Removing Perfctl From My Linux Server

If you’ve been around a while, you’ll remember a time when you could rest assured that your Linux box was safe from viruses and other malware. Or rather, few bad actors bothered to target Linux; most targeted Windows. That was then. Today, with Linux growing in popularity not just on servers but on desktops too, it is no longer under the radar of bad actors.

So a few days ago, I was alerted to abnormal CPU utilization on one of my servers. I logged in to check and saw that a process called perfctl was using up CPU time. I killed it, but it respawned after a while. It looked like my Linux server had malware.

I checked and indeed it was malware that has been targeting Linux servers. Thankfully, this particular one has been out for quite a while now and is already well researched, so I was able to remove it without too much effort.

After reviewing the bulletin, I logged in as a secure user, killed the malware process and deleted its file system components.

# Kill perfctl
kill -9 $(pgrep perfctl)

# Remove associated files
# Working directories and droppers under /tmp
rm -f /tmp/.xdiag/hroot/cp
rm -f /tmp/.xdiag/hroot/hscheck
rm -f /tmp/.xdiag/cp
rm -f /tmp/.xdiag/elog
rm -f /tmp/.xdiag/exi
rm -f /tmp/.xdiag/int/.e.lock
rm -f /tmp/.xdiag/p
rm -f /tmp/.xdiag/uid
rm -f /tmp/.xdiag/ver
rm -f /tmp/.xdiag/tordata/control_auth_cookie.tmp
rm -f /tmp/.xdiag/tordata/cached-certs.tmp
rm -f /tmp/.xdiag/tordata/cached-microdesc-consensus.tmp
rm -f /tmp/.xdiag/tordata/state.tmp
rm -f /tmp/.perf.c/Loader
rm -f /tmp/.perf.c/perfctl
rm -f /tmp/.apid
rm -f /tmp/lgctr
rm -f /tmp/lgctr2
# Binaries in a hidden directory under /usr/bin (note the leading dot) and in /usr/bin itself
rm -f /usr/bin/.local/bin/ldd
rm -f /usr/bin/.local/bin/top
rm -f /usr/bin/perfcc
rm -f /usr/bin/wizlmsh
# Shared libraries dropped into /usr/lib
rm -f /usr/lib/libfsnldev.so
rm -f /usr/lib/libgcwrap.so
rm -f /usr/lib/libpprocps.so
# Files in root's home, including a cron entry
rm -f /root/.cache/pci.ids
rm -f /root/.config/cron/perfcc
rm -f /root/sedkBrgaa
# /etc/ld.so.preload does not exist on a clean system, so deleting it is safe.
# /etc/profile is a standard system file; after the clean-up, restore it from your
# distribution's package (base-files on Debian/Ubuntu) or logins lose their default environment.
rm -f /etc/ld.so.preload
rm -f /etc/profile
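The removal list above doubles as a set of indicators: a quick way to see which of these paths are actually present, before the clean-up to confirm the infection and afterwards to confirm nothing was missed. The script below is an added example and is not part of the original post; every path in it comes from the list above, and the ROOT prefix, the function names and the deleted-binary check are my additions. Deleted-binary hits are not proof of anything on their own (long-running daemons show as "(deleted)" after a package upgrade until they are restarted), but a process in /tmp with its binary gone is worth a look.

```shell
#!/bin/sh
# Added example, not from the original post: report which perfctl indicators
# from the clean-up list are present, so the same check runs before and after
# removal. Pass a root prefix (e.g. a mounted disk image) to check something
# other than the live system.

# Paths taken from the post's clean-up list; the two directories cover the files inside them.
PERFCTL_PATHS='
/tmp/.xdiag
/tmp/.perf.c
/tmp/.apid
/tmp/lgctr
/tmp/lgctr2
/usr/bin/.local/bin/ldd
/usr/bin/.local/bin/top
/usr/bin/perfcc
/usr/bin/wizlmsh
/usr/lib/libfsnldev.so
/usr/lib/libgcwrap.so
/usr/lib/libpprocps.so
/root/.cache/pci.ids
/root/.config/cron/perfcc
/root/sedkBrgaa
'

# Print "FOUND <path>" for every indicator that exists under ROOT (default: /).
perfctl_list_hits() {
    root="${1:-}"
    for p in $PERFCTL_PATHS; do
        [ -e "$root$p" ] && echo "FOUND $root$p"
    done
    return 0
}

# Echo the number of indicators present under ROOT; 0 means none of the listed paths exist.
perfctl_count_hits() {
    perfctl_list_hits "$1" | wc -l | tr -d ' '
}

# Print the library entries in ROOT/etc/ld.so.preload, skipping blank and comment lines.
# A clean system normally has no ld.so.preload at all, so any entry deserves a look;
# the clean-up list removes both this file and several .so files from /usr/lib.
perfctl_preload_entries() {
    f="${1:-}/etc/ld.so.preload"
    [ -f "$f" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$f" || true
}

# Live-system check: any process named perfctl, plus any process whose executable
# has been deleted from disk. Needs root to read other users' /proc entries.
# Benign hits happen after package upgrades until the affected daemon is restarted.
perfctl_check_processes() {
    pgrep -x perfctl 2>/dev/null || echo "no running process named perfctl"
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *'(deleted)') echo "DELETED-BINARY ${exe%/exe}: $target" ;;
        esac
    done
    return 0
}

# Full report for one root. Usage: sh perfctl_check.sh --scan [ROOT]
perfctl_report() {
    root="${1:-}"
    echo "== file indicators under '${root:-/}' =="
    perfctl_list_hits "$root"
    echo "total: $(perfctl_count_hits "$root")"
    echo "== ld.so.preload entries =="
    perfctl_preload_entries "$root"
    if [ -z "$root" ]; then
        echo "== processes =="
        perfctl_check_processes
    fi
}

if [ "${1:-}" = "--scan" ]; then
    perfctl_report "${2:-}"
fi
```

Run it as root with `--scan` on the live system, or point it at a mounted image with `--scan /mnt/image`; a count of 0 and an empty preload section after the clean-up is what you want to see.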

That seemed to work: the process no longer respawned and CPU usage was back to normal. But just to be sure, I installed and ran ClamAV to confirm the system was now clean.

# Install ClamAV
sudo apt update
sudo apt install clamav clamav-daemon

# Start clamd
sudo systemctl start clamav-daemon

# Enable clamd to start on boot
sudo systemctl enable clamav-daemon

# Update database
# (on Debian/Ubuntu the clamav-freshclam service updates signatures in the background
#  and holds a lock; if this command complains about it, stop that service first)
sudo freshclam

# Scan the whole filesystem recursively, logging only infected files
# (adding --exclude-dir='^/proc' --exclude-dir='^/sys' skips pseudo-filesystems and shortens the run)
sudo clamscan -ri --bell --log ~/clamscan.log /

After a few hours, ClamAV finished scanning and reported the system was clean. I can rest easy again… but not too much.
