“Life is not easy.” Linux virus : what to do next?



Context

I found out my Linux server was infected.

Symptoms were: 100% CPU usage when idle, slow download speed, iptables rules kept growing.

After finding the processes, killing them, and removing all the ways they had set up to restart, I’m back with a normal-looking server (no symptoms).

I used the instructions from this blog post (in Chinese) to clean the system.


In the process of cleaning the system, I was able to save the script used by the hacker. It is available here: https://gist.github.com/Colanim/0c7d71b90893a54c731de4e328585e9f

Question

I can’t fully understand this virus script, but it seems bad enough (scanning the intranet? Downloading weird files from a weird domain? Modifying iptables secretly?). My question is: what should my next steps be?

I have data on this server I need to keep.

Is the virus very bad, so that I should just wipe everything? Is it OK to save the data and just do a clean Linux install? Or, if the virus is not that bad, can I keep my server in its current state? (The system seems clean, with no symptoms anymore.)

Should the passwords used on the server be considered leaked? Or is it fine because they’re hashed anyway?