Removing sim_disk_attack.sh and diskbomb from apps‐a - GriffinKat/group-a GitHub Wiki
Initial Detection
-
Found unusual disk space usage and traced it to:
/usr/local/bin/sim_disk_attack.shand/usr/local/bin/tmp/sim_disk_attack.sh -
Verified its presence with:
stat /usr/local/bin/sim_disk_attack.shstat /usr/local/bin/tmp/sim_disk_attack.sh -
Found it was actively running:
pgrep -a -f sim_disk_attack.sh
Stopping the Malicious Script
-
Terminated the process:
sudo kill -9 367533
Disabling the Auto-Restarting systemd Service
-
Found it registered as a service:
sudo grep -r sim_disk_attack /etc/systemd/system/ -
Stopped and disabled the service:
sudo systemctl stop simdiskattack.servicesudo systemctl disable simdiskattack.service -
Removed the service file:
sudo rm /etc/systemd/system/simdiskattack.servicesudo systemctl daemon-reloadsudo systemctl mask simdiskattack.service
Deleting the Scripts
-
Deleted both script versions:
sudo rm -f /usr/local/bin/sim_disk_attack.shsudo rm -f /usr/local/bin/tmp/sim_disk_attack.shsudo rmdir /usr/local/bin/tmp
Cleaning Up the diskbomb Directory
-
The diskbomb directory was filling the disk.
-
To delete it completely:
sudo rm -rf /var/tmp/diskbomb/