Removing sim_disk_attack.sh and diskbomb from apps‐a - GriffinKat/group-a GitHub Wiki

Initial Detection

  • Found unusual disk space usage and traced it to:

    /usr/local/bin/sim_disk_attack.sh and /usr/local/bin/tmp/sim_disk_attack.sh

  • Verified its presence with:

    stat /usr/local/bin/sim_disk_attack.sh

    stat /usr/local/bin/tmp/sim_disk_attack.sh

  • Found it was actively running:

    pgrep -a -f sim_disk_attack.sh

Stopping the Malicious Script

  • Terminated the running process (PID taken from the pgrep output above):

    sudo kill -9 367533

Disabling the Auto-Restarting systemd Service

  • Found it registered as a service:

    sudo grep -r sim_disk_attack /etc/systemd/system/

  • Stopped and disabled the service:

    sudo systemctl stop simdiskattack.service

    sudo systemctl disable simdiskattack.service

  • Removed the service file, reloaded systemd, and masked the unit name so it cannot be re-enabled:

    sudo rm /etc/systemd/system/simdiskattack.service

    sudo systemctl daemon-reload

    sudo systemctl mask simdiskattack.service

Deleting the Scripts

  • Deleted both copies of the script and the stray tmp directory:

    sudo rm -f /usr/local/bin/sim_disk_attack.sh

    sudo rm -f /usr/local/bin/tmp/sim_disk_attack.sh

    sudo rmdir /usr/local/bin/tmp

Cleaning Up the diskbomb Directory

  • The diskbomb directory was filling the disk.

  • To delete it completely:

    sudo rm -rf /var/tmp/diskbomb/
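
The steps above as re-usable shell functions, added here as an example (this is not code from the wiki or from the apps-a host). The unit-directory parameter and the CONFIRM variable are assumptions made for this example, so the logic can be checked against a scratch directory before it is pointed at /etc/systemd/system.

```shell
#!/usr/bin/env bash
# Added example, not part of the original wiki: the manual steps from the
# write-up as functions. Assumptions (constructed for this example): the unit
# directory is a parameter so the code can be exercised on a test tree, and
# nothing on the host is changed unless CONFIRM=1 is set.
set -u

# List every systemd unit under unit_dir whose contents mention pattern.
# Same check as the write-up's: sudo grep -r sim_disk_attack /etc/systemd/system/
find_units_referencing() {
    local pattern="$1" unit_dir="${2:-/etc/systemd/system}"
    grep -rl -- "$pattern" "$unit_dir" 2>/dev/null | sort
}

# Exit 0 if any process command line matches pattern (like pgrep -a -f), else 1.
script_is_running() {
    pgrep -f "$1" >/dev/null 2>&1
}

# Print the ordered remediation commands for one unit file and one script path,
# in the order the write-up used. Removing the unit file before masking matters:
# systemctl mask refuses while a real unit of that name still exists in
# /etc/systemd/system, and once it succeeds it leaves a /dev/null symlink there.
remediation_plan() {
    local unit_file="$1" script="$2"
    local unit
    unit=$(basename "$unit_file")
    printf '%s\n' \
        "systemctl stop $unit" \
        "systemctl disable $unit" \
        "rm -f $unit_file" \
        "systemctl daemon-reload" \
        "systemctl mask $unit" \
        "rm -f $script"
}

# Dry run by default; runs the plan through sudo only when CONFIRM=1.
remediate() {
    local plan
    plan=$(remediation_plan "$1" "$2")
    if [ "${CONFIRM:-0}" = "1" ]; then
        printf '%s\n' "$plan" | while IFS= read -r cmd; do
            sudo sh -c "$cmd"
        done
    else
        printf 'DRY RUN:\n%s\n' "$plan"
    fi
}

# Usage (dry run): remediate /etc/systemd/system/simdiskattack.service /usr/local/bin/sim_disk_attack.sh
```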