Burglary protection
Vitaly R, 2018-02-19 13:35:30

How to understand where the miner comes from?

Good morning everyone.
There is an old site. Apparently it's full of holes. The situation is standard, as always: someone once set up a server. The owner has been gone for a hundred years. Everyone disowns the server.
It runs debian + apache2.2 + php5.4 + mysql.
4 sites are hosted on it.
Periodically a crypto-miner appears as a process running under php. It mines to the site xmr.crypto-pool.fr.
A config and an executable file appear in the /tmp folder. Sometimes two processes at once.
I delete the file and kill the process; that is enough for 1-2 days. Then it appears again.
As I understand it, the logs are overwritten after the process is started, because many logs become "null".
How do I understand where it comes from? Where should I start?

2 answers
Stanislav Pugachev, 2018-02-19
@Stqs

Vitaly R,
1) I would try to update the OS, if of course that is permissible
2) disable ssh by password entirely, leave only keys, and change the default port from 22 to some other one
3) take an inventory of the existing junk (we are of course interested in those parts of the system that are at least somehow exposed to the outside): you need to have a list of suspects. That is, roughly speaking, with netstat we look at the list of open ports, map them to processes, look at what these processes are and find out how outdated and full of holes this software is; then we go through the list of tools/frameworks we have audited and try to find something interesting for our version of the product in the vulnerability databases. If things are really bad and there are already a lot of vulnerabilities, then there is nowhere to go, you will have to update the software.
The answer is of course not exhaustive, because it all depends very much, but as I understand it you are generally at a loss and don't know where to start, so the first rule is: you need to learn as much as possible about your system, and you need to put a face on the evil (that is, find out what specific software we are dealing with on this particular server). It will be easier to go further from there.
If time allows, figure out which user all this junk is running as; it may quickly turn out that cutting someone's privileges again gets the fastest possible result.
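The inventory step above (open ports, mapped to the processes that own them, compared against what the box is supposed to run) can be scripted so it is repeatable after each cleanup. The following is an added example, not code from the answer or from any tool on the page: it parses `netstat -tulpn` output and flags listeners whose program is not in an admin-maintained baseline. The sample netstat output and the `EXPECTED` baseline are constructed for illustration; the program name `x` on port 4444 is a made-up placeholder for an unrecognised process, not an indicator from the asker's server.

```python
import subprocess

# Constructed sample of `netstat -tulpn` output (run as root so the
# PID/Program column is filled in). Not taken from the asker's server.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1022/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1310/apache2
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      27344/x
udp        0      0 0.0.0.0:68              0.0.0.0:*                           601/dhclient
"""

# Hypothetical baseline: programs the admin knows should be listening.
# Build yours from what the hosted sites actually need.
EXPECTED = {"sshd", "mysqld", "apache2", "dhclient"}

# Local addresses that mean "bound on every interface".
WILDCARDS = {"0.0.0.0", "::", "*"}


def parse_netstat(text):
    """Turn netstat -tulpn text into a list of listener records."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # skip the banner and header lines; udp rows have no State column,
        # so we index from the ends rather than by fixed position
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue
        addr, _, port = f[3].rpartition(":")
        pid_prog = f[-1]
        if "/" in pid_prog:
            pid, prog = pid_prog.split("/", 1)
        else:
            # netstat prints "-" when it cannot see the owning process
            pid, prog = None, None
        rows.append({
            "proto": f[0],
            "addr": addr,
            "port": int(port),
            "pid": int(pid) if pid else None,
            "prog": prog,
            "exposed": addr in WILDCARDS,
        })
    return rows


def suspects(rows, expected=EXPECTED):
    """Listeners to examine first: program not in the baseline, or owner
    unresolved (prog is None, usually because netstat was not run as root)."""
    return [r for r in rows if r["prog"] not in expected]


def current_netstat():
    """Run the real netstat if available, otherwise fall back to the sample."""
    try:
        out = subprocess.run(["netstat", "-tulpn"], capture_output=True,
                             text=True, check=True).stdout
        return out
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_NETSTAT


if __name__ == "__main__":
    rows = parse_netstat(current_netstat())
    for r in rows:
        where = "ALL IFACES" if r["exposed"] else r["addr"]
        print(f'{r["proto"]:5} {r["port"]:>5} {where:12} pid={r["pid"]} prog={r["prog"]}')
    print("look at first:", [(r["port"], r["pid"], r["prog"]) for r in suspects(rows)])
```

The port list only answers "what is listening"; for each suspect, `ls -l /proc/<pid>/exe` and `/proc/<pid>/cwd` then show which binary it is and where it was started from, which on this server is how one would confirm that a listener belongs to the file dropped in /tmp.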

MyMac, 2018-02-20
@MyMac

If it is initiated from outside (a request to a php script), then you can try to find it in the Apache logs at the time the files were created in /tmp. That is, we simply look at the creation time and, from the access log, see which scripts were requested at that moment and from where. Perhaps it will be possible to catch it and get off lightly, simply by cleaning up the source.
But the hole still needs to be found. Patch it once and you will be patching it a second time (if it crawled in through php, then it is 99% certain that the problem is some ancient vulnerability in one of the standard frameworks; Stanislav Pugachev is right, nobody would have written anything specifically for this).
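The correlation MyMac describes, taking the mtime of the dropped file in /tmp and listing the access-log requests around that moment, is easy to automate. The following is an added example and is not code from the answer: it parses Apache "combined" log lines, selects requests within a window of the file's timestamp, and ranks the (client, method, script) pairs seen in that window. The log lines, the `/old/upload.php` path and `FILE_MTIME` are constructed for illustration; on a real box `FILE_MTIME` comes from `os.stat()` on the file in /tmp, as `file_mtime()` shows.

```python
import os
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat, as written by a stock apache2.2 install.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log. The POSTs to /old/upload.php stand in for the
# request that dropped the files; nothing here is from the asker's server.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Feb/2018:03:14:02 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Feb/2018:03:16:40 +0300] "POST /old/upload.php HTTP/1.1" 200 12 "-" "python-requests/2.18"
198.51.100.23 - - [19/Feb/2018:03:16:41 +0300] "POST /old/upload.php HTTP/1.1" 200 12 "-" "python-requests/2.18"
203.0.113.9 - - [19/Feb/2018:09:00:00 +0300] "GET /contact.php HTTP/1.1" 200 3321 "-" "Mozilla/5.0"
"""

# Constructed mtime of the file found in /tmp (server runs at UTC+3 here).
FILE_MTIME = datetime(2018, 2, 19, 3, 16, 41, tzinfo=timezone(timedelta(hours=3)))


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def parse_access_log(lines):
    return [e for e in (parse_line(l) for l in lines) if e]


def file_mtime(path):
    """Timezone-aware modification time of a dropped file (e.g. in /tmp)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def requests_near(entries, moment, window=timedelta(seconds=60)):
    """Requests whose timestamp lies within +/- window of `moment`, by time."""
    lo, hi = moment - window, moment + window
    return sorted((e for e in entries if lo <= e["ts"] <= hi), key=lambda e: e["ts"])


def rank_suspects(entries, moment, window=timedelta(seconds=60)):
    """Count (client ip, method, script) seen in the window, most frequent first.
    POSTs to .php files that answered 200 are the ones to open first."""
    c = Counter((e["ip"], e["method"], e["path"])
                for e in requests_near(entries, moment, window))
    return c.most_common()


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_LOG.splitlines())
    for e in requests_near(entries, FILE_MTIME):
        print(e["ts"].isoformat(), e["ip"], e["method"], e["path"], e["status"], e["agent"])
    print(rank_suspects(entries, FILE_MTIME))
```

Run it against the real `access.log` of each of the 4 vhosts with `FILE_MTIME = file_mtime("/tmp/<dropped file>")`; because the miner re-appears every 1-2 days, repeating the correlation for two or three drops and intersecting the results narrows the candidate script much faster than a single window does. If the script is a cron job or a hole re-used long after the initial upload, the window will be empty, which is itself a useful result.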
