Unknown HZ value! (##) Assume 100

VMware Virtual Machine Hosting

You’ve been hacked.

How to clean a Hacked CentOS / Linux Machine

Install chkrootkit:

yum install chkrootkit

Run chkrootkit and look for the files it reports as INFECTED.

You will need to delete each of these files manually.

The file attributes will have been modified to stump the average user, so the files cannot simply be deleted.

You will need to use chattr to clear the attributes first.

This command will free most files: chattr -suSadAc <file>

For the ones that cannot be deleted after the above, try: chattr -i <file>

Files commonly targeted: top, ps, find, netstat, ifconfig

Once the files are deleted, reinstall them using yum:

yum reinstall procps openssh-server openssl psmisc findutils fileutils util-linux net-tools textutils sysklogd

Additional things:

1. sshd will have been renamed to sshd0 in /usr/sbin/
2. The hacker has most likely added an entry to the bottom of /etc/rc.d/rc.sysinit:

   # Xntps (NTPv3 daemon) startup..
   /usr/sbin/xntps -q

   Remove it: chattr -suSadAc /usr/sbin/xntps ; rm -f /usr/sbin/xntps

3. Re-run chkrootkit until the machine is clean
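
To see which files still carry the attributes cleared with chattr above before trying to delete them, lsattr output can be filtered for those flags. This is an added example, not part of the original post; the function names (flag_suspect_attrs, sample_lsattr, audit_live) are hypothetical and the sample lsattr lines are constructed.

```shell
#!/bin/sh
# Added example: report files carrying the attributes the article clears
# with chattr (-suSadAc, then -i). Sample data below is constructed.
SUSPECT_FLAGS='suSadAci'

# Reads lsattr-style lines ("<attrs> <path>") on stdin and prints
# "<path> <flags found>" for each file with at least one suspect flag.
flag_suspect_attrs() {
    while read -r attrs path; do
        [ -n "$path" ] || continue            # skip blank or short lines
        # Keep only the suspect letters; 'e' (extents) and '-' drop out.
        hits=$(printf '%s' "$attrs" | tr -cd "$SUSPECT_FLAGS")
        if [ -n "$hits" ]; then
            printf '%s %s\n' "$path" "$hits"
        fi
    done
    return 0
}

# Constructed lsattr output, so the example runs offline.
sample_lsattr() {
    cat <<'EOF'
s---ia-------e-- /bin/ps
-------------e-- /bin/ls
----i--------e-- /usr/sbin/xntps
su--ia-A-----e-- /bin/netstat
EOF
}

# Live check of the binaries the article names (run as root).
audit_live() {
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not found" >&2; return 1; }
    for name in top ps find netstat ifconfig sshd; do
        bin=$(command -v "$name" 2>/dev/null) || continue
        lsattr -d "$bin" 2>/dev/null
    done | flag_suspect_attrs
}

# Demo on the constructed sample; call audit_live on a real host instead.
sample_lsattr | flag_suspect_attrs
```

Any file listed by audit_live needs the matching chattr call before rm will work on it.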
