How everything started…
- noticed I couldn't reach my VM over SSH;
- checked the usage log: CPU had been pinned at 100% since Apr 5, and network bandwidth sat at a constant 2 Mbps;
Quick fix
- reset the root password, following the steps at “https://vultrcoupons.com/reset-root-password-vultr-vps/”;
- checked auth.log with

```sh
grep "Accepted" /var/log/auth.log
```

plus the lines around the hit, and found this sequence:

```
Apr 5 **:**:47 vultr sshd[23636]: Accepted password for root from *[/*Attacker IP From China*/]* port 59464 ssh2
Apr 5 **:**:47 vultr sshd[23636]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 5 **:**:47 vultr systemd-logind[706]: New session 17302 of user root.
Apr 5 **:**:48 vultr sshd[23638]: Failed password for root from *[/*Attacker IP From France*/]* port 48796 ssh2
Apr 5 **:**:49 vultr sshd[23638]: Received disconnect from *[/*Attacker IP From France*/]* port 48796:11: Bye Bye [preauth]
Apr 5 **:**:49 vultr sshd[23638]: Disconnected from authenticating user root *[/*Attacker IP From France*/]* port 48796 [preauth]
Apr 5 **:**:50 vultr sshd[23666]: Invalid user nproc from *[/*Attacker IP From China*/]* port 59976
Apr 5 **:**:50 vultr sshd[23666]: pam_unix(sshd:auth): check pass; user unknown
Apr 5 **:**:50 vultr sshd[23666]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=*[/*Attacker IP From China*/]*
Apr 5 **:**:51 vultr sshd[23666]: Failed password for invalid user nproc from *[/*Attacker IP From China*/]* port 59976 ssh2
Apr 5 **:**:52 vultr sshd[23666]: Received disconnect from *[/*Attacker IP From China*/]* port 59976:11: Bye Bye [preauth]
Apr 5 **:**:52 vultr sshd[23666]: Disconnected from invalid user nproc *[/*Attacker IP From China*/]* port 59976 [preauth]
Apr 5 **:**:53 vultr chpasswd[23755]: pam_unix(chpasswd:chauthtok): password changed for root
```

The first line is the attacker's successful password login as root; six seconds later chpasswd changes the root password, which is why I was locked out. The brute-force noise from other addresses continues in between.
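Reading that pattern out of a large auth.log by eye is error-prone, so here is an added triage script (my example, not code from the original post) that parses sshd and chpasswd lines, counts failed passwords per source address, and flags exactly the sequence above: a root password login preceded by failures from the same address, followed within minutes by a root password change. The lines in SAMPLE_AUTH_LOG are constructed to mirror the excerpt, with RFC 5737 documentation addresses standing in for the real attacker IPs.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample modelled on the excerpt above; 203.0.113.5, 198.51.100.7 and
# 192.0.2.10 are documentation addresses, not the real attacker IPs.
SAMPLE_AUTH_LOG = """\
Apr  5 10:41:12 vultr sshd[23601]: Failed password for root from 203.0.113.5 port 59301 ssh2
Apr  5 10:41:15 vultr sshd[23603]: Failed password for root from 203.0.113.5 port 59322 ssh2
Apr  5 10:41:19 vultr sshd[23610]: Failed password for root from 198.51.100.7 port 48701 ssh2
Apr  5 10:41:47 vultr sshd[23636]: Accepted password for root from 203.0.113.5 port 59464 ssh2
Apr  5 10:41:47 vultr sshd[23636]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr  5 10:41:48 vultr sshd[23638]: Failed password for root from 198.51.100.7 port 48796 ssh2
Apr  5 10:41:50 vultr sshd[23666]: Invalid user nproc from 203.0.113.5 port 59976
Apr  5 10:41:51 vultr sshd[23666]: Failed password for invalid user nproc from 203.0.113.5 port 59976 ssh2
Apr  5 10:41:53 vultr chpasswd[23755]: pam_unix(chpasswd:chauthtok): password changed for root
Apr  6 09:00:02 vultr sshd[24001]: Accepted publickey for deploy from 192.0.2.10 port 50111 ssh2
"""

# syslog-style line: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
CHPASSWD_RE = re.compile(r"password changed for (?P<user>\S+)$")


def parse_stamp(stamp):
    # syslog stamps carry no year; pin one (a leap year, so a "Feb 29" line still parses)
    return datetime.strptime("2000 " + re.sub(r"\s+", " ", stamp), "%Y %b %d %H:%M:%S")


def triage(log_text, window=timedelta(minutes=10)):
    """Return failed passwords per IP, accepted logins, and alerts worth a human's attention."""
    failures = Counter()
    accepted = []
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, prog, msg = parse_stamp(m["stamp"]), m["prog"], m["msg"]
        if prog == "sshd":
            f = FAILED_RE.match(msg)
            if f:
                failures[f["ip"]] += 1
                continue
            a = ACCEPTED_RE.match(msg)
            if a:
                entry = {"ts": ts, "user": a["user"], "method": a["method"],
                         "ip": a["ip"], "prior_failures": failures[a["ip"]]}
                accepted.append(entry)
                when = f"{ts:%b %d %H:%M:%S}"
                if entry["user"] == "root" and entry["method"] == "password":
                    alerts.append(("root-password-login",
                                   f"{when} root logged in with a password from {entry['ip']}"))
                if entry["prior_failures"]:
                    alerts.append(("success-after-failures",
                                   f"{when} {entry['user']} login from {entry['ip']} followed "
                                   f"{entry['prior_failures']} failed attempts from that address"))
        elif prog == "chpasswd":
            c = CHPASSWD_RE.search(msg)
            if c:
                # a password change shortly after an interactive login is the lockout pattern
                for entry in accepted:
                    delta = ts - entry["ts"]
                    if timedelta(0) <= delta <= window:
                        alerts.append(("password-change-after-login",
                                       f"{ts:%b %d %H:%M:%S} password for {c['user']} changed "
                                       f"{int(delta.total_seconds())}s after {entry['user']} "
                                       f"logged in from {entry['ip']}"))
    return {"failures": failures, "accepted": accepted, "alerts": alerts}


if __name__ == "__main__":
    result = triage(SAMPLE_AUTH_LOG)
    for ip, n in result["failures"].most_common():
        print(f"{n:4d} failed password(s) from {ip}")
    for kind, detail in result["alerts"]:
        print(f"[{kind}] {detail}")
```

On a real host feed it `open("/var/log/auth.log").read()`; on journald-only systems `journalctl -u ssh -o short` (unit name `sshd` on RHEL-family distributions) prints the same syslog layout, with a zero-padded day that the parser also accepts. The window default of ten minutes is an assumption; widen it if the attacker's tooling is slower.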
Root of all evil
Checked which files had changed and found two new directories under root's home directory, one of them .configrc; its structure:

```
.configrc/
├── a
│   ├── a
│   ├── bash.pid
│   ├── dir.dir
│   ├── kswapd0
│   ├── run
│   ├── stop
│   └── upd
├── b
│   ├── a
│   ├── dir.dir
│   ├── run
│   ├── stop
│   └── sync
├── cron.d
└── dir2.dir
```

The attacker's persistence lives in the cron.d file, a crontab with three jobs: run the update script every 12 hours and after every reboot; run sync every Sunday at 08:05 (more on that below); and run a job called aptitude once a month.
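A crontab that points into a dot directory is the tell here, and the same check should be run over every crontab on the box, not just root's. The following auditor is an added example (mine, not code from the post or from the malware): it parses crontab syntax, including the extra user field in /etc/crontab and /etc/cron.d, and flags entries that run from hidden or world-writable locations, pipe downloads into a shell, or decode an inline payload. SUSPECT_CRONTAB is constructed from the schedules described above; the paths in it are illustrative, not the attacker's actual file.

```python
import os
import re

# Constructed crontab modelled on the schedules described above (every 12 hours and at
# reboot, Sunday 08:05, once a month). Paths are illustrative, not the attacker's file.
SUSPECT_CRONTAB = """\
# a normal-looking job, kept as a control
0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
0 */12 * * * /root/.configrc/a/upd >/dev/null 2>&1
@reboot /root/.configrc/a/upd >/dev/null 2>&1
5 8 * * 0 /root/.configrc/b/sync >/dev/null 2>&1
0 0 1 * * /tmp/.x/aptitude >/dev/null 2>&1
"""

HIDDEN_DIR = re.compile(r"/\.[^/\s.]")                      # path component starting with "."
TEMP_DIR = re.compile(r"(?:^|\s)/(?:tmp|var/tmp|dev/shm)/")  # world-writable staging areas
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba|da|z)?sh\b")
INLINE_DECODE = re.compile(r"base64\s+(?:-d|--decode)|\beval\b")


def parse_crontab(text, system_format=False):
    """Split crontab text into entries. /etc/crontab and /etc/cron.d (system_format=True)
    carry a user field between the schedule and the command; per-user crontabs do not."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
            continue                                # blank, comment or VAR=value line
        n_sched = 1 if line.startswith("@") else 5  # @reboot/@daily vs five time fields
        n_skip = n_sched + (1 if system_format else 0)
        parts = line.split(None, n_skip)
        if len(parts) <= n_skip:
            continue                                # no command, nothing will run
        entries.append({"line": n,
                        "schedule": " ".join(parts[:n_sched]),
                        "user": parts[n_sched] if system_format else None,
                        "command": parts[n_skip]})
    return entries


def audit_crontab(text, system_format=False):
    """Return the entries whose command looks like malware persistence, with reasons."""
    findings = []
    for entry in parse_crontab(text, system_format):
        cmd, reasons = entry["command"], []
        if HIDDEN_DIR.search(cmd):
            reasons.append("runs from a hidden directory")
        if TEMP_DIR.search(cmd):
            reasons.append("runs from a world-writable temp location")
        if PIPE_TO_SHELL.search(cmd):
            reasons.append("downloads and pipes into a shell")
        if INLINE_DECODE.search(cmd):
            reasons.append("decodes or evals an embedded payload")
        if reasons and entry["schedule"] == "@reboot":
            reasons.append("survives a reboot")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def audit_system():
    """Audit every crontab on the box, not only the one `crontab -r` removes (needs root)."""
    candidates = [("/etc/crontab", True)]
    for directory, system_format in (("/var/spool/cron/crontabs", False),  # Debian/Ubuntu
                                     ("/var/spool/cron", False),           # RHEL family
                                     ("/etc/cron.d", True)):
        try:
            names = os.listdir(directory)
        except OSError:
            continue
        candidates += [(os.path.join(directory, f), system_format) for f in names]
    report = {}
    for path, system_format in candidates:
        try:
            with open(path, errors="replace") as fh:
                hits = audit_crontab(fh.read(), system_format)
        except OSError:
            continue                                # missing, or not readable without root
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for hit in audit_crontab(SUSPECT_CRONTAB):
        print(f"line {hit['line']}: {hit['schedule']} {hit['command']}")
        print("    " + "; ".join(hit["reasons"]))
    for path, hits in audit_system().items():
        print(f"{path}: {len(hits)} suspicious entries")
```

The indicator list is deliberately short; anything it flags still needs a look at the referenced file before deleting, and anything it misses (a copy under /usr/lib with an innocent name, say) is why the file tree itself was worth inspecting.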
To inspect, stop and delete the cron jobs:

```sh
cd /var/spool/cron/crontabs
ls -lhat
crontab -r
ls
```

Note that crontab -r only removes the crontab of the user running it (root here); entries the attacker may have dropped for other users or under /etc/cron.d survive that and have to be removed separately.

Back to the sync script. It calls run in the same directory, which decodes a base64 string into a Perl script and runs it as a process named rsync, then wipes the user's ~/.ssh directory and installs an SSH public key for a user called mdrfckr 🤣. That key is a second way in, so resetting the root password alone does not lock the attacker out; ~/.ssh/authorized_keys has to be checked as well.
What is in the Perl script? After base64 decoding it turns out to be obfuscated again: a uuencoded blob that is unpacked and eval'd in one go:

```perl
eval unpack u=>q{/*random characters that don't make sense at all*/}
```

Some searching later, it turned out the script has more functionality than mining, including botnet features.
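The wrapper above is an instruction for Perl to decode and execute; for analysis you want only the first half. This added decoder (my example, not the malware's code or the post's) does the base64 stage, then statically unpacks each `eval unpack u=>q{...}` layer with the same uuencode scheme Perl's `unpack "u"` uses, without ever evaluating anything. build_sample constructs a harmless stand-in payload wrapped the same way, because the real blob is not reproduced on the page.

```python
import base64
import binascii
import re

# `eval unpack u=>q{...}`: the braces hold a uuencoded blob that Perl decodes and runs.
# The regex also tolerates the parenthesised / quoted spellings of the same call.
EVAL_UNPACK = re.compile(r"""eval\s+unpack\s*\(?\s*["']?u["']?\s*(?:=>|,)\s*q\{(.*?)\}""", re.S)


def uudecode(blob):
    """Decode a uuencoded body (what Perl's unpack 'u' does) statically, never executing it."""
    out = bytearray()
    for line in blob.splitlines():
        if not line.strip() or line.startswith(("begin ", "end")):
            continue                      # blank lines, or begin/end framing if present
        out += binascii.a2b_uu(line)      # each line: length char, then 4-char groups
    return bytes(out)


def peel(script_text, max_layers=10):
    """Return the successive layers of the wrapper, outermost first.

    Loops because the decoded layer is sometimes wrapped the same way again."""
    layers = [script_text]
    for _ in range(max_layers):
        m = EVAL_UNPACK.search(layers[-1])
        if not m:
            break
        layers.append(uudecode(m.group(1)).decode("latin-1"))
    return layers


def decode_obfuscated_perl(b64_text):
    """Stage 1 is the base64 blob the run script carries; further stages come from peeling."""
    stage1 = base64.b64decode(b64_text).decode("latin-1")
    return peel(stage1)


def build_sample():
    """Constructed stand-in for the real payload: a harmless print wrapped the same way."""
    inner = b'print "hello from the payload\\n";\n'
    uu = b"".join(binascii.b2a_uu(inner[i:i + 45]) for i in range(0, len(inner), 45))
    stage1 = b"#!/usr/bin/perl\neval unpack u=>q{\n" + uu + b"};\n"
    return base64.b64encode(stage1).decode("ascii")


if __name__ == "__main__":
    for depth, layer in enumerate(decode_obfuscated_perl(build_sample())):
        print(f"--- layer {depth} ---")
        print(layer)
```

Point it at the base64 string lifted out of run. If the innermost layer is still unreadable, that is a different obfuscation and needs its own unpacker; what it should never become is `perl -e` on the compromised box, since the whole point of the wrapper is that decoding and running are the same statement.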
In the kswapd0 binary, found a JSON config like this:

```json
{
  ...
  "pools": [
    {
      "coin": "monero",
      "algo": null,
      "url": "*xxx.xxx.xxx.xxx:80*",
      "user": "*User*",
      "pass": "x",
      "tls": false,
      "keepalive": true,
      "nicehash": true
    }
  ]
}
```

The name is borrowed from the kernel's swap daemon, which is a kernel thread with no binary on disk, so a file called kswapd0 inside a dot directory is a giveaway on its own.
Combine that with the facts that this kswapd0 is the process eating all the CPU, and that another shell script in the bundle checks the CPU model and runs wrmsr (from msr-tools) to disable hardware prefetching on AMD and Intel CPUs, a well-known XMRig performance tweak, and it's clearly a cryptominer: specifically XMRig, which the attacker configured to mine through two pool servers in the Netherlands.
Summary:
- Use fail2ban to ban repeat offenders (it inserts firewall rules that drop their traffic after a few failed attempts);
- Disable root login over SSH;
- Disable password login and use SSH keys only; if you must keep passwords, use a long, unique one;
- If the server is already compromised, treat it as lost: the attacker had root and planted both a cron job and an SSH key, so move your important data to a freshly built server as soon as possible rather than trying to clean this one.
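The middle two items are sshd_config settings, and the reason they are easy to get wrong is that sshd applies the first value it sees for a keyword, not the last, and falls back to defaults that still allow passwords. The following added checker (my example, not from the post) shows the weak configuration beside the hardened one and audits either the way sshd will actually read it. Both config fragments are constructed; the defaults table reflects OpenSSH 7.0 and later.

```python
import re

# Constructed fragments: the first is the kind of setup that lets a password
# brute force reach root, the second is the hardening listed above.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# What sshd assumes when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def effective_settings(config_text):
    """Apply sshd_config semantics: keywords are case-insensitive and the first value wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break       # Match blocks are conditional; this audit covers the global settings
        if key == "challengeresponseauthentication":
            key = "kbdinteractiveauthentication"   # old name for the same keyword
        settings.setdefault(key, value)            # later duplicates are ignored, as sshd does
    return {**DEFAULTS, **settings}


def audit_sshd_config(config_text):
    """Return the findings that explain how a password brute force can reach root."""
    s = effective_settings(config_text)
    findings = []
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password; set it to no")
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is on (the default): brute force is possible; "
                        "set it to no and use keys")
    elif s["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is on: PAM can still prompt for a "
                        "password; set it to no")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: key-based login would not work")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {audit_sshd_config(text) or ['no findings']}")
```

On the real host, `sshd -T` prints the effective configuration, which can be fed straight into audit_sshd_config, and `sshd -t` validates the file after editing; run the latter before restarting sshd so a typo does not turn the fix into a second lockout.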