Home / ubuntu / Questions / 1254440
Accepted
Nanang Arema
Asked: 2020-06-28 18:48:02 +0800 CST

Strange path or folder on hacked vps

  • 772

My vps was confirmed hacked, Ubuntu 16.04 LTS (Thanks for answering in my post My previous post).

Now I have created new vps and move my site to new VPS.

But I don't delete my hacked vps, i preserve it to learn why i can got hacked.

My Question is : where is file/folder execute by python3 /~.pid -x -b ?

Thanks for your help.

iotop result

hacking iotop

1 Answers

  1. Best Answer

    It's a file located at / (root) named ~.pid.

    To create the same file in my root directory:

    $ cd /
$ sudo touch '~.pid'

    And now let us to look for it at /:

    $ find / -maxdepth 1 | grep pid -C 3
/srv
/sbin
/dev
/~.pid                    <<< Here it is
/libx32
/lost+found
/proc

    Write something within it:

    $ echo hello | sudo tee \~.pid 
hello

    Look what is inside:

    $ cat \~.pid 
hello

    And what is the type of file:

    $ file /~.pid       # Absolute path
/~.pid: ASCII text

$ file \~.pid       # Relative path
~.pid: ASCII text

    If you can't state the file using ls or anything else so it has been removed. You can create a file, run it and then remove it. There is still a version of that file in the memory (RAM) being used by python in your case but it has been removed from filesystem so you can't find it.

    If you kill the process it should go away. however it depends on the malware. It might get recreated by another process.

    • 2