#1 Sun, 01/21/2018 - 13:11
briand

cpuminer

-bash -c 1 -t 2 -M stratum+tcp://46WyHX3L85SAp3oKu1im7EgaVGBsWYhf7KxrebESVE6QHA5vJRab6wF1gsVkYwJfnNV2KYHU1Xq2A9XUYmWhvzPf2E6Nvse:x@monerohash.com:3333/xmr ID 14687

cpuminer installed by root. Does anybody have ideas how these 'miners' can install software on the server as root? I'll try and dig about some more myself to see how they can do so. Brian

Operating system: CentOS Linux 7.4.1708
Perl version: 5.016003
Path to Perl: /usr/bin/perl
BIND version: 9.9
Postfix version: 2.10.1
Mail injection command: /usr/lib/sendmail -t
Apache version: 2.4.6
PHP versions: 5.4.16, 5.6.25
Webalizer version: 2.23-08
Logrotate version: 3.8.6
MySQL version: 5.5.56-MariaDB
ProFTPD version: 1.35
SpamAssassin version: 3.4.0
ClamAV version: 0.99.2

Sun, 01/21/2018 - 15:54
Joe

Your system has been rooted. The miner itself isn't relevant information...that's just what they decided to do with the rooted system. The fact that they haven't hidden it from you is an indicator that they didn't install a rootkit (or didn't know how to use it, if they did), which could hide the miner from the process list.

There was a series of major vulnerabilities discovered in both Intel and AMD CPUs recently, which could be exploited on any OS to escalate privilege. If your kernel wasn't updated quickly, and an untrusted user had any kind of user access, that could explain the escalation (I don't know the details of those exploits, but I know they could be used to obtain sensitive information from memory...probably including passwords). How the attacker initially got into your system could be all sorts of things...exploitable web apps, weak password, a legitimate user gone rogue, etc.

Anyway, you can't trust your server anymore without a reinstall. Even though it doesn't look like they installed a rootkit (since you can see the miner process), I'd be surprised if they didn't. So, back up your data, and either migrate to a new VM (if this is a virtual machine), or reinstall your OS (deleting all the existing filesystems and starting from scratch). You can run tools like rkhunter and chkrootkit, which might sniff the problems out; it's impossible to know for sure, because a rootkit can theoretically completely hide itself from detection (though realistically they are rarely completely undetectable).

In terms of avoiding it in the future: Make sure you stay up to date. The most common cause of exploited systems is old software (whether services, kernel, or web apps), followed closely by weak passwords and other poor practices (repeating passwords on multiple systems, for example). Things like firewalls are band-aids, at best...fail2ban can prevent brute force attacks, but won't make an exploitable application or service safe.

--

Check out the forum guidelines!

Sun, 01/21/2018 - 16:00
Joe

Oh, and if you're backing up and starting over on the same system, I'd recommend two kinds of backup. Virtualmin backups are usually reliable, but it's likely there are things you configured outside of Virtualmin that are important. So, back up /etc, /var, and /home, at least, independently of the Virtualmin backups. /bin and /usr/bin and /lib and /usr/lib are all provided by the OS, so can generally be ignored in backups.

Also keep in mind that when restoring a backup from a rooted machine, there may be bombs that can re-infect the new machine. I would not restore /etc in bulk; I would only pull out the specific things you need (if any beyond what Virtualmin backs up) because there could be a bomb waiting for the next boot in rc files, systemd unit files, or any of the other executable bits in /etc. I would look it over pretty carefully, even if just restoring the Virtualmin backups...a determined and knowledgeable attacker could modify Virtualmin created scheduled jobs, for example.


Sun, 01/21/2018 - 18:26
briand

Thanks Joe, beginning to lose the will these days with such attacks. ;o(( I always check with rkhunter and chkrootkit, and on this server I always thought I had kept things up to date. This one is a home server so at least it is easy to reformat.

Sun, 01/21/2018 - 19:01 (Reply to #4)
Jfro

For a home server where no users other than you have access, the Spectre/Meltdown bug probably isn't the issue here. (If so, then the firmware ....)

But you have to check very precisely where open access to the server from outside or inside comes from; when security is OK, then this could be coming from something trusted or a person inside your network. (Though this part itself could be hacked from outside.)

So be very careful with "hacked" local network servers, devices, IoT sh...t, webcams, smart devices, whatever, since they are in your private trusted ....

On Windows/Linux networks, for anything not updated, such hacks could be caused by SMB (such as vulnerable Samba file sharing servers); because the vulnerability is exploitable via the SMB protocol, and because the issue came to light so close to the WannaCry ransomware outbreak, some researchers started referring to the bug as SambaCry or EternalRed.

When not really hacked but the cause is a "virus" or other bogus program, please check also, and notify the makers of the "antivirus" program you use.

Old software versions!

If on a local network, you can try to check for traffic going out: https://www.wireshark.org/

CSF, if used, I think should have sent you a notice about strange root behaviour.

For all readers: the main basic causes of hacked networks are that a lot of different protocols, devices and different OSes, also in diverse versions, have to talk to each other. If some are too old and/or have security flaws, or even worse default setups / admin/root access, then mostly your complete network is unsafe, while mostly too much is trusted from outside your own network! (Also in that view BYOD and the users themselves..)

And a warning: never ever assume that if only 1 device in the network seems hacked or has a bogus program, the rest of your devices are not and should be safe.

For the topic starter, a good thing could be that they only want "MINER" machines, so have a look at your other devices for exactly that kind of thing.

Also you use older PHP and MariaDB it seems (PHP versions 5.4.16); when this is specifically for 1 or more apps, then these apps could be too old and have some flaws too. (Apps not updated for using newer PHP than 5.4.x I think you can't really trust anymore?)

Mon, 01/22/2018 - 01:53
briand

Thanks also

I had a feeling it might have been an SSH issue

Looks like a schoolboy error on my part! :o( Despite knowing that SSH v1 is a problem, it is not turned off. I normally switch this off, or at least check it, but I guess I made a mistake this time. So I think that is the backdoor.
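The check Brian says he normally does, as an added example that is not code from the thread or from Virtualmin: it reads an sshd_config (the live /etc/ssh/sshd_config or a copy pulled from a backup), honours sshd's own parsing rules (keywords are case-insensitive, the first occurrence of a keyword wins, comments are ignored) and reports a Protocol setting that still allows SSH-1 alongside two other settings that make an exposed sshd a brute-force target. One caveat worth pairing with it: OpenSSH 7.4 removed server support for protocol 1 altogether, so on a host whose `ssh -V` reports 7.4 or newer a stray Protocol line can no longer enable v1, and the other findings deserve the closer look. The keyword names are OpenSSH's; the file contents in the usage note are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread or from Virtualmin: audit an sshd_config for the
# legacy-protocol and weak-authentication settings a post-mortem like this one turns up.

# Print the effective value of keyword $1 from the normalised config text $2.
# sshd keywords are case-insensitive and the first occurrence wins, so the caller
# lower-cases the text and this stops at the first match.
sshd_opt() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# Audit sshd_config file $1. Prints one finding per line; returns 1 if anything was
# found, 0 if the file passed.
audit_sshd_config() {
    # Drop comments, allow the "Keyword=value" form sshd accepts, lower-case everything.
    cfg=$(sed -e 's/#.*//' -e 's/=/ /' "$1" | tr 'A-Z' 'a-z')
    findings=""

    # "Protocol 1" or "Protocol 2,1" leaves SSH-1 enabled, which has no safe configuration.
    case "$(sshd_opt protocol "$cfg")" in
        *1*) findings="${findings}protocol1 " ;;
    esac

    # Explicit root login over SSH; combined with password auth it is a brute-force target.
    if [ "$(sshd_opt permitrootlogin "$cfg")" = yes ]; then
        findings="${findings}permitrootlogin "
    fi

    # Upstream default for PasswordAuthentication is yes, so an absent line counts as yes.
    pw=$(sshd_opt passwordauthentication "$cfg")
    if [ -z "$pw" ] || [ "$pw" = yes ]; then
        findings="${findings}passwordauth "
    fi

    printf '%s\n' "$findings" | tr ' ' '\n' | sed '/^$/d'
    [ -z "$findings" ]
}

# Usage: sh audit-sshd.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1" && echo "no findings"
fi
```

Given a constructed file containing `Protocol 2,1`, `PermitRootLogin yes` and a commented-out `#PasswordAuthentication no`, the script reports `protocol1`, `permitrootlogin` and `passwordauth`; a file with `Protocol 2`, `PermitRootLogin no` and `PasswordAuthentication no` passes cleanly. Remember that sshd also honours `Match` blocks and, on newer versions, an `Include` directive, which this single-file pass does not follow.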
