Hi, my VPS was recently compromised and infected. The hosting company told me that they've cleaned the server of the infection; however, I've run a rootkit hunter scan and seen a few worrying things. Here is the full scan; the things I'm not sure about are highlighted in bold.
Does anybody have any idea about what these randomly named files/processes I highlighted could be? Right click -> properties says it's an executable. I can try to upload the contents of the file onto pastebin; however, I'm not sure if that is against the forum rules or not, so if it's allowed and needed then ask.
I really don't know much about this kind of thing so if there is any information I was meant to provide please ask for it and I'll do my best to provide it.
Best regards
Also, how can I whitelist .log files?
Code:
root@badbox:~# sudo rkhunter -c --enable all --disable none --rwo
Warning: The following processes are using deleted files:
Process: /usr/bin/tgfvvtxvse PID: 1608 File: /usr/bin/tgfvvtxvse
Process: /usr/bin/tgfvvtxvse PID: 1611 File: /usr/bin/tgfvvtxvse
Process: /usr/bin/tgfvvtxvse PID: 1612 File: /usr/bin/tgfvvtxvse
Process: /usr/bin/tgfvvtxvse PID: 1615 File: /usr/bin/tgfvvtxvse
Process: /usr/bin/tgfvvtxvse PID: 1621 File: /usr/bin/tgfvvtxvse
Process: /usr/bin/sudo PID: 3809 File: /dev/pts/0
Process: /bin/dash PID: 3810 File: /dev/pts/0
Process: /usr/bin/xinit PID: 4044 File: /dev/pts/0
Process: /usr/bin/xfce4-session PID: 4061 File: /dev/pts/0
Process: /usr/bin/dbus-launch PID: 4092 File: /dev/pts/0
Warning: File '/tmp/gvxddrshkl' (score: 206) contains some suspicious content and should be checked.
Warning: File '/tmp/vmware-root/vmware-apploader-1068.log' (score: 221) contains some suspicious content and should be checked.
Warning: File '/tmp/vmware-root/vmware-apploader-26937.log' (score: 221) contains some suspicious content and should be checked.
Warning: File '/tmp/vmware-root/vmware-apploader-4536.log' (score: 221) contains some suspicious content and should be checked.
Warning: File '/tmp/vmware-root/vmware-apploader-1073.log' (score: 221) contains some suspicious content and should be checked.
Warning: File '/tmp/vmware-root/vmware-apploader-27797.log' (score: 221) contains some suspicious content and should be checked.
Warning: File '/tmp/vmware-root/vmware-apploader-4291.log' (score: 221) contains some suspicious content and should be checked.
Warning: File '/tmp/vmware-root/vmware-apploader-28589.log' (score: 221) contains some suspicious content and should be checked.
Warning: Checking for files with suspicious contents [ Warning ]
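A triage helper for the first warning block, added here as an example that is not part of the original post or of rkhunter: it walks /proc, reports every process whose executable has been unlinked from disk (the condition behind "processes are using deleted files" for the /usr/bin entries above), and checks whether that path belongs to an installed package, since a daemon still running after a package upgrade is the usual benign cause, while an unpackaged, randomly named binary is not. The proc-root parameter and the `package_owner` helper are assumptions for illustration (dpkg-based, matching the Debian-style /bin/dash seen in the scan).

```sh
#!/bin/sh
# Added triage example: list running processes whose executable has been
# unlinked from disk, i.e. what rkhunter reports as "using deleted files"
# for /usr/bin/tgfvvtxvse above. Reading other users' exe links needs root.
# The proc-root argument is a hypothetical parameter so the same logic can
# run against a constructed /proc-like tree; on a live host it is /proc.

# Classify a /proc/<pid>/exe link target: the kernel appends " (deleted)"
# when the file behind a running program has been removed.
classify_exe_target() {
    case "$1" in
        *' (deleted)') echo "deleted-binary" ;;
        *) echo "on-disk" ;;
    esac
}

# Report the installed package owning a path (dpkg-based assumption), or
# "unpackaged" when none does. A deleted executable that no package owns
# deserves more attention than one replaced by a routine upgrade.
package_owner() {
    command -v dpkg >/dev/null 2>&1 || { echo "unknown"; return; }
    owner=$(dpkg -S "$1" 2>/dev/null | cut -d: -f1)
    echo "${owner:-unpackaged}"
}

# Walk a proc tree and print "PID PATH OWNER CMDLINE" for every process
# whose executable is deleted. Open terminal descriptors such as the
# /dev/pts/0 entries in the scan are not executables and are not listed.
list_deleted_exe() {
    root="${1:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        target=$(readlink "$d/exe" 2>/dev/null) || continue
        [ "$(classify_exe_target "$target")" = "deleted-binary" ] || continue
        path="${target% (deleted)}"
        cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null | sed 's/ *$//')
        printf '%s %s %s %s\n' "${d##*/}" "$path" "$(package_owner "$path")" "$cmd"
    done
}

# Stand-alone use on a live host: sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
    list_deleted_exe /proc
fi
```

Compare each reported PATH against the package manager's file list and the process's open sockets before deciding it is benign; the pts entries in the scan are the user's own sudo/shell/X session holding a closed pseudo-terminal open.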