On 2/9/2018 4:00 PM, Randall Chamberlin wrote:
I am experiencing this too. For me the "solr" user is running "fs-manager"
from with the directory "/var/tmp/.X1M-Unix. There is a "config.json",
"out.log" and "xmrig.log" file present. The json looks like this:
{
"algo": "cryptonight",
"av": 0,
"background": true,
"colors": false,
"cpu-affinity": null,
"cpu-priority": null,
"donate-level": 2,
"log-file": "xmrig.log",
"max-cpu-usage": 85,
"print-time": 60,
"retries": 2,
"retry-pause": 3,
"safe": false,
"syslog": false,
"threads": null,
"pools": [
{
"url": "pool-proxy.com:8080",
"user": "user",
"pass": "x",
"keepalive": true,
"nicehash": false
}
]
}
Further research with this new information suggests that this is a part
of a cryptomining botnet. If you think you can trust the following
link, here's some information:
https://malware.news/t/inside-one-xmrig-botnet-miner/17692
The xmrig software is an actual legitimate cryptomining program, but it
is apparently being installed on vulnerable webservers by malware and
generating profit for those who created the malware.
If this is malware as I suspect, you're going to need to figure out what
parts of your system are publicly accessible and vulnerable, patch them,
and clean up the malware. Alternatively you could completely rebuild
the server with newer software versions so it's completely clean and
cannot be infected again.
Thanks,
Shawn
