I have detected a coin miner trojan on my computer. I noticed the CPU temperature was running very hot with one CPU core pegged at 100%. Running 18.04 development version with no PPAs enabled. It is located in the /tmp folder where it appears in a subfolder named with a random 16-character alphanumeric name. Inside that folder is an ELF executable that is named after a Linux process, e.g. gvfsd or initctl, but runs with my user ID.
Top shows this process to be the one utilising the CPU core.
Suricata detects network activity to IP addresses associated with miner activity.
Killing the process/deleting the folder/changing the permissions stops the trojan until reboot. The subfolder is generated when network activity is detected. Interestingly, it does not re-appear when Wireshark is running.
I'm not sure of the initial route of infection. I have Firefox with NoScript, AppArmor enabled. No servers, no open ports (fresh install).
Unable to attach files but I can post output of strings later when it works.
I guess I have to wipe and install, unless anyone would think that mounting /tmp as read only would be worth trying or would hose the system.
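The indicators in the post above (a /tmp subfolder with a random 16-character alphanumeric name, an ELF binary inside it named after a normal Linux process, and that binary running as the user) can be turned into a small hunt script. This is an added example, not code from the original poster; it assumes a Linux host with /proc mounted, and the regex, the helper names and the sample layout built by `build_sample_tmp()` are my own, constructed for illustration.

```python
#!/usr/bin/env python3
"""Hunt for the indicators described in the post: a /tmp subdirectory whose
name is 16 random alphanumerics, holding an ELF binary that may be named
after a legitimate process, and any process currently executing from /tmp.

Added example, not code from the original poster. Assumes Linux with
/proc mounted; the directory pattern comes from the post, everything
else here is an assumption made for illustration.
"""
import os
import re
import sys
import tempfile

ELF_MAGIC = b"\x7fELF"
RANDOM_DIR = re.compile(r"^[A-Za-z0-9]{16}$")


def is_random_dirname(name):
    """True for a 16-character alphanumeric name (the pattern from the post)."""
    return bool(RANDOM_DIR.match(name))


def is_elf(path):
    """Check the 4-byte ELF magic rather than trusting the file name."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def scan_tmp(tmp_root="/tmp"):
    """Return sorted paths of ELF files found in random-named subdirs of tmp_root."""
    hits = []
    try:
        entries = os.listdir(tmp_root)
    except OSError:
        return hits
    for entry in entries:
        sub = os.path.join(tmp_root, entry)
        if not (os.path.isdir(sub) and is_random_dirname(entry)):
            continue
        for root, _dirs, files in os.walk(sub):
            for fn in files:
                p = os.path.join(root, fn)
                if is_elf(p):
                    hits.append(p)
    return sorted(hits)


def processes_executing_from(prefix, proc_root="/proc"):
    """Return [(pid, exe, uid)] for processes whose executable path starts with prefix.

    /proc/<pid>/exe is a symlink to the running binary; it keeps resolving
    (with a ' (deleted)' suffix) after the file on disk is removed, which is
    why deleting the folder alone does not stop an already-running process.
    """
    found = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
            uid = os.stat(os.path.join(proc_root, pid)).st_uid
        except OSError:
            continue  # process exited, or we lack permission to inspect it
        if exe.startswith(prefix):
            found.append((int(pid), exe, uid))
    return found


def current_exe_visible():
    """Sanity check: our own interpreter should show up. None if /proc is absent."""
    if not os.path.exists("/proc/self/exe"):
        return None
    here = os.path.dirname(os.readlink("/proc/self/exe")) + os.sep
    return any(pid == os.getpid() for pid, _exe, _uid in processes_executing_from(here))


def build_sample_tmp():
    """Constructed sample layout (not real malware): one decoy that should match,
    one wrong-length dir name and one non-ELF file that should not."""
    root = tempfile.mkdtemp(prefix="hunt-demo-")
    bad = os.path.join(root, "aB3dE5fG7hI9jK1m")
    os.makedirs(bad)
    with open(os.path.join(bad, "gvfsd"), "wb") as f:
        f.write(ELF_MAGIC + b"\0" * 12)  # fake ELF header, never executed
    with open(os.path.join(bad, "notes.txt"), "w") as f:
        f.write("not a binary\n")
    os.makedirs(os.path.join(root, "short"))
    with open(os.path.join(root, "short", "initctl"), "wb") as f:
        f.write(ELF_MAGIC)
    return root, os.path.join(bad, "gvfsd")


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    for p in scan_tmp(root):
        print("suspicious ELF:", p)
    for pid, exe, uid in processes_executing_from(root + os.sep):
        print(f"pid {pid} (uid {uid}) executing from {exe}")
```

Run it as `python3 hunt.py` to scan /tmp, or point it at another directory to test against the constructed sample. The ELF check reads the file magic so a dropper cannot dodge it by picking an innocuous file name, and the /proc pass catches a binary that is still running after its folder was deleted.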