[Chugalug] Anyone have experience removing a malicious Bitcoin miner?


[Chugalug] Anyone have experience removing a malicious Bitcoin miner?

Adam Jimerson
Hello,

A friend of mine reached out for help removing a malicious Bitcoin miner off one of his client's servers. If anyone has experience and time I can pass on your contact information to him so you can hash out details directly.

_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug

Re: [Chugalug] Anyone have experience removing a malicious Bitcoin miner?

David White-2
I don't have direct experience with this sort of thing, but certainly know my way around the guts of Linux well enough to probably be able to get rid of it. I'd be happy to talk about it and look at it, if your friend is interested.
That said, in all reality, my normal recommendation is that, when a Linux server gets owned, it needs to be rebuilt from scratch, and backups restored.

I'm not available during normal business hours, but could work on the project tomorrow (Friday) evening and Saturday.

On Thu, Aug 9, 2018 at 9:12 PM Adam Jimerson <[hidden email]> wrote:
--
David White


Re: [Chugalug] Anyone have experience removing a malicious Bitcoin miner?

Billy
I’ll agree with this.

If it’s been compromised at all, then there is not a guarantee that there aren’t other backdoors that were left on the machine.

1) Either restore from a good backup - which good is left up to the definition of the customer - would they bet their business on it?

2) Reinstall from scratch, uploading the custom data after the fact.

--b

On Aug 9, 2018, at 9:39 PM, David White <[hidden email]> wrote:

Re: [Chugalug] Anyone have experience removing a malicious Bitcoin miner?

JustinMcAfee
If anyone is interested, once the server is restored, maybe we could get an image (sans PII) and do a root cause analysis? I'd love to do some forensics that didn't come out of a can!

Also, turn and burn that server. No reason or excuse to roll back. Without forensics, it's possible the machine was compromised for a long period prior to the discovery of the miner.

Unlikely, as miners are usually put into work shortly after exploit, but we don't know this attacker's MO, AND this wouldn't be the first time a rogue employee had intentionally infected a server to mine.

Just my .02

Sent from ProtonMail mobile



-------- Original Message --------
On Aug 10, 2018, 09:24, Billy < [hidden email]> wrote:

Re: [Chugalug] Anyone have experience removing a malicious Bitcoin miner?

Stephen Kraus
Back up what you want and format. Never assume it's clean.

On Fri, Aug 10, 2018, 10:07 AM JustinMcAfee <[hidden email]> wrote:

Re: [Chugalug] Anyone have experience removing a malicious Bitcoin miner?

Adam Jimerson
Thanks everyone, I'll make sure that your comments are passed on.

On Fri, Aug 10, 2018 at 10:37 AM Stephen Kraus <[hidden email]> wrote:
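Justin's suggestion to image the box for a root cause analysis and Stephen's warning never to assume it is clean both depend on capturing evidence before the rebuild. The following Python is added here (it is not code from the thread or from any poster) and triages constructed `ps` and `crontab -l` captures for common miner traits: a stratum mining-pool URL on a command line, sustained high CPU from a binary in a world-writable temp dir, and a cron entry that would relaunch it. The pool host, paths, wallet string and CPU threshold are assumptions.

```python
"""Pre-rebuild triage of a suspected Linux cryptominer (example added here, not code
from the thread): scans captured ps/crontab text for what a defender records before a wipe."""
from __future__ import annotations
import re
from collections import namedtuple

SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")   # world-writable drop zones
POOL_URL = re.compile(r"stratum\+(?:tcp|ssl)://\S+", re.I)  # mining-pool URL scheme
FETCH_AND_RUN = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")
Finding = namedtuple("Finding", "source reason line")  # source is "ps" or "cron"

def check_process(line: str, cpu_threshold: float = 80.0) -> list[Finding]:
    """Evaluate one `ps -eo pid,pcpu,user,args` row; the header row yields nothing."""
    parts = line.split(None, 3)
    if len(parts) < 4 or not parts[0].isdigit():
        return []
    pcpu, args = parts[1], parts[3]
    found = []
    if POOL_URL.search(args):
        found.append(Finding("ps", "mining pool URL on command line", line.strip()))
    if float(pcpu) >= cpu_threshold and args.split()[0].startswith(SUSPECT_DIRS):
        found.append(Finding("ps", f"{pcpu}% CPU from binary in temp dir", line.strip()))
    return found

def check_cron(line: str) -> list[Finding]:
    """Flag crontab entries that relaunch a temp-dir binary or download-and-run."""
    entry = line.strip()
    if not entry or entry.startswith("#"):
        return []
    if any(d in entry for d in SUSPECT_DIRS):
        return [Finding("cron", "persistence via temp-dir binary", entry)]
    if FETCH_AND_RUN.search(entry):
        return [Finding("cron", "download-and-execute pipeline", entry)]
    return []

def triage(ps_text: str, cron_text: str) -> list[Finding]:
    """Run both checks over captured output and return every finding, ps rows first."""
    return ([f for l in ps_text.splitlines() for f in check_process(l)]
            + [f for l in cron_text.splitlines() for f in check_cron(l)])

# Constructed sample captures; host, paths and wallet are placeholders, not real IoCs.
PS_SAMPLE = """  PID %CPU USER     COMMAND
    1  0.0 root     /sbin/init
 4212 97.5 www-data /tmp/.x/kswapd0 -o stratum+tcp://pool.example.invalid:3333 -u WALLET
"""
CRON_SAMPLE = """# m h dom mon dow command
*/5 * * * * /tmp/.x/kswapd0 >/dev/null 2>&1
0 3 * * * /usr/bin/certbot renew
"""
```

Feed it the real captures (`ps -eo pid,pcpu,user,args` and every user's `crontab -l`, saved to disk alongside the image) so the findings survive the reinstall and can back the root cause analysis.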