Perfctl malware attack

Hi,
I have been affected by perfctl malware.
It is eating up all the CPU.
Related topic: Here is how I removed the perfctl malware

On Reddit: (link to the Reddit thread)

But unfortunately, the solution in the thread did not help. It comes back after a few hours.

Any help would be highly appreciated.

Thanks

Here are the steps to remove it.
THERE MIGHT STILL BE SOME TRACES OF IT LEFT IN THE SYSTEM.
I would recommend performing a clean install.

  1. Remove the paths the virus added to the environment variables.
    vim /etc/profile
    Delete the /bin/.local/bin entry the virus program added to $PATH.

  2. Remove the daemon startup script added by the virus.
    Delete the script from the /root/.bash_profile. This script will trigger the execution of /usr/bin/perfcc when the root account logs in through SSH.

  3. Remove the virus program.
    rm -rf /bin/.local
    rm -rf /tmp/.perf.c
    Run rm -rf on all the mining files starting with private in tmp/private.
    rm -rf /usr/bin/perfcc

  4. Kill all the virus processes. Use lsof -i to check the processes. They would be httpd processes with strange foreign network connections. Kill the process and log in through ssh again. Use systemctl status pid to walk through the process tree. The parent process is the ssh tty that has just logged in. To accurately locate the virus process, use ll /proc/pid; you would be able to see that the startup path of the process is /tmp/.perf.c/path.
    Beware: After the process is started, the file is automatically deleted.

  5. Remove the system service kmodaudit.service.
    Delete the system service kmodaudit.service registered with systemctl by the virus perfcc.
    The service will actually be failing after deleting the perfcc process.

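
A read-only triage script, added here as an example (it is not part of the post above and not from any tool), that checks a host, or a mounted image or directory tree passed as ROOT, for the indicators named in steps 1 to 5: the /bin/.local/bin PATH entry, the perfcc hook in /root/.bash_profile, the dropped files, processes started from /tmp/.perf.c, and the kmodaudit.service unit. The systemd unit directories and the /tmp/private* pattern are my assumptions; the script only reports and deletes nothing.

```shell
#!/bin/sh
# Read-only triage for the perfctl indicators listed in the removal steps above.
# Usage: perfctl_triage [ROOT]  (ROOT defaults to /; pass a mounted image or test tree instead)
# Prints one line per hit; returns 0 when nothing matched, 1 otherwise.

perfctl_triage() {
    root="${1:-/}"
    root="${root%/}"   # drop trailing slash so "$root/etc/profile" is well-formed
    hits=0

    # Step 1: PATH tampering in /etc/profile (/bin/.local/bin appended by the malware)
    if [ -f "$root/etc/profile" ] && grep -q '/bin/\.local/bin' "$root/etc/profile"; then
        echo "HIT: $root/etc/profile references /bin/.local/bin"; hits=$((hits + 1))
    fi

    # Step 2: login hook in root's .bash_profile that starts /usr/bin/perfcc on SSH login
    if [ -f "$root/root/.bash_profile" ] && grep -q 'perfcc' "$root/root/.bash_profile"; then
        echo "HIT: $root/root/.bash_profile references perfcc"; hits=$((hits + 1))
    fi

    # Step 3: dropped files and directories, plus the /tmp/private* miner files (pattern assumed)
    for p in /bin/.local /tmp/.perf.c /usr/bin/perfcc; do
        [ -e "$root$p" ] && { echo "HIT: $root$p exists"; hits=$((hits + 1)); }
    done
    for f in "$root"/tmp/private*; do
        [ -e "$f" ] && { echo "HIT: miner file $f"; hits=$((hits + 1)); }
    done

    # Step 4: live processes whose executable was started from /tmp/.perf.c; the binary
    # deletes itself after start, so readlink reports the path with a " (deleted)" suffix
    for exe in "$root"/proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            /tmp/.perf.c/*) pid=${exe#"$root"/proc/}; pid=${pid%/exe}
                            echo "HIT: pid $pid running from $target"; hits=$((hits + 1)) ;;
        esac
    done

    # Step 5: the kmodaudit.service unit (standard unit directories assumed)
    for u in /etc/systemd/system/kmodaudit.service /usr/lib/systemd/system/kmodaudit.service; do
        [ -e "$root$u" ] && { echo "HIT: $root$u exists"; hits=$((hits + 1)); }
    done

    echo "perfctl_triage: $hits indicator(s) found"
    [ "$hits" -eq 0 ]
}
```

Run it as root on the live box (`perfctl_triage`) for the process check, or point it at a mounted disk image to review an offline copy without touching the running system.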

Pro tip : if your system was infected, burn everything and restore it from scratch.
Let’s hope only the system was infected and not the apps and their backups.

Take great care not to restore user env as they might be impacted, and restore manually what you want to restore.


Did you find how it got in?

Either from Wordpress or an unused ssh key from my stolen phone.