webserver

coin mining abuse software is all around...
you hear it nowadays in the media

• Youtube Ads are harvesting your mining power
• Websites are harvesting your mining power ("cryptojacking")
  

and I found an apache server who got cryptojacked ..
webserver code placed in / tmp and executed is mining

How does it look like if you find it? Lots of load

lets find where it is located by simply

ps aux | grep php

and maybe you want to stop it

kill -9 <process_ids>

looking in the (config) file

cat /tmp/phpKRGiDE.c

you can see it's a monero mining pool
which it contributes the server cpu power to

How to clean up the mess?

mount -o remount,noexec /tmp

and to make the server safe for future edit

vi /etc/fstab

change the mounting of tmp to noexec and remount it

/dev/sda3       /tmp              ext3  noexec,nosuid           0       2

mount -o remount /tmp