Debian 8 server infected with malware to mine XMR
Hi,
I have a server running Debian 8. Currently, it is infected with some kind of malware to mine XMR (minerd miner). Whenever I kill the process, it will restart itself after a few minutes. Here is what I have investigated about this malware:
Firstly, it downloads minerd to /tmp, then it installs minerd to /usr/sbin/minerd
In the /tmp dir, I also found this folder systemd-private-af024280d5cc42b388efdf6cc5c53418-systemd-timesyncd.service-fdqH64. I thought it reconfigured the timesyncd service.
Each time I kill it and it restarts itself, the PID is different. It means there's a monitor for it. I have found that the parent of minerd process is systemd (PID = 1).
/var/spool/cron and crontab is cleared.
Tried removing minerd, but it reinstalled itself.
I think its behavior is very similar to Linux Lady (http://blog.huntingmalware.com/notes/LLMalware). However, I didn't find any ntp service on my server.
Do you guys have any ideas about what I should do to remove it? Currently, I am using cpulimit to limit minerd's CPU usage to very low. I don't want to reinstall my server.
Thank you in advance.
Comments
systemd doesn't use cron. It's a virus of its own.
Remove systemd and see if it comes back.
You really should reinstall. You have some exploitable security hole so who knows what already infected your server besides the coin miner. Reinstall really is the only option to get back to a safe state.
Totally correct. Thank you. Are there any ways to know what exploitable security hole I am having?
Hard to say in general. You might find some hints in your logs. A successful ssh login from an unknown IP after a lot of failed tries could mean you had a weak password that was bruteforced. Strange HTTP requests might hint at some exploitable web script, and so on. There is no guarantee that the attackers didn't clean the logs, though, but it's surely worth a try to poke around a bit.
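What the log check suggested above looks like in practice, as an added example (not code from the thread): it parses OpenSSH lines in the Debian 8 /var/log/auth.log format and flags any successful password login that follows a run of failures from the same source IP. The log excerpt is constructed; the IPs, hostnames and PIDs in it are made up.

```python
"""Spot an SSH password brute force that ended in a successful login.

Added example, not from the thread.  Parses OpenSSH lines in the Debian 8
/var/log/auth.log format; the sample log below is constructed.
"""
import re
from collections import defaultdict

# Constructed /var/log/auth.log excerpt: five failures from one IP followed
# by an accepted password, one legitimate key login, and a guesser that gave up.
SAMPLE_AUTH_LOG = """\
Jun 10 03:12:01 vps sshd[1201]: Failed password for root from 198.51.100.23 port 41022 ssh2
Jun 10 03:12:04 vps sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 41030 ssh2
Jun 10 03:12:08 vps sshd[1205]: Failed password for root from 198.51.100.23 port 41044 ssh2
Jun 10 03:12:11 vps sshd[1207]: Failed password for root from 198.51.100.23 port 41051 ssh2
Jun 10 03:12:15 vps sshd[1209]: Failed password for root from 198.51.100.23 port 41060 ssh2
Jun 10 03:12:19 vps sshd[1211]: Accepted password for root from 198.51.100.23 port 41072 ssh2
Jun 10 07:40:02 vps sshd[1400]: Accepted publickey for deploy from 203.0.113.7 port 50210 ssh2
Jun 10 09:01:55 vps sshd[1502]: Failed password for root from 192.0.2.9 port 33000 ssh2
Jun 10 09:01:57 vps sshd[1504]: Failed password for root from 192.0.2.9 port 33001 ssh2
"""

# One regex covers "Accepted password for root from ...", "Accepted publickey
# for deploy from ..." and "Failed password for invalid user admin from ...".
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text):
    """Yield (timestamp, result, method, user, ip) for every sshd auth line."""
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            yield m.group("ts", "result", "method", "user", "ip")


def failure_counts(text):
    """Failed logins per source IP: a quick 'who was hammering me' list."""
    counts = defaultdict(int)
    for _ts, result, _method, _user, ip in parse_auth_log(text):
        if result == "Failed":
            counts[ip] += 1
    return dict(counts)


def find_bruteforce_successes(text, threshold=3):
    """Successful *password* logins preceded by >= threshold failures from the
    same IP, in log order.  Publickey logins are ignored: a key cannot be
    guessed, so failures before one are just background noise."""
    failures = defaultdict(int)
    hits = []
    for ts, result, method, user, ip in parse_auth_log(text):
        if result == "Failed":
            failures[ip] += 1
        elif method == "password" and failures[ip] >= threshold:
            hits.append({"time": ts, "ip": ip, "user": user,
                         "failures_before": failures[ip]})
    return hits


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    for hit in find_bruteforce_successes(text):
        print("likely brute-forced login:", hit)
```

Run it against /var/log/auth.log and the rotated copies (auth.log.1, and the .gz ones after zcat). As the reply notes, an attacker with root may have trimmed the file; `last` and `lastlog` read wtmp and lastlog rather than auth.log, so a login they show that the log does not is itself a clue. Lower the threshold if the guesser was slow and patient, since the five-in-twenty-seconds burst in the sample is the easy case.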
This is what we call a root kit! Watch it still be there when you reinstall LOL.
Nuke the server and all related data volumes. Erase everything and install fresh from new installation medium.
Off topic, what provider are you using?
I took a pee on it.
It's Virmach on CC New York. I am still investigating how this root kit can get into the server.
DON'T TAKE CHANCES, KEEP IT OFF!!!
And that's the right thing to do. You would want to make sure that you can close whatever security hole you had before.
A simple reinstall, as suggested, most likely won't help in the long run otherwise.
This is what I am actually trying to do. I never thought I had made a critical security hole that a rootkit could get into and run commands with the root user. I am thinking the problem lies in the SSH client I used on Android.
Take a look at the lastlog command output. The "miners" are exploring accounts with standard/default passwords to deploy the code.
Change SSH port (port knocking is better), and always use complex passwords (yet not something from online sources or images).
There’s probably a systemd service in /lib/systemd/system
But reinstall really is required.
To follow up on this, it'd definitely help to analyze whatever you ran/installed on the server. What shady benchmark scripts were run, what programs were installed, were best security practices followed to secure said applications, etc. My money is on a shitty wordpress plugin exploit.
You may also consider finding out more info about this miner. Normally the miners will mine as part of a pool, and so will provide its address. If you can obtain the payout address and the mining pool, you can submit the info to the pool operator. The pools don't support botnets or hacked machines, so their addresses may be blacklisted, and the rewards from mining may be 'seized', which would discourage the hacker from doing this again since they would lose their earnings from multiple hacked machines (and not just yours).
It would be nice if it were true. However, I doubt that the pool will seize the money, because the pool also takes a fee from them.
Here is its address:
Text for anyone interested: 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbS5MiK5WrvMXJDx44dL
You can see he has mined a lot of coin. It means I am not the only one infected. https://xmr.nanopool.org/account/4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbS5MiK5WrvMXJDx44dL
Taking a pee on a server is like chown to self on all files.
I kinda forgot to mention, needless to say, all related passwords need to be changed to new ones too.
This is evolution... I must say!!! At least the hackers evolved from sending SPAM to shitmining.
PS: I screwed myself with the quote/edit/post.
..and using these stupid blockchains, it's going to be more difficult to track them down. Wunderbar.
Re-installing to try to fix problems is lazy IT and lazy advice. Not always a good option for people anyways.
You learn a lot more trying to find and fix the problems.
Why don't you have the logo of Los Pollos Hermanos as an avatar image?
This statement is fucktarded in response to a ROOTED MACHINE. It's not like he fucked up his network config.
Your statement further up to remove systemd is probably the worst advice possible. Amazing you are able to figure out how to use the internet and post here. I guess porn is a good motivator.
@LosPollosHermanos
You idiot, it was a joke.
Likely stemming from his hatred for systemd, or just wanting to troll you.
@levnode
Back up your data through FTP/SFTP (disable SSH access) and reinstall the server. It doesn't matter who's mining on your server, but I'm pretty sure it's against the TOS.
Until then, you can keep the miner offline:
Then hit CTRL+A and CTRL+D.
It should keep it offline until you're done making a system backup.
You're a gem. Remind me to have you set in metal and put on display.
Maybe he should try being funny instead of coming off like a huge asshole.
Anyone whose only advice is "reinstall" is a waste of keystrokes. That is not advice. That is more like picking your nose and farting in the general direction of a keyboard.
If any of you actually tried to solve these problems instead of just re-installing you would know that it's not that hard to find and remove malware from Linux.
According to that link, he has been paid out over 3K USD.
We are seeing this happen to customers more and more often. I'll spend some time if it happens again and ask the customer for access to check.
Alexander
Well, removing some malware might not be too hard, but it's not really practical to go through all the required steps to even be semi-sure you removed all of it.