‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, March 2, 2021 10:48 PM, Per Jessen wrote:
> > 2 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -B >/dev/null
>             ^^^^^^^^^^^^^^^^^^^
That is a useful hint - it led me to this:
https://blogs.akamai.com/sitr/2020/04/a-brief-history-of-a-rootable-docker-i...
As also expected when this project first started, the docker image was a prime target for crypto-mining malware. An installation script is run via SSH that monitors the process tree with "top" - a process monitoring tool - checking for when the malware has successfully been executed. Once the process is detected, in this case "dhcpcd", the malware adds two new users to the system - test and test1. It changes the root password to "" (blank) and creates entries in cron to start the mining software up after a reboot. It also attempts to set the immutable bit (+i) on various files including /etc/shadow and the malware binary in /sbin/dhcpcd.
The malware also adds a .ssh key to /root/.ssh/authorized_keys:
ssh-rsa ..........
The mining software reports as XMRig v5.2.0.
Per Jessen, Zürich (5.5°C)
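A host-side check for the traces the Akamai write-up quoted above lists, added here as an example and not code from the thread or from the Akamai post: it walks a filesystem tree looking for a cron entry that launches the dropped .dhpcd binary or dials the minexmr pool, the test/test1 accounts, a blanked root password in /etc/shadow, the immutable bit on /etc/shadow and /sbin/dhcpcd, and keys in root's authorized_keys. The function names are my own, the sample tree it builds is constructed for the demo, and the ssh-rsa string in it is a placeholder rather than a real key.

```shell
#!/bin/sh
# miner_ioc_scan: look for the post-infection traces described in the
# Akamai write-up. Example code for this thread, not Akamai's or Per's.
# $1 is the root of the tree to scan (a mounted image, a container
# filesystem, or "/" for the live host); default is "/".
miner_ioc_scan() {
    root="${1:-/}"
    hits=0

    # 1. cron: any entry that launches the dropped binary or dials the pool.
    for f in "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/* \
             "$root"/etc/crontab "$root"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        if grep -Eiq 'minexmr\.com|/\.dhpcd|xmrig' "$f"; then
            echo "IOC cron   : $f"
            hits=$((hits + 1))
        fi
    done

    # 2. accounts: the write-up names "test" and "test1".
    if [ -f "$root/etc/passwd" ]; then
        for u in test test1; do
            if grep -q "^$u:" "$root/etc/passwd"; then
                echo "IOC account: '$u' present in /etc/passwd"
                hits=$((hits + 1))
            fi
        done
    fi

    # 3. root password set to blank: empty hash field in /etc/shadow.
    if [ -f "$root/etc/shadow" ] && grep -q '^root::' "$root/etc/shadow"; then
        echo "IOC shadow : root has an empty password field"
        hits=$((hits + 1))
    fi

    # 4. immutable bit (chattr +i) on the files the malware pins.
    #    Needs lsattr from e2fsprogs; silently skipped if absent.
    if command -v lsattr >/dev/null 2>&1; then
        for f in "$root/etc/shadow" "$root/sbin/dhcpcd"; do
            [ -e "$f" ] || continue
            if lsattr -d "$f" 2>/dev/null | awk '{print $1}' | grep -q i; then
                echo "IOC attr   : immutable bit set on $f"
                hits=$((hits + 1))
            fi
        done
    fi

    # 5. root's authorized_keys: list every key so a foreign one stands out.
    ak="$root/root/.ssh/authorized_keys"
    if [ -f "$ak" ] && grep -Eq '^(ssh-|ecdsa-)' "$ak"; then
        echo "IOC ssh    : keys in root's authorized_keys, review each:"
        grep -E '^(ssh-|ecdsa-)' "$ak" | cut -c1-60
        hits=$((hits + 1))
    fi

    echo "indicators found: $hits"
    return "$hits"          # non-zero exit status = something to look at
}

# build_sample_tree: a constructed tree reproducing the traces above
# (the key line is a placeholder, not a real key). Prints the directory.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/var/spool/cron/crontabs" "$d/etc" "$d/root/.ssh"
    printf '2 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -B >/dev/null\n' \
        > "$d/var/spool/cron/crontabs/root"
    printf 'root:x:0:0:root:/root:/bin/sh\ntest:x:1001:1001::/home/test:/bin/sh\n' \
        > "$d/etc/passwd"
    printf 'root::18688:0:99999:7:::\n' > "$d/etc/shadow"
    printf 'ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER attacker@example\n' \
        > "$d/root/.ssh/authorized_keys"
    echo "$d"
}

# Demo on the constructed tree; on a real box run miner_ioc_scan / as root.
sample=$(build_sample_tree)
if miner_ioc_scan "$sample"; then
    echo "$sample: clean"
else
    echo "$sample: review this host"
fi
rm -rf "$sample"
```

Against the constructed tree the scan reports the cron line, the test account, the blank root hash and the authorized_keys entry (four indicators; test1 is absent and nothing is immutable in a scratch directory). The immutable-bit check is the one that needs the real filesystem: on a live host, chattr -i on /etc/shadow and the planted /sbin/dhcpcd has to come before any cleanup, otherwise the password reset and the binary removal silently fail.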
This is all why I have switched over to an immutable OS (MicroOS). Every security layer counts.