Thread: Coin miner malware

  1. #1
    Join Date
    Nov 2010
    Beans
    58

    Coin miner malware

    I have detected a coin miner trojan on my computer. I noticed the CPU temperature was running very hot with one CPU core pegged at 100%. Running 18.04 development version with no PPAs enabled. It is located in the /tmp folder where it appears in a subfolder named with a random 16 character alphanumeric name. Inside that folder is an ELF executable that is named after a Linux process, e.g. gvfsd or initctl, but runs with my user ID.

    Top shows this process to be the one utilising the CPU core.

    Suricata detects network activity to IP addresses associated with miner activity.

    Killing the process/deleting the folder/changing the permissions stops the trojan until reboot. The subfolder is generated when network activity is detected. Interestingly, it does not re-appear when Wireshark is running.

    I’m not sure of the initial route of infection. I have Firefox with NoScript, AppArmor enabled. No servers, no open ports (fresh install).

    Unable to attach files but I can post output of strings later when it works.

    I guess I have to wipe and install, unless anyone would think that mounting /tmp as read only would be worth trying or would hose the system.
    Last edited by DanR01; April 20th, 2018 at 07:56 AM.

  2. #2
    Join Date
    Jul 2006
    Location
    Here
    Beans
    11,190

    Re: Coin miner malware

    Just wipe your browser cookies & data; they're stored on disk in your home folder and load every time you open the browser.

  3. #3
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    14,865
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Coin miner malware

    Create a new userid. Login using that. If it doesn't cause the crypto-miner to kick off, then it is tied to the other userid ... so look in the HOME. It is non-trivial to store outside a HOME in usual Linux install unless permissions were modified.

    /tmp/ gets wiped at reboot.

    If you have versioned backups, perhaps you can compare those over time to see when something suspicious changed in your HOME.

  4. #4
    Join Date
    Nov 2010
    Beans
    58

    Re: Coin miner malware

    Thank you to both.

    TheFu, I tried your suggestion and the malware does not load under a different userid. I have copied across some files to a new userid and deleted the old one. No sign yet of any compromise. Unfortunately, I was unable to identify any suspicious files in /home/$olduser

  5. #5
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    14,865
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Coin miner malware

    Thanks for the update. Please mark the thread as solved using the menu to help others.

  6. #6
    Join Date
    Nov 2010
    Beans
    58

    Re: Coin miner malware

    Brief update:

    This is now being reported on other forums such as Reddit and is a trojan linked to a Kodi addon. Users should check to see if ~/.config/autostart/dbus-daemon.desktop or similar exists.

    https://www.reddit.com/r/Addons4Kodi...ddon_on_linux/
    Last edited by deadflowr; April 27th, 2018 at 07:15 PM. Reason: fixed link
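Two quick checks that cover what the thread describes (post #1: a miner binary with a borrowed daemon name running from a random subfolder of /tmp under the user's own UID; post #6: persistence through a ~/.config/autostart/dbus-daemon.desktop entry). This is an added example written for this page, not code posted by anyone in the thread or shipped by Ubuntu. It assumes a Linux /proc filesystem and the XDG autostart directory layout; the location heuristic (anything exec'd from /tmp, /var/tmp, /dev/shm or HOME) is my own and produces a review list, not a verdict, since a user-installed AppImage that autostarts from HOME will also show up.

```shell
#!/bin/sh
# Added example (not from the thread): two defender-side checks for the symptoms
# described above. Assumes a Linux /proc filesystem and XDG autostart layout;
# the /tmp location and the dbus-daemon.desktop name come from the thread itself.

# Print "PID /path/to/exe" for every process whose executable lives under DIR
# (default /tmp). The miner in this thread ran from a random subfolder of /tmp
# under a name borrowed from a real daemon, so the path, not the name, gives it away.
procs_running_from() {
    base="${1:-/tmp}"
    for exe in /proc/[0-9]*/exe; do
        # readlink fails for kernel threads and for other users' processes; skip those
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            "$base"/*)
                pid="${exe#/proc/}"
                printf '%s %s\n' "${pid%/exe}" "$target"
                ;;
        esac
    done
    return 0
}

# Print "file<TAB>Exec value" for each .desktop entry in DIR (default
# ~/.config/autostart) whose Exec= command starts from a user-writable or
# temporary location. Packaged desktop integrations normally exec from /usr,
# so anything launched from /tmp, /var/tmp, /dev/shm or HOME deserves a look.
# Heuristic, not a verdict: an AppImage autostarting from HOME is a legitimate hit.
suspicious_autostart() {
    home="${HOME:-/nonexistent}"
    dir="${1:-$home/.config/autostart}"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.desktop; do
        [ -f "$f" ] || continue
        # first Exec= line of the entry, arguments included
        cmd=$(sed -n 's/^Exec=//p' "$f" | head -n 1)
        case "$cmd" in
            /tmp/*|/var/tmp/*|/dev/shm/*|"$home"/*)
                printf '%s\t%s\n' "$f" "$cmd"
                ;;
        esac
    done
    return 0
}

# Stand-alone run: review both lists for the current user.
procs_running_from /tmp
suspicious_autostart
```

Run it as the affected user (the miner in the thread ran under the user's UID, so /proc/PID/exe is readable without root). A hit from the first function is the live process; a hit from the second is the reboot persistence that post #1 could not find by hand. Kill the process and remove the folder and the .desktop entry together, or the autostart entry will simply recreate the /tmp folder at next login, which is the "comes back after reboot" behaviour the thread observed.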
