Posts

Showing posts from November, 2018

Clean up Unix Trojan.DDoS_XOR-1, Chinese Chicken Multiplatform DoS botnets Trojan

So you have identified that your server is infected with this Trojan. Using top you can find a process with a random name; killing it will just spawn another new process with a random name. There is nothing you can do... just restore your server from backup or reinstall your server. Just kidding... You can clean this trojan because this one is non-destructive. Ok, let's go!

First you have to find the PID of the random process using top. You cannot use ps because the trojan renames its process name. Then you have to freeze those processes; do not kill them, because killing one spawns another random process. Use kill -STOP pid [pid] [pid] to freeze those processes.

Next we clean the trojan out of the file system. Truncate /lib/libudev.so and /lib/libudev.so.6 so they contain nothing, because the trojan copies itself from this file to a random name. Make them immutable (chattr +i). Next edit /etc/crontab, find the lines containing gcc and remove them. Check crontab -e and all files in /var/spool/cron/. Go to /etc/cron.d , /etc/c...

Update lenovo/thinkpad BIOS using USB Flash

Download the firmware in .iso format (BIOS bootable update CD).

dnf install geteltorito
geteltorito -o bios.img j5uj62wd.iso

Plug in the USB flash drive, unmount it manually if it was mounted, and find out the device name (dmesg).

Write bios.img to the USB flash drive. Be careful about the device name, for example /dev/sdb: all data on the USB flash drive will be deleted.

dd if=bios.img of=/dev/sdb bs=1M

Boot and enter Setup, and make sure the system can boot in Legacy mode:
UEFI / Legacy = both
Priority = Legacy First
CSM = yes

Save and boot from the USB flash drive.

Ref: https://workaround.org/article/updating-the-bios-on-lenovo-laptops-from-linux-using-a-usb-flash-stick/

Update grub config and update initramfs in Fedora

Tune the grub config in /etc/default/grub and /etc/grub.d/*

Update the grub config: grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

To update the initramfs run: dracut -fv