc.
    The service will actually be failing after deleting perfcc process.

1 Like

Pro tip : if your system was infected, burn everything and restore it from scratch.
Let’s hope only the system was infected and not the apps and their backups.

Take great care not to restore user env as they might be impacted, and restore manually what you want to restore.

1 Like

Did you find how it got in?

Either from Wordpress or an unused ssh key from my stolen phone.