
How to detect where the issue on my server is, and whether the server is being used for cryptocurrency mining?

I just received an email from Google and my server stopped working.

Dear Developer,

Our systems identified that your Google Cloud Platform / API Project ID HelloWorld (id: fair-solution-555555) may have been compromised and used for cryptocurrency mining.

This activity was detected as originating from IP xyz and VM ID 123456:us-east1-b to destination IP abc on remote port 6233 between 2020-10-22 23:14 and 2020-10-22 23:22 (Pacific Time), though it may still be ongoing.

We recommend that you review this activity to determine if it is intended. Cryptocurrency mining is often an indication of the use of fraudulent accounts and payment instruments, and we require verification in order to mine cryptocurrency on our platform.

Therefore if you wish to continue engaging in cryptocurrency mining, and you haven't already applied for an Invoiced Billing Account (support.google.com/cloud/contact/apply_for_invoiced_billing), please do so. Additional information is available in the Cloud Security Help Center (support.google.com/cloud/answer/6262505).

If you believe your project has been compromised, we recommend that you secure all your instances (https://support.google.com/cloud/answer/6262505), which may require uninstalling and then re-installing your project.

To better protect your organization from misconfiguration and access the best of Google's threat detection, you may consider enabling Security Command Center (SCC) for your organization. To learn more about SCC visit https://cloud.google.com/security-command-center.

Once you have fixed the issue, please respond to this email. If the behavior is intentional, please explain so that we do not ping you again for this activity. Please do not hesitate to reach out to us if you have questions.

Should you require further assistance or information related to this matter, don't hesitate to email us and we'll get back to you as soon as we're able. In the best effort to help out, feel free to provide us your best contact number as well as the best time to contact you. Looking forward to your response.

Sincerely,

Hanna
Google Cloud Platform Support

    There is nothing known about your server, the configuration, the installed software and its versions, suspicious log entries etc. This makes it in my opinion a duplicate of the also very generic [How do I deal with a compromised server?](https://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – Steffen Ullrich Oct 28 '20 at 06:44
  • That is not related to my question, buddy – Muhammad Shahzad Oct 28 '20 at 11:13
  • @MuhammadShahzad Why not? Someone hacked your server and installed a bitcoin miner. The other question is about what to do when someone hacks your server. – user253751 Oct 28 '20 at 18:08
  • That answer is not about a bitcoin miner. I'm sure someone else has faced the issue and maybe he can guide better; it is not good to close the question if you don't know the answer. Also, I'm sure in the near future most users will be facing this issue, so instead of reading that 20-minute-long answer, most of which is related to "don't panic", I want to take some productive action so the server can be restored. – Muhammad Shahzad Oct 28 '20 at 19:13
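One concrete first step for the question asked, added here as an example and not taken from the question or from Google's email: use the destination port the alert names (6233) to find which local process owns a socket to it, and cross-check that PID against CPU usage, since a miner typically pegs the CPU. The script parses `ss -tnp` and `ps -eo pid,pcpu,comm` output; the sample output, the process name `unknown_bin` and the IP addresses are constructed, not from a real host.

```python
import re
import subprocess

SS_LINE = re.compile(r"^\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)"
                     r"(?:\s+users:\(\((?P<users>.*)\)\))?")
USER_RE = re.compile(r'"(?P<comm>[^"]*)",pid=(?P<pid>\d+)')

def connections_to_port(ss_output, port):
    """Sockets in `ss -tnp` output whose peer port is `port`, with owning (pid, comm)."""
    hits = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m:  # header or malformed line
            continue
        peer = m.group("peer")
        if peer.rsplit(":", 1)[-1] != str(port):  # rsplit also handles [v6]:port
            continue
        owners = [(int(u["pid"]), u["comm"]) for u in USER_RE.finditer(m.group("users") or "")]
        hits.append({"local": m.group("local"), "peer": peer, "owners": owners})
    return hits

def cpu_by_pid(ps_output):
    """Map pid -> %CPU from `ps -eo pid,pcpu,comm` output (header skipped)."""
    usage = {}
    for line in ps_output.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            usage[int(parts[0])] = float(parts[1])
    return usage

def triage(ss_output, ps_output, port, cpu_threshold=50.0):
    """PIDs connected to `port` that also use more than `cpu_threshold` % CPU."""
    usage = cpu_by_pid(ps_output)
    return [{"pid": pid, "comm": comm, "peer": h["peer"], "cpu": usage[pid]}
            for h in connections_to_port(ss_output, port)
            for pid, comm in h["owners"]
            if usage.get(pid, 0.0) > cpu_threshold]

# Constructed sample output (not captured from a real host); 6233 is the port in the alert.
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.128.0.2:43210 203.0.113.9:6233 users:(("unknown_bin",pid=4242,fd=7))
ESTAB 0 0 10.128.0.2:22 198.51.100.5:50122 users:(("sshd",pid=913,fd=4))
"""
SAMPLE_PS = """  PID %CPU COMMAND
 4242 98.7 unknown_bin
  913  0.1 sshd
"""
if __name__ == "__main__":  # live run on the VM: feed real ss/ps output to triage()
    run = lambda cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    print(triage(run(["ss", "-tnp"]), run(["ps", "-eo", "pid,pcpu,comm"]), 6233))
```

A flagged PID tells you which binary to inspect (its path via `/proc/<pid>/exe`, its parent, and how it is persisted in cron or systemd); an empty result during the reported window does not prove the host is clean, since the miner may only run intermittently.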

0 Answers