
On one of our development machines, we've noticed high CPU usage caused by an md process. A short inspection led to the ~/.info/md process, which turned out to be a Monero miner, started by crontab.

Unfortunately we've deleted it too eagerly, without inspecting, how it could get there.

It could have been installed 'for fun' or as part of some performance benchmark, or anything, but if it was a worm or virus, then we have a bigger problem to inspect.

Do the installation directory and the name of the process match any known worm or virus? It looks like an attempt to hide the activity under a legitimate process name (though on *nix all 2-character names are probably reserved for something legitimate).

The machine is running Ubuntu.

I've tried googling for 'monero worm .info md' but without any reasonable results; probably the whole phrase is not very searchable.

  • You are unlikely to find anything searching like this - the culprit could have used any mechanism to get the monero miner onto the machine, as it is just a payload. Instead, look at any network or system logs you may have. – Rory Alsop Dec 18 '17 at 19:22
  • @RoryAlsop assuming it was the culprit, not the worm. In order to make any meaningful profit in that way, the process would have to be quite automated. – 9ilsdx 9rvj 0lo Dec 19 '17 at 08:47
  • Yes, of course. The problem is that the miner is just the payload. You are looking for the wrong things. And you need logs... – Rory Alsop Dec 19 '17 at 12:17
  • @RoryAlsop said it best, you need to consult the logs. Aside from those, it would be helpful to understand what exactly the development server's role is, what or who it communicates with, what services it runs, etc. This would make it easier to understand a possible avenue that was used to get the payload onto the machine, which might be useful in preventing future compromise. – jonroethke Jul 19 '18 at 05:54

1 Answer


As others have stated, the miner is just the payload. If this is a web server you may want to look at the Apache or other web server access logs around the same timestamp as the creation date of the md file. It's possible they exploited a vulnerability or logged into an administrative page with a default password. You could also check if syslog recorded SSH logins and see if any came in around the same time or from an unusual source IP, as again maybe you have a default or weak password set.

If all you did was delete the miner you likely have other issues and the miner or other malware may come back since the attacker probably still has an entry point or has placed multiple backdoors on the system.

You could also run netstat -anop and look for odd network connections outbound as the attacker may have a reverse shell or another miner on the system.

If it's a web server, you could also review all files in all web folders on the system looking for webshells (odd web pages that the attacker dropped in order to remotely execute commands).

Attackers don't just go away if you delete the payload, so be on the lookout for them to return, or they may already be there.

Glorfindel
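The log review the answer describes (web access log and SSH logins around the md file's timestamp) can be scripted so the same window is checked in every log. The following is an added example, not code from the answerer or from the question's own investigation. It assumes Ubuntu-style /var/log/auth.log lines from sshd and Apache combined-format access log lines, both in UTC, and a known internal admin range of 10.0.0.0/24; the log excerpts, hostnames and IP addresses are constructed for the demo.

```python
"""Correlate SSH logins and web requests with a suspicious file's timestamp.

Added example, not from the Stack Exchange answer. Assumes Ubuntu-style
/var/log/auth.log lines and Apache combined-format access log lines, both in
UTC. The log text below is constructed for the demo and is not real data.
"""
import re
from datetime import datetime, timedelta

YEAR = 2017  # auth.log lines carry no year; assumption for the constructed data

# Constructed auth.log excerpt (syslog format written by Ubuntu's rsyslog).
AUTH_LOG = """\
Dec 17 22:58:01 devbox CRON[4410]: pam_unix(cron:session): session opened for user dev by (uid=0)
Dec 17 23:09:12 devbox sshd[4517]: Failed password for root from 203.0.113.45 port 51022 ssh2
Dec 17 23:09:15 devbox sshd[4517]: Failed password for root from 203.0.113.45 port 51022 ssh2
Dec 17 23:09:40 devbox sshd[4519]: Accepted password for dev from 203.0.113.45 port 51030 ssh2
Dec 18 09:30:05 devbox sshd[5120]: Accepted publickey for dev from 10.0.0.12 port 40122 ssh2
"""

# Constructed Apache combined-format access log excerpt.
ACCESS_LOG = """\
10.0.0.12 - - [17/Dec/2017:22:50:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.45 - - [17/Dec/2017:23:05:33 +0000] "POST /admin/login HTTP/1.1" 200 318 "-" "python-requests/2.18"
203.0.113.45 - - [17/Dec/2017:23:06:01 +0000] "POST /uploads/x.php HTTP/1.1" 200 88 "-" "python-requests/2.18"
10.0.0.12 - - [18/Dec/2017:10:02:44 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

KNOWN_ADMIN_NETS = ("10.0.0.",)  # assumption: the internal management range

AUTH_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_auth(text, year=YEAR):
    """Extract sshd login attempts; other auth.log lines (cron, sudo) are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        mon, day, hms, result, method, user, ip = m.groups()
        ts = datetime.strptime(f"{mon} {day} {year} {hms}", "%b %d %Y %H:%M:%S")
        events.append({"ts": ts, "src": "auth", "ip": ip, "user": user,
                       "detail": f"{result} {method} for {user}"})
    return events


def parse_access(text):
    """Extract client IP, timestamp, request line and status from access log lines."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, when, method, path, status = m.groups()
        # The "+0000" offset is dropped: the example assumes all logs are in UTC.
        ts = datetime.strptime(when.split()[0], "%d/%b/%Y:%H:%M:%S")
        events.append({"ts": ts, "src": "web", "ip": ip, "user": None,
                       "detail": f"{method} {path} -> {status}"})
    return events


def events_near(events, anchor, window=timedelta(hours=2)):
    """Events within +/- window of the anchor (e.g. the md file's mtime), oldest first."""
    return sorted((e for e in events if abs(e["ts"] - anchor) <= window),
                  key=lambda e: e["ts"])


def suspicious_sources(events):
    """IPs outside the admin range, or with an SSH login accepted after failures."""
    failed, flagged = set(), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ip"].startswith(KNOWN_ADMIN_NETS):
            flagged.add(e["ip"])
        if e["src"] == "auth":
            if e["detail"].startswith("Failed"):
                failed.add(e["ip"])
            elif e["ip"] in failed:  # success after failures: guessed password
                flagged.add(e["ip"])
    return flagged


def investigate(md_mtime, auth_text=AUTH_LOG, access_text=ACCESS_LOG,
                window=timedelta(hours=2)):
    """Return (events in the window, source IPs worth a closer look)."""
    events = events_near(parse_auth(auth_text) + parse_access(access_text),
                         md_mtime, window)
    return events, suspicious_sources(events)


if __name__ == "__main__":
    # Constructed mtime of ~/.info/md; on a real host use os.stat(path).st_mtime.
    evs, bad = investigate(datetime(2017, 12, 17, 23, 10))
    for e in evs:
        print(e["ts"], e["src"], e["ip"], e["detail"])
    print("sources worth a closer look:", sorted(bad))
```

On a real host the anchor comes from `stat` on the recovered file (or the crontab's mtime if the miner was already deleted), and the logs should be copied off the box before analysis, since an attacker with a persistent entry point can alter them. The script only covers the log half of the answer's advice; the `netstat -anop` review and the search of web folders for unexpected files still have to be done on the host itself.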