Related

Having trouble getting a web application that uses websockets to work after setting up the HTTPS Apache reverse proxy to Tomcat Question Question
How can I redirect the phpmyadmin login on apache to port 443 instead of 80? Question Question

Question

Malware: Droplet being used to mine cryptocurrency | Stratum

Posted October 2, 2017 5.2k views
ApacheSecurityUbuntu 16.04

I’ve noticed for some time that my new droplet has been topping out at 100% CPU and for days.
Running htop I’ve learned of these two files:

13931 www-data   20   0  180M 21344  2652 S 99.3  2.1 19h31:03 /tmp/phpeJCFnP_fkk2qr2rqjikiewz -c /tmp/phpeJCFnP.c
13932 www-data   20   0  180M 21344  2652 R 98.7  2.1 19h30:56 /tmp/phpeJCFnP_fkk2qr2rqjikiewz -c /tmp/phpeJCFnP.c

When I nano /tmp/phpeJCFnP.c I discover:

threads = 1
mine = stratum+tcp://44XNuUyCFUgjG23yPfCHpb572jwWanhYn7KZtiRcGmMoHc9BG9iZp5cVasUtz5Sq2GiJv8qoGDDVs6PXajCJumfdJbrR1P7:x@monerohash.com:3333/xmr

When I delete these files they simply return in some form. I suspect there is a file on the apache2 server that these guys are accessing.

If anyone has encountered this kind of malware and has any advice, please share?

Add a comment
Ur4nus
By:
Ur4nus
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
1 answer
aseemr October 3, 2017
[deleted]
Reply Report
kamaln7 February 14, 2018

In the case of any kind of infection, the recommended course of action is to back up the Droplet’s contents and redeploy a new one, making sure to only transfer over known files (i.e. your own) and to properly secure it (use ssh keys, disable root login, run apps and programs with only the security permissions that they need, etc.)

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help