
A Windows server of ours got infected with some kind of mining tool.

As luck (?) would have it, the tool left plenty of logs. The logs suggest it's a Claymore CryptoNote CPU Miner v3.5 Beta. Outside of the logs, there are also mysterious files called history.txt and id.txt - but both contain hexadecimal gibberish akin to IDs of some kind.

Outside of the obvious next step of nuking the server and setting it up anew, I was wondering if there's anything I can do to mess with whatever mechanisms attacked the server in the first place. Steal their work, or at least make it harder to continue?

Is there anything I can do? Or is this entire line of thought a lost cause and best to just focus on getting a new server set up?

MBender
  • Most of this is a question for an attorney/law enforcement. Anything beyond that is a question of level of effort/consequence. Yes, assuming it's legal, you could mess with them. But the end result would be the (malicious) user getting an error message and either re-installing the software, or worse, realizing you've messed with them, and deciding to exact retribution. Regardless, without nuking the server, you would have no way to ensure that you've kicked the attacker out of your server. I would chalk this one up as a loss and move on. – Dan Landberg May 01 '17 at 19:47
  • @user52472 Well, I've already removed the tool from the system and purged whatever I found (mainly to retain the configuration to be moved by hand to the new system once it's up and running). Only the logs remained - so anything that requires that the system be "intact" from the attacker's perspective is not possible. – MBender May 01 '17 at 19:52
  • The attacker may have left other back doors on the system to allow him/her to retain access in the event that their activity was discovered. I recommend rebuilding the system from the ground up. If this is not possible, you definitely need to keep an eye on the system for new activity. – Dan Landberg May 01 '17 at 21:03
  • @user52472 I'm ready to do exactly that. Like I wrote - the system is retained (for the time being at least) ONLY so that we can move the configuration by hand to the new machine. – MBender May 02 '17 at 06:11
  • You do not need to nuke the server, you can clean that up and capture the miner. Just follow its processes, see where they deposit files and then end them and keep the files for further investigation. – Overmind May 02 '17 at 12:40
  • @Overmind it is important to nuke it as there's no way to tell if the (seemingly inoffensive) miner is the only thing the attacker left. You could very well have nasty malware from a state-sponsored attacker and the miner is just a decoy. – André Borie May 02 '17 at 13:16
  • @Overmind [How do you explain the necessity of “nuke it from orbit” to management and users?](https://security.stackexchange.com/q/24195/2138) and [How do I deal with a compromised server?](https://serverfault.com/q/218005/58408) (on [sf]) and [Reinstall after a Root Compromise?](https://serverfault.com/q/6190/58408) (on [sf]) – user May 02 '17 at 14:28
  • Michael, the tactic depends on many factors. I recently removed a pack that had miner + root kit + adware all in one. It was overall more efficient to dig them all out and remove them compared to a nuke. If a full reinstall is not a big headache, then yes, it should be done, but in many situations that's the last thing that is desired. @Borie, yes, and that's one more reason to dig deeper instead of a quick reinstall. Know your enemy. – Overmind May 03 '17 at 08:06

1 Answer


A cryptocurrency miner will usually request bits of work from a server, work on them for a certain period of time (until the block is mined, either by it or by someone else), submit its result and start over with a new piece of work.

The miner itself doesn't hold much data, and that data is irrelevant as the recipient address for the profits of the mined block is encoded in it, so by the time a block is mined there's no way to "go back" and get the funds.

The only option is to see if you can crack whatever server the miner is connected to, and see if that holds a wallet which you can steal - in that case you'd be able to recover funds mined on your hardware and maybe the attacker's other victims, unless the attacker already spent this money or transferred it to another wallet out of your reach.

To be honest, on a CPU miner you probably didn't lose much money - in fact writing this answer cost me more than this miner could've made in a month, so I'd say let it go, nuke the server and move on.

André Borie
  • I was wondering how much a CPU miner is worth. I had no idea it was THAT little. The question was mostly me being curious due to the logs left by the miner. – MBender May 02 '17 at 19:47
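The work cycle the answer describes (pool hands out a job, miner grinds it, submits a share, gets the next job) and the reason the reward cannot be redirected after the fact are easier to see in code. The following is an added toy example, not code from the question, the answer, or the Claymore miner: it uses a plain SHA-256 proof of work with a made-up difficulty, constructed placeholder values (an all-zero previous block hash, the hypothetical wallet names ATTACKER_WALLET and VICTIM_WALLET), and a Pool class standing in for the remote pool. Real CryptoNote headers and difficulties differ; only the structure matters here: the payout address is inside the hashed data, the wallet lives on the pool side, and the infected host only ever sees a job template.

```python
import hashlib

# Constructed toy parameters (added example, not from the original post). A real
# CryptoNote header is binary and the difficulty is many orders of magnitude
# higher; 18 bits keeps the demo under a second of CPU time.
DIFFICULTY_BITS = 18
TARGET = 1 << (256 - DIFFICULTY_BITS)


def block_hash(prev_hash: bytes, payout_address: str, nonce: int) -> int:
    """Hash the header fields a miner grinds over.

    The payout address (the coinbase output) is part of the hashed data, so a
    nonce that satisfies the target is bound to that specific address.
    """
    data = prev_hash + payout_address.encode() + nonce.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def verify(prev_hash: bytes, payout_address: str, nonce: int) -> bool:
    """Proof-of-work check: hash must fall below the target."""
    return block_hash(prev_hash, payout_address, nonce) < TARGET


class Pool:
    """Pool side of the exchange (hypothetical stand-in for the remote pool).

    The wallet that collects the reward is configured here, not on the infected
    host; the miner only ever receives a job template it cannot re-point.
    """

    def __init__(self, payout_address: str, prev_hash: bytes):
        self.payout_address = payout_address
        self.prev_hash = prev_hash
        self.accepted = []

    def get_job(self) -> dict:
        # Everything the miner needs to hash, nothing it could redirect.
        return {"prev_hash": self.prev_hash, "payout": self.payout_address}

    def submit(self, nonce: int) -> bool:
        """Accept a share if it validates, then chain the next job on it."""
        ok = verify(self.prev_hash, self.payout_address, nonce)
        if ok:
            self.accepted.append(nonce)
            self.prev_hash = hashlib.sha256(
                self.prev_hash + nonce.to_bytes(8, "big")
            ).digest()
        return ok


def mine(job: dict, max_nonce: int = 1 << 26) -> int:
    """Miner side: grind nonces for one job until a share is found."""
    for nonce in range(max_nonce):
        if verify(job["prev_hash"], job["payout"], nonce):
            return nonce
    raise RuntimeError("no share found in nonce range")


def demo() -> dict:
    # Constructed values: zeroed previous hash, hypothetical wallet labels.
    pool = Pool("ATTACKER_WALLET", prev_hash=bytes(32))
    job = pool.get_job()          # 1. request work
    nonce = mine(job)             # 2. work on it
    accepted = pool.submit(nonce)  # 3. submit the result, pool moves on
    # Trying to "go back" and claim the reward for a different wallet: the same
    # nonce hashed with the victim's address no longer meets the target, so the
    # work would have to be redone from scratch against a new template.
    retargeted_valid = verify(job["prev_hash"], "VICTIM_WALLET", nonce)
    return {
        "nonce": nonce,
        "accepted": accepted,
        "retargeted_valid": retargeted_valid,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() finds a share that the pool accepts for ATTACKER_WALLET and shows that the identical nonce fails verification once the payout address is swapped, which is the answer's point: nothing recoverable about the reward lives on the compromised host, only on the pool side.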