Recently I noticed my home server getting painfully slow. All the resources were eaten up by two processes: crond64 and tsm. Even though I repeatedly killed them, they kept showing up again and again.
At the same time, my ISP was notifying me about abuse originating from my IP address:
==================== Excerpt from log for 178.22.105.xxx====================
Note: Local timezone is +0100 (CET)
Jan 28 20:55:44 shared06 sshd[26722]: Invalid user admin from 178.22.105.xxx
Jan 28 20:55:44 shared06 sshd[26722]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.22.105.xxx
Jan 28 20:55:45 shared06 sshd[26722]: Failed password for invalid user admin from 178.22.105.xxx port 33532 ssh2
Jan 28 20:55:46 shared06 sshd[26722]: Received disconnect from 178.22.105.xxx port 33532:11: Bye Bye [preauth]
Jan 28 20:55:46 shared06 sshd[26722]: Disconnected from 178.22.105.xxx port 33532 [preauth]
Jan 28 21:12:05 shared06 sshd[30920]: Invalid user odm from 178.22.105.xxx
Jan 28 21:12:05 shared06 sshd[30920]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.22.105.xxx
Jan 28 21:12:07 shared06 sshd[30920]: Failed password for invalid user odm from 178.22.105.xxx port 45114 ssh2
Jan 28 21:12:07 shared06 sshd[30920]: Received disconnect from 178.22.105.xxx port 45114:11: Bye Bye [preauth]
Jan 28 21:12:07 shared06 sshd[30920]: Disconnected from 178.22.105.xxx port 45114 [preauth]
I was tipped off by this website that I might have a virus. I ran Sophos AV scanning my entire hard drive, and indeed it found some virus in /tmp/.mountfs/.rsync. So I deleted the entire folder and thought this was it. But it kept coming back afterwards. Then I checked the user cron file in /var/spool/cron/crontabs/kodi (the virus was running as the user of my media server, kodi), which looked like this:
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (cron.d installed on Sun Feb 3 21:52:03 2019)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
* */12 * * * /home/kodi/.ttp/a/upd>/dev/null 2>&1
@reboot /home/kodi/.ttp/a/upd>/dev/null 2>&1
5 8 * * 0 /home/kodi/.ttp/b/sync>/dev/null 2>&1
@reboot /home/kodi/.ttp/b/sync>/dev/null 2>&1
#5 1 * * * /tmp/.mountfs/.rsync/c/aptitude>/dev/null 2>&1
It looks like the virus is reactivating itself every once in a while from another directory. The content of that directory is:
>>> ls /home/kodi/.ttp/*
/home/kodi/.ttp/cron.d /home/kodi/.ttp/dir2.dir
/home/kodi/.ttp/a:
a bash.pid config.txt crond32 crond64 cronda crondb dir.dir pools.txt run stop upd
/home/kodi/.ttp/b:
a dir.dir rsync run stop sync
/home/kodi/.ttp/c:
aptitude dir.dir go ip lib n p run slow start stop tsm tsm32 tsm64 v watchdog
I deleted all these files and the entries in the crontab and hope that with this the problem is solved. However, I would be interested in what virus this was, how I might have caught it (it might be connected to Kodi), and what I can do to prevent it. Luckily, it was running only from a user with limited rights, but it still was annoying to deal with.
EDIT
Although I seemingly removed all the remains of this virus (I also removed the entire tmp folder), the virus kept coming back. I realized that there was an entry in ~/.ssh/authorized_hosts, which I definitely did not put there myself. This explains how the virus could be replanted repeatedly. I removed the entry, disabled login for that user, disabled password login (passkey only), and use a non-standard port now.
I also noticed repeated login attempts on my server with random user names, probably by some kind of bot (the log looked astonishingly similar to the one launched from my IP that my ISP sent to me). I guess that is how my computer got infected in the first place.
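The persistence described in the question and its edit (a user crontab launching binaries from hidden directories, plus a key in the user's SSH key file that the owner never installed; the file OpenSSH actually consults is ~/.ssh/authorized_keys) can be audited with a few lines of shell. The script below is an added example, not code from the question or any answer. It runs against constructed sample files modelled on the crontab shown above; the allowlist file format, the placeholder key blobs and the list of "normal" dot-directories are assumptions made for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the question or any answer): audit the persistence
# mechanisms described in the question. The sample files, the allowlist format
# and the list of "normal" dot-directories are constructed assumptions.

# 1. Crontab entries that launch anything from a hidden directory (a path
#    component beginning with '.'), e.g. /home/kodi/.ttp/a/upd. Commented-out
#    entries are reported as well: they are still evidence of the intrusion.
suspicious_cron_lines() {            # $1: crontab file
  grep -nE '/\.[^/]+/' "$1" || true
}

# 2. authorized_keys entries whose "type base64" pair is not in an allowlist
#    (one "type base64" per line, built from the keys you know you installed).
#    Leading options such as no-pty,command="..." are skipped as long as the
#    option string itself contains no spaces.
unknown_authorized_keys() {          # $1: authorized_keys, $2: allowlist
  awk -v allow="$2" '
    BEGIN {
      while ((getline l < allow) > 0) {
        n = split(l, f, " ")
        if (n >= 2) known[f[1] " " f[2]] = 1
      }
    }
    /^[ \t]*(#|$)/ { next }
    {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+|sk-)/) break
      if (i >= NF) { print "line " NR ": unparseable: " $0; next }
      key = $i " " $(i + 1)
      if (!(key in known)) {
        comment = substr($0, index($0, $(i + 1)) + length($(i + 1)) + 1)
        print "line " NR ": UNKNOWN " $i " key, comment=\"" comment "\""
      }
    }' "$1"
}

# 3. Hidden directories up to three levels below a root, minus the dot-dirs a
#    media-server user is expected to have (extend the list for your system).
hidden_dirs() {                      # $1: root to scan, e.g. / or /home/kodi
  find "$1" -mindepth 1 -maxdepth 3 -type d -name '.*' 2>/dev/null \
    | grep -vE '/\.(ssh|cache|config|local|gnupg|kodi)$' | sort
}

# Constructed sample tree modelled on the question (no real malware): the
# crontab, an authorized_keys with one allowed and one foreign key, and the
# hidden directories the poster found. Key blobs are placeholders.
make_sample_dir() {
  sd=$(mktemp -d)
  mkdir -p "$sd/tmp/.mountfs/.rsync" "$sd/home/kodi/.ttp/a" \
           "$sd/home/kodi/.ssh" "$sd/home/kodi/.cache"
  cat > "$sd/crontab" <<'EOF'
# DO NOT EDIT THIS FILE - edit the master and reinstall.
* */12 * * * /home/kodi/.ttp/a/upd>/dev/null 2>&1
@reboot /home/kodi/.ttp/a/upd>/dev/null 2>&1
5 8 * * 0 /home/kodi/.ttp/b/sync>/dev/null 2>&1
@reboot /home/kodi/.ttp/b/sync>/dev/null 2>&1
#5 1 * * * /tmp/.mountfs/.rsync/c/aptitude>/dev/null 2>&1
0 3 * * * /home/kodi/bin/backup.sh >/dev/null 2>&1
EOF
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERallowedkey\n' > "$sd/allowlist"
  cat > "$sd/authorized_keys" <<'EOF'
# keys I installed
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERallowedkey me@laptop
no-pty,command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERforeignkey attacker-example
EOF
  printf '%s\n' "$sd"
}

d=$(make_sample_dir)
echo "== crontab entries launching from hidden directories"
suspicious_cron_lines "$d/crontab"
echo "== authorized_keys entries not in the allowlist"
unknown_authorized_keys "$d/authorized_keys" "$d/allowlist"
echo "== unexpected hidden directories under $d"
hidden_dirs "$d"
rm -rf "$d"
```

On a live system, run suspicious_cron_lines against every file in /var/spool/cron/crontabs (and /etc/cron.d), unknown_authorized_keys against each user's ~/.ssh/authorized_keys with an allowlist you have written down, and hidden_dirs against /tmp and each home directory. Finding a foreign key is the important result: killing processes and deleting the cron entries, as the question shows, does nothing while the attacker can still log back in.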
I had the same. The service installed rsync and got some files. I found a dota.tar.gz file in the user folder.

ufw deny out 22
pkill -KILL -u kodi (this kills all running processes of user kodi)
deluser kodi
/tmp/.mountfs*

Please take note this will probably ruin things for kodi. Instead of removing the whole user home you can probably only remove dota.tar.gz (if it's there) and the .ttp folder (do not forget to clean the crontab!). After a reboot I don't see any outgoing connections anymore (check with:
Infection happened via a user with a weak password (kodi account with the default password maybe?)
In my case the source of infection was a user that didn't change his unsafe password from when I created his account (of course I told him to). My server probably is on some lists: I get around 1000 bans a week from fail2ban (try 4 times with a wrong user or password and be blocked for a month).
I had the same malware. Entry was through an unsafe user password via ssh (non-default port); it was detected and removed after roughly 24 hours.
In my case, deleting the user's crontab, rm -rdf /tmp/.*, rm -rdf /home/user/.*, and killall -u user was enough.

Had this thing today. I've examined the system and found that it has had its traces for about a month, and I hadn't realized that this thing was there until my ISP notified me.
Malware came through an insecure user with a weak password. In my case it was the timemachine user. The penetration log looked like this.
This is the XMRig miner and an exploit that scans other IPs for the same weaknesses. So one machine can cascade-infect dozens of others. You can take a look at the MS report about this cyberattack.
The most effective protection from this kind of attack is installing fail2ban on your server, rate-limiting ssh access with ufw, and using a whitelist ACL for the systems that can access SSH on your server.

This is my solution (also known as crypto mining malware):
I had a miner on my VPS. My CPU usage was always 100%. At first I was thinking I had a memory leak in my Java app or Tomcat. I could kill the process, but it was starting another one in a few seconds. In my case it was on a user account which I didn't use. I killed all user processes with pkill -u username and then quickly deleted the user with sudo deluser --remove-home username before the miner started its processes. After this the VPS worked fine. Maybe it will help someone.
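Several answers above point at the same two controls: fail2ban or ufw rate limiting against the dictionary bot, and (as in the question's edit) no password logins over SSH. The script below is an added example, not code from any poster; it shows the log triage fail2ban automates and the sshd_config check behind the second control, run over constructed sample log lines modelled on the ISP excerpt (TEST-NET addresses, made-up PIDs and ports) and two constructed sshd_config files.

```bash
#!/usr/bin/env bash
# Added example (not from any answer): triage sshd authentication logs the
# way fail2ban does, and check the sshd_config directives the question's edit
# changed. The log lines and config files below are constructed samples.

# Aggregate "Failed password" events per source IP and report sources at or
# above a threshold, together with how many distinct user names they tried.
# Many distinct, mostly non-existent user names from one IP is the bot
# pattern in the ISP excerpt; one real user failing once is a typo.
brute_force_sources() {              # $1: log file, $2: failure threshold
  awk -v thr="$2" '
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") break
      if (i >= NF) next                    # malformed line, no IP after "from"
      ip = $(i + 1); user = $(i - 1)       # "... for [invalid user] USER from IP port N ssh2"
      fails[ip]++
      if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    END {
      for (ip in fails)
        if (fails[ip] >= thr)
          printf "%s failures=%d distinct_users=%d\n", ip, fails[ip], users[ip]
    }' "$1" | sort
}

# Report the two directives that decide whether a guessed password is enough
# to get in. Directives are case-insensitive; only the global section is
# evaluated, so a Match block is flagged for manual review instead.
weak_sshd_settings() {               # $1: sshd_config
  awk '
    /^[ \t]*(#|$)/ { next }
    tolower($1) == "match" { matched = 1; exit }   # END still runs after exit
    { cfg[tolower($1)] = tolower($2) }
    END {
      if (matched) print "Match block present: per-user/per-host overrides not evaluated"
      pa = ("passwordauthentication" in cfg) ? cfg["passwordauthentication"] : "unset (defaults to yes)"
      if (pa != "no") print "PasswordAuthentication " pa
      prl = ("permitrootlogin" in cfg) ? cfg["permitrootlogin"] : "unset"
      if (prl != "no" && prl != "prohibit-password" && prl != "without-password")
        print "PermitRootLogin " prl (prl == "unset" ? " (yes on OpenSSH < 7.0, prohibit-password since)" : "")
    }' "$1"
}

# Constructed samples: a bot from 198.51.100.7 trying four user names, a real
# user mistyping a password once and then succeeding with a key, and a weak
# and a hardened sshd_config.
make_sample_logs() {
  sd=$(mktemp -d)
  cat > "$sd/auth.log" <<'EOF'
Jan 28 20:55:44 shared06 sshd[26722]: Invalid user admin from 198.51.100.7
Jan 28 20:55:45 shared06 sshd[26722]: Failed password for invalid user admin from 198.51.100.7 port 33532 ssh2
Jan 28 20:55:46 shared06 sshd[26722]: Disconnected from 198.51.100.7 port 33532 [preauth]
Jan 28 21:12:07 shared06 sshd[30920]: Failed password for invalid user odm from 198.51.100.7 port 45114 ssh2
Jan 28 21:30:01 shared06 sshd[31001]: Failed password for invalid user oracle from 198.51.100.7 port 50220 ssh2
Jan 28 21:45:12 shared06 sshd[31077]: Failed password for invalid user test from 198.51.100.7 port 51310 ssh2
Jan 28 22:01:09 shared06 sshd[31200]: Failed password for kodi from 203.0.113.5 port 60112 ssh2
Jan 28 22:01:15 shared06 sshd[31200]: Accepted publickey for kodi from 203.0.113.5 port 60112 ssh2: ED25519 SHA256:placeholder
EOF
  cat > "$sd/sshd_config" <<'EOF'
# weak: exactly what a dictionary bot needs
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF
  cat > "$sd/sshd_config.hardened" <<'EOF'
# what the question's edit amounts to: keys only, no root, non-standard port
Port 2222
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
EOF
  printf '%s\n' "$sd"
}

d=$(make_sample_logs)
echo "== sources with 3 or more failed passwords"
brute_force_sources "$d/auth.log" 3
echo "== weak settings in sshd_config"
weak_sshd_settings "$d/sshd_config"
echo "== weak settings in sshd_config.hardened (none expected)"
weak_sshd_settings "$d/sshd_config.hardened"
rm -rf "$d"
```

On a real host, feed brute_force_sources /var/log/auth.log (or the output of journalctl -u ssh) and weak_sshd_settings /etc/ssh/sshd_config; `sshd -T` prints the effective configuration, Match blocks included, and is the authoritative check. The ufw rate limiting mentioned above is `ufw limit 22/tcp`, which denies a source that opens six or more connections within 30 seconds; fail2ban does the same per-IP counting as the awk above and adds the firewall rule for you. Neither replaces turning off PasswordAuthentication: a bot that is allowed four guesses per ban still gets an unlimited number of guesses over time.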