26

I found malware on my EC2 instance which was continuously mining bitcoin and using my instance's processing power. I successfully identified the process, but was unable to remove and kill it.

I ran this command: watch "ps aux | sort -nrk 3,3 | head -n 5". It shows the top five processes running on my instance, from which I found a process named 'bashd' that was consuming 30% of CPU. The process is

bashd -a cryptonight -o stratum+tcp://get.bi-chi.com:3333 -u 47EAoaBc5TWDZKVaAYvQ7Y4ZfoJMFathAR882gabJ43wHEfxEp81vfJ3J3j6FQGJxJNQTAwvmJYS2Ei8dbkKcwfPFst8FhG -p x

I killed this process using the kill -9 process_id command. After 5 seconds, the process started again.

  • (+4) You don't give enough details (at least several commands that you have tried) – Basile Starynkevitch Sep 30 '17 at 11:06
  • (+28) "Servers are cattle, not pets." Especially virtual servers that are really easy to create and destroy. Throw away this one (terminate it) and create another. Or create another, switch over, and keep the old one around while you figure out how the malware got on there. – user253751 Sep 30 '17 at 20:18
  • (+14) your instance is compromised, nuke it from orbit – njzk2 Sep 30 '17 at 23:41
  • (+4) (note for anyone else reading this - "servers are cattle, not pets" only applies to cloud servers or to a large number of identical servers) – user253751 Oct 01 '17 at 05:09
  • (+1) this is mining Monero, not bitcoin (if it matters) – anna328p Oct 02 '17 at 06:02
  • (+1) @DmitryKudriavtsev It could just as well play chess or twiddle its thumbs in a long sleep call. The point is: Someone got in. You don't have full control of the server any longer. Do not leave it online. – Kusalananda Oct 02 '17 at 15:13
  • (+1) @Kusalananda Far worse than that. Leaving it online with crypto miners does incur high costs... AWS is a pay-as-you-go service. – Rui F Ribeiro Oct 02 '17 at 15:48
  • (+1) @RuiFRibeiro The point is the same. – Kusalananda Oct 02 '17 at 16:00
  • (+1) @Kusalananda It may be obvious to you and me; however, I doubt it is obvious to the OP, judging by this thread and his failure to decommission the VM – Rui F Ribeiro Oct 02 '17 at 16:02
  • @Kusalananda That's not really the point of my comment... I've had the same happen to me. I had to rebuild the whole server. – anna328p Oct 03 '17 at 03:55
  • I just removed my instance and set up a new one. – Nadeem Ahmed Oct 03 '17 at 08:33

2 Answers

81

If you did not put the software there and/or if you think your cloud instance is compromised: Take it off-line, delete it, and rebuild it from scratch (but read the link below first). It does not belong to you anymore; you cannot trust it any longer.

See "How to deal with a compromised server" on ServerFault for further information about what to do and how to behave when a machine gets compromised.

In addition to the things to do and think about in the list(s) linked to above, be aware that depending on who you are and where you are, you may have a legal obligation to report it to either a local/central IT security team/person within your organization and/or to authorities (possibly even within a certain time frame).

In Sweden (since December 2015), for example, any state agency (e.g. a university) is obliged to report IT-related incidents within 24 hours. Your organization will have documented procedures for how to go about doing this.

Kusalananda
  • 333,661
12

This bashd command is the same as ccminer from the ccminer-cryptonight program, used to mine Monero on your system (there is a tutorial: Monero - Ccminer-cryptonight GPU miner on Linux); the bashd name is obtained by aliasing or by modifying the source code of the program.

Cryptonight Malware: how to kill the process? (information found on the malware expert webpage)

This is again a new malware, which we call cryptonight, that we haven't seen before. It downloads an executable Linux program and hides that HTTP daemon in the background, which is difficult to find in the process list at first glance.

Manual remove process

You can search whether there is a running httpd process, which starts with the cryptonight parameter:

ps aux | grep cryptonight

Then just kill -9 process_id with root permissions (you should kill the cryptonight process, not the bashd one).

To be safe you should:

  1. Reinstall your system
  2. Patch your system to prevent the remote attack vulnerability: Linux Servers Hijacked to Mine Cryptocurrency via SambaCry Vulnerability
  3. Restrict users to run limited commands
GAD3R
  • 66,769
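The following script is an added example; it is not code from the question or from either answer. It covers the point both the question and the second answer circle around: a miner that is back five seconds after kill -9 is being restarted by something, and the second answer says to kill that parent (the cryptonight/httpd process) instead of bashd. The script walks a process's ancestry, reports the on-disk binary even when it has been deleted, greps the usual persistence locations, and kills parent and child together after freezing both. It is Linux-only (it reads /proc rather than depending on procps being installed), takes the process name bashd and the pool host get.bi-chi.com from the question, and the persistence paths are an assumption about a typical host. It is a triage tool to gather evidence before the rebuild both answers recommend, not a substitute for it.

```sh
#!/bin/sh
# Added example, not code from the question or either answer. Linux-only:
# reads /proc directly so it works on a minimal install without procps.
# The process name "bashd" and pool host come from the question; the
# PERSISTENCE_PATHS list is an assumption about a typical Linux host.

# Parent PID of a process, from /proc/<pid>/status.
ppid_of() {
    awk '/^PPid:/ { print $2 }' "/proc/$1/status" 2>/dev/null || :
}

# Full command line of a process (NULs turned into spaces).
args_of() {
    tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null || :
}

# Walk from a PID up to PID 1, printing "pid comm args" for each step.
# Whatever restarts the miner is usually one of these ancestors (a dropper
# loop, a fake httpd), or else a cron job or service found further down.
ancestors() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] 2>/dev/null && [ -d "/proc/$pid" ]; do
        printf '%s %s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$(args_of "$pid")"
        [ "$pid" -eq 1 ] && break
        pid=$(ppid_of "$pid")
    done
}

# Direct children of a PID.
children_of() {
    for s in /proc/[0-9]*/status; do
        awk -v p="$1" -v s="$s" '/^PPid:/ && $2 == p { split(s, a, "/"); print a[3] }' "$s" 2>/dev/null || :
    done
}

# Path of the running binary. If the file was unlinked after launch (a
# common trick), readlink still resolves it and appends " (deleted)";
# copy it out with "cp /proc/<pid>/exe /root/evidence" before killing.
exe_of() {
    readlink "/proc/$1/exe" 2>/dev/null || :
}

# Kill a process together with its parent. SIGSTOP both first so the parent
# cannot fork a replacement between the two kills, then SIGKILL. Refuses
# to touch PID 1 or the shell running this script.
kill_with_parent() {
    child=$1
    parent=$(ppid_of "$child")
    [ -n "$parent" ] || return 1
    for p in "$parent" "$child"; do
        [ "$p" -le 1 ] && return 1
        [ "$p" -eq "$$" ] && return 1
    done
    kill -STOP "$parent" "$child" 2>/dev/null
    kill -KILL "$parent" "$child" 2>/dev/null
}

# Files under the given roots that match an extended regex (miner name,
# pool host, wallet). Roots are explicit so the same function can be run
# against a mounted snapshot of the instance's disk instead of the live /.
find_persistence() {
    pattern=$1; shift
    grep -rIlE -- "$pattern" "$@" 2>/dev/null || :
}

# Where a cron-, rc- or shell-based restart usually hides (assumed paths).
PERSISTENCE_PATHS="/etc/crontab /etc/cron.d /var/spool/cron /etc/rc.local \
/etc/systemd/system /etc/init.d /root/.bashrc /home"

# Usage (as root): sh find_respawner.sh --investigate [name]
if [ "${1:-}" = "--investigate" ]; then
    name=${2:-bashd}
    for c in /proc/[0-9]*/comm; do
        [ "$(cat "$c" 2>/dev/null)" = "$name" ] || continue
        pid=${c#/proc/}; pid=${pid%/comm}
        echo "== $name pid $pid exe: $(exe_of "$pid")"
        ancestors "$pid"
    done
    echo "== files mentioning $name or the pool host:"
    find_persistence "$name|get\.bi-chi\.com" $PERSISTENCE_PATHS
fi
```

Run it as root with --investigate before touching anything, and take an EBS snapshot first if you want the evidence preserved; the kill_with_parent step only buys quiet while you collect data, since the instance still has to be terminated and rebuilt.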