Seeing psclient? Could it be related to a perfctl infection?
Let’s find out.
STEPS:
Check $PATH:
# echo $PATH
Also remove any suspicious directories:
rm -rf /bin/.local
Check that the directory is gone:
ls -l /bin/.local
Edit the PATH:
export PATH=$(echo "$PATH" | sed -e 's|:/bin/\.local/bin||' -e 's|/bin/\.local/bin:||' -e 's|/bin/\.local/bin||')
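The sed expression above only removes the one directory it names. As an added example (not part of the original post), this script splits a PATH string on colons and drops relative entries and entries with a hidden directory component outside $HOME; the function names, the heuristic and the sample PATH are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the heuristic
# below are assumptions made for illustration.

# is_suspicious ENTRY: succeed (0) when a PATH entry deserves a closer look.
is_suspicious() {
    home=${HOME:-/nonexistent}
    case "$1" in
        ""|[!/]*)  return 0 ;;  # empty or relative: resolves against the cwd
        "$home"/*) return 1 ;;  # per-user dirs such as ~/.local/bin are normal
        */.*)      return 0 ;;  # hidden component, e.g. /bin/.local/bin
    esac
    return 1
}

# audit_path PATHSTRING: print the string with suspicious entries dropped
# (stdout, order preserved) and report each dropped entry on stderr.
audit_path() {
    cleaned=""
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting on ':'
    for entry in $1; do
        if is_suspicious "$entry"; then
            printf 'suspicious PATH entry: %s\n' "$entry" >&2
        else
            cleaned="${cleaned:+$cleaned:}$entry"
        fi
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$cleaned"
}

# Constructed sample input, not taken from a real host.
SAMPLE_PATH="/bin/.local/bin:/usr/local/sbin:/usr/bin:/home/alice/.local/bin:/bin"

# Demo: sh audit_path.sh --demo
if [ "${1:-}" = "--demo" ]; then
    HOME=/home/alice
    audit_path "$SAMPLE_PATH"
fi
```

Assigning the output back with export changes PATH for the current shell session only, the same as the export line above.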
SOURCES:
- How ‘perfctl’ malware infected Linux servers undetected for years
- perfctl: A Stealthy Malware Targeting Millions of Linux Servers >> The Nitty-Gritty
UPDATE:
After trying to remove the suspect files, only to have them reappear after a reboot, I stumbled upon the following solution.
Kaspersky Virus Removal Tool, or KVRT for short.
I downloaded a standalone malware scanner and removal tool from Kaspersky.
(NOTE: if you are in the US you may have to VPN to a different locale in order to access it).
I downloaded it to the infected Ubuntu VM, then booted from the Ubuntu installer ISO, choosing ‘Try’ instead of ‘Install’. After booting, I ran the KVRT tool (several times, rebooting after each run, until the scans came up clean).
Lastly, I ran the tool after booting from the VM’s own image to double-check that it was ‘clean’.
A week later I have detected no new infection and have observed no unusual CPU activity. 🙂

