My advice? Look in the /tmp/ directory and see if there is anything there that shouldn’t be there. 9 times out of 10, malware on Linux systems will be able to install itself in /tmp/.
If you are unsure what should/shouldn’t be in /tmp/ there is an easy—but extreme—thing you can do to clear out the bad stuff. Just run this on one line at the command line:
sudo rm -rf /tmp && sudo mkdir /tmp && sudo chown root:root /tmp && sudo chmod 1777 /tmp
Or run each command individually like this:
sudo rm -rf /tmp
sudo mkdir /tmp
sudo chown root:root /tmp
sudo chmod 1777 /tmp
Then reboot the server to see if that clears things up. If it does, congrats! But you are not out of the woods yet: since whatever caused the original infection can still penetrate your system, it’s only a matter of time before they reinfect you again. Meaning, this cleans up the mess caused by a weakness in your system, but you need to find out what that weak point might be and harden it.
If your servers are infected, the infection had to come from somewhere. Since the bash Shellshock bug was discovered this past summer, chances are high that your machine was infected by an exploit against the server that took advantage of this bug. You can check by running this command from the command line:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
If you are infected, it would return the following output:
vulnerable
hello
The “hello” is acceptable output. The “vulnerable” means the version of bash installed on the system is vulnerable to “Shellshock” exploits.
So now that we know this version of bash has a problem, let’s enter the following commands to install an upgrade of bash.
sudo apt-get update
sudo apt-get install --only-upgrade bash
Once that is all done, run this hack test again:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
And the output this time should only be “hello”, which means bash is now solid.
But all of that presumes that the bash exploit was the issue. If something else happened, something else would need to be done.
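The two checks this answer walks through (probe bash for Shellshock, then look at what is sitting in /tmp) as a small POSIX shell script. This is an added example, not part of the original answer; the function names and the idea of listing unusual /tmp entries before wiping the directory are my own, and the directory argument defaults to /tmp.

```shell
#!/bin/sh
# Added example (not from the original answer): scriptable versions of the
# checks described above, for a defender triaging a possibly infected host.

# Run the Shellshock probe from the answer and classify the result.
# Prints "vulnerable", "patched", or "no-bash" so callers can branch on it.
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # A vulnerable bash parses the function body stored in the environment
    # variable and executes the trailing command, so "vulnerable" is printed
    # before "hello". A patched bash prints only "hello".
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo hello' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Instead of blindly recreating /tmp, list what is unusual there first:
# executable regular files and hidden entries (dotfiles) are the typical
# places a drop-and-run payload lands. $1 is the directory to inspect
# (defaults to /tmp). Output is one path per line, sorted, so it can be
# diffed against a previous run or fed to a file-hashing tool.
suspicious_tmp_entries() {
    dir=${1:-/tmp}
    find "$dir" -xdev ! -path "$dir" \
        \( -name '.*' -o -type f -perm -u+x \) 2>/dev/null | sort
}

# Usage when run directly:
printf 'bash Shellshock status: %s\n' "$(shellshock_status)"
printf 'unusual entries under /tmp:\n'
suspicious_tmp_entries /tmp
```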