BigBookPlus/kill-malware
# kill-malware — Linux compromise inspection helpers

Implements the workflow from the runbook *Malware respawn: kill and clean a Linux system*: find persistence first, then remove it, then kill processes and delete files, then verify (or reinstall).

The scripts are read-only: they gather evidence to help you decide what to edit, and they never delete system files or kill processes on their own.

## Quick start (on the affected host)

```bash
cd /path/to/kill-malware

# Phase 0 — what to do first
bash scripts/containment-checklist.sh

# Phase 1 — for each bad PID
sudo bash scripts/inspect-pids.sh 3803 2901

# Phase 2 — sweep persistence (use sudo for full crontab/root files)
sudo bash scripts/hunt-persistence.sh

# How to apply removals in the right order (printed instructions only)
bash scripts/remediation-order.sh

# After you disabled persistence, killed PIDs, deleted files, and rebooted:
bash scripts/post-reboot-verify.sh
# Fedora/RHEL: quick package checks
bash scripts/rpm-integrity-hints.sh
```

## Scripts

| Script | Role |
|---|---|
| `scripts/containment-checklist.sh` | Containment: network, credentials; do not only kill. |
| `scripts/inspect-pids.sh` | Phase 1: `/proc/PID` exe, cwd, cmdline, fd, sha256. |
| `scripts/hunt-persistence.sh` | Phase 2: systemd, cron, `ld.so.preload`, profiles, SSH, containers. |
| `scripts/remediation-order.sh` | Phase 3: ordered checklist (persistence off → kill → delete → reboot). |
| `scripts/post-reboot-verify.sh` | `ps`/`ss`/`systemctl` quick verify after reboot. |
| `scripts/rpm-integrity-hints.sh` | Phase 4: `rpm -V` on a few critical packages (Fedora/RHEL). |
| `docs/REINSTALL.md` | Nuclear option: when to stop and reinstall. |

## Requirements

  • bash, coreutils, `ss` (from iproute) or `netstat`. Optional: `sha256sum`, podman/docker for the container section in `hunt-persistence.sh`.

## Warning

A compromised system may have a keylogger or a trojaned `sudo`. Typing a password on the infected host carries risk; for maximum safety, run the inspection from a Live USB with the disk mounted read-only, or reimage if you need strong assurance. See `docs/REINSTALL.md`.

## The scripts are not enough — the bad process is still there

`inspect-pids.sh` and `hunt-persistence.sh` are read-only. They do not kill processes, disable units, or remove files. You must do that yourself as root.

### If `top` / `ps` still shows a fake `-bash` (high CPU)

  1. As root, get the real binary: `readlink -f /proc/PID/exe`
     A common trick is a file named with a leading dash, e.g. `/usr/bin/-bash (deleted)`.

  2. See which systemd slice owns the PID: `sudo bash scripts/cgroup-service.sh PID`
     The cgroup line often ends in `…/something.service`; that is the service name to disable and remove from disk (e.g. under `/etc/systemd/system/` or `/lib/systemd/system/`), then run `systemctl daemon-reload`.

  3. If the unit file is already missing but the process is still running, the service file was probably removed after boot. You can still `sudo kill -9 PID` (and any child PIDs), then search the filesystem for that service basename (e.g. `sudo find / -xdev 2>/dev/null | grep <basename>`) and for odd names in `/usr/bin/`, and reboot to confirm it does not respawn.

  4. A `./main -port 80` in `ps` is often a Docker process (e.g. Kerberos Agent uses exactly `./main -action run -port 80`). It is a separate case from a root `-bash`; confirm with `docker ps` and `pstree` before you treat it as malware.
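As an added example (not one of the repository's scripts), the read-only triage of steps 1 to 3 for one PID in a few bash functions: resolve the exe, flag the deleted/leading-dash patterns, derive the owning unit from `/proc/PID/cgroup`, and report whether its unit file is still on disk. It assumes a Linux `/proc` and the standard systemd unit directories; it kills nothing.

```bash
#!/usr/bin/env bash
# Example triage helper (added here, not part of kill-malware). Read-only.

# Unit name (foo.service / foo.scope) owning a cgroup path, or return 1.
# Input: one line of /proc/PID/cgroup, e.g. "0::/system.slice/foo.service".
service_from_cgroup_line() {
    local line="$1" path
    path="${line##*:}"      # strip the "hierarchy:controllers:" prefix
    path="${path%/}"        # tolerate a trailing slash
    case "${path##*/}" in
        *.service|*.scope) printf '%s\n' "${path##*/}" ;;
        *) return 1 ;;
    esac
}

# Suspicious exe patterns from step 1: binary deleted, leading dash in the
# name, or a binary outside the usual system directories.
exe_flags() {
    local exe="$1" flags=""
    case "$exe" in *" (deleted)") flags="$flags deleted" ;; esac
    case "${exe##*/}" in -*) flags="$flags leading-dash" ;; esac
    case "$exe" in /usr/*|/bin/*|/sbin/*|/lib*/*) ;; *) flags="$flags unusual-path" ;; esac
    printf '%s\n' "${flags# }"
}

# Print the unit file path if one exists in the standard directories (step 3:
# a missing unit file suggests it was removed after boot).
unit_file_present() {
    local unit="$1" d
    for d in /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system /run/systemd/system; do
        [ -e "$d/$unit" ] && { printf '%s\n' "$d/$unit"; return 0; }
    done
    return 1
}

# Report exe, flags, owning unit and unit-file status for one PID.
inspect_pid() {
    local pid="$1" exe unit line f
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
    echo "pid=$pid exe=$exe flags=[$(exe_flags "$exe")]"
    [ -r "/proc/$pid/cgroup" ] || return 0
    while IFS= read -r line; do
        unit=$(service_from_cgroup_line "$line") || continue
        if f=$(unit_file_present "$unit"); then echo "  unit=$unit file=$f"
        else echo "  unit=$unit file=MISSING (removed after boot?)"; fi
    done < "/proc/$pid/cgroup"
}

if [ $# -gt 0 ]; then for p in "$@"; do inspect_pid "$p"; done; fi
```

Run it as `sudo bash triage.sh 3803 2901`; a `deleted` or `leading-dash` flag together with a `MISSING` unit file is the step-3 situation described above.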
