Malware: Droplet being used to mine cryptocurrency | Stratum

October 2, 2017
Security Apache Ubuntu 16.04

I've noticed for some time that my new droplet has been topping out at 100% CPU, and has been for days.
Running htop I've learned of these two files:

13931 www-data   20   0  180M 21344  2652 S 99.3  2.1 19h31:03 /tmp/phpeJCFnP_fkk2qr2rqjikiewz -c /tmp/phpeJCFnP.c
13932 www-data   20   0  180M 21344  2652 R 98.7  2.1 19h30:56 /tmp/phpeJCFnP_fkk2qr2rqjikiewz -c /tmp/phpeJCFnP.c

When I nano /tmp/phpeJCFnP.c I discover:

threads = 1
mine = stratum+tcp://44XNuUyCFUgjG23yPfCHpb572jwWanhYn7KZtiRcGmMoHc9BG9iZp5cVasUtz5Sq2GiJv8qoGDDVs6PXajCJumfdJbrR1P7:x@monerohash.com:3333/xmr

When I delete these files they simply return in some form. I suspect there is a file on the apache2 server that these guys are accessing.

If anyone has encountered this kind of malware and has any advice, please share.

1 Answer

It appears you are infected with Monero cryptocurrency-mining malware. The following sequence seems to have been executed on your machine, and the attacker may have sudo access on your machine.

You can use the following info to uninstall.

sudo apt-get install git libcurl4-openssl-dev build-essential libjansson-dev autotools-dev automake
git clone https://github.com/wolf9466/cpuminer-multi
cd cpuminer-multi
./autogen.sh
CFLAGS="-march=native" ./configure
sudo ./minerd -a cryptonight -o stratum+tcp://pool.minexmr.com:4444 -u WALLET_ADDRESS_HERE -p x -t 3

If the /tmp directory is created as a simple directory, try changing it to a partition mounted from a file with nodev, noexec and nosuid permissions. Good luck!!
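Two checks a defender would want for exactly this situation, written as an added example that is not part of the thread or either poster's code: whether /tmp is mounted with the nodev, noexec and nosuid options the answer recommends, and which processes are executing from /tmp under the web server user (the symptom the question shows in htop). The function names, the /tmp.img path in the comment, and all sample /proc/mounts and ps lines are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original thread. Run with --live to inspect the current
# host; run with no arguments to exercise the checks on constructed sample data.

# has_hardened_opts "<one line of /proc/mounts>"
# Exit 0 when the 4th field (mount options) contains nodev, noexec and nosuid.
has_hardened_opts() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    for need in nodev noexec nosuid; do
        case ",$opts," in
            *",$need,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# tmp_mount_line "<contents of /proc/mounts>"
# Print the entry whose mount point is /tmp; prints nothing when /tmp is just a
# directory on the root filesystem (the weak setup the answer warns about).
tmp_mount_line() {
    printf '%s\n' "$1" | awk '$2 == "/tmp" { print }'
}

# check_tmp "<contents of /proc/mounts>"
# Prints one of: hardened, weak (mounted but missing an option), not-mounted.
check_tmp() {
    line=$(tmp_mount_line "$1")
    if [ -z "$line" ]; then
        echo not-mounted
    elif has_hardened_opts "$line"; then
        echo hardened
    else
        echo weak
    fi
}

# tmp_procs "<output of ps -eo pid,user,args>" [user]
# Print PIDs of processes whose executable path starts with /tmp/ and that run as
# the given user (default www-data, the Apache user in the question).
tmp_procs() {
    printf '%s\n' "$1" | awk -v u="${2:-www-data}" \
        'NR > 1 && $2 == u && $3 ~ /^\/tmp\// { print $1 }'
}

# count_tmp_procs "<ps output>" [user] : number of such processes, for alerting.
count_tmp_procs() {
    tmp_procs "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample data (not real output from the poster's droplet).
SAMPLE_PS='PID USER COMMAND
13931 www-data /tmp/phpXXXXXX_worker -c /tmp/phpXXXXXX.c
13932 www-data /tmp/phpXXXXXX_worker -c /tmp/phpXXXXXX.c
1044 www-data /usr/sbin/apache2 -k start
2201 root /usr/sbin/sshd -D'

WEAK_MOUNTS='/dev/vda1 / ext4 rw,relatime,data=ordered 0 0
tmpfs /tmp tmpfs rw,relatime 0 0'

# A file-backed /tmp as the answer describes would come from an /etc/fstab line like
#   /tmp.img  /tmp  ext4  loop,nodev,noexec,nosuid  0 0
HARDENED_MOUNTS='/dev/vda1 / ext4 rw,relatime,data=ordered 0 0
/tmp.img /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0'

if [ "${1:-}" = "--live" ]; then
    echo "/tmp mount: $(check_tmp "$(cat /proc/mounts)")"
    echo "processes running from /tmp as www-data:"
    tmp_procs "$(ps -eo pid,user,args)"
else
    echo "sample weak mounts:     $(check_tmp "$WEAK_MOUNTS")"
    echo "sample hardened mounts: $(check_tmp "$HARDENED_MOUNTS")"
    echo "sample /tmp processes:  $(count_tmp_procs "$SAMPLE_PS")"
fi
```

A non-zero count from `tmp_procs` on a web server is worth an alert on its own; the noexec mount closes the path the question describes, but it is a mitigation, not a cleanup, so the PHP upload or script that keeps dropping the binary still has to be found and removed.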
