
I have a process named "stealth" that has infected my server (slamming my CPU) and I can't figure out where it is to remove it for good. Every time I kill the process it somehow starts itself again...

ps -ef | grep stealth gives me this:

(screenshot: ps output showing the stealth process)

But I have no idea where ./stealth would be since it's a relative path?

Also when I try using locate or find, I get nothing.

Any ideas how I can find and remove this process?

3 Answers


If I’m not mistaken, ls -l /proc/11377/exe will tell you where the file is located. Removing it might be a whole other matter though.


Your computer is compromised. If possible replace the server with a clean one or reinstall it. You should not trust it anymore.

  1. before running locate, run updatedb to make sure the "locate" database is current
  2. the fact that the process respawns means it is under the supervision of another process (init, daemontools, cron, etc). Look at the process parent-id to find out which process is launching it. This program will need to be examined to figure out what relationship it has to the stealth program
  3. examine the proc entry for the process id, look at /proc/[pid]/cwd this gives you the "current working directory" which will tell you where ./stealth is
  4. kill -SIGSTOP [pid] will stop (suspend) the process without killing it, letting you examine it without worrying about it doing anything further.
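The /proc inspection described in the first and third answers (the exe link, the cwd link, the parent chain, and SIGSTOP) can be wrapped into a small set of POSIX shell functions. This is an added example, not code from any of the answerers; the function names are hypothetical, and the pid 11377 used in the usage comment is the one from the question's ps output. The script assumes a Linux /proc filesystem with readlink, sed and awk available.

```shell
#!/bin/sh
# Added triage helpers (hypothetical names): locate a running process's
# binary and working directory, walk its parent chain to find whatever
# keeps restarting it, and freeze it for inspection. Uses only /proc.

# Real path of the executable behind a pid. If the binary was removed
# after launch, the link target ends in " (deleted)", which is itself a
# useful indicator.
proc_exe() {
    readlink "/proc/$1/exe"
}

# Current working directory of the process; this is the directory that a
# relative path such as ./stealth in ps output is resolved against.
proc_cwd() {
    readlink "/proc/$1/cwd"
}

# Parent pid, read from /proc/<pid>/stat. The comm field is wrapped in
# parentheses and may contain spaces, so everything through ") " is
# stripped first; the remaining fields start with state, then ppid.
proc_ppid() {
    sed 's/^.*) //' "/proc/$1/stat" | awk '{print $2}'
}

# Walk from a pid up to pid 1, printing pid, executable and cwd at each
# level, so the supervising process (cron, init, a shell loop, a
# daemontools-style supervisor, ...) becomes visible.
proc_ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 1 ]; do
        printf '%s\t%s\t%s\n' "$pid" \
            "$(proc_exe "$pid" 2>/dev/null)" \
            "$(proc_cwd "$pid" 2>/dev/null)"
        pid=$(proc_ppid "$pid" 2>/dev/null)
    done
}

# Suspend rather than kill: the process stops consuming CPU but its
# /proc entry, open files and memory stay available for examination.
# Resume later with: kill -CONT <pid>
proc_freeze() {
    kill -STOP "$1"
}

# Usage (pid taken from the question's ps output):
#   . ./proctriage.sh
#   proc_ancestry 11377
#   proc_freeze 11377
if [ $# -gt 0 ]; then
    proc_ancestry "$1"
fi
```

Run proc_ancestry before killing anything: the respawn cycle means the interesting entry is usually one or two levels above the "stealth" pid, and that parent's exe and cwd tell you what to examine next (a crontab, an rc script, a looping shell). Once the binary path is known, checking whether the link target carries the " (deleted)" suffix tells you whether locate and find failed because the file was already unlinked from disk.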