DDoS Virus infection (as a unix service) on a Debian 8 VM Webserver

We suffered a similar infection on SUSE, probably through an SSH brute-force login.

The steps to clean are:

  1. Check the file /etc/crontab. You probably have an entry that calls the virus every 3 minutes:

    */3 * * * * root /etc/cron.hourly/cron.sh

    Delete this line.

  2. Identify the parent process of the virus: the rguoywvrf process in your ps -ej output. The other processes are created and killed continuously.
  3. Stop it, don't kill it, with kill -STOP 1632.
  4. Check with another ps -ej that only the parent is still alive; the children should die quickly.
  5. Now you can delete the files in /usr/bin and /etc/init.d. There are variants of the virus that also use /boot or /bin. Use ls -lt | head to look for files that have been modified recently.
  6. Check the script in /etc/cron.hourly/cron.sh. On our server it was calling another copy of the virus at /lib/libgcc.so. Delete both files.
  7. Now you can kill the rguoywvrf process for good.
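The seven steps above as a read-only triage script. This is an added example, not a script from the answer above or from the infected system: the cron line, the process name rguoywvrf, the file /etc/cron.hourly/cron.sh, the copy at /lib/libgcc.so and the directories /usr/bin, /etc/init.d, /boot and /bin are taken from the answer; the function names, the parameters and the sample inputs are this example's own. It reports, and it freezes the parent with SIGSTOP, but it deletes nothing, so the deletions in steps 5 and 6 stay a manual decision after you have read its output.

```shell
#!/bin/sh
# Added example, not the answer's own script. It implements the checks from
# the steps above as functions so each can be run against a test tree or
# against a live host (run as root for /etc/crontab and kill).

# Step 1: crontab lines that call the dropper every N minutes through cron.sh.
# Usage: suspicious_cron_lines /etc/crontab
suspicious_cron_lines() {
    grep -nE '^[[:space:]]*\*/[0-9]+[[:space:]].*cron\.sh' "$1" || true
}

# Step 2: given "PID PPID COMM" lines on stdin (ps -eo pid,ppid,comm), print
# the PID of the NAME instance whose parent is NOT itself a NAME instance.
# That is the long-lived parent; the short-lived children it forks and kills
# all have another NAME instance as parent. Sorted because awk's "for (p in
# arr)" order is unspecified.
parent_pid_of() {
    awk -v n="$1" '
        $3 == n { pid[$1] = 1; ppid[$1] = $2 }
        END { for (p in pid) if (!(ppid[p] in pid)) print p }
    ' | sort -n | head -n 1
}

# Step 3: suspend the parent instead of killing it, so a signal handler or
# a respawning child cannot restart it while files are being removed.
freeze_pid() {
    kill -STOP "$1"
}

# Scheduler state of a pid from /proc (Linux only): "T" means stopped.
pid_state() {
    awk '/^State:/ { print $2 }' "/proc/$1/status"
}

# Step 5: regular files directly under DIR modified in the last DAYS days,
# the scriptable form of the "ls -lt | head" check.
recent_files() {
    find "$1" -maxdepth 1 -type f -mtime -"$2" -print | sort
}

# Step 6: every absolute path mentioned by a dropper script, so that all
# copies of the binary (the answer found one at /lib/libgcc.so) are listed
# before anything is deleted.
referenced_paths() {
    grep -oE '(/[A-Za-z0-9_.+-]+)+' "$1" | sort -u
}

# Walk the procedure on a live host for a process called NAME.
triage() {
    name="$1"
    echo "== step 1: crontab entries =="
    suspicious_cron_lines /etc/crontab
    echo "== step 2/3: parent process =="
    parent=$(ps -eo pid,ppid,comm | parent_pid_of "$name")
    if [ -n "$parent" ]; then
        echo "parent pid: $parent (freezing with SIGSTOP)"
        freeze_pid "$parent"
    fi
    echo "== step 5: recently modified files (last 7 days) =="
    for d in /usr/bin /etc/init.d /boot /bin /lib; do
        [ -d "$d" ] && recent_files "$d" 7
    done
    echo "== step 6: paths referenced by cron.sh =="
    if [ -f /etc/cron.hourly/cron.sh ]; then
        referenced_paths /etc/cron.hourly/cron.sh
    fi
}

# Example invocation: sh triage.sh rguoywvrf
if [ "$#" -eq 1 ]; then
    triage "$1"
fi
```

After the parent is frozen and the files are gone, step 7 is a plain kill of the reported pid; because it is stopped, SIGKILL is the only signal it will act on.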

To answer your questions:

  1. Without the necessary precautions (off site syslog, IDS, log monitoring, etc) you'll probably never find out what happened.
  2. I would have to agree with Matt. You'll invest time to get a machine running which you will never really trust. In my opinion, the best solution is to move the data off site & redo the machine.

Of course, for what it is worth, this is only my opinion. That said, when redoing the machine, you can of course take the necessary precautions & protect yourself better in the future.