Critical Security Alert: Vulnerable CyberPanel Instance Detected on Your Network

Bro I’ve run into the same issue but a little deeper.

ps aux | grep -E 'kinsing|udiskssd|kdevtmpfsi|bash2'

/usr/lib/secure/udiskssd
This file cannot be deleted.
“Operation not permitted”

Fix with:

pkill -f udiskssd
chattr -i /usr/lib/secure/
rm -f /usr/lib/secure/udiskssd
chattr -ia /etc/cron.hourly/oanacroner
rm -f /etc/cron.hourly/oanacroner

Same issue with editing crontab and the file does not have the immutable attribute.

Fix the crontab with:

chattr -ia /var/spool/cron/root
chattr -ia /etc/cron.d/root
chattr -ia /etc/cron.d/apache
chattr -ia /etc/cron.d/nginx

Then search the files for anything suspicious like /usr/lib/secure/atdb and remove those lines or files. Make sure to check them.

The following finds files containing atdb that were modified within the last 2 days

find /etc /tmp /var /usr -mtime -2 -type f -exec grep -El 'kinsing|udiskssd|kdevtmpfsi|bash2|bash3|\.network-setup|syshd|atdb' {} +

Also backup:

mv /etc/systemd/system/systemd_s.service /etc/systemd/system/systemd_s.service.bak
mv /etc/systemd/system/sshd-network-service.service /etc/systemd/system/sshd-network-service.service.bak
mv /etc/systemd/system/network-monitor.service /etc/systemd/system/network-monitor.service.bak

mv /usr/bin/network-setup.sh /usr/bin/network-setup.sh.bak
mv /etc/systemd/system/multi-user.target.wants/systemd_s.service /etc/systemd/system/multi-user.target.wants/systemd_s.service.bak
mv /etc/systemd/system/multi-user.target.wants/sshd-network-service.service /etc/systemd/system/multi-user.target.wants/sshd-network-service.service.bak
mv /etc/systemd/system/multi-user.target.wants/network-monitor.service /etc/systemd/system/multi-user.target.wants/network-monitor.service.bak

Also check /root/.ssh/known_hosts

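A read-only triage pass over the locations named in this post, as an added example (not the poster's code): it reports what is present and changes nothing. The function names and the `root` prefix argument (empty for the live host, or the mount point of a disk image) are assumptions for illustration; the paths and the pattern are taken from the post.

```shell
#!/bin/sh
# Added example: report-only audit of the paths and names listed in the post.
IOC_RE='kinsing|udiskssd|kdevtmpfsi|bash2|bash3|\.network-setup|syshd|atdb'
IOC_FILES='/usr/lib/secure/udiskssd /usr/lib/secure/atdb /etc/cron.hourly/oanacroner
/usr/bin/network-setup.sh /etc/systemd/system/systemd_s.service
/etc/systemd/system/sshd-network-service.service
/etc/systemd/system/network-monitor.service'
CRON_FILES='/var/spool/cron/root /etc/cron.d/root /etc/cron.d/apache /etc/cron.d/nginx'

# Print "PRESENT <path> attrs=<flags>" for each named file that exists under root.
present_iocs() {
    root=$1
    for p in $IOC_FILES; do
        [ -e "$root$p" ] || continue
        # lsattr fails on filesystems without attribute support: shown as "?"
        attrs=$(lsattr -d "$root$p" 2>/dev/null | awk '{print $1}')
        echo "PRESENT $p attrs=${attrs:-?}"
    done
}

# Print matching cron entries as "CRON <file>:<line number>:<line>".
suspicious_cron() {
    root=$1
    for f in $CRON_FILES; do
        [ -f "$root$f" ] || continue
        grep -nE "$IOC_RE" "$root$f" | sed "s|^|CRON $f:|"
    done
}

# List files changed within the last N days (default 2) that mention any name.
recent_hits() {
    root=$1; days=${2:-2}
    for d in /etc /tmp /var /usr; do
        [ -d "$root$d" ] || continue
        # find exits non-zero when grep matches nothing; that is not an error here
        find "$root$d" -xdev -type f -mtime "-$days" \
            -exec grep -El "$IOC_RE" {} + 2>/dev/null || true
    done
}

# Stand-alone use: sh audit.sh --run [root]
if [ "${1:-}" = "--run" ]; then
    present_iocs "${2:-}"; suspicious_cron "${2:-}"; recent_hits "${2:-}" 2
fi
```

An `i` or `a` in the `attrs` column is the flag that has to be cleared with `chattr` before the file can be removed.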