CentOS 7 Malware? - O usuário "impress+" executa um comando ("cron") com alto consumo de CPU

Infelizmente meu servidor está infectado ... =\

Parte da saída do utilitário de segurança Chkrootkit ( http://www.chkrootkit.org/ )...

NOTA: Informação confirmada através da análise do sistema!

[...]
Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed
/tmp/.X19-unix/.rsync/c/lib/64/libc.so.6
/tmp/.X19-unix/.rsync/c/lib/64/libpthread.so.0
/tmp/.X19-unix/.rsync/c/lib/64/tsm
/tmp/.X19-unix/.rsync/c/lib/32/libc.so.6
/tmp/.X19-unix/.rsync/c/lib/32/libpthread.so.0
/tmp/.X19-unix/.rsync/c/lib/32/tsm
/tmp/.X19-unix/.rsync/c/lib/arm/libc.so.6
/tmp/.X19-unix/.rsync/c/lib/arm/libpthread.so.0
/tmp/.X19-unix/.rsync/c/lib/arm/tsm
/tmp/.X19-unix/.rsync/c/slow
/tmp/.X19-unix/.rsync/c/tsm
/tmp/.X19-unix/.rsync/c/watchdog
/tmp/.X19-unix/.rsync/c/run
/tmp/.X19-unix/.rsync/c/go
/tmp/.X19-unix/.rsync/c/tsm32
/tmp/.X19-unix/.rsync/c/tsmv7
/tmp/.X19-unix/.rsync/c/start
/tmp/.X19-unix/.rsync/c/tsm64
/tmp/.X19-unix/.rsync/c/stop
/tmp/.X19-unix/.rsync/c/v
/tmp/.X19-unix/.rsync/c/golan
/tmp/.X19-unix/.rsync/c/dir.dir
/tmp/.X19-unix/.rsync/c/n
/tmp/.X19-unix/.rsync/c/aptitude
/tmp/.X19-unix/.rsync/init
/tmp/.X19-unix/.rsync/init2
/tmp/.X19-unix/.rsync/initall
/tmp/.X19-unix/.rsync/a/anacron
/tmp/.X19-unix/.rsync/a/run
/tmp/.X19-unix/.rsync/a/stop
/tmp/.X19-unix/.rsync/a/a
/tmp/.X19-unix/.rsync/a/cron
/tmp/.X19-unix/.rsync/a/init0
/tmp/.X19-unix/.rsync/b/run
/tmp/.X19-unix/.rsync/b/stop
/tmp/.X19-unix/.rsync/b/a
/tmp/.X19-unix/.rsync/1
/tmp/.X19-unix/.rsync/dir.dir
[...]

AÇÕES TOMADAS: Destrua o servidor comprometido. Altere as senhas "root" na Infraestrutura local. Altere as senhas para usuários capazes de executar como "root".

DICA: O Chkrootkit é instalado e configurado pela ferramenta private_tux ( https://github.com/eduardolucioac/private_tux ). Ele instala e configura utilitários de segurança e executa vários diagnósticos de segurança automaticamente.

Divulgação: Eu sou o autor de private_tux.