wish helps you My guess, it runs a Powershell with NoProfile WindowStyle 1 = Minimized ExecutionPolicy ByPass = Nothing is blocked and there are no warnings or prompts then dot-sources the remaining code
like below fixes the issue Quite likely. It uses /lib/libudev.so.6 as an executable while the name implies it should be a library - try using a tool like nm or objdump to see if it's an executable. It copies from /lib/libudev.so to .so.6 - while normally the .so is a symlink to the versioned one. It also runs a for loop to bring up all network connections even if you've turned them off. It uses the name of a well-known compiler to look legit. I'd call this 99%+ likely a virus. Found another reference to something calling itself gcc - https://superuser.com/questions/863997/ddos-virus-infection-as-a-unix-service-on-a-debian-8-vm-webserver . And yes, that's a DDoS virus on a unix system, exactly matching your problem.