I'm in a bit of a situation: my server has been hijacked and it appears to be involved in a bitcoin mining operation.
I need to know where to begin at least. I'm a novice system admin and haven't really encountered this before. It's blowing my bandwidth out of the water, and I'm being charged by my hosting provider 50c per GB; it jumped 255GB -> 301.8GB in one day because of this. Any help is appreciated.
I've found a lot of junk in the logs relating to Stratum as well as scripts on external IP addresses running against my server. Then I look in my /tmp dir and I see 7 files which are
An example of the contents of my apache error log is as follows:
I'd first block the connection to the external addresses using iptables:
iptables -A OUTPUT -d IP_Address -j DROP
Once you've made sure all the IP addresses are being blocked, save the iptables (# /sbin/service iptables save), then clean up the files placed by the hijacker.
You may want to look at /etc/var/log/messages and /etc/var/log/secure to see if there are any entries left by the hijacker that may indicate how he/she gained a foothold on your server.
If you are running a website, make sure you don't have any web pages that allow users to upload files like PHP shells.
This should get you started. You can also ask your hosting provider to perform an antivirus scan to look for any scripts/files that allow access.
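The answer above blocks the external addresses one rule at a time. Below is an added helper script (not from this thread) that pulls the suspect IPs out of a saved copy of the apache error log and prints the matching OUTPUT-chain DROP rules for review before they are applied and saved with `/sbin/service iptables save`. The log lines and the 203.0.113.x / 198.51.100.x addresses are constructed samples; the only indicators it keys on are the ones the question mentions (Stratum and download tools running against the server).

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Extracts suspect IPs from apache error-log text and turns them into the
# "iptables -A OUTPUT -d <ip> -j DROP" rules described in the answer above.
# Rules are printed, not executed, so they can be reviewed first.

# Constructed sample log lines (documentation-range addresses, not real hosts).
CONSTRUCTED_LOG='[Mon Mar 10 12:00:01 2014] [error] [client 203.0.113.7] sh: stratum+tcp://203.0.113.7:3333: not found
[Mon Mar 10 12:00:02 2014] [error] [client 198.51.100.23] File does not exist: /var/www/html/favicon.ico
[Mon Mar 10 12:01:01 2014] [error] [client 203.0.113.7] wget: unable to resolve host'

# extract_suspect_ips LOGTEXT
#   Prints the unique IPv4 addresses that appear on lines mentioning a miner
#   pool protocol or a download tool. A plain 404 (line 2 above) is ignored,
#   so an ordinary visitor does not end up in the block list.
extract_suspect_ips() {
    printf '%s\n' "$1" \
        | grep -iE 'stratum|minerd|wget|curl' \
        | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | sort -u
}

# build_block_rules IP...
#   One DROP rule per dotted-quad argument. Anything that is not made of
#   digits and dots is skipped so a stray log token cannot become a rule.
build_block_rules() {
    for ip in "$@"; do
        case "$ip" in
            *[!0-9.]*|"") continue ;;   # not a plain IPv4 literal
        esac
        printf 'iptables -A OUTPUT -d %s -j DROP\n' "$ip"
    done
    return 0
}

# count_stratum_hits LOGTEXT
#   Number of log lines mentioning Stratum; re-run on a fresh log after the
#   rules are in place to confirm the outbound connections are now failing.
count_stratum_hits() {
    printf '%s\n' "$1" | grep -ci 'stratum' || true
}

# Stand-alone run: show the rules the sample log would produce.
echo "Rules to review, then apply and run: /sbin/service iptables save"
build_block_rules $(extract_suspect_ips "$CONSTRUCTED_LOG")   # word-splitting intended
echo "Stratum lines in log: $(count_stratum_hits "$CONSTRUCTED_LOG")"
```

To use it on a real box, replace the constructed text with `$(cat /var/log/httpd/error_log)` or a saved copy, and look over the printed rules before pasting them in: the filter is only as good as the keywords, so a legitimate `curl` or `wget` run from a cron job would show up too.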
Your bot's miners aren't connecting, so it keeps re-running the exploit and downloading the miners over and over and over.
We recently spotted an exploit attempt on bad cgi-bin settings that looks related.
It was attempting to download
and execute that as a shell script.
That script does a few things. When we looked at it, it wiped out the crontab entry and replaced it with an attempt to run a script pulled from
It also places the same script in /etc/cron.hourly.
That script does a 'ps x' and greps for a successful miner connection. If it doesn't see it, it downloads the script again and re-runs.
At the very end of the script, it grabs
which look to be differently compiled versions of minerd. It renames the clamav one to bash and then launches both, mining at 188.8.131.52.
So, if you were exploited in a similar manner, you need to:
- check the crontab for whatever user runs httpd (likely root or apache) and delete the "update" entry
- check /etc/cron.hourly/ for a file called update and see if it references the 184.108.40.206 that the miners cannot connect to. Delete that one too.
It's those update entries that are using the bandwidth. The crontab one is running once a minute, every minute.
However, I think a better answer is to nuke it from orbit. If your cgi-bin is set to allow remote exploits that run scripts, there's no guarantee
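The two checks in the answer above (an "update" crontab entry and a cron.hourly file pointing at the pool address), plus the detail that the miner was renamed to `bash`, translate into a small triage script. This is an added example, not code from the thread; it runs against saved copies of the crontab, the cron.hourly file and a `ps x` listing so it can be tested offline. The crontab, script and process listing below are constructed samples; the two IP addresses are the ones quoted in the answer.

```shell
#!/bin/sh
# Added triage example, not code from the original thread.
# Looks for the three indicators the answer above describes:
#   1. an active crontab line that runs something called "update"
#   2. a cron.hourly file that references the pool address the miners cannot reach
#   3. a running process talking to the mining pool, whatever its binary is named

POOL_IP='184.108.40.206'    # address referenced by the cron.hourly "update" file (from the answer)
MINER_IP='188.8.131.52'     # address the minerd copies mine at (from the answer)

# Constructed sample inputs standing in for `crontab -u apache -l`,
# /etc/cron.hourly/update and `ps x`.
CONSTRUCTED_CRONTAB='# crontab for apache (constructed sample)
0 4 * * * /usr/sbin/tmpwatch 240 /tmp
* * * * * /tmp/update >/dev/null 2>&1'

CONSTRUCTED_HOURLY='#!/bin/sh
# constructed sample of a cron.hourly file that points at the pool address
exec /tmp/update 184.108.40.206'

CONSTRUCTED_PS='  PID TTY      STAT   TIME COMMAND
  812 ?        Ss     0:00 /usr/sbin/httpd
 9021 ?        R    312:44 /tmp/bash -a scrypt -o stratum+tcp://188.8.131.52:3333
 9022 ?        R    311:58 /tmp/minerd -o stratum+tcp://188.8.131.52:3333'

# find_update_cron_lines CRONTAB -> non-comment lines whose command is named "update"
find_update_cron_lines() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep -E '(^|/|[[:space:]])update([[:space:]]|$)' || true
}

# references_pool FILETEXT -> "yes" if the text mentions the pool address, else "no"
references_pool() {
    if printf '%s\n' "$1" | grep -qF "$POOL_IP"; then echo yes; else echo no; fi
}

# find_miner_processes PSTEXT -> process lines with a pool URL, minerd, or the
#   mining address on the command line. Matching on the command line rather
#   than the binary name is what catches the copy renamed to "bash".
find_miner_processes() {
    printf '%s\n' "$1" | grep -iE "minerd|stratum|$(printf '%s' "$MINER_IP" | sed 's/\./\\./g')" || true
}

# count_miner_processes PSTEXT -> number of such lines
count_miner_processes() {
    find_miner_processes "$1" | grep -c . || true
}

# Stand-alone run over the constructed samples.
echo "update cron entries:";        find_update_cron_lines "$CONSTRUCTED_CRONTAB"
echo "cron.hourly references pool: $(references_pool "$CONSTRUCTED_HOURLY")"
echo "miner processes:";            find_miner_processes "$CONSTRUCTED_PS"
```

On a live system, feed the functions `$(crontab -u apache -l)`, `$(cat /etc/cron.hourly/update)` and `$(ps x)` instead of the samples, and treat a hit on any of the three as confirmation that the cleanup (or the "nuke it from orbit" rebuild) is still needed rather than as a cue to just delete the one file found.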