Home » Linux tips » 12 March 2019 » 1,662 supporters » 3 Comments »

Cpanel server infected with mining software

12 March 2019 1,662 supporters 3 Comments

Recently one of server under my control infected with mining software. It cause unnecessary load and waste of server resource.

Since the server is using Cpanel, I must use WHM to track down the source. I check WHM ‘Process Manager’ and ‘Daily process log’ and found something similar like :

impxxxx impxxxxketing.com 98.5 -bash -a cryptonight -o stratum+tcp://xx.xx.xx.xx:14444 -u 4AmprS3UsK28LE9pHnt9TXDZygXoVtnQ6eFkD5ghP7TwPZ7tKkhQJn1Z3SUCbmw7xcA8F6pnQBpEzfQ2BGdTXo6BEs7MFHZ -p x

Using ‘Process Manager’ to kill the pid who is running the process.

I have check in the user Cpanel and found strange cronjob point to strange path eg :

/home/impxxxx/public_html/nrxxxxment/includes/.qts/upd

So I read the content of the file using cat command:

[root@svr2 ~]# cat /home/impxxxx/public_html/nrxxxxment/includes/.qts/upd
#!/bin/sh
if test -r /home/impxxxx/public_html/nrxxxxment/includes/.qts/bash.pid; then
pid=$(cat /home/impxxxx/public_html/nrxxxxment/includes/.qts/bash.pid)
if $(kill -CHLD $pid >/dev/null 2>&1)
then
exit 0
fi
fi
cd /home/impxxxx/public_html/nrxxxxment/includes/.qts
./r &>/dev/null

Go to the folder contents and see what is inside the folder:

[root@svr2 ~]# cd /home/impxxxx/public_html/nrxxxxment/includes/.qts/
[root@svr2 .qts]# ls
a bash.pid cron.d dir.dir f g m p r s t upd x

The existence of bash.pid confirm that the mining come from that path.

Delete the folder and delete the cronjob so the mining stop.

[root@svr2 .qts]# cd ..
[root@svr2 includes]# rm -rfv .qts
removed ‘.qts/f’
removed ‘.qts/x’
removed ‘.qts/cron.d’
removed ‘.qts/t’
removed ‘.qts/s’
removed ‘.qts/p’
removed ‘.qts/dir.dir’
removed ‘.qts/bash.pid’
removed ‘.qts/a’
removed ‘.qts/upd’
removed ‘.qts/g’
removed ‘.qts/m’
removed ‘.qts/r’
removed directory: ‘.qts’




3 Comments »

  • admin (author) said:

    Outdated script…

  • kumail said:

    Do you have any idea of how they infected the server in the first place? how did they upload the bash.pid file onto the server?

  • Benton Secondo said:

    Its such as you read my mind! You appear to understand so much about this, like you wrote
    the guide in it or something. I feel that you simply could do with a few
    % to drive the message house a little bit, however instead of
    that, that is magnificent blog. A fantastic read.
    I will certainly be back.

Leave your response!

Add your comment below, or trackback from your own site. You can also subscribe to these comments via RSS.

Be nice. Keep it clean. Stay on topic. No spam.

You can use these tags:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This is a Gravatar-enabled weblog. To get your own globally-recognized-avatar, please register at Gravatar.