How did the system get rebooted if they didn't get root? On a server, end-users can't reboot without privilege escalation.
I may have missed something, but I haven't read that the system had been rebooted.
Anyway, it would mean that the attacker(s) have found at least 2 vulnerabilities: one to get code run, the other to get root access. Based on that possibility, we should probably hear about a lot more of these cases in the near future, and not only on servers, especially if their purpose was not individually targeted but crypto-mining. Moreover, if I had a trick to get root access up my sleeve, I wouldn't use those obvious crontab entries.
My mistake. The OP rebooted the system.
Last time I was hacked (16+yrs ago via bind), I was able to use versioned backups to see everything modified on the system over time.
What is most surprising to me is that these crontab entries have overwritten the previous ones, instead of keeping them unchanged, letting the owner know that something went wrong.
It sounds like a sort of malicious stuff that was not totally finished or checked.
No BT server on the system. System on a private subnet, not DMZ. No ports open to public. Reaching server requires physical presence on subnet or access via a dual homed server (interface on front and back).
Did check other devices, no signs of the same hack.
Once removed (crontab etc.) it does not seem to have returned.
Yeah, no root access. Can't login as root (actually can't SSH as the compromised user either) and they clearly did not have the password. They had a back door via the authorized_keys but it would do no good as the server was not SSH accessible to the public.
Interesting. I'd still wipe the system and reload from the last "good" backups pre-hack. Then I'd triple-check all inbound AND outbound network connections. A hacked system cannot be trusted again, ever.
Kaspersky tagged it as HEUR:RiskTool.Linux.BitCoinMiner when I uploaded a TAR of the files they installed. Maybe accurate, maybe it just lumps all bitcoin miners together when they see bitcoin mining libraries.
I have the exact same malware. I posted some more information about it in my thread. I can add that it works on the .ttp directory in the home of a non-sudoer user, apparently does not take root privileges, does refer to /tmp/.sssh but I found nothing there. What I cannot find out is how it reappears after I erase the user's crontab and .ttp folders. For now I put a "stopper" .ttp folder owned by root and it has worked so far in preventing it from reappearing while waiting for a clean, definitive solution.
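A triage script for the indicators the posters describe (hidden .ttp directory, authorized_keys entries, a user crontab pointing at .ttp) plus a check of the root-owned "stopper" folder. This is added here, not code posted by anyone in the thread; the paths are parameters and the sample key and cron line in the comments are constructed.

```sh
#!/bin/sh
# Added triage helper (not from the thread). Reports what the posters saw:
# a hidden .ttp directory in a home directory, keys in ~/.ssh/authorized_keys
# (the back door mentioned), and a user crontab referencing the .ttp path.
# Usage: triage_home /home/alice /var/spool/cron/crontabs/alice
triage_home() {
    home="$1"
    cronfile="$2"
    findings=0

    # 1. hidden .ttp directory: report it and who owns it
    if [ -d "$home/.ttp" ]; then
        owner=$(stat -c '%U' "$home/.ttp" 2>/dev/null || echo unknown)
        echo "FOUND: hidden directory $home/.ttp (owner: $owner)"
        findings=$((findings + 1))
    fi

    # 2. authorized_keys: every non-comment line is a key that can log in
    keys="$home/.ssh/authorized_keys"
    if [ -f "$keys" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*) continue ;; esac
            echo "REVIEW: key in $keys: $(printf '%s' "$line" | cut -c1-40)..."
            findings=$((findings + 1))
        done < "$keys"
    fi

    # 3. user crontab pointing at the hidden directory
    if [ -f "$cronfile" ] && grep -q '\.ttp' "$cronfile"; then
        echo "FOUND: $cronfile references .ttp"
        findings=$((findings + 1))
    fi

    echo "TOTAL: $findings"
    [ "$findings" -eq 0 ]   # non-zero exit when anything was found
}

# The "stopper" mitigation from the thread: .ttp must exist, be owned by
# root, and be non-writable by group and others, so the user account cannot
# recreate or populate it. Returns 0 only when all three hold.
stopper_ok() {
    dir="$1/.ttp"
    [ -d "$dir" ] || return 1
    [ "$(stat -c '%U' "$dir")" = root ] || return 1
    case "$(stat -c '%a' "$dir")" in *[0-5][0-5]) return 0 ;; esac
    return 1
}
```

Run it per user against the home directory and the user's cron spool file; a non-zero exit from triage_home means something was reported.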