
Curious how you resolved this? #1

Open
mfurlend opened this issue Sep 1, 2021 · 10 comments

Comments

@mfurlend

mfurlend commented Sep 1, 2021

I'm having the same exact issues. What did you do to prevent this? The directory keeps showing up every week.

@dangoldin
Owner

Hmm. I don't recall the exact details but did a writeup/analysis of this on https://dangoldin.com/2020/05/29/anatomy-of-a-crypto-mining-hack/ so that might provide some info.

I think I had to remove the folder itself but also some of the initial processes/files by tracing it backwards.

@mfurlend
Author

mfurlend commented Sep 2, 2021

Thanks for the reply. Interestingly, the ssh key in your analysis is the exact same one that I encountered.

@dangoldin
Owner

I'm surprised the hack is still going on. Were you able to trace it back to a source? I do think that origin script was in another folder but don't recall which one. You can try running "ps -a" to see the processes running and also check out your cron file to see if anything got automatically scheduled there.
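One way to script the two checks suggested above (added example, not code from this thread): list the active cron entries and the SSH authorized_keys entries under a root directory, so it also works on a mounted disk image of the box, and flag any key that is not in an allowlist you maintain. It assumes the standard cron and OpenSSH file locations and a POSIX sh.

```shell
#!/bin/sh
# Triage helper for persistence spots a miner typically uses: cron jobs
# and authorized_keys. Run as root, e.g.:
#   list_cron_entries /           list_authorized_keys /
#   unexpected_keys / /root/known_keys.pub
# Pass a mount point instead of "/" to inspect an offline image.
# Assumed layout: /etc/crontab, /etc/cron.d, /var/spool/cron[/crontabs],
# /root and /home/<user> home directories.

# Print every active (non-comment, non-blank) cron line under root $1,
# prefixed with the file it came from.
list_cron_entries() {
    root="${1:-/}"; root="${root%/}"
    for f in "$root/etc/crontab" "$root/etc/cron.d"/* \
             "$root/var/spool/cron"/* "$root/var/spool/cron/crontabs"/*; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*(#|$)' "$f" | sed "s|^|$f: |"
    done
}

# Print "<file>: <key type> <comment>" for each key in every
# authorized_keys file under root $1 ("(no comment)" if the key has none).
list_authorized_keys() {
    root="${1:-/}"; root="${root%/}"
    for f in "$root/root/.ssh/authorized_keys" \
             "$root/home"/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        awk -v f="$f" 'NF >= 2 && $1 !~ /^#/ {
            c = (NF >= 3) ? $3 : "(no comment)"; print f ": " $1 " " c }' "$f"
    done
}

# Print authorized_keys lines whose key material (field 2) does not
# appear in the allowlist file $2 (one public key per line, usual format).
# FILENAME is compared rather than NR==FNR so an empty allowlist still
# reports every key as unexpected.
unexpected_keys() {
    root="${1:-/}"; root="${root%/}"; allow="$2"
    for f in "$root/root/.ssh/authorized_keys" \
             "$root/home"/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        awk -v a="$allow" -v f="$f" '
            FILENAME == a { if (NF >= 2) ok[$2] = 1; next }
            NF >= 2 && $1 !~ /^#/ && !($2 in ok) { print f ": " $0 }' \
            "$allow" "$f"
    done
}
```

Anything the cron listing shows that you did not schedule, and any key `unexpected_keys` reports, is what to trace backwards before rebuilding.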

@aaabhilash97

Any idea how this got installed on the machine?
My server does not allow ssh from public IPs.

@sibidharan

We got the same attack today. We recovered it successfully and stopped the attack as users complained the site was slow. In our case they got root access. Is there some info on how they got in the first place?

@sibidharan

Any idea how this got installed on the machine?
My server does not allow ssh from public IPs.

Go to your server, boot with live cd, access shell and change your key back.

@aaabhilash97

@sibidharan no idea how it got installed in the first place. We terminated the machine immediately, so we weren't able to troubleshoot.

It might be some vulnerable packages you installed, or an ssh key or password that was compromised.

@dangoldin
Owner

Yea - I think what caused it for me was installing an sftp package that I was lazy in configuring so it exposed a vulnerability that gave them access. It's pretty hard to do a deep clean since you always wonder if you got something. If easy I'd suggest just rebuilding and creating a new instance.

@sibidharan

In my case, it looks like a vulnerability in our gitlab instance. We noticed the moment the attack happened, changed the ssh key via a live boot CD and got access back, then ran a full-scale backup of gitlab and restored it on a new machine. We are investigating the old server, keeping it live at the moment, by completely isolating it.

@aaabhilash97

@sibidharan
Please update here if you find anything in your investigation.

In our case, if I remember correctly, they gained access to a non-root user account on a machine where we were running some Python applications. We could have isolated the machine and investigated further, but we made a mistake and terminated the machine.
