Check_disk malware rm?

Hello Community,

Our antivirus system told us that we have malware on a Linux system.
The originating process was ‘nrpe’
The process user was ‘nagios’
The command line argument was ‘/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p’
The file/path was ‘/bin/rm’
The message was ‘Destroys data in a suspicious way’

Our first thought was ‘rm is doing what rm has to do’
We just would like to understand what kind of files nrpe/check_disk is removing.
Is there a temp file that will be deleted after a check?

Installed on that server is
check_disk v2.2 (monitoring-plugins 2.2)

Can somebody explain what kind of files will be removed and why?
Thanks a lot

Hi Oceanborn,

Whether a file is read, deleted or written can be found out with the Linux command strace.
Syntax: strace "command"
The output of strace is difficult for beginners to read, but with some practice you figure it out.


The plugins are also open source, so you can check the source code: check_disk.c in monitoring-plugins/monitoring-plugins on GitHub, and NagiosEnterprises/nrpe (the NRPE agent) on GitHub.

With plugins it is typically a temporary file; with nrpe I would expect it is the socket needed for the plugin result to come back. But "the file/path was '/bin/rm'" makes me wonder, as both parts, plugin and nrpe, are compiled C code, so they should use a syscall and not the binary!
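The two replies above suggest tracing the plugin with strace and checking whether the deletion is a direct syscall or an exec of /bin/rm. The script below is an added example, not something posted in this thread or shipped with monitoring-plugins or NRPE: it shows the strace invocation for the check_disk command line from the question, then a small POSIX shell/awk filter that pulls deletions (unlink, unlinkat, rmdir) and program executions (execve) out of a trace. The trace text embedded in the script is constructed to illustrate strace's output format and does not describe what check_disk really does; the `/tmp/example*.tmp` paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: trace a monitoring plugin and
# summarise which paths it deletes and which programs it executes.
#
# On the affected server, run the plugin under strace as the nagios user
# (the same user NRPE runs it as) with the exact arguments from the alert:
#   strace -f -e trace=file -s 256 -o /tmp/check_disk.strace \
#       /usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p
# -f follows child processes (a forked /bin/rm would show up there),
# -e trace=file limits output to file-related syscalls, -s 256 keeps long
# paths from being truncated, -o writes the trace to a file.

# summarise_trace: reads strace output on stdin, prints "<syscall> <path>"
# for every unlink/unlinkat/rmdir (deletion done by the process itself)
# and every execve (a separate program, e.g. /bin/rm, being started).
summarise_trace() {
    # strace prefixes lines from child processes with "[pid N] "; strip it,
    # then take the first quoted argument of the syscalls of interest.
    # For unlinkat the first argument is a dirfd, so the first quoted
    # string is still the path.
    sed 's/^\[pid *[0-9]*\] //' | awk '
        /^(unlink|unlinkat|rmdir|execve)\(/ {
            call = substr($0, 1, index($0, "(") - 1)
            rest = substr($0, index($0, "(") + 1)
            split(rest, parts, "\"")
            print call, parts[2]
        }'
}

# deletions_in: number of deletions the traced process made via syscall.
deletions_in() {
    printf '%s\n' "$1" | summarise_trace | grep -Ec '^(unlink|unlinkat|rmdir) ' || true
}

# execs_of: how many times a given program path was executed in the trace.
execs_of() {
    printf '%s\n' "$2" | summarise_trace | grep -c "^execve $1\$" || true
}

# Constructed sample trace (NOT real check_disk output). It contains one
# deletion done by syscall and one done by starting /bin/rm, so both
# patterns discussed in the thread are visible.
SAMPLE_TRACE='execve("/usr/lib/nagios/plugins/check_disk", ["check_disk", "-w", "10%", "-c", "5%", "-p"], 0x7ffd0 /* 20 vars */) = 0
openat(AT_FDCWD, "/etc/mtab", O_RDONLY|O_CLOEXEC) = 3
statfs("/", {f_type=EXT2_SUPER_MAGIC, f_bsize=4096}) = 0
[pid  4242] unlinkat(AT_FDCWD, "/tmp/example.tmp", 0) = 0
[pid  4243] execve("/bin/rm", ["rm", "-f", "/tmp/example2.tmp"], 0x55 /* 20 vars */) = 0
+++ exited with 0 +++'

# Usage: summarise the constructed trace. On a real server, replace this
# with:  summarise_trace < /tmp/check_disk.strace
printf '%s\n' "$SAMPLE_TRACE" | summarise_trace
```

If the real trace shows `unlink`/`unlinkat` lines from the plugin's own pid and no `execve("/bin/rm", ...)`, the alert's "/bin/rm" attribution comes from something other than the plugin (a wrapper script or the antivirus agent's own path resolution); if it does show an `execve` of /bin/rm, the `[pid N]` prefix tells you which child started it, and the `execve` argument list shows exactly what was passed to it.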