12 October 2020 nicolas

I’ve been hacked

Crypto bots are back

This weekend, our server (a VPS at OVH) was hacked (brute-force root login).
I noticed that I was unable to log in through SSH as usual (using RSA or ED25519 keys) but needed a password.

After successfully logging in, I found out that my authorized_keys file had been changed to contain only one RSA key (all the others had been overwritten), with the comment mdrfckr.

After a little Googling, I found the following article: Outlaw is Back, a New Crypto-Botnet…

Even if my version was not exactly identical, it did get me on the right path to clean it:

  1. Erased the authorized_keys file.
  2. Killed the rsync process.
  3. Looked at the crontab for user root (crontab -l) and got a bunch of stuff:

       1 1 */2 * * /root/.configrc/a/upd>/dev/null 2>&1
       @reboot /root/.configrc/a/upd>/dev/null 2>&1
       5 8 * * 0 /root/.configrc/b/sync>/dev/null 2>&1
       @reboot /root/.configrc/b/sync>/dev/null 2>&1
       0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1

  4. Deleted the crontab for user root (crontab -d). (As you can see, it would otherwise reinstall itself on reboot.)
  5. Deleted the directory (rm -fR /root/.configrc) and anything in /tmp that seemed suspicious.
  6. Found out through top that a process was grabbing 99% of the CPU (mine was named kswapd0).
  7. Killed this process.
  8. Did a find / -name kswapd0 to find where this code was: it was not in /.rsync as in the article but in /root/.configrc, so it was already cleaned (step 5).
  9. Rebooted the server.
  10. Everything seems OK. According to the link above, this hack is just a crypto bot, so I didn’t bother to reinstall the whole server, even though that is a best practice.
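
As an added example (not part of the original post), here is a small POSIX shell script that turns the indicators above into repeatable checks: the mdrfckr key comment in authorized_keys, the /root/.configrc and /tmp/.X25-unix/.rsync paths in root's crontab, and a process named kswapd0 that is not the kernel thread (the kernel's own kswapd0 is a kernel thread and has no /proc/<pid>/exe target, whereas a userspace miner does). The sample authorized_keys file, crontab dump and /proc tree it builds are constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example: post-incident checks for the indicators described in the post.
# Indicators taken from the post: "mdrfckr" key comment, /root/.configrc,
# /tmp/.X25-unix/.rsync, and a userspace process named kswapd0.

# 1. Does an authorized_keys file contain the rogue key (comment "mdrfckr")?
#    Prints matching lines; returns 0 if found, 1 otherwise.
check_authorized_keys() {
    grep -E '[[:space:]]mdrfckr[[:space:]]*$' "$1"
}

# 2. Does a crontab dump (output of crontab -l) reference the dropper paths?
#    Prints matching lines; returns 0 if any are found, 1 otherwise.
check_crontab() {
    grep -E '/root/\.configrc|/tmp/\.X25-unix|/\.rsync/' "$1"
}

# 3. The real kswapd0 is a kernel thread, so readlink on /proc/<pid>/exe fails.
#    A kswapd0 whose exe resolves to a file is a userspace impostor.
#    Takes the proc root as an argument so it can be pointed at a test tree.
#    Prints "<pid> <exe>" per hit; returns 0 if any are found, 1 otherwise.
find_fake_kswapd() {
    proc_root=${1:-/proc}
    found=1
    for p in "$proc_root"/[0-9]*; do
        [ -r "$p/comm" ] || continue
        [ "$(cat "$p/comm")" = "kswapd0" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        [ -n "$exe" ] || continue
        echo "$(basename "$p") $exe"
        found=0
    done
    return $found
}

# Run all three checks against a directory laid out like the sample below;
# prints the number of indicator types that hit (0..3).
run_checks() {
    dir=$1
    hits=0
    check_authorized_keys "$dir/authorized_keys" >/dev/null && hits=$((hits+1))
    check_crontab "$dir/crontab.txt" >/dev/null && hits=$((hits+1))
    find_fake_kswapd "$dir/proc" >/dev/null && hits=$((hits+1))
    echo "$hits"
}

# Constructed sample inputs (not real captures) so the script runs offline.
# Prints the directory it created.
setup_samples() {
    SAMPLE_DIR=$(mktemp -d)
    cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEX admin@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCEXAMPLEROGUEKEY mdrfckr
EOF
    cat > "$SAMPLE_DIR/crontab.txt" <<'EOF'
0 3 * * * /usr/local/bin/backup.sh
1 1 */2 * * /root/.configrc/a/upd>/dev/null 2>&1
@reboot /root/.configrc/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1
EOF
    # Fake /proc: pid 4242 is a userspace "kswapd0" with a real executable,
    # pid 2 mimics the kernel thread (same name, no exe target).
    mkdir -p "$SAMPLE_DIR/proc/4242" "$SAMPLE_DIR/proc/2"
    echo kswapd0 > "$SAMPLE_DIR/proc/4242/comm"
    echo kswapd0 > "$SAMPLE_DIR/proc/2/comm"
    touch "$SAMPLE_DIR/proc/4242/miner"
    ln -s "$SAMPLE_DIR/proc/4242/miner" "$SAMPLE_DIR/proc/4242/exe"
    echo "$SAMPLE_DIR"
}

# Stand-alone demo against the constructed samples.
demo_dir=$(setup_samples)
echo "rogue keys:";            check_authorized_keys "$demo_dir/authorized_keys" || echo none
echo "dropper cron entries:";  check_crontab "$demo_dir/crontab.txt" || echo none
echo "userspace kswapd0 (pid exe):"; find_fake_kswapd "$demo_dir/proc" || echo none
echo "indicator types hit: $(run_checks "$demo_dir")"
rm -rf "$demo_dir"
```

On a live host, point the checks at /root/.ssh/authorized_keys, a file saved from `crontab -l -u root`, and /proc. Work in the same order the post describes: clear the crontab first (`crontab -r -u root` removes root's whole crontab), then kill the process and delete the dropper directories, because the @reboot lines would otherwise bring it back on the next boot.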

Hope it will help somebody somewhere 😉
