Elf Malware Attack And Cleaning

Elf Malware

Recently I have been having internet problems at home, so alarm bells didn’t immediately start to ring when a number of websites on a small VPS that I look after for a colleague started loading extremely slowly.

Eventually I noticed that other websites at this time were going pretty quick and it was just the ones on this particular VPS that were crawling along.

Firstly I restarted Apache and then MySQL; however, things didn’t improve. Eventually I rebooted the server completely and things sped up – for a while.

Unfortunately within an hour things slowed down again, and I noticed one process was consuming massive amounts of CPU, leaving very little for anything else.

The process was /usr/bin/host.

After doing a little research I began to realize that it was possible the VPS had been compromised so I killed the process, which sped things up once again, temporarily.

I knew that something must be restarting the CPU-eating process and suspected a cron job, so I logged in via PuTTY and checked out the cron jobs.

Unfortunately I couldn’t see anything that looked too suspicious so headed back to Google.

Eventually I came across this article and it helped me greatly, mainly the part where it shows you how to search through all your files and highlight which ones include the text /usr/bin/host. So that is what I did.

grep -ri --include=*.php "/usr/bin/host" /

The files that showed up indeed appeared to be infected; looking at the code, it appeared to be unpacking and installing malware.
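The single grep above is the core of the triage. The script below is an added example, not code from the post or from Maldet: it wraps the same idea in a small POSIX sh tool that scans a web root for a list of indicator strings in .php files only, prints each hit, and lists the unique files with owner and modification time so you can see when they were dropped. The indicator list (beyond /usr/bin/host from the post) and the sample web root it builds are constructed for the demonstration; the only assumptions are a grep that supports -r, -l, -I, -F and --include (GNU and BSD grep both do) and a standard mktemp.

```shell
#!/bin/sh
# Added example (not from the original post): scan a web root for PHP files
# containing strings associated with the outbreak described above.
# Assumes grep with -r/-l/-I/-F and --include, plus mktemp and ls.

# Indicator strings, one per line. "/usr/bin/host" is the one from the post;
# the others are constructed examples of strings worth reviewing in PHP files.
INDICATORS='/usr/bin/host
base64_decode(
eval('

# scan_php_indicators DIR
# Prints one line per hit in the form "indicator<TAB>path", searching only
# *.php files, treating each indicator as a fixed string (-F) and skipping
# binary files (-I).
scan_php_indicators() {
    dir="$1"
    printf '%s\n' "$INDICATORS" | while IFS= read -r pattern; do
        [ -n "$pattern" ] || continue
        grep -rlIF --include='*.php' -- "$pattern" "$dir" 2>/dev/null | sort |
        while IFS= read -r f; do
            printf '%s\t%s\n' "$pattern" "$f"
        done
    done
}

# infected_files DIR
# Unique list of files that matched at least one indicator.
infected_files() {
    scan_php_indicators "$1" | cut -f2- | sort -u
}

# count_infected_files DIR
# Number of unique matching files (handy for a quick "is it clean yet" check).
count_infected_files() {
    infected_files "$1" | grep -c .
}

# triage_hit_files DIR
# Show owner, permissions and modification time for each matching file, so
# the drop time can be compared against access logs and cron entries.
triage_hit_files() {
    infected_files "$1" | while IFS= read -r f; do
        ls -ld -- "$f"
    done
}

# make_sample_webroot
# Builds a constructed sample web root in a temp directory and prints its
# path: one inert "infected" PHP file carrying two indicators, one clean PHP
# file, and a .txt file with an indicator that must be ignored by the
# *.php filter. The sample content does nothing; it only contains the strings.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    cat > "$root/wp-content/uploads/infected.php" <<'EOF'
<?php
/* constructed sample: inert, only carries indicator strings */
$bin = "/usr/bin/host";
$blob = "base64_decode(";
EOF
    cat > "$root/index.php" <<'EOF'
<?php echo "clean sample page"; ?>
EOF
    printf '%s\n' '/usr/bin/host mentioned in notes, not PHP' > "$root/notes.txt"
    printf '%s\n' "$root"
}

# Stand-alone usage: scan a constructed sample, then triage it.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_webroot)
    echo "Hits:"
    scan_php_indicators "$root"
    echo "Unique infected files: $(count_infected_files "$root")"
    triage_hit_files "$root"
    rm -rf "$root"
fi
```

Run it against a real web root with `scan_php_indicators /var/www` after sourcing the file (or pass `--demo` to see it on the constructed sample). Expect false positives on legitimate plugins that use base64_decode or eval; the list is a starting point for review, not a verdict, which is why the output keeps the indicator beside each path.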

I then installed and ran Maldet which found another 16 or so infected files and then cleaned or quarantined what it found.

The problem has gone away for now. I advised my colleague to update all their WordPress plugins, themes, etc., and changed passwords.

It’s only a matter of time before another attack hits; however, for now everything is back to normal.


Rob StGeorge
Senior SQL Server Database Administrator residing in Auckland, NZ
