Page 1 of 3 123 LastLast
Results 1 to 10 of 22

Thread: I think I got hacked by some crypo mining malware

  1. #1
    Join Date
    Feb 2007
    Beans
    40

    I think I got hacked by some crypo mining malware

    I noticed that my crontab job wasn't running so I went looking and I saw my crontab had been overwritten by

    * * */2 * * /home/media/.ttp/a/upd>/dev/null 2>&1
    @reboot /home/media/.ttp/a/upd>/dev/null 2>&1
    5 8 * * 0 /home/media/.ttp/b/sync>/dev/null 2>&1
    @reboot /home/media/.ttp/b/sync>/dev/null 2>&1
    5 1 * * * /tmp/.ssh/.rsync/c/aptitude>/dev/null 2>&1

    These seem to be pointing to some crypto mining daemon stuff installed under my home directory. I removed the files and updated my crontab and rebooted, I don't see much evidence of them now (however they are likely to hide if present)

    This server is on ubuntu 16.04, fully patched up.

    Anyone seen this sort of thing before? Perhaps it came from a package like sonarr or radarr where someone managed to check in something malicious?

  2. #2
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    15,628
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: I think I got hacked by some crypo mining malware

    I would check my versioned backups to see when those files were added, then look through the authentication logs and logs for whatever services run. The /tmp/.ssh/ stuff seems extra fishy. I'd scan the entire file system for directories beginning with a . (dot).

    Depending on what your server is doing, I'd look for hacks against those services. Themes are a common method and any direct update methods that aren't via official repos too.

    IMHO.

  3. #3

    Re: I think I got hacked by some crypo mining malware

    Play FortNite?
    Windows assumes the user is an idiot.
    Linux demands proof.

  4. #4
    Join Date
    Feb 2007
    Beans
    40

    Re: I think I got hacked by some crypo mining malware

    Nope. never.

  5. #5
    Join Date
    Feb 2007
    Beans
    40

    Re: I think I got hacked by some crypo mining malware

    Their hamfisted overwrite on cron told me pretty quick because my jobs were not running.

    Oh, look at this from my authorized keys:

    ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvA cwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+ rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYM b66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp 5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYj IIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr


    That is not me. Looks like they were hoping to get in. Well not publicly accessible via ssh so perhaps my saving grace. The key above could be handy in finding the culprit.

  6. #6
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    15,628
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: I think I got hacked by some crypo mining malware

    And what is your server supposed to be doing?

  7. #7
    Join Date
    Oct 2005
    Location
    Al Ain
    Beans
    9,485

    Re: I think I got hacked by some crypo mining malware

    Well, you should at least also run "ps -e" and look at what is running, and 'users' to see which accounts are existing.

  8. #8
    Join Date
    Feb 2007
    Beans
    40

    Re: I think I got hacked by some crypo mining malware

    Runs radarr, sonarr and mythtv.

  9. #9
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    15,628
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: I think I got hacked by some crypo mining malware

    Quote Originally Posted by ltburch2000 View Post
    Runs radarr, sonarr and mythtv.
    So it is a BT server for your home constantly downloading media. I suspect the BT client you use has been cracked. Which ports are remotely available inbound? Is that the way you think the extra code was setup?

    Obviously, they got in, elevated privileges and altered a crontab. How could that have happened?
    * some remote access method?
    * hacked open ports?
    * tricked your download client into pulling stuff down, then tricked some service into installing it?
    * tricked an operator to copy/paste code or directly run code with curl {URL} | sudo bash -
    * Some other device/system on the subnet was used as a jump-box?

    Have you looked at all the other devices on the same subnet?

  10. #10
    Join Date
    Jun 2018
    Beans
    Hidden!

    Re: I think I got hacked by some crypo mining malware

    I don't think they got root privileges as none of the crontab entries calls for something outside of your home directory.

    If I had been the attacker and I had got root privileges, I would have probably installed something inside your /usr/bin or /something else/ directory. Letting files inside your home directory is somehow too obvious, as obvious as the crontab entries are, easy to find out. Something hidden in /etc/systemd/system/ would have been much more preferable.

    What happened is probably that an userid command or script has been run and installed this stuff. It also means that as long as the crontab entries has been deleted, this malicious stuff shouldn't work anymore.

    This said, do not hesitate to share these presumably malicious files, either here (link to an upload website) or to antivirus companies (Kasperky, etc.).

Page 1 of 3 123 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •