# Removing sim_disk_attack.sh and diskbomb from apps-a

(GriffinKat/group-a GitHub Wiki)
## Initial Detection

- Found unusual disk space usage and traced it to two copies of the same script, `/usr/local/bin/sim_disk_attack.sh` and `/usr/local/bin/tmp/sim_disk_attack.sh`.
- Verified that both copies were present:

```bash
stat /usr/local/bin/sim_disk_attack.sh
stat /usr/local/bin/tmp/sim_disk_attack.sh
```

- Confirmed the script was actively running:

```bash
pgrep -a -f sim_disk_attack.sh
```
## Stopping the Malicious Script

- Terminated the running process by PID:

```bash
sudo kill -9 367533
```
## Disabling the Auto-Restarting systemd Service

- Found the script registered as a systemd service:

```bash
sudo grep -r sim_disk_attack /etc/systemd/system/
```

- Stopped and disabled the service:

```bash
sudo systemctl stop simdiskattack.service
sudo systemctl disable simdiskattack.service
```

- Removed the unit file, reloaded systemd, and masked the unit name:

```bash
sudo rm /etc/systemd/system/simdiskattack.service
sudo systemctl daemon-reload
sudo systemctl mask simdiskattack.service
```
## Deleting the Scripts

- Deleted both copies of the script and the now-empty `tmp` directory:

```bash
sudo rm -f /usr/local/bin/sim_disk_attack.sh
sudo rm -f /usr/local/bin/tmp/sim_disk_attack.sh
sudo rmdir /usr/local/bin/tmp
```
## Cleaning Up the diskbomb Directory

- The `diskbomb` directory was what was filling the disk.
- To delete it completely:

```bash
sudo rm -rf /var/tmp/diskbomb/
```
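The steps above, collected into one re-runnable sweep. This is an added example, not a script from the wiki or the group-a project: it checks for the four artifacts the page names (both script copies, the `simdiskattack.service` unit and the `diskbomb` directory), reports how much space `diskbomb` holds, and optionally performs the same cleanup. `ROOT` is an assumed prefix that defaults to `/`; pointing it at a staged directory tree (a constructed sample, as in the usage at the end) exercises the file handling without touching the live host.

```bash
#!/usr/bin/env bash
# Added example, not part of the original wiki page. Sweeps for the artifacts
# the page lists and, on request, removes them in the same order the page used.
# ROOT is a prefix: "/" for the live host, or a staged tree for a dry run.
set -u

# Paths named on the wiki page, relative to ROOT.
ARTIFACTS="usr/local/bin/sim_disk_attack.sh
usr/local/bin/tmp/sim_disk_attack.sh
etc/systemd/system/simdiskattack.service
var/tmp/diskbomb"

# Print every artifact present under ROOT ($1), the size of the diskbomb
# directory, and (live host only) whether the script is still running.
list_artifacts() {
    local root="${1:-/}" p
    for p in $ARTIFACTS; do
        if [ -e "$root/$p" ]; then echo "FOUND $root/$p"; fi
    done
    if [ -d "$root/var/tmp/diskbomb" ]; then
        du -sh -- "$root/var/tmp/diskbomb" 2>/dev/null || true
    fi
    if [ "$root" = "/" ] && command -v pgrep >/dev/null 2>&1; then
        pgrep -a -f sim_disk_attack.sh || echo "no sim_disk_attack.sh process running"
    fi
    return 0
}

# Print the number of artifacts present under ROOT ($1) so callers can capture it.
count_artifacts() {
    local root="${1:-/}" p n=0
    for p in $ARTIFACTS; do
        if [ -e "$root/$p" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Remove the artifacts under ROOT ($1). On the live host the unit is stopped and
# disabled before the process is killed, so a Restart= setting cannot respawn it,
# and the unit name is masked after the file is gone. Run as root on a live host.
cleanup_artifacts() {
    local root="${1:-/}" p
    if [ "$root" = "/" ]; then
        if command -v systemctl >/dev/null 2>&1; then
            systemctl stop simdiskattack.service 2>/dev/null || true
            systemctl disable simdiskattack.service 2>/dev/null || true
        fi
        if command -v pkill >/dev/null 2>&1; then
            pkill -f sim_disk_attack.sh 2>/dev/null || true   # matches by command line
        fi
    fi
    for p in $ARTIFACTS; do
        if [ -e "$root/$p" ]; then
            rm -rf -- "$root/$p" && echo "REMOVED $root/$p"
        fi
    done
    rmdir -- "$root/usr/local/bin/tmp" 2>/dev/null || true   # only if now empty
    if [ "$root" = "/" ] && command -v systemctl >/dev/null 2>&1; then
        systemctl daemon-reload 2>/dev/null || true
        systemctl mask simdiskattack.service 2>/dev/null || true
    fi
    return 0
}

# Usage: ROOT=/ ./sweep.sh --sweep      (report only)
#        ROOT=/ ./sweep.sh --cleanup    (remove, as root)
#        ROOT=/path/to/staged/tree ./sweep.sh --sweep   (dry run on a copy)
case "${1:-}" in
    --sweep)   list_artifacts "${ROOT:-/}" ;;
    --cleanup) cleanup_artifacts "${ROOT:-/}" ;;
esac
```

Two design choices differ from the order the page records. The unit is stopped before the process is killed, because a unit with `Restart=` will bring a killed process straight back; and the sweep is worth re-running after cleanup, since space held by `diskbomb` is only returned once no process still has its files open, so a second `--sweep` showing no artifacts and `df` showing the space back together confirm the host is clean.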