I think I got hacked by some crypo mining malware

[ltburch2000]

I noticed that my crontab job wasn't running so I went looking and I saw my crontab had been overwritten by

* * */2 * * /home/media/.ttp/a/upd>/dev/null 2>&1
@reboot /home/media/.ttp/a/upd>/dev/null 2>&1
5 8 * * 0 /home/media/.ttp/b/sync>/dev/null 2>&1
@reboot /home/media/.ttp/b/sync>/dev/null 2>&1
5 1 * * * /tmp/.ssh/.rsync/c/aptitude>/dev/null 2>&1

These seem to be pointing to some crypto mining daemon stuff installed under my home directory. I removed the files and updated my crontab and rebooted, I don't see much evidence of them now (however they are likely to hide if present)

This server is on ubuntu 16.04, fully patched up.

Anyone seen this sort of thing before? Perhaps it came from a package like sonarr or radarr where someone managed to check in something malicious?

[TheFu]

I would check my versioned backups to see when those files were added, then look through the authentication logs and logs for whatever services run. The /tmp/.ssh/ stuff seems extra fishy. I'd scan the entire file system for directories beginning with a . (dot).

Depending on what your server is doing, I'd look for hacks against those services. Themes are a common method and any direct update methods that aren't via official repos too.

IMHO.

[Habitual]

Play FortNite?

[ltburch2000]

Nope. never.

[ltburch2000]

Their hamfisted overwrite on cron told me pretty quick because my jobs were not running.

Oh, look at this from my authorized keys:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvA cwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+ rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYM b66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp 5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYj IIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr


That is not me. Looks like they were hoping to get in. Well not publicly accessible via ssh so perhaps my saving grace. The key above could be handy in finding the culprit.

[TheFu]

And what is your server supposed to be doing?

[HermanAB]

Well, you should at least also run "ps -e" and look at what is running, and 'users' to see which accounts are existing.

[ltburch2000]

Runs radarr, sonarr and mythtv.

[TheFu]

Runs radarr, sonarr and mythtv.

So it is a BT server for your home constantly downloading media. I suspect the BT client you use has been cracked. Which ports are remotely available inbound? Is that the way you think the extra code was setup?

Obviously, they got in, elevated privileges and altered a crontab. How could that have happened?
* some remote access method?
* hacked open ports?
* tricked your download client into pulling stuff down, then tricked some service into installing it?
* tricked an operator to copy/paste code or directly run code with curl {URL} | sudo bash -
* Some other device/system on the subnet was used as a jump-box?

Have you looked at all the other devices on the same subnet?

[mohicann]

I don't think they got root privileges as none of the crontab entries calls for something outside of your home directory.

If I had been the attacker and I had got root privileges, I would have probably installed something inside your /usr/bin or /something else/ directory. Letting files inside your home directory is somehow too obvious, as obvious as the crontab entries are, easy to find out. Something hidden in /etc/systemd/system/ would have been much more preferable.

What happened is probably that an userid command or script has been run and installed this stuff. It also means that as long as the crontab entries has been deleted, this malicious stuff shouldn't work anymore.

This said, do not hesitate to share these presumably malicious files, either here (link to an upload website) or to antivirus companies (Kasperky, etc.).