Account infected with malware script
I'm posting this thread for the sake of awareness about the rise of mining malware scripts.
I own a VPS with WHM installed and serving 50+ accounts. Today I received an email saying a process related to processing statistics and bandwidth data had failed and stalled, and in the email body there was mention of the other top CPU-utilizing scripts, which included this suspicious script that is putting a 3.8 load on a 4-core VPS (smart enough not to go over 100% :) ):
/tmp/phpNv0NqF_xvj7psyoaiw7jbi6 -c /tmp/phpNv0NqF.c
/tmp/phpNv0NqF.c:
threads = 2
mine=stratum+tcp://46Q6XfsiKDZfjy3nVfm1XmiLh1JXSYfd9AF5Jg1GFNQNHpH8ivz8b96KUoHxo8uupi8vrcosMHbxABwKxbVzEThhRfNEHFA:x@xmr.crypto-pool.fr:3333/xmr
The other file is just a binary:
# file /tmp/phpNv0NqF_xvj7psyoaiw7jbi6
/tmp/phpNv0NqF_xvj7psyoaiw7jbi6: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for GNU/Linux 2.6.24, stripped
The interesting part is that the account which this binary is running under doesn't have shell access enabled in the first place, so I guess my up-to-date server is vulnerable to a privilege escalation bug.
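The first thing to establish on a host like the one above is which user and which parent process launched the binary in /tmp, since a PHP handler calling exec() runs the child as the account user without any login shell. The following triage helper is an added example and is not code from the original thread; it assumes a GNU/Linux box with ps, awk and grep -o. The sample ps lines, the account name "webacct", the PIDs and the WALLET placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added triage helper, not code from the original thread. Assumes a GNU/Linux
# box with ps, awk and grep -o. The sample ps lines and config below are
# constructed; "webacct", the PIDs and the WALLET placeholder are made up.

# Input on stdin: lines in the layout produced by
#   ps -eo pid=,user=,comm=,args=
# Output: "pid user path" for each process whose arguments (including the
# executable itself) point into /tmp, /var/tmp or /dev/shm.
flag_scratch_dir_procs() {
    awk '{
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^\/(tmp|var\/tmp|dev\/shm)\//) { print $1, $2, $i; break }
        }
    }'
}

# Input on stdin: a suspected miner config. Output: every stratum pool URL,
# one per line (the wallet and pool host are what you report and block).
grep_stratum_urls() {
    grep -E -o 'stratum\+(tcp|ssl)://[^[:space:]]+'
}

# Walk a live PID up to init and print each ancestor with its owner.
# A php-fpm, httpd or lsphp ancestor owned by the account means the web
# server's PHP handler launched the binary as that user, which needs
# neither a login shell nor a privilege escalation.
parent_chain() {
    pid=$1
    while [ "$pid" -gt 1 ] 2>/dev/null; do
        ps -o pid=,ppid=,user=,comm= -p "$pid"
        pid=$(ps -o ppid= -p "$pid" | tr -d ' ')
        [ -n "$pid" ] || break
    done
}

# Constructed sample data (not captured from the original post's server).
SAMPLE_PS='1234 webacct phpNv0NqF_xvj7 /tmp/phpNv0NqF_xvj7psyoaiw7jbi6 -c /tmp/phpNv0NqF.c
2001 root sshd /usr/sbin/sshd -D
2002 webacct php-fpm php-fpm: pool webacct'

SAMPLE_CONF='threads = 2
mine=stratum+tcp://WALLET:x@xmr.crypto-pool.fr:3333/xmr'

# Stand-alone run against the sample. On a real host use instead:
#   ps -eo pid=,user=,comm=,args= | flag_scratch_dir_procs
#   parent_chain <pid>     # for each flagged pid
printf '%s\n' "$SAMPLE_PS" | flag_scratch_dir_procs
printf '%s\n' "$SAMPLE_CONF" | grep_stratum_urls
```

On the sample input the first function flags only PID 1234 (the /tmp binary owned by the account), and the second extracts the pool URL from the config. Running parent_chain on the flagged PID on a live host shows whether the chain ends in the account's PHP handler or in something else, which is the evidence that separates a compromised web application from a real privilege escalation.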
Is this running in the /tmp folder under a user (/home//tmp or /home//public_html/../tmp) or is it in the server root /tmp?
Hello, regarding PHP sessions in the /tmp directory, note the information in the following post: Is the new tmp folder safe? Thank you.