Recently one of the servers under my control was infected with mining software. It caused unnecessary load and wasted server resources.
Since the server uses cPanel, I had to use WHM to track down the source. I checked the WHM ‘Process Manager’ and ‘Daily Process Log’ and found something similar to:
impxxxx impxxxxketing.com 98.5 -bash -a cryptonight -o stratum+tcp://xx.xx.xx.xx:14444 -u 4AmprS3UsK28LE9pHnt9TXDZygXoVtnQ6eFkD5ghP7TwPZ7tKkhQJn1Z3SUCbmw7xcA8F6pnQBpEzfQ2BGdTXo6BEs7MFHZ -p x
I used ‘Process Manager’ to kill the PID that was running the process.
I then checked the user's cPanel and found a strange cron job pointing to a strange path, e.g.:
So I read the content of the file using the cat command:
[root@svr2 ~]# cat /home/impxxxx/public_html/nrxxxxment/includes/.qts/upd
if test -r /home/impxxxx/public_html/nrxxxxment/includes/.qts/bash.pid; then
if $(kill -CHLD $pid >/dev/null 2>&1)
Go to the folder and see what is inside:
[root@svr2 ~]# cd /home/impxxxx/public_html/nrxxxxment/includes/.qts/
[root@svr2 .qts]# ls
a bash.pid cron.d dir.dir f g m p r s t upd x
The existence of bash.pid confirms that the mining comes from that path.
Delete the folder and delete the cron job so the mining stops.
[root@svr2 .qts]# cd ..
[root@svr2 includes]# rm -rfv .qts
removed directory: ‘.qts’
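The steps above (spot the miner in the process list, then find the cron job that keeps restarting it) can be turned into a small triage script. The following is an added example written for this post, not the post's own commands: it uses only the indicators seen above (a stratum+tcp pool URL, the cryptonight algorithm flag, high CPU, and a cron command living in a hidden directory such as /.qts/). The process lines and crontab lines are constructed samples in the same column layout as the WHM output shown above; the wallet address is a placeholder.

```sh
#!/bin/sh
# Added example, not from the original post. Triage helpers for a cPanel box
# suspected of running a miner. Indicators are the ones the post shows; the
# sample data below is constructed to mirror the WHM "Process Manager" layout
# (user, domain, CPU%, command ...) and a user's crontab.

# Constructed sample of WHM Process Manager-style output.
SAMPLE_PROCS='impxxxx impxxxxketing.com 98.5 -bash -a cryptonight -o stratum+tcp://xx.xx.xx.xx:14444 -u WALLET_PLACEHOLDER -p x
apache example.com 1.2 /usr/sbin/httpd -k start
mysql - 3.4 /usr/sbin/mysqld
user2 example.org 97.0 php /home/user2/public_html/index.php'

# Constructed sample crontab lines for the same cPanel user.
SAMPLE_CRON='# legitimate site cron
*/5 * * * * /home/impxxxx/public_html/nrxxxxment/includes/.qts/upd >/dev/null 2>&1
0 2 * * * /usr/local/bin/php /home/impxxxx/public_html/cron.php
@reboot /home/impxxxx/.cache/x/run'

# triage_procs: read process lines on stdin and print "REASON<TAB>line" for
# each suspicious one. MINER_CMDLINE = command contains a stratum pool URL or
# the cryptonight algorithm; HIGH_CPU = >90% CPU with no known miner indicator
# (worth a look, but not proof on its own).
triage_procs() {
    awk '
    {
        cmd = ""
        for (i = 4; i <= NF; i++) cmd = cmd " " $i
        if (tolower(cmd) ~ /stratum[+]tcp:\/\/|cryptonight/)
            print "MINER_CMDLINE\t" $0
        else if ($3 + 0 > 90)
            print "HIGH_CPU\t" $0
    }'
}

# flag_hidden_cron: read crontab lines on stdin, skip comments, and print
# entries whose command path contains a hidden directory component
# (a "/.something/" segment), as the post's /.qts/ entry did.
flag_hidden_cron() {
    grep -v '^[[:space:]]*#' | grep -E '/\.[^/[:space:]]+/'
}

# Run both checks over the constructed samples when executed directly.
echo "== suspicious processes =="
printf '%s\n' "$SAMPLE_PROCS" | triage_procs
echo "== cron entries referencing hidden directories =="
printf '%s\n' "$SAMPLE_CRON" | flag_hidden_cron
```

On a live host you would feed `triage_procs` the output of a `ps` invocation whose first three columns are user, a domain or placeholder, and CPU percent, and `flag_hidden_cron` the contents of `/var/spool/cron/<user>` for each cPanel account; both functions only read stdin, so the column assumption is the one thing to adjust. A hidden-directory match is a lead to inspect, not a verdict, so pair it with the `cat`/`ls` inspection the post describes before deleting anything.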