ISPConfig on Ubuntu - Bitcoin miner intruder

Discussion in 'Installation/Configuration' started by eliside, Nov 14, 2013.

  1. eliside

    eliside New Member

    Recently I've noticed that my server load was constantly 1.0 and I keep wondering what it could be. Today I've discovered that a Bitcoin miner named Minerd runs on my server under the www-data user and it's just killing my server with 99.6% usage. Can anyone explain how that could have happened? Please note: I have the root user password deactivated on this server and I followed The Perfect Server - Ubuntu 11.04 [ISPConfig 3] instructions to set up my server on Ubuntu. Thank you. :(
    The Bitcoin miner is located in the /tmp directory and runs under process number 9347 and under the www-data user.
     
    Last edited: Nov 14, 2013
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. eliside

    eliside New Member

    RK Hunter says the system is infected with Slapper Worm. How do I remove it?
     
  4. eliside

    eliside New Member

    I've investigated the problem on my server a bit and I've noticed that before the Bitcoin miner's process starts, every time I reboot the server there is another process running under user "nobody" and its description says something like jk_soket or jr_soket. Is this user legitimate?
    Now I get this error in the system log:
    Nov 16 12:00:20 server postfix/sendmail[17845]: fatal: file /etc/postfix/main.cf: parameter default_privs: unknown user name value: nobody
    The good thing is that now the Bitcoin miner has not started again, yet, and all the executable files in the /tmp directory have disappeared.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    If rkhunter says the system is infected, then the best option is to back up the sites, email folders and databases (and a copy of the /etc/ directory as you might need some settings from it on the new server) and then reinstall the system.
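
Added example, not part of the thread or of ISPConfig: a triage check for the symptom reported above, a process such as minerd running out of /tmp under a service account. It walks a /proc tree and lists every process whose executable sits in a world-writable directory or was deleted from disk after it started (the files in /tmp later disappeared). The function name `scan_proc` and the directory list are assumptions of this example.

```bash
#!/bin/bash
# Added example: report processes whose binary lives in a world-writable
# directory or no longer exists on disk. Run as root to see every process.
# The proc root is a parameter so a copied or mounted tree can be checked too.

scan_proc() {
    local root="${1:-/proc}" dir pid exe uid name
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        # Kernel threads have no exe link; other users' links need root.
        exe="$(readlink "$dir/exe" 2>/dev/null)" || continue
        [ -n "$exe" ] || continue
        case "$exe" in
            # Assumed watch list: world-writable dirs, or a binary that was
            # unlinked while running (the kernel appends " (deleted)").
            /tmp/*|/var/tmp/*|/dev/shm/*|*" (deleted)") ;;
            *) continue ;;
        esac
        # The real UID is the first value on the "Uid:" line of status.
        uid="$(awk '$1 == "Uid:" { print $2; exit }' "$dir/status" 2>/dev/null)" || true
        name="$(awk '$1 == "Name:" { print $2; exit }' "$dir/status" 2>/dev/null)" || true
        printf '%s uid=%s name=%s exe=%s\n' "$pid" "${uid:-?}" "${name:-?}" "$exe"
    done
    return 0
}

# Scan the live system, or the tree given as the first argument.
scan_proc "${1:-/proc}"
```

Each hit is printed as `PID uid=… name=… exe=…`; a web-server UID (www-data is UID 33 on Ubuntu) next to a /tmp path matches what the first post describes.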
     
