On 03/03/2021 07.48, Per Jessen wrote:
James Knott wrote:
On 2021-03-02 4:46 p.m., Carlos E.R. wrote:
Well, I have removed that crontab line, so it won't be trying to start again.

Ah, you removed a crontab line! You did not tell us that. What line, where exactly?
2 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -B >/dev/null
                               ^^^^^^^^^^^^^^^^^^^
That is a useful hint - it led me to this:
https://blogs.akamai.com/sitr/2020/04/a-brief-history-of-a-rootable-docker-i...
As also expected when this project first started, the docker image was a prime target for crypto-mining malware. An installation script is run via SSH that monitors the process tree with "top" - a process monitoring tool - checking for when the malware has successfully been executed. Once the process is detected, in this case it is "dhcpcd", the malware adds two new users to the system - test and test1. It changes the root password to "" (blank) and creates entries in cron to start the mining software up after a reboot. It also attempts to set the immutable bit (+i) on various files including /etc/shadow and the malware binary in /sbin/dhcpcd.
The malware also adds a .ssh key to /root/.ssh/authorized_keys:
ssh-rsa ..........
The mining software reports as XMRig v5.2.0.
That attack is different, they start with root powers. Much more dangerous.

Interesting read, that link, thanks :-)

-- 
Cheers / Saludos,

Carlos E. R.
(from 15.2 x86_64 at Telcontar)
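A triage script for the indicators in the Akamai write-up quoted above, added here as an example; it is not code from the thread, from the Akamai post, or from any openSUSE tool. It only knows the indicators the thread and write-up actually give (the pool hostname and hidden `.dhpcd` path from the posted cron line, the `test`/`test1` account names, an empty root password field, the immutable bit, and extra authorized_keys entries), so every hit is a lead to verify, not proof. All sample files it runs against are constructed, not captured from a real host; the `MINER_CRON_RE` pattern and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread, the Akamai write-up or openSUSE.
# Each check reads the file(s) it is given, so it can be pointed at copies
# pulled off the host (/var/spool/cron/*, /etc/shadow, ~/.ssh/authorized_keys).

# Regex built from the posted cron line: the pool hostname, the hidden
# ".dhpcd" binary under a home directory, or an "-o host:port" pool argument.
# ASSUMPTION: these are the only indicators we have; treat hits as leads.
MINER_CRON_RE='minexmr|/\.dhpcd|-o[[:space:]]+[^[:space:]]+:[0-9]+'

# Print cron lines matching MINER_CRON_RE, prefixed with the file name.
suspicious_cron_lines() {
    grep -HE "$MINER_CRON_RE" "$@" 2>/dev/null || true
}

# Print accounts whose shadow password field is empty. The malware blanks
# root's this way; an empty field is not "locked", it is "no password".
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print the two account names the write-up reports, as name:uid:home:shell.
# ASSUMPTION: the host has no legitimate "test" or "test1" account.
reported_miner_accounts() {
    awk -F: '$1 == "test" || $1 == "test1" { print $1 ":" $3 ":" $6 ":" $7 }' "$1"
}

# Parse "lsattr -d" output on stdin and print paths whose attribute column
# carries the immutable flag "i" (set on /etc/shadow and the miner binary
# per the write-up). Split out from the wrapper so it can be tested offline.
immutable_from_lsattr() {
    awk '$1 ~ /i/ { print $2 }'
}

# Real-host wrapper, e.g. immutable_files /etc/shadow /sbin/dhcpcd (as root).
# Silent if lsattr is missing or a path cannot be opened.
immutable_files() {
    command -v lsattr >/dev/null 2>&1 || return 0
    lsattr -d "$@" 2>/dev/null | immutable_from_lsattr
}

# Print "type blob" for each authorized_keys entry ($1) whose key material is
# not in the allowlist ($2, same format). Options and comments are ignored,
# so a re-commented key still matches. ARGV[1] is compared instead of the
# NR==FNR idiom so that an empty allowlist does not swallow the keys file.
unknown_authorized_keys() {
    awk '
        function keyid(   i) {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) return $i " " $(i + 1)
            return ""
        }
        /^[ \t]*(#|$)/ { next }
        FILENAME == ARGV[1] { ok[keyid()] = 1; next }
        { k = keyid(); if (k != "" && !(k in ok)) print k }
    ' "$2" "$1"
}

# Constructed sample files modelled on the thread and the write-up (not
# captured from any real host). Prints the directory they were written to.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/crontab" <<'EOF'
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
2 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -B >/dev/null
EOF
    cat > "$d/shadow" <<'EOF'
root::18690:0:99999:7:::
carlos:$6$saltsalt$ConstructedHashNotReal:18690:0:99999:7:::
EOF
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
carlos:x:1000:1000::/home/carlos:/bin/bash
test:x:1001:1001::/home/test:/bin/bash
test1:x:1002:1002::/home/test1:/bin/bash
EOF
    cat > "$d/authorized_keys" <<'EOF'
# admin workstation
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKey000000 carlos@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABConstructedUnknownKey00000
EOF
    cat > "$d/allowlist" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKey000000
EOF
    echo "$d"
}

# Run every check against the samples; swap in real paths to triage a host.
demo() {
    d=$(make_samples)
    echo "== cron";      suspicious_cron_lines "$d/crontab"
    echo "== no passwd"; empty_password_accounts "$d/shadow"
    echo "== accounts";  reported_miner_accounts "$d/passwd"
    echo "== immutable"; printf '%s\n' '----i---------e------- /etc/shadow' | immutable_from_lsattr
    echo "== ssh keys";  unknown_authorized_keys "$d/authorized_keys" "$d/allowlist"
    rm -rf "$d"
}

demo
```

On a live host, run it as root so `lsattr -d /etc/shadow` can open the file, and remember that a blank shadow field only permits login where PAM allows null passwords; the check flags it regardless because the write-up names it as a persistence step.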