Viruses on servers

(edited by sela 29/07/2020 10:54:45)

Recently, infections of some of our partners' servers with viruses have become more frequent.

In particular, we see a virus of the type Multios.Coinminer.Miner. It often masquerades as a system process, for example kswapd0, and significantly loads the server.

To detect the virus, you can use the "top" utility or the command:

ps axf | grep "/kswapd0" | grep -v grep

In the cases we investigated, the virus was written either to hidden subdirectories of the /tmp directory or to user directories such as /home/wialon/, for example /home/wialon/.configrc/a/kswapd0
In some cases such a process can be detected simply with the "top" utility; however, the virus is not always active.

An antivirus should be used for accurate detection.
One such antivirus is the free ClamAV - https://www.clamav.net/
You can install it from the standard Debian repositories by running

apt-get install clamav -y

Next, update the database


You can use this command to scan

clamscan -ri /

The virus files can be deleted manually, or you can add the --remove option to the previous command.
However, if system files are infected, you will have to restore them individually or reinstall the system (which is more reliable).

What could cause the server to become infected?

This is often caused by a simple password for ssh access and standard connection settings.
In general, it is recommended to use complex passwords and forbid root access from outside.
You can create a separate user to connect via ssh, with superuser rights or with the ability to switch to root.
Also, for additional security, you can use a port other than the standard one (22) for ssh.

Wialon Local Expert
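
The kswapd0 disguise described in the post can also be checked through /proc: a genuine kernel thread has an empty command line and no executable link, while a binary dropped on disk has both. The script below is an added example, not part of the original post; the function name find_fake_kthreads and its optional PROC_ROOT argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): flag user-space processes that
# borrow the name of a kernel thread such as kswapd0.
#
# A real kernel thread has an empty /proc/PID/cmdline and /proc/PID/exe cannot
# be resolved. A miner started from a file such as
# /home/wialon/.configrc/a/kswapd0 has a command line and an exe link.

# find_fake_kthreads NAME [PROC_ROOT]
# Prints "PID EXE_PATH" for every process whose name (comm) equals NAME but
# which is backed by an executable or has a command line.
# PROC_ROOT is a hypothetical parameter of this example; it defaults to /proc
# and lets the same check run against a saved copy of /proc.
find_fake_kthreads() {
    name=$1
    proc_root=${2:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        [ "$comm" = "$name" ] || continue
        # procfs reports size 0 for every file, so read the content instead
        # of testing the size. Arguments are NUL-separated.
        cmdline=$(tr '\000' ' ' < "$dir/cmdline" 2>/dev/null) || cmdline=""
        # readlink fails for kernel threads (and without permission).
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe=""
        if [ -n "$cmdline" ] || [ -n "$exe" ]; then
            printf '%s %s\n' "${dir##*/}" "${exe:-unknown}"
        fi
    done
}

# Check the live system for the process name mentioned in the post.
find_fake_kthreads kswapd0
```

Run it as root so the exe link of other users' processes can be read; no output means no process named kswapd0 has an executable or a command line.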