Malware: Droplet being used to mine cryptocurrency | Stratum

Question

I’ve noticed for some time that my new droplet has been topping out at 100% CPU and for days.
Running htop I’ve learned of these two files:

13931 www-data   20   0  180M 21344  2652 S 99.3  2.1 19h31:03 /tmp/phpeJCFnP_fkk2qr2rqjikiewz -c /tmp/phpeJCFnP.c
13932 www-data   20   0  180M 21344  2652 R 98.7  2.1 19h30:56 /tmp/phpeJCFnP_fkk2qr2rqjikiewz -c /tmp/phpeJCFnP.c

When I nano /tmp/phpeJCFnP.c I discover:

threads = 1
mine = stratum+tcp://44XNuUyCFUgjG23yPfCHpb572jwWanhYn7KZtiRcGmMoHc9BG9iZp5cVasUtz5Sq2GiJv8qoGDDVs6PXajCJumfdJbrR1P7:x@monerohash.com:3333/xmr

When I delete these files they simply return in some form. I suspect there is a file on the apache2 server that these guys are accessing.

If anyone has encountered this kind of malware and has any advice, please share?

Answer 1

aseemr October 3, 2017

[deleted]

Reply Report

Ur4nus October 4, 2017

What part of that uninstalls monero?
Reply Report
colton8aca32d751ce4d178f57 January 4, 2018

Is this a joke?

Those commands are literally to install a crypto-miner on your machine. Someone is asking for help and you are maliciously having them install exactly what they are trying to remove.

What kind of garbage person are you?
Reply Report
- Ur4nus January 4, 2018
  
  @colton8aca32d751ce4d178f57 Thank you.
  
  Reply Report
- aseemr January 5, 2018
  
  There seems to be some misunderstanding. If I remember correctly, I asked for verification in logs etc. not to run those commands.
  
  I have no intention of misleading anyone.
  
  Reply Report

Answer 2

Ur4nus October 4, 2017

What part of that uninstalls monero?
Reply Report
colton8aca32d751ce4d178f57 January 4, 2018

Is this a joke?

Those commands are literally to install a crypto-miner on your machine. Someone is asking for help and you are maliciously having them install exactly what they are trying to remove.

What kind of garbage person are you?
Reply Report
- Ur4nus January 4, 2018
  
  @colton8aca32d751ce4d178f57 Thank you.
  
  Reply Report
- aseemr January 5, 2018
  
  There seems to be some misunderstanding. If I remember correctly, I asked for verification in logs etc. not to run those commands.
  
  I have no intention of misleading anyone.
  
  Reply Report

Answer 3

kamaln7 February 14, 2018

In the case of any kind of infection, the recommended course of action is to back up the Droplet’s contents and redeploy a new one, making sure to only transfer over known files (i.e. your own) and to properly secure it (use ssh keys, disable root login, run apps and programs with only the security permissions that they need, etc.)

Reply Report

Related

Question

Malware: Droplet being used to mine cryptocurrency | Stratum

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

Malware: Droplet being used to mine cryptocurrency | Stratum

Leave a comment

Related

question

Having trouble getting a web application that uses websockets to work after setting up the HTTPS Apache reverse proxy to Tomcat

question

How can I redirect the phpmyadmin login on apache to port 443 instead of 80?

question

Securing phpmyadmin with LetsEncrypt SSL?

question

PHP Error Log: authz_core:error - For files that don't exists on my server

Looking for something else?