Hacked

ruby-talk
1

Some of my servers have been hacked and running a monero(?) coin miner. It
creates a directory
called /tmp/systemd-private-60ffef34724f43b19fa2d3962b83687e-systemd-timesyncd.service-sPMHHT
(or similar)

Also at the same time a /tmp/bundle directory is created

Do these seem related? Does anyone have an idea on this?

2

Sounds like that temp folder's being created by a reg file or being autorun
by some startup process. I bet if you spike that process and/or startup
value you'd be able to stop that temp folder from being created.

All in all, I'm not entirely sure that's what's happening but personally
I'd assume as much

···

On Wed, Feb 13, 2019 at 8:37 AM Peter Hickman < peterhickman386@googlemail.com> wrote:

Some of my servers have been hacked and running a monero(?) coin miner. It
creates a directory
called /tmp/systemd-private-60ffef34724f43b19fa2d3962b83687e-systemd-timesyncd.service-sPMHHT
(or similar)

Also at the same time a /tmp/bundle directory is created

Do these seem related? Does anyone have an idea on this?

Unsubscribe: <mailto:ruby-talk-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-talk&gt;

--

*Gamal Aly*
*Senior Business Developer, Technology*

*Access Staffing, LLC*360 Lexington Avenue, 8th floor
New York, NY 10017

*P:* 212-687-5440 ext. 2301
*D:* 646-307-8908
*F: *212-818-9251 <(212)%20818-9251>
galy@accessstaffing.com

3

The temp folder is the /tmp folder on a Linux system. Not really something
you can just drop

Should have said that these are Linux boxes

···

On Wed, 13 Feb 2019 at 13:41, Gamal Aly <galy@accessstaffing.com> wrote:

Sounds like that temp folder's being created by a reg file or being
autorun by some startup process. I bet if you spike that process and/or
startup value you'd be able to stop that temp folder from being created.

All in all, I'm not entirely sure that's what's happening but personally
I'd assume as much

Managed Threat Detection & Response Solution - Rapid7

On Wed, Feb 13, 2019 at 8:37 AM Peter Hickman < > peterhickman386@googlemail.com> wrote:

Some of my servers have been hacked and running a monero(?) coin miner.
It creates a directory
called /tmp/systemd-private-60ffef34724f43b19fa2d3962b83687e-systemd-timesyncd.service-sPMHHT
(or similar)

Also at the same time a /tmp/bundle directory is created

Do these seem related? Does anyone have an idea on this?

Unsubscribe: <mailto:ruby-talk-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-talk&gt;

--

*Gamal Aly*
*Senior Business Developer, Technology*

*Access Staffing, LLC*360 Lexington Avenue, 8th floor
New York, NY 10017

*P:* 212-687-5440 ext. 2301
*D:* 646-307-8908
*F: *212-818-9251 <(212)%20818-9251>
galy@accessstaffing.com
http://www.accessstaffing.com

Unsubscribe: <mailto:ruby-talk-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-talk&gt;

4

Check this

···

On Wed, Feb 13, 2019 at 8:46 AM Peter Hickman < peterhickman386@googlemail.com> wrote:

The temp folder is the /tmp folder on a Linux system. Not really something
you can just drop

Should have said that these are Linux boxes

On Wed, 13 Feb 2019 at 13:41, Gamal Aly <galy@accessstaffing.com> wrote:

Sounds like that temp folder's being created by a reg file or being
autorun by some startup process. I bet if you spike that process and/or
startup value you'd be able to stop that temp folder from being created.

All in all, I'm not entirely sure that's what's happening but personally
I'd assume as much

Managed Threat Detection & Response Solution - Rapid7

On Wed, Feb 13, 2019 at 8:37 AM Peter Hickman < >> peterhickman386@googlemail.com> wrote:

Some of my servers have been hacked and running a monero(?) coin miner.
It creates a directory
called /tmp/systemd-private-60ffef34724f43b19fa2d3962b83687e-systemd-timesyncd.service-sPMHHT
(or similar)

Also at the same time a /tmp/bundle directory is created

Do these seem related? Does anyone have an idea on this?

Unsubscribe: <mailto:ruby-talk-request@ruby-lang.org
?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-talk&gt;

--

*Gamal Aly*
*Senior Business Developer, Technology*

*Access Staffing, LLC*360 Lexington Avenue, 8th floor
New York, NY 10017

*P:* 212-687-5440 ext. 2301
*D:* 646-307-8908
*F: *212-818-9251 <(212)%20818-9251>
galy@accessstaffing.com
http://www.accessstaffing.com

Unsubscribe: <mailto:ruby-talk-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-talk&gt;

Unsubscribe: <mailto:ruby-talk-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-talk&gt;

--

*Gamal Aly*
*Senior Business Developer, Technology*

*Access Staffing, LLC*360 Lexington Avenue, 8th floor
New York, NY 10017

*P:* 212-687-5440 ext. 2301
*D:* 646-307-8908
*F: *212-818-9251 <(212)%20818-9251>
galy@accessstaffing.com

5

Thats a good start, seems that it is reasonably well known once you what it
is called "watchbog". However the infection route is a mystery

···

On Wed, 13 Feb 2019 at 13:51, Gamal Aly <galy@accessstaffing.com> wrote:

Check this

Linux CryptoMiners Are Now Using Rootkits to Stay Hidden

On Wed, Feb 13, 2019 at 8:46 AM Peter Hickman < > peterhickman386@googlemail.com> wrote:

The temp folder is the /tmp folder on a Linux system. Not really
something you can just drop

Should have said that these are Linux boxes

On Wed, 13 Feb 2019 at 13:41, Gamal Aly <galy@accessstaffing.com> wrote:

Sounds like that temp folder's being created by a reg file or being
autorun by some startup process. I bet if you spike that process and/or
startup value you'd be able to stop that temp folder from being created.

All in all, I'm not entirely sure that's what's happening but personally
I'd assume as much

Managed Threat Detection & Response Solution - Rapid7

On Wed, Feb 13, 2019 at 8:37 AM Peter Hickman < >>> peterhickman386@googlemail.com> wrote:

Some of my servers have been hacked and running a monero(?) coin miner.
It creates a directory
called /tmp/systemd-private-60ffef34724f43b19fa2d3962b83687e-systemd-timesyncd.service-sPMHHT
(or similar)

Also at the same time a /tmp/bundle directory is created

Do these seem related? Does anyone have an idea on this?

Unsubscribe: <mailto:ruby-talk-request@ruby-lang.org
?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-talk&gt;

--

*Gamal Aly*
*Senior Business Developer, Technology*

*Access Staffing, LLC*360 Lexington Avenue, 8th floor
New York, NY 10017

*P:* 212-687-5440 ext. 2301
*D:* 646-307-8908
*F: *212-818-9251 <(212)%20818-9251>
galy@accessstaffing.com
http://www.accessstaffing.com

Unsubscribe: <mailto:ruby-talk-request@ruby-lang.org
?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-talk&gt;

Unsubscribe: <mailto:ruby-talk-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-talk&gt;

--

*Gamal Aly*
*Senior Business Developer, Technology*

*Access Staffing, LLC*360 Lexington Avenue, 8th floor
New York, NY 10017

*P:* 212-687-5440 ext. 2301
*D:* 646-307-8908
*F: *212-818-9251 <(212)%20818-9251>
galy@accessstaffing.com
http://www.accessstaffing.com

Unsubscribe: <mailto:ruby-talk-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-talk&gt;

6

I'll do some research but sounds a little strange

···

On Wed, Feb 13, 2019 at 9:51 AM Peter Hickman < peterhickman386@googlemail.com> wrote:

Thats a good start, seems that it is reasonably well known once you what
it is called "watchbog". However the infection route is a mystery

On Wed, 13 Feb 2019 at 13:51, Gamal Aly <galy@accessstaffing.com> wrote:

Check this

Linux CryptoMiners Are Now Using Rootkits to Stay Hidden

On Wed, Feb 13, 2019 at 8:46 AM Peter Hickman < >> peterhickman386@googlemail.com> wrote:

The temp folder is the /tmp folder on a Linux system. Not really
something you can just drop

Should have said that these are Linux boxes

On Wed, 13 Feb 2019 at 13:41, Gamal Aly <galy@accessstaffing.com> wrote:

Sounds like that temp folder's being created by a reg file or being
autorun by some startup process. I bet if you spike that process and/or
startup value you'd be able to stop that temp folder from being created.

All in all, I'm not entirely sure that's what's happening but
personally I'd assume as much

Managed Threat Detection & Response Solution - Rapid7

On Wed, Feb 13, 2019 at 8:37 AM Peter Hickman < >>>> peterhickman386@googlemail.com> wrote:

Some of my servers have been hacked and running a monero(?) coin
miner. It creates a directory
called /tmp/systemd-private-60ffef34724f43b19fa2d3962b83687e-systemd-timesyncd.service-sPMHHT
(or similar)

Also at the same time a /tmp/bundle directory is created

Do these seem related? Does anyone have an idea on this?

Unsubscribe: <mailto:ruby-talk-request@ruby-lang.org
?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-talk&gt;

--

*Gamal Aly*
*Senior Business Developer, Technology*

*Access Staffing, LLC*360 Lexington Avenue, 8th floor
New York, NY 10017

*P:* 212-687-5440 ext. 2301
*D:* 646-307-8908
*F: *212-818-9251 <(212)%20818-9251>
galy@accessstaffing.com
http://www.accessstaffing.com

Unsubscribe: <mailto:ruby-talk-request@ruby-lang.org
?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-talk&gt;

Unsubscribe: <mailto:ruby-talk-request@ruby-lang.org
?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-talk&gt;

--

*Gamal Aly*
*Senior Business Developer, Technology*

*Access Staffing, LLC*360 Lexington Avenue, 8th floor
New York, NY 10017

*P:* 212-687-5440 ext. 2301
*D:* 646-307-8908
*F: *212-818-9251 <(212)%20818-9251>
galy@accessstaffing.com
http://www.accessstaffing.com

Unsubscribe: <mailto:ruby-talk-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-talk&gt;

Unsubscribe: <mailto:ruby-talk-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-talk&gt;

--

*Gamal Aly*
*Senior Business Developer, Technology*

*Access Staffing, LLC*360 Lexington Avenue, 8th floor
New York, NY 10017

*P:* 212-687-5440 ext. 2301
*D:* 646-307-8908
*F: *212-818-9251 <(212)%20818-9251>
galy@accessstaffing.com

7

The most common known infection route seems to be solr. Which we do not
run, we are a pure Rails shop so I was worried when the /tmp/bundle
directory has the same timestamp as the /etc/systemd-* directory

8

Hi, you can delete the tmp folder contents without problems and check if there's a script in your server that generate it. You can scan the folders with a server antivirus or some other tools to find unconventional commands.

Andrea Beducci

···

Inviato da iPhone

Il giorno 13 feb 2019, alle ore 14:37, Peter Hickman <peterhickman386@googlemail.com> ha scritto:

Some of my servers have been hacked and running a monero(?) coin miner. It creates a directory called /tmp/systemd-private-60ffef34724f43b19fa2d3962b83687e-systemd-timesyncd.service-sPMHHT (or similar)

Also at the same time a /tmp/bundle directory is created

Do these seem related? Does anyone have an idea on this?

Unsubscribe: <mailto:ruby-talk-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-talk&gt;