Yesterday my server was infected by what seems to be a crypto-miner or some other type of bandwidth hog. I found the following in /var/tmp/.11/:
-rwxr-xr-x 1 root root 20240 Oct 26 22:54 bash.sh
-rw-r--r-- 1 root root 4413086 Jan 5 23:34 enbash.tar
-rw-r--r-- 1 root root 6304805 Jan 5 23:34 enbio.tar
-rwxr-xr-x 1 root root 2359889 Nov 28 02:11 fkoths
drwxr-xr-x 2 root root 4096 Jan 7 22:27 ..lph
and ..lph contains Makefile and processhider.c. Since your code enables this virus to function, I'm hoping you're aware of a safe workaround or method of un-hiding because, obviously, I can't fix what I can't see.
I am not the author of this library, but I hope it will help you.
This library uses the ld preloader and modifies the /etc/ld.so.preload file:
root@sid:~# echo /usr/local/lib/libprocesshider.so >> /etc/ld.so.preload
So if you delete the /usr/local/lib/libprocesshider.so line from the /etc/ld.so.preload file, you should see the malicious process.
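An added example, not part of the thread or of the library's code: a check that lists what /etc/ld.so.preload loads and finds PIDs that are reachable by opening /proc/<pid>/status directly but are missing from the /proc directory listing. It assumes the preloaded library hides processes by filtering directory listings of /proc; the function names and the `lister` parameter are hypothetical.

```python
#!/usr/bin/env python3
"""List ld.so.preload entries and find PIDs missing from the /proc listing."""
import os
import re

def preload_entries(path="/etc/ld.so.preload"):
    """Libraries named in ld.so.preload ('#' comments, space/colon separated)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except FileNotFoundError:
        return []
    text = re.sub(r"#[^\n]*", "", text)  # drop comments
    return [e for e in re.split(r"[\s:]+", text) if e]

def _is_process(proc_root, pid):
    """True if <proc_root>/<pid> is a thread-group leader, not a thread.
    Thread IDs open fine by path but are never listed, so skip them."""
    try:
        status = os.path.join(proc_root, str(pid), "status")
        with open(status, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except (OSError, ValueError, IndexError):
        pass
    return False

def listed_pids(proc_root, lister):
    """PIDs visible through the (possibly hooked) directory listing."""
    return {int(n) for n in lister(proc_root) if n.isdigit()}

def hidden_pids(proc_root="/proc", max_pid=None, lister=os.listdir):
    """PIDs that can be opened by path but that the listing omits."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    before = listed_pids(proc_root, lister)
    probed = {p for p in range(1, max_pid + 1) if _is_process(proc_root, p)}
    after = listed_pids(proc_root, lister)
    # Visible in either snapshot counts as visible (start/exit races).
    return sorted(probed - before - after)

if __name__ == "__main__":
    for lib in preload_entries():
        print("preloaded:", lib)
    for pid in hidden_pids():
        print("hidden pid:", pid, "->", os.path.join("/proc", str(pid), "exe"))
```

A very short-lived process can still show up once, so re-run before treating a PID as hidden.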