Scanning for a rootkit on your Linux server (Debian and CentOS)

The cleanup steps are:

  1. Check /etc/crontab. You will probably find an entry that calls the malware every 3 minutes:
       */3 * * * * root /etc/cron.hourly/
     Delete this line.
  2. Identify the parent process of the malware: bfyqwykzfr in your ps -ej output. The other processes are created and killed continuously, so they are not the ones to go after.
  3. Freeze the parent with SIGSTOP, do not kill it yet: kill -STOP 1632 (1632 is the PID from our ps output; use yours). While it is stopped it cannot spawn new children, which is what you want while you remove its files.
  4. Check with another ps -ej that only the frozen parent is left; the children should die quickly once nothing respawns them.
  5. Now you can delete the files in /usr/bin and /etc/init.d. There are variants that also use /boot or /bin. Use ls -lt | head in each directory to look for files that have been modified recently.
  6. Check the script in /etc/cron.hourly/ On our server it was calling another copy of the malware under /lib/ Delete both files.
  7. Now you can kill the bfyqwykzfr process for good.

# rm /etc/cron.hourly/

# locate bfyqwykzfr
(locate searches the index built by the last updatedb run, so a file dropped after that run will not show up; run updatedb first, or use find / -name bfyqwykzfr.)

# ls -lt /etc/init.d/ | grep bfyqwykzfr
-rwxr-xr-x  1 root root   323 Feb 16 14:57 bfyqwykzfr
# rm /etc/init.d/bfyqwykzfr -f

# chkconfig --list
bfyqwykzfr      0:off   1:on    2:off   3:off   4:off   5:off   6:off
# chkconfig --del bfyqwykzfr

# ls -l /usr/bin/ | grep bfyqwykzfr
-rwxr-xr-x  1 root root     625718 Feb 12 13:23 bfyqwykzfr
# rm -f /usr/bin/bfyqwykzfr
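
The manual steps above, scripted as a report-only triage helper. This is an added example, not a script from the original page: it only prints what it finds and freezes nothing unless you call the functions yourself, so every hit gets confirmed by hand before an rm. It assumes the malware copies are named with 10 random lowercase letters (as bfyqwykzfr is) and that the cron entry uses a "*/N" minute field pointing at /etc/cron.hourly, as on the server described here; both are heuristics, not a general signature.

```bash
#!/bin/bash
# Added triage helper for the cleanup steps above (not code from the original
# page). It only REPORTS: nothing is deleted or killed by triage, so you can
# confirm each hit before removing it. Assumptions: malware copies are named
# with 10 random lowercase letters (like bfyqwykzfr) and the cron entry uses a
# "*/N" minute field that points at /etc/cron.hourly, as on the server above.

# Step 1: crontab lines that run something from /etc/cron.hourly every N minutes.
# $1 = crontab file (default /etc/crontab). Prints the matching lines.
find_cron_callers() {
    grep -E '^\*/[0-9]+[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*.*cron\.hourly' \
        "${1:-/etc/crontab}" 2>/dev/null
}

# Step 5: regular files in a directory modified within the last $2 days,
# the scripted form of "ls -lt | head". $1 = directory, $2 = days (default 7).
find_recent() {
    find "$1" -maxdepth 1 -type f -mtime -"${2:-7}" 2>/dev/null
}

# Steps 5/6: regular files whose name is exactly 10 lowercase letters, the
# naming pattern this sample used in /usr/bin, /etc/init.d and /lib.
find_random_named() {
    local f
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in
            [a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z]) printf '%s\n' "$f" ;;
        esac
    done
}

# Step 3: freeze a process with SIGSTOP instead of killing it.
freeze_process() {
    kill -STOP "$1"
}

# Steps 3/4: one-letter process state ("T" = stopped, "S"/"R" = still running),
# read from /proc on Linux, from ps elsewhere.
process_state() {
    if [ -r "/proc/$1/status" ]; then
        awk '/^State:/ { print $2 }' "/proc/$1/status"
    else
        ps -o stat= -p "$1" | tr -d ' '
    fi
}

# Step 4: PIDs whose parent is $1, to confirm the children are gone.
children_of() {
    ps -e -o pid= -o ppid= | awk -v p="$1" '$2 == p { print $1 }'
}

# Full read-only sweep over the directories mentioned above; run as root.
triage() {
    echo "== cron entries calling /etc/cron.hourly every few minutes"
    find_cron_callers /etc/crontab
    local d
    for d in /usr/bin /bin /etc/init.d /etc/cron.hourly /lib /boot; do
        echo "== $d: modified in the last 7 days"
        find_recent "$d" 7
        echo "== $d: 10-letter random names"
        find_random_named "$d"
    done
}

# Run the sweep only when asked (bash triage.sh --run); sourcing the file
# just defines the functions so you can freeze_process / process_state by hand.
case "${1:-}" in
    --run) triage ;;
esac
```

Run it as root with --run for the report, then source it and use freeze_process PID, process_state PID and children_of PID to walk through steps 3 and 4 interactively; only once process_state prints T and children_of prints nothing should the rm and chkconfig --del commands above be issued.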

installing rkhunter

on Debian:
# apt-get install rkhunter

on CentOS (rkhunter comes from EPEL):
# yum install epel-release
# yum -y install rkhunter

update the rkhunter data files
# rkhunter --update
scan/check for rootkits (add --sk to skip the "press enter" prompts between test groups)
# rkhunter -c
update the rkhunter file-properties database
# rkhunter --propupd
Run --propupd only once you are confident the machine is clean: it records the current hashes, sizes and permissions of the system binaries as the trusted baseline, so running it on a still-infected server whitelists the malware for every later scan.

installing chkrootkit

# apt-get install chkrootkit
# yum install chkrootkit

run the scan
# chkrootkit


installing clamav

# apt-get install clamav
# yum install clamav clamav-update -y

update virus database (on CentOS the freshclam binary comes from the clamav-update package)
# freshclam
scan directory (add -i to print only the infected files)
# clamscan -r /usr/sbin/