How a New Year UDP Flood Hid a Trojan: A Linux Incident Response Walkthrough

Introduction

On Chinese New Year's Day, a client reported that their Oracle+Tomcat server was overwhelmed by massive UDP traffic, exhausting bandwidth. After local technicians failed, they turned to us on the third day.

Finding the Trojan

SSH login, using top revealed a suspicious process named gejfhzthbp. Running lsof -c gejfhzthbp showed external TCP connections, possibly a reverse shell.

We examined the file path and timestamps, matching the intrusion time, then copied the file to a Kali VM for analysis.

Restoring Service

Attempted to kill the process, but it respawned with a different name. Various parent processes (sshd, pwd, ls) appeared, and a VNC connection was installed. Finally, we added iptables rules to block unwanted traffic:

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d 192.168.1.235 -j ACCEPT
iptables -A DROP

After applying the rules, the service returned to normal.

Investigating the Root Cause

The breach originated from a weak SSH password. An Indonesian IP successfully brute‑forced the login. The client had temporarily set a weak password for third‑party technicians and forgot to change it, allowing the attacker to gain root access and change the root password.

Reviewing /var/log/secure and the history file revealed the attacker’s actions, confirming the compromise.

Conclusion

The incident highlights the importance of strong SSH credentials and proper post‑maintenance cleanup.