Hello.

I discovered that my web server is being used to mine virtual coins.
I have identified and eliminated other types of threats, but this one for me is new.
Also, there is a process that is using memory and CPU resources, however, I can not access the file that is causing this. It appears as part of an active process, but when trying to access the file and as if it did not exist.

Can someone help me understand what's going on?

Thank you.

Maybe you should tell us how and what you "identified"...

Cleaning tips at https://aw-snap.info

will list the what's open by that apache process.

What about this information leads you to believe it is mining coins?

I can pretty much assure you that PHP could never be successfully used for any such compute-intensive task . . .

I'd like to know more about why you say this. PHP can be used to launch other programs with exec or similar functions in response to a web server request. Given that the path of the executable being executed is in the /tmp folder, that suggests the PHP script might have been used to download and compile something written in C (/tmp/phpwOu2Lc.c). Additionally, functions like pcntl_fork and posix_setsid can be used to fork off multi-threaded/multi-processing programs that persist in memory long after a web server request has timed out.

EDIT: I would further add that a botnet of machines might have sufficient computing power in aggregate to provide meaningful coin-mining power back to a single bot herder. It has been widely reported that some jerks have embedded Javascript bitcoin miners into their websites to hijack CPU power from clueless visitors.

Hi

I received an alert from the University IT. They found some activities about mining coins in my webserver (thy use a proprietary program).
And I found (netsat -a) so many connections with these url: "monerohash.com" and "monero.farm".

Thanks.

can you give us a long ls on these files, i.e. or is it constantly changing?

It's a bit of a hack--and I'm not sure this will help much -- but you might mitigate this problem immediately in the short term by adding a couple of entries to your /etc/hosts file until you get the problem solved:
This should cause any attempts to connect to those domains to fail from your machine.

As for the original question 'what is happening,' the apperance of "php" in your posted details suggests to me that you are running some PHP code that is accessible to the public, probably a website, and that there might be a vulnerability in that website that allows an attacker to write arbitary files to your tmp folder and execute them. You might want to scan your apache logs for some of those unique strings and see if anything comes up.

Youm might also want to run 'unhide'.

It looks like he's having trouble listing them suggesting that the files don't exist (e.g., they are very short-lived, ephemeral files) or that he doesn't have permission to list them (which seems unlikely). Perhaps something like this executed with root privileges: