How to find and stop coin mining on the web server?
Hello.
I discovered that my web server is being used to mine virtual coins.
I have identified and eliminated other types of threats, but this one for me is new.
Also, there is a process that is using memory and CPU resources; however, I cannot access the file that is causing this. It appears as part of an active process, but when I try to access the file it is as if it did not exist.
Code:
# ps aux | grep php
apache 30429 0.5 0.1 424248 20288 ? Sl 2017 661:13 /tmp/phpwOu2Lc_so6tr275vprwjvls -c /tmp/phpwOu2Lc.c
# ls /tmp/phpwOu2Lc_so6tr275vprwjvls
ls: cannot access /tmp/phpwOu2Lc_so6tr275vprwjvls: No such file or directory
# ls /tmp/phpwOu2Lc.c
ls: cannot access /tmp/phpwOu2Lc.c: No such file or directory
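A process whose executable was unlinked after it started keeps running, and the kernel reports its path with a "(deleted)" suffix in /proc/PID/exe, which is consistent with ps still showing the /tmp path while ls cannot find it. The script below is an added example, not part of the original post or any reply: it lists every process in that state and copies the still-mapped binary out of /proc before the process is killed. The PROC_ROOT parameter, the evidence directory layout and the output format are this example's own conventions.

```shell
#!/bin/sh
# Triage processes whose executable has been unlinked ("(deleted)" in
# /proc/PID/exe).  Added example, not from the original thread.  PROC_ROOT
# defaults to /proc; it is a parameter so the scan can also be run against a
# constructed directory tree.

# Print "PID<TAB>EXE-TARGET<TAB>CMDLINE" for every process whose exe link
# points at an unlinked file.  Run as root, or readlink fails for other
# users' processes and they are silently skipped.
find_deleted_exec() {
    proc_root="${1:-/proc}"
    for exe in "$proc_root"/[0-9]*/exe; do
        pid_dir="${exe%/exe}"
        pid="${pid_dir##*/}"
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                # cmdline is NUL separated; turn NULs into spaces
                cmd=$(tr '\0' ' ' 2>/dev/null < "$pid_dir/cmdline") || cmd=""
                printf '%s\t%s\t%s\n' "$pid" "$target" "$cmd"
                ;;
        esac
    done
}

# Preserve evidence for one PID before killing it: the binary is still
# reachable through /proc/PID/exe even though its path is gone, as are the
# arguments, environment, working directory and open descriptors (sockets
# show up as socket:[inode] in the fd listing).
capture_evidence() {
    pid="$1"; outdir="$2"; proc_root="${3:-/proc}"
    mkdir -p "$outdir" || return 1
    cp "$proc_root/$pid/exe" "$outdir/exe.bin" 2>/dev/null || return 1
    tr '\0' '\n' 2>/dev/null < "$proc_root/$pid/cmdline" > "$outdir/cmdline.txt"
    tr '\0' '\n' 2>/dev/null < "$proc_root/$pid/environ" > "$outdir/environ.txt"
    readlink "$proc_root/$pid/cwd" > "$outdir/cwd.txt" 2>/dev/null
    ls -l "$proc_root/$pid/fd" > "$outdir/fd.txt" 2>/dev/null
    command -v sha256sum >/dev/null 2>&1 && sha256sum "$outdir/exe.bin" > "$outdir/exe.sha256"
    return 0
}

# Usage on a live box, as root (30429 is the PID from the ps output above):
#   find_deleted_exec
#   capture_evidence 30429 /root/ir/30429 && kill -9 30429
```

Copy the evidence first and kill second: once the process exits, the last reference to the unlinked binary is gone and nothing in /tmp will tell you what ran. The recovered exe.bin and the environ dump (pool address, wallet, any config) are what the reply below asks for when it questions whether this is mining at all.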
What about this information leads you to believe it is mining coins?
I can pretty much assure you that PHP could never be successfully used for any such compute-intensive task . . .
I'd like to know more about why you say this. PHP can be used to launch other programs with exec or similar functions in response to a web server request. Given that the path of the executable being executed is in the /tmp folder, that suggests the PHP script might have been used to download and compile something written in C (/tmp/phpwOu2Lc.c). Additionally, functions like pcntl_fork and posix_setsid can be used to fork off multi-threaded/multi-processing programs that persist in memory long after a web server request has timed out.
EDIT: I would further add that a botnet of machines might have sufficient computing power in aggregate to provide meaningful coin-mining power back to a single bot herder. It has been widely reported that some jerks have embedded Javascript bitcoin miners into their websites to hijack CPU power from clueless visitors.
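Two server-side settings make the chain just described (PHP calling exec, a binary compiled into /tmp, then forked and detached) harder to pull off: php.ini's disable_functions and mounting /tmp noexec. The script below is an added example, not from the thread; it checks both against a php.ini file and a mount table in /proc/mounts format. The function list is an assumed baseline, and the ini and mount samples in the usage are constructed.

```shell
#!/bin/sh
# Added example, not part of the original thread: check whether a php.ini
# disables the process-control functions a web-facing PHP should not need,
# and whether /tmp is mounted noexec.  File paths are parameters so the
# checks can be run against copies or constructed samples.

# Assumed baseline of functions to disable; extend per application.
DANGEROUS_FUNCS="exec passthru shell_exec system proc_open popen pcntl_fork pcntl_exec posix_setsid"

# Print the functions from DANGEROUS_FUNCS that INI_FILE does not list in
# disable_functions.  Returns 0 when none are missing, 1 otherwise.
missing_disabled_functions() {
    ini="$1"
    # The last uncommented disable_functions line wins; drop the key,
    # whitespace and optional quotes to get a plain comma-separated list.
    disabled=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" | tail -n 1 \
               | sed 's/^[^=]*=//; s/[[:space:]]//g; s/"//g')
    missing=""
    for f in $DANGEROUS_FUNCS; do
        case ",$disabled," in
            *",$f,"*) ;;
            *) missing="${missing:+$missing }$f" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Given a mount table in /proc/mounts format (device mountpoint fstype
# options ...), return 0 if /tmp is mounted with noexec, 1 otherwise.
tmp_is_noexec() {
    awk '$2 == "/tmp" && $4 ~ /(^|,)noexec(,|$)/ { ok = 1 } END { exit (ok ? 0 : 1) }' "$1"
}

# Usage on a live box:
#   missing_disabled_functions /etc/php.ini || echo "weak disable_functions"
#   tmp_is_noexec /proc/mounts || echo "/tmp is executable"
```

A weak php.ini has `disable_functions =` (empty, the upstream default); the corrected line is `disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_fork,pcntl_exec,posix_setsid`. Both are partial controls: disable_functions restricts only PHP's own runtime, and noexec on /tmp stops a compiled binary such as the one in the ps output from being executed directly but not `sh /tmp/script` run through an interpreter, and other world-writable directories (/var/tmp, /dev/shm) need the same treatment.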
I received an alert from the University IT. They found some activities about mining coins on my web server (they use a proprietary program).
And I found (netstat -a) so many connections to these URLs: "monerohash.com" and "monero.farm".
It's a bit of a hack--and I'm not sure this will help much -- but you might mitigate this problem immediately in the short term by adding a couple of entries to your /etc/hosts file until you get the problem solved:
Code:
0.0.0.0 monerohash.com
0.0.0.0 monero.farm
This should cause any attempts to connect to those domains to fail from your machine.
As for the original question 'what is happening,' the appearance of "php" in your posted details suggests to me that you are running some PHP code that is accessible to the public, probably a website, and that there might be a vulnerability in that website that allows an attacker to write arbitrary files to your tmp folder and execute them. You might want to scan your Apache logs for some of those unique strings and see if anything comes up.
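The two steps in that reply, pinning the pool hostnames in /etc/hosts and searching the Apache access log for the unique strings, as an added example that is not part of the thread. File paths are parameters so the helpers can be run against copies first, and the log lines written by write_sample_log are constructed (RFC 5737 documentation addresses) rather than real traffic.

```shell
#!/bin/sh
# Added example, not from the original thread: block the mining-pool
# hostnames in a hosts file and pull indicator-bearing requests out of an
# Apache access log.

# Append "0.0.0.0 <domain>" for each domain not already pinned in HOSTS_FILE.
# Safe to run repeatedly.
block_domains() {
    hosts_file="$1"; shift
    for d in "$@"; do
        if ! grep -Eq "^[[:space:]]*0\.0\.0\.0[[:space:]]+$d([[:space:]]|\$)" "$hosts_file"; then
            printf '0.0.0.0 %s\n' "$d" >> "$hosts_file"
        fi
    done
}

# Print every line of LOGFILE containing any of the literal indicator
# strings given as further arguments (each becomes one grep -F -e option).
scan_access_log() {
    logfile="$1"; shift
    n=$#; i=0
    while [ "$i" -lt "$n" ]; do
        set -- "$@" -e "$1"; shift
        i=$((i + 1))
    done
    grep -F "$@" "$logfile"
}

# Per-client-IP count of the matching requests, busiest first; the host
# that dropped the file is usually the one that then called it.
count_sources() {
    scan_access_log "$@" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Constructed Apache combined-log sample for trying the helpers offline.
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.23 - - [10/Jan/2018:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:09:12:14 +0000] "POST /uploads/img.php HTTP/1.1" 200 77 "-" "python-requests/2.18"
203.0.113.7 - - [10/Jan/2018:09:12:15 +0000] "GET /uploads/img.php?f=/tmp/phpwOu2Lc.c HTTP/1.1" 200 51 "-" "python-requests/2.18"
198.51.100.23 - - [10/Jan/2018:09:13:40 +0000] "GET /about.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
EOF
}

# Usage on a live box, as root:
#   block_domains /etc/hosts monerohash.com monero.farm
#   scan_access_log /var/log/httpd/access_log phpwOu2Lc
#   count_sources /var/log/httpd/access_log phpwOu2Lc
```

The hosts-file entry only affects name lookups that go through the system resolver: a miner that has already resolved the pool, carries a hard-coded IP, or queries a DNS server directly is not affected, and the process itself keeps running. Confirm with `ss -tnp` (or `netstat -tnp`) that the established connections actually disappear, block the pool addresses outbound in the firewall as well, and treat the hosts entry as a stop-gap until the process is killed and the entry point closed.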
It looks like he's having trouble listing them, suggesting that the files don't exist (e.g., they are very short-lived, ephemeral files) or that he doesn't have permission to list them (which seems unlikely). Perhaps something like this executed with root privileges: