
How to un-hide?

Open · bepstein111 opened this issue 1 year ago · 1 comment

Yesterday my server was infected by what seems to be a crypto-miner or some other type of bandwidth hog. I found the following in /var/tmp/.11/:

```
-rwxr-xr-x 1 root root   20240 Oct 26 22:54 bash.sh
-rw-r--r-- 1 root root 4413086 Jan  5 23:34 enbash.tar
-rw-r--r-- 1 root root 6304805 Jan  5 23:34 enbio.tar
-rwxr-xr-x 1 root root 2359889 Nov 28 02:11 fkoths
drwxr-xr-x 2 root root    4096 Jan  7 22:27 ..lph
```

and ..lph contains a Makefile and processhider.c. Since your code enables this virus to function, I'm hoping you're aware of a safe workaround or method of un-hiding because, obviously, I can't fix what I can't see.

bepstein111 avatar Jan 08 '24 06:01 bepstein111

Hello @bepstein111

I am not the author of this library, but I hope this will help you. This library uses the ld preloader and modifies the /etc/ld.so.preload file:

```
root@sid:~# echo /usr/local/lib/libprocesshider.so >> /etc/ld.so.preload
```

So if you delete the /usr/local/lib/libprocesshider.so line from the /etc/ld.so.preload file, you should see the malicious process.

dronov avatar Jan 23 '24 18:01 dronov
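The reply above explains the mechanism: the library is injected into every dynamically linked process through /etc/ld.so.preload and filters the process out of directory listings of /proc, which is what ps, top and ls rely on. The script below is an added example (not code from the issue, the library, or either participant) that turns that into a check: it prints the entries of an ld.so.preload-style file, and it finds PIDs that exist when /proc/<n> is probed directly with a stat()-style test but are missing from the readdir()-based listing. It assumes a Linux /proc layout; the function and file-path arguments are this example's own, added so the pieces can be run against copies of the files.

```shell
#!/bin/sh
# Added example: audit /etc/ld.so.preload and look for PIDs hidden from
# readdir(). A readdir() hook removes entries from the directory listing
# of /proc, but a direct existence test on /proc/<n> (a stat() call) is
# not affected, so any PID that answers the probe yet is absent from the
# listing is a candidate hidden process.

# Print the libraries named in an ld.so.preload-style file ($1), one per
# line, ignoring blank lines and '#' comments. Prints nothing if absent.
preload_entries() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$' || true
}

# Print the numeric entries of a /proc-like directory ($1, default /proc)
# exactly as readdir() reports them, i.e. what ls, ps and top would see.
listed_pids() {
    ls -1 "${1:-/proc}" | grep -E '^[0-9]+$' | sort
}

# Print PIDs found by probing "$1/<n>" for n = 1..$2 (default: pid_max).
# Each probe is a stat(), so a readdir() hook cannot suppress it.
probed_pids() {
    dir=${1:-/proc}
    max=${2:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}
    n=1
    while [ "$n" -le "$max" ]; do
        [ -d "$dir/$n" ] && echo "$n"
        n=$((n + 1))
    done | sort
}

# Print PIDs present in the probed list ($2) but missing from the listed
# list ($1). Both arguments are newline-separated strings.
hidden_pids() {
    t=$(mktemp -d)
    printf '%s\n' "$1" | grep -v '^$' | sort > "$t/listed"
    printf '%s\n' "$2" | grep -v '^$' | sort > "$t/probed"
    comm -13 "$t/listed" "$t/probed"
    rm -rf "$t"
}

# Full audit against the live system. $1 is an optional upper PID bound.
scan() {
    max=${1:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}
    echo "== /etc/ld.so.preload entries =="
    preload_entries /etc/ld.so.preload
    listed=$(listed_pids /proc)
    probed=$(probed_pids /proc "$max")
    hidden=$(hidden_pids "$listed" "$probed")
    if [ -n "$hidden" ]; then
        echo "== PIDs present in /proc but missing from its listing =="
        for p in $hidden; do
            # cmdline is NUL-separated; show it as one line
            printf '%s %s\n' "$p" "$(tr '\0' ' ' < "/proc/$p/cmdline" 2>/dev/null)"
        done
    else
        echo "no hidden PIDs found (probed 1..$max)"
    fi
}

# Only run the live scan when invoked as: sh unhide.sh scan [max_pid]
if [ "${1:-}" = "scan" ]; then
    scan "${2:-}"
fi
```

Run it as `sh unhide.sh scan`; probing all the way to pid_max is slow in a shell loop on systems where that value is large, so a smaller bound can be passed as the second argument once you know the PID range in use. Two general caveats when applying the fix from the reply: the edit to /etc/ld.so.preload only takes effect for processes started afterwards, so the miner itself must still be killed, and the file cannot be edited while it carries the immutable attribute (check with `lsattr /etc/ld.so.preload`).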