Today I happened to be ssh'ing into my VPS and checked htop. Instantly I was wondering why CPU usage was 100%, and I identified an unknown (to me) screen session running a dubious "masscan" program.
I was totally shocked, entered the screen session and saw some totally unknown program running, seemingly scanning the internet: random IP addresses and ports. Sadly I forgot to take a screenshot of the console contents before ctrl+c'ing the application.
So it turns out that in the path /var/lib/rmrf/.files there is some weird stuff going on. The contents of this folder are listed below. I downloaded the folder in case the ominous stranger tries to clean up their traces. I also went through the last commands, which suggest a real person entered them (listed below).
Please, can anyone suggest what the heck is/was going on with my VPS?! I guess I was hacked or am part of a botnet or something similar?? How should I go on? Any recommended actions I should take next? (I have stopped the VPS for now.)
The last shell commands entered in that screen session, which I know I have not entered (the typos show that those have been entered by a human and not a script or similar, I suggest):
./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti
./rupe
chmod +x rupe
./rupe
chmod +x masscan
chmod +x .*
chmod +x *
./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti
./rupe
chmod +x *
chmod +x .*
./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti
ls -a
chmod +x main
./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti
Contents of the folder:
main
masscan
.sbanner
notti
rupe
.filter
... 161 text documents (with hundreds of thousands of IP addresses each)
bios.txt (hundreds of thousands of lines, each "open tcp 6122 x.x.x.x 1665657431"; the last number seems to be a counter of something, it increases by one every couple of lines)
fura
pass (looks like a list of possible passwords for (random?) usernames [www-data, uftp, Huawei, steam, root, www, postgres .....]; 621 lines, each username fills several lines, each with several possible passwords; one of my accounts (an obsolete Minecraft server) is included, while others are not)
paused.conf (seems to contain information for the program to load on the next startup in order to continue)
ports (contains 146 lines of seemingly different ports)
prinse.v5 (379 lines of this format: [ 2 ] - [ ACCOUNTNAME@IP-ADDRESS:PORT Pass: PASSWORD ] - [ A - x86_64 | G - NO ]; the very first number differs from line to line)
ultimate.lst (475k lines in the format 116.206.100.0/22; subnets? I am no expert)
users.v5 (seemingly a list of possible account names; seems to be structured by OS, each with possible account names; 5291 lines)
.resturi.v5 (5775 lines, format: test test XXX.XXX.XXX.XXX 20022 aarch64 4)
.txt (865k lines with IP addresses)
banner.log:
176.41.224.105 - /multistream/1.0.0
171.6.145.194 - RFB 003.003
111.201.215.224 - SSH-2.0-OpenSSH_8.0
199.15.77.4 - RFB 003.008
188.131.180.65 - HTTP/1.1 302 Redirect
Server: Gnway RProxy Server
Location: http://xiaohe8.ikuai5.com:5353/natforward-yun-404.html?port=6122
Date Thu, 13 Oct 2022 18:37:28 GMT
123.13.215.124 - SSH-2.0-OpenSSH_7.4
8.129.103.205 - SSH-2.0-OpenSSH_7.4
103.131.17.166 -
111.173.83.64 - D
1.15.74.126 - SSH-2.0-OpenSSH_7.4
202.120.188.70 - SSH-2.0-OpenSSH_7.4
123.57.71.35 - SSH-2.0-OpenSSH_8.0
103.131.17.206 -
82.156.252.38 - SSH-2.0-OpenSSH_7.4
120.92.50.5 -
202.148.3.166 - 220 (vsFTPd 2.0.5)
94.103.35.8 - RFB 003.008
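As an added example (not part of the question above, and not code from the tooling found on the VPS), the following Python script parses the three artifact formats the post describes so that they can be triaged offline. It assumes the bios.txt lines are masscan list (-oL) output, where the last field is a Unix timestamp (1665657431 is 2022-10-13 10:37:11 UTC, the same day as the HTTP Date header in banner.log), that banner.log entries start with an IP address and may spill over several lines for HTTP responses, and that each prinse.v5 line records a login the tool believed succeeded (the meaning of the trailing bracket is an assumption). The sample inputs are constructed from the formats in the post using RFC 5737 documentation addresses; the real files are not reproduced here. The own_ips list in hosts_matching is a placeholder for the reader's own addresses.

```python
"""Triage helpers for the scanner/brute-force artifacts listed in the post.
Added example; sample data below is constructed, not copied from the VPS."""
import re
from collections import Counter
from datetime import datetime, timezone

# bios.txt-style lines: "open tcp PORT IP TIMESTAMP" (masscan -oL format).
# The last field is a Unix timestamp, which is why it only ticks up every few lines.
BIOS_SAMPLE = """\
open tcp 6122 203.0.113.10 1665657431
open tcp 6122 203.0.113.11 1665657431
open tcp 22 198.51.100.7 1665657432
open tcp 5900 192.0.2.9 1665657433
"""

# banner.log-style lines: "IP - BANNER". An HTTP banner spills over several
# lines; a host that sent nothing leaves the text after "-" empty.
BANNER_SAMPLE = """\
198.51.100.7 - SSH-2.0-OpenSSH_7.4
192.0.2.9 - RFB 003.008
203.0.113.10 - HTTP/1.1 302 Redirect
Server: Example RProxy Server
Location: http://example.invalid/natforward.html?port=6122
203.0.113.11 -
192.0.2.20 - 220 (vsFTPd 2.0.5)
"""

# prinse.v5-style lines (assumed: one successful login per line).
PRINSE_SAMPLE = """\
[ 2 ] - [ root@198.51.100.7:22 Pass: toor ] - [ A - x86_64 | G - NO ]
[ 7 ] - [ admin@192.0.2.20:20022 Pass: admin123 ] - [ A - aarch64 | G - NO ]
"""

MASSCAN_RE = re.compile(r"^open (\S+) (\d+) (\S+) (\d+)$")
BANNER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) -(?: (.*))?$")
PRINSE_RE = re.compile(
    r"^\[\s*(\d+)\s*\]\s*-\s*\[\s*([^@\s]+)@([^:\s]+):(\d+)\s+Pass:\s*(.*?)\s*\]"
    r"\s*-\s*\[\s*(.*?)\s*\]$"
)


def to_utc(ts):
    """Render a masscan timestamp as an aware UTC datetime for the incident timeline."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc)


def parse_masscan_list(text):
    """Parse masscan -oL style lines into dicts; silently skip anything else."""
    records = []
    for line in text.splitlines():
        m = MASSCAN_RE.match(line.strip())
        if m:
            proto, port, ip, ts = m.groups()
            records.append({"proto": proto, "port": int(port), "ip": ip, "ts": to_utc(ts)})
    return records


def summarize_masscan(records):
    """Per-port hit counts plus first/last timestamp (the scan window)."""
    times = [r["ts"] for r in records]
    return {"ports": Counter(r["port"] for r in records), "first": min(times), "last": max(times)}


def parse_banner_log(text):
    """Map IP -> banner text, folding continuation lines into the previous entry."""
    banners, current = {}, None
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            banners[current] = m.group(2) or ""
        elif current is not None and line.strip():
            banners[current] += "\n" + line
    return banners


def classify_banner(banner):
    """Coarse service label from the first banner line (ssh/vnc/http/ftp)."""
    first = banner.strip().splitlines()[0] if banner.strip() else ""
    if not first:
        return "no-banner"
    if first.startswith("SSH-"):
        return "ssh"
    if first.startswith("RFB "):  # RFB is the VNC protocol handshake
        return "vnc"
    if first.startswith("HTTP/"):
        return "http"
    if first.startswith("220") and "ftp" in first.lower():
        return "ftp"
    return "unknown"


def parse_prinse(text):
    """Parse credential lines; fields beyond user/host/port/password are kept raw as 'tail'."""
    hits = []
    for line in text.splitlines():
        m = PRINSE_RE.match(line.strip())
        if m:
            n, user, host, port, password, tail = m.groups()
            hits.append({"n": int(n), "user": user, "host": host, "port": int(port),
                         "password": password, "tail": tail})
    return hits


def hosts_matching(hits, own_ips):
    """Credential lines naming one of your own addresses: were you listed as a victim?"""
    own = set(own_ips)
    return [h for h in hits if h["host"] in own]


if __name__ == "__main__":
    s = summarize_masscan(parse_masscan_list(BIOS_SAMPLE))
    print("ports:", dict(s["ports"]), "window:", s["first"], "->", s["last"])
    for ip, b in parse_banner_log(BANNER_SAMPLE).items():
        print(ip, classify_banner(b))
    print("own host in credential list:", hosts_matching(parse_prinse(PRINSE_SAMPLE), ["198.51.100.7"]))
```

Run it against the real files with the VPS offline (or against the copy you downloaded): the masscan window tells you when the scanning started, the banner classes show what the scanner was hunting for, and hosts_matching tells you whether your own address appears in the credential list, which is the first thing a responder would want to know before deciding whether to rebuild the host.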