Hi,
I do some development work for a customer and I happened to log into
their server to see if I could find a large file that I could use for
testing and noticed that the machine was running very slowly, so I
checked it out. m64 was running and a quick investigation showed that a
litecoin miner had been installed and running as root. They had created
a .logs folder with some files in it and in the .bash_history there were
mentions of something called privRK,tgz.
It appears to compromise different programs on a Linux system including
sshd, which explained why my FileZilla wouldn't connect and I couldn't
use scp.
Additionally, I noticed a user http with root privileges had been added
to the /etc/passwd.
I did run rkhunter, which is running v1.4.6 but can't find the rootkit
in the listing, although it does warn certain programs had been replaced.
Best,
John
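One of the indicators in the report above, a second account sharing UID 0 with root, is easy to check for on any Linux host. The following is an added example written for this reply, not code from the original post or from rkhunter: it audits a passwd-format file for non-root UID 0 accounts and for duplicate UIDs, and runs against a constructed sample file so it can be tried offline (the file path and account names in the sample are made up).

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd-format file
# for accounts that share UID 0 with root, the pattern behind the "http"
# user described in the report, plus any other duplicated UIDs.
set -e

# Print the names of all accounts with UID 0 other than "root".
# $1: path to a passwd-format file (defaults to /etc/passwd).
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Print every UID that appears more than once, one per line, ascending.
# Two accounts with the same UID are the same identity to the kernel.
find_duplicate_uids() {
    awk -F: '{ count[$3]++ }
             END { for (u in count) if (count[u] > 1) print u }' \
        "${1:-/etc/passwd}" | sort -n
}

# Exit status 0 when the file looks clean, 1 when any extra UID 0 account
# or duplicated UID is present. Suitable for a cron job or a monitoring check.
audit_passwd() {
    f="${1:-/etc/passwd}"
    [ -z "$(find_uid0_accounts "$f")" ] && [ -z "$(find_duplicate_uids "$f")" ]
}

# Constructed sample passwd file: a normal root entry, a service account, a
# regular user, and a planted "http" account that reuses UID 0 and GID 0.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
john:x:1000:1000:John:/home/john:/bin/bash
http:x:0:0::/var/www:/bin/bash
EOF

# Run the audit on the sample and report what was found.
if audit_passwd "$SAMPLE"; then
    echo "sample passwd: no extra UID 0 accounts or duplicate UIDs"
else
    echo "sample passwd: extra UID 0 accounts: $(find_uid0_accounts "$SAMPLE")"
    echo "sample passwd: duplicated UIDs: $(find_duplicate_uids "$SAMPLE")"
fi
```

Run it against the live file with `audit_passwd /etc/passwd` after sourcing the script; a non-zero exit is the signal to investigate. Because the post also describes replaced system binaries, pair this with the distribution's package verification (`rpm -Va` or `debsums -c`) rather than relying on the passwd check alone, and run both from a trusted rescue medium, since a modified sshd or awk on the compromised host cannot be trusted to report honestly.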
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users