Our antivirus system told us that we have malware on a Linux system.
The originating process was ‘nrpe’
The process user was ‘nagios’
The command line argument was ‘/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p’
The file/path was ‘/bin/rm’
The message was ‘Destroys data in a suspicious way’
Our first thought was ‘rm is doing what rm has to do’
We just would like to understand what kind of files nrpe/check_disk is removing.
Is there a temp file that will be deleted after a check?
On that server is installed:
check_disk v2.2 (monitoring-plugins 2.2)
Can somebody explain what kind of files will be removed and why?
Thanks a lot
Whether a file is read, deleted or written can be found out with the Linux command strace.
Syntax: strace “command”
The output of strace is difficult for beginners to read, but with some practice you figure it out.
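One way to apply the strace suggestion above, as an added example that is not part of the original answer: run the plugin under strace -f, then reduce the trace to the calls that delete or rename files, or that exec /bin/rm. The trace lines below are constructed, not a real capture; the check_disk path and arguments are taken from the question.

```shell
#!/bin/sh
# Added example (not from the original post).
# A real capture, run as the same user nrpe uses, would look like:
#   strace -f -e trace=execve,unlink,unlinkat,rename -o /tmp/check_disk.strace \
#     sudo -u nagios /usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p
# With -f every line is prefixed by the pid, so a child that execs rm shows
# up with its own pid. The lines below are constructed sample output.
SAMPLE_TRACE='12345 execve("/usr/lib/nagios/plugins/check_disk", ["/usr/lib/nagios/plugins/check_disk", "-w", "10%", "-c", "5%", "-p"], 0x7ffd0000 /* 12 vars */) = 0
12345 unlinkat(AT_FDCWD, "/tmp/check_disk.abc123", 0) = 0
12346 execve("/bin/rm", ["rm", "-f", "/tmp/somefile"], 0x55aa0000 /* 12 vars */) = 0
12346 unlink("/tmp/somefile") = 0'

# summarize_trace TRACE_TEXT
# Prints "pid syscall path" for each unlink/unlinkat/rename call and for
# each execve of a path ending in /rm; other execve calls are dropped.
summarize_trace() {
    printf '%s\n' "$1" |
      sed -E -n 's/^([0-9]+) +(execve|unlink|unlinkat|rename)\([^"]*"([^"]*)".*/\1 \2 \3/p' |
      awk '$2 != "execve" || $3 ~ /\/rm$/'
}

summarize_trace "$SAMPLE_TRACE"
```

Each printed line answers the question in the post: which pid removed which path, and whether the plugin did it via a syscall or by running /bin/rm.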
With plugins it is typically a temporary file; with nrpe I would expect it is the socket needed for the plugin result to come back. But “the file/path was ‘/bin/rm’” makes me wonder, as both parts, plugin and nrpe, are compiled C code, so they should use a syscall and not the binary!