Scanning rootkit on your Linux (Debian and Centos)

The steps to clean are:

  1. Check the file /etc/crontab. You probably have an entry to call the virus every 3 minutes
       */3 * * * * root /etc/cron.hourly/cron.sh
    Delete this line.
  2. Identify the parent process of the virus. The bfyqwykzfr in your ps -ej. The other proceses are created and killed continously.
  3. Stop it, dont kill it, with kill -STOP 1632
  4. Check with another ps -ej that only the parent lives, the children should die quickly
  5. Now you can delete the files in /usr/bin and /etc/init.d. There are variants of the virus that also uses /boot or /bin. Use ls -lt | head to look for files that have been modified recently.
  6. Check the script in /etc/cron.hourly/cron.sh. In our server it was calling another copy of the virus on /lib/libgcc.so. Delete both files.
  7. Now you can kill definitely the bfyqwykzfr process.



# rm /etc/cron.hourly/gcc.sh

# locate bfyqwykzfr
/etc/cron.hourly/gcc.sh
/etc/rc.d/init.d/bfyqwykzfr
/etc/rc.d/rc0.d/K90bfyqwykzfr
/etc/rc.d/rc1.d/S90bfyqwykzfr
/etc/rc.d/rc2.d/K90bfyqwykzfr
/etc/rc.d/rc3.d/K90bfyqwykzfr
/etc/rc.d/rc4.d/K90bfyqwykzfr
/etc/rc.d/rc5.d/K90bfyqwykzfr
/etc/rc.d/rc6.d/K90bfyqwykzfr
/usr/bin/bfyqwykzfr

# ls -lRt /etc/init.d/ | grep /etc/init.d/bfyqwykzfr
-rwxr-xr-x  1 root root   323 Feb 16 14:57 bfyqwykzfr
# rm /etc/init.d/bfyqwykzfr -f

# chkconfig --list
...
bfyqwykzfr      0:off   1:on    2:off   3:off   4:off   5:off   6:off
...
# chkconfig --del bfyqwykzfr

# ls -l /usr/bin/ | grep bfyqwykzfr
...
-rwxr-xr-x  1 root root     625718 Feb 12 13:23 bfyqwykzfr
...
# rm -f /usr/bin/bfyqwykzfr

installing rkhunter
--------------------------------
debian
# apt-get install rkhunter

centos
# yum install epel-release
# yum -y install rkhunter

update rkhunter database
# rkhunter --update
scan/check rootkit
# rkhunter -c
update rkhunter property
# rkhunter --propupd

installing chkrootkit
--------------------------------
debian

centos
# yum install chkrootkit

scan/check
# chkrootkit

ClamAV
--------------------------------
debian

centos
# yum install clamav -y

 
update virus database
# freshclam
scan directory
# clamscan -r /usr/sbin/
 

--------------------------------
References:
http://superuser.com/questions/863997/ddos-virus-infection-as-a-unix-service-on-a-debian-8-vm-webserver
http://blog.amet13.name/2015/05/linux.html
http://www.woktron.com/secure/knowledgebase/79/Installation-Rootkit-Hunter-rkhunter-on-CentOS-5-and-6.html
http://www.clamav.net/documents/troubleshooting-faq