I found out my Linux server was infected.
Symptoms were: 100% CPU usage when idle, slow download speed,
iptables rules kept growing.
After finding the processes, killing them and all the possible ways they were set up to restart again, I'm back to a normal-looking server (no symptoms).
I used the instructions from this blog post (in Chinese) to clean the system.
In the process of cleaning the system, I was able to save the script used by the hacker. It is available here: https://gist.github.com/Colanim/0c7d71b90893a54c731de4e328585e9f
I can't fully understand this virus script, but it seems bad enough (scanning the intranet? Downloading weird files from a weird domain? Modifying
iptables secretly?). My question is: what should my next steps be?
I have data on this server I need to keep.
Is the virus very bad, so that I should just wipe everything? Is it OK to save the data and just do a clean Linux install? Or, if the virus is not that bad, can I keep my server in its current state? (The system seems clean, no symptoms anymore.)
Should the passwords used on the server be considered leaked? Or is it fine because they're hashed anyway?