Our antivirus system told us that we do have malware on a Linux system.
The originating process was ‘nrpe’
The process user was ‘nagios’
The command line argument was ‘/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p’
The file/path was ‘/bin/rm’
The message was ‘Destroys data in a suspicious way’
Our first thought was ‘rm is doing what rm has to do’.
We just would like to understand what kind of files nrpe/check_disk is removing.
Is there a temp file that will be deleted after a check?
Installed on that server is check_disk v2.2 (monitoring-plugins 2.2).
Can somebody explain what kind of files will be removed and why?
Thanks a lot