
How can/should I kill masscan process

















I host a small Ubuntu server with DigitalOcean and recently realized a guest user was compromised. I have been trying to clean up my server to stop future attacks and have come across a process that consistently takes up ~25% of my CPU. The process is running masscan and I am under the impression that this process is a result of my recent attack.



I have been trying to kill the existing process but a new masscan process continues to spawn in its place. I am first wondering if I am right to assume that this masscan process is likely coming from a malicious place and I am then wondering how to go about killing the process for good.



Here is the full command being run:



./masscan -p 1835 --banner --rate 50000 --exclude 255.255.255.255 --exclude 10.0.0.0/8 --exclude 192.168.0.0/16 --exclude 127.0.0.0/8 --range 1.0.0.0-223.255.255.255


























  • 5
    You may want to delete that instance and rebuild it. See How do I deal with a compromised server?
    – Kusalananda
    2 days ago

  • 1
    @Kusalananda I was trying to avoid that but you may be right
    – AC-5
    2 days ago











  • Wiping and rebuilding is the right (and only) answer to a compromised system... but in the short term, you can probably use pstree to find the process which is respawning masscan. Also look in the crontab for root and/or the uid running masscan.

    – cas
    2 days ago













  • @cas that's lousy advice. Any process can fork+exit to get rid of its parent or execute a binary as child of another process by attaching to it with ptrace().

    – Uncle Billy
    2 days ago











  • @UncleBilly I think you mean "accurate" rather than "lousy". The OP was concerned about masscan respawning after being killed. That requires some other process to notice that masscan has been killed and respawn it. Or just run a wrapper script from cron, to start masscan if needed. This other process can't just fork and exit, it has to stick around to restart masscan if/when required. There are, of course, other methods but detecting and fixing them aren't worth the bother in the short time frame before Doing The Right Thing by wiping and reinstalling.

    – cas
    2 days ago
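
The parent-chain check discussed in the comments above, as an added example that is not part of the original thread: it walks a `ps -eo pid,ppid,user,args` listing from a suspect PID up to init, and also shows the case where the parent is already PID 1. The listing is constructed sample data; its PIDs, the `guest` account's script path and the function names `sample_ps`, `ancestry` and `spawner` are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in the format of `ps -eo pid,ppid,user,args`
# (not taken from the asker's server; PIDs and the wrapper path are made up).
sample_ps() {
cat <<'EOF'
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  612     1 root     /usr/sbin/cron -f
 4410   612 root     /usr/sbin/CRON -f
 4411  4410 guest    /bin/sh -c /home/guest/.cache/run.sh
 4412  4411 guest    /bin/sh /home/guest/.cache/run.sh
 4413  4412 guest    ./masscan -p 1835 --banner --rate 50000
 5001     1 guest    ./masscan -p 1835 --banner --rate 50000
EOF
}

# ancestry PID: read a ps listing on stdin and print "pid user command" for
# PID and each ancestor. Stops at PID 1, at a parent missing from the
# listing, or if the parent links loop.
ancestry() {
    awk -v target="$1" '
        NR == 1 && $1 == "PID" { next }          # skip the header line
        {
            ppid[$1] = $2; user[$1] = $3
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd " " $i
            args[$1] = cmd
        }
        END {
            p = target
            while ((p in ppid) && !(p in seen)) {
                seen[p] = 1
                print p, user[p], args[p]
                if (p + 0 == 1) break
                p = ppid[p]
            }
        }'
}

# spawner PID: print only the immediate parent. A parent of PID 1 means the
# chain says nothing about what started the process (it was orphaned or
# started by init), so crontabs and similar schedulers are the next place to look.
spawner() {
    ancestry "$1" | sed -n '2p'
}

# Demo on the constructed listing: 4413 leads back to cron, 5001 only to init.
sample_ps | ancestry 4413
sample_ps | spawner 5001
```

On a live host, pipe `ps -eo pid,ppid,user,args` into `ancestry <pid>` instead of the sample, then review `crontab -l -u <user>` for root and for the UID that owns the process.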




















Tags: ubuntu, process, kill, malware






edited 2 days ago by Kusalananda






asked 2 days ago by AC-5



