Outbound traffic on one of the company's Linux servers increased inexplicably, so I used iftop to look at its connections to the outside network. In this kind of case, the first thing to check is the external IP and port of the connections shown by netstat.
Use lsof -p PID to see which files each of those processes has open. The investigation found two suspicious files, conf.n, under /root; after rm -rf they were automatically regenerated in less than a minute, from which I inferred that a parent process was producing them. So finding the parent process means finding the culprit.
When killing the virus it is best to cut off external network access first; fortunately this was an intranet server, so it could still be reached via the intranet. Once the network is cut, the virus loses its ability to reach out, and killing it becomes much easier. As for how to find it: I searched for half a day and still saw no clue, so there was nothing left but to check with ps axu; the method is to look at whether the user and the process name resemble the system's own ones and are not forgeries. Sure enough, the following process looked suspicious.
(The picture is not visible here; the process was /usr/bin/.sshd.)
So I killed all the .sshd-related processes and then deleted the .sshd executable file directly. Then I deleted the self-regenerating files mentioned at the beginning of the article.
To sum up: when you run into this problem, if it is not too serious, try not to reinstall the system. Generally, first cut off the external network, then use tools such as iftop, ps, netstat, chattr, lsof and pstree; these are usually enough to find the culprit. But if you are seeing problems like this one,
/boot/efi/efi/redhat/grub.efi:heuristics.broken.executable FOUND
then I personally feel the system needs to be reinstalled.
This article only offers one line of thought toward solving the problem; it is for reference only, not absolute.
Linux: files regenerated automatically after deletion, the resolution process for a trojan horse
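The three checks above (which process owns an external connection, which parent process keeps respawning the children, and which process names imitate system daemons with a leading dot) can be scripted. The following POSIX shell script is an added example, not code from the original article; it runs against constructed sample output of `ss -tnp` and `ps -eo pid,ppid,user,comm` embedded in the script, so it works offline, and the same functions accept live output if you replace the samples. The process names, PIDs and the 203.0.113.7 peer address are constructed for the example.

```shell
#!/bin/sh
# Added example: triage helpers for a process that keeps regenerating files.
# All sample data below is constructed; none of it comes from the original article.

# Constructed `ps -eo pid,ppid,user,comm` output. The ".sshd" entry imitates
# the real sshd (PID 812) but has PID 1 as its parent and spawns a shell that runs rm.
SAMPLE_PS='  PID  PPID USER     COMMAND
    1     0 root     systemd
  812     1 root     sshd
 1340   812 root     sshd
 2201     1 root     .sshd
 2207  2201 root     sh
 2210  2207 root     rm'

# Constructed `ss -tnp` output: one legitimate intranet SSH session and one
# outbound connection from the disguised process to a non-private address.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:22 10.0.0.9:51234 users:(("sshd",pid=1340,fd=4))
ESTAB 0 0 10.0.0.5:43122 203.0.113.7:6667 users:(("\.sshd",pid=2201,fd=3))'

# external_peers: print "peer_ip pid" for connections whose peer is outside
# RFC 1918 / loopback space, i.e. the "external IP and port" the article checks first.
external_peers() {
    printf '%s\n' "$SAMPLE_SS" | awk 'NR > 1 {
        n = split($5, a, ":"); ip = a[1]
        if (ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^127\./ ||
            ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
        pid = ""
        if (match($6, /pid=[0-9]+/)) pid = substr($6, RSTART + 4, RLENGTH - 4)
        print ip, pid
    }'
}

# parent_chain PID: walk PPID links from PID up to the init process, printing
# "comm(pid) <- parent(ppid) <- ...". The chain shows which parent is
# regenerating the deleted files, which is the "mother process" the article hunts.
parent_chain() {
    pid=$1; chain=""
    while [ -n "$pid" ] && [ "$pid" != "0" ]; do
        line=$(printf '%s\n' "$SAMPLE_PS" | awk -v p="$pid" '$1 == p { print $2, $4 }')
        [ -z "$line" ] && break
        ppid=${line%% *}; comm=${line#* }
        chain="${chain}${chain:+ <- }${comm}(${pid})"
        pid=$ppid
    done
    printf '%s\n' "$chain"
}

# hidden_names: list processes whose command name starts with a dot, the
# disguise used by the /usr/bin/.sshd binary in the article.
hidden_names() {
    printf '%s\n' "$SAMPLE_PS" | awk 'NR > 1 && $4 ~ /^\./ { print $4 "(" $1 ")" }'
}

# Usage on the constructed sample: chain the three checks together.
external_peers | while read -r ip pid; do
    echo "external peer $ip owned by: $(parent_chain "$pid")"
done
echo "dot-named processes: $(hidden_names)"
```

To run the checks on a live host, replace `SAMPLE_SS` with `$(ss -tnp)` and `SAMPLE_PS` with `$(ps -eo pid,ppid,user,comm)`; the awk field positions match those commands' default column order. The parent chain is what tells you where to stop: killing `rm` or `sh` alone leaves the respawning parent in place, while a parent whose own parent is PID 1 and whose name mimics a daemon is the likely culprit.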