How I Traced a Bandwidth‑Hogging Malware on a Linux Server

Yesterday afternoon I was studying in the library when a classmate called about a Linux server in his office that was consuming all bandwidth. He asked for help, and after initially refusing, I went to the server room.

Inside the server’s desktop environment (Gnome), we logged in and ran ifconfig, noticing unusually high outbound traffic. Using top we spotted a suspicious process named sbin that consumed a lot of CPU and memory, could not be listed with ps, and should normally be a directory, not an executable.

We located the binary with which sbin, which pointed to /var/cache/sbin. Examining the /var/cache directory revealed other known binaries (e.g., man, ps) and several files added a few months ago.

Running netstat -p | grep sbin showed that the sbin process had opened many PPTP connections, explaining the bandwidth surge.

We terminated the process, which stopped the immediate problem, but the root cause remained unknown. Later investigation (2024/7/4 update) found that the attacker had placed a series of scripts in /var/cache, including an install script that added a user to /etc/passwd and /etc/sudoers, granting administrative access. Deleting that user and related files resolved the intrusion.

The disk space exhaustion was unrelated to the attack; it resulted from long‑term neglect and accumulated files.

Next steps? The author asks readers for suggestions on further investigation.