I am running a WordPress website and suddenly CPU usage spiked to 100%. When I tried to dig in, I found a binary in the php/tmp folder which was running with this configuration file:
    {
    "algo": "cryptonight",
    "av": 0,
    "background": true,
    "donate-level": 1,
    "log-file": "/dev/null",
    "threads": "1",
    "pools": [
    {
    "url": "xmr.crypto-pool.fr:80/xmr",
    "user": "xyz",
    },
    ],
    }
It seems to me that the server is involved in mining Monero coin. As the folder is in the tmp directory, I guess that the files were shipped there by exploiting some insecure-file-upload
kind of vulnerability, but I can't understand how the attacker made the system execute the binary. As I can see the process in htop, I don't think the attacker gained root access to the system at any point in time, or he could have installed some rootkit to hide the process altogether.
The process is being run under the daemon user with PPID 1 and restarts itself after some time if I try to kill it. I can't see any init file related to this binary.
I want to figure out exactly how the attacker managed to start it as a daemon and how it is being controlled, but I am stuck here. Any tips for further analysis will be very helpful.
EDIT:
PHP version is 7.0.6.
My WordPress is running using the Bitnami certified AWS image. The PHP master process is running as root and the children are running as daemon. As I checked the php.ini file, there is nothing under the disable_functions
configuration. This I guess is a bad practice, as someone can exploit functions like exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source.
I am not sure about editing the configuration, as I have never worked with WordPress or PHP and I am not sure if this will break WordPress itself.
Even if I migrate my WordPress to a new instance, how can I make sure that it will not happen again?
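The facts the question is after (who launched the binary, whether it daemonised itself, where it lives and when it started) can be read from /proc. The Python triage script below is an added example written for this post, not code from the questioner or from Bitnami; it assumes a Linux host, root privileges to read another user's environ and exe links, and treats WEB_ENV_HINTS and TMP_DIRS as heuristic assumptions rather than fixed facts.

```python
"""Triage a suspicious Linux process through /proc: who launched it, from where, when."""
import os
import time
from pathlib import Path

# Heuristic (assumption): variables a child inherits from a CGI/FastCGI-spawned PHP
# worker; seeing them suggests the binary was started via exec()/system() in PHP.
WEB_ENV_HINTS = ("HTTP_", "REQUEST_METHOD", "SCRIPT_FILENAME", "PHP_FCGI", "APACHE_")
# Assumption: world-writable drop directories; add the php/tmp path from the post.
TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def _stat_fields(pid):
    # /proc/<pid>/stat is "pid (comm) state ppid ..."; comm may contain spaces,
    # so split after the last ')'. Field N of proc(5) is then rest[N - 3].
    stat = Path("/proc", str(pid), "stat").read_text()
    return stat[stat.rindex(")") + 2:].split()


def parent_chain(pid):
    """Follow PPID links to the root. PPID 1 with no init/cron entry usually means
    the process double-forked itself (what the miner's "background": true does)."""
    chain = []
    while pid > 0:
        try:
            ppid = int(_stat_fields(pid)[1])
        except OSError:  # ancestor exited, or hidden by hidepid
            break
        chain.append({"pid": pid, "ppid": ppid})
        pid = ppid
    return chain


def start_time(pid):
    """Absolute start time (epoch seconds), to line up with the web access log."""
    ticks = int(_stat_fields(pid)[19])  # field 22: start time in ticks since boot
    btime = next(int(l.split()[1]) for l in Path("/proc/stat").read_text().splitlines()
                 if l.startswith("btime"))
    return btime + ticks / os.sysconf("SC_CLK_TCK")


def triage(pid):
    """Collect the launch facts; environ/exe/cwd of another user's process need root."""
    proc = Path("/proc", str(pid))
    exe, cwd = os.readlink(proc / "exe"), os.readlink(proc / "cwd")
    environ = [v for v in (proc / "environ").read_bytes().decode(errors="replace").split("\0") if v]
    uid_line = next(l for l in (proc / "status").read_text().splitlines() if l.startswith("Uid:"))
    return {
        "pid": pid, "uid": int(uid_line.split()[1]), "exe": exe, "cwd": cwd,
        "exe_deleted": exe.endswith("(deleted)"),  # binary unlinked after launch
        "in_tmp": any(p == d or p.startswith(d + "/") for d in TMP_DIRS for p in (exe, cwd)),
        "cmdline": (proc / "cmdline").read_bytes().replace(b"\0", b" ").decode(errors="replace").strip(),
        "web_spawned": any(v.startswith(WEB_ENV_HINTS) for v in environ),
        "started": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(start_time(pid))),
        "chain": parent_chain(pid),
    }
```

Run `triage(<miner pid>)` as root and compare `started` with the web server's access log for the same minute; an environment inherited from the PHP worker points to the upload-and-exec path, while a near-empty one points to cron or another scheduler restarting it.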