xm64 fills up my processor resources in Linux Mageia 6


Since this morning I have been noticing slowness on my Linux Mageia 6 machine.

I checked with the top command as the root user and found that a process named xm64, running as the invitado user (guest user in Spanish), was using 755% of my CPU.

I killed that process several times and it suddenly started again. The suspicious thing was that nobody was logged in as the guest user (invitado); the only real user of the computer was me.

As invitado is an account just for my guests when they are at my home, I decided to delete that user before killing the xm64 process again.

After deleting that user, the xm64 process never showed up again.

I searched for xm64 information in /var/log using grep -ri xm64 /var/log, but nothing was found.

Now I'm installing clamav and maldetect in order to search for more information.

I searched on Google and found nothing related to xm64 on Linux, but when I searched just for xm64 I found information about a Windows trojan, XM64.EXE.

This is the first time in the 25 years since I began using Linux that I suspect my Linux machine is infected.

I blame myself because I created that guest user with a dictionary password ... I promise never to do this again.

Could anyone confirm whether this is malware on Linux or whether it is another issue?

Answer (score 0):

I had the same trojan, and it was placed in two locations on the system:

/tmp 
/var/tmp

Besides xm64, the program "goauto" was running in top and was used to autostart the "dtsm" program, which seems to be a mining tool, but I'm not certain.

It had placed cron job lines in multiple crontab files inside the /var/spool/cron folder, so be sure to check them all.

I did the following:

  • Removed the crontab lines
  • Killed the "xm64", "goauto" and all the "dtsm" processes that were running
  • Deleted the files in the /tmp and the /var/tmp folder (search for all locations with "locate goauto" or "locate xm64")
  • Added the "139.59.28.207" IP to iptables so that it gets blocked (some of the scripts wget'ed from that IP).

It seems like this has stopped the issue.

I am now running clamscan to do the rest of the cleanup, if any, and I have to figure out how it ended up on the server in the first place.

Answer (score 2):

Today, having calmed down, I found information with:

[root@tarfful etc]# cd /var/
[root@tarfful var]# grep -ri xm64 *
Binary file lib/mlocate/mlocate.db matches
Binary file local/mga_rpms/core/glibc-devel-2.22-29.mga6.x86_64.rpm matches
Binary file log/journal/235b4f4f2b94420e852900b7e0210a05/system.journal matches
log/security/unowned_user.weekly.today:/tmp/.zx/xm64
log/security/unowned_group.weekly.diff:+/tmp/.zx/xm64
log/security/unowned_user.weekly.diff:+/tmp/.zx/xm64
log/security/mail.weekly.today:/tmp/.zx/xm64
log/security/mail.weekly.today:/tmp/.zx/xm64
log/security/unowned_group.weekly.today:/tmp/.zx/xm64
log/security.log:jun 02 04:22:01 tarfful diff:     -   Added Unknown owner for files : /tmp/.zx/xm64
log/security.log:jun 02 04:22:01 tarfful diff:     -   Added Unknown group for files : /tmp/.zx/xm64
Binary file log/squid/access.log.1 matches
mail/postfix:/tmp/.zx/xm64
mail/postfix:/tmp/.zx/xm64
mail/postfix:-   Added Unknown owner for files : /tmp/.zx/xm64
mail/postfix:-   Added Unknown group for files : /tmp/.zx/xm64
spool/mail/postfix:/tmp/.zx/xm64
spool/mail/postfix:/tmp/.zx/xm64
spool/mail/postfix:-   Added Unknown owner for files : /tmp/.zx/xm64
spool/mail/postfix:-   Added Unknown group for files : /tmp/.zx/xm64
[root@tarfful var]#

And now I have a copy of /tmp/.zx/xm64.

I uploaded that information to https://www.clamav.net/reports/malware/

I also found other scripts and binaries in /tmp/.zx:

[root@tarfful spool]# tree /tmp/.zx/
/tmp/.zx/
├── a
├── cron.d
├── h32
├── h64
├── run
├── update
├── x
├── xm32
└── xm64

When I looked through the crontab spool I found:

[root@tarfful cron]# cd /var/spool/cron/
[root@tarfful cron]# ls
invitado
[root@tarfful cron]# cat invitado 
* * * * * /tmp/.zx/update >/dev/null 2>&1

So every minute the trojan runs the update script, which says:

[root@tarfful spool]# cat /tmp/.zx/update 
#!/bin/bash

DIR=$( cd ${0%/*} && pwd )
ps aux | grep ALIENS_z | grep -v grep

if [ $? = 0 ]
then
echo
else
cd $DIR
./run &>/dev/null &
#./run &
fi

exit 0

In order to remove the trojan I took the following steps as the root user:

ps -xau | grep xm64
kill -9 [PID OF xm64]
rm /var/spool/cron/invitado
rm -rf /tmp/.zx
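
The two answers above describe the same procedure by hand: check every crontab under /var/spool/cron, find what is running out of /tmp and /var/tmp, keep a copy for analysis, and remove it. The bash script below packages those checks as an added example; it is not code from either answer or from the original poster. The directory arguments, the evidence directory and the SUSPECT_DIRS list are assumptions made for this example, and the functions take their paths as parameters so they can be exercised on a constructed directory tree before being pointed at a real system.

```bash
#!/usr/bin/env bash
# Added example: audit and clean-up helpers for a /tmp-resident cron miner
# like the one in the answers above. Not code from the original posts.
# Paths are parameters (assumption made for this example) so the functions
# can be tried on a throw-away tree first.
set -u

# Locations an unprivileged intruder can write to and that a crontab or a
# running executable should normally never point at.
SUSPECT_DIRS='/tmp/|/var/tmp/|/dev/shm/'

# audit_crontabs SPOOL_DIR [CRON_D_DIR]
# Prints "file:line" for every active cron entry that runs something out of
# a suspect directory (the "check all the crontab files" step of answer 1).
# Returns 0 if anything was found, 1 otherwise.
audit_crontabs() {
  local spool=$1 crond=${2:-} d f m found=1
  for d in "$spool" $crond; do
    for f in "$d"/*; do
      [ -f "$f" ] || continue
      # drop comments and blank lines, then look for a suspect path
      m=$(grep -vE '^[[:space:]]*(#|$)' "$f" | grep -E "$SUSPECT_DIRS") || continue
      printf '%s\n' "$m" | sed "s|^|$f:|"
      found=0
    done
  done
  return $found
}

# procs_from_tmp
# Prints "pid exe" for processes whose binary lives in a suspect directory
# or has already been unlinked from disk ("(deleted)"), which plain
# "ps aux | grep name" will not reveal once the file is gone.
procs_from_tmp() {
  local p exe found=1
  for p in /proc/[0-9]*; do
    exe=$(readlink "$p/exe" 2>/dev/null) || continue
    if printf '%s\n' "$exe" | grep -qE "^($SUSPECT_DIRS)|\(deleted\)$"; then
      printf '%s %s\n' "${p#/proc/}" "$exe"
      found=0
    fi
  done
  return $found
}

# remediate SPOOL_DIR DROPPER_DIR EVIDENCE_DIR
# Cleans up in an order that removes persistence BEFORE killing anything:
# the question shows what happens otherwise (kill it, cron restarts it a
# minute later). Everything destroyed is copied to EVIDENCE_DIR first.
remediate() {
  local spool=$1 dropper=$2 evidence=$3 f pid exe
  mkdir -p "$evidence"
  # 1. preserve the dropper directory (for a ClamAV report or offline analysis)
  [ -d "$dropper" ] && cp -a "$dropper" "$evidence/"
  # 2. strip the cron lines that resurrect the miner; rewrite in place so the
  #    file keeps its owner and mode, and drop it if nothing benign remains
  for f in "$spool"/*; do
    [ -f "$f" ] && grep -qF "$dropper" "$f" || continue
    cp -a "$f" "$evidence/crontab.$(basename "$f")"
    grep -vF "$dropper" "$f" > "$f.new" || true   # exit 1 = no lines left
    cat "$f.new" > "$f" && rm -f "$f.new"
    [ -s "$f" ] || rm -f "$f"
  done
  # 3. now kill whatever is still running out of the dropper directory
  procs_from_tmp | while read -r pid exe; do
    case $exe in "$dropper"/*) kill -9 "$pid" 2>/dev/null || true ;; esac
  done
  # 4. finally remove the files
  rm -rf "$dropper"
}

# Usage on a real host (as root):
#   audit_crontabs /var/spool/cron /etc/cron.d
#   procs_from_tmp
#   remediate /var/spool/cron /tmp/.zx /root/evidence-$(date +%F)
```

Two points from the answers are worth keeping in mind when using this. The `update` script shown above only checks whether a process is running and relaunches `run` if not, so removing the crontab (step 2) is what actually stops the cycle, and killing the processes after that is safe. And since answer 1 notes that the scripts wget from the attacker's IP, any iptables block for that address needs an OUTPUT rule (`-d <ip>`) as well as an INPUT rule, otherwise a leftover script can still fetch a fresh copy.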